[pkg-lxc-devel] Bug#1073132: Bug#1073132: LXC debian template can't find gpg pub keys on Bookworm without network
Pierre-Elliott Bécue
peb at debian.org
Thu Jun 13 10:40:41 BST 2024
Control: severity -1 important
Hi,
Thanks for the report.
Eppii <eppii at gandi.net> wrote on 13/06/2024 at 09:54:47+0200:
> Package: lxc-templates
> Version: 3.0.4.48.g4765da8-1
>
> ||/ Name Version Architecture Description
> +++-==============-===================-============-============================================
> ii lxc-templates 3.0.4.48.g4765da8-1 amd64 Linux Containers userspace tools (templates)
>
> Hello !
>
> Context: we want to create a lxc with the lxc-debian template on a bookworm server without any access to internet.
>
> We identified three issues preventing to achieve our goal and had to edit the /usr/share/lxc/templates/lxc-debian to succeed.
>
> Description:
>
> The download_debian() function states that it must verify signatures using /etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg
> but since bookworm, debian-archive-keyring install gpg files into the /usr/share/keyrings folder only. See
> https://packages.debian.org/bookworm/all/debian-archive-keyring/filelist versus bullseye version.
>
> Path lreleasekeyring=/etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg does not exist hence it always tries to download
> from http://ftp-master.debian.org. Which fails on a no internet access server.
>
> A workaround is to add the --keyring /usr/share/keyrings/debian-archive-$release-stable.gpg args to the command as followed:
> lxc-create -n test -t debian -- --mirror http://mymirror/debian --security-mirror http://mymirror/debian-security --release bookworm -
> -keyring /usr/share/keyrings/debian-archive-buster-stable.gpg
You can also create a symlink as a workaround.
> A solution would be to modify the line 436 from:
> - lreleasekeyring=/etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg
> + lreleasekeyring=/usr/share/keyrings/debian-archive-$release-stable.gpg
It'll require a bit more flexibility to stay backward compatible. :)
> OR install the gpg keys back to etc/apt/trusted.gpg.d/ folder or whatever you see as a better fit ;).
The motivation behind moving the keys to /usr is that /etc is for sysops to
maintain configuration/variable parts. These keys are not to be touched,
so they should go to a place that is not to be touched by sysops.
I'll design a patch.
--
PEB
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 853 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-lxc-devel/attachments/20240613/ac11fa74/attachment.sig>
More information about the Pkg-lxc-devel
mailing list