Apt-get update fails inside container yarn repo not signed

I have a github action that builds images and it’s failing when it tries to do an apt-get update. I’m still looking at what’s up with that, but on an install I did 2 hours ago, I get this error if I do an apt-get update inside the container.

root@monstera-web-only:/# apt-get update
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 https://dl.yarnpkg.com/debian stable InRelease [17.1 kB]                                                                                           
Get:3 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]                  
Get:4 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]         
Get:5 http://deb.debian.org/debian bullseye-backports InRelease [49.0 kB]  
Get:6 http://apt.postgresql.org/pub/repos/apt bullseye-pgdg InRelease [91.7 kB]
Get:7 http://deb.debian.org/debian bullseye/main amd64 Packages [8,183 kB]     
Err:2 https://dl.yarnpkg.com/debian stable InRelease                                   
  The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>
Get:8 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [216 kB]             
Get:9 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [14.6 kB]                           
Get:10 http://deb.debian.org/debian bullseye-backports/main amd64 Packages [384 kB]
Get:11 https://deb.nodesource.com/node_18.x bullseye InRelease [4,586 B]   
Get:12 http://apt.postgresql.org/pub/repos/apt bullseye-pgdg/main amd64 Packages [268 kB]
Get:13 https://deb.nodesource.com/node_18.x bullseye/main amd64 Packages [774 B]
Reading package lists... Done                            
W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>
E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
1 Like

I don’t see any errors in our daily image building CI. Can you share the output of cat /VERSION from inside the container?

I swear this is a standard install. . .

# cat /VERSION 
2.0.20230116

I’m still looking at my CI to see if I have something stupid there (which is totally possible). I’m not clear what’s even doing an apt-get update.

EDIT: My CI has a template that installs vim. It does an apt-get update. Nothing in a normal install does an apt-get update that I can see, so that explains why your CI isn’t failing.

Many of the import templates and the postgres upgrade templates (listed below) do an apt-get update, so this will be an issue at some point.

root@monstera:/var/discourse# grep -lr 'apt-get update'
templates/postgres.9.5.template.yml
templates/postgres.13.template.yml
templates/postgres.template.yml
templates/import/mbox.template.yml
templates/import/mysql-dep.template.yml
templates/import/vanilla.template.yml
templates/import/chrome-dep.template.yml
templates/import/phpbb3.template.yml
templates/postgres.10.template.yml
templates/postgres.12.template.yml
image/base/slim.Dockerfile
1 Like

Yeah, that would be my next question as running an update like that isn’t default and will introduce variance that is hard to track down, because most sites use a static OS and rely on a new image to update OS level stuff.

If the yarn apt repo breaks I’d assume it will break our CI too.

I can check this next week. Maybe we need to release a new base image for it.

1 Like

Sounds good. Just to confirm, I need to build a new phpbb3 import container and can’t. Here’s how to fix it.

Here’s this:

But it recommends using curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add - but apt-key is deprecated.

If I do this in the container:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg -o /usr/share/keyrings/yarn-keyring.asc \
    && sed -i '1s;^deb;deb [signed-by=/usr/share/keyrings/yarn-keyring.asc];' /etc/apt/sources.list.d/yarn.list

Then I can do this:

root@monstera-web-only:/# apt-get update
Hit:1 https://deb.nodesource.com/node_18.x bullseye InRelease
Hit:2 http://deb.debian.org/debian bullseye InRelease                                             
Get:3 https://dl.yarnpkg.com/debian stable InRelease [17.1 kB]                                    
Get:4 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]                              
Hit:5 http://deb.debian.org/debian bullseye-updates InRelease                           
Hit:6 http://deb.debian.org/debian bullseye-backports InRelease
Get:7 https://dl.yarnpkg.com/debian stable/main all Packages [10.9 kB]
Get:8 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [216 kB] 
Hit:9 http://apt.postgresql.org/pub/repos/apt bullseye-pgdg InRelease    
Get:10 https://dl.yarnpkg.com/debian stable/main amd64 Packages [10.9 kB]
Fetched 286 kB in 0s (849 kB/s)     
Reading package lists... Done

Similarly, if I add

          - curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg -o /usr/share/keyrings/yarn-keyring.asc && sed -i '1s;^deb;deb [signed-by=/usr/share/keyrings/yarn-keyring.asc];' /etc/apt/sources.list.d/yarn.list

before the apt-get update in templates/import/phpbb3.template.yml I’m able to build a new container.

4 Likes
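The workaround above installs whatever key the download returns, and its sed would add a second option block if it ran twice on the same file. As an added example (not code from this thread or from Discourse; the function names are hypothetical and gpg is assumed to be available in the container), these helpers pull the failing key ID out of the apt-get update output, check that a downloaded key file carries that key unexpired, and pin signed-by so that a re-run is a no-op:

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Discourse.

# Read `apt-get update` output on stdin and print "STATUS KEYID REPO SUITE"
# for every repository whose signature check failed.
apt_sig_failures() {
  awk '/GPG error:/ {
         for (i = 1; i < NF; i++)
           if ($i ~ /^(EXPKEYSIG|KEYEXPIRED|NO_PUBKEY|BADSIG|REVKEYSIG)$/)
             print $i, $(i + 1), $4, $5
       }'
}

# Read `gpg --show-keys --with-colons KEYFILE` output on stdin. Succeed only
# if the file carries key ID $1 (primary key or subkey) and that key has no
# expiry or an expiry later than epoch $2. Field 5 is the key ID, field 7
# the expiry; IDs are compared as strings, expiry times as numbers.
key_usable() {
  awk -F: -v want="$1" -v now="$2" '
    ($1 == "pub" || $1 == "sub") && ($5 "") == (want "") {
      found = 1
      if ($7 == "" || ($7 + 0) > (now + 0)) ok = 1
    }
    END { exit !(found && ok) }'
}

# Add [signed-by=KEYRING] to every deb/deb-src line of LIST ($1) that has no
# option block yet; lines that already have one are left untouched.
pin_signed_by() {
  sed -i -E "/^deb(-src)?[[:space:]]+\[/! s;^(deb(-src)?)[[:space:]]+;\1 [signed-by=$2] ;" "$1"
}

# Usage inside the container, with the key ID taken from the apt error:
#   curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg -o /tmp/yarn.asc
#   gpg --show-keys --with-colons /tmp/yarn.asc \
#     | key_usable 23E7166788B63E1E "$(date +%s)" \
#     && install -m 0644 /tmp/yarn.asc /usr/share/keyrings/yarn-keyring.asc \
#     && pin_signed_by /etc/apt/sources.list.d/yarn.list \
#          /usr/share/keyrings/yarn-keyring.asc
```

The key check only confirms that the downloaded file matches the key ID apt reported; comparing the full fingerprint against one obtained through a separate channel is the stronger check.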

@Falco Sorry for my duplicate post!

@pfaffman Thanks very much! I confirm this workaround works with the mysql-dep.template.yml too.

2 Likes

I am getting what looks like similar errors on an update.

Err:7 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>
Get:13 http://apt.postgresql.org/pub/repos/apt bullseye-pgdg/main amd64 Packages [268 kB]
Reading package lists...
FAILED

--------------------

Pups::ExecError: cd /var/www/discourse && apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y libsqlite3-dev failed with return #<Process::Status: pid 532 exit 100>

Location of failure: /usr/local/lib/ruby/gems/3.1.0/gems/pups-1.1.1/lib/pups/exec_command.rb:117:in `spawn'

exec failed with the params {"cd"=>"$home", "cmd"=>["apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y libsqlite3-dev", "echo \"gem 'sqlite3'\" >> Gemfile", "su discourse -c 'bundle config unset deployment'", "su discourse -c 'bundle install --no-deployment --path vendor/bundle --jobs 4 --without test development'"]}

From discourse-doctor I get:

Checking your domain name . . .

Connection to xxx succeeded.

You should probably remove any non-standard plugins and rebuild.

Attempting to restart existing container. . .

x86_64 arch detected.

WARNING: containers/app.yml file is world-readable. You can secure this file by running: chmod o-rwx containers/app.yml

starting up existing container

+ /usr/bin/docker start app

Error response from daemon: driver failed programming external connectivity on endpoint app (c143632e34e1ae05e48759bdf163b4bbe5dc9aaf895f1fb7521f7e3784c26577): Error starting userland proxy: listen tcp 0.0.0.0:443: bind: address already in use

Error: failed to start containers: app

Failed to restart the container.

Anything I might be able to do other than a new install?

I’ve slipped this over to this topic @fidelio to keep the reports grouped together. :+1:

2 Likes

As I am an ‘ambitious amateur’, a quick question:
How do I execute the Curl command ‘inside the container’?

In a post above I include that the curl command can be included in the template that does the apt-get. Apt-get update fails inside container yarn repo not signed - #6 by rahim123

@fidelio Hi there, do you need to connect to another database like SQLite from within your Discourse instance, i.e. are you performing a data import from another forum? Otherwise you can disable that functionality and the normal Discourse app container will rebuild fine.

My guess is that he’s not upgraded to PG 13 and is using the pg12 template? That’s a problem that should be solved anyway. And it’s a good bet that the os needs to be upgraded and moving to a new vm is what to do.

1 Like

Hi @rahim123. No, I don’t need to do either of those at this stage. How do I disable the functionality?

@pfaffman Ah, it just seemed weird that his error log was complaining about trying to install libsqlite3-dev, or does Discourse normally use that for something?

@fidelio Could you paste here the templates: section of your /var/discourse/containers/app.yml file? Make sure not to include any passwords that are present farther down in the file. You can also run /var/discourse/discourse-doctor and it will help you generate a publicly shareable report of how your system is configured.

1 Like

@rahim123 Sure here is the discourse-doctor report:

Found containers/app.yml

==================== YML SETTINGS ====================
DISCOURSE_HOSTNAME=community.bfs-filmeditor.de
SMTP_ADDRESS=in-v3.mailjet.com
DEVELOPER_EMAILS=xxx
SMTP_PASSWORD=xxx
SMTP_PORT=25
SMTP_USER_NAME=xxx
LETSENCRYPT_ACCOUNT_EMAIL=xxx

==================== DOCKER INFO ====================
DOCKER VERSION: Docker version 18.06.1-ce, build e68fc7a

DOCKER PROCESSES (docker ps -a)

CONTAINER ID        IMAGE                           COMMAND             CREATED             STATUS              PORTS                                      NAMES
ce58652241d9        local_discourse/app             "/sbin/boot"        2 weeks ago         Up 14 minutes       0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   app
8e6b8ec432b4        local_discourse/mail-receiver   "/sbin/boot"        11 months ago       Up 11 months        0.0.0.0:25->25/tcp                         mail-receiver

ce58652241d9        local_discourse/app             "/sbin/boot"        2 weeks ago         Up 14 minutes       0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   app

Discourse container app is running


==================== PLUGINS ====================
          - git clone https://github.com/discourse/docker_manager.git
          - git clone  https://github.com/davidtaylorhq/discourse-whos-online.git
          - git clone https://github.com/gdpelican/babble.git
          - git clone https://github.com/angusmcleod/discourse-quick-messages.git
          - git clone https://github.com/angusmcleod/discourse-events.git
          - git clone https://github.com/discourse/discourse-calendar.git
          - git clone https://github.com/discourse/discourse-data-explorer.git
          - git clone https://github.com/davidtaylorhq/discourse-telegram-notifications.git

WARNING:
You have what appear to be non-official plugins.
If you are having trouble, you should disable them and try rebuilding again.

See https://github.com/discourse/discourse/blob/main/lib/plugin/metadata.rb for the official list.

========================================
Discourse version at community.bfs-filmeditor.de: TYPO3 CMS
Discourse version at localhost: TYPO3 CMS


==================== MEMORY INFORMATION ====================
RAM (MB): 4039

              total        used        free      shared  buff/cache   available
Mem:           3944        1272        1236        1067        1436        1364
Swap:             0           0           0

==================== DISK SPACE CHECK ====================
---------- OS Disk Space ----------
Filesystem      Size  Used Avail Use% Mounted on
/dev/vda1        78G   60G   18G  78% /

---------- Container Disk Space ----------
Filesystem      Size  Used Avail Use% Mounted on
overlay          78G   60G   18G  78% /
/dev/vda1        78G   60G   18G  78% /shared
/dev/vda1        78G   60G   18G  78% /var/log

==================== DISK INFORMATION ====================
Disk /dev/vda: 80 GiB, 85899345920 bytes, 167772160 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: C1F9A1FE-534C-4DAC-9299-5CC180C29DCE

Device      Start       End   Sectors  Size Type
/dev/vda1  227328 167772126 167544799 79.9G Linux filesystem
/dev/vda14   2048     10239      8192    4M BIOS boot
/dev/vda15  10240    227327    217088  106M Microsoft basic data

Partition table entries are not in disk order.

==================== END DISK INFORMATION ====================

I have disabled quick messages but not yet removed it.

FWIW, I think babble has been broken for some time:

3 Likes

I thought that discourse-doctor showed which templates are enabled, guess not. Could you also please post this?

1 Like

It doesn’t. Though it seems like it might be a good idea, this is the first time that I remember that it was important.

1 Like

Here it is:

 GNU nano 2.9.3                                                                         containers/app.yml                                                                                   


## this is the all-in-one, standalone Discourse Docker container template
##
## After making changes to this file, you MUST rebuild
## /var/discourse/launcher rebuild app
##
## BE *VERY* CAREFUL WHEN EDITING!
## YAML FILES ARE SUPER SUPER SENSITIVE TO MISTAKES IN WHITESPACE OR ALIGNMENT!
## visit http://www.yamllint.com/ to validate this file as needed

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
  - "templates/web.ssl.template.yml"
  - "templates/web.letsencrypt.ssl.template.yml"
  - "templates/import/mbox.template.yml"
## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache or nginx,
## see https://meta.discourse.org/t/17247 for details
expose:
  - "80:80"   # http
  - "443:443" # https

params:
  db_default_text_search_config: "pg_catalog.english"

  ## Set db_shared_buffers to a max of 25% of the total memory.
  ## will be set automatically by bootstrap based on detected RAM, or you can override
  db_shared_buffers: "1024MB"

  ## can improve sorting performance, but adds memory usage per-connection
  #db_work_mem: "40MB"

  ## Which Git revision should this container use? (default: tests-passed)
  #version: tests-passed

env:
  LANG: en_US.UTF-8
  # DISCOURSE_DEFAULT_LOCALE: en

  ## How many concurrent web requests are supported? Depends on memory and CPU cores.
  ## will be set automatically by bootstrap based on detected CPUs, or you can override
  UNICORN_WORKERS: 4

This is the problem I think, try putting a # in front of it and doing a ./launcher rebuild app.

2 Likes