apt 的 invalid signatures / public key is not available (NO_PUBKEY/EXPKEYSIG/KEYEXPIRED) 問題處理方式

症狀 – apt / apt-get 操作時出現以下錯誤:

Err:4 https://dl.winehq.org/wine-builds/ubuntu xenial InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 76F1A20FF987672F
Reading package lists... Done
W: GPG error: https://dl.winehq.org/wine-builds/ubuntu xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 76F1A20FF987672F
E: The repository 'https://dl.winehq.org/wine-builds/ubuntu xenial InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://deb.torproject.org/torproject.org bionic InRelease: The following signatures were invalid: EXPKEYSIG 74A941BA219EC810 deb.torproject.org archive signing key
W: Failed to fetch https://deb.torproject.org/torproject.org/dists/bionic/InRelease  The following signatures were invalid: EXPKEYSIG 74A941BA219EC810 deb.torproject.org archive signing key
W: Some index files failed to download. They have been ignored, or old ones used instead.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://apt.puppetlabs.com trusty Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7F438280EF8D349F
W: Failed to fetch http://apt.puppetlabs.com/dists/trusty/Release
W: Some index files failed to download. They have been ignored, or old ones used instead.

可以看到上面缺的 key 分別是 76F1A20FF987672F74A941BA219EC8107F438280EF8D349F ,這種情況有可能是新增了新的 apt repository 但沒有對應的 key,或是舊有的 apt repository 所使用的 key已經過期了

通常可以到對應軟體提供者的網站上找到正確的 key ,並放到 /etc/apt/trusted.gpg 這個檔案、或 /etc/apt/trusted.gpg.d 目錄下,或是透過 apt-key 的指令從 keyserver 進行下載匯入,像是這樣(以 Yarn 和 Google Cloud 的套件庫為例):

  • curl -sS https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add –
  • curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -

我們也可以透過將有問題/闕漏的 key 直接拿去問 OpenPGP keyserver ,透過 apt-key adv --keyserver keyserver.ubuntu.com --recv-keys XXXXXXXX 的指令,像這樣:

$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7F438280EF8D349F
Executing: /tmp/apt-key-gpghome.VyE6MFMrnc/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 7F438280EF8D349F
gpg: key 7F438280EF8D349F: public key "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 74A941BA219EC810
Executing: /tmp/apt-key-gpghome.lRWvuhWnPw/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 74A941BA219EC810
gpg: key EE8CBC9E886DDD89: public key "deb.torproject.org archive signing key" imported
gpg: Total number processed: 1
gpg:               imported: 1
閱讀全文

在 Ubuntu ≥ 18.04 使用密碼登入 MySQL 及建立資料庫

在 Ubuntu 18.04 之前的版本,直接透過 apt 安裝 Ubuntu 套件庫中的 MySQL 資料庫 (sudo apt install mysql-server) 過程中會有設定 root 密碼的提示畫面:

在 Ubuntu 16.04 LTS 上透過系統預設的 apt 套件庫安裝 MySQL 5.7 的 root 密碼設定提示畫面

但從 Ubuntu 18.04 開始,安裝預設套件庫提供的 MySQL 就已經不會在安裝過程中提示設定 MySQL 的 root 使用者密碼,因為 root 帳戶預設已經不再使用密碼的來做驗證,對於不熟悉 MySQL 操作的使用者可能會造成一些困擾,畢竟這樣就無法直接在安裝 MySQL 後透過 phpMyAdmin 的方式來操作資料庫或建立使用者了,更別說有些使用者可能會直接使用 root 的帳戶給應用程式如 WordPress 或 Joomla 、Drupal 等系統使用,那如果想要透過密碼登入 MySQL 資料庫該怎麼做呢?

  1. 把 root 改為使用密碼驗證登入
  2. 另外建立一個透過密碼驗證登入的使用者

建議使用第二種方式會比較安全一些,這樣一來就只有能取得本機 root 權限的使用者能夠登入 root 帳戶,而不用擔心從應用程式面可以進行密碼暴力攻擊。兩種做法都必須使用到 MySQL command-line client 來操做,但過程並不會很複雜,以下簡單說明

閱讀全文

A rapid way to erase multiple partition tables on Ubuntu/Debian Linux

When doing labs / playing with ZFS on Linux, ZFS pool may creates a few partitions on each drive, we may want to erase all the playground partition table to start from scratch again(though it may not be required), if we have many drives like more than 10, and we want to erase them all, it’ll take a while to finish the job.

Here is a rapid method to do it, using the non-interactive command sgdisk from package gdisk – the GPT fdisk text-mode partitioning tool, with parameter -Z or -o (both work in my case):

$ sudo sgdisk -Z /dev/sda
GPT data structures destroyed! You may now partition the disk using fdisk or other utilities.
$ sudo sgdisk -o /dev/sdb
The operation has completed successfully.

According to the help message, by specifing parameters -Z, it’ll zap (destroy) the GPT and MBR data structures and exit, and by specifing parameters -o, it’ll clear out all partition data. This includes GPT header data, all partition definitions, and the protective MBR.

Because the command sgdisk is non-interactive, so we can simply integrate the whole massive partition clean up job with shell scripts, for example:

#!/bin/bash
sudo sgdisk -Z /dev/sda &
sudo sgdisk -Z /dev/sdb &
sudo sgdisk -Z /dev/sdc &
sudo sgdisk -Z /dev/sdd &
sudo sgdisk -Z /dev/sde &
sudo sgdisk -Z /dev/sdf &
sudo sgdisk -Z /dev/sdg &

That’s it! Happy hacking!

ZFS on Ubuntu 18.04 基本設定/初始化

Ubuntu 在 15.10 開始測試 ZFS16.04 LTS 的時候正式加入了 ZFS 的支援,背後用的是 ZFS On Linux 的實做,這邊筆記一下已經使用在 Ubuntu 18.04 上了好一陣子的 ZFS 初始化過程

先安裝所需要的套件:

$ sudo apt install zfsutils-linux -y

接著建立 ZFS Pool

接著會使用到 zpool 這個指令,相關的操作都需要要有 root 權限,我這邊是要直接拿完整的整顆硬碟來用,不另外做分割,測試的時候方便起見可以直接用 /dev/sda /dev/sdb 這樣的路徑,所以一路從 sda 用到 sdz,名稱取叫 pool-ftp ,做 raidz3 讓這組 pool 一次最多可以掉三顆硬碟不掉資料,不怕掉資料可以不加這個設定、效果會等同 RAID0 ,硬碟數量如果沒這麼多但想要有個保險也可以用 raidz 或 raidz2 就好,分別為容許一顆和兩顆的硬碟失效,要 RAID1 的效果可以用 mirror 這個選項:

$ sudo zpool create pool-ftp raidz3 /dev/sda /dev/sdd /dev/sde /dev/sdf /dev/sdg /dev/sdh /dev/sdi /dev/sdj /dev/sdk /dev/sdl /dev/sdm /dev/sdn /dev/sdo /dev/sdp /dev/sdq /dev/sdr /dev/sds /dev/sdt /dev/sdu /dev/sdv /dev/sdw /dev/sdx /dev/sdy /dev/sdz

不過正式環境還是建議不要使用 sda / sdb 而是使用 Disk ID / Label / UUID 的方式來認硬碟,就不用擔心未來順序可能改變或亂掉的問題,如果是整批相同型號的硬碟要做處理,透過 Disk ID 其實也很方便,例如:

$ command ls /dev/disk/by-id/ata-ST8000NM0055* | xargs sudo zpool create ftp-pool

如果過程中出現了這樣的訊息,在確認硬碟上沒有其他資料的情況下可以加 -f 的參數:

/dev/sdz does not contain an EFI label but it may contain partition information in the MBR.
閱讀全文