From 8057b2d926650d430c735ef61f4c145a5843c33f Mon Sep 17 00:00:00 2001 From: Zhao Chao Date: Thu, 12 Jul 2018 21:52:39 +0800 Subject: [PATCH] More reliable gpg keys importing in DIB elements We're still seeing apt-key failed to import gpg keys these days during the images building in the gate jobs, the problem is keys.gnupg.net and keyserver.ubuntu.com are both not stable according to [1] and [2], it's better to adopt pool.sks-keyservers.net instead and with simple retries. To reduce code duplication, this common apt-key importing function is also moved to ubuntu-guest as an environment snippet. [1] https://www.gnupg.org/faq/gnupg-faq.html#new_user_default_keyserver [2] https://sks-keyservers.net/overview-of-pools.php Closes-Bug: #1579094 Change-Id: I0fe200d140f6f9c4d423dd498797a225e3295a71 Signed-off-by: Zhao Chao --- .../99-reliable-apt-key-importing.bash | 34 +++++++++++++++++++ .../pre-install.d/10-percona-apt-key | 21 ------------ .../pre-install.d/10-mongodb-apt-key | 4 +-- .../pre-install.d/10-percona-apt-key | 21 ------------ .../pre-install.d/10-percona-apt-key | 21 ------------ .../pre-install.d/10-percona-apt-key | 21 ------------ .../install.d/30-mariadb | 6 ++-- .../install.d/30-mariadb | 6 ++-- 8 files changed, 44 insertions(+), 90 deletions(-) create mode 100644 integration/scripts/files/elements/ubuntu-guest/environment.d/99-reliable-apt-key-importing.bash diff --git a/integration/scripts/files/elements/ubuntu-guest/environment.d/99-reliable-apt-key-importing.bash b/integration/scripts/files/elements/ubuntu-guest/environment.d/99-reliable-apt-key-importing.bash new file mode 100644 index 0000000000..2661fc05cc --- /dev/null +++ b/integration/scripts/files/elements/ubuntu-guest/environment.d/99-reliable-apt-key-importing.bash 
@@ -0,0 +1,34 @@
+# sometimes the primary key server is unavailable and we should try an
+# alternate. see
+# https://bugs.launchpad.net/percona-server/+bug/907789. Disable
+# shell errexit so we can interrogate the exit code and take action
+# based on the exit code. We will reenable it later.
+#
+# NOTE(zhaochao): we still have this problem from time to time, so it's
+# better use more reliable keyservers and just retry on that(for now, 3
+# tries should be fine).
+# According to:
+# [1] https://www.gnupg.org/faq/gnupg-faq.html#new_user_default_keyserver
+# [2] https://sks-keyservers.net/overview-of-pools.php
+# we'll just the primary suggested pool: pool.sks-keyservers.net.
+function get_key_robust() {
+ KEY=$1
+ set +e
+
+ tries=1
+ while [ $tries -le 3 ]; do
+ if [ $tries -eq 3 ]; then
+ set -e
+ fi
+
+ echo "Importing the key, try: $tries"
+ apt-key adv --keyserver hkp://pool.sks-keyservers.net \
+ --recv-keys ${KEY} && break
+
+ tries=$((tries+1))
+ done
+
+ set -e
+}
+
+export -f get_key_robust
diff --git a/integration/scripts/files/elements/ubuntu-mariadb/pre-install.d/10-percona-apt-key b/integration/scripts/files/elements/ubuntu-mariadb/pre-install.d/10-percona-apt-key
index 55b5ef81d6..83bf943593 100755
--- a/integration/scripts/files/elements/ubuntu-mariadb/pre-install.d/10-percona-apt-key
+++ b/integration/scripts/files/elements/ubuntu-mariadb/pre-install.d/10-percona-apt-key
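Review bot: In `get_key_robust` (99-reliable-apt-key-importing.bash) a key that fails all three attempts is not reported as an error. In `apt-key adv ... && break` the failing command sits on the left of `&&`, where bash ignores errexit, so the `set -e` on the third try has no effect and the function finishes on the trailing `set -e` with status 0. The image build then carries on without the repository signing key, and the failure surfaces later, if at all, as an apt verification problem rather than at the import step. I would test the command in an `if`, return non-zero after the last attempt, and drop the `set +e`/`set -e` toggling, which also rewrites the caller's shell options. `KEY` and `tries` should also be `local`, and the key argument quoted.

```bash
function get_key_robust() {
    local key=$1
    local tries

    # A command tested by `if` is exempt from errexit, so no set +e/-e toggling is needed.
    for tries in 1 2 3; do
        echo "Importing the key, try: $tries"
        if apt-key adv --keyserver hkp://pool.sks-keyservers.net \
                --recv-keys "${key}"; then
            return 0
        fi
    done

    # Fail loudly so a caller running under `set -e` stops the build.
    echo "Failed to import key ${key} after 3 tries" >&2
    return 1
}
```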
@@ -12,27 +12,6 @@ set -o xtrace # Add Percona GPG key mkdir -p /home/${GUEST_USERNAME}/.gnupg -# sometimes the primary key server is unavailable and we should try an -# alternate. see -# https://bugs.launchpad.net/percona-server/+bug/907789. Disable -# shell errexit so we can interrogate the exit code and take action -# based on the exit code. We will reenable it later. -function get_key_robust() { - KEY=$1 - set +e - - apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys ${KEY} - - if [ "$?" -ne "0" ]; - then - echo "Trying alternate keyserver hkp://keyserver.ubuntu.com" - set -e - apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv-keys ${KEY} - fi - - set -e -} - get_key_robust 1C4CBDCDCD2EFD2A get_key_robust 9334A25F8507EFA5 diff --git a/integration/scripts/files/elements/ubuntu-mongodb/pre-install.d/10-mongodb-apt-key b/integration/scripts/files/elements/ubuntu-mongodb/pre-install.d/10-mongodb-apt-key index 07edd12512..43ed1b0686 100755 --- a/integration/scripts/files/elements/ubuntu-mongodb/pre-install.d/10-mongodb-apt-key +++ b/integration/scripts/files/elements/ubuntu-mongodb/pre-install.d/10-mongodb-apt-key @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash set -e set -o xtrace @@ -7,7 +7,7 @@ set -o xtrace apt-get --allow-unauthenticated -y install software-properties-common -apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927 +get_key_robust EA312927 echo "deb http://repo.mongodb.org/apt/ubuntu "$(lsb_release -sc)"/mongodb-org/3.2 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.2.list diff --git a/integration/scripts/files/elements/ubuntu-mysql/pre-install.d/10-percona-apt-key b/integration/scripts/files/elements/ubuntu-mysql/pre-install.d/10-percona-apt-key index d62c605891..3c68cae9e7 100755 --- a/integration/scripts/files/elements/ubuntu-mysql/pre-install.d/10-percona-apt-key +++ b/integration/scripts/files/elements/ubuntu-mysql/pre-install.d/10-percona-apt-key 
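Review bot: The new call `get_key_robust EA312927` in 10-mongodb-apt-key selects the key by a 32-bit short ID, and the helper fetches it over plain `hkp://` from a volunteer keyserver pool. Short IDs can be made to collide, so whichever key the server returns for that ID becomes trusted by apt. The following line adds an `http://` repository, so this key is the only integrity check on those packages. Pass the full fingerprint instead, `get_key_robust <FULL_40_HEX_FINGERPRINT>` (placeholder; take the value from the vendor's published key), or ship the key file in the element and import it locally with `apt-key add`. The same applies to the 64-bit IDs passed in the two 30-mariadb hunks (`0xcbcb082a1bb943db`, `0xF1656F24C74CD1D8`) and to the unchanged percona calls such as `get_key_robust 1C4CBDCDCD2EFD2A`.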
@@ -12,27 +12,6 @@ set -o xtrace # Add Percona GPG key mkdir -p /home/${GUEST_USERNAME}/.gnupg -# sometimes the primary key server is unavailable and we should try an -# alternate. see -# https://bugs.launchpad.net/percona-server/+bug/907789. Disable -# shell errexit so we can interrogate the exit code and take action -# based on the exit code. We will reenable it later. -function get_key_robust() { - KEY=$1 - set +e - - apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys ${KEY} - - if [ "$?" -ne "0" ]; - then - echo "Trying alternate keyserver hkp://keyserver.ubuntu.com" - set -e - apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv-keys ${KEY} - fi - - set -e -} - get_key_robust 1C4CBDCDCD2EFD2A get_key_robust 9334A25F8507EFA5 diff --git a/integration/scripts/files/elements/ubuntu-percona/pre-install.d/10-percona-apt-key b/integration/scripts/files/elements/ubuntu-percona/pre-install.d/10-percona-apt-key index d323645510..4e6ec1a548 100755 --- a/integration/scripts/files/elements/ubuntu-percona/pre-install.d/10-percona-apt-key +++ b/integration/scripts/files/elements/ubuntu-percona/pre-install.d/10-percona-apt-key @@ -14,27 +14,6 @@ if [ ! -e /home/${GUEST_USERNAME}/.gnupg ]; then mkdir -p /home/${GUEST_USERNAME}/.gnupg fi -# sometimes the primary key server is unavailable and we should try an -# alternate. see -# https://bugs.launchpad.net/percona-server/+bug/907789. Disable -# shell errexit so we can interrogate the exit code and take action -# based on the exit code. We will reenable it later. -function get_key_robust() { - KEY=$1 - set +e - - apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys ${KEY} - - if [ "$?" -ne "0" ]; - then - echo "Trying alternate keyserver hkp://keyserver.ubuntu.com" - set -e - apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv-keys ${KEY} - fi - - set -e -} - get_key_robust 1C4CBDCDCD2EFD2A get_key_robust 9334A25F8507EFA5 
diff --git a/integration/scripts/files/elements/ubuntu-pxc/pre-install.d/10-percona-apt-key b/integration/scripts/files/elements/ubuntu-pxc/pre-install.d/10-percona-apt-key index d323645510..4e6ec1a548 100755 --- a/integration/scripts/files/elements/ubuntu-pxc/pre-install.d/10-percona-apt-key +++ b/integration/scripts/files/elements/ubuntu-pxc/pre-install.d/10-percona-apt-key @@ -14,27 +14,6 @@ if [ ! -e /home/${GUEST_USERNAME}/.gnupg ]; then mkdir -p /home/${GUEST_USERNAME}/.gnupg fi -# sometimes the primary key server is unavailable and we should try an -# alternate. see -# https://bugs.launchpad.net/percona-server/+bug/907789. Disable -# shell errexit so we can interrogate the exit code and take action -# based on the exit code. We will reenable it later. -function get_key_robust() { - KEY=$1 - set +e - - apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys ${KEY} - - if [ "$?" -ne "0" ]; - then - echo "Trying alternate keyserver hkp://keyserver.ubuntu.com" - set -e - apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv-keys ${KEY} - fi - - set -e -} - get_key_robust 1C4CBDCDCD2EFD2A get_key_robust 9334A25F8507EFA5 diff --git a/integration/scripts/files/elements/ubuntu-trusty-mariadb/install.d/30-mariadb b/integration/scripts/files/elements/ubuntu-trusty-mariadb/install.d/30-mariadb index eba83c70d1..e8b7dd760f 100755 --- a/integration/scripts/files/elements/ubuntu-trusty-mariadb/install.d/30-mariadb +++ b/integration/scripts/files/elements/ubuntu-trusty-mariadb/install.d/30-mariadb @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # CONTEXT: GUEST during CONSTRUCTION as ROOT # PURPOSE: Install controller base required packages 
@@ -11,7 +11,9 @@ export DEBIAN_FRONTEND=noninteractive # NOTE(vkmc): Using MariaDB repositories is required # https://mariadb.com/kb/en/mariadb/installing-mariadb-deb-files/ apt-get --allow-unauthenticated -y install software-properties-common -apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db + +get_key_robust 0xcbcb082a1bb943db + add-apt-repository 'deb http://ftp.osuosl.org/pub/mariadb/repo/10.1/ubuntu trusty main' # Pin MariaDB repository diff --git a/integration/scripts/files/elements/ubuntu-xenial-mariadb/install.d/30-mariadb b/integration/scripts/files/elements/ubuntu-xenial-mariadb/install.d/30-mariadb index 521f3e68ba..85b86d5dd5 100755 --- a/integration/scripts/files/elements/ubuntu-xenial-mariadb/install.d/30-mariadb +++ b/integration/scripts/files/elements/ubuntu-xenial-mariadb/install.d/30-mariadb @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # CONTEXT: GUEST during CONSTRUCTION as ROOT # PURPOSE: Install controller base required packages @@ -11,7 +11,9 @@ export DEBIAN_FRONTEND=noninteractive # NOTE(vkmc): Using MariaDB repositories is required # https://mariadb.com/kb/en/mariadb/installing-mariadb-deb-files/ apt-get -y install software-properties-common -apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8 + +get_key_robust 0xF1656F24C74CD1D8 + add-apt-repository 'deb http://ftp.osuosl.org/pub/mariadb/repo/10.1/ubuntu xenial main' # Pin MariaDB repository