Tags: docker, curl, ansible, ansible-2.x, gpg-signature

curl command with pipe not working in Ansible


I am trying to execute the command below, which is part of the Docker installation, but it gets stuck.

The gpg part of the command gets stuck; if I remove gpg after the pipe, it works.

---
- hosts: all
  become: yes

  tasks:

    - name: add docker GPG key
      shell: "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"

Solution

  • General Ansible advice: if you just feed all your command lines into shell tasks in Ansible, then you are doing it wrong.
    Ansible has existing modules that are built to serve the idempotency idea that is at the root of Ansible's goal and that will greatly simplify all the tasks you try to achieve.


    This being said, you now have to understand what that specific line of the Docker manual is trying to achieve.

    curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
    | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
    

    This command would add the GPG key of Docker to a trusted keyring on the node, so it can validate the authenticity of the package you will later use in a package task.

    In more recent versions of Debian and Ubuntu, the key can be passed as is — meaning, without the need to dearmor it — as long as it is used in the asc format and defined in the signed-by option of the repository.

    So, those two tasks would

    1. download the repository key, in asc format
    2. define the repository along with the signed-by option

    Mind that those two tasks require you to gather a minimal set of facts from the nodes in order to resolve the variable ansible_distribution_release.

    - get_url:
        url:  https://download.docker.com/linux/ubuntu/gpg
        dest: /etc/apt/keyrings/docker.asc
        mode: '0644'
    
    - apt_repository:
        repo: >-
          deb
          [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc]
          https://download.docker.com/linux/ubuntu
          {{ ansible_distribution_release }}
          stable
    

    Since version 2.15, there is a new module deb822_repository that allows for everything to be done in one go — adding the GPG key that would sign the repository along with the repository itself.

    Mind that this one needs the package python3-debian installed on the targeted host(s).

    The two tasks described above now sum up to:

    - deb822_repository:
        name: docker
        types: deb
        uris: https://download.docker.com/linux/ubuntu
        suites: "{{ ansible_distribution_release }}"
        components: stable
        architectures: amd64
        signed_by: https://download.docker.com/linux/ubuntu/gpg
    

    Previously, this was the purpose of the module apt_key, which still exists but, since the underlying apt-key command has been deprecated, is just kept for backward-compatibility purposes.

    Using that module the task to add an apt key would have been:

    - name: add docker GPG key
      apt_key:
        url: https://download.docker.com/linux/ubuntu/gpg
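A complete playbook built on the get_url + apt_repository approach from the answer above, added here as an example and not part of the original question or answer. It adds the two things a practitioner usually trips over: creating /etc/apt/keyrings (older releases do not ship it) and checking the downloaded key's fingerprint before apt is told to trust it, so that the repository signature is anchored to a key you verified rather than to whatever the download returned. It assumes Ubuntu hosts on amd64; the variable docker_gpg_fingerprint is a placeholder you replace with the fingerprint Docker publishes for its repository key.

```yaml
---
# Added example (not from the original page). Installs the Docker apt
# repository and engine on Ubuntu/amd64 hosts using get_url + apt_repository.
# docker_gpg_fingerprint is a placeholder (not on the page): set it to the
# fingerprint Docker publishes, as uppercase hex without spaces.
- hosts: all
  become: yes
  gather_facts: yes          # required to resolve ansible_distribution_release
  vars:
    keyring_path: /etc/apt/keyrings/docker.asc
    docker_gpg_fingerprint: "REPLACE_WITH_DOCKER_KEY_FINGERPRINT"

  tasks:
    - name: ensure the keyrings directory exists (not present on older releases)
      file:
        path: /etc/apt/keyrings
        state: directory
        mode: '0755'

    - name: download the Docker repository key in ASCII-armored (asc) form
      get_url:
        url: https://download.docker.com/linux/ubuntu/gpg
        dest: "{{ keyring_path }}"
        mode: '0644'

    - name: read the fingerprint(s) of the downloaded key without importing it
      command: gpg --show-keys --with-colons --with-fingerprint {{ keyring_path }}
      register: key_info
      changed_when: false

    - name: stop if the key is not the one we expect
      assert:
        that:
          # gpg --with-colons prints one "fpr:::::::::<FINGERPRINT>:" line per key
          - "('fpr:::::::::' ~ docker_gpg_fingerprint ~ ':') in key_info.stdout"
        fail_msg: "Downloaded key fingerprint does not match docker_gpg_fingerprint"

    - name: define the Docker repository, accepting only packages signed by that key
      apt_repository:
        repo: >-
          deb
          [arch=amd64 signed-by={{ keyring_path }}]
          https://download.docker.com/linux/ubuntu
          {{ ansible_distribution_release }}
          stable
        filename: docker
        state: present
        update_cache: yes

    - name: install the Docker engine from that repository
      apt:
        name:
          - docker-ce
          - docker-ce-cli
          - containerd.io
        state: present
```

Run it with `ansible-playbook -i inventory docker.yml`. The fingerprint check is the reason the key is downloaded to a file first instead of being piped straight into gpg: a file can be inspected and the play aborted before apt ever reads it, and every task here is idempotent, so re-running the play changes nothing once the host is in the desired state.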