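[Quick tip] How to fix the GPG error when registering Amazon Linux 2023 with ECS Anywhere
This is hato from the Annotation technical support team.
When I ran the command that registers an Amazon Linux 2023 instance as an ECS Anywhere external instance, it failed with a GnuPG error.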
# Trying to verify the signature of amazon-ecs-init package ...
/usr/bin/gpg
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: key BCE9D9A42D51784F: 1 signature not checked due to a missing key
gpg: key BCE9D9A42D51784F: public key "Amazon ECS <ecs-security@amazon.com>" imported
gpg: error running '/usr/bin/gpg-agent': probably not installed
gpg: failed to start gpg-agent '/usr/bin/gpg-agent': Configuration error
gpg: can't connect to the gpg-agent: Configuration error
gpg: WARNING: key BCE9D9A42D51784F contains preferences for unavailable
algorithms on these user IDs:
gpg: "Amazon ECS <ecs-security@amazon.com>": preference for compression algorithm ZLIB
gpg: "Amazon ECS <ecs-security@amazon.com>": preference for compression algorithm 3
gpg: "Amazon ECS <ecs-security@amazon.com>": preference for compression algorithm ZIP
gpg: it is strongly suggested that you update your preferences and
gpg: re-distribute this key to avoid potential algorithm mismatch problems
gpg: error running '/usr/bin/gpg-agent': probably not installed
gpg: failed to start gpg-agent '/usr/bin/gpg-agent': Configuration error
gpg: can't connect to the gpg-agent: Configuration error
Need the secret key to do this.
Key not changed so no update needed.
gpg: Total number processed: 1
gpg: imported: 1
Fix
Run the following command on the instance.
dnf swap gnupg2-minimal gnupg2-full
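The gnupg2-minimal package installed by default on Amazon Linux 2023 provides only minimal functionality. If you need the full feature set, you have to switch to gnupg2-full.
GNU Privacy Guard (GNUPG) - Amazon Linux 2023
AL2023 separates the minimal and full functionality of the gnupg2 package into the gnupg2-minimal and gnupg2-full packages. By default, only the gnupg2-minimal package is installed. This provides the minimum functionality needed to verify the digital signatures of rpm packages.
After switching to gnupg2-full, the command ran to completion and the instance was registered successfully as an external instance.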
Example output on success
# curl --proto "https" -o "/tmp/ecs-anywhere-install.sh" "https://amazon-ecs-agent.s3.amazonaws.com/ecs-anywhere-install-latest.sh" && bash /tmp/ecs-anywhere-install.sh --region "ap-northeast-1" --cluster "hato-ecsanywhere-cluster" --activation-id "hato-id" --activation-code "hato-code"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 21510 100 21510 0 0 46090 0 --:--:-- --:--:-- --:--:-- 46059
Running ECS install script on amzn 2023
###
Last metadata expiration check: 0:01:55 ago on Fri Nov 1 06:58:07 2024.
Package jq-1.7.1-48.amzn2023.0.1.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
##########################
# Trying to install ssm agent ...
SSM agent is already installed.
##########################
# Trying to Register SSM agent ...
Error occurred fetching the seelog config file path: open /etc/amazon/ssm/seelog.xml: no such file or directory
Initializing new seelog logger
New Seelog Logger Creation Complete
2024-11-01 04:07:43 WARN Could not read InstanceFingerprint file: InstanceFingerprint does not exist
2024-11-01 04:07:43 INFO No initial fingerprint detected, generating fingerprint file...
2024-11-01 04:07:43 INFO Successfully registered the instance with AWS SSM using Managed instance-id: mi-123456789abcd
SSM agent has been registered.
# ok
##########################
# ok
##########################
docker is already installed, skipping installation
Copying certs for exec feature
Using /etc/ssl/certs/ca-certificates.crt
/etc/ssl/certs/ca-certificates.crt: OK
# ok
##########################
Downloading SSM binaries for exec feature
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 31.2M 100 31.2M 0 0 76.5M 0 --:--:-- --:--:-- --:--:-- 76.5M
amazon-ssm-agent
ssm-agent-worker
ssm-document-worker
ssm-session-worker
ssm-session-logger
ssm-cli
# ok
##########################
##########################
# Trying to install ecs agent ...
##########################
# Trying to verify the signature of amazon-ecs-init package ...
/usr/bin/gpg
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: key BCE9D9A42D51784F: 1 signature not checked due to a missing key
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key BCE9D9A42D51784F: public key "Amazon ECS <ecs-security@amazon.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
gpg: Signature made Fri Oct 11 16:20:19 2024 UTC
gpg: using RSA key 50DECCC4710E61AF
gpg: Good signature from "Amazon ECS <ecs-security@amazon.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F34C 3DDA E729 26B0 79BE AEC6 BCE9 D9A4 2D51 784F
Subkey fingerprint: D64B B6F9 0CF3 77E9 B5FB 346F 50DE CCC4 710E 61AF
amazon-ecs-init GPG verification passed. Install amazon-ecs-init.
# ok
##########################
Last metadata expiration check: 0:02:36 ago on Fri Nov 1 06:58:07 2024.
Dependencies resolved.
======================================================================================================================================================================
Package Architecture Version Repository Size
======================================================================================================================================================================
Installing:
amazon-ecs-init x86_64 1.86.0-1 @commandline 28 M
Transaction Summary
======================================================================================================================================================================
Install 1 Package
Total size: 28 M
Installed size: 107 M
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : amazon-ecs-init-1.86.0-1.x86_64 1/1
Running scriptlet: amazon-ecs-init-1.86.0-1.x86_64 1/1
Verifying : amazon-ecs-init-1.86.0-1.x86_64 1/1
Installed:
amazon-ecs-init-1.86.0-1.x86_64
Complete!
Created symlink /etc/systemd/system/multi-user.target.wants/ecs.service → /usr/lib/systemd/system/ecs.service.
# ok
##########################
##########################
# Trying to wait for ECS agent to start ...
Ping ECS Agent registered successfully! Container instance arn: "arn:aws:ecs:ap-northeast-1:123456789012:container-instance/hato-ecsanywhere-cluster/abcd123456789"
You can check your ECS cluster here https://console.aws.amazon.com/ecs/home?region=ap-northeast-1#/clusters/hato-ecsanywhere-cluster
# ok
##########################
##########################
This script installed three open source packages that all use Apache License 2.0.
You can view their license information here:
- ECS Agent https://github.com/aws/amazon-ecs-agent/blob/master/LICENSE
- SSM Agent https://github.com/aws/amazon-ssm-agent/blob/master/LICENSE
- Docker engine https://github.com/moby/moby/blob/master/LICENSE
##########################
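The two gpg outcomes shown on this page can be told apart mechanically from a saved install log. The following is an added example, not part of the original post or of the AWS install script. The function names and log file names are hypothetical, and `EXPECTED_FPR` is copied from the successful output above, so confirm it against AWS documentation before treating it as a pin.

```shell
#!/bin/sh
# Added example: classify the GnuPG section of an ECS Anywhere install log.
# EXPECTED_FPR is the primary key fingerprint printed in this page's successful
# run (assumption: confirm it against AWS documentation before pinning it).
EXPECTED_FPR="F34C3DDAE72926B079BEAEC6BCE9D9A42D51784F"

# Print the primary key fingerprint found in a log (spaces removed), or nothing.
primary_fpr() {
    sed -n 's/^ *Primary key fingerprint: *//p' "$1" | head -n 1 | tr -d ' \r'
}

# Classify a log file. Prints one of:
#   agent-missing  gpg could not start gpg-agent (the gnupg2-minimal symptom)
#   verified       good signature and the fingerprint equals EXPECTED_FPR
#   wrong-key      good signature, but from an unexpected primary key
#   unverified     no "Good signature" line at all
diagnose_gpg_log() {
    log=$1
    if grep -q "gpg: error running '/usr/bin/gpg-agent'" "$log"; then
        echo "agent-missing"
    elif ! grep -q '^gpg: Good signature from ' "$log"; then
        echo "unverified"
    elif [ "$(primary_fpr "$log")" = "$EXPECTED_FPR" ]; then
        echo "verified"
    else
        echo "wrong-key"
    fi
}

# Constructed sample logs, reduced from the two outputs shown on this page.
write_samples() {
    dir=$1
    cat > "$dir/fail.log" <<'EOF'
gpg: key BCE9D9A42D51784F: public key "Amazon ECS <ecs-security@amazon.com>" imported
gpg: error running '/usr/bin/gpg-agent': probably not installed
gpg: can't connect to the gpg-agent: Configuration error
EOF
    cat > "$dir/ok.log" <<'EOF'
gpg: Good signature from "Amazon ECS <ecs-security@amazon.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: F34C 3DDA E729 26B0 79BE AEC6 BCE9 D9A4 2D51 784F
EOF
    sed 's/784F$/0000/' "$dir/ok.log" > "$dir/wrongkey.log"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in fail ok wrongkey; do
    printf '%s: %s\n' "$f" "$(diagnose_gpg_log "$tmp/$f.log")"
done
rm -rf "$tmp"
```

Because gpg reports the key as "not certified with a trusted signature", the "Good signature" line alone only ties the package to whichever key was imported. The fingerprint comparison is what ties it to the expected Amazon ECS key.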
References
Supported operating systems and system architectures
The following is a list of supported operating systems and system architectures.
- Amazon Linux 2
- Amazon Linux 2023