Puppet upgrade breaks APT #755

Open
TobiPeterG opened this issue Jan 29, 2025 · 0 comments
Labels
bug Something isn't working


TobiPeterG commented Jan 29, 2025

Describe the Bug

So far, we ran puppet 7 on our machines. Since it's going EOL soon, we are in the process of migrating to puppet8.
We use this module to automatically update the agents to puppet 8. While this works, we get this error:

Error: /Stage[main]/Apt::Update/Exec[apt_update]: Failed to call refresh: '/usr/bin/apt-get update' returned 100 instead of one of [0]
Error: /Stage[main]/Apt::Update/Exec[apt_update]: '/usr/bin/apt-get update' returned 100 instead of one of [0]

And sometimes:

Error: Could not prefetch package provider 'apt': Execution of '/usr/bin/apt-mark showmanual' returned 100: E: Conflicting values set for option Signed-By regarding source https://apt.puppet.com/ focal: /etc/apt/keyrings/GPG-KEY-puppet-20250406.asc != 
E: Conflicting values set for option Signed-By regarding source https://apt.puppet.com/ focal: /etc/apt/keyrings/GPG-KEY-puppet-20250406.asc != 
E: The list of sources could not be read.

When running APT, we see this:

apt update
E: Conflicting values set for option Signed-By regarding source https://apt.puppet.com/ focal: /etc/apt/keyrings/GPG-KEY-puppet-20250406.asc != 
E: Conflicting values set for option Signed-By regarding source https://apt.puppet.com/ focal: /etc/apt/keyrings/GPG-KEY-puppet-20250406.asc != 
E: The list of sources could not be read.
E: Conflicting values set for option Signed-By regarding source https://apt.puppet.com/ focal: /etc/apt/keyrings/GPG-KEY-puppet-20250406.asc != 
E: Conflicting values set for option Signed-By regarding source https://apt.puppet.com/ focal: /etc/apt/keyrings/GPG-KEY-puppet-20250406.asc != 
E: The list of sources could not be read.
root@playground1:/tmp# apt update
E: Conflicting values set for option Signed-By regarding source https://apt.puppet.com/ focal: /etc/apt/keyrings/GPG-KEY-puppet-20250406.asc != 
E: Conflicting values set for option Signed-By regarding source https://apt.puppet.com/ focal: /etc/apt/keyrings/GPG-KEY-puppet-20250406.asc != 
E: The list of sources could not be read.
root@playground1:/tmp# apt install hiera-eyaml
E: Conflicting values set for option Signed-By regarding source https://apt.puppet.com/ focal: /etc/apt/keyrings/GPG-KEY-puppet-20250406.asc != 
E: Conflicting values set for option Signed-By regarding source https://apt.puppet.com/ focal: /etc/apt/keyrings/GPG-KEY-puppet-20250406.asc != 
E: The list of sources could not be read.
E: Conflicting values set for option Signed-By regarding source https://apt.puppet.com/ focal: /etc/apt/keyrings/GPG-KEY-puppet-20250406.asc != 
E: Conflicting values set for option Signed-By regarding source https://apt.puppet.com/ focal: /etc/apt/keyrings/GPG-KEY-puppet-20250406.asc != 
E: The list of sources could not be read.

We had a look at the lists in /etc/apt/sources.list.d/ and found a puppet7-release.list and the pc_repo.list. On systems where we manually upgraded puppet to version 8, we also had puppet8-release.list. The release lists come from the release packages we use to initially install puppet on our machines (as recommended in the official documentation: https://www.puppet.com/docs/puppet/8/install_puppet.html). The release lists, however, do not contain a link to the asc file to sign it; the new pc_repo list does. Removing the release lists "solves" the issue, but is not elegant. We have them on every machine and they are created using the official way to install puppet.

Our config looks like this:

class {'puppet_agent':
  package_version => 'latest',
  collection      => 'puppet8',
  service_names   => [],
  config          => [{section => main, setting => runinterval, value => '5m'}],
  before          => Service['puppet'],
}

service { 'puppet':
  ensure => running,
  enable => true,
}

The puppet8-release.list looks like this:

# Puppet 8 focal Repository
deb http://apt.puppet.com focal puppet8

pc_repo.list:
cat /etc/apt/sources.list.d/pc_repo.list

# This file is managed by Puppet. DO NOT EDIT.
# pc_repo
deb [signed-by=/etc/apt/keyrings/GPG-KEY-puppet-20250406.asc] https://apt.puppet.com focal puppet8

Curiously, on systems running puppet7, the pc_repo.list looks like this:

# This file is managed by Puppet. DO NOT EDIT.
# pc_repo
deb https://apt.puppet.com focal puppet7

and does not include the signing key.

Am I missing something?
Should we install puppet differently in the future?
Shouldn't the puppet release deb create the file with link to the signing key?

Expected Behavior

The puppet upgrade should not break APT.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Install puppet initially using the release package from their website https://apt.puppetlabs.com/
  2. Run puppet with this module with the config shown above (setting puppet8)
  3. Try to use APT

Environment

  • Version 4.22.0
  • Platform Ubuntu 20.04

Additional Context


@TobiPeterG TobiPeterG added the bug Something isn't working label Jan 29, 2025
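
Added example, not part of the original issue or of the puppet_agent module: a Python check that reports one-line-style entries under /etc/apt/sources.list.d/ that describe the same source (URI and suite, the pair named in the error above) with different signed-by values, an entry without the option counting as empty. The file names and contents in SAMPLE are constructed, grouping by exact URI and suite is an assumption drawn from the error text, and deb822 .sources files are not parsed.

```python
import glob
import re
import sys
from collections import defaultdict

# One-line-style entry: deb [opt=val ...] uri suite [components...]
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")

def parse_entries(name, text):
    """Yield (uri, suite, signed_by, origin) for each active entry in a .list file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = ENTRY.match(line)
        if not m:
            continue
        _type, opts, uri, suite = m.groups()
        signed_by = ""  # empty string: the entry sets no signed-by option
        for opt in (opts or "").split():
            key, _, value = opt.partition("=")
            if key == "signed-by":
                signed_by = value
        # Normalise the trailing slash so "host" and "host/" compare equal.
        yield uri.rstrip("/") + "/", suite, signed_by, f"{name}:{lineno}"

def find_conflicts(files):
    """files maps file name to content. Return sources with more than one signed-by value."""
    seen = defaultdict(lambda: defaultdict(list))
    for name, text in files.items():
        for uri, suite, signed_by, origin in parse_entries(name, text):
            seen[(uri, suite)][signed_by].append(origin)
    return {src: dict(vals) for src, vals in seen.items() if len(vals) > 1}

# Constructed sample: one entry without signed-by, one with, for the same source.
SAMPLE = {
    "example-release.list": "# release package entry\n"
                            "deb https://apt.puppet.com focal puppet7\n",
    "pc_repo.list": "# This file is managed by Puppet. DO NOT EDIT.\n"
                    "deb [signed-by=/etc/apt/keyrings/GPG-KEY-puppet-20250406.asc]"
                    " https://apt.puppet.com focal puppet8\n",
    "other.list": "deb http://archive.example.invalid/ubuntu focal main\n",
}

if __name__ == "__main__":
    paths = sys.argv[1:] or glob.glob("/etc/apt/sources.list.d/*.list")
    files = {p: open(p, encoding="utf-8").read() for p in paths}
    for (uri, suite), values in find_conflicts(files or SAMPLE).items():
        print(f"{uri} {suite}: conflicting signed-by values")
        for value, origins in values.items():
            print(f"  {value or '(unset)'}: {', '.join(origins)}")
```

Run with no arguments it scans /etc/apt/sources.list.d/*.list and falls back to the constructed sample when no such files exist.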