How To Automatically Confirm Importing Repo Key?


Hi,

I’m trying to set up provisioning of an LXC container running CentOS. Among other things, I need to install nginx + passenger from a non-official repo (the docs: https://www.phusionpassenger.com/library/install/nginx/install/oss/el7/). With this playbook:

    - hosts: all
      tasks:
        # https://docs.ansible.com/ansible/yum_repository_module.html
        - name: Add repository
          yum_repository:
            # from https://oss-binaries.phusionpassenger.com/yum/definitions/el-passenger.repo
            name: passenger
            description: Passenger repository
            baseurl: https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/$basearch
            repo_gpgcheck: 1
            gpgcheck: 0
            enabled: 1
            gpgkey: https://packagecloud.io/gpg.key
            sslverify: 1
            sslcacert: /etc/pki/tls/certs/ca-bundle.crt

        # http://docs.ansible.com/ansible/command_module.html
        - name: (1) Add repository key (shell command)
          command: rpm --import https://packagecloud.io/gpg.key

        # # http://docs.ansible.com/ansible/rpm_key_module.html
        # - name: (2) Add repository key (python code)
        #   rpm_key:
        #     key: https://packagecloud.io/gpg.key

        # http://docs.ansible.com/ansible/yum_module.html
        - name: Install nginx
          yum: name={{ item }}
          with_items: nginx

ansible fails performing the last task with:

Failure talking to yum: failure: repodata/repomd.xml from passenger:
[Errno 256] No more mirrors to try. https://oss-binaries.phusionpassenger.com/yum/passenger/el/7/x86_64/repodata/repomd.xml:
[Errno -1] repomd.xml signature could not be verified for passenger

no matter which way of importing the key I choose (1 or 2).

If I then SSH to the container and run `yum install nginx` manually, it says:

Retrieving key from https://packagecloud.io/gpg.key
Importing GPG key 0xD59097AB:
 Userid     : “packagecloud ops (production key)
 Fingerprint: 418a 7f2f b0e1 e6e7 eabf 6fe8 c2e7 3424 d590 97ab
 From       : https://packagecloud.io/gpg.key
Is this ok [y/N]:

And I suppose this extra confirmation request is what makes ansible fail. Can it be confirmed automatically?

I tried to make it clear for those who don’t use ansible, but feel free to ask questions. Thanks in advance.

Related Stack Overflow question (just in case):
http://stackoverflow.com/questions/38327406/how-to-install-yum-repository-key-with-ansible/41882838

Regards, Yuri

One thought on - How To Automatically Confirm Importing Repo Key?

  • Now that I think about it, I should’ve reproduced it with just a shell script, without involving ansible, when asking the question. Things are more or less clear now. The only thing I’d like to confirm is whether this makes for a good way of automatically confirming importing the repo key?

    yum makecache -y --disablerepo='*' --enablerepo=passenger

    Regards, Yuri
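
Added example (not part of the original post or the comment): `-y` accepts whatever key the `gpgkey` URL serves, so this script checks the downloaded key against the fingerprint shown in the yum prompt above before letting yum confirm it. The `KEY_DEST` path, the function names and the change of `gpgkey=` to a `file://` URL are assumptions of the example.

```sh
#!/bin/sh
# Fingerprint yum printed in the prompt quoted in the post.
PINNED_FPR="418a 7f2f b0e1 e6e7 eabf 6fe8 c2e7 3424 d590 97ab"
KEY_URL="https://packagecloud.io/gpg.key"
# Assumption: the repo's gpgkey= is changed to file://$KEY_DEST, so yum imports
# the bytes that were checked here instead of downloading the key again.
KEY_DEST="/etc/pki/rpm-gpg/RPM-GPG-KEY-passenger"   # hypothetical path

# Drop whitespace and upper-case, so "418a 7f2f ..." equals "418A7F2F...".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# stdin: `gpg --with-colons` listing. Prints the primary key's fingerprint,
# which is field 10 of the first "fpr" record.
first_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# stdin: colon listing, $1: expected fingerprint. Fails on mismatch or no key.
fpr_is_pinned() {
    actual=$(first_fpr)
    [ -n "$actual" ] && [ "$(normalize_fpr "$actual")" = "$(normalize_fpr "$1")" ]
}

import_repo_key() {
    tmp=$(mktemp) || return 1
    # Assumption: given only a file name, gpg lists the keys in it without
    # importing them (the GnuPG 2.0 shipped with EL7 behaves this way).
    if curl -fsSL -o "$tmp" "$KEY_URL" &&
       gpg --with-fingerprint --with-colons "$tmp" 2>/dev/null |
           fpr_is_pinned "$PINNED_FPR"
    then
        # -y below only confirms a key whose fingerprint was checked above.
        install -m 0644 "$tmp" "$KEY_DEST" && rm -f "$tmp" &&
            yum -y makecache --disablerepo='*' --enablerepo=passenger
    else
        rm -f "$tmp"
        echo "key from $KEY_URL missing or fingerprint mismatch, not importing" >&2
        return 1
    fi
}

# Side effects only on request; without --apply the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
    import_repo_key
fi
```

Run it as root with `--apply` before the package install task; a non-zero exit means the key served at the URL no longer matches the pinned fingerprint.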