
Add GPG keys to `/apt/keyrings` instead of `/apt/trusted.gpg.d`, Update task `Add Docker apt key`

Open kawadeomkar opened this issue 2 years ago • 8 comments

https://github.com/geerlingguy/ansible-role-docker/issues/435

I started this issue because I faced a similar problem as https://github.com/geerlingguy/ansible-role-docker/issues/434 when adding the docker apt repository: `Signed-By regarding source https://download.docker.com/linux/ubuntu/ jammy: /etc/apt/trusted.gpg.d/docker.asc != `, which I then had to fix by:

```
sudo rm /etc/apt/sources.list.d/docker.list
sudo rm /etc/apt/sources.list.d/download_docker_com_linux_ubuntu.list
```

and then running the changes in this branch.

I did some research and noticed that GPG keys should not be placed in `/etc/apt/trusted.gpg.d/` (please see https://github.com/geerlingguy/ansible-role-docker/issues/435).

After updating the tasks to mirror the installation method in https://docs.docker.com/engine/install/debian/#install-using-the-repository, I was still getting an error:

```
W: GPG error: https://download.docker.com/linux/ubuntu jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7EA0A9C3F273FCD8
E: The repository 'https://download.docker.com/linux/ubuntu jammy InRelease' is not signed.
```

until I noticed that the task here https://github.com/geerlingguy/ansible-role-docker/blob/8ff4a241477f5f24c718d606a2ee450b370cc47c/tasks/setup-Debian.yml#L30 was saving the GPG key in binary whereas in the docker docs, the key is converted to an ASCII-encoded format.

I updated the ansible tasks to use the fallback curl/shell method and added a few more tasks to mirror the installation method of the docker docs.

With these changes, I'm not getting any errors and am able to successfully run the role on version 7.0.2.

@geerlingguy (or any maintainer) Please let me know what you think of these changes:

  1. whether the GPG keys should be saved to `/etc/apt/keyrings` (as per docker) or `/usr/share/keyrings` (as per debian)
  2. whether the tasks proposed in this PR are sufficient.

If using the task `ansible.builtin.get_url` is preferred, I believe a task like this might be required as well directly afterwards:

```yaml
- name: Dearmor Docker GPG key
  ansible.builtin.command: gpg --dearmor /etc/apt/keyrings/docker.gpg
```

kawadeomkar avatar Nov 17 '23 04:11 kawadeomkar

This worked for me!

bryion avatar Nov 17 '23 04:11 bryion

This also affects Ubuntu.

~@geerlingguy sorry for the ping, but this role is currently not only not working; every time it is used and rolled out it re-breaks the docker repositories and apt update on existing machines.~

EDIT:

Actually, although the `/etc/apt/trusted.gpg.d/` path used by this role is outdated, it still works because the path to the keyfile is hardcoded into the apt repository source file:

https://github.com/geerlingguy/ansible-role-docker/blob/8ff4a241477f5f24c718d606a2ee450b370cc47c/defaults/main.yml#L41

so this doesn't even necessarily have to be changed yet. All I had to do was delete the `/etc/apt/sources.list.d/download_docker_com_linux_ubuntu.list` file that was on that machine and caused the conflict. But I have no idea where that file (a duplicate reference to the docker repo) came from.

EDIT2:

Yeah okay, I see now this was discussed in #434. The filename was changed in https://github.com/geerlingguy/ansible-role-docker/commit/c3a127134d6bde44bdd57fa1be1751f77d887614. This is a breaking change, as we see by these issues and PRs, but to be fair it was changed when going from role version 6.2.0 to 7.0.0, so a new major version.

All is well if you pin your role versions and read through every commit and diff before updating...

jantari avatar Nov 29 '23 10:11 jantari
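A small audit script for the situation described in the first post and in the comment above: a stale duplicate entry under `sources.list.d` for the same repository with a different (or missing) `Signed-By`, and a `Signed-By` keyring path that is not actually on disk. It is an added example, not code from the role, the PR or any commenter; the sample `.list` files and the placeholder key content are constructed in a temporary directory, so it runs offline.

```shell
# Added example (not from the role or this thread): audit apt .list files for
# the two failure modes discussed above: one repository listed twice with
# different Signed-By values (apt's "Conflicting values set for option
# Signed-By" error) and a Signed-By keyring that is not on disk. Keys in
# /etc/apt/trusted.gpg.d are trusted for every repository; Signed-By scopes a
# key to one source, which is why the keyring location matters.

# Print one "uri#suite|signed-by" line per "deb" entry found in $1/*.list.
list_sources() {
    for f in "$1"/*.list; do
        [ -e "$f" ] || continue
        grep -E '^deb ' "$f" | while IFS= read -r line; do
            key=$(printf '%s\n' "$line" | sed -n 's/.*signed-by=\([^] ]*\).*/\1/p')
            rest=$(printf '%s\n' "$line" | sed 's/^deb \(\[[^]]*] \)\{0,1\}//')
            printf '%s#%s|%s\n' "${rest%% *}" "$(printf '%s' "$rest" | cut -d' ' -f2)" "$key"
        done
    done
}

# "armored" for an ASCII-armored keyring, "binary" otherwise (apt accepts both).
key_format() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' && echo armored || echo binary
}

# Return 0 when the sources are consistent, 1 when any finding was printed.
audit_apt_sources() {
    tmp=$(mktemp); findings=0
    list_sources "$1" | sort -u > "$tmp"
    for repo in $(cut -d'|' -f1 "$tmp" | sort | uniq -d); do
        echo "CONFLICT: Signed-By differs for ${repo%#*} ${repo#*#}:"
        awk -F'|' -v r="$repo" '$1 == r { print "  signed-by=" ($2 == "" ? "<none>" : $2) }' "$tmp"
        findings=$((findings + 1))
    done
    for key in $(cut -d'|' -f2 "$tmp" | grep -v '^$' | sort -u); do
        if [ -f "$key" ]; then echo "OK: $key ($(key_format "$key"))"
        else echo "MISSING: $key is referenced but not present"; findings=$((findings + 1)); fi
    done
    rm -f "$tmp"
    [ "$findings" -eq 0 ]
}

# Constructed sample mirroring the thread: docker.list pins the key, a stale duplicate does not.
demo_dir=$(mktemp -d); mkdir -p "$demo_dir/keyrings"
printf -- '-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed sample, not a real key)\n' > "$demo_dir/keyrings/docker.asc"
echo "deb [arch=amd64 signed-by=$demo_dir/keyrings/docker.asc] https://download.docker.com/linux/ubuntu jammy stable" > "$demo_dir/docker.list"
echo "deb [arch=amd64] https://download.docker.com/linux/ubuntu jammy stable" > "$demo_dir/download_docker_com_linux_ubuntu.list"
audit_apt_sources "$demo_dir" || echo "apt sources need attention before running apt update"
```

Point it at `/etc/apt/sources.list.d` on a real host to see which entry is the leftover one before deleting anything.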

See: https://www.jeffgeerling.com/blog/2022/aptkey-deprecated-debianubuntu-how-fix-ansible as well...

geerlingguy avatar Nov 29 '23 17:11 geerlingguy

Thank you @jantari and @geerlingguy for the information. I will update this PR and @ you again when it is ready.

kawadeomkar avatar Nov 30 '23 23:11 kawadeomkar

Hello, apologies for the delay. I was out on vacation with limited internet connectivity. I've updated the PR to only contain edits to save to `/apt/keyrings` using the original `get_url` ansible command. @jantari Please take a look whenever you get the chance, thanks!

kawadeomkar avatar Dec 18 '23 21:12 kawadeomkar

This also fixes Raspbian compatibility. For Raspbian it is also necessary to change these variables:

```yaml
docker_apt_arch: armhf
docker_apt_ansible_distribution: raspbian
```

https://docs.docker.com/engine/install/raspberry-pi-os/#install-using-the-repository

rizlas avatar Jan 05 '24 15:01 rizlas

@geerlingguy sorry for the tag but could you take a look whenever you get a chance? Thanks

kawadeomkar avatar Feb 01 '24 00:02 kawadeomkar

> @geerlingguy sorry for the tag but could you take a look whenever you get a chance? Thanks

It would be pretty wonderful. I've got the same problem. Really waiting for it to be merged.

mihalt avatar Mar 29 '24 18:03 mihalt

LGTM. Docker install script also uses /etc/apt/keyrings.

jamesmyatt avatar May 26 '24 12:05 jamesmyatt