yum install --nogpgcheck and friends

yumhamster

Hi all,

I'm trying to use yum whilst building a docker image. Standard stuff. The docker image is built on a gitlab-runner (via kaniko). Again standard stuff.

I am trying to install centos-release-scl which has an associated gpg key for rpm verification.

$ yum install -y centos-release-scl

The gitlab admins in their wisdom have mounted the gitlab-runner docker volume /etc/pki read-only, which causes my yum install to fail since it is unable to write the gpg key to /etc/pki/rpm-gpg/ . They will not change this behaviour.

Is there a way to stop yum from downloading the gpg signature? It seems there are ways to ask for no gpg checking (e.g. via 'gpgcheck = 0' or 'yum install --nogpgcheck' or 'setting yum.conf [main] gpgcheck=0'), but still yum insists on downloading the gpg signature. And the docker build fails.

/etc/yum/conf
===========
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project....s.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
override_install_langs=en_US.utf8
tsflags=nodocs


/etc/yum.repo.d/my.repo
==================
[CentOS_7_extras_x86_64]
metadata_expire = 1
enabled_metadata = 1
sslclientcert = /etc/pki-docker/entitlement/5503589818749365981.pem
baseurl = https://path/to/CentOS_7/extras_x86_64
sslverify = 1
name = co7_extras_x86_64
sslclientkey = /etc/pki-docker/entitlement/5503589818749365981-key.pem
gpgkey = https://path/to/gpg_key_content
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 0

You will notice I have changed /etc/pki to /etc/pki-docker above. This works well for non-gpg checked repos; presumably ones where the gpg does not exist at all on the remote satellite mirror.

Running the yum install in a local docker container (i.e. not via a gitlab-runner) results in the following, highlighting where the gpg signature is downloaded to before installation.

[[email protected] bin]# ls -ltr /etc/pki/rpm-gpg/
total 16
-rw-r--r--. 1 root root 1057 Oct 29 2018 RPM-GPG-KEY-CentOS-SIG-SCLo
:


Is there a way to stop this? Alternatively (and preferably) is there a way to have the key saved to my /etc/pki-docker/rpm-gpg directory and installed from there? Allowing gpg checking to take place?

Help me Obi Wan. I'm really stumped!
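For a repo stanza you define yourself, such as the my.repo one in the post above, signature checking can stay on with the key kept outside /etc/pki: put the key file in a writable directory and point gpgkey at it with a file:// URL. The following is an added example, not part of the original post; the function name pin_repo_key and the key file name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Rewrites one section of a yum
# .repo file so that gpgkey points at a local key file and gpgcheck is on.
# Usage (key file name is a placeholder):
#   pin_repo_key /etc/yum.repos.d/my.repo CentOS_7_extras_x86_64 \
#       /etc/pki-docker/rpm-gpg/RPM-GPG-KEY-placeholder
pin_repo_key() {
    repo_file=$1 section=$2 key_file=$3

    # Refuse to reference a key that is missing or is not an armored public key.
    [ -r "$key_file" ] || { echo "missing key: $key_file" >&2; return 1; }
    grep -q -e '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$key_file" ||
        { echo "not a PGP public key: $key_file" >&2; return 1; }
    grep -q "^\[$section\]" "$repo_file" ||
        { echo "no [$section] in $repo_file" >&2; return 1; }

    tmp=$(mktemp) || return 1
    awk -v sec="[$section]" -v key="file://$key_file" '
        function flush() {            # append settings the section never had
            if (!insec) return
            if (!seen_key)   print "gpgkey = " key
            if (!seen_check) print "gpgcheck = 1"
        }
        # A new section header closes the previous one and resets the flags.
        /^\[/ { flush(); insec = ($0 == sec); seen_key = seen_check = 0 }
        # Inside the target section, replace both settings in place.
        insec && /^[ \t]*gpgkey[ \t]*=/   { print "gpgkey = " key; seen_key = 1; next }
        insec && /^[ \t]*gpgcheck[ \t]*=/ { print "gpgcheck = 1";  seen_check = 1; next }
        { print }
        END { flush() }
    ' "$repo_file" > "$tmp" && cat "$tmp" > "$repo_file"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Other sections of the file are left untouched, so a repo that was deliberately left unchecked stays visible as such when the file is reviewed.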
 

