Need an option to not install the influxdata-archive-keyring

Due to how enterprise envs work, none of our internal servers can contact the Internet directly, all packages come in through Katello or Satellite Server.

Is there an option to not install this package or do I need to filter it out on my Katello instance?
If I do filter it out, will something else break or some update not go through?

This is on RHEL-based systems. I can see when updating hosts that it comes in as a “weak dependency” but am unsure what would happen if I simply block the keyring package.

Perhaps @jdstrand can offer some advice on this.

Hi. For context, RHEL systems (obviously) use RPMs and InfluxData signs its RPMs. Unless you disable RPM signature verification (not recommended), users will need to have the InfluxData signing key available on systems where InfluxData RPMs are installed, regardless of whether those systems are air-gapped or otherwise not connected to the internet. The influxdata-archive-keyring package provides a means for users to obtain the signing key used in RPM verification, and the InfluxData blog post on this subject describes this in more detail.

For your particular question:

  • If you are using a yum/dnf proxy/etc, then you might want to add influxdata-archive-keyring to the list of RPMs it is proxying. You might want to do this to ensure that the signing key to verify InfluxData RPMs is on the system.
  • If you don’t want to use the influxdata-archive-keyring package and fully manage the signing key yourself, then, since it is a weak dependency, the InfluxData RPMs will function fine without the influxdata-archive-keyring package, but you’ll have to update your install/update methods to tell yum/dnf to not install weak dependencies.

Considering that the influxdata-archive-keyring RPM ships the key and does not reach out to the internet itself, it may make sense to let yum/dnf install this weak dependency to avoid special casing InfluxData install/update methods. Due to how RPM works, influxdata-archive-keyring necessarily uses a timer/cron job to create the yum repo file at /etc/yum.repos.d/influxdata.repo that uses a file:// URL to the signing key (good for an air-gapped system), but sets the baseurl to https://repos.influxdata.com which you’ll need to address for an air-gapped system. This file is self-documenting and says:

# NOTICE: This file was installed by "influxdata-archive-keyring". In
# general, modifying this file for your site's specific needs (eg, local
# mirror, etc) is safe since changes to it prevent further automatic
# updates.
# 
# To restore managed behavior, remove this file then run:
# 
# /usr/lib/influxdata-archive-keyring/influxdata-keyring upgrade
# 
# The management of this file is handled by the influxdata-keyring.timer
# on systemd systems and /etc/cron.daily/influxdata-keyring. It is safe
# to disable this timer/cron job if desired.
# 
# If you prefer to rely on rpm to download keys automatically, you can
# configure 'gpgkey' to be:
# 
# gpgkey = https://repos.influxdata.com/influxdata-archive.key
# 
[influxdata]
name = InfluxData Repository - Stable
baseurl = https://repos.influxdata.com/stable/$basearch/main
enabled = 1
gpgcheck = 1
gpgkey = file:///usr/share/influxdata-archive-keyring/keyrings/influxdata-archive.asc

While you are of course free to do what you need using the above information, if you’re looking for advice, I suggest a) adjusting your proxy to serve influxdata-archive-keyring, b) moving your InfluxData yum/dnf configuration to /etc/yum.repos.d/influxdata.repo and c) adjusting baseurl in /etc/yum.repos.d/influxdata.repo to use your proxy. By doing this one time, when InfluxData periodically rotates its signing key you won’t have to take further actions since the updated influxdata-archive-keyring RPM that contains it will be installed via the proxy via normal upgrade processes, updating the key material but leaving the repo file (and your modified baseurl) untouched.

Hope this helps!
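The steps b) and c) above, carried out as a small script. This is an added example, not InfluxData's tooling and not part of the original reply: it writes a constructed copy of the keyring-managed repo file into a scratch directory, rewrites only the baseurl line to point at an internal mirror, and then checks that gpgcheck is still on and that the gpgkey is a file:// path that exists on disk (so no Internet access is needed to verify packages). The mirror URL and the placeholder key are assumptions; on a real host the file is /etc/yum.repos.d/influxdata.repo and the key lives under /usr/share/influxdata-archive-keyring/keyrings/.

```shell
#!/bin/sh
# Added example (not InfluxData's own tooling): point the keyring-managed
# repo file at an internal mirror while leaving gpgcheck=1 and the file://
# gpgkey untouched. The mirror URL and the placeholder key are assumptions.

# Write a constructed copy of the repo file plus a placeholder key into DIR,
# mimicking what influxdata-archive-keyring installs under /etc and /usr.
make_sample_repo() {
    dir="$1"
    # Constructed placeholder; a real key is an ASCII-armoured PGP public key.
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' 'placeholder' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$dir/influxdata-archive.asc"
    cat > "$dir/influxdata.repo" <<EOF
[influxdata]
name = InfluxData Repository - Stable
baseurl = https://repos.influxdata.com/stable/\$basearch/main
enabled = 1
gpgcheck = 1
gpgkey = file://$dir/influxdata-archive.asc
EOF
}

# Rewrite only the baseurl line of REPO so packages are fetched from MIRROR.
# enabled, gpgcheck and gpgkey are left as installed, so a later keyring RPM
# upgrade still refreshes the key material without touching baseurl.
point_repo_at_mirror() {
    repo="$1"
    mirror="$2"
    sed "s|^baseurl *=.*|baseurl = ${mirror}/stable/\$basearch/main|" "$repo" \
        > "$repo.tmp" && mv "$repo.tmp" "$repo"
}

# Return 0 only if REPO still enforces signature checks and its gpgkey is a
# local file that exists, i.e. verification works on an air-gapped host.
check_repo_keyring() {
    repo="$1"
    grep -q '^gpgcheck *= *1' "$repo" || return 1
    key=$(sed -n 's|^gpgkey *= *file://||p' "$repo")
    [ -n "$key" ] && [ -f "$key" ]
}

# Demo run: sh this-script.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_sample_repo "$d"
    point_repo_at_mirror "$d/influxdata.repo" "https://mirror.example.internal/influxdata"
    check_repo_keyring "$d/influxdata.repo" && echo "repo OK:" && cat "$d/influxdata.repo"
    rm -rf "$d"
fi
```

If you instead decide to keep the keyring RPM off the host entirely (the second bullet above), dnf's `install_weak_deps` option is the switch: `dnf install --setopt=install_weak_deps=False <package>` for a one-off, or `install_weak_deps=False` in /etc/dnf/dnf.conf to make it the default; in that case the gpgkey in your own .repo file must point at a key you distribute yourself. Either way, the notice in the generated file says the influxdata-keyring.timer / cron job that regenerates the file can safely be disabled once you have customised it.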

Thank you for this.

The main issue for me is that Katello (or Satellite Server) already has a mechanism for distributing the key alongside the repo info, and since I have no interest in maintaining an extra .repo file on all 500+ servers, I’ll go ahead and disable this for now and just keep updating the GPG key as we’ve already been doing (might script/automate it now, if you are rotating the keys with any frequency).

Again, thanks for the clarification on this.

FYI, assuming you download the key from https://repos.influxdata.com/influxdata-archive.key, we are in the process of updating it within the next day or two (the current signing key expires on 2026-01-17). After that, we plan to rotate no more often than every 18 months (barring a revocation event).