Bug? package, yum and dnf modules apparently ignore localpkg_gpgcheck on CentOS 8

Darby Mitchell

Nov 18, 2021, 4:36:47 PM
to Ansible Development
I ran into a problem that I think is a bug, but I saw that I should bring it up as a question on the mailing list first.  So, my question is, is it expected behavior for ansible.builtin.package, ansible.builtin.yum and ansible.builtin.dnf to ignore the localpkg_gpgcheck setting in /etc/dnf/dnf.conf?

On CentOS 7, the package module and the yum module both honor the localpkg_gpgcheck setting in /etc/yum.conf.  If you set it to 0, you can install unsigned packages from a file using the package module (which doesn't have a disable_gpg_check option).

On CentOS 8, these modules appear to ignore the localpkg_gpgcheck setting in /etc/dnf/dnf.conf (which is soft linked to /etc/yum.conf).

Attached is a minimal example of the behavior...
If I just dnf install the RPM, it works like a charm.
2021.11.18-ansible-log.txt

Matt Martz

Nov 18, 2021, 5:09:09 PM
to Darby Mitchell, Ansible Development
That is correct. The module explicitly only evaluates whether `disable_gpg_check` is set or not. It does not respect the system configuration.

--
Matt Martz
@sivel
sivel.net

Darby Mitchell

Nov 18, 2021, 8:45:22 PM
to Ansible Development
Okay, but the package module doesn't have a disable_gpg_check setting.  So, previously (CentOS 7), you could install an unsigned package from a file with the package module.  Now, you can't.  You have to use either the dnf module or the yum module on CentOS 8/RHEL 8 to install an unsigned package from a file, so you can disable GPG verification.

Here's my use case: There are several unsigned packages we need to install.  Even in 2021, not every organization signs the packages they provide.  We wrote a role a few years ago that downloads and installs an arbitrary list of packages.  When we use this role, we have previously downloaded and inspected the packages to confirm they are genuine, and we've cached the SHA256 sums, which we can use to verify the integrity of the packages downloaded by the role.  The list includes the URL and the SHA256 sum of each package like so:
- package_name: some-package-1.0-1.el8.noarch.rpm
  package_url: https://some-company.com/path/to/some-package-1.0-1.el8.noarch.rpm
  package_sum: sha256:c3dd60d3ab4f1d56bb69fe3c644c2858d723331345a52453905257720cb2a155

The way the role was originally written (using the package module) was intended to work for RHEL/CentOS as well as other Linux distributions that are not yum/dnf-based.

Maybe the package module needs a disable_gpg_check that passes --nogpgcheck to yum/dnf and --allow-unauthenticated to apt-get?  I'm less familiar with apt-based systems, but I think that does the same thing as nogpgcheck on yum.

flowerysong

Nov 18, 2021, 10:23:16 PM
to Ansible Development
package by design only supports very basic options that are available on all package managers. If you want to do non-generic things like disabling GPG checks you should use the underlying modules directly.

Matt Martz

Nov 19, 2021, 9:24:47 AM
to Darby Mitchell, Ansible Development
> Okay, but the package module doesn't have a disable_gpg_check setting

That is an incorrect assessment.  The `package` module is simply a proxy to the underlying module.  From the documentation:

> This module acts as a proxy to the underlying package manager module. While all arguments will be passed to the underlying module, not all modules support the same arguments. This documentation only covers the minimum intersection of module arguments that all packaging modules support.

As such, you can pass any argument that the underlying module supports, but not all modules support the same arguments, so it will be up to you to pass the correct arguments based on the target.
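
The pass-through described above, combined with the checksum-pinned package list from the earlier post, as an added example that is not part of the thread. The inventory group `centos8`, the `download_dir` path and the `packages` variable name are assumptions; the list entry is the one quoted in the thread.

```yaml
# Added example, not code posted in the thread.
- name: Install checksum-pinned unsigned RPMs from local files
  hosts: centos8                          # hypothetical inventory group
  become: true
  vars:
    download_dir: /var/cache/local-rpms   # hypothetical path
    packages:                             # entry format as quoted in the thread
      - package_name: some-package-1.0-1.el8.noarch.rpm
        package_url: https://some-company.com/path/to/some-package-1.0-1.el8.noarch.rpm
        package_sum: sha256:c3dd60d3ab4f1d56bb69fe3c644c2858d723331345a52453905257720cb2a155
  tasks:
    - name: Create a root-only download directory
      ansible.builtin.file:
        path: "{{ download_dir }}"
        state: directory
        owner: root
        group: root
        mode: "0700"

    # get_url fails the task when the downloaded file does not match the
    # pinned digest, so nothing unverified reaches the install step.
    - name: Download each package and verify its SHA256 sum
      ansible.builtin.get_url:
        url: "{{ item.package_url }}"
        dest: "{{ download_dir }}/{{ item.package_name }}"
        checksum: "{{ item.package_sum }}"
        mode: "0600"
      loop: "{{ packages }}"

    # package proxies its arguments to the underlying module, so
    # disable_gpg_check reaches yum/dnf. It applies to this task only;
    # the system-wide gpgcheck settings stay untouched.
    - name: Install the verified files on yum/dnf targets
      ansible.builtin.package:
        name: "{{ download_dir }}/{{ item.package_name }}"
        state: present
        disable_gpg_check: true
      loop: "{{ packages }}"
      # Other package managers need their own task with that module's arguments.
      when: ansible_facts['pkg_mgr'] in ['yum', 'dnf']
```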


Warron French

Nov 19, 2021, 11:48:33 AM
to Ansible Development
Hello @Matt Martz,
I am really new to Ansible, and have been reading through emails on this Mail List for the last few months.  Most of the time the stuff is way over my head; I got some low-level training recently so it has revitalized my interest and improved my ability to have a place to start from.

In response to j.darby, where you wrote:
"As such, you can pass any argument that the underlying module supports, but not all modules support the same arguments, so it will be up to you to pass the correct arguments based on the target..."  can you provide an updated snippet based on j.darby's attached sample, even if specific to a CentOS 8 use case?

Respectfully, and thank you,