Bug 1382335

Summary: gpg2 started from PackageKit or dnf leaves "gpg-agent"s hanging around for every disabled repository
Product: [Fedora] Fedora Reporter: Christian Stadelmann <fedora>
Component: librepoAssignee: Tomas Mlcoch <tmlcoch>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 26CC: bcl, dennis, gabriel, jamielinux, jonathan, klember, rdieter, rhughes, rpm-software-management, smparrish, tmlcoch, tmraz
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-21 19:34:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Christian Stadelmann 2016-10-06 11:42:28 UTC
Description of problem:
At any time I'm looking into the list of processes running on my F25 alpha machine, I'm seeing a bunch of gpg-agents hanging around:

Version-Release number of selected component (if applicable):
gnupg2-2.1.13-2.fc25.x86_64
PackageKit-1.1.4-1.fc25.x86_64
gnome-software-3.22.0-1.fc25.x86_64

How reproducible:
I don't know

Steps to Reproduce:
1. have some repositories disabled, so they have .repo files in /etc/yum.repos.d/, but don't show up in `dnf repolist`
2. have a look at `ps -aux | grep gpg-agent`

Actual results:
$ ps -aux | grep gpg-agent
root      8217  0.0  0.0 167832   612 ?        Ss   11:18   0:00 gpg-agent --homedir /var/cache/PackageKit/25/metadata/mildew-usbguard.tmp/gpgdir --use-standard-socket --daemon
root      8770  0.0  0.0 167832   552 ?        Ss   13:34   0:00 gpg-agent --homedir /var/cache/PackageKit/25/metadata/rpmfusion-free-updates.tmp/gpgdir --use-standard-socket --daemon
root      9497  0.0  0.0 167832   556 ?        Ss   13:34   0:00 gpg-agent --homedir /var/cache/PackageKit/25/metadata/rpmfusion-nonfree-updates.tmp/gpgdir --use-standard-socket --daemon
root      9758  0.0  0.0 167832   680 ?        Ss   13:34   0:00 gpg-agent --homedir /var/cache/PackageKit/25/metadata/mangelajo-kicad.tmp/gpgdir --use-standard-socket --daemon
root     10789  0.0  0.0 167832   552 ?        Ss   13:34   0:00 gpg-agent --homedir /var/cache/PackageKit/25/metadata/fabiand-rust-binary.tmp/gpgdir --use-standard-socket --daemon
root     11571  0.0  0.0 167832   620 ?        Ss   13:34   0:00 gpg-agent --homedir /var/cache/PackageKit/25/metadata/timlau-yumex-dnf.tmp/gpgdir --use-standard-socket --daemon
christi+ 17795  0.0  0.0 119388   944 pts/1    S+   13:36   0:00 grep --color=auto gpg-agent
christi+ 22603  0.0  0.0 276184   880 ?        Ss   13:33   0:00 gpg-agent --homedir /home/christian/.gnupg --use-standard-socket --daemon

Expected results:
gpg agents don't have to run all the time.
For disabled yum repositories there shouldn't be any gpg agent running. There is no need to ever do this.

Additional info:
this bug seems to affect disabled repositories only.
The processes are child to PID 1.

Comment 1 Gabriel PREDA 2016-12-24 11:42:14 UTC
This heppens to me too:

.........
 2662 ?        Ss     0:00 gpg-agent --homedir /var/cache/PackageKit/25/metadata/updates.tmp/gpgdir --use-standard-socket --daemon
 2843 ?        Ss     0:00 gpg-agent --homedir /var/cache/PackageKit/25/metadata/zyga-snapcore.tmp/gpgdir --use-standard-socket --da
[eRadical@me ~]$ sudo strace -p 2843
strace: Process 2843 attached
pselect6(4, [3], NULL, NULL, {tv_sec=1, tv_nsec=606607385}, {[], 8}) = 0 (Timeout)
pselect6(4, [3], NULL, NULL, {tv_sec=2, tv_nsec=1014}, {[], 8}) = 0 (Timeout)
clone(child_stack=0x7ff5470bcff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7ff5470bd9d0, tls=0x7ff5470bd700, child_tidptr=0x7ff5470bd9d0) = 3916
futex(0x7ff547ab8060, FUTEX_WAKE_PRIVATE, 1) = 1
pselect6(4, [3], NULL, NULL, {tv_sec=2, tv_nsec=91591}, {[], 8}) = 1 (in [3], left {tv_sec=2, tv_nsec=89314})
accept(3, {sa_family=AF_UNIX}, [110->2]) = 5
clone(child_stack=0x7ff5468bbff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7ff5468bc9d0, tls=0x7ff5468bc700, child_tidptr=0x7ff5468bc9d0) = 3917
futex(0x7ff547ab8060, FUTEX_WAKE_PRIVATE, 1) = 1
pselect6(4, [3], NULL, NULL, {tv_sec=1, tv_nsec=999802436}, {[], 8}) = 0 (Timeout)
pselect6(4, [3], NULL, NULL, {tv_sec=2, tv_nsec=926}, {[], 8}) = 0 (Timeout)
pselect6(4, [3], NULL, NULL, {tv_sec=2, tv_nsec=747}, {[], 8}) = 0 (Timeout)
pselect6(4, [3], NULL, NULL, {tv_sec=2, tv_nsec=570}, {[], 8}) = 0 (Timeout)
pselect6(4, [3], NULL, NULL, {tv_sec=2, tv_nsec=673}, {[], 8}^Cstrace: Process 2843 detached
 <detached ...>

PackageKit.x86_64 1.1.4-2.fc25

Comment 2 Dennis Gilmore 2017-03-10 00:42:26 UTC
We hit this composing branched Fedora https://pagure.io/fedora-kickstarts/c/1c70356e936a8535ebd94d02a5cf3370b410f5df?branch=f26 is the workaround we had to do to get livecds working again PackageKit has to ensure it cleans up gpg-agent after itself

Comment 3 Christian Stadelmann 2017-05-15 16:20:41 UTC
On Fedora 26, this issue also affects dnf, which shares just a few libraries (librepo, libsolv) with PackageKit. As strace reveals, the `gpg-agent` processes are started from gpg2, running with this command line:
> execve("/usr/bin/gpg2", ["gpg2", "--enable-special-filenames", "--batch", "--no-sk-comments", "--status-fd", "38", "--no-tty", "--charset", "utf8", "--enable-progress-filter", "--exit-on-status-write-error", "--import", "--", "-&39"], [/* 25 vars */] <unfinished ...>

which, in turn, starts gpg-agent:

> execve("/usr/bin/gpg-agent", ["gpg-agent", "--homedir", "/tmp/tmpc5mct44v", "--use-standard-socket", "--daemon"], [/* 25 vars */]) = 0

So it looks like the issue is actually in gpg2, not PackageKit. Reassinging then.

Steps to reproduce for dnf:
1. run `dnf upgrade`
2. after dnf finished, have a look at the list of running processes.

Steps to reproduce for gnome-software (using PackageKit):
1. open gnome-software
2. on "Updates" page, press the refresh button
3. exit gnome-software
4. have a look at the list of running processes.

Steps to reproduce for pkcon (the PackageKit command line utility):
1. run $ pkcon --cache-age=10 get-updates
2. after pkcon finished, have a look at the list of running processes.

What happens:
A list of gpg-agent processes is still running and gets more and more on every of the "Steps to reproduce" options above. Those processes are never terminated, even though they finished their work.

Comment 4 Tomas Mraz 2017-05-16 06:31:25 UTC
I do not see any ways around it than killing the gpg-agent from the process that runs the gpg with the different homedir. The gpg-agent is kept running by gpg because it would be used for subsequent gpg runs with the same homedir. If the homedir is just temporary and there won't be any subsequent gpg runs the gpg-agent must be explicitly killed.

The agent can be killed with:

gpgconf --kill gpg-agent

Comment 5 Fedora End Of Life 2018-05-03 08:26:07 UTC
This message is a reminder that Fedora 26 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 26. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '26'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 26 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 6 Christian Stadelmann 2018-05-21 19:34:55 UTC
This issue is not present any more on Fedora 28.