LXC ERROR: Unable to fetch GPG key from keyserver

Hi guys
I can not create a container
When trying to download a template, an error occurs with the GPG

LXC node create in cloud VM

Please HELP

lxc-create --logfile ~/log/ubuntu-xenial-create.log --logpriority TRACE -t download -n ubuntu-xenial -- -d ubuntu -r xenial -a amd64

Permission denied - Failed to open ttyPermission denied - Failed to open ttyPermission denied - Failed to open ttySetting up the GPG keyring
ERROR: Unable to fetch GPG key from keyserver
lxc-create: ubuntu-xenial: lxccontainer.c: create_run_template: 1617 Failed to create container from template
lxc-create: ubuntu-xenial: tools/lxc_create.c: main: 327 Failed to create container ubuntu-xenial

Do not working:
lxc-create -t download -n my_lxc – --keyserver hkp://p80.pool.sks-keyservers.net:80
DOWNLOAD_KEYSERVER=“keyserver.ubuntu.com” lxc-create -t download -n test

proxy - not use

There are generally two common issues here.
Either you are affected by ipv6 issues when connecting to a particular keyserver, or the key server is swamped with too many requests and your connection fails.

You can try to setup this keyserver, http://keyserver.ubuntu.com/

DOWNLOAD_KEYSERVER=“keyserver.ubuntu.com” lxc-create -t download -n test
do not work for me
tell me please, what kind of trouble with ipv6

you can’t have IP6 troubles with keyserver.ubuntu.com, this server is IPV4 only (dig keyserver.ubuntu.com AAAA) unless your server is ipv6 only.
Maybe your cloud provider is managing the ports for your VM ? the keyserver port is uncommon (11371), maybe you need to configure it in your panel (if any)
Maybe you could test this with the trick in this page of using ```
– --keyserver hkp://p80.pool.sks-keyservers.net:80
(but this one is IPV6)

Hetzner Support
Dear Client,
we do not block any ports or something like that. So there is no issue on our side which might cause this.

I can’t understand what the problem is, ipv4 does not work, they don’t lock ports …
any ideas?

some kind of configuration error

did you try to check if your gpg connectivity works actually ? That’s easy by connecting directly to dirmngr. First kill it if it’s loaded by

gpgconf --kill dirmngr

then load it in debug mode by

dirmngr --server --standard-resolver --debug-all
after adding standard-resolver to your personal config file ~/.gnupg/dirmngr.conf

then at the dirmngr prompt try a simple search (here an Ubuntu key but you can use any mail address of a person you know to have a public gpg key)

OK Dirmngr 2.2.4 at your service
ks_search 790BC7277767219C42C86F933B4FE6ACC0B21F32
(…lot of stuff skipped…)
dirmngr[23358.0]: DBG: >> Host: hkps.pool.sks-keyservers.net\r\n
(…lot of stuff skipped…)
dirmngr[23358.0]: DBG: chan_3 -> D uid:Ubuntu Archive Automatic Signing Key (2012) ftpmaster@ubuntu.com:1336770936::%0A
D uid:Ubuntu Archive Automatic Signing Key (2012) ftpmaster@ubuntu.com:1336770936::%0A
dirmngr[23358.0]: DBG: chan_3 -> D %0D%0A
D %0D%0A
dirmngr[23358.0]: DBG: chan_3 -> OK
OK
bye
dirmngr[23358.0]: DBG: chan_3 <- bye
dirmngr[23358.0]: DBG: chan_3 -> OK closing connection
OK closing connection

ubuntu@mycontainer:~$ sudo lxc-create -t download -n mycontainer -- -d ubuntu -r xenial -a amd64
Setting up the GPG keyring
ERROR: Unable to fetch GPG key from keyserver
lxc-create: mycontainer: lxccontainer.c: create_run_template: 1617 Failed to create container from template
lxc-create: mycontainer: tools/lxc_create.c: main: 327 Failed to create container mycontainer
ubuntu@mycontainer:~$ sudo lxc-create -t download -n mycontainer -- -d ubuntu -r xenial -a amd64 --keyserver hkp://keyserver.ubuntu.com
Setting up the GPG keyring
Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs

---
You just created an Ubuntu xenial amd64 (20190812_07:42) container.

To enable SSH, run: apt install openssh-server
No default root or user password are set by LXC.
ubuntu@mycontainer:~$ 

That is, to use the Ubuntu keyserver, use lxc-create as in

sudo lxc-create -t download -n mycontainer -- \ 
                -d ubuntu -r xenial -a amd64 --keyserver hkp://keyserver.ubuntu.com

It appears that some keyservers are under attack (DOS),

Also, see this,


There is an effort to make changes to LXC not to use keyservers.

If you really have no preference between LXC and LXD, I suggest to use LXD.

Thanks guys
The problem was in the configuration, I set it up again and was able to download, but the error remained

Permission denied - Failed to open ttyPermission denied - Failed to open ttyPermission denied - Failed to open ttySetting up the GPG keyring

I will dig

now the container does not start

lxc-start -n ubuntu-xenial
lxc-start: ubuntu-xenial: lxccontainer.c: wait_on_daemonized_start: 833 No such file or directory - Failed to receive the container state
lxc-start: ubuntu-xenial: tools/lxc_start.c: main: 330 The container failed to start
lxc-start: ubuntu-xenial: tools/lxc_start.c: main: 333 To get more details, run the container in foreground mode
lxc-start: ubuntu-xenial: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options