Download yum keys to host before installing

The LXC image prep script copies the contents of /etc/pki/rpm-gpg to the container image so that these keys can be used inside the container. Importantly, /etc/pki/rpm-gpg is only a staging area where keys are kept on the filesystem and is not the actual set of keys imported into the package manager database. For the EPEL key to be properly copied into the LXC container image it must first be staged into the host /etc/pki/rpm-gpg directory and then installed using the rpm_key module. If the key is installed directly using rpm_key then it is not available as a file to copy into the container image. Depends-On: https://review.opendev.org/735289 Change-Id: Ifdeb447e1ef000dbe83394f6e5b0ed3c7afc84c5
2020-06-16 09:06:08 +01:00 · 2020-06-16 09:06:08 +01:00 · 295c3c0a93
commit 295c3c0a93
parent 37f3a9fe9e
3 changed files with 24 additions and 9 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -246,13 +246,14 @@ lxc_cache_locales: "{{ _lxc_cache_locales | default(['en_US.UTF-8']) }}"

 # Centos EPEL repository options
 lxc_centos_epel_mirror: "{{ centos_epel_mirror | default('http://download.fedoraproject.org/pub/epel') }}"
-lxc_centos_epel_key: "{{ centos_epel_key | default('http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7') }}"
+lxc_centos_epel_key: "{{ centos_epel_key | default('http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-' ~ ansible_distribution_major_version) }}"

-# LXC must be installed from a COPR repository on CentOS 7 since the version
+# LXC must be installed from a COPR repository on CentOS since the version
 # provided in EPEL is much too old (1.x).
 lxc_centos_package_baseurl: https://copr-be.cloud.fedoraproject.org/results/thm/lxc2.0/epel-7-x86_64/
 lxc_centos_package_key: https://copr-be.cloud.fedoraproject.org/results/thm/lxc2.0/pubkey.gpg

+
 ## Set default mirror for openSUSE repositories
 # NOTE(hwoarang): Ensure that the full path to the 'opensuse' directory is used.
 # Additionally, set 'lxc_hosts_opensuse_mirror_obs_url' to a mirror which also mirrors
--- a/tasks/lxc_install_dnf.yml
+++ b/tasks/lxc_install_dnf.yml
@ -76,9 +76,18 @@
    - "rsync -a --delete /tmp/thm-lxc2.0/ /opt/thm-lxc2.0/"
    - "yum-config-manager --enable thm-lxc2.0-local"

+- name: Download EPEL gpg keys
+  get_url:
+     url: "{{ lxc_centos_epel_key }}"
+     dest: /etc/pki/rpm-gpg
+  register: _get_yum_keys
+  until: _get_yum_keys is success
+  retries: 5
+  delay: 2
+
 - name: Install EPEL gpg keys
  rpm_key:
-    key: "http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7"
+    key: "/etc/pki/rpm-gpg/{{ lxc_centos_epel_key.split('/')[-1] }}"
    state: present
  register: _add_yum_keys
  until: _add_yum_keys is success
--- a/tasks/lxc_install_yum.yml
+++ b/tasks/lxc_install_yum.yml
@ -34,15 +34,20 @@
  retries: 5
  delay: 2

- name: Install EPEL gpg keys
-  rpm_key:
-    key: "{{ lxc_centos_epel_key }}"
-    state: present
-  register: _add_yum_keys
-  until: _add_yum_keys is success
+- name: Download EPEL gpg keys
+  get_url:
+     url: "{{ lxc_centos_epel_key }}"
+     dest: /etc/pki/rpm-gpg
+  register: _get_yum_keys
+  until: _get_yum_keys is success
  retries: 5
  delay: 2

+- name: Install EPEL gpg keys
+  rpm_key:
+    key: "/etc/pki/rpm-gpg/{{ lxc_centos_epel_key.split('/')[-1] }}"
+    state: present
+
 - name: Install the EPEL repository
  yum_repository:
    name: epel-lxc_hosts