
I think something changed somewhere (not sure if it is at the clients' servers, because they are newer releases), but suddenly my tasks using the package module are failing because of the GPG signature check on Oracle Linux and RHEL servers.

I know it's an issue from Ansible because, with verbose output, I see the GPG check being forced from the Ansible play.

We use generic playbooks with the package module (which in turn calls zypper, yum, apt, etc., the distribution-specific package manager). I know that with the yum module we can use

    disable_gpg_check: yes

But if I use that option with the package module, it works when running on RHEL servers, but fails when running against Debian, SLES or anything else not using the yum module, because only the yum module has that option and the other package modules do not.

I would love to find a solution in order to avoid the GPG check with yum and still use the generic package module.

The manual command yum install on the server works flawlessly. Also, when I run ansible with verbose (-vvv…) I see the gpgcheck yes being pushed.

2 Answers


  1. Chosen as BEST ANSWER

    The real solution was adding module defaults for package at playbook time, with default(omit), in order to avoid failures when the package module called zypper or apt.

    We did that in our "masterplaybooks" that load all the roles:

      vars:
        value_for_gpg: "yes"
      module_defaults:    
        package:
          disable_gpg_check: "{{ value_for_gpg | default(omit) }}"
    

    Modifying every package task as stated by Zeitounator is not a feasible option, since we have more than 100 tasks using the package module in our repositories, but it may be an option for others.

    What I think is that it would be nice if Ansible allowed direct modification of module defaults directly from group_vars or host_vars.


  2. The real solution to your problem is reactivating GPG checks on the given targets and fixing the configuration so it succeeds, because it should not be disabled.

    That being said, a possible workaround here:

    • Create a group in your inventory (either static or dynamic based on the os name for example) containing all the relevant targets where you want to disable gpg check for yum through the package module. I’ll call this group bad_hosts below
    • Add a variable for that group only, for example in group_vars/bad_hosts.yml
      disable_yum_gpg_check: true
      
    • Modify your task (I took for granted your word saying you can use the option in the package task):
      - name: install package
        package:
          name: some_software
          state: present
          disable_gpg_check: "{{ disable_yum_gpg_check | d(omit) }}"
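
Both answers turn the check off; the second answer's first point (keep GPG checks on and fix the configuration) can look like the following. This is an added example, not code from either answer: it assumes the failure comes from a repository signing key that is not yet trusted on the rpm-based hosts, and the key URL, the fingerprint and the `gpg_exception_hosts` list are placeholders or hypothetical names.

```yaml
# Added example. Placeholders: repo_gpg_key, repo_gpg_fingerprint.
# Hypothetical variable: gpg_exception_hosts (hosts with a documented exception).
- name: Install packages with signature checks left on
  hosts: all
  become: true
  vars:
    repo_gpg_key: "https://repo.example.invalid/RPM-GPG-KEY-example"   # placeholder URL
    repo_gpg_fingerprint: "REPLACE-WITH-VENDOR-PUBLISHED-FINGERPRINT"  # placeholder value
    gpg_exception_hosts: []   # keep empty unless an exception is approved
  tasks:
    # Corrected setting: trust the signing key so the normal gpgcheck passes.
    # rpm_key refuses the key if its fingerprint does not match the pinned one.
    - name: Import the repository signing key on RedHat-family hosts
      ansible.builtin.rpm_key:
        key: "{{ repo_gpg_key }}"
        fingerprint: "{{ repo_gpg_fingerprint }}"
        state: present
      when: ansible_facts['os_family'] == 'RedHat'

    # Weak setting, scoped as tightly as possible: the option is only sent
    # when the host uses yum/dnf AND is on the exception list. Everywhere
    # else it is omitted, so apt and zypper never receive an unknown option
    # and signature verification stays on.
    - name: Install package
      ansible.builtin.package:
        name: some_software
        state: present
        disable_gpg_check: >-
          {{ true
             if (ansible_facts['pkg_mgr'] in ['yum', 'dnf']
                 and inventory_hostname in gpg_exception_hosts)
             else omit }}

    # Audit step: list every host that skipped signature verification.
    - name: Report hosts running with the GPG check disabled
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }} installed packages without GPG verification"
      when:
        - ansible_facts['pkg_mgr'] in ['yum', 'dnf']
        - inventory_hostname in gpg_exception_hosts
```

With `gpg_exception_hosts` left empty, no host receives `disable_gpg_check`, and the play relies entirely on the imported key.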
      