
I have a playbook in Ansible that installs packages from a repository that has invalid keys:

    - name: Add Cloudera key
      apt_key:
        keyserver: keys.gnupg.net
        id: F36A89E33CC1BD0F71079007327574EE02A818DD

    - name: Install Cloudera packages
      apt:
        name: "{{ item }}"
        update_cache: yes
        state: latest
        allow_unauthenticated: yes
      with_items:
        - sudo
        - libssl-dev
        - ....

but ansible fails to update the cache:

    "msg": "Failed to update apt cache: W:GPG error: http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 InRelease: The following signatures were invalid: F36A89E33CC1BD0F71079007327574EE02A818DD, E:The repository 'http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 InRelease' is not signed."

even with the allow_unauthenticated option or force option set to yes. How can I update the cache with these key problems?

EDIT: The apt commands that reproduce this behavior are:

    sudo wget 'https://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh/cloudera.list' \
        -O /etc/apt/sources.list.d/cloudera.list
    sudo apt-get update

    W: GPG error: http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 InRelease: The following signatures were invalid: F36A89E33CC1BD0F71079007327574EE02A818DD
    W: The repository 'http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 InRelease' is not signed.
    N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
    N: See apt-secure(8) manpage for repository creation and user configuration details.

But I can go on and issue the command

    sudo apt-get install hadoop-hdfs-namenode

and it installs the package after the warning. Ansible is considering the warning above (W The following signatures were invalid), an error from Cloudera side that provided the wrong key or the wrong signed repository, but moves forward and installs the package:

    dpkg -l | grep hadoop-hdfs-namenode
    ii  hadoop-hdfs-namenode                  2.6.0+cdh5.14.2+2748-1.cdh5.14.2.p0.11~jessie-cdh5.14.2 all          Name Node for Hadoop

So what I'm trying to achieve is that Ansible reproduces this behavior: execute the apt-get update command and continue without bailing out on the update part. Ansible can install a package from an unsigned repository with the option allow_unauthenticated.

EDIT #2: The full ansible command is below:

    iveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/user/.ansible/cp/be00dd5395 -tt 192.168.9.22 '/bin/sh -c '"'"'sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-thnmveqcmiwmvbdbabglejbbsaidohqe; /usr/bin/python /home/user/.ansible/tmp/ansible-tmp-1528224540.4225562-47865757921408/apt.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
    Escalation succeeded
    <192.168.9.22> (1, b'\r\n{"msg": "Failed to update apt cache: W:GPG error: http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 InRelease: The following signatures were invalid: F36A89E33CC1BD0F71079007327574EE02A818DD, E:The repository \'http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 InRelease\' is not signed.", "failed": true, "exception": "  File \\"/tmp/ansible_RDFb3C/ansible_module_apt.py\\", line 991, in main\\n    cache.update()\\n  File \\"/usr/lib/python2.7/dist-packages/apt/cache.py\\", line 464, in update\\n    raise FetchFailedException(e)\\n", "invocation": {"module_args": {"dpkg_options": "force-confdef,force-confold", "upgrade": null, "force": false, "force_apt_get": false, "install_recommends": null, "package": ["sudo", "build-essential", "python-dev", "python3-dev", "openjdk-8-jdk", "git", "libssl-dev", "libsqlite3-dev", "zlib1g-dev", "bzip2", "libreadline-dev", "vim", "rsync", "apt-transport-https", "vsftpd", "ftp", "tmux", "postgresql", "postgresql-client", "libpq-dev", "python-psycopg2", "ntp", "r-base"], "autoclean": false, "name": ["sudo", "build-essential", "python-dev", "python3-dev", "openjdk-8-jdk", "git", "libssl-dev", "libsqlite3-dev", "zlib1g-dev", "bzip2", "libreadline-dev", "vim", "rsync", "apt-transport-https", "vsftpd", "ftp", "tmux", "postgresql", "postgresql-client", "libpq-dev", "python-psycopg2", "ntp", "r-base"], "purge": false, "allow_unauthenticated": true, "state": "latest", "autoremove": false, "update_cache": true, "default_release": null, "only_upgrade": false, "deb": null, "cache_valid_time": 0}}}\r\n', b'Shared connection to 192.168.9.22 closed.\r\n')                                                                                                
    <192.168.9.22> ESTABLISH SSH CONNECTION FOR USER: None
    <192.168.9.22> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/user/.ansible/cp/be00dd5395 192.168.9.22 '/bin/sh -c '"'"'rm -f -r /home/user/.ansible/tmp/ansible-tmp-1528224540.4225562-47865757921408/ > /dev/null 2>&1 && sleep 0'"'"''    
    <192.168.9.22> (0, b'', b'')
    The full traceback is:
      File "/tmp/ansible_RDFb3C/ansible_module_apt.py", line 991, in main
        cache.update()
      File "/usr/lib/python2.7/dist-packages/apt/cache.py", line 464, in update
        raise FetchFailedException(e)

    failed: [192.168.9.22] (item=['sudo', 'build-essential', 'python-dev', 'python3-dev', 'openjdk-8-jdk', 'git', 'libssl-dev', 'libsqlite3-dev', 'zlib1g-dev', 'bzip2', 'libreadline-dev', 'vim', 'rsync', 'apt-transport-https', 'vsftpd', 'ftp', 'tmux', 'postgresql', 'postgresql-client', 'libpq-dev', 'python-psycopg2', 'ntp', 'r-base']) => {               
        "changed": false,
        "invocation": {
            "module_args": {
                "allow_unauthenticated": true,
                "autoclean": false,
                "autoremove": false,
                "cache_valid_time": 0,
                "deb": null,
                "default_release": null,
                "dpkg_options": "force-confdef,force-confold",
                "force": false,
                "force_apt_get": false,
                "install_recommends": null,
                "name": [
                    "sudo",
                    "build-essential",
                    "python-dev",
                    "python3-dev",
                    "openjdk-8-jdk",
                    "git",
                    "libssl-dev",
                    "libsqlite3-dev",
                    "zlib1g-dev",
                    "bzip2",
                    "libreadline-dev",
                    "vim",
                    "rsync",
                    "apt-transport-https",
                    "vsftpd",
                    "ftp",
                    "tmux",
                    "postgresql",
                    "postgresql-client",
                    "libpq-dev",
                    "python-psycopg2",
                    "ntp",
                    "r-base"
                ],
                "only_upgrade": false,
                "package": [
                    "sudo",
                    "build-essential",
                    "python-dev",
                    "python3-dev",
                    "openjdk-8-jdk",
                    "git",
                    "libssl-dev",
                    "libsqlite3-dev",
                    "zlib1g-dev",
                    "bzip2",
                    "libreadline-dev",
                    "vim",
                    "rsync",
                    "apt-transport-https",
                    "vsftpd",
                    "ftp",
                    "tmux",
                    "postgresql",
                    "postgresql-client",
                    "libpq-dev",
                    "python-psycopg2",
                    "ntp",
                    "r-base"
                ],
                "purge": false,
                "state": "latest",
                "update_cache": true,
                "upgrade": null
            }
        },
        "item": [
            "sudo",
            "build-essential",
            "python-dev",
            "python3-dev",
            "openjdk-8-jdk",
            "git",
            "libssl-dev",
            "libsqlite3-dev",
            "zlib1g-dev",
            "bzip2",
            "libreadline-dev",
            "vim",
            "rsync",
            "apt-transport-https",
            "vsftpd",
            "ftp",
            "tmux",
            "postgresql",
            "postgresql-client",
            "libpq-dev",
            "python-psycopg2",
            "ntp",
            "r-base"
        ],
    "msg": "Failed to update apt cache: W:GPG error: http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 InRelease: The following signatures were invalid: F36A89E33CC1BD0F71079007327574EE02A818DD, E:The repository 'http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 InRelease' is not signed."
}
ilias-sp
Ivan
  • apt actually updates the cache even with the warning, and if one issues the `apt install` command, a prompt appears and, if accepted, the installation proceeds. It seems that ansible is treating the warning about keys as errors and both parameters that supposedly would fix this are not working. – Ivan Jun 05 '18 at 17:57
  • Exactly what I did. I reran the command with `-vvv` and even with the messages, the `apt` part works, the ansible one doesn't. I'm trying to come up with some solution because I don't want to drop ansible and do this part by hand and I can't change the signing key from Cloudera. For example, the same procedure of adding a key from a foreign repository and installing packages works for CRAN R. – Ivan Jun 05 '18 at 18:01
  • I updated the question to reflect what I think that you're asking. – Ivan Jun 05 '18 at 18:10
  • BTW, it seems that the vendor is aware of this problem but no solution was provided: https://community.cloudera.com/t5/CDH-Manual-Installation/installing-from-apt-repository-broken-for-Debian9/td-p/61046 – Ivan Jun 05 '18 at 18:11
  • [How to debug Ansible issues?](https://stackoverflow.com/q/42417079/2947502) – techraf Jun 06 '18 at 06:32

1 Answer

Stick the apt commands in a bash script and use the script module to execute them.

gerardw
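One way to follow this answer while keeping the bypass narrow, as an added example that is not part of the original answer: a POSIX shell wrapper that goes on to `apt-get install --allow-unauthenticated` only when the `apt-get update` output contains nothing worse than the two Cloudera signature warnings quoted in the question. The function and variable names and the file name `cloudera_apt.sh` are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post); names are illustrative.
EXPECTED_REPO='http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh'
EXPECTED_KEY='F36A89E33CC1BD0F71079007327574EE02A818DD'

# Reads `apt-get update` output on stdin. Returns 0 when every W:/E: line is
# one of the two signature warnings quoted in the question for EXPECTED_REPO,
# and 1 when any other warning or error appears.
classify_apt_output() {
  rc=0
  while read -r line; do            # read strips leading/trailing blanks
    case "$line" in
      W:*|E:*) ;;                   # only warnings and errors are judged
      *) continue ;;
    esac
    case "$line" in
      "W: GPG error: $EXPECTED_REPO "*"The following signatures were invalid: $EXPECTED_KEY") ;;
      "W: The repository '$EXPECTED_REPO "*"' is not signed.") ;;
      *) echo "unexpected apt problem: $line" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

main() {
  # LC_ALL=C keeps the messages in the English form matched above.
  out=$(LC_ALL=C apt-get update 2>&1) || { printf '%s\n' "$out" >&2; exit 1; }
  printf '%s\n' "$out"
  printf '%s\n' "$out" | classify_apt_output || exit 1
  # Reached only when the sole complaint is the known Cloudera signature.
  LC_ALL=C apt-get install -y --allow-unauthenticated "$@"
}

if [ "$#" -gt 0 ]; then
  main "$@"                         # e.g. ./cloudera_apt.sh hadoop-hdfs-namenode
else
  # No package names given: classify the apt-get output quoted in the question.
  classify_apt_output <<'EOF' && echo "sample: only the known signature warnings"
W: GPG error: http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 InRelease: The following signatures were invalid: F36A89E33CC1BD0F71079007327574EE02A818DD
W: The repository 'http://archive.cloudera.com/cdh5/debian/jessie/amd64/cdh jessie-cdh5 InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
EOF
fi
```

Run through the `script` module, the package names go in as arguments (for example `script: cloudera_apt.sh hadoop-hdfs-namenode`); a signature failure from any other repository or key still stops the play.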