Bug 1237057
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | GPG key retrieval failed when EPEL is enabled on host | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Michal Fojtik <mfojtik> |
| Component: | docker | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED WONTFIX | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | dwalsh, ghelleks, jhonce, jinqlu, joseph.spriano, lsm5, mfojtik, praiskup, riek, tasander, tng1606, tsweeney, vpavlin, walters |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-06-09 21:10:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Michal Fojtik
2015-06-30 09:53:56 UTC
Is this for docker build? Can't you just download the keys into the container?

I think we would want to make the same symlink magic we do to make this work properly. Michal can you answer the questions ^^

Daniel: Yes, I can but I would expect this to work smoothly when using repos from my host machine.

Daniel Riek what do you think the correct solution is?

I think the solution makes sense - mount the gpg keys directory in addition to the client certs directory to complete the secrets requirements. The yum install inside the container would also have to "accept/insert" the GPG key on first run. Is that going to be a problem?

Then the goal would be to mount /etc/pki/rpm-gpg /run/secrets/rpm-gpg

What is the location of the Certs dir?

Will this work if I am on a RHEL7 box and have a RHEL6 image? RHEL6 EPEL?

If you just add a link

    ls -l /etc/pki/rpm-gpg /usr/share/rhel/secrets/rpm-gpg

You will get the content into the container. Under /run/secrets

Something is wrong here, or? Having EPEL-7 propagated into Dockerfile does seem to be a security problem. It is like we've done a mock build for a *pure* RHEL-7 chroot but EPEL-7 was available inside. I mean, yes - the host needs to properly define the right yum repos and related GPG keys, but inheriting *all* the repos from the host sounds wrong.

I want more precise control over the repos that the secrets patch/subman is injecting from the host, as well as the ability to have yum repos defined on the host that are *only* injected for containers. At the moment, one can work around all of this by basically disabling the secrets patch inside each container, create a bind mount -v /etc/pkgrepos.d:/etc/pkgrepos.d, then inside the container, rm /etc/yum.repos.d/redhat.repo && cp -a /etc/pkgrepos.d/* /etc/yum.repos.d etc.

Solution that worked for me (CentOS 7):
1. Delete all epel***.repo files inside /etc/yum.repo.d/ folder
2. Reinstall these repo files: yum install epel-release

My case: Running Red Hat Openstack 7, it has the same error. The reason is that the install is looking for "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL", but the file there is "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7", so the easy fix is to copy the file "RPM-GPG-KEY-EPEL-7" as "RPM-GPG-KEY-EPEL" in the same dir, re-run the install, and everything is fine.

```
$ sudo yum install -y python-rdomanager-oscplugin
warning: /var/cache/yum/x86_64/7Server/epel/packages/fio-2.2.8-2.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
GPG key retrieval failed: [Errno 14] curl#37 - "Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL"
[stack@osp7_director ~]$ ls -l /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
ls: cannot access /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL: No such file or directory
[stack@lab31_osp7_director ~]$ ls -l /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL*
-rw-r--r--. 1 root root 1662 Nov 25  2014 /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
$ sudo cp /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
$ sudo yum install -y python-rdomanager-oscplugin
...Complete!
```

We have no plans to ship another version of Docker at this time. RHEL7 is in final support stages where only security fixes will get released. Customers should move to use Podman which is available starting in RHEL 7.6.
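The failure in this thread is a repo definition whose `gpgkey=file://` URL names a key file that is not on the host (RPM-GPG-KEY-EPEL instead of RPM-GPG-KEY-EPEL-7), which yum only reports once a signed package has already been downloaded. The script below is an added example, not code from the bug report, docker or yum: it audits a directory of `*.repo` files up front and reports every enabled repo whose `gpgkey=file://` target is missing, and, going one step beyond the thread, every enabled repo with `gpgcheck=0`. It assumes stock INI-style repo files; `check_repo_keys`, `make_fixture` and every path and repo id in the fixture are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report, docker or yum: audit a directory
# of *.repo files and flag every enabled repo whose gpgkey=file:// target is
# absent from disk, or whose gpgcheck is explicitly 0. A missing key file is
# what yields "GPG key retrieval failed ... Couldn't open file" in the thread.
# Assumes stock INI-style repo files; every path and repo below is constructed.

# check_repo_keys REPO_DIR
#   Prints one line per finding: "<repo-id> missing <path>" or
#   "<repo-id> gpgcheck-off". Returns 1 if anything was flagged, else 0.
check_repo_keys() {
    _found=$(
        for f in "$1"/*.repo; do
            [ -f "$f" ] || continue
            awk '
                function flush(   n, i, keys, path) {
                    if (repo == "" || enabled == "0") return   # disabled repos are skipped
                    if (gpgcheck == "0") print repo " gpgcheck-off"
                    n = split(gpgkey, keys, /[ \t]+/)
                    for (i = 1; i <= n; i++)
                        if (keys[i] ~ /^file:\/\//) {
                            path = substr(keys[i], 8)           # strip "file://"
                            if (system("test -f \"" path "\"") != 0)
                                print repo " missing " path
                        }
                }
                /^\[/ { flush(); repo = substr($0, 2, index($0, "]") - 2)
                        enabled = "1"; gpgcheck = ""; gpgkey = ""; next }
                /^[ \t]*enabled[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); enabled = $0 }
                /^[ \t]*gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); gpgcheck = $0 }
                /^[ \t]*gpgkey[ \t]*=/   { sub(/^[^=]*=[ \t]*/, ""); gpgkey = $0 }
                /^[ \t]+file:\/\//       { gpgkey = gpgkey " " $0 }   # continuation line
                END { flush() }
            ' "$f"
        done
    )
    [ -n "$_found" ] || return 0
    printf '%s\n' "$_found"
    return 1
}

# make_fixture DIR: constructed host layout mirroring the thread. The key on
# disk is RPM-GPG-KEY-EPEL-7, but the epel repo references RPM-GPG-KEY-EPEL.
make_fixture() {
    mkdir -p "$1/yum.repos.d" "$1/rpm-gpg"
    printf -- '-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed placeholder)\n-----END PGP PUBLIC KEY BLOCK-----\n' \
        > "$1/rpm-gpg/RPM-GPG-KEY-EPEL-7"
    cat > "$1/yum.repos.d/epel.repo" <<EOF
[epel]
name=Extra Packages for Enterprise Linux 7
enabled=1
gpgcheck=1
gpgkey=file://$1/rpm-gpg/RPM-GPG-KEY-EPEL

[epel-debuginfo]
name=EPEL 7 debuginfo (disabled, so it is not reported)
enabled=0
gpgcheck=1
gpgkey=file://$1/rpm-gpg/RPM-GPG-KEY-EPEL
EOF
    cat > "$1/yum.repos.d/local.repo" <<EOF
[local-unsigned]
name=constructed local repo with signature checking turned off
enabled=1
gpgcheck=0
gpgkey=file://$1/rpm-gpg/RPM-GPG-KEY-EPEL-7
EOF
}

# Stand-alone use: `sh repo-key-audit.sh /etc/yum.repos.d` (exit 1 on findings).
# With no argument it runs against the constructed fixture instead of a host.
main() {
    if [ $# -eq 1 ]; then
        check_repo_keys "$1"
    else
        d=$(mktemp -d)
        make_fixture "$d"
        check_repo_keys "$d/yum.repos.d" || true
        rm -rf "$d"
    fi
}
main "$@"
```

Run against the fixture it reports `epel missing .../rpm-gpg/RPM-GPG-KEY-EPEL` and `local-unsigned gpgcheck-off`; after the copy workaround from the thread only the second finding remains. On a real host the better fix for a wrong key name is to correct the repo definition (the CentOS comment's reinstall of epel-release does exactly that), since the file placed under the expected name must be the key the packages are actually signed with, and a `gpgcheck=0` finding means packages from that repo are installed with no signature check at all.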