[libvirt] Broken OpenVZ RPM deps on CentOS 7 (Re: [jenkins-ci PATCH v2 1/3] guests: add openvz repository on) CentOS 7

Daniel P. Berrangé berrange at redhat.com
Mon Dec 9 10:40:04 UTC 2019 

CC'ing Nikolay on this to raise the issue of broken deps in the OpenVZ
repo for CentOS 7 & incorrectly documented GPG keys ...

On Fri, Dec 06, 2019 at 06:53:38PM +0000, Daniel P. Berrangé wrote:
> The OpenVZ site provides a yum repo built against RHEL-7 that includes
> the prlsdk-devel RPM needed for the VZ driver. This repo has quite alot
> of packages that replace stuff from standard RHEL repos, so the yum
> config file is set to whitelist only the minimal RPMs we need to do
> builds. Fortunately they have no deps which would cause replacement of
> standard RHEL RPMs.
> 
> Note this does not use the latest OpenVZ repo link, since that currently
> has broken dependencies present

Originally I was using this URL for yum:

   https://download.openvz.org/virtuozzo/releases/7.0/x86_64/os/

Which results in this broken dep at install time:

> Error: Package: libprlcommon-7.0.183-1.vz7.x86_64 (vz)
>            Requires: libjson-c.so.2(libjson-c.so.2)(64bit)
> 
> The Requires line ought to be
> 
>    libjson-c.so.2()(64bit)

This appears to be a recent problem from the Dec 4th release of
openvz-7.0.12-283 - the previous openvz-7.0.11-235 has correctly
resolving deps.


The other issue that I forgot to mention is that the GPG keys used for
signing the RPMs on download.openvz.org are incorrectly / misleadingly
documented.

In the README at:

  https://download.openvz.org/

it documents & links to https://download.openvz.org/RPM-GPG-Key-OpenVZ
saying this is used to sign RPMs on download.openvz.org

This doc is repeated at https://wiki.openvz.org/Package_signatures

That key has key ID a7a1d4b6 as identified as
"OpenVZ Project <security at openvz.org>"

This documentation is all wrong though, as this key is not used
to sign the RPMs for CentOS7 at least

The RPMs in

   https://download.openvz.org/virtuozzo/releases/7.0/x86_64/os/

at signed by key with ID 44cdad2a. It took me a long time to find
this key, but eventually I discovered a link to it from

   https://docs.virtuozzo.com/keys/

Section 2, 2. Virtuozzo 7, Virtuozzo Automator 7, and Virtuozzo
PowerPanel Signing Key

  https://docs.virtuozzo.com/keys/VIRTUOZZO_GPG_KEY

which identifies itself as "Virtuozzo Team (GPG key signature 
for packages) <security at virtuozzo.com>"


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

More information about the libvir-list mailing list