Apt MySQL Client fails to install due to incorrect GPG Key

[NadimYounes]

Apache Airflow version

2.0.2

What happened

When attempting to rebuild an apache airflow image, we are getting failures during our builds when trying to run apt-get update.

The error we see:

#5 3.879 W: GPG error: http://repo.mysql.com/apt/debian buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467B942D3A79BD29
#5 3.879 E: The repository 'http://repo.mysql.com/apt/debian buster InRelease' is not signed.

What you expected to happen

This behaviour shouldn't occur but it looks like some changes were published to the mysql apt repository this morning which is when we started experiencing issues.

I think we just need to update the airflow script which installs mysql and has a key already hardcoded here.

How to reproduce

Create a Dockerfile. Add the following lines to the Dockerfile:

FROM apache/airflow:2.0.2-python3.7 as airflow_main
USER root
RUN apt-get update

In a shell
run command -> docker build .

Operating System

Debian 10

Versions of Apache Airflow Providers

No response

Deployment

Docker-Compose

Deployment details

No response

Anything else

We were able to fix this by running the following command before the apt-get update

FROM apache/airflow:2.0.2-python3.7 as airflow_main
USER root
RUN sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 467B942D3A79BD29
RUN apt-get update

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[potiuk]

Yep. OUR CI builds started to fail this morning too. Switching to the new mysql public key now.

[NadimYounes]

@potiuk Will this fix be applied to all Airflow 2* or will it only go into the latest?

[potiuk]

I am just refreshing all the images down to 2.1.0. We have a "reproducible" Docker prod imge preparation system that allows us to do this.

[potiuk]

Most of the images 2.1.1+ are refreshed now (I will refresh even older images - down to 2.0.0). Can you please @NadimYounes verify that your image works after refresh (I see that you use 2.0.2 They should refresh in ~ 2 hours or so).

[NadimYounes]

@potiuk Sure. I will check in a couple hours and let you know. Thanks

[NadimYounes]

@potiuk confirming that this now works on 2.0.2.

[potiuk]

Thanks @NadimYounes ~ I will run some extra checks to see if the images are all good.

[a-nasstrom]

@potiuk Hello, 2.1.3 doesn't work

[potiuk]

Did you pull it @a-lukashenka? You need to make sure you run docker build --pull or pull the image before if you want to make sure the new version is used if the image has been pulled before.

[potiuk]

This docker file:

[jarek@Hyperion:~/test] 8s % cat Dockerfile-mysql 
FROM apache/airflow:2.1.3
USER root

Works nicely for mie:

[jarek@Hyperion:~/test] 30s % docker build --pull -f Dockerfile-mysql .
Sending build context to Docker daemon  3.705MB
Step 1/3 : FROM apache/airflow:2.1.3
 ---> 98186fae5632
Step 2/3 : USER root
 ---> Running in b48fefdd97f9
Removing intermediate container b48fefdd97f9
 ---> 54eb63a8c726
Step 3/3 : RUN apt-get update
 ---> Running in 4e0d3a627c2a
Get:1 http://repo.mysql.com/apt/debian buster InRelease [22.1 kB]
Get:2 http://deb.debian.org/debian buster InRelease [122 kB]
Get:3 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:4 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:5 https://packages.microsoft.com/debian/10/prod buster InRelease [29.8 kB]
Get:6 http://repo.mysql.com/apt/debian buster/mysql-8.0 amd64 Packages [8421 B]
Get:7 http://security.debian.org/debian-security buster/updates/main amd64 Packages [311 kB]
Get:8 http://deb.debian.org/debian buster/main amd64 Packages [7906 kB]
Get:9 https://packages.microsoft.com/debian/10/prod buster/main all Packages [3847 B]
Get:10 https://packages.microsoft.com/debian/10/prod buster/main amd64 Packages [140 kB]
Get:11 http://deb.debian.org/debian buster-updates/main amd64 Packages [15.5 kB]
Fetched 8676 kB in 3s (2986 kB/s)
Reading package lists...
Removing intermediate container 4e0d3a627c2a
 ---> 612e6219d915
Successfully built 612e6219d915

[timcroydon]

For info, I've just run into this same issue using 1.10.14 (which we're stuck on for uninteresting reasons!)

Manually applying the fix mentioned in the PR here fixes the issue.

[potiuk]

Yep. it wil be in all versions. But we corrected it only in Airflow 2 as 1.10 is end-of-life as of June 2021 and you are on your own to apply corrections (that's the consequence of being end-of-life).

[shaharke-af]

hello
this is hitting us with 2.1.4
is there a workaround ?

[potiuk]

hello this is hitting us with 2.1.4 is there a workaround ?

You need to pull new image - the images were refreshed including the new key.

[razi-ahmad]

I'm getting the same error with the following command
FROM mysql:5.7.34

RUN apt-get update -y
&& apt-get install -y git

[potiuk]

I think you need to direct it to MySQL team :). Likely they refreshed some of their images (maybe latest from each minor version) with the new key as well. But that's nothing we can help here.

[zt50tz]

In ubuntu you can run this command
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 467B942D3A79BD29

[hros]

Yep. OUR CI builds started to fail this morning too. Switching to the new mysql public key now.

I have the same error:

Err:8 http://repo.mysql.com/apt/ubuntu focal InRelease                         
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467B942D3A79BD29

How do you update the public key for the mysql repository?

[potiuk]

I propose you start answering the questions:

• Have you read the messages above?
• Have you puled the latest airflow image?
• if you use ubuntu/focal you are surely not using airflow image which use ubuntu?
• have you read the answers above and understood what they mean?

I suggest you start with those questions.

[hros]

I propose you start answering the questions:

• Have you read the messages above?
• Have you puled the latest airflow image?
• if you use ubuntu/focal you are surely not using airflow image which use ubuntu?
• have you read the answers above and understood what they mean?

I suggest you start with those questions.

thanks for your reply

• I have read the above messages
• I am not using the airflow image
• I am using Ubuntu 20.04, and followed the instructions in this link to add a mysql repository
• I have read the previous answers, which suggest to update the public key, bu could not find the proper way to do that in my situation

thanks

[potiuk]

If you have not seen how you solve your issue, looking at the changes above, I suggest you reach-out to mysql support. the changes implemented to fix it are straightforward to look at, but appently - since you cannot figure it out- you should reach out to mysql team that caused the problem, not airflow, who implemented the fix and hoped you can spend a few minutes of your time to apply the same fixes.

[potiuk]

Paid support from Oracle to MySQL changes is always an option

[potiuk]

https://github.com/apache/airflow/pull/20912/files - this is a fix for us. Somethng like that might work for you. If you can't get it work reach out to paid support of MySQL.

[janklan]

The actual fix for this, on the OS level, is sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 467B942D3A79BD29 (or whatever key ID are you missing)