LXC ERROR: Unable to fetch GPG key from keyserver

root · August 9, 2019, 11:00am

Hi guys
I can not create a container
When trying to download a template, an error occurs with the GPG

LXC node create in cloud VM

Please HELP

lxc-create --logfile ~/log/ubuntu-xenial-create.log --logpriority TRACE -t download -n ubuntu-xenial -- -d ubuntu -r xenial -a amd64

Permission denied - Failed to open ttyPermission denied - Failed to open ttyPermission denied - Failed to open ttySetting up the GPG keyring
ERROR: Unable to fetch GPG key from keyserver
lxc-create: ubuntu-xenial: lxccontainer.c: create_run_template: 1617 Failed to create container from template
lxc-create: ubuntu-xenial: tools/lxc_create.c: main: 327 Failed to create container ubuntu-xenial

Do not working:
lxc-create -t download -n my_lxc – --keyserver hkp://p80.pool.sks-keyservers.net:80
DOWNLOAD_KEYSERVER=“keyserver.ubuntu.com” lxc-create -t download -n test

proxy - not use

simos · August 9, 2019, 6:27pm

There are generally two common issues here.
Either you are affected by ipv6 issues when connecting to a particular keyserver, or the key server is swamped with too many requests and your connection fails.

You can try to setup this keyserver, http://keyserver.ubuntu.com/

root · August 9, 2019, 6:56pm

DOWNLOAD_KEYSERVER=“keyserver.ubuntu.com” lxc-create -t download -n test
do not work for me
tell me please, what kind of trouble with ipv6

gpatel-fr · August 9, 2019, 8:20pm

you can’t have IP6 troubles with keyserver.ubuntu.com, this server is IPV4 only (dig keyserver.ubuntu.com AAAA) unless your server is ipv6 only.
Maybe your cloud provider is managing the ports for your VM ? the keyserver port is uncommon (11371), maybe you need to configure it in your panel (if any)
Maybe you could test this with the trick in this page of using ```
– --keyserver hkp://p80.pool.sks-keyservers.net:80
(but this one is IPV6)

root · August 12, 2019, 12:56pm

Hetzner Support
Dear Client,
we do not block any ports or something like that. So there is no issue on our side which might cause this.

I can’t understand what the problem is, ipv4 does not work, they don’t lock ports …
any ideas?

root · August 12, 2019, 1:38pm

some kind of configuration error

gpatel-fr · August 12, 2019, 2:43pm

did you try to check if your gpg connectivity works actually ? That’s easy by connecting directly to dirmngr. First kill it if it’s loaded by

gpgconf --kill dirmngr

then load it in debug mode by

dirmngr --server --standard-resolver --debug-all
after adding standard-resolver to your personal config file ~/.gnupg/dirmngr.conf

then at the dirmngr prompt try a simple search (here an Ubuntu key but you can use any mail address of a person you know to have a public gpg key)

OK Dirmngr 2.2.4 at your service
ks_search 790BC7277767219C42C86F933B4FE6ACC0B21F32
(…lot of stuff skipped…)
dirmngr[23358.0]: DBG: >> Host: hkps.pool.sks-keyservers.net\r\n
(…lot of stuff skipped…)
dirmngr[23358.0]: DBG: chan_3 -> D uid:Ubuntu Archive Automatic Signing Key (2012) ftpmaster@ubuntu.com:1336770936::%0A
D uid:Ubuntu Archive Automatic Signing Key (2012) ftpmaster@ubuntu.com:1336770936::%0A
dirmngr[23358.0]: DBG: chan_3 -> D %0D%0A
D %0D%0A
dirmngr[23358.0]: DBG: chan_3 -> OK
OK
bye
dirmngr[23358.0]: DBG: chan_3 <- bye
dirmngr[23358.0]: DBG: chan_3 -> OK closing connection
OK closing connection

simos · August 12, 2019, 4:41pm

ubuntu@mycontainer:~$ sudo lxc-create -t download -n mycontainer -- -d ubuntu -r xenial -a amd64
Setting up the GPG keyring
ERROR: Unable to fetch GPG key from keyserver
lxc-create: mycontainer: lxccontainer.c: create_run_template: 1617 Failed to create container from template
lxc-create: mycontainer: tools/lxc_create.c: main: 327 Failed to create container mycontainer
ubuntu@mycontainer:~$ sudo lxc-create -t download -n mycontainer -- -d ubuntu -r xenial -a amd64 --keyserver hkp://keyserver.ubuntu.com
Setting up the GPG keyring
Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs

---
You just created an Ubuntu xenial amd64 (20190812_07:42) container.

To enable SSH, run: apt install openssh-server
No default root or user password are set by LXC.
ubuntu@mycontainer:~$

That is, to use the Ubuntu keyserver, use lxc-create as in

sudo lxc-create -t download -n mycontainer -- \ 
                -d ubuntu -r xenial -a amd64 --keyserver hkp://keyserver.ubuntu.com

It appears that some keyservers are under attack (DOS),

gist.github.com

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

keyservers.md

# SKS Keyserver Network Under Attack

_This work is released under a [Creative Commons Attribution-NoDerivatives 4.0 International License](http://creativecommons.org/licenses/by-nd/4.0/)._

## Terminological Note

"OpenPGP" refers to the OpenPGP protocol, in much the same way that HTML refers to the protocol that specifies how to write a web page.  "GnuPG", "SequoiaPGP", "OpenPGP.js", and others are implementations of the OpenPGP protocol in the same way that Mozilla Firefox, Google Chromium, and Microsoft Edge refer to software packages that process HTML data.

## Who am I?

This file has been truncated. show original

Also, see this,

There is an effort to make changes to LXC not to use keyservers.

If you really have no preference between LXC and LXD, I suggest to use LXD.

root · August 12, 2019, 7:10pm

Thanks guys
The problem was in the configuration, I set it up again and was able to download, but the error remained

wisdomlight · January 31, 2022, 10:27pm

Hi
I am having some issues.
I know it was long ago - what was your configuration problem??

root · February 1, 2022, 8:32am

Sorry, it’s been so long ago. I made some stupid mistake in config. When i reconfigured node, i can noticed an error and solve the problem.