During each Rawhide development cycle there is a point
at which packages start being signed with new keys, which
causes updates to fail.
To work around the problem, make sure fedora-gpg-keys is
updated before attempting to update all other packages;
updating fedora-gpg-keys itself requires gpg signature
checking to be disabled.
Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
---
I am actually not 100% sure we need to disable gpg
signature checking in order to update fedora-gpg-keys:
it would make sense for that one package to be signed
with the old key to make the update possible without
breaking trust at any point in time. Unfortunately I
updated my Rawhide guest without taking a snapshot
first, and I can't figure out a way to get it back to
a state suitable for checking whether the above makes
sense :( Perhaps someone with deeper understanding of
the Fedora release process will confirm or deny.
guests/lcitool | 24 +++++++++++++++++-------
guests/playbooks/update/tasks/base.yml | 9 +++++++++
2 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/guests/lcitool b/guests/lcitool
index 821cafc..ddeee6a 100755
--- a/guests/lcitool
+++ b/guests/lcitool
@@ -511,7 +511,8 @@ class Application:
facts = self._inventory.get_facts(host)
package_format = facts["package_format"]
os_name = facts["os_name"]
- os_full = os_name + str(facts["os_version"])
+ os_version = str(facts["os_version"])
+ os_full = os_name + os_version
if package_format not in ["deb", "rpm"]:
raise Error("Host {} doesn't support
Dockerfiles".format(host))
@@ -560,12 +561,21 @@ class Application:
apt-get autoclean -y
"""))
elif package_format == "rpm":
- sys.stdout.write(textwrap.dedent("""
- RUN yum update -y && \\
- yum install -y ${PACKAGES} && \\
- yum autoremove -y && \\
- yum clean all -y
- """))
+ if os_name == "Fedora" and os_version == "Rawhide":
+ sys.stdout.write(textwrap.dedent("""
+ RUN yum update -y --nogpgcheck fedora-gpg-keys && \\
+ yum update -y && \\
+ yum install -y ${PACKAGES} && \\
+ yum autoremove -y && \\
+ yum clean all -y
+ """))
+ else:
+ sys.stdout.write(textwrap.dedent("""
+ RUN yum update -y && \\
+ yum install -y ${PACKAGES} && \\
+ yum autoremove -y && \\
+ yum clean all -y
+ """))
def run(self):
cmdline = self._parser.parse_args()
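
Review bot: the `--nogpgcheck` on the first `yum update` line of the Rawhide branch installs the package that carries the trust anchors without verifying it, so the signature checks in the following `yum update -y` and `yum install -y ${PACKAGES}` steps rely on keys that were never authenticated. Before merging, confirm whether fedora-gpg-keys is in fact signed with the previous key, which the cover note leaves open; if it is, the flag can be dropped. If the flag has to stay, add a code comment saying why it is needed and that it is deliberately limited to this one package. Separately, the two branches repeat four identical lines of the RUN command; emitting the optional first line conditionally and writing the rest once would keep them from drifting apart.
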
diff --git a/guests/playbooks/update/tasks/base.yml
b/guests/playbooks/update/tasks/base.yml
index 11f600f..cc16eb0 100644
--- a/guests/playbooks/update/tasks/base.yml
+++ b/guests/playbooks/update/tasks/base.yml
@@ -64,6 +64,15 @@
- not ( os_name == 'Fedora' and
os_version == 'Rawhide' )
+- name: Update installed packages
+ package:
+ name: fedora-gpg-keys
+ state: latest
+ disable_gpg_check: yes
+ when:
+ - os_name == 'Fedora'
+ - os_version == 'Rawhide'
+
- name: Update installed packages
command: dnf update --refresh --exclude 'kernel*' -y
args:
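
Review bot: the new task reuses the name "Update installed packages", identical to the task that follows it, so the two cannot be told apart in the play output; rename it to something like "Update fedora-gpg-keys". The `disable_gpg_check: yes` setting also means the keys used to verify the subsequent `dnf update --refresh` are themselves installed unverified, so add a comment in the playbook explaining why the check is off for this one package, and drop the setting if the package turns out to be signed with the old key.
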
--
2.17.1