yum install --nogpgcheck and friends

yumhamster

Hi all,

I'm trying to use yum whilst building a docker image. Standard stuff. The docker image is built on a gitlab-runner (via kaniko). Again standard stuff.

I am trying to install centos-release-scl which has an associated gpg key for rpm verification.

$ yum install -y centos-release-scl

The gitlab admins in their wisdom have mounted the gitlab-runner docker volume /etc/pki read-only, which causes my yum install to fail since it is unable to write the gpg key to /etc/pki/rpm-gpg/. They will not change this behaviour.

Is there a way to stop yum from downloading the gpg signature? It seems there are ways to ask for no gpg checking (e.g. via 'gpgcheck = 0' or 'yum install --nogpgcheck' or 'setting yum.conf [main] gpgcheck=0'), but still yum insists on downloading the gpg signature. And the docker build fails.

/etc/yum/conf
===========
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project....s.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
override_install_langs=en_US.utf8
tsflags=nodocs


/etc/yum.repo.d/my.repo
==================
[CentOS_7_extras_x86_64]
metadata_expire = 1
enabled_metadata = 1
sslclientcert = /etc/pki-docker/entitlement/5503589818749365981.pem
baseurl = https://path/to/CentOS_7/extras_x86_64
sslverify = 1
name = co7_extras_x86_64
sslclientkey = /etc/pki-docker/entitlement/5503589818749365981-key.pem
gpgkey = https://path/to/gpg_key_content
enabled = 1
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
gpgcheck = 0

You will notice I have changed /etc/pki to /etc/pki-docker above. This works well for non-gpg checked repos; presumably ones where the gpg does not exist at all on the remote satellite mirror.

Running the yum install in a local docker container (i.e. not via a gitlab-runner) results in the following, highlighting where the gpg signature is downloaded to before installation.

[root@9c2e5704abf5 bin]# ls -ltr /etc/pki/rpm-gpg/
total 16
-rw-r--r--. 1 root root 1057 Oct 29 2018 RPM-GPG-KEY-CentOS-SIG-SCLo
:


Is there a way to stop this? Alternatively (and preferably) is there a way to have the key saved to my /etc/pki-docker/rpm-gpg directory and installed from there? Allowing gpg checking to take place?

Help me Obi Wan. I'm really stumped!
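Added example, not part of the original post: a small audit of the two files quoted above. It shows that the repo-level `gpgcheck = 0` overrides `gpgcheck=1` in `[main]`, so packages from that repo install without signature verification. The function names are hypothetical, the embedded config is a trimmed copy of the post's files, and the fallback used when `[main]` sets no `gpgcheck` is an assumption.

```python
import configparser

# Constructed sample input: trimmed copies of the two files quoted in the post.
YUM_CONF = "[main]\ngpgcheck=1\nplugins=1\n"
REPO_FILE = """\
[CentOS_7_extras_x86_64]
name = co7_extras_x86_64
baseurl = https://path/to/CentOS_7/extras_x86_64
gpgkey = https://path/to/gpg_key_content
enabled = 1
gpgcheck = 0
"""


def _parse(text):
    # interpolation=None keeps values such as $basearch untouched
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def effective_gpgcheck(main_text, repo_texts, unset_default=False):
    """Resolve the gpgcheck value yum would apply to each repo section.

    A repo's own gpgcheck wins; otherwise the [main] value is inherited.
    unset_default is the value assumed when [main] has no gpgcheck line.
    """
    main_default = _parse(main_text).getboolean(
        "main", "gpgcheck", fallback=unset_default)
    report = {}
    for text in repo_texts:
        cp = _parse(text)
        for repo in cp.sections():
            if repo == "main":
                continue
            report[repo] = {
                "enabled": cp.getboolean(repo, "enabled", fallback=True),
                "gpgcheck": cp.getboolean(repo, "gpgcheck",
                                          fallback=main_default),
                "overrides_main": cp.has_option(repo, "gpgcheck"),
                "gpgkey": cp.get(repo, "gpgkey", fallback=None),
            }
    return report


def unverified_repos(report):
    """Enabled repos whose packages would install without a signature check."""
    return sorted(r for r, v in report.items()
                  if v["enabled"] and not v["gpgcheck"])


if __name__ == "__main__":
    print(unverified_repos(effective_gpgcheck(YUM_CONF, [REPO_FILE])))
```
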
 


