voxpupuli / puppet-yum

Puppet module for Yum
https://forge.puppet.com/puppet/yum
MIT License

GPG key for EPEL repository isn't getting installed before Package resource that requires EPEL repository. #273

Closed bschonec closed 1 year ago

bschonec commented 1 year ago

Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce (e.g Puppet code you use)

The GPG key for the EPEL repository is not installed:

[root@d1 yum.repos.d]# rpm -q gpg-pubkey-352c64e5-52ae6884
package gpg-pubkey-352c64e5-52ae6884 is not installed
[root@d1 yum.repos.d]# ll /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
ls: cannot access /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7: No such file or directory
[root@d1 yum.repos.d]# 

Using a simple site.pp file:

node default {
  include yum
  package {'nmon': ensure => installed }  # Requires EPEL repository to exist
}

common.yaml:

---

yum::config:
  gpgcheck:
    key: gpgcheck
    ensure: 0

yum::managed_repos:
  - 'epel'

yum::repos:
  epel:
    enabled: true
    gpgcheck: true
    metalink: absent

What are you seeing

The module is creating the /etc/yum.repos.d/epel.repo file properly but then the Package resource is trying to install the 'nmon' package before the EPEL GPG key is imported into the RPM database. This causes yum/dnf to complain because the /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 file doesn't yet exist and hence the EPEL GPG key is not imported.

After the attempt to install the nmon package, the yum::gpgkey defined type THEN executes, properly installing the /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 and importing the RPM GPG key.

What behaviour did you expect instead

The EPEL GPG key file should already exist and be "rpm --import"ed into the RPM database before package resources are installed.

Output log

[root@d1 yum.repos.d]# ls -l /etc/yum.repos.d/epel.repo
ls: cannot access /etc/yum.repos.d/epel.repo: No such file or directory
[root@d1 yum.repos.d]# ls -l /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
ls: cannot access /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7: No such file or directory
[root@d1 yum.repos.d]# rpm -q gpg-pubkey-352c64e5-52ae6884
package gpg-pubkey-352c64e5-52ae6884 is not installed
[root@d1 yum.repos.d]# puppet agent -t --environment=junk --server=puppet.example.com
Info: Using environment 'junk'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for d1.auto111.usva0017.oraclevcn.com
Info: Applying configuration version 'puppet-01p-junk-b8911725615'
Notice: /Stage[main]/Yum/Yumrepo[epel]/ensure: created (corrective)
Info: Yumrepo[epel](provider=inifile): changing mode of /etc/yum.repos.d/epel.repo from 600 to 644
Error: Execution of '/bin/yum -d 0 -e 0 -y install nmon' returned 1: warning: /var/cache/yum/x86_64/7Server/epel/packages/nmon-16g-3.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY

GPG key retrieval failed: [Errno 14] curl#37 - "Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7"
Error: /Stage[main]/Main/Node[default]/Package[nmon]/ensure: change from 'purged' to 'present' failed: Execution of '/bin/yum -d 0 -e 0 -y install nmon' returned 1: warning: /var/cache/yum/x86_64/7Server/epel/packages/nmon-16g-3.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY

GPG key retrieval failed: [Errno 14] curl#37 - "Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7" (corrective)
Notice: /Stage[main]/Yum/Yum::Gpgkey[/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7]/File[/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7]/ensure: defined content as '{sha256}028b9accc59bab1d21f2f3f544df5469910581e728a64fd8c411a725a82300c2' (corrective)
Notice: /Stage[main]/Yum/Yum::Gpgkey[/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7]/Exec[rpm-import-/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7]/returns: executed successfully (corrective)
Info: Stage[main]: Unscheduling all events on Stage[main]
Notice: Applied catalog in 3.68 seconds
[root@d1 yum.repos.d]# ls -l /etc/yum.repos.d/epel.repo
-rw-r--r--. 1 root root 133 Aug 17 12:54 /etc/yum.repos.d/epel.repo
[root@d1 yum.repos.d]# ls -l /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
-rw-r--r--. 1 root root 1662 Aug 17 12:54 /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
[root@d1 yum.repos.d]# rpm -q gpg-pubkey-352c64e5-52ae6884
gpg-pubkey-352c64e5-52ae6884
[root@d1 yum.repos.d]# 

Any additional information you'd like to impart

My assumption is that the repo file, the rpm-gpg file and the GPG key should exist and be imported before any attempt to install packages from the repository.

vchepkov commented 1 year ago

I don't think it's an issue with the module. There is no relationship defined between the nmon package and the yum class by default. In general, a package can be non-yum or come from other repositories not defined by the yum class. You have to be explicit and provide the relationship if it's required.

Either require the yum class in your manifest instead of just including it, or specify this relationship in the package:

package { 'nmon': 
  ensure => installed,
  require => Class['yum'],
}

bschonec commented 1 year ago

I understand your point but in order for the repository to be usable the GPG key needs to be installed/imported before any attempt to install packages from that repo can be successful.

If I had fifteen packages from EPEL that need to be installed, then conceivably, I'd have to order all of them before the yum class module. If the requirement for the GPG key was baked into the yum class module, those ordering constraints would disappear.

Would a 'contain' be appropriate for that?

vchepkov commented 1 year ago

yum::gpgkey is a defined resource; these are contained in the yum class and will be defined together with the yum repositories.

require yum

should solve your problem

You can also contain the yum class within a profile and establish the relationship this way:

class profile::server {
  require profile::yum
}

class profile::yum {
  contain yum
}

bschonec commented 1 year ago

Thank you for the useful information. I'll give that a try.
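
An added example (not from the thread or from the puppet-yum module) for the fifteen-packages case raised above: a single ordering rule, built from a tag and a resource collector, makes every EPEL package wait for the repo file and the imported GPG key, so the repository can keep `gpgcheck: true`. The `profile::yum` and `profile::epel_packages` class names, the `epel` tag and the package list are assumptions.

```puppet
# Added example; class names, tag and package list are hypothetical.

# Wrap the module's class so everything it declares (Yumrepo[epel],
# the Yum::Gpgkey file and its rpm --import exec) is contained here.
class profile::yum {
  contain yum
}

class profile::epel_packages (
  Array[String[1]] $packages = ['nmon'],
) {
  include profile::yum

  # Tag every package that comes from EPEL. Packages declared in other
  # classes can carry the same tag and pick up the same ordering.
  package { $packages:
    ensure => installed,
    tag    => 'epel',
  }

  # One relationship for all of them: the contained yum class (repo file,
  # key file, key import) must finish before any 'epel'-tagged package.
  Class['profile::yum'] -> Package <| tag == 'epel' |>
}

node default {
  include profile::epel_packages
}
```

A collector also realizes any virtual Package resources that match the tag, so keep the tag specific to packages that are meant to be installed.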