guests/lcitool | 24 +++++++++++++++++------- guests/playbooks/update/tasks/base.yml | 9 +++++++++ 2 files changed, 26 insertions(+), 7 deletions(-)
During each Rawhide development cycle there is a point
at which packages start being signed with new keys, which
causes updates to fail.
To work around the problem, make sure fedora-gpg-keys is
updated before attempting to update all other packages;
updating fedora-gpg-keys itself requires gpg signature
checking to be disabled.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
---
I am actually not 100% sure we need to disable gpg
signature checking in order to update fedora-gpg-keys:
it would make sense for that one package to be signed
with the old key to make the update possible without
breaking trust at any point in time. Unfortunately I
updated my Rawhide guest without taking a snapshot
first, and I can't figure out a way to get it back to
a state suitable for checking whether the above makes
sense :( Perhaps someone with deeper understanding of
the Fedora release process will confirm or deny.
guests/lcitool | 24 +++++++++++++++++-------
guests/playbooks/update/tasks/base.yml | 9 +++++++++
2 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/guests/lcitool b/guests/lcitool
index 821cafc..ddeee6a 100755
--- a/guests/lcitool
+++ b/guests/lcitool
@@ -511,7 +511,8 @@ class Application:
facts = self._inventory.get_facts(host)
package_format = facts["package_format"]
os_name = facts["os_name"]
- os_full = os_name + str(facts["os_version"])
+ os_version = str(facts["os_version"])
+ os_full = os_name + os_version
if package_format not in ["deb", "rpm"]:
raise Error("Host {} doesn't support Dockerfiles".format(host))
@@ -560,12 +561,21 @@ class Application:
apt-get autoclean -y
"""))
elif package_format == "rpm":
- sys.stdout.write(textwrap.dedent("""
- RUN yum update -y && \\
- yum install -y ${PACKAGES} && \\
- yum autoremove -y && \\
- yum clean all -y
- """))
+ if os_name == "Fedora" and os_version == "Rawhide":
+ sys.stdout.write(textwrap.dedent("""
+ RUN yum update -y --nogpgcheck fedora-gpg-keys && \\
+ yum update -y && \\
+ yum install -y ${PACKAGES} && \\
+ yum autoremove -y && \\
+ yum clean all -y
+ """))
+ else:
+ sys.stdout.write(textwrap.dedent("""
+ RUN yum update -y && \\
+ yum install -y ${PACKAGES} && \\
+ yum autoremove -y && \\
+ yum clean all -y
+ """))
def run(self):
cmdline = self._parser.parse_args()
diff --git a/guests/playbooks/update/tasks/base.yml b/guests/playbooks/update/tasks/base.yml
index 11f600f..cc16eb0 100644
--- a/guests/playbooks/update/tasks/base.yml
+++ b/guests/playbooks/update/tasks/base.yml
@@ -64,6 +64,15 @@
- not ( os_name == 'Fedora' and
os_version == 'Rawhide' )
+- name: Update installed packages
+ package:
+ name: fedora-gpg-keys
+ state: latest
+ disable_gpg_check: yes
+ when:
+ - os_name == 'Fedora'
+ - os_version == 'Rawhide'
+
- name: Update installed packages
command: dnf update --refresh --exclude 'kernel*' -y
args:
--
2.17.1
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
On Tue, Sep 04, 2018 at 03:59:23PM +0200, Andrea Bolognani wrote: > During each Rawhide development cycle there is a point > at which packages start being signed with new keys, which > causes updates to fail. > > To work around the problem, make sure fedora-gpg-keys is > updated before attempting to update all other packages; > updating fedora-gpg-keys itself requires gpg signature > checking to be disabled. > > Signed-off-by: Andrea Bolognani <abologna@redhat.com> > --- > I am actually not 100% sure we need to disable gpg > signature checking in order to update fedora-gpg-keys: > it would make sense for that one package to be signed > with the old key to make the update possible without > breaking trust at any point in time. Unfortunately I > updated my Rawhide guest without taking a snapshot > first, and I can't figure out a way to get it back to > a state suitable for checking whether the above makes > sense :( Perhaps someone with deeper understanding of > the Fedora release process will confirm or deny. > guests/lcitool | 24 +++++++++++++++++------- > guests/playbooks/update/tasks/base.yml | 9 +++++++++ > 2 files changed, 26 insertions(+), 7 deletions(-) After chatting with one of the Fedora team about this, we came to conclusion there's no nicer option right now, so Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
© 2016 - 2024 Red Hat, Inc.