Make Base Fails

[nate-kennedy]

I was baking an air-gapped universe and failed during the make base step. It appears that the source for the nginx server is no longer valid. I see the following error when trying to create the base image:

Step 3/10 : RUN apt-key adv --keyserver hkp://zimmermann.mayfirst.org --recv-keys "$GPG_KEY"   || apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys "$GPG_KEY"   || apt-key adv --keyserver pool.sks-keyservers.net --recv-keys "$GPG_KEY"   || apt-key adv --keyserver keyserver.pgp.com --recv-keys "$GPG_KEY"   || apt-key adv --keyserver pgp.mit.edu --recv-keys "$GPG_KEY"   && echo "deb http://nginx.org/packages/debian/ jessie nginx" >> /etc/apt/sources.list   && apt-get update   && apt-get install --no-install-recommends --no-install-suggests -y             ca-certificates             nginx             nginx-module-xslt             nginx-module-geoip             nginx-module-image-filter             nginx-module-perl             nginx-module-njs             gettext-base   && rm -rf /var/lib/apt/lists/*
 ---> Running in 7ee646c2e73e
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.fYlLfQGqzx --no-auto-check-trustdb --trust-model always --primary-keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg --keyserver hkp://zimmermann.mayfirst.org --recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
gpg: requesting key 7BD9BF62 from hkp server zimmermann.mayfirst.org
gpg: key 7BD9BF62: public key "nginx signing key <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
Get:1 http://nginx.org jessie InRelease [2856 B]
Get:2 http://security.debian.org jessie/updates InRelease [44.9 kB]
Get:3 http://security.debian.org jessie/updates/main amd64 Packages [822 kB]
Get:4 http://nginx.org jessie/nginx amd64 Packages [16.7 kB]
Ign http://httpredir.debian.org jessie InRelease
Ign http://httpredir.debian.org jessie-updates InRelease
Get:5 http://httpredir.debian.org jessie Release.gpg [2420 B]
Ign http://httpredir.debian.org jessie-updates Release.gpg
Get:6 http://httpredir.debian.org jessie Release [148 kB]
Ign http://httpredir.debian.org jessie-updates Release
Get:7 http://httpredir.debian.org jessie/main amd64 Packages [9098 kB]
Err http://httpredir.debian.org jessie-updates/main amd64 Packages

Err http://httpredir.debian.org jessie-updates/main amd64 Packages

Err http://httpredir.debian.org jessie-updates/main amd64 Packages

Err http://httpredir.debian.org jessie-updates/main amd64 Packages

Err http://httpredir.debian.org jessie-updates/main amd64 Packages
  404  Not Found
Fetched 10.1 MB in 1s (5495 kB/s)
W: Failed to fetch http://httpredir.debian.org/debian/dists/jessie-updates/main/binary-amd64/Packages  404  Not Found

E: Some index files failed to download. They have been ignored, or old ones used instead.
The command '/bin/sh -c apt-key adv --keyserver hkp://zimmermann.mayfirst.org --recv-keys "$GPG_KEY"   || apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys "$GPG_KEY"   || apt-key adv --keyserver pool.sks-keyservers.net --recv-keys "$GPG_KEY"   || apt-key adv --keyserver keyserver.pgp.com --recv-keys "$GPG_KEY"   || apt-key adv --keyserver pgp.mit.edu --recv-keys "$GPG_KEY"   && echo "deb http://nginx.org/packages/debian/ jessie nginx" >> /etc/apt/sources.list   && apt-get update   && apt-get install --no-install-recommends --no-install-suggests -y             ca-certificates             nginx             nginx-module-xslt             nginx-module-geoip             nginx-module-image-filter             nginx-module-perl             nginx-module-njs             gettext-base   && rm -rf /var/lib/apt/lists/*' returned a non-zero code: 100
make: *** [base] Error 100

I have attempted on both my local workstation and an ec2 instance in us-east-1. In both cases make base failed at the same step.

[cneth]

Yes, nginx changed how they distribute signing keys, and Debian Jessie packages are no longer being signed.

It's not an official fix, but if you replace docker/local-universe/Dockerfile.base with the gist found here, it works:

https://gist.github.com/cneth/aaca2872f235d13a599739ca6527c54a

Keep in mind that all this stuff is really out of date and likely has many CVE's and other unpatched issues.