Bug 1221834

Summary: can't enable packagehub or desktopapplications without having to go through a manual key accept
Product: [openSUSE] PUBLIC SUSE Linux Enterprise Base Container Images
Reporter: Dirk Mueller <dmueller>
Component: Channels/Repositories
Assignee: BCI Internal Team <bci-internal>
Status: NEW ---
QA Contact:
Severity: Normal
Priority: P5 - None
CC: alexandre.vicenzi
Version: latest
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Dirk Mueller 2024-03-21 18:16:51 UTC
In a registered (!) BCI container with this:

export ADDITIONAL_MODULES=PackageHub,sle-we,sle-module-desktop-applications,sle-module-development-tools,sle-module-legacy

Any installation of packages is failing because you first have to zypper ref with accept-gpg-keys to get the missing keys imported:

  Repository:       SLE-15-SP5-Desktop-NVIDIA-Driver
  Key Fingerprint:  9B76 3D49 D8A5 C892 FC17 8BAC F511 3243 C66B 6EAE
  Key Name:         NVIDIA Corporation <linux-bugs@nvidia.com>
  Key Algorithm:    DSA 1024
  Key Created:      Thu Jun 15 16:13:18 2006
  Key Expires:      (does not expire)
  Subkey:           F016EEAA03224CDD 2006-06-15 [does not expire]
  Rpm Name:         gpg-pubkey-c66b6eae-4491871e



    Note: Signing data enables the recipient to verify that no modifications occurred after the data
    were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
    and in extreme cases even to a system compromise.

    Note: A GPG pubkey is clearly identified by its fingerprint. Do not rely on the key's name. If
    you are not sure whether the presented key is authentic, ask the repository provider or check
    their web site. Many providers maintain a web page showing the fingerprints of the GPG keys they
    are using.


New repository or package signing key received:

  Repository:       SUSE-PackageHub-15-SP5-Backports-Pool for sle-15-x86_64
  Key Fingerprint:  F044 C2C5 07A1 262B 538A AADD 8A49 EB03 25DB 7AE0
  Key Name:         openSUSE:Backports OBS Project <openSUSE:Backports@build.opensuse.org>
  Key Algorithm:    RSA 4096
  Key Created:      Wed May 10 14:46:12 2023
  Key Expires:      Sun May  9 14:46:12 2027
  Rpm Name:         gpg-pubkey-25db7ae0-645bae34


I wonder if we should preload the PackageHub key, and filter out the NVIDIA repo as it shouldn't be useful inside a container?

Comment 1 Alexandre Vicenzi 2024-03-26 17:00:53 UTC
We can preload the PackageHub key, but PackageHub is an extra system extension that might not be enabled in the system.

What prevents us from loading all repo keys? I'm not sure if there's a rule for what should be or not loaded.

If you want to use CUDA inside a container you need nvidia-container-toolkit, plus drivers on the host. This toolkit package is available in SLE_BCI repo and drivers on the host are on the BaseSystem repo. CUDA-related packages are in NVIDIA-Compute repo.

I think we don't need Desktop-NVIDIA-Driver inside a container.
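
Added example, not part of the bug report or of SUSE's tooling: a shell function that reads key-prompt text in the format quoted in the description and accepts a key only if its fingerprint is on a pinned list, ignoring the key name as the zypper note advises. The names `PINNED_FPRS`, `sample_prompt` and `audit_keys` are hypothetical, the sample input is constructed from the prompts above, and the pinned fingerprint is assumed to have been confirmed with the repository provider.

```shell
#!/bin/sh
# Added example (not from the bug report): allowlist check for zypper key prompts.

# Fingerprint copied from the PackageHub prompt quoted in this report.
# Assumption: it has been confirmed with the repository provider.
PINNED_FPRS="F044C2C507A1262B538AAADD8A49EB0325DB7AE0"

# Constructed sample: the two prompts from the report, trimmed to three fields.
sample_prompt() {
cat <<'EOF'
  Repository:       SLE-15-SP5-Desktop-NVIDIA-Driver
  Key Fingerprint:  9B76 3D49 D8A5 C892 FC17 8BAC F511 3243 C66B 6EAE
  Key Name:         NVIDIA Corporation <linux-bugs@nvidia.com>
  Repository:       SUSE-PackageHub-15-SP5-Backports-Pool for sle-15-x86_64
  Key Fingerprint:  F044 C2C5 07A1 262B 538A AADD 8A49 EB03 25DB 7AE0
  Key Name:         openSUSE:Backports OBS Project <openSUSE:Backports@build.opensuse.org>
EOF
}

# audit_keys: read prompt text on stdin and print "<verdict> <fingerprint> <repo>"
# per key. The key name is ignored on purpose; only the fingerprint decides.
# Returns 1 if any key is not pinned, so a build step can stop before importing.
audit_keys() {
  awk -v pinned="$PINNED_FPRS" '
    BEGIN { n = split(pinned, p, " "); for (i = 1; i <= n; i++) ok[toupper(p[i])] = 1 }
    /^[ \t]*Repository:/ { sub(/^[ \t]*Repository:[ \t]*/, ""); repo = $0; next }
    /^[ \t]*Key Fingerprint:/ {
      sub(/^[ \t]*Key Fingerprint:[ \t]*/, ""); gsub(/[ \t]/, "")
      fpr = toupper($0)
      verdict = (fpr in ok) ? "PINNED" : "UNPINNED"
      if (verdict == "UNPINNED") bad = 1
      print verdict, fpr, repo
      repo = ""
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Stand-alone run over the constructed sample.
sample_prompt | audit_keys || echo "unpinned key offered; not importing" >&2
```

With only the PackageHub fingerprint pinned, the NVIDIA driver key is reported as UNPINNED and the function returns 1.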