
How does `apt::key` prevent duplicate keys?

asked 2016-09-06 11:40:39 -0500

Arney

updated 2016-09-06 18:39:19 -0500

The puppetlabs-apt manual states that the define `apt::key` makes use of the native type `apt_key`, but adds functionality to prevent duplicate keys.

After reading the source of key.pp the only scenario to trigger these mechanisms is

```puppet
apt::key { 'F9EA4996747310AE79474F44977C43A8BA684223':
  ensure      => 'absent',
}

apt::key { 'duplicate':
  ensure  => 'present',
  id      => 'F9EA4996747310AE79474F44977C43A8BA684223',
}
```

But if one would instead use the manifest

```puppet
apt_key { 'F9EA4996747310AE79474F44977C43A8BA684223':
  ensure      => 'absent',
}

apt_key { 'duplicate':
  ensure  => 'present',
  id      => 'F9EA4996747310AE79474F44977C43A8BA684223',
}
```

this would also result in catalog compilation failure

```
Error: Evaluation Error: Error while evaluating a Resource Statement, Cannot alias Apt_key[duplicate] to ["F9EA4996747310AE79474F44977C43A8BA684223"] at [...].pp:5; resource ["Apt_key", "F9EA4996747310AE79474F44977C43A8BA684223"] already declared at [...].pp:1 at /[...].pp:5:1 on node [...]
```

So what is (or was) the use of the define apt::key?

Update 1: Even on Puppet 2.7/Ruby 1.8.7, a duplicate declaration of apt_key is not possible:

```
Duplicate declaration: Apt_key[F9EA4996747310AE79474F44977C43A8BA684223] is already declared in file [...].pp at line 8; cannot redeclare
```

Update 2: The spec for apt::key describes the mechanism in question, but does not describe any additional features beyond the aforementioned.

Update 3: Even worse: apt::key does not live up to its own promise:

```puppet
apt::key { 'F9EA4996747310AE79474F44977C43A8BA684223':
  ensure      => 'absent',
}

apt::key { 'duplicate':
  ensure  => 'absent',
  id      => 'BA684223',
}
```

passes even though the short id and the full fingerprint refer to the same key:

```
$ puppet apply --noop test.pp
Warning: /Apt_key[duplicate]: The id should be a full fingerprint (40 characters), see README.
Notice: /Stage[main]/Main/Apt::Key[F9EA4996747310AE79474F44977C43A8BA684223]/Apt_key[F9EA4996747310AE79474F44977C43A8BA684223]/ensure: current_value present, should be absent (noop)
Notice: Apt::Key[F9EA4996747310AE79474F44977C43A8BA684223]: Would have triggered 'refresh' from 1 events
Notice: /Stage[main]/Main/Apt::Key[duplicate]/Apt_key[duplicate]/ensure: current_value present, should be absent (noop)
Notice: Apt::Key[duplicate]: Would have triggered 'refresh' from 1 events
Notice: Class[Main]: Would have triggered 'refresh' from 2 events
Notice: Stage[main]: Would have triggered 'refresh' from 1 events
Notice: Applied catalog in 0.28 seconds
```
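The overlap shown in Update 3, where a short id and a full fingerprint name the same key under different resource titles, can be checked for outside of Puppet. The Ruby code below is an added example, not part of the original post or of puppetlabs-apt; the names `normalize_key_id` and `overlapping_key_ids` are hypothetical, and it assumes OpenPGP v4 keys, whose 8- and 16-digit key ids are the trailing digits of the 40-digit fingerprint.

```ruby
# Added example: find declared apt key ids that can refer to the same key.
# Assumption: OpenPGP v4 keys, where the 16- and 8-hex-digit key ids are the
# trailing 64 and 32 bits of the 40-hex-digit fingerprint.

VALID_LENGTHS = [8, 16, 40].freeze

# Normalise an id as people write it: optional 0x prefix, any letter case.
def normalize_key_id(id)
  hex = id.to_s.strip.sub(/\A0x/i, '').upcase
  unless hex.match?(/\A\h+\z/) && VALID_LENGTHS.include?(hex.length)
    raise ArgumentError, "not a key id or fingerprint: #{id.inspect}"
  end
  hex
end

# declarations: { resource title => id }.
# Returns [[title_a, title_b, reason], ...] for every overlapping pair.
def overlapping_key_ids(declarations)
  normalized = declarations.map { |title, id| [title, normalize_key_id(id)] }
  normalized.combination(2).filter_map do |(title_a, a), (title_b, b)|
    short, long = [a, b].sort_by(&:length)
    next unless long.end_with?(short)

    # Two full fingerprints are a certain match; anything shorter is only
    # a suffix match, which is why the warning asks for 40 characters.
    reason = short.length == 40 ? :same_fingerprint : :short_id_matches
    [title_a, title_b, reason]
  end
end

# Constructed sample mirroring the manifest from Update 3.
SAMPLE = {
  'F9EA4996747310AE79474F44977C43A8BA684223' =>
    'F9EA4996747310AE79474F44977C43A8BA684223',
  'duplicate' => 'BA684223',
  'unrelated' => '0x1234ABCD' # constructed id, matches nothing above
}.freeze

if __FILE__ == $PROGRAM_NAME
  overlapping_key_ids(SAMPLE).each do |a, b, reason|
    puts "#{a} and #{b}: #{reason}"
  end
end
```

A `:short_id_matches` result means the two declarations may target the same key, not that they certainly do, because short ids are not unique.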

1 answer


answered 2016-09-06 17:05:07 -0500

`apt::key` enhances `apt_key`. The basis type is defined in `lib/puppet/type`. The duplicate prevention went into `manifests/key.pp`. So only `apt::key` resources are resistant against multiple declarations, while `apt_key` itself is not. This behavior is intentional. And `apt_key` is not a core resource type.


As I already laid out in the original question, already `apt_key` itself cannot be multiply defined. If you disagree, please provide a full example.

Arney (2016-09-06 18:27:55 -0500)

Yes, this is correct: `apt_key` cannot be declared multiple times. The duplicate prevention is handled by `apt::key`. `manifests/key.pp` does not modify the `apt_key` source code whatsoever.

Kai Burghardt (2016-09-07 08:55:18 -0500)

Maybe you're mixing your OOP experience with Puppet: `apt::key` does not inherit from `apt_key`.

Kai Burghardt (2016-09-07 08:56:51 -0500)

@KaiBurghardt If `apt_key` cannot be declared more than one time in a catalog, why would you need duplicate prevention? I claim that `apt::key` is cargo cult.

Arney (2016-09-09 03:49:01 -0500)

Because multiple repositories (`apt::source` and/or `apt::ppa`) could make use of the same GPG-key.

Kai Burghardt (2016-09-09 04:29:44 -0500)
