Modules / MODULES-8249

puppetlabs-apache : phusion passenger yum repo gpg key is invalid

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Zendesk Ticket IDs:
      32751
    • Zendesk Ticket Count:
      1
    • QA Risk Assessment:
      Needs Assessment

      Description

      Basic Info
      Module Version: 3.4.0
      Puppet Version: 5.5.8
      OS Name/Version: CentOS 7.5

      The yum repo gpg key hardcoded into apache::mod::passenger is no longer valid for downloading the phusion passenger RPM. Running this code out-of-the-box will result in an error. For example, on a fresh 2018.1.5 install with the apache module installed, a puppet apply will fail:

      # cat test.pp
      class { "apache": }
      class { "apache::mod::passenger": }
      

      Desired Behavior:
      The above code should not fail.

      Actual Behavior:

      # puppet apply test.pp
      Error: Execution of '/usr/bin/yum -d 0 -e 0 -y install mod_passenger' returned 1: One of the configured repositories failed (passenger),
       and yum doesn't have enough cached data to continue. At this point the only
       safe thing yum can do is fail. There are a few ways to work "fix" this:
       
           1. Contact the upstream for the repository and get them to fix the problem.
       
           2. Reconfigure the baseurl/etc. for the repository, to point to a working
              upstream. This is most often useful if you are using a newer
              distribution release than is supported by the repository (and the
              packages for the previous distribution release still work).
       
           3. Run the command with the repository temporarily disabled
                  yum --disablerepo=passenger ...
       
           4. Disable the repository permanently, so yum won't use it by default. Yum
              will then just ignore the repository until you permanently enable it
              again or use --enablerepo for temporary usage:
       
                  yum-config-manager --disable passenger
              or
                  subscription-manager repos --disable=passenger
       
           5. Configure the failing repository to be skipped, if it is unavailable.
              Note that yum will try to contact the repo. when it runs most commands,
              so will have to try and fail each time (and thus. yum will be be much
              slower). If it is a very temporary problem though, this is often a nice
              compromise:
       
                  yum-config-manager --save --setopt=passenger.skip_if_unavailable=true
       
      failure: repodata/repomd.xml from passenger: [Errno 256] No more mirrors to try.
      https://oss-binaries.phusionpassenger.com/yum/passenger/el/7/x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for passenger
      Error: /Stage[main]/Apache::Mod::Passenger/Apache::Mod[passenger]/Package[mod_passenger]/ensure: change from 'purged' to 'present' failed: Execution of '/usr/bin/yum -d 0 -e 0 -y install mod_passenger' returned 1: One of the configured repositories failed (passenger),
       and yum doesn't have enough cached data to continue. At this point the only
       safe thing yum can do is fail. There are a few ways to work "fix" this:
       
           1. Contact the upstream for the repository and get them to fix the problem.
       
           2. Reconfigure the baseurl/etc. for the repository, to point to a working
              upstream. This is most often useful if you are using a newer
              distribution release than is supported by the repository (and the
              packages for the previous distribution release still work).
       
           3. Run the command with the repository temporarily disabled
                  yum --disablerepo=passenger ...
       
           4. Disable the repository permanently, so yum won't use it by default. Yum
              will then just ignore the repository until you permanently enable it
              again or use --enablerepo for temporary usage:
       
                  yum-config-manager --disable passenger
              or
                  subscription-manager repos --disable=passenger
       
           5. Configure the failing repository to be skipped, if it is unavailable.
              Note that yum will try to contact the repo. when it runs most commands,
              so will have to try and fail each time (and thus. yum will be be much
              slower). If it is a very temporary problem though, this is often a nice
              compromise:
       
                  yum-config-manager --save --setopt=passenger.skip_if_unavailable=true
       
      failure: repodata/repomd.xml from passenger: [Errno 256] No more mirrors to try.
      https://oss-binaries.phusionpassenger.com/yum/passenger/el/7/x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for passenger
      

      This issue can be resolved by setting manage_repo to false on the passenger class and supplying a custom yumrepo class pointing to a different gpg key:

      # cat test2.pp
      class { "apache": }
      class { "apache::mod::passenger":
        manage_repo => false,
      }
       
      if $::osfamily == 'RedHat' {
        if $::operatingsystem == 'Amazon' {
          $baseurl = 'https://oss-binaries.phusionpassenger.com/yum/passenger/el/6Server/$basearch'
        } else {
          $baseurl = 'https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/$basearch'
        }
       
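        yumrepo { 'passenger':
          ensure        => 'present',
          baseurl       => $baseurl,
          descr         => 'passenger',
          enabled       => '1',
          # gpgcheck => '0' turns off signature checks on the individual RPMs.
          gpgcheck      => '0',
          # Key that yum uses to verify the signed repository metadata.
          gpgkey        => 'https://packagecloud.io/phusion/passenger/gpgkey',
          # repo_gpgcheck => '1' keeps the signature check on repomd.xml enabled.
          repo_gpgcheck => '1',
          sslcacert     => '/etc/pki/tls/certs/ca-bundle.crt',
          sslverify     => '1',
          before        => Apache::Mod['passenger'],
        }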
      }
      

      I suspect we just need to update https://github.com/puppetlabs/puppetlabs-apache/blob/3.4.0/manifests/mod/passenger.pp#L530. I'll submit a PR.
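An added example, not part of the original report or of the puppetlabs-apache module: a check that a failing repo was fixed by changing the key rather than by switching verification off. It reads yum repo stanzas and reports which signature checks each one still performs. The function names `audit_yum_repos` and `sample_repos` are hypothetical, and the sample stanzas are constructed from the settings shown in the workaround above.

```shell
#!/bin/sh
# Added example (not from the ticket or the module). Prints one line per
# stanza: repo-id <TAB> verdict <TAB> gpgkey. Assumption: an option missing
# from a stanza counts as off; on a real host it inherits from [main].
audit_yum_repos() {
  awk '
    function truthy(v) { v = tolower(v); return (v == "1" || v == "yes" || v == "true") }
    function emit() {
      if (id == "") return
      if (!truthy(enabled)) verdict = "disabled"
      else if ((truthy(pkg) || truthy(meta)) && key == "") verdict = "NO-KEY"
      else if (truthy(pkg) && truthy(meta)) verdict = "packages+metadata"
      else if (truthy(meta)) verdict = "metadata-only"
      else if (truthy(pkg)) verdict = "packages-only"
      else verdict = "UNVERIFIED"
      printf "%s\t%s\t%s\n", id, verdict, (key == "" ? "-" : key)
    }
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[.*\]/ {
      emit(); id = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", id)
      enabled = "1"; pkg = meta = key = ""; next
    }
    /=/ {
      k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
      v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
      if (k == "enabled") enabled = v
      else if (k == "gpgcheck") pkg = v
      else if (k == "repo_gpgcheck") meta = v
      else if (k == "gpgkey") key = v
    }
    END { emit() }
  ' "$@"
}

# Constructed sample stanzas; only [passenger] mirrors the workaround above.
sample_repos() {
  cat <<'EOF'
[passenger]
gpgcheck=0
repo_gpgcheck=1
gpgkey=https://packagecloud.io/phusion/passenger/gpgkey
[passenger-checks-off]
gpgcheck=0
repo_gpgcheck=0
[passenger-no-key]
repo_gpgcheck=1
EOF
}
sample_repos | audit_yum_repos
```

On a managed node, pass the real files instead of the sample, for example `audit_yum_repos /etc/yum.repos.d/*.repo`; an `UNVERIFIED` or `NO-KEY` line for an enabled repo is the case to investigate.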

              People

              • Assignee:
                Unassigned
                Reporter:
                adam.bottchen Adam Bottchen