
Bug 749366

Summary: app-emulation/lxc: cannot create a debian lxc container newer than "stretch"
Product: Gentoo Linux
Component: Current packages
Reporter: Chris Smith <chris>
Assignee: Joonas Niilola <juippis>
Status: RESOLVED WORKSFORME
Severity: normal
Priority: Normal
CC: virtualization
Version: unspecified
Hardware: All
OS: Linux

Description Chris Smith 2020-10-16 02:00:54 UTC
Attempting to create a new Debian lxc container using "buster" or "bullseye" results in an abort due to an incorrect or out-of-date keyring.

# lxc-create -n deb -t debian -- -r buster
debootstrap is /usr/sbin/debootstrap
Checking cache download in /var/lib/cache/lxc/debian/rootfs-buster-amd64 ... 
gpg: key 7638D0442B90D010: 4 signatures not checked due to missing keys
gpg: key 7638D0442B90D010: "Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
Downloading debian minimal ...
I: Retrieving InRelease 
I: Checking Release signature
E: Release signed by unknown key (key id DCC9EFBF77E11517)
   The specified keyring /var/lib/cache/lxc/debian/archive-key.gpg may be incorrect or out of date.
   You can find the latest Debian release key at https://ftp-master.debian.org/keys.html
Failed to download the rootfs, aborting.

# lxc-create -n deb -t debian -- -r bullseye
debootstrap is /usr/sbin/debootstrap
Checking cache download in /var/lib/cache/lxc/debian/rootfs-bullseye-amd64 ... 
gpg: key 7638D0442B90D010: 4 signatures not checked due to missing keys
gpg: key 7638D0442B90D010: "Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
Downloading debian minimal ...
I: Retrieving InRelease 
I: Checking Release signature
E: Release signed by unknown key (key id 648ACFD622F3D138)
   The specified keyring /var/lib/cache/lxc/debian/archive-key.gpg may be incorrect or out of date.
   You can find the latest Debian release key at https://ftp-master.debian.org/keys.html
Failed to download the rootfs, aborting.

Older releases seem to work:
lxc-create -n deb -t debian -- -r stretch
debootstrap is /usr/sbin/debootstrap
Checking cache download in /var/lib/cache/lxc/debian/rootfs-stretch-amd64 ... 
gpg: key 7638D0442B90D010: 4 signatures not checked due to missing keys
gpg: key 7638D0442B90D010: "Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
Downloading debian minimal ...
I: Retrieving InRelease 
I: Retrieving Release 
I: Retrieving Release.gpg 
I: Checking Release signature
I: Valid Release signature (key id 126C0D24BD8A2942CC7DF8AC7638D0442B90D010)
I: Retrieving Packages 
I: Validating Packages

Comment 1 Chris Smith 2020-10-16 02:02:15 UTC
using app-emulation/lxc-4.0.4 and app-emulation/lxc-templates-3.0.4

Comment 2 Joonas Niilola gentoo-dev 2020-10-16 05:12:37 UTC
This may be related to the SKS server hack...

A few things to try:
You can try to import the new PGP keys they use to sign those releases. For buster, they seem to be available here:
https://lists.debian.org/debian-devel-announce/2019/04/msg00008.html

cd /tmp
wget https://ftp-master.debian.org/keys/archive-key-10.asc https://ftp-master.debian.org/keys/archive-key-10-security.asc
gpg --import archive-key-10.asc
gpg --import archive-key-10-security.asc
lxc-create -n deb -t debian -- -r buster

Also "lxc-create -n deb -t download -- -r buster" may work better for you too. 

(I'm currently not around my lxc machine)

Comment 3 Chris Smith 2020-10-16 15:28:12 UTC
(In reply to Joonas Niilola from comment #2)
> 
> Also "lxc-create -n deb -t download -- -r buster" may work better for you
> too. 
> 

Yes, that works. Thanks!
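
A diagnostic for the failure in this thread, added here as an example and not part of the bug report or of lxc-templates: it pulls the key id out of debootstrap's signature line and checks it against a colon-format keyring listing. The function names and the sample keyring listing are constructed; the log lines are the reporter's.

```shell
#!/bin/sh
# Added example: decide whether the key that signed a Release file is in a keyring.

# Log excerpts copied from the report above.
BUSTER_LOG='I: Checking Release signature
E: Release signed by unknown key (key id DCC9EFBF77E11517)'
STRETCH_LOG='I: Checking Release signature
I: Valid Release signature (key id 126C0D24BD8A2942CC7DF8AC7638D0442B90D010)'

# Constructed, trimmed stand-in for the output of:
#   gpg --no-default-keyring --keyring /var/lib/cache/lxc/debian/archive-key.gpg --with-colons --list-keys
KEYRING_LISTING='pub:-:4096:1:7638D0442B90D010:::::::scSC:
fpr:::::::::126C0D24BD8A2942CC7DF8AC7638D0442B90D010:
uid:-::::::::Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>:'

# Print the key id (or full fingerprint) debootstrap named in its signature line.
release_key_id() {
    printf '%s\n' "$1" | sed -n 's/.*(key id \([0-9A-Fa-f]*\)).*/\1/p' | head -n 1
}

# Succeed if the keyring listing ($2) has a pub/sub key matching id ($1).
# A long key id is the last 16 hex digits of a v4 fingerprint, so both forms
# are reduced to that suffix before comparing.
keyring_has_key() {
    want=$(printf '%s\n' "$1" | tr 'a-f' 'A-F' | sed 's/.*\(.\{16\}\)$/\1/')
    printf '%s\n' "$2" | awk -F: -v want="$want" '
        ($1 == "pub" || $1 == "sub") && toupper($5) == want { found = 1 }
        END { exit !found }'
}

# Print "present <id>" or "missing <id>" for one debootstrap log.
diagnose() {
    id=$(release_key_id "$1")
    if [ -z "$id" ]; then
        echo "no-signature-line"
    elif keyring_has_key "$id" "$2"; then
        echo "present $id"
    else
        echo "missing $id"
    fi
}

diagnose "$BUSTER_LOG" "$KEYRING_LISTING"
diagnose "$STRETCH_LOG" "$KEYRING_LISTING"
```

With the keyring from the report holding only the jessie key, the buster signer is reported missing while the stretch fingerprint matches on its last 16 hex digits.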