I ran into a problem that I think is a bug, but I saw that I should bring it up as a question on the mailing list first. So, my question is, is it expected behavior for ansible.builtin.package, ansible.builtin.yum and ansible.builtin.dnf to ignore the localpkg_gpgcheck setting in /etc/dnf/dnf.conf?
On CentOS 7, the package module and the yum module both honor the localpkg_gpgcheck setting in /etc/yum.conf. If you set it to 0, you can install unsigned packages from a file using the package module (which doesn’t have a disable_gpg_check option).
On CentOS 8, these modules appear to ignore the localpkg_gpgcheck setting in /etc/dnf/dnf.conf (which is soft linked to /etc/yum.conf).
Attached is a minimal example of the behavior…
If I just dnf install the RPM, it works like a charm.
Okay, but the package module doesn’t have a disable_gpg_check setting. So, previously (CentOS 7), you could install an unsigned package from a file with the package module. Now, you can’t. You have to use either the dnf module or the yum module on CentOS 8/RHEL 8 to install an unsigned package from a file, so you can disable GPG verification.
Here’s my use case: There are several unsigned packages we need to install. Even in 2021, not every organization signs the packages they provide. We wrote a role a few years ago that downloads and installs an arbitrary list of packages. When we use this role, we have previously downloaded and inspected the packages to confirm they are genuine, and we’ve cached the SHA256 sums, which we can use to verify the integrity of the packages downloaded by the role. The list includes the URL and the SHA256 sum of each package like so:
The way the role was originally written (using the package module) was intended to work for RHEL/CentOS as well as other Linux distributions that are not yum/dnf-based.
Maybe the package module needs a disable_gpg_check that passes --nogpgcheck to yum/dnf and --allow-unauthenticated to apt-get? I’m less familiar with apt-based systems, but I think that does the same thing as nogpgcheck on yum.
package by design only supports very basic options that are available on all package managers. If you want to do non-generic things like disabling GPG checks you should use the underlying modules directly.
“Okay, but the package module doesn’t have a disable_gpg_check setting”
That is an incorrect assessment. The package module is simply a proxy to the underlying module. From the documentation:
“This module acts as a proxy to the underlying package manager module. While all arguments will be passed to the underlying module, not all modules support the same arguments. This documentation only covers the minimum intersection of module arguments that all packaging modules support.”
As such, you can pass any argument that the underlying module supports, but not all modules support the same arguments, so it will be up to you to pass the correct arguments based on the target.
Hello @Matt Martz,
I am really new to Ansible, and have been reading through emails on this Mail List for the last few months. Most of the time the stuff is way over my head; I got some low-level training recently so it has revitalized my interest and improved my ability to have a place to start from.
In response to j.darby, where you wrote:
“As such, you can pass any argument that the underlying module supports, but not all modules support the same arguments, so it will be up to you to pass the correct arguments based on the target…” can you provide an updated snippet based on j.darby’s attached sample, even if specific to a CentOS 8 use case?
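The pass-through behaviour described in the reply above, combined with the SHA256 verification from the original post, as an added example for dnf/yum targets. It is not part of the thread and not the poster's role; the variable name `unsigned_packages`, the cache directory, the URL and the checksum are placeholders.

```yaml
---
# Added example, not from the thread. The list entry, URL, checksum and
# cache directory are constructed placeholders.
- name: Install checksum-verified unsigned packages through the package proxy
  hosts: all
  become: true
  vars:
    pkg_cache_dir: /var/cache/local-pkgs      # hypothetical root-only directory
    unsigned_packages:                        # hypothetical variable name
      - url: "https://example.com/pkgs/example-tool-1.0-1.x86_64.rpm"
        sha256: "<SHA256 recorded when the package was inspected>"
  tasks:
    - name: Create a root-only download directory
      ansible.builtin.file:
        path: "{{ pkg_cache_dir }}"
        state: directory
        owner: root
        group: root
        mode: "0700"

    # With GPG checking disabled, the checksum is the only integrity control,
    # so the download must fail when the SHA256 sum does not match.
    - name: Download each package and verify its SHA256 sum
      ansible.builtin.get_url:
        url: "{{ item.url }}"
        dest: "{{ pkg_cache_dir }}/{{ item.url | basename }}"
        checksum: "sha256:{{ item.sha256 }}"
        mode: "0600"
      loop: "{{ unsigned_packages }}"

    # package forwards its arguments to the module selected by pkg_mgr, so
    # disable_gpg_check reaches ansible.builtin.dnf or ansible.builtin.yum.
    # The condition keeps the argument away from modules that do not accept it.
    - name: Install the verified files on dnf/yum targets
      ansible.builtin.package:
        name: "{{ pkg_cache_dir }}/{{ item.url | basename }}"
        state: present
        disable_gpg_check: true
      loop: "{{ unsigned_packages }}"
      when: ansible_facts['pkg_mgr'] in ['dnf', 'yum']
```

Targets with other package managers need their own task with the arguments their module accepts.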