Installation: Update section about installing RPM packages #69
autorefresh=1 | ||
type=rpm-md |
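Review bot: `autorefresh=1` and `type=rpm-md` are added here without any explanation in the guide, and the discussion on this hunk confirms their meaning was not researched. `autorefresh` is a zypper (libzypp) repository option and is not among the options documented in `dnf.conf`, so either state in the guide which package manager each key is meant for, or drop both from the yum/dnf snippet.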
Those two parameters were not part of the previous package repository configuration. They are now inherited from the advised package repository configuration, like ES is doing it.
We have not researched their meaning yet; please advise accordingly if you think they should be removed again.
In our tests, they didn't cause any harm, so we just followed ES here, and included them in the new configuration.
docs/install/redhat.rst
Outdated
# Import the public GPG key for verifying the package signatures. | ||
sudo rpm --import https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate |
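Review bot: the `sudo rpm --import https://cdn.crate.io/...` line gives the reader nothing to check the downloaded key against, so whatever the CDN serves at that URL becomes a trusted package signer. Publish the key's fingerprint in the guide next to this command so it can be compared before the key is accepted.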
Hopefully, this command will drop the key at `/etc/pki/rpm-gpg/RPM-GPG-KEY-crate`, to match the repository configuration below? Actually, I did not validate the changes yet. Maybe someone of you can spare a few minutes?
It was not stored under that location on Amazon Linux 2023, but everything still worked fine, with no warnings or errors. Potentially yum automatically knew where keys were stored and didn't attempt to check the manually specified path? Not sure, other repositories are using that path also:
```text
[root@ip-172-31-26-116 ec2-user]# cat /etc/yum.repos.d/amazonlinux.repo
[amazonlinux]
name=Amazon Linux 2023 repository
mirrorlist=https://al2023-repos-$awsregion-de612dc2.s3.dualstack.$awsregion.$awsdomain/core/mirrors/$releasever/$basearch/mirror.list
priority=10
enabled=1
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
[amazonlinux-source]
name=Amazon Linux 2023 repository - Source packages
mirrorlist=https://al2023-repos-$awsregion-de612dc2.s3.dualstack.$awsregion.$awsdomain/core/mirrors/$releasever/SRPMS/mirror.list
enabled=0
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
metadata_expire=6h
[amazonlinux-debuginfo]
name=Amazon Linux 2023 repository - Debug
mirrorlist=https://al2023-repos-$awsregion-de612dc2.s3.dualstack.$awsregion.$awsdomain/core/mirrors/$releasever/debuginfo/$basearch/mirror.list
enabled=0
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
metadata_expire=6h
[root@ip-172-31-26-116 ec2-user]# ls /etc/pki/rpm-gpg/
RPM-GPG-KEY-amazon-linux-2022 RPM-GPG-KEY-amazon-linux-2023
[root@ip-172-31-26-116 ec2-user]# rpm --import https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate
[root@ip-172-31-26-116 ec2-user]# ls /etc/pki/rpm-gpg/
RPM-GPG-KEY-amazon-linux-2022 RPM-GPG-KEY-amazon-linux-2023
```
From `man dnf.conf`:

> gpgkey list of strings
> URLs of a GPG key files that can be used for signing metadata and packages of this repository, empty by default. If a file can not be verified using the already imported keys, import of keys from this option is attempted and the keys are then used for verification.

So this setting is skipped due to the previous `rpm --import`.
It also supports a URL. So we can skip the manual `rpm --import` and just set `gpgkey=https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate`.
`dnf install crate` then looks like this:
```text
[root@ip-172-31-26-116 ec2-user]# dnf install crate
Last metadata expiration check: 0:00:14 ago on Thu Apr 11 07:52:24 2024.
Dependencies resolved.
=========================================================================================================================================================================================
Package Architecture Version Repository Size
=========================================================================================================================================================================================
Installing:
crate x86_64 5.6.4-1 cratedb-stable 117 M
Transaction Summary
=========================================================================================================================================================================================
Install 1 Package
Total download size: 117 M
Installed size: 225 M
Is this ok [y/N]: y
Downloading Packages:
crate-5.6.4-1.x86_64.rpm 79 MB/s | 117 MB 00:01
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 79 MB/s | 117 MB 00:01
CrateDB RPM package repository - x86_64 - Stable 66 kB/s | 3.1 kB 00:00
Importing GPG key 0x06F6EAEB:
Userid : "CRATE Jenkins <[email protected]>"
Fingerprint: 90C2 3FC6 585B C071 7F8F BFC3 7FAA E51A 06F6 EAEB
From : https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate
Is this ok [y/N]: y
Key imported successfully
[...]
```
The global `rpm --import` was useful previously, as the `crate-release` package also needed to be verified with this key, but that is obsolete now.
> The `gpgkey` setting also supports a URL. So we can skip the manual `rpm --import` and just set `gpgkey=https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate`.

That sounds sweet. If there are no other objections, I will change it like this.
Just to share my observations, probing the installation on CentOS 9 Stream, and AlmaLinux 9, using the snippet in this patch.

TL;DR: It apparently works well, even with the new GPG public key, which is about to be swapped in by @seut.

```shell
racker --verbose run -it --rm almalinux:9 /bin/bash
racker --verbose run -it --rm quay.io/centos/centos:stream9 /bin/bash
```

I missed checking on AlmaLinux, but on CentOS, the `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-crate` setting does not have any kind of relevance any longer. When using `rpm --import` to import a public GPG key, it will no longer be located in `/etc/pki/rpm-gpg` at all, apparently.

In this spirit, I've verified that, when using that approach, that `gpgkey=` line can be omitted from the `cratedb.repo` file altogether.
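
An added example, not part of this PR or the CrateDB docs: a small audit of the signature settings discussed in this thread (`gpgcheck`, a `gpgkey` URL, or no `gpgkey` at all after a manual `rpm --import`). `audit_repo` and `sample_repo` are hypothetical helper names; the stanzas are constructed, and `gpgcheck=1`, `enabled=0` and the `example-*` repositories are assumptions for illustration.

```shell
#!/bin/sh
# Added example: report the signature settings of each stanza in a yum/dnf .repo file.
# audit_repo and sample_repo are hypothetical helper names, not part of any tool.

audit_repo() {
  awk '
    function report(msg) { print sec ": " msg }
    function emit() {
      if (sec == "") return
      if (tolower(check) !~ /^(1|yes|true|on)$/) report("gpgcheck is not enabled in this stanza")
      else if (key == "") report("no gpgkey, verification relies on keys already imported")
      else if (key ~ /(^|[ ,])(http|ftp):/) report("gpgkey is fetched without TLS")
      else report("ok")
    }
    # A new [section] header closes the previous stanza.
    /^\[.*\]$/ { emit(); sec = substr($0, 2, length($0) - 2); check = ""; key = ""; next }
    {
      eq = index($0, "="); if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/[ \t]/, "", k); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
      if (k == "gpgcheck") check = v
      if (k == "gpgkey") key = v
    }
    END { emit() }
  ' "$1"
}

# Constructed sample input. Only the cratedb-stable name, baseurl and key URL come
# from the thread; every other value is an assumption made for this example.
sample_repo() {
  cat <<'EOF'
[cratedb-stable]
name=CrateDB RPM package repository - $basearch - Stable
baseurl=https://cdn.crate.io/downloads/yum/7/$basearch
enabled=0
gpgcheck=1
gpgkey=https://cdn.crate.io/downloads/yum/RPM-GPG-KEY-crate
[example-no-key]
baseurl=https://repo.example.invalid/el/9
gpgcheck=1
[example-http-key]
baseurl=https://repo.example.invalid/el/9
gpgcheck=1
gpgkey=http://repo.example.invalid/KEY
[example-unsigned]
baseurl=https://repo.example.invalid/el/9
gpgcheck=0
EOF
}

repo=$(mktemp) && sample_repo > "$repo" && audit_repo "$repo"
rm -f "$repo"
```

A stanza without `gpgcheck` inherits the value from `[main]` in the dnf/yum configuration, so the first finding means "not set here", not necessarily "disabled".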
The patch has been amended to do it like advised. It seems to work well, thanks. Please have a look at the amended installation guidelines. If you may want to exercise it once more, we can be sure it contains no flaws. 🙏
docs/install/redhat.rst
Outdated
[cratedb-stable] | ||
name=CrateDB RPM package repository - $basearch - Stable | ||
baseurl=https://cdn.crate.io/downloads/yum/7/$basearch | ||
enabled=1 |
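Review bot: `baseurl` hard-codes the path segment `7` while `$basearch` is left as a variable, and the guide gives no reason for the difference. Add a sentence saying whether the `7` path is intentional for every supported release, otherwise readers on newer releases may replace it with `$releasever` and point the repository at a path this hunk gives no evidence exists.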
Do we want to enable it by default? ES doesn't for a reason, see the note at https://www.elastic.co/guide/en/elasticsearch/reference/current/rpm.html#rpm-repo.
That's the rationale provided by ES:

> The configured repository is disabled by default. This eliminates the possibility of accidentally upgrading `elasticsearch` when upgrading the rest of the system. Each install or upgrade command must explicitly enable the repository as indicated in the sample commands above.

For us, it would be a change I guess, because it also was `enabled=1` before. I will be happy to follow ES's suggestions however, like you are proposing.
I've also followed this advice, and amended the patch accordingly. Thanks. Please check wording and coherence.
Dear @WalBeh, on my recent probings, I may have received this message:
I did not pay too much attention to it, because, well, I was testing it on an OS container instance, where I accepted that However, I wanted to ask if that reflects "your issue"? In your comment, you did not exactly report about the problem, only the solution you applied. Is it related to sysctl settings in any way, because you have been defining them on behalf of the Ansible recipe then? Cheers,
76928c0 to e36a139
Registering with the package repository using the `crate-release-7.0-1.x86_64.rpm` packages and friends is being deprecated. It is advised to configure the RPM repository manually instead.
e36a139 to 8a9ec08
About
Registering with the RPM package repository using the `crate-release-7.0-1.x86_64.rpm` packages and friends is being deprecated. It is advised to configure the RPM repository manually instead.
Preview
https://cratedb-guide--69.org.readthedocs.build/install/redhat.html
Caveat
I've only edited the documentation, without doing any kind of validation yet. Maybe you can spare a few minutes? Thanks for your support!
/cc @hlcianfagna, @WalBeh, @BaurzhanSakhariev, @matriv