Engine deployment on oVirt Node NG 4.5.3 (Stream 9) fails due to missing gpg key #104
Comments
|
That is quite weird, as the key was supposed to be automatically installed. In any case, you can manually import the public key as described here: rpms and gpg |
Hi, maybe i try to hack ansible to get it installed, i dont think i can fiddle with the engine when it is in local deployment phase. |
|
You need to import the key to the node, it's the one that supposed to check the signature of the appliance rpm. |
|
Oh okay, i thought it is the engine vm that is created locally before it gets transfered to the target storage. I try that, thank you. |
|
Something is off with the gpg keys.. [root@ovnode01 packages]# rpm -qpi ovirt-engine-appliance-4.5-20221026100609.1.el9.x86_64.rpm [root@ovnode01 packages]# rpm -K ovirt-engine-appliance-4.5-20221026100609.1.el9.x86_64.rpm [root@ovnode01 packages]# ls -l /etc/pki/rpm-gpg/ [root@ovnode01 packages]# gpg --dry-run /etc/pki/rpm-gpg/RPM-GPG-KEY-oVirt-4.5 Trying to import this key on another machine for testing fails.. [root@testnode03 rpm-gpg]# rpm --import /tmp/RPM-GPG-KEY-oVirt-4.5 All other rpm gpg keys from the oVirt node can be imported on my testhost. For some reason, rpm does not like this key. I grabbed this key again from another oVirt Cluster (running Stream 8), same issue. |
|
Have you tried to re-pull the key, as in instructions? I.e.
pub 2048R/FE590CB7 2014-03-30 [expires: 2028-04-06]
|
|
[root@ovnode01 ~]# gpg --recv-keys FE590CB7 [root@ovnode01 ~]# gpg --export --armor FE590CB7 > ovirt-infra.pub just found this on the net : "RHEL 9 deprecating and no longer enabling SHA1 out of the box". Is it possible that CentOS Stream 9 has SHA 1 disabled? |
|
[root@ovnode01 ~]# update-crypto-policies --set LEGACY [root@ovnode01 ~]# rpm --import ovirt-infra.pub [root@ovnode01 ~]# rpm -K /var/cache/dnf/ovirt-45-upstream-6644f816c5ff2731/packages/ovirt-engine-appliance-4.5-20221026100609.1.el9.x86_64.rpm I try to continue for now, i hope the engine that gets created has legacy support enabled. |
|
Yes, looks like we may need to create new signing keys for EL9. |
|
Good news, with "update-crypto-policies --set LEGACY" on the node, i was able to complete the hosted engine deployment. EL9 based node and engine is up and running on a new FC SAN. I enable the policy on any addtional node to be sure. |
|
Just don't forget to switch back to the default after you're finished with the installation:
|
|
@lveyde is the new gpg key included in 4.5.4? Can we close this issue? |
Hello,
i try to deploy a new oVirt Cluster by using a fresh node installed with "ovirt-node-ng-installer-latest-el9.iso" (4.5.3, secureboot disabled). This works fine, but trying to deploy hosted engine with "hosted-engine --deploy" it fails after some time because the gpg key for the ovirt-engine-appliance is missing, this leads to a failed deployment.
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Install ovirt-engine-appliance rpm] [ ERROR ] fatal: [localhost]: FAILED! => {"attempts": 10, "changed": false, "msg": "Failed to validate GPG signature for ovirt-engine-appliance-4.5-20221026100609.1.el9.x86_64: Public key for ovirt-engine-appliance-4.5-20221026100609.1.el9.x86_64.rpm is not installed"}Anyone know a quick workaround for this issue?
The text was updated successfully, but these errors were encountered: