[Puppet Users] Installing Jenkins with Puppet fails to import GPG key

On 26/04/2012, at 9:22, Michael Harris wrote:

I've asked this question over on serverfault, but had no response.

I'm trying to install Jenkins with Puppet using the manifests below.

# init.pp
class jenkins {
include jenkins::install, jenkins::service
}

# service.pp
class jenkins::service {
service { "jenkins":
ensure => running,
hasstatus => true,
hasrestart => true,
enable => true,
require => Class["jenkins::install"],
}
}

# install.pp
class jenkins::install {
include jenkins::install::repo
include jenkins::install::java

package { "jenkins":
ensure => present,
require => Class['jenkins::install::repo','jenkins::install::java'],
}
}

# install/repo.pp
class jenkins::install::repo {
file { "/etc/pki/rpm-gpg/jenkins-ci.org.key":
owner => root,
group => root,
mode => 0600,
source => "puppet:///jenkins/jenkins-ci.org.key"
}

yumrepo { "jenkins":
baseurl => "http://pkg.jenkins-ci.org/redhat",
descr => "Jenkins",
enabled => 1,
gpgcheck => 1,
gpgkey => "file:///etc/pki/rpm-gpg/jenkins-ci.org.key",
require => File["/etc/pki/rpm-gpg/jenkins-ci.org.key"]
}
}

# install/java.pp
class jenkins::install::java {
package { "java-1.6.0-openjdk":
ensure => present,
}
}

The repo is added and the key written to the file system. However, I get the following error.

err: /Stage[main]/Jenkins::Install/Package[jenkins]/ensure: change from absent to present failed: Execution of '/usr/bin/yum -d 0 -e 0 -y install jenkins' returned 1: warning: rpmts_HdrFromFdno: Header V4 DSA signature: NOKEY, key ID d50582e6
Traceback (most recent call last):
File "/usr/bin/yum", line 29, in ?
yummain.user_main(sys.argv[1:], exit_code=True)
File "/usr/share/yum-cli/yummain.py", line 309, in user_main
errcode = main(args)
File "/usr/share/yum-cli/yummain.py", line 261, in main
return_code = base.doTransaction()
File "/usr/share/yum-cli/cli.py", line 410, in doTransaction
if self.gpgsigcheck(downloadpkgs) != 0:
File "/usr/share/yum-cli/cli.py", line 510, in gpgsigcheck
self.getKeyForPackage(po, lambda x, y, z: self.userconfirm())
File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 3519, in getKeyForPackage
keys = self._retrievePublicKey(keyurl, repo)
File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 3484, in _retrievePublicKey
keys_info = misc.getgpgkeyinfo(rawkey, multiple=True)
File "/usr/lib/python2.4/site-packages/yum/misc.py", line 375, in getgpgkeyinfo
raise ValueError(str(e))
ValueError: unknown pgp packet type 17 at 706

This suggests to me that the key isn't being imported successfully, and `rpm -qa gpg-pubkey` doesn't show the key. If I manually `yum install jenkins` without the key imported I get the same error. With the key imported, the manual installation succeeds.

I'm successfully installing other yum repos and keys standalone (basically the `install/repo.pp` manifest as its own module), such as EPEL, but as this repo is only for Jenkins I wanted to include it in my Jenkins module.

Is there something wrong with my manifests? Or some other problem?

**UPDATE**:

If I run this manifest on the node with `puppet apply jenkins.pp` I get the following error. I don't know if this is part of the problem or a red herring.

# jenkins.pp
file { "/etc/pki/rpm-gpg/jenkins-ci.org.key":
owner => root,
group => root,
mode => 0600,
source => "/root/jenkins-ci.org.key"
}

yumrepo { "jenkins":
baseurl => "http://pkg.jenkins-ci.org/redhat",
descr => "Jenkins",
enabled => 1,
gpgcheck => 1,
gpgkey => "file:///etc/pki/rpm-gpg/jenkins-ci.org.key",
require => File["/etc/pki/rpm-gpg/jenkins-ci.org.key"]
}

# output
warning: Could not retrieve fact fqdn
notice: /Stage[main]//File[/etc/pki/rpm-gpg/jenkins-ci.org.key]/ensure: defined content as '{md5}9fa06089848262c5a6383ec27fdd2575'
notice: /Stage[main]//Yumrepo[jenkins]/descr: descr changed '' to 'Jenkins'
notice: /Stage[main]//Yumrepo[jenkins]/baseurl: baseurl changed '' to 'http://pkg.jenkins-ci.org/redhat'
notice: /Stage[main]//Yumrepo[jenkins]/enabled: enabled changed '' to '1'
notice: /Stage[main]//Yumrepo[jenkins]/gpgcheck: gpgcheck changed '' to '1'
notice: /Stage[main]//Yumrepo[jenkins]/gpgkey: gpgkey changed '' to 'file:///etc/pki/rpm-gpg/jenkins-ci.org.key'
notice: Finished catalog run in 0.11 seconds
err: /File[/var/lib/puppet/rrd]/ensure: change from absent to directory failed: Could not set 'directory on ensure: Could not find group puppet
err: Could not send report: Got 1 failure(s) while initializing: change from absent to directory failed: Could not set 'directory on ensure: Could not find group puppet

Again, the repo is added but the key is not imported.

Any advice would be greatly appreciated.
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/vXiEqP6KCt4J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On Thursday, 26 April 2012 11:17:05 UTC+10, denmat wrote:

The way that i import my keys is to set the gpg key for the yum repo like
so:

yumrepo { "jenkins":
baseurl => "http://pkg.jenkins-ci.org/redhat",
descr => "Jenkins",
enabled => 1,
gpgcheck => 1,
gpgkey => "http://pkg.jenkins-ci.org/redhat/
jenkins-ci.org.key",
}

Should take care of the import for you.

Cool, I didn't know I could specify a URL for the key, thanks.

However, I get the same error and the key still fails to import.

cheers, Michael

--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/cI79Jc80xg0J.

To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Thursday, 26 April 2012 18:33:18 UTC+10, denmat wrote:
Hi, I just spun up a fresh AWS instance and did this:

$ cat puppet.repo.pp
class jenkins {

yumrepo { "jenkins":
baseurl => "http://pkg.jenkins-ci.org/redhat",
descr => "Jenkins",
enabled => 1,
gpgcheck => 1,
gpgkey => "
http://pkg.jenkins-ci.org/redhat/jenkins-ci.org.key",
}
package {"jenkins": ensure => latest }
}

include jenkins

I appreciate your help, but with that manifest I get the same error on both
the node I'm trying to install on and on a fresh CentOS 5.7 with Puppet
2.7.9.

err: /Stage[main]/Jenkins/Package[jenkins]/ensure: change from absent to
latest failed: Could not update: Execution of '/usr/bin/yum -d 0 -e 0 -y
install jenkins' returned 1: warning: rpmts_HdrFromFdno: Header V4 DSA
signature: NOKEY, key ID d50582e6

--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/sVsibb6ExBsJ.

To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Friday, 27 April 2012 15:15:34 UTC+10, denmat wrote:
Well, the good news is you're not crazy :)

On Fri, 27 Apr 2012, denmat wrote:

Well, the good news is you're not crazy :)

I loaded up a 5.7 instance and puppet 2.7.9+ and got the same result as you!

I did a yum update and got the same issue - so it is not a common
issue that is already fixed.

I did a manual rpm --import of the key and the subsequent yum install
worked. It is clearly an OS issue particular to Jenkins rather than a
'puppet' issue (as Puppet installed via yum and installed the key
automagically without an issue).

What I did notice is that a copy of the key jenkins pubkey doesn't get
installed into /etc/pki. But you can query it via rpm -qa gpg-pubkey*:
rpm -qi gpg-pubkey-d50582e6-4a3feef6

On 27 April 2012 06:15, denmat wrote:
Normally what happens is that if it is 'assumed yes', yum will
automatically accept the public key via the url - I don't know why
Jenkins is different - but it appears to install a new repo file and
try to import the pubkey again on install - maybe this confuses yum?
Just speculating - not going to investigate further :)

On 24/05/2012, at 3:27, Dan Carley wrote:

On 27 April 2012 06:15, denmat wrote:
Normally what happens is that if it is 'assumed yes', yum will
automatically accept the public key via the url - I don't know why
Jenkins is different - but it appears to install a new repo file and
try to import the pubkey again on install - maybe this confuses yum?
Just speculating - not going to investigate further :)

The problem stems from Yum on EL5 not being able to parse user attributes within key. It can be worked around a bit more cleanly by removing the attribute from the public key. I've written a blog post with more details:

http://dan.carley.co/blog/2012/05/22/yum-gpg-keys-for-jenkins/
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.