Add GPG keys to /apt/keyrings instead of /apt/trusted.gpg.d, Update task Add Docker apt key
#436
Conversation
|
This worked for me! |
tasks/setup-Debian.yml
Outdated
| curl -sSL {{ docker_apt_gpg_key }} | apt-key add - | ||
| when: add_repository_key is failed and docker_add_repo | bool | ||
| curl -fsSL {{ docker_apt_gpg_key }} | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg --yes | ||
| changed_when: false |
There was a problem hiding this comment.
not sure of a way around this
There was a problem hiding this comment.
Yes, there is: https://stackoverflow.com/questions/71585303/how-can-i-manage-keyring-files-in-trusted-gpg-d-with-ansible-playbook-since-apt
You can just skip the gpg --dearmor and save the file directly into /etc/apt/keyrings/ with a .asc extension. This means you can skip the shell module completely and only use get_url.
There was a problem hiding this comment.
Really all that needs to be changed here is the dest: /etc/apt/trusted.gpg.d/docker.asc from the Add Docker apt key. task needs to be dest: /etc/apt/keyrings/docker.asc instead.
|
This also affects Ubuntu.
EDIT: Actually, although the ansible-role-docker/defaults/main.yml Line 41 in 8ff4a24 so this doesn't even have to necessarily be changed yet. All I had to do was delete the EDIT2: Yea okay I see now this was discussed in #434. The filename was changed in c3a1271. This is a breaking change as we see by these issues and PRs, but to be fair it was changed when going from role version 6.2.0 to 7.0.0 so a new major version. All is well if you pin your role versions and read through every commit and diff before updating... |
|
Thank you @jantari and @geerlingguy for the information. I will update this PR and @ you again when it is ready. |
|
Hello, apologies for the delay. I was out on vacation with limited internet connectivity. I've updated the PR to only contain edits to save to |
|
This also fix raspbian compatibility. https://docs.docker.com/engine/install/raspberry-pi-os/#install-using-the-repository |
|
@geerlingguy sorry for the tag but could you take a look whenever you get a chance? Thanks |
it would be pritty wonderful. I've got the same problem. Very wait when it will be merged |
|
LGTM. Docker install script also uses |
Motivation ---------- We were running into geerlingguy/ansible-role-docker#436 It seems we just have to uninstall the pip packages and remove these files: ``` sudo rm /etc/apt/sources.list.d/docker.list sudo rm /etc/apt/sources.list.d/download_docker_com_linux_ubuntu.list ``` How to test ----------- 1. Remove the files 2. Run the ansible playbook 3. `docker-compose` should be uninstalled 4. `docker compose` should be on v2
…g /etc/apt/keyrings/docker.asc key Related to: - #3337 - geerlingguy/ansible-role-docker#436
…g /etc/apt/keyrings/docker.asc key Related to: - spantaleev#3337 - geerlingguy/ansible-role-docker#436
#435
I started this issue because I faced a similar problem as #434
when adding the docker apt repository
Signed-By regarding source https://download.docker.com/linux/ubuntu/ jammy: │ /etc/apt/trusted.gpg.d/docker.asc != ,Which I then had to fix by:
and then running the changes in this branch.
I did some research and noticed that GPG keys should not be placed in
/etc/apt/trusted.gpg.d/(please see #435)After updating the tasks to mirror the installation method in https://docs.docker.com/engine/install/debian/#install-using-the-repository, I was still getting an error:
until I noticed that the task here
ansible-role-docker/tasks/setup-Debian.yml
Line 30 in 8ff4a24
was saving the GPG key in binary whereas in the docker docs, the key is converted to an ASCII-encoded format.
I updated the ansible tasks to use the fallback curl/shell method and added a few more tasks to mirror the installation method of the docker docs.
With these changes, I'm not getting any errors and able to successfully run the role on version 7.0.2.
@geerlingguy (or any maintainer) Please let me know what you think of these changes:
/etc/apt/keyrings(as per docker) or/usr/share/keyrings(as per debian)If using the task
ansible.builtin.get_urlis preferred, I believe a task like this might be required as well directly afterwards: