Installation: Update section about installing RPM packages #69

Merged Apr 16, 2024 (1 commit)

@amotl (Member) commented Apr 10, 2024

About

Registering with the RPM package repository using the crate-release-7.0-1.x86_64.rpm packages and friends is being deprecated. It is advised to configure the RPM repository manually instead.

Preview

https://cratedb-guide--69.org.readthedocs.build/install/redhat.html

Caveat

I've only edited the documentation, without doing any kind of validation yet. Maybe you can spare a few minutes? Thanks for your support!

/cc @hlcianfagna, @WalBeh, @BaurzhanSakhariev, @matriv

@amotl amotl added sanding-1200 Fine sanding. maintenance C'est la vie. labels Apr 10, 2024
@amotl amotl requested review from hammerhead and seut April 10, 2024 16:29
Comment on lines +41 to +33
autorefresh=1
type=rpm-md
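
Review bot: `autorefresh=1` and `type=rpm-md` go into the documented repository stanza with nothing next to them saying what they do. Add a one-line explanation for each in the guide, or leave them out until their effect on yum/dnf has been confirmed, so readers are not copying settings nobody has vetted.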

Member Author

Those two parameters have not been part of the previous package repository configuration. They are now inherited from the advised package repository configuration like ES is doing it.

We did not research their meaning yet; please advise correspondingly if you think they should be removed again.

Member Author

@amotl amotl Apr 15, 2024

In our tests, they didn't cause any harm, so we just followed ES here, and included them in the new configuration.

docs/install/redhat.rst
Comment on lines 28 to 29
# Import the public GPG key for verifying the package signatures.
sudo rpm --import https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate
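
Review bot: The `rpm --import` step on line 29 trusts whatever key the URL returns, and the guide gives the reader nothing to compare it against. State the expected key fingerprint next to this command so the imported key can be checked before any package is installed.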

Member Author

Hopefully, this command will drop the key at /etc/pki/rpm-gpg/RPM-GPG-KEY-crate, to match the repository configuration below? Actually, I did not validate the changes yet. Maybe one of you can spare a few minutes?

Member

It was not stored under that location on Amazon Linux 2023, but everything still worked fine, with no warnings or errors. Potentially yum automatically knew where keys were stored and didn't attempt to check the manually specified path? Not sure, other repositories are using that path also:

[root@ip-172-31-26-116 ec2-user]# cat /etc/yum.repos.d/amazonlinux.repo 
[amazonlinux]
name=Amazon Linux 2023 repository
mirrorlist=https://al2023-repos-$awsregion-de612dc2.s3.dualstack.$awsregion.$awsdomain/core/mirrors/$releasever/$basearch/mirror.list
priority=10
enabled=1
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023

[amazonlinux-source]
name=Amazon Linux 2023 repository - Source packages
mirrorlist=https://al2023-repos-$awsregion-de612dc2.s3.dualstack.$awsregion.$awsdomain/core/mirrors/$releasever/SRPMS/mirror.list
enabled=0
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
metadata_expire=6h

[amazonlinux-debuginfo]
name=Amazon Linux 2023 repository - Debug
mirrorlist=https://al2023-repos-$awsregion-de612dc2.s3.dualstack.$awsregion.$awsdomain/core/mirrors/$releasever/debuginfo/$basearch/mirror.list
enabled=0
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
metadata_expire=6h
[root@ip-172-31-26-116 ec2-user]# ls /etc/pki/rpm-gpg/
RPM-GPG-KEY-amazon-linux-2022  RPM-GPG-KEY-amazon-linux-2023
[root@ip-172-31-26-116 ec2-user]# rpm --import https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate 
[root@ip-172-31-26-116 ec2-user]# ls /etc/pki/rpm-gpg/
RPM-GPG-KEY-amazon-linux-2022  RPM-GPG-KEY-amazon-linux-2023

Member

@hammerhead hammerhead Apr 11, 2024

From man dnf.conf:

       gpgkey list of strings

              URLs of a GPG key files that can be used for signing metadata and packages of this repository, empty by default. If a file can not be verified using the already imported keys, import of keys from this option is attempted and the keys are then used for verification.

So this setting is skipped due to the previous rpm --import.

It also supports a URL. So we can skip the manual rpm --import and just set gpgkey=https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate.

dnf install crate then looks like this:

[root@ip-172-31-26-116 ec2-user]# dnf install crate
Last metadata expiration check: 0:00:14 ago on Thu Apr 11 07:52:24 2024.
Dependencies resolved.
=========================================================================================================================================================================================
 Package                                  Architecture                              Version                                      Repository                                         Size
=========================================================================================================================================================================================
Installing:
 crate                                    x86_64                                    5.6.4-1                                      cratedb-stable                                    117 M

Transaction Summary
=========================================================================================================================================================================================
Install  1 Package

Total download size: 117 M
Installed size: 225 M
Is this ok [y/N]: y
Downloading Packages:
crate-5.6.4-1.x86_64.rpm                                                                                                                                  79 MB/s | 117 MB     00:01    
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                     79 MB/s | 117 MB     00:01     
CrateDB RPM package repository - x86_64 - Stable                                                                                                          66 kB/s | 3.1 kB     00:00    
Importing GPG key 0x06F6EAEB:
 Userid     : "CRATE Jenkins <[email protected]>"
 Fingerprint: 90C2 3FC6 585B C071 7F8F BFC3 7FAA E51A 06F6 EAEB
 From       : https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate
Is this ok [y/N]: y
Key imported successfully
[...]

The global rpm --import was useful previously, as the crate-release package also needed to be verified with this key, but that is obsolete now.

Member Author

> The gpgkey setting also supports a URL. So we can skip the manual rpm --import and just set gpgkey=https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate.

That sounds sweet. If there are no other objections, I will change it like this.

Member Author

@amotl amotl Apr 15, 2024

Just to share my observations, probing the installation on CentOS 9 Stream, and AlmaLinux 9, using the snippet in this patch.

TLDR; It apparently works well, even with the new GPG public key, which is about to be swapped in by @seut.

racker --verbose run -it --rm almalinux:9 /bin/bash
racker --verbose run -it --rm quay.io/centos/centos:stream9 /bin/bash

I missed checking on AlmaLinux, but on CentOS, the gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-crate setting does not have any kind of relevance any longer. When using rpm --import to import a public GPG key, it will no longer be located in /etc/pki/rpm-gpg at all, apparently.

In this spirit, I've verified that, when using that approach, that gpgkey= line can be omitted from the cratedb.repo file altogether.

Member Author

@amotl amotl Apr 15, 2024

The patch has been amended to do it like advised. It seems to work well, thanks. Please have a look at the amended installation guidelines. If you may want to exercise it once more, we can be sure it contains no flaws. 🙏

docs/install/redhat.rst (outdated)
WalBeh

This comment was marked as off-topic.

@amotl

This comment was marked as off-topic.

[cratedb-stable]
name=CrateDB RPM package repository - $basearch - Stable
baseurl=https://cdn.crate.io/downloads/yum/7/$basearch
enabled=1

Member

Do we want to enable it by default? ES doesn't for a reason, see the note at https://www.elastic.co/guide/en/elasticsearch/reference/current/rpm.html#rpm-repo.

Member Author

That's the rationale provided by ES:

> The configured repository is disabled by default. This eliminates the possibility of accidentally upgrading elasticsearch when upgrading the rest of the system. Each install or upgrade command must explicitly enable the repository as indicated in the sample commands above.

For us, it would be a change I guess, because it also was enabled=1 before. I will be happy to follow ES's suggestions however, like you are proposing.

Member Author

@amotl amotl Apr 15, 2024

I've also followed this advice, and amended the patch accordingly. Thanks. Please check wording and coherence.
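
The settings the two review threads above settle on (`gpgkey` as a URL, `enabled` off by default) can be checked mechanically. The shell function below is an added example, not part of this pull request or the CrateDB guide; `audit_repo`, `write_samples` and both sample stanzas are constructed here from values quoted in the thread, and `gpgcheck=1` in the hardened stanza is an assumption because the thread never shows that line of the patch.

```shell
# audit_repo FILE SECTION: flag risky settings in one stanza of a yum/dnf .repo file.
# Prints one finding per line, or "ok" when nothing is flagged.
audit_repo() {
    awk -v want="[$2]" '
        /^\[.*\]$/ { in_sec = ($0 == want); next }    # track the current stanza
        in_sec && /^[A-Za-z_]+[ \t]*=/ {              # key=value inside that stanza
            key = $0; sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            conf[key] = val
        }
        END {
            n = 0
            if (conf["gpgcheck"] != "1") { print "gpgcheck is not 1: package signatures are not verified"; n++ }
            if (!("gpgkey" in conf)) {
                print "gpgkey unset: only keys already imported with rpm --import are used"; n++
            } else if (conf["gpgkey"] !~ /^(https|file):\/\//) {
                print "gpgkey is neither https:// nor file://: " conf["gpgkey"]; n++
            }
            if (conf["enabled"] != "0") { print "enabled is not 0: the package upgrades along with the rest of the system"; n++ }
            if (n == 0) print "ok"
        }' "$1"
}

# Constructed sample files (gpgcheck=1 is assumed, see lead-in).
write_samples() {
    cat > "$1/hardened.repo" <<'EOF'
[cratedb-stable]
name=CrateDB RPM package repository - $basearch - Stable
baseurl=https://cdn.crate.io/downloads/yum/7/$basearch
enabled=0
gpgcheck=1
gpgkey=https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate
EOF
    cat > "$1/weak.repo" <<'EOF'
[cratedb-stable]
baseurl=https://cdn.crate.io/downloads/yum/7/$basearch
enabled=1
gpgcheck=0
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
for f in hardened weak; do
    echo "== $f.repo"; audit_repo "$dir/$f.repo" cratedb-stable
done
rm -rf "$dir"
```

With `enabled=0` in place, installs and upgrades have to name the repository explicitly, for example with dnf's `--enablerepo=cratedb-stable`.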

@amotl (Member Author) commented Apr 15, 2024

Dear @WalBeh,

on my recent probings, I may have received this message:

/var/tmp/rpm-tmp.RXQENZ: line 4: sysctl: command not found

Warning: unable to set vm.max_map_count; is this an OpenVZ
instance? If so, it is highly recommended that you set
vm.max_map_count to 262144 on the host.

I did not pay too much attention to it, because, well, I was testing it on an OS container instance, where I accepted that sysctl may not be available. I probably need to validate this once more on a real VM.

However, I wanted to ask if that reflects "your issue"? In your comment, you did not exactly report the problem, only the solution you applied.

Is it related to sysctl settings in any way, because you have been defining them on behalf of the Ansible recipe then?

Cheers,
Andreas

Registering with the package repository using the
`crate-release-7.0-1.x86_64.rpm` packages and friends is being
deprecated.

It is advised to configure the RPM repository manually instead.
@amotl amotl merged commit c2d5383 into main Apr 16, 2024
3 checks passed
@amotl amotl deleted the amo/update-redhat branch April 16, 2024 11:06