Using pull-through cache for longer alpine package retention #1138

Open
kolloch opened this issue May 28, 2024 · 0 comments
kolloch commented May 28, 2024

Context:

  1. Alpine main/community: We are using alpine (not wolfi).
  2. Checked-in lockfiles: In our repository, we check in the lock files to get reproducible lock files.

Sample apko.yaml:

```yaml
contents:
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/v3.19/main
    - https://dl-cdn.alpinelinux.org/alpine/v3.19/community
  packages:
    - alpine-base
    - java-cacerts

archs:
  - amd64
  - arm64
```

This works well BUT in alpine old package files are apparently quickly deleted when not referenced by the index anymore. That makes our builds often fail even only a few hours/days after the last update.

To work around this, we tried to use a pull through cache:

https://jfrog.com/help/r/jfrog-artifactory-documentation/alpine-linux-repositories

In our first tries, we hard-coded our credentials into the repository URLs in the apko.yaml file.

We got this error:

```
Error: failed to get package list for image: error getting package dependencies: error getting repository indexes: no key found to verify signature for keyfile [email protected]; tried all other keys as well
2024/05/28 14:25:08 error during command execution: failed to get package list for image: error getting package dependencies: error getting repository indexes: no key found to verify signature for keyfile [email protected]; tried all other keys as well
```

I assume the logic that automagically loads the correct keys for the standard URLs doesn't trigger here?

Anyways, we can then add the keyring files individually:

```yaml
  keyring:
    - https://alpinelinux.org/keys/[email protected]
    - https://alpinelinux.org/keys/[email protected]
    - https://alpinelinux.org/keys/[email protected]
```
    - https://alpinelinux.org/keys/[email protected]

But it doesn't work for all keys?

```
Error: failed to get package list for image: error getting package dependencies: error getting repository indexes: no key found to verify signature for keyfile [email protected]; tried all other keys as well
2024/05/28 14:26:58 error during command execution: failed to get package list for image: error getting package dependencies: error getting repository indexes: no key found to verify signature for keyfile [email protected]; tried all other keys as well
```
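
Added example, not part of the original issue and not apko's own code: a signed `APKINDEX.tar.gz` names its signing key in a leading `.SIGN.<ALG>.<keyfile>` tar entry, so reading that entry for each architecture's index shows which key files a `keyring:` list has to provide. The sample indexes, key names and keyring URL below are constructed, and comparing by file name only is an assumption made for this diagnostic.

```python
import gzip, io, posixpath, re, tarfile
from urllib.parse import urlparse

# Signature entries look like ".SIGN.RSA.<keyfile>" (or another algorithm tag).
SIG_ENTRY = re.compile(r"^\.SIGN\.([A-Z0-9]+)\.(.+)$")

def _member(name, data):
    """One tar member without an end-of-archive marker (constructed test data)."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    return info.tobuf(format=tarfile.USTAR_FORMAT) + data + b"\0" * (-len(data) % 512)

def build_sample_index(key_name):
    """Constructed stand-in for APKINDEX.tar.gz: signature stream, then index stream."""
    sig = gzip.compress(_member(".SIGN.RSA." + key_name, b"\0" * 256))
    body = _member("DESCRIPTION", b"constructed\n") + _member("APKINDEX", b"P:alpine-base\n")
    return sig + gzip.compress(body + b"\0" * 1024)

def signing_keys(index_bytes):
    """Return the key file names carried by the .SIGN.* entries of an index."""
    keys = []
    # GzipFile reads the concatenated gzip streams as one continuous tar archive.
    with tarfile.open(fileobj=io.BytesIO(index_bytes), mode="r:gz") as tar:
        for member in tar:
            match = SIG_ENTRY.match(member.name)
            if match:
                keys.append(match.group(2))
    return keys

def unlisted_keys(indexes, keyring):
    """Map each index label to signing-key names that no keyring entry is named after."""
    have = {posixpath.basename(urlparse(entry).path) for entry in keyring}
    report = {}
    for label, data in indexes.items():
        missing = [k for k in signing_keys(data) if k not in have]
        if missing:
            report[label] = missing
    return report

if __name__ == "__main__":
    # In real use, read the bytes of <repository>/<arch>/APKINDEX.tar.gz as served
    # by the pull-through cache instead of these constructed samples.
    indexes = {
        "x86_64": build_sample_index("constructed-key-aaaa.rsa.pub"),
        "aarch64": build_sample_index("constructed-key-bbbb.rsa.pub"),
    }
    keyring = ["https://keys.example/constructed-key-aaaa.rsa.pub"]  # hypothetical URL
    for arch, missing in unlisted_keys(indexes, keyring).items():
        print(f"{arch}: index signed by key(s) not in keyring: {missing}")
```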