Unable to fetch GPG key from keyserver


(Olivier Mellina) #1

Hello,

I have Debian with LXC 2.0.9. When I create an unprivileged LXC container, I get a keyserver error:

lxc-create -t download -n my_lxc
Setting up the GPG keyring
ERROR: Unable to fetch GPG key from keyserver.
lxc-create: lxccontainer.c: create_run_template: 1427 container creation template for my_lxc failed
lxc-create: tools/lxc_create.c: main: 326 Error creating container my_lxc

and it works fine if I specify the keyserver:

lxc-create -t download -n my_lxc -- --keyserver hkp://p80.pool.sks-keyservers.net:80
Setting up the GPG keyring
Downloading the image index

---
DIST    RELEASE ARCH    VARIANT BUILD
---
alpine  3.4     amd64   default 20180627_17:50
alpine  3.4     armhf   default 20180627_17:50
alpine  3.4     i386    default 20180627_17:50
....
....

This looks identical to this other thread. (Except) The proposed fix is a workaround.

How can I create containers without always having to specify the keyserver? Did I do something wrong?

Thanks for your help.


#2

Indeed, some default keyservers are overloaded and they fail intermittently. It’s bad and annoying.
I suggest using keyserver.ubuntu.com.

I am not very familiar with LXC. The keyserver is listed in the template, so you would have to look in there and set it accordingly.
If all else fails, you can create a shell alias so that the keyserver is always applied to the command line.


(Olivier Mellina) #3

I finally found the problem. I am sharing the solution for others.
As stgraber says:

Instead, firewalls and proxies on the client side are much more common source of problems.

Firewalls block HKP traffic on the TCP port. Just open TCP port 11371 and it should work.
Source: https://en.wikipedia.org/wiki/Key_server_(cryptographic)


#4

Is that your network’s firewall or the server firewall?


(Olivier Mellina) #5

The network’s firewall, in my case.
It could be a good thing to check the server-side firewall’s rules too.
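
Editor's added example, not part of any post in this thread: a small diagnostic for the cause found above. It works out which TCP port a keyserver URI implies (11371 for plain hkp, which is why the explicit `:80` URI got through the firewall) and checks whether this host can open a connection to it. The function names are hypothetical, the hkps default of 443 is an assumption taken from general HKP usage rather than from the thread, and the probe needs `bash` and `timeout` installed.

```shell
#!/bin/sh
# Added example: which TCP port does a keyserver URI use, and is it reachable?

# Print "host port" for a keyserver URI. A bare hostname is treated as hkp.
# Default ports: hkp -> 11371, hkps -> 443. Hostnames and IPv4 only.
keyserver_endpoint() (
    uri=$1
    scheme=hkp
    case $uri in
        *://*) scheme=${uri%%://*}; rest=${uri#*://} ;;
        *)     rest=$uri ;;
    esac
    rest=${rest%%/*}                    # drop any trailing path
    case $rest in
        *:*) port=${rest##*:}; host=${rest%:*} ;;
        *)   host=$rest
             case $scheme in
                 hkp)  port=11371 ;;
                 hkps) port=443 ;;
                 *)    echo "unsupported scheme: $scheme" >&2; exit 2 ;;
             esac ;;
    esac
    case $port in ''|*[!0-9]*) echo "bad port in: $uri" >&2; exit 2 ;; esac
    [ -n "$host" ] || { echo "no host in: $uri" >&2; exit 2; }
    printf '%s %s\n' "$host" "$port"
)

# Return 0 if a TCP connection to the endpoint opens within 5 seconds.
probe_keyserver() (
    endpoint=$(keyserver_endpoint "$1") || exit 2
    host=${endpoint% *}
    port=${endpoint#* }
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
)

# With URIs as arguments, report each one; with none, this loop does nothing.
for uri in "$@"; do
    if probe_keyserver "$uri"; then state="reachable"; else state="blocked or down"; fi
    printf '%-16s %s\n' "$state" "$uri"
done
```

If the port-80 URI reports reachable while the plain `hkp://` form of the same host does not, outbound TCP 11371 is being filtered somewhere between the client and the keyserver.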