Chef bootstrap installation -->gpg key not found on keyserver


#1

hi all,

I'm trying to install Chef by using the chef-solo bootstrap installation. I
face a problem while importing the gpg key from the cookbook

log debug…


[Mon, 09 Jan 2012 13:50:50 +0000] INFO: Processing execute[install-key
2940ABA983EF826A] action run
(/var/chef/cookbooks/apt/providers/repository.rb line 25)
[Mon, 09 Jan 2012 13:50:50 +0000] INFO: execute[install-key
2940ABA983EF826A] sh(apt-key adv --keyserver pgpkeys.mit.edu --recv
2940ABA983EF826A)
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring
--secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg
--keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg
--keyring /etc/apt/trusted.gpg.d//opscode-keyring.gpg --keyserver
pgpkeys.mit.edu --recv 2940ABA983EF826A
gpgkeys: key 2940ABA983EF826A not found on keyserver
[Mon, 09 Jan 2012 13:50:50 +0000] ERROR: execute[install-key
2940ABA983EF826A] (/var/chef/cookbooks/apt/providers/repository.rb line 25)
has had an error
[Mon, 09 Jan 2012 13:50:50 +0000] ERROR: apt_repository[opscode]
(gecode::default line 33) has had an error
[Mon, 09 Jan 2012 13:50:50 +0000] ERROR: apt_repository[opscode]
(/var/chef/cookbooks/gecode/recipes/default.rb:33:in `from_file') had an
error:


I'm not in touch with gpg keys, so my question: could it be that I made a
mistake installing the basic system?

thanks a lot
Till


#2

I haven’t reproduced this, but I can see that this key appears to be
in the keyserver:

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2940ABA983EF826A

And the same command worked from an amazon ec2 instance:

ubuntu@ip-10-122-105-9:~$ sudo gpg --ignore-time-conflict --no-options
--no-default-keyring --secret-keyring /etc/apt/secring.gpg
--trustdb-name /etc/apt/trustdb.gpg --keyring /etc/apt/trusted.gpg
--primary-keyring /etc/apt/trusted.gpg --keyring
/etc/apt/trusted.gpg.d//opscode-keyring.gpg --keyserver
pgpkeys.mit.edu --recv 2940ABA983EF826A
gpg: keyblock resource `/etc/apt/trusted.gpg.d//opscode-keyring.gpg':
file open error
gpg: requesting key 83EF826A from hkp server pgpkeys.mit.edu
gpg: key 83EF826A: public key "Opscode Packages packages@opscode.com" imported
gpg: Total number processed: 1
gpg: imported: 1

sort of:

ubuntu@ip-10-122-105-9:~$ echo $?
2

So, touching the file first works:

ubuntu@ip-10-122-105-9:~$ sudo touch /etc/apt/trusted.gpg.d/opscode-keyring.gpg
ubuntu@ip-10-122-105-9:~$ sudo gpg --ignore-time-conflict --no-options
--no-default-keyring --secret-keyring /etc/apt/secring.gpg
--trustdb-name /etc/apt/trustdb.gpg --keyring /etc/apt/trusted.gpg
--primary-keyring /etc/apt/trusted.gpg --keyring
/etc/apt/trusted.gpg.d/opscode-keyring.gpg --keyserver pgpkeys.mit.edu
--recv 2940ABA983EF826A
gpg: requesting key 83EF826A from hkp server pgpkeys.mit.edu
gpg: key 83EF826A: "Opscode Packages packages@opscode.com" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
ubuntu@ip-10-122-105-9:~$

It looks like gpg is broken WRT how apt-key expects it to work, maybe
not opening with O_CREAT set in the open flags? Anyway, it’s not
creating a new keyring file, so this command may need a “touch
/path/to/keyring/file” for now or the apt cookbook could be fixed to
use the default keyring.

I don’t know what the right way to handle this is, but you’ve got a
couple of options, the easier/more visible of which is to have chef
touch the file to be created.

-Peter



#3

When installing a Chef-server using the chef-solo bootstrap method
[1], the recipe will install gecode from a deb package if you’re
running on Debian or Ubuntu. If you’re running a release prior to
wheezy or natty, it adds an Opscode apt repository to do so, grabbing
a key for said repository along the way. This is what is failing.

On Mon, Jan 9, 2012 at 10:10 AM, Till Brinkmann
till.brinkmann@9elements.com wrote:

Executing: gpg --ignore-time-conflict --no-options --no-default-keyring
--secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg
--keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg
--keyring /etc/apt/trusted.gpg.d//opscode-keyring.gpg --keyserver
pgpkeys.mit.edu --recv 2940ABA983EF826A
gpgkeys: key 2940ABA983EF826A not found on keyserver

Now and then we’ve seen issues with some keyservers responding incorrectly.

I’m curious if you tried a second time and whether it worked this time
or not. As Paul noted, the key is on the keyserver.

We could possibly add a retry here that tries from another keyserver
on failure to prevent this from happening now and then. Perhaps the
keyserver attribute to the apt_repository LWRP in the apt cookbook
could take an array.

Bryan

[1] http://wiki.opscode.com/display/chef/Installing+Chef+Server+using+Chef+Solo
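
The ordered keyserver list suggested in #3, combined with the keyring `touch` workaround from #2, could look like this in plain Ruby. This is an added example, not code from the apt cookbook or from anyone in this thread; `recv_key`, `KEYSERVERS`, `SYSTEM_RUNNER` and the host `keyserver.example.org` are hypothetical names chosen for illustration.

```ruby
require 'fileutils'
require 'open3'

# Constructed fallback list: only pgpkeys.mit.edu appears in the thread,
# keyserver.example.org is a placeholder for a second server.
KEYSERVERS = %w[pgpkeys.mit.edu keyserver.example.org].freeze

# Accept a 64-bit key ID or a full 160-bit fingerprint. 8-digit short IDs
# are rejected because they are easy to collide.
KEY_ID = /\A(?:0x)?(?:\h{16}|\h{40})\z/

# Default runner: executes argv without a shell, returns [output, success?].
SYSTEM_RUNNER = lambda do |argv|
  out, status = Open3.capture2e(*argv)
  [out, status.success?]
end

# Try each keyserver in order and return the name of the first one that
# delivers the key. Raises with every server's last output line otherwise.
def recv_key(key_id, keyservers, keyring: nil, runner: SYSTEM_RUNNER)
  unless key_id =~ KEY_ID
    raise ArgumentError, "need a 64-bit key ID or fingerprint: #{key_id.inspect}"
  end

  # Workaround from #2: gpg did not create the missing keyring file and
  # exited with status 2 even though the key was imported.
  FileUtils.touch(keyring) if keyring

  # Array() lets the caller pass one server or a list.
  errors = Array(keyservers).map do |server|
    argv = ['apt-key', 'adv', '--keyserver', server, '--recv', key_id]
    out, ok = runner.call(argv)
    return server if ok

    "#{server}: #{out.lines.last.to_s.strip}"
  end
  raise "key #{key_id} not retrieved: #{errors.join('; ')}"
end
```

Passing the command as an argv array keeps the key ID and server name out of a shell, and the `runner` parameter lets the fallback logic be exercised without network access.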


#4

Bryan, Peter
thanks for your reply, it looks like we got a configuration issue in our
firewall.
From time to time the firewall blocks the gkd-keyserver response. We use a
third party firewall :-/

I tried it some times and now my installation is not in a good state.
First we will fix our firewall to get a 100% response for gpg keyserver and
second I will try installation from scratch.
I hope that will work.

Thanks a lot !
Till



#5

some other thing,

on the opscode wiki there is an alternative way if gpg-key installation
fails the first time… "Issues downloading from gnupg.net?"

http://wiki.opscode.com/display/chef/Installing+Chef+Client+on+Ubuntu+or+Debian

--> Add the GPG Key and Update Index

Maybe it's a good idea to add a line there: if gpg fails in this (normal) way,
some installations like bootstrap could also fail.

:-) Thanks a lot, the system bootstrap installation now runs without an error

Till



#6

Re,
I'm not sure if it is a point of interest for you (bug tracking)…

I tried the bootstrap installation on debian 6.0.3 several times from scratch
(chef-solo).

And if I'm not using ["init_type" : "runit"] the installation fails because
of insserv errors.
If you want I can provide additional information from my research…

greetings Till



#7

On Thu, Jan 12, 2012 at 5:41 AM, Till Brinkmann
till.brinkmann@9elements.com wrote:

I'm not sure if it is a point of interest for you (bug tracking)…

Yup. We track bugs on http://tickets.opscode.com

I tried the bootstrap installation on debian 6.0.3 several times from scratch
(chef-solo).

And if I'm not using ["init_type" : "runit"] the installation fails because
of insserv errors.
If you want I can provide additional information from my research…

Oh insserv. What we really need is more init systems.

I don’t see any open bugs related to insserv that would apply. Could
you file one please? It’d be great if you could be specific about the
version of debian, what instructions you’re following (steps to
reproduce), the version of Chef, and be sure to include the complete
error (wrap it in {code} tags so the JIRA macro will format it right)
so other people can find the bug.

Thanks!

Bryan