[pkg-lxc-devel] Bug#1073132: Bug#1073132: LXC debian template can't find gpg pub keys on Bookworm without network
Eppii
eppii at gandi.net
Thu Jun 13 12:02:57 BST 2024
Hello,
Just a comment about backward compatibility bellow:
> On 13 Jun 2024, at 11:40, Pierre-Elliott Bécue <peb at debian.org> wrote:
>
> Control: severity -1 important
>
> Hi,
>
> Thanks for the report.
>
> Eppii <eppii at gandi.net> wrote on 13/06/2024 at 09:54:47+0200:
>
>> Package: lxc-templates
>> Version: 3.0.4.48.g4765da8-1
>>
>> ||/ Name Version Architecture Description
>> +++-==============-===================-============-============================================
>> ii lxc-templates 3.0.4.48.g4765da8-1 amd64 Linux Containers userspace tools (templates)
>>
>> Hello !
>>
>> Context: we want to create a lxc with the lxc-debian template on a bookworm server without any access to internet.
>>
>> We identified three issues preventing to achieve our goal and had to edit the /usr/share/lxc/templates/lxc-debian to succeed.
>>
>> Description:
>>
>> The download_debian() function states that it must verify signatures using /etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg
>> but since bookworm, debian-archive-keyring install gpg files into the /usr/share/keyrings folder only. See
>> https://packages.debian.org/bookworm/all/debian-archive-keyring/filelist versus bullseye version.
>>
>> Path lreleasekeyring=/etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg does not exist hence it always tries to download
>> from http://ftp-master.debian.org. Which fails on a no internet access server.
>>
>> A workaround is to add the --keyring /usr/share/keyrings/debian-archive-$release-stable.gpg args to the command as followed:
>> lxc-create -n test -t debian -- --mirror http://mymirror/debian --security-mirror http://mymirror/debian-security --release bookworm -
>> -keyring /usr/share/keyrings/debian-archive-buster-stable.gpg
>
> You can also create a symlink as a workaround.
>
>> A solution would be to modify the line 436 from:
>> - lreleasekeyring=/etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg
>> + lreleasekeyring=/usr/share/keyrings/debian-archive-$release-stable.gpg
>
> It'll require a bit more flexibility to stay backward compatible. :)
It seems that pub keys lives into /usr/share/keyrings/ from a long time now, and will stay this way in the future; see https://packages.debian.org/buster/all/debian-archive-keyring/filelist
Shouldn’t it source from the beginning into the /usr path?
>
>> OR install the gpg keys back to etc/apt/trusted.gpg.d/ folder or whatever you see as a better fit ;).
>
> The motivation behind moving the keys to /usr is that /etc is for sysops to
> maintain configuration/variable parts. These keys are not to be touched,
> so they should go to a place that is not to be touched by sysops.
>
> I'll design a patch.
>
> --
> PEB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-lxc-devel/attachments/20240613/1252a890/attachment-0001.htm>
More information about the Pkg-lxc-devel
mailing list