How to deal with Percona keyserver with Ansible
I have been trying to create a Percona role in Ansible and failing at it. I won't really say failing, but it doesn't work as planned. Below is a snippet of the role:

    - name: Setting up percona server apt-key
      apt_key:
        id=1C4CBDCDCD2EFD2A
        keyserver=keys.gnupg.net
        state=present

Upon running this I ended up with the following error:

    failed: [192.168.56.107] => {"cmd": "apt-key adv --keyserver keys.gnupg.net --recv 1C4CBDCDCD2EFD2A", "failed": true, "rc": 2}
    stderr: gpg: requesting key CD2EFD2A from hkp server keys.gnupg.net
    gpg: no valid OpenPGP data found.
    gpg: Total number processed: 0

As you can see, Ansible executes the following command: apt-key adv --keyserver keys.gnupg.net --recv 1C4CBDCDCD2EFD2A. Meanwhile, the command that actually works, tested and recommended on the Percona repository page, is apt-key adv --keyserver keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A. There is a difference between the commands: the former uses just --recv and the latter --recv-keys. I have no idea how to make Ansible run this command, or whether I can do so using the Ansible command module itself.

There is also this url found on percona download page to the repo key which can be used in the apt_key module instead of keyserver.

What I am interested in knowing is whether it's possible to make Ansible run the actual apt_key commands with --recv-keys.

Consciousness answered 10/5, 2015 at 13:53 Comment(0)
C
4

The following command should work for you:

    - apt_key: url=http://www.percona.com/redir/downloads/RPM-GPG-KEY-percona
               state=present
Chalutz answered 10/5, 2015 at 23:23 Comment(3)
Url is the option I tried first, but the command is what I ended up using as it's more natural to use - Consciousness
@blacksensei You did not mention that you used the url parameter in your original question. Also, using the "command" module is generally an anti-pattern when a native module is available. Finally, your command will always show "changed" status when you run it, whereas the apt_key module will show proper changed/ok results based on whether something was done. - Chalutz
Sorry for the miscommunication. In my post I attempted saying it with these: "There is also this url found on percona download page to the repo key which can be used in the apt_key module instead of keyserver." Now, command being an anti-pattern is really new to me. I would do more searching and, if so, accept your answer instead. - Consciousness
L
3

The source code for the apt_key module shows it building a command line using --recv but no mention of --recv-keys, so it doesn't look like you can use this module the way you want. I would suggest filing a feature request with the Ansible team to ask that they support this flag.

In the meantime you should be able to call apt-key manually via the command module. The command would be virtually identical to what the debug output showed:

    - name: call apt_key manually
      command: apt-key adv --keyserver keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A
Lissner answered 10/5, 2015 at 14:49 Comment(0)
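
The command task in the answer above reruns the import, and reports "changed", on every play, which is the drawback raised in the comments on the other answer. As an added example (not part of the original answers), the tasks below check the apt keyring first and import only when the key is missing; the task names and the registered variable percona_key_check are made up here, and the check assumes gpg exits non-zero when the requested key is not in the keyring.

```yaml
# Added example: idempotent wrapper around the manual apt-key call.
# Key ID and keyserver are the ones from the question; the task names
# and the registered variable percona_key_check are hypothetical.
- name: Check whether the Percona key is already in the apt keyring
  command: apt-key adv --list-keys 1C4CBDCDCD2EFD2A
  register: percona_key_check
  changed_when: false   # read-only query, never a change
  failed_when: false    # a missing key is an expected result, not an error

- name: Import the Percona key from the keyserver only when it is missing
  command: apt-key adv --keyserver keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A
  # default(1) covers check mode, where the query above is skipped and
  # the registered result has no rc field
  when: percona_key_check.rc | default(1) != 0

- name: Fail the play if the key is still absent after the import
  command: apt-key adv --list-keys 1C4CBDCDCD2EFD2A
  changed_when: false
  when: percona_key_check.rc | default(1) != 0
```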
