:bug: Fix microdnf segfault by removing unsupported GPG keys by elfosardo · Pull Request #894 · metal3-io/ironic-image

elfosardo · 2026-01-27T09:47:15Z

Remove problematic GPG keys (CentOS-SIG-Extras, centosofficial-PQC)
and explicitly import valid keys before package installation in
both Dockerfile wheel-builder stages and prepare-image.sh.
This preventsa microdnf segfault caused by attempting to use
unsupported keys.

elfosardo · 2026-01-27T09:57:01Z

/cc @tuminoid @Rozzii @dtantsur @lentzi90

elfosardo · 2026-01-27T10:18:01Z

/hold
testing a different workaround

elfosardo · 2026-01-27T10:43:57Z

/test metal3-centos-e2e-integration-test-main metal3-ubuntu-e2e-integration-test-main

Copilot

Pull request overview

This PR addresses a microdnf segfault issue in CentOS environments by removing problematic GPG keys and dynamically importing available official CentOS keys to ensure compatibility across CentOS 9 and 10.

Changes:

Remove two specific GPG keys (RPM-GPG-KEY-CentOS-SIG-Extras and RPM-GPG-KEY-centosofficial-PQC) that cause microdnf to segfault
Dynamically import remaining CentOS GPG keys using a wildcard pattern to handle naming variations between CentOS versions
Refactor dnf configuration in Dockerfile to use printf with overwrite instead of echo with append

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 11 comments.

File	Description
prepare-image.sh	Adds GPG key cleanup and dynamic import logic before package installation in the main image preparation script
Dockerfile	Applies the same GPG key fix to the deps-wheel-builder stage and updates the dnf.conf creation approach

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

prepare-image.sh

Dockerfile

prepare-image.sh

Dockerfile

prepare-image.sh

Dockerfile

prepare-image.sh

Dockerfile

tuminoid

IMO this level failure at DNF should not be worked around as it surely is major issue over all. This has been reported to microdnf maintainers, so I'd like to wait for some comments/timeline estimates before merging this, regardless that it might block ironic-image release for a day or two.

Rozzii

I have no additional comments on top of the co-pilote comments, co-pilote concers seem to be very minor issues or rather considerations.

But I can't argue against @tuminoid 's request either as it is reasonable. I agree that we should not rush the release or the CI unblocking until at least we have an ETA for a real fix.

elfosardo · 2026-01-27T11:08:38Z

/test metal3-centos-e2e-integration-test-main metal3-ubuntu-e2e-integration-test-main

elfosardo · 2026-01-28T10:08:06Z

a new CS base image has been uploaded, local builds work again
let's leave this on hold for the time being, just in case

Rozzii · 2026-01-29T08:01:35Z

@elfosardo should we close this?

elfosardo · 2026-01-29T14:34:49Z

closing as the new images have fixed the gpg keys

Remove problematic GPG keys (CentOS-SIG-Extras, centosofficial-PQC) and explicitly import valid keys before package installation in both Dockerfile wheel-builder stages and prepare-image.sh. This preventsa microdnf segfault caused by attempting to use unsupported keys. Signed-off-by: Riccardo Pittau <elfosardo@gmail.com>

elfosardo · 2026-02-10T08:23:17Z

/test metal3-centos-e2e-integration-test-main metal3-ubuntu-e2e-integration-test-main

tuminoid · 2026-02-10T08:23:18Z

Do we plan to backport this? At least 34.0 needs this.

elfosardo · 2026-02-10T08:23:22Z

/unhold

elfosardo · 2026-02-10T08:24:23Z

Do we plan to backport this? At least 34.0 needs this.

@tuminoid we could, I hope this is not actually needed for too long though

tuminoid

OK, builds passed. I'm not going to nit about the bash as we hopefully revert this in nearby future.

/lgtm

Rozzii

/approve

metal3-io-bot · 2026-02-11T07:23:34Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Rozzii

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [Rozzii]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

tuminoid · 2026-02-11T07:44:55Z

/cherry-pick release-34.0

metal3-io-bot · 2026-02-11T07:45:32Z

@tuminoid: #894 failed to apply on top of branch "release-34.0":

Applying: Fix microdnf segfault by removing unsupported GPG keys
Using index info to reconstruct a base tree...
M	Dockerfile
Falling back to patching base and 3-way merge...
Auto-merging Dockerfile
CONFLICT (content): Merge conflict in Dockerfile
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 Fix microdnf segfault by removing unsupported GPG keys

Details

In response to this:

/cherry-pick release-34.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

metal3-io-bot requested review from iurygregory and zaneb January 27, 2026 09:47

metal3-io-bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jan 27, 2026

elfosardo force-pushed the fix-microdnf-sigfault branch 2 times, most recently from 78e3f80 to 07149e8 Compare January 27, 2026 09:55

metal3-io-bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jan 27, 2026

metal3-io-bot requested review from Rozzii, dtantsur, lentzi90 and tuminoid January 27, 2026 09:57

metal3-io-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 27, 2026

elfosardo force-pushed the fix-microdnf-sigfault branch 3 times, most recently from 82ff02c to ee1e227 Compare January 27, 2026 10:35

Rozzii requested a review from Copilot January 27, 2026 10:40

Copilot started reviewing on behalf of Rozzii January 27, 2026 10:41 View session

Copilot AI reviewed Jan 27, 2026

View reviewed changes

tuminoid reviewed Jan 27, 2026

View reviewed changes

Rozzii reviewed Jan 27, 2026

View reviewed changes

elfosardo force-pushed the fix-microdnf-sigfault branch from ee1e227 to 72d4720 Compare January 27, 2026 11:07

metal3-io-bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jan 27, 2026

Rozzii mentioned this pull request Jan 28, 2026

🐛 Update pinned iPXE release #893

Merged

2 tasks

elfosardo closed this Jan 29, 2026

elfosardo reopened this Feb 10, 2026

metal3-io-bot added the needs-rebase Indicates that a PR cannot be merged because it has merge conflicts with HEAD. label Feb 10, 2026

elfosardo force-pushed the fix-microdnf-sigfault branch from 72d4720 to ade1378 Compare February 10, 2026 08:09

metal3-io-bot removed the needs-rebase Indicates that a PR cannot be merged because it has merge conflicts with HEAD. label Feb 10, 2026

elfosardo changed the title ~~🐛 Fix for microdnf segfault~~ 🐛 Workaround for unsupported keys Feb 10, 2026

elfosardo force-pushed the fix-microdnf-sigfault branch from ade1378 to a85a0f9 Compare February 10, 2026 08:12

elfosardo changed the title ~~🐛 Workaround for unsupported keys~~ 🐛 Fix microdnf segfault by removing unsupported GPG keys Feb 10, 2026

elfosardo requested review from Rozzii and tuminoid February 10, 2026 08:13

metal3-io-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 10, 2026

elfosardo mentioned this pull request Feb 10, 2026

🌱 Update dependency setuptools to v81 (release-34.0) - autoclosed #909

Closed

1 task

tuminoid reviewed Feb 10, 2026

View reviewed changes

metal3-io-bot added the lgtm Indicates that a PR is ready to be merged. label Feb 10, 2026

Rozzii reviewed Feb 11, 2026

View reviewed changes

metal3-io-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 11, 2026

metal3-io-bot merged commit bf6b8e7 into metal3-io:main Feb 11, 2026
32 checks passed

metal3-io-bot added this to the ironic-image - v35.0 milestone Feb 11, 2026

Conversation

elfosardo commented Jan 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

elfosardo commented Jan 27, 2026

Uh oh!

elfosardo commented Jan 27, 2026

Uh oh!

elfosardo commented Jan 27, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

tuminoid left a comment

Choose a reason for hiding this comment

Uh oh!

Rozzii left a comment

Choose a reason for hiding this comment

Uh oh!

elfosardo commented Jan 27, 2026

Uh oh!

elfosardo commented Jan 28, 2026

Uh oh!

Rozzii commented Jan 29, 2026

Uh oh!

elfosardo commented Jan 29, 2026

Uh oh!

elfosardo commented Feb 10, 2026

Uh oh!

tuminoid commented Feb 10, 2026

Uh oh!

elfosardo commented Feb 10, 2026

Uh oh!

elfosardo commented Feb 10, 2026

Uh oh!

tuminoid left a comment

Choose a reason for hiding this comment

Uh oh!

Rozzii left a comment

Choose a reason for hiding this comment

Uh oh!

metal3-io-bot commented Feb 11, 2026

Uh oh!

Uh oh!

tuminoid commented Feb 11, 2026

Uh oh!

metal3-io-bot commented Feb 11, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

elfosardo commented Jan 27, 2026 •

edited

Loading