Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Created attachment 1840207[details]
reposync debug output
Description of problem:
reposync with installroot specified fails when repo file contains repo_gpgcheck=1. When I comment out that directive it works fine.
Version-Release number of selected component (if applicable):
# rpm -qa python3-dnf
python3-dnf-4.4.2-11.el8.noarch
How reproducible:
I'm doing this:
> sudo su - repoman
> pubrepoadm distro sync -n pgdg14
pubrepoadm is a script which calls:
reposync -c /data/yumrepos/public/distroroot/common-8/etc/dnf.conf -p /data/yumrepos/public/pkgmirror/common/8/x86_64 -g -n --download-metadata --remote-time --repoid=pgdg14
There is installroot specified in that dnf.conf. The repo file contains this:
[pgdg14]
name=PostgreSQL 14 for RHEL/CentOS $releasever - $basearch
baseurl=https://download.postgresql.org/pub/repos/yum/14/redhat/rhel-$releasever-$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG
repo_gpgcheck = 1
I'm getting:
Errors during downloading metadata for repository 'pgdg14':
- Curl error (37): Couldn't read a file:// file for file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG [Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG]
Error: Failed to retrieve GPG key for repo 'pgdg14': Curl error (37): Couldn't read a file:// file for file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG [Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG]
I've tried with --installroot instead of -c and with both of them specified, but
the result is the same.
Debug output with '-d 10' is in the attachment.
Contents of dnf.conf in installroot:
[main]
installroot=/data/yumrepos/public/distroroot/common-8
# This should probably be removed for CentOS 8 because it's logging in
# reporoot.
logfile=/var/log/repoman/dnf.log
keepcache=0
payload_gpgcheck=1
gpgcheck=1
assumeno=1
installonly_limit=3
clean_requirements_on_remove=True
best=True
skip_if_unavailable=False
The default OS directory does not contain the GPG key mentioned in the error message:
# ls /etc/pki/rpm-gpg
RPM-GPG-KEY-AlmaLinux RPM-GPG-KEY-EPEL-8
But it is present in the installroot:
# ls /data/yumrepos/public/distroroot/common-8/etc/pki/rpm-gpg
RPM-GPG-KEY-elrepo.org RPM-GPG-KEY-jenkins RPM-GPG-KEY-SALTSTACK
RPM-GPG-KEY-EPEL-8 RPM-GPG-KEY-nginx
RPM-GPG-KEY-grafana RPM-GPG-KEY-PGDG
All those keys are imported in the respective keyrings (OS default in the OS keyring and installroot keys in the installroot keyring).
It seems to me that reposync attempted to fetch the GPG key file from the OS path /etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG instead from that path inside installroot.
I'm also attaching dnf.librepo.log from the installroot. It doesn't have additional information, though.
Steps to Reproduce:
1. Create minimal installroot necessary for reposync to function
2. Add the above repo file
3. Run reposync
If I comment out repo_gpgcheck directive everything works fine.
Actual results:
Execution is aborted.
Expected results:
reposync should be able to do its thing without an error.
Additional info:
In the debug output there is:
Failed to create directory "/run/user/1104": 13 - Permission denied
1104 is the UID for repoman user. I've created that directory manually, but the result is the same. The only difference is that an empty directory named gnupg is created there.
I have investigated this and I believe it is not a bug.
> It seems to me that reposync attempted to fetch the GPG key file from the OS path /etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG instead from that path inside installroot.
You are correct, this is documented in the dnf manpage installroot section:
...
cachedir, log files, releasever, and gpgkey are taken from or stored in the installroot.
Gpgkeys are imported into the installroot from a path relative to the host which can be specified in the repository section of configuration files.
...
This means that it tries to load the gpg key from the host and store it inside the installroot. I think the first sentence could be confusing and there is room for improvement but it is clarified in the second sentence.
> All those keys are imported in the respective keyrings (OS default in the OS keyring and installroot keys in the installroot keyring).
If you mean they are imported by rpm that is only relevant to the `gpgcheck` option (so for packages) for `repo_gpgcheck` - for signed repository metadata we actually store keys separately for each repo. Therefore the key is likely not yet imported for the pgdg14 repo.
You can verify this if you place the key into /etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG on the host and run reposync, it will ask to import it and everything will work. If you try reposync again but remove the `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG` setting from the repo config it will continue to work because the key is already imported.
I think this is not documented anywhere though so we could fix that if you think it would be helpful.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (dnf bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:7712