[CentOS] How to automatically confirm importing repo key?

Yuri Kanivetsky

yuri.kanivetsky at gmail.com
Sun Mar 5 11:51:53 UTC 2017


Hi,

I'm trying to set up provisioning of an LXC container running CentOS. And
among other things, I need to install nginx + passenger from a
non-official repo (the docs:
https://www.phusionpassenger.com/library/install/nginx/install/oss/el7/).
With this playbook:

- hosts: all
  tasks:
    # https://docs.ansible.com/ansible/yum_repository_module.html
    - name: Add repository
      yum_repository:
        # from https://oss-binaries.phusionpassenger.com/yum/definitions/el-passenger.repo
        name: passenger
        description: Passenger repository
        baseurl: https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/$basearch
        repo_gpgcheck: 1
        gpgcheck: 0
        enabled: 1
        gpgkey: https://packagecloud.io/gpg.key
        sslverify: 1
        sslcacert: /etc/pki/tls/certs/ca-bundle.crt

    # http://docs.ansible.com/ansible/command_module.html
    - name: (1) Add repository key (shell command)
      command: rpm --import https://packagecloud.io/gpg.key

#     # http://docs.ansible.com/ansible/rpm_key_module.html
#     - name: (2) Add repository key (python code)
#       rpm_key:
#         key: https://packagecloud.io/gpg.key

    # http://docs.ansible.com/ansible/yum_module.html
    - name: Install nginx
      yum: name={{ item }}
      with_items: nginx

ansible fails performing the last task with:

Failure talking to yum: failure: repodata/repomd.xml from passenger:
[Errno 256] No more mirrors to try.
https://oss-binaries.phusionpassenger.com/yum/passenger/el/7/x86_64/repodata/repomd.xml:
[Errno -1] repomd.xml signature could not be verified for passenger

no matter which way of importing key I choose (1 or 2).

If I then ssh to the container and run `yum install nginx` manually, it says:

Retrieving key from https://packagecloud.io/gpg.key
Importing GPG key 0xD59097AB:
 Userid     : "packagecloud ops (production key) <ops at packagecloud.io>"
 Fingerprint: 418a 7f2f b0e1 e6e7 eabf 6fe8 c2e7 3424 d590 97ab
 From       : https://packagecloud.io/gpg.key
Is this ok [y/N]:

And I suppose this extra confirmation request is what makes ansible
fail. Can it be confirmed automatically?

I tried to make it clear for those who don't use ansible, but feel
free to ask questions. Thanks in advance.

Related Stack Overflow question (just in case):
http://stackoverflow.com/questions/38327406/how-to-install-yum-repository-key-with-ansible/41882838

Regards,
Yuri
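
Added example, not part of the original post: if the "Is this ok" answer is going to be automated, the key yum offers can first be checked against a pinned fingerprint. The sketch below parses the prompt text quoted in the post; the function names and the pinning policy are assumptions of this example, and the pinned value is simply the fingerprint shown above.

```python
import re

# Fingerprint as shown in the post's yum prompt. Assumption of this example:
# in practice, pin a value obtained out of band from the repository operator.
PINNED_FPR = "418a 7f2f b0e1 e6e7 eabf 6fe8 c2e7 3424 d590 97ab"

# yum's key-import prompt, copied from the post.
SAMPLE_PROMPT = """\
Retrieving key from https://packagecloud.io/gpg.key
Importing GPG key 0xD59097AB:
 Userid     : "packagecloud ops (production key) <ops at packagecloud.io>"
 Fingerprint: 418a 7f2f b0e1 e6e7 eabf 6fe8 c2e7 3424 d590 97ab
 From       : https://packagecloud.io/gpg.key
Is this ok [y/N]:
"""

def normalize(fpr):
    """Drop spaces/colons and lowercase, so only the hex digits are compared."""
    return re.sub(r"[\s:]", "", fpr).lower()

def parse_key_prompt(text):
    """Extract key id, user id, fingerprint and source from a yum import prompt."""
    fields = {}
    m = re.search(r"^Importing GPG key 0x([0-9A-Fa-f]+):", text, re.M)
    if m:
        fields["keyid"] = m.group(1).lower()
    pattern = r"^[ \t]*(Userid|Fingerprint|From)[ \t]*:[ \t]*(.+)$"
    for label, value in re.findall(pattern, text, re.M):
        fields[label.lower()] = value.strip().strip('"')
    return fields

def may_confirm(text, pinned_fpr, expected_source):
    """Return True only if the offered key is exactly the pinned one."""
    f = parse_key_prompt(text)
    fpr = normalize(f.get("fingerprint", ""))
    if not re.fullmatch(r"[0-9a-f]{40}", fpr):
        return False  # missing or malformed fingerprint
    if fpr != normalize(pinned_fpr):
        return False  # a different key than the one pinned
    if not fpr.endswith(f.get("keyid", "?")):
        return False  # key id in the header does not match the fingerprint
    return f.get("from") == expected_source

if __name__ == "__main__":
    print(parse_key_prompt(SAMPLE_PROMPT))
    print(may_confirm(SAMPLE_PROMPT, PINNED_FPR, "https://packagecloud.io/gpg.key"))
```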


