
I am trying to execute the command below, which is part of the Docker installation, but it gets stuck.

The gpg part of the command gets stuck; if I remove gpg after the pipe, it works.

---
- hosts: all
  become: yes

  tasks:

    - name: add docker GPG key
      shell: "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
β.εηοιτ.βε
    I'm quite sure it is stuck because gpg is waiting for interactive input. See answers below to understand why using shell for this is a bad idea anyway. – Zeitounator Jun 24 '22 at 09:43

4 Answers


General Ansible advice: if you just feed all your command lines into shell tasks in Ansible, then you are doing it wrong.
Ansible does have existing modules that are purposed to serve the idempotency idea that is at the root of Ansible's goal and that will greatly simplify all the tasks you will try to achieve.


This being said, you now have to understand what that specific line of the Docker manual is trying to achieve.

curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
| gpg --dearmor -o /etc/apt/keyrings/docker.gpg

This command would add the GPG key of Docker to a trusted keyring on the node, so it can validate the authenticity of the package you will later use in a package task.

So the purposed module in this case is the apt_key one.

Your task ends up being:

- name: add docker GPG key
  apt_key:
    url: https://download.docker.com/linux/ubuntu/gpg
β.εηοιτ.βε
  • apt_key has been deprecated (https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_key_module.html). For a general work around, see Example "- name: One way to avoid apt_key once it is removed from your distro..." – user2514157 Jul 02 '23 at 17:30
  • The "General Ansible advise" in concert with the specific explanation of the manual command is a great teaching approach. – user2514157 Jul 02 '23 at 17:54

Example for apt

To download files via HTTPS to your node you may use the get_url module, followed by an apt_key module task to add a key.

- name: Download apt key
  get_url:
    url: https://download.docker.com/linux/ubuntu/gpg
    dest: /tmp # or /etc/pki/rpm-gpg depending on the infrastructure

- name: Add a key from a file
  ansible.builtin.apt_key:
    file: /tmp/gpg
    state: present

You could also add it by

- name: Add an Apt signing key, uses whichever key is at the URL
  ansible.builtin.apt_key:
    url: https://download.docker.com/linux/ubuntu/gpg
    state: present

You may need to use other modules or tasks for gpg or keyring.

Similar Q&A

U880D

Got the same problem today, as I don't want to use the apt_key module because the apt-key command, which the module uses under the hood, is deprecated. I was following the same approach as you.

As @Zeitounator mentions, the issue is caused because gpg is running in interactive mode and waiting for a confirmation, and I'm sure that is because the destination file already exists (probably because you ran the task before), so it's asking you to override that file. So the solution in this case is to use the creates option in the shell module, pointing to the path where you are storing the gpg key. With this the task would not run again if the file exists. See https://docs.ansible.com/ansible/latest/collections/ansible/builtin/shell_module.html#parameter-creates

- name: add docker GPG key
  shell: |
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg |\
    gpg --dearmor -o /etc/apt/keyrings/docker.gpg
  creates: /etc/apt/keyrings/docker.gpg
nueces

apt_key has been deprecated. For a general work around, Ansible Example "- name: One way to avoid apt_key once it is removed from your distro..." suggests using a combination of ansible.builtin.get_url and ansible.builtin.apt_repository.

Also note that the Example indicates that "armored keys should use .asc extension, binary should use .gpg". Although the Docker Ubuntu installation instructions refer to docker.gpg, I used docker.asc because the Docker installation instructions imply that the key is armored (i.e., they require running gpg --dearmor).

- name: install Docker | Add Docker’s official GPG key
  become: yes
  block:
    - name: docker | add apt key
      ansible.builtin.get_url:
        url: https://download.docker.com/linux/ubuntu/gpg
        dest: /etc/apt/keyrings/docker.asc

    - name: docker | add apt source
      ansible.builtin.apt_repository:
        repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable
        state: present

Also see How can I manage keyring files in trusted.gpg.d with ansible playbook since apt-key is deprecated?

user2514157