During each Rawhide development cycle there is a point
at which packages start being signed with new keys, which
causes updates to fail.
To work around the problem, make sure fedora-gpg-keys is
updated before attempting to update all other packages;
updating fedora-gpg-keys itself requires gpg signature
checking to be disabled.
Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx>
---
I am actually not 100% sure we need to disable gpg
signature checking in order to update fedora-gpg-keys:
it would make sense for that one package to be signed
with the old key to make the update possible without
breaking trust at any point in time. Unfortunately I
updated my Rawhide guest without taking a snapshot
first, and I can't figure out a way to get it back to
a state suitable for checking whether the above makes
sense :( Perhaps someone with deeper understanding of
the Fedora release process will confirm or deny.
guests/lcitool | 24 +++++++++++++++++-------
guests/playbooks/update/tasks/base.yml | 9 +++++++++
2 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/guests/lcitool b/guests/lcitool
index 821cafc..ddeee6a 100755
--- a/guests/lcitool
+++ b/guests/lcitool
@@ -511,7 +511,8 @@ class Application:
facts = self._inventory.get_facts(host)
package_format = facts["package_format"]
os_name = facts["os_name"]
- os_full = os_name + str(facts["os_version"])
+ os_version = str(facts["os_version"])
+ os_full = os_name + os_version
if package_format not in ["deb", "rpm"]:
raise Error("Host {} doesn't support Dockerfiles".format(host))
@@ -560,12 +561,21 @@ class Application:
apt-get autoclean -y
"""))
elif package_format == "rpm":
- sys.stdout.write(textwrap.dedent("""
- RUN yum update -y && \\
- yum install -y ${PACKAGES} && \\
- yum autoremove -y && \\
- yum clean all -y
- """))
+ if os_name == "Fedora" and os_version == "Rawhide":
+ sys.stdout.write(textwrap.dedent("""
+ RUN yum update -y --nogpgcheck fedora-gpg-keys && \\
+ yum update -y && \\
+ yum install -y ${PACKAGES} && \\
+ yum autoremove -y && \\
+ yum clean all -y
+ """))
+ else:
+ sys.stdout.write(textwrap.dedent("""
+ RUN yum update -y && \\
+ yum install -y ${PACKAGES} && \\
+ yum autoremove -y && \\
+ yum clean all -y
+ """))
def run(self):
cmdline = self._parser.parse_args()
diff --git a/guests/playbooks/update/tasks/base.yml b/guests/playbooks/update/tasks/base.yml
index 11f600f..cc16eb0 100644
--- a/guests/playbooks/update/tasks/base.yml
+++ b/guests/playbooks/update/tasks/base.yml
@@ -64,6 +64,15 @@
- not ( os_name == 'Fedora' and
os_version == 'Rawhide' )
+- name: Update installed packages
+ package:
+ name: fedora-gpg-keys
+ state: latest
+ disable_gpg_check: yes
+ when:
+ - os_name == 'Fedora'
+ - os_version == 'Rawhide'
+
- name: Update installed packages
command: dnf update --refresh --exclude 'kernel*' -y
args:
--
2.17.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
