Should we as a first improvement add some explanation and a link somewhere at Managing Content?
1 Like
I guess it would be good to have a Katello specific version of these docs somewhere around what you linked to. I will discuss this internally.
2 Likes
First, I think this is needed before launching the pulpcore-manager command :
export PULP_SETTINGS=“/etc/pulp/settings.py”
Then my problem is still there.
The public and secret keys are ok for the user pulp, with gpg --list-keys and gpg --list-secret-keys.
I don’t understand from where I get the “Permission denied”.
I am consulting some notes of mine, and it looks like the pulpcore-manager command needs to be run as the pulp user. Can you try:
su pulp
PULP_SETTINGS="/etc/pulp/settings.py" pulpcore-manager ...
Edit: su pulp won’t work because the pulp user has /sbin/nologin as it’s shell in /etc/passwd, there was some way of using su to run the pulpcore-manager command as the pulp user regardless. I just don’t remember exactly what it was.
I have used some info from these threads too :
I run :
sudo -s pulp /bin/bash
export PULP_SETTINGS=“/etc/pulp/settings.py”
pulpcore-manager add-signing-service --class deb:AptReleaseSigningService katello_deb_sign ./sign_deb_release.sh 0B93…900
and get the permission denied
RuntimeError: b’gpg: signing failed: Permission denied\ngpg: signing failed: Permission denied\n’
And to be more complete, as pulp user :
bash-4.4$ gpg --list-keys
/var/lib/pulp/.gnupg/pubring.kbx
pub rsa4096 2019-10-29 [SC]
0B93…900
uid [ ultime ] ubuntu
bash-4.4$ gpg --list-secret-keys
/var/lib/pulp/.gnupg/pubring.kbx
sec rsa4096 2019-10-29 [SC]
0B93…900
uid [ ultime ] ubuntu
This is just a guess, but try checking ownership on the files in /var/lib/pulp/.gnupg/ with ls -al /var/lib/pulp/.gnupg/, it should look something like this:
# ls -al /var/lib/pulp/.gnupg/
total 20
drwx------. 4 pulp pulp 4096 Jan 9 20:11 .
drwxrwxr-x. 10 pulp pulp 159 Jan 9 19:58 ..
-rw-------. 1 pulp pulp 117 Jan 9 19:58 gpg.conf
drwx------. 2 pulp pulp 58 Jan 9 19:58 openpgp-revocs.d
drwx------. 2 pulp pulp 58 Jan 9 19:58 private-keys-v1.d
-rw-r--r--. 1 pulp pulp 1355 Jan 9 19:58 pubring.kbx
-rw-------. 1 pulp pulp 32 Jan 9 19:58 pubring.kbx~
srwx------. 1 pulp pulp 0 Jan 9 19:58 S.gpg-agent
srwx------. 1 pulp pulp 0 Jan 9 19:58 S.gpg-agent.browser
srwx------. 1 pulp pulp 0 Jan 9 19:58 S.gpg-agent.extra
srwx------. 1 pulp pulp 0 Jan 9 19:58 S.gpg-agent.ssh
-rw-------. 1 pulp pulp 1280 Jan 9 19:58 trustdb.gpg
The important thing is that everything should be owned by the pulp user and nothing by root. I have a vague memory of a similar issue where just one file in the .gnupg folder was owned by root, and that caused permission errors. If that is not it, I am running out of ideas.
bash-4.4$ ls -la .gnupg/
total 24
drwx------ 3 pulp pulp 4096 12 janv. 15:36 .
drwxrwxr-x 12 pulp pulp 4096 12 janv. 10:19 ..
drwx------ 2 pulp pulp 4096 11 janv. 17:42 private-keys-v1.d
-rw-r--r-- 1 pulp pulp 1311 12 janv. 10:02 pubring.kbx
-rw-r--r-- 1 pulp pulp 2590 11 janv. 17:32 pubring.kbx~
srwx------ 1 pulp pulp 0 12 janv. 15:31 S.gpg-agent
srwx------ 1 pulp pulp 0 11 janv. 15:02 S.gpg-agent.browser
srwx------ 1 pulp pulp 0 11 janv. 15:02 S.gpg-agent.extra
srwx------ 1 pulp pulp 0 11 janv. 15:02 S.gpg-agent.ssh
-rw------- 1 pulp pulp 1280 11 janv. 17:39 trustdb.gpg
Can you verify as the pulp user, if the signing-script works in principle and investigate further from there:
su pulp -s /bin/bash
/var/lib/pulp/sign_deb_release.sh <any file>
This should return something like:
{ "signatures": { "inline": "/tmp/tmp.1pQwZfLogh/InRelease", "detached": "/tmp/tmp.1pQwZfLogh/Release.gpg" } }
1 Like
The problem is with the “–local-user” option in the script :
–local-user “${GPG_KEY_ID}”
I think the problem may be related to the fact I exported the key of our aptly server and import it in the foreman server.
Hi,
I fix some problems, and now I’m able to sign a file with the key.
./sign_deb_release.sh testfile
{ “signatures”: { “inline”: “/tmp/tmp.alQ2QSYbkP/InRelease”, “detached”: “/tmp/tmp.alQ2QSYbkP/Release.gpg” } }
My problem was about the “su -”. Running “chown pulp /dev/pts/0” solve the problem.
But there is still an error when I launch the pulpcore-manager command :
dynaconf.validator.ValidationError: CONTENT_ORIGIN is a required setting but it was not configured. This may be caused by invalid read permissions of the settings file. Note that CONTENT_ORIGIN is set by the installer automatically.
but
echo $PULP_SETTINGS
“/etc/pulp/settings.py”
and
grep CONTENT_ORIGIN /etc/pulp/settings.py
CONTENT_ORIGIN = “https://myserveurname”
Can you post the full pulpcore-manager command that results in the error?
export PULP_SETTINGS=“/etc/pulp/settings.py”; pulpcore-manager add-signing-service --class deb:AptReleaseSigningService ubuntu my key 0B93…0900
Traceback (most recent call last):
File “/usr/bin/pulpcore-manager”, line 33, in
sys.exit(load_entry_point(‘pulpcore==3.28.19’, ‘console_scripts’, ‘pulpcore-manager’)())
File “/usr/lib/python3.9/site-packages/pulpcore/app/manage.py”, line 11, in manage
execute_from_command_line(sys.argv)
File “/usr/lib/python3.9/site-packages/django/core/management/init.py”, line 442, in execute_from_command_line
utility.execute()
File “/usr/lib/python3.9/site-packages/django/core/management/init.py”, line 382, in execute
settings.INSTALLED_APPS
File “/usr/lib/python3.9/site-packages/django/conf/init.py”, line 102, in getattr
self._setup(name)
File “/usr/lib/python3.9/site-packages/django/conf/init.py”, line 89, in _setup
self._wrapped = Settings(settings_module)
File “/usr/lib/python3.9/site-packages/django/conf/init.py”, line 217, in init
mod = importlib.import_module(self.SETTINGS_MODULE)
File “/usr/lib64/python3.9/importlib/init.py”, line 127, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File “”, line 1030, in _gcd_import
File “”, line 1007, in _find_and_load
File “”, line 986, in _find_and_load_unlocked
File “”, line 680, in _load_unlocked
File “”, line 850, in exec_module
File “”, line 228, in _call_with_frames_removed
File “/usr/lib/python3.9/site-packages/pulpcore/app/settings.py”, line 381, in
settings = DjangoDynaconf(
File “/usr/lib/python3.9/site-packages/dynaconf/contrib/django_dynaconf_v2.py”, line 84, in load
lazy_settings.populate_obj(django_settings_module)
File “/usr/lib/python3.9/site-packages/dynaconf/base.py”, line 115, in getattr
self._setup()
File “/usr/lib/python3.9/site-packages/dynaconf/base.py”, line 174, in _setup
self._wrapped = Settings(
File “/usr/lib/python3.9/site-packages/dynaconf/base.py”, line 253, in init
self.execute_loaders()
File “/usr/lib/python3.9/site-packages/dynaconf/base.py”, line 1025, in execute_loaders
self.pre_load(env, silent=silent, key=key)
File “/usr/lib/python3.9/site-packages/dynaconf/base.py”, line 1044, in pre_load
self.load_file(path=preloads, env=env, silent=silent, key=key)
File “/usr/lib/python3.9/site-packages/dynaconf/base.py”, line 1071, in load_file
if py_loader.try_to_load_from_py_module_name(
File “/usr/lib/python3.9/site-packages/dynaconf/loaders/py_loader.py”, line 68, in try_to_load_from_py_module_name
mod = importlib.import_module(str(name))
File “/usr/lib64/python3.9/importlib/init.py”, line 127, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File “”, line 1030, in _gcd_import
File “”, line 1007, in _find_and_load
File “”, line 986, in _find_and_load_unlocked
File “”, line 680, in _load_unlocked
File “”, line 850, in exec_module
File “”, line 228, in _call_with_frames_removed
File “/usr/lib/python3.9/site-packages/pulp_ansible/app/settings.py”, line 24, in
ANSIBLE_CONTENT_HOSTNAME = settings.CONTENT_ORIGIN + “/pulp/content”
File “/usr/lib/python3.9/site-packages/dynaconf/base.py”, line 115, in getattr
self._setup()
File “/usr/lib/python3.9/site-packages/dynaconf/base.py”, line 174, in _setup
self._wrapped = Settings(
File “/usr/lib/python3.9/site-packages/dynaconf/base.py”, line 256, in init
self.validators.validate(
File “/usr/lib/python3.9/site-packages/dynaconf/validator.py”, line 467, in validate
validator.validate(
File “/usr/lib/python3.9/site-packages/dynaconf/validator.py”, line 213, in validate
self._validate_items(
File “/usr/lib/python3.9/site-packages/dynaconf/validator.py”, line 274, in _validate_items
raise ValidationError(_message, details=[(self, _message)])
dynaconf.validator.ValidationError: CONTENT_ORIGIN is a required setting but it was not configured. This may be caused by invalid read permissions of the settings file. Note that CONTENT_ORIGIN is set by the installer automatically.
Try running it as a single command:
PULP_SETTINGS="/etc/pulp/settings.py" pulpcore-manager add-signing-service --class deb:AptReleaseSigningService ubuntu <my_key> 0B93…0900
The result is exactly the same.
To me, this looks like a bug in pulpcore-manager, perhaps something in the settings load order. Can you create an issue with pulpcore here: Issues · pulp/pulpcore · GitHub
The key information for the issue is that you have CONTENT_ORIGIN in your /etc/pulp/settings.py, PULP_SETTINGS="/etc/pulp/settings.py" is clearly set, the command you ran and its full error output.
The pulpcore version you are running is also important. You should be able to find it by running pulp status on your Foreman host.
I had one more thought: What does ls -al /etc/pulp/settings.py say?
-rw-r----- 1 root pulp 2938 Nov 24 10:58 /etc/pulp/settings.py