sous-chefs / apt

Development repository for the apt cookbook
https://supermarket.chef.io/cookbooks/apt
Apache License 2.0

Request to add attribute allow-unauthenticated config option #232

Closed swapnil-jaiswal closed 7 years ago

swapnil-jaiswal commented 7 years ago

Cookbook version

"version":"6.1.3"

Chef-client version

Chef client version to 12.18.31

Platform Details

Ubuntu 16.04 LTS ; AWS OpsWorks

Scenario:

Trying to install nginx-extras using the marketplace recipe chef_nginx. Getting error: STDERR: E: There were unauthenticated packages and -y was used without --allow-unauthenticated

Steps to Reproduce:

Try installing nginx-passenger on Ubuntu 16.04 LTS using chef_nginx. This cookbook tries to install a dependency package: default['nginx']['package_name'] = 'nginx-extras'

But the same fails due to the above-mentioned error.

Expected Result:

Package nginx-extras should get installed on Ubuntu 16.04 (same steps work on Ubuntu 14.04 LTS).

Actual Result:

Getting error: STDERR: E: There were unauthenticated packages and -y was used without --allow-unauthenticated

Suggested Resolution :

Please add an additional parameter in apt cookbook attributes to allow unauthenticated package install.

swapnil-jaiswal commented 7 years ago

Detailed error log


================================================================================
Error executing action `install` on resource 'apt_package[nginx-extras]'
================================================================================

Mixlib::ShellOut::ShellCommandFailed
------------------------------------
Expected process to exit with [0], but received '100'
---- Begin output of apt-get -q -y install nginx-extras=1:1.12.1-8.5.1.8~xenial1 ----
STDOUT: Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
fontconfig-config fonts-dejavu-core libcurl3 libfontconfig1 libgd3 libjbig0
libjpeg-turbo8 libjpeg8 libluajit-5.1-2 libluajit-5.1-common libtiff5
libvpx3 libxpm4 nginx-common passenger passenger-dev passenger-doc ruby-rack
Suggested packages:
libgd-tools fcgiwrap nginx-doc www-browser
The following NEW packages will be installed:
fontconfig-config fonts-dejavu-core libcurl3 libfontconfig1 libgd3 libjbig0
libjpeg-turbo8 libjpeg8 libluajit-5.1-2 libluajit-5.1-common libtiff5
libvpx3 libxpm4 nginx-common nginx-extras passenger passenger-dev
passenger-doc ruby-rack
0 upgraded, 19 newly installed, 0 to remove and 0 not upgraded.
Need to get 10.0 MB of archives.
After this operation, 54.8 MB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
nginx-common passenger passenger-dev passenger-doc nginx-extras
STDERR: E: There were unauthenticated packages and -y was used without --allow-unauthenticated
---- End output of apt-get -q -y install nginx-extras=1:1.12.1-8.5.1.8~xenial1 ----
Ran apt-get -q -y install nginx-extras=1:1.12.1-8.5.1.8~xenial1 returned 100

Resource Declaration:
---------------------
# In /var/chef/runs/57664272-5e11-4065-9e0d-d7c0a87dfe34/local-mode-cache/cache/cookbooks/chef_nginx/recipes/passenger.rb

43:   package node['nginx']['package_name']
44:   package 'passenger'

iennae commented 7 years ago

@swapnil-jaiswal The chef_nginx cookbook is tested for installation of passenger as per https://github.com/chef-cookbooks/chef_nginx/blob/bd3518194495e0a567bb994584f208a9c0a6c6ce/.kitchen.dokken.yml. As you don't include the full logs it's hard to see what is happening.

Are you specifying all the required attributes (this is in kitchen.yml format):

attributes:
  nginx:
    repo_source: 'passenger'
    package_name: 'nginx-extras'
    passenger:
      install_method: 'package'

swapnil-jaiswal commented 7 years ago

Yes, I have specified all attributes as specified in README.MD. Following is the code snippet.

case node['platform_family']
when 'debian'
  default['nginx']['user'] = 'www-data'
  default['nginx']['repo_source'] = 'passenger'
  default['nginx']['package_name'] = 'nginx-extras'
  default['nginx']['passenger']['install_method'] = 'package'
  # Ubuntu 14.04 and later keep the pid file under /run
  if node['platform'] == 'ubuntu' && node['platform_version'].to_f >= 14.04
    default['nginx']['pid'] = '/run/nginx.pid'
  end
end

Version of Chef Nginx cookbook: 5.1.3 (2017-03-24)

Reason for sticking to 5.x releases, as per the release notes: "Support for Runit as an init system has been removed. If you require runit you will need to pin to the 5.X cookbook release."

Since most of our application is running on Amazon Linux we cannot upgrade further. We are using an OpsWorks-based Chef cluster for our application. For the Ruby passenger layer we are exploring Ubuntu 16.04 LTS since we want to stick to package-based nginx installation.

PFA the complete logs:
Working correctly - chef_nginx_ubuntu_14.04.txt
Not working - chef_nginx_ubuntu_16.04.txt

Please suggest any workaround so that we can allow unauthenticated packages to be installed in Ubuntu 16.04.

iennae commented 7 years ago

Thanks for including logs. There is a lot going on here that adds to the confusion. Do you have a mixed environment of amazon linux and ubuntu which is why you are pinning to a version of chef_nginx that has runit?

Separately, I'm not sure where the apt cookbook is coming into use at all. Reading the logs is a bit difficult, but it looks like this is just using the apt_package resource.

The apt_package resource is a core chef resource that includes the options parameter. If you look at the log message here:

[2017-09-06T05:45:16+00:00] WARN: ####### inside Passenger.rb recipe within package install loop #######
[2017-09-06T05:45:16+00:00] WARN: ####### Passenger install loop ended inside Passenger.rb recipe  #######
[2017-09-06T05:45:16+00:00] WARN: An attempt was made to change options from "--allow-unauthenticated" to nil by calling options(nil). In Chef 12, this does a get rather than a set. In Chef 13, this will change to set the value to nil. (CHEF-5)/var/chef/runs/e155b080-b40c-4496-8d74-d1614f1fc939/local-mode-cache/cache/cookbooks/chef_nginx/recipes/package.rb:48:in `block in from_file'.
Please see https://docs.chef.io/deprecations_custom_resource_cleanups.html for further details and information on how to correct this problem. at /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31/lib/chef/event_dispatch/dispatcher.rb:43:in `call'
[2017-09-06T05:45:16+00:00] WARN: Cloning resource attributes for apt_package[nginx-extras] from prior resource
Previous apt_package[nginx-extras]: /var/chef/runs/e155b080-b40c-4496-8d74-d1614f1fc939/local-mode-cache/cache/cookbooks/chef_nginx/recipes/passenger.rb:46:in `from_file'
Current  apt_package[nginx-extras]: /var/chef/runs/e155b080-b40c-4496-8d74-d1614f1fc939/local-mode-cache/cache/cookbooks/chef_nginx/recipes/package.rb:47:in `from_file' (CHEF-3694)/var/chef/runs/e155b080-b40c-4496-8d74-d1614f1fc939/local-mode-cache/cache/cookbooks/chef_nginx/recipes/package.rb:47:in `from_file'.
Please see https://docs.chef.io/deprecations_resource_cloning.html for further details and information on how to correct this problem. at /opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31/lib/chef/event_dispatch/dispatcher.rb:43:in `call'
[2017-09-06T05:45:16+00:00] WARN: Cloning resource attributes for service[nginx] from prior resource
Previous service[nginx]: /var/chef/runs/e155b080-b40c-4496-8d74-d1614f1fc939/local-mode-cache/cache/cookbooks/timezone/recipes/default.rb:8:in `from_file'
Current  service[nginx]: /var/chef/runs/e155b080-b40c-4496-8d74-d1614f1fc939/local-mode-cache/cache/cookbooks/chef_nginx/recipes/package.rb:52:in `from_file' (CHEF-3694)/var/chef/runs/e155b080-b40c-4496-8d74-d1614f1fc939/local-mode-cache/cache/cookbooks/chef_nginx/recipes/package.rb:52:in `from_file'.

This seems to be pointing to where the issue is: the resource is getting the options of --allow-unauthenticated and no options at the same time.

The https://github.com/chef-cookbooks/chef_nginx/blob/master/recipes/repo_passenger.rb recipe is the one that sets up the keys for the repo that is installing passenger, so it shouldn't be unauthenticated at all. It looks like it's doing this based on your logs. On the Ubuntu 16.04 test that I did on the current cookbook I successfully was able to run this which tells me that there isn't an underlying current issue with the repo and installing packages.

One potential fix might be for you to fork the chef_nginx cookbook at 5.1.3 and modify the recipe https://github.com/chef-cookbooks/chef_nginx/blob/31cb486a7b9d520639177b331fa167d698ef32f8/recipes/passenger.rb with the option passed to the package specification for allowing unauthenticated packages. Underneath package, apt_package will be called and the options parameter will be passed to it. Or modify the recipe for the repo_passenger to set the trusted property for the apt_repository resource as documented here: https://docs.chef.io/resource_apt_repository.html.

Finally, I did checkout 5.1.3 and also successfully had the passenger recipe run on Ubuntu 16.04. I'm not seeing the cloning error that you have in your logs so I'm not sure what's happening there.

Jennifers-MBP:chef_nginx sigje$ kitchen converge passenger-ubuntu-1604
-----> Starting Kitchen (v1.16.0)
-----> Converging ...
       Preparing files for transfer
       Preparing dna.json
       Resolving cookbook dependencies with Berkshelf 6.2.0...
       Removing non-cookbook files before transfer
       Preparing validation.pem
       Preparing client.rb
-----> Chef Omnibus installation detected (install only if missing)
       Transferring files to
       Starting Chef Client, version 13.3.42
       resolving cookbooks for run list: ["test::passenger_packages"]
       Synchronizing Cookbooks:
         - build-essential (8.0.3)
         - yum-epel (2.1.2)
         - zypper (0.4.0)
         - mingw (2.0.1)
         - test (1.0.0)
         - runit (3.0.5)
         - compat_resource (12.19.0)
         - windows (3.1.2)
         - packagecloud (0.3.0)
         - chef_nginx (5.1.3)
         - ohai (5.2.0)
         - seven_zip (2.0.2)
       Installing Cookbook Gems:
       Compiling Cookbooks...
       /tmp/kitchen/cache/cookbooks/packagecloud/resources/repo.rb:10: warning: constant ::Fixnum is deprecated
       Recipe: chef_nginx::ohai_plugin
         * ohai_plugin[nginx] action create[2017-09-07T00:57:59+00:00] WARN: The Ohai plugin_path does not include /tmp/kitchen/ohai/plugins. Ohai will reload on each chef-client run in order to add this directory to the path unless you modify your client.rb configuration to add this directory to plugin_path. The plugin_path can be set via the chef-client::config recipe. See 'Ohai Settings' at https://docs.chef.io/config_rb_client.html#ohai-settings for more details.
       [2017-09-07T00:57:59+00:00] WARN: The Ohai plugin_path does not include /tmp/kitchen/ohai/plugins. Ohai will reload on each chef-client run in order to add this directory to the path unless you modify your client.rb configuration to add this directory to plugin_path. The plugin_path can be set via the chef-client::config recipe. See 'Ohai Settings' at https://docs.chef.io/config_rb_client.html#ohai-settings for more details.
       [2017-09-07T00:57:59+00:00] WARN: Adding /tmp/kitchen/ohai/plugins to the Ohai plugin path for this chef-client run only
       [2017-09-07T00:57:59+00:00] WARN: Adding /tmp/kitchen/ohai/plugins to the Ohai plugin path for this chef-client run only
           * directory[/tmp/kitchen/ohai/plugins] action create (skipped due to not_if)
           * template[/tmp/kitchen/ohai/plugins/nginx.rb] action create (up to date)
           * ohai[nginx] action reload
             - re-run ohai and merge results into node attributes

       Converging 28 resources
       Recipe: test::passenger_packages
         * apt_package[apt-transport-https] action install (up to date)
       Recipe: test::_base
         * apt_update[update] action periodic (up to date)
         * apt_package[curl] action install (up to date)
       Recipe: chef_nginx::ohai_plugin
         * ohai[reload_nginx] action nothing (skipped due to action :nothing)
         * ohai_plugin[nginx] action create
           * directory[/tmp/kitchen/ohai/plugins] action create (skipped due to not_if)
           * template[/tmp/kitchen/ohai/plugins/nginx.rb] action create (up to date)
           * ohai[nginx] action nothing (skipped due to action :nothing)
            (up to date)
       Recipe: chef_nginx::repo_passenger
         * apt_package[ca-certificates] action install (up to date)
         * apt_repository[phusionpassenger] action add
           * execute[install-key 561F9B9CAC40B2F7] action run (skipped due to not_if)
           * execute[apt-cache gencaches] action nothing (skipped due to action :nothing)
           * apt_update[phusionpassenger] action nothing (skipped due to action :nothing)
           * file[/etc/apt/sources.list.d/phusionpassenger.list] action create (up to date)
            (up to date)
       Recipe: chef_nginx::passenger
         * apt_package[ruby-dev] action install (up to date)
         * apt_package[libcurl4-gnutls-dev] action install (up to date)
         * gem_package[rake] action install (up to date)
         * apt_package[nginx-extras] action install (up to date)
         * apt_package[passenger] action install (up to date)
         * template[/etc/nginx/conf.d/passenger.conf] action create (up to date)
       Recipe: chef_nginx::package
         * apt_package[nginx-extras] action install (up to date)
         * service[nginx] action start (up to date)
         * service[nginx] action enable (up to date)
       Recipe: chef_nginx::commons_dir
         * directory[/etc/nginx] action create (up to date)
         * directory[/var/log/nginx] action create (up to date)
         * directory[pid file directory] action create (up to date)
         * directory[/etc/nginx/sites-available] action create (up to date)
         * directory[/etc/nginx/sites-enabled] action create (up to date)
         * directory[/etc/nginx/conf.d] action create (up to date)
       Recipe: chef_nginx::commons_script
         * template[/usr/sbin/nxensite] action create (up to date)
         * template[/usr/sbin/nxdissite] action create (up to date)
       Recipe: chef_nginx::commons_conf
         * template[nginx.conf] action create (up to date)
         * template[/etc/nginx/sites-available/default] action create (up to date)
         * chef_nginx_site[default] action enable
           * execute[nxensite default] action run
             - execute /usr/sbin/nxensite default
       Recipe: test::passenger_packages
         * chef_nginx_site[default] action enable[2017-09-07T00:58:02+00:00] WARN: The "enable" property in nginx_site is deprecated. Use "action :disable" instead.
       [2017-09-07T00:58:02+00:00] WARN: The "enable" property in nginx_site is deprecated. Use "action :disable" instead.
           * execute[nxdissite default] action run
             - execute /usr/sbin/nxdissite default
         * chef_nginx_site[test_site] action enable
           * template[/etc/nginx/sites-available/test_site] action create (up to date)
           * execute[nxensite test_site] action run (skipped due to not_if)
            (up to date)
       Recipe: chef_nginx::package
         * service[nginx] action reload
           - reload service service[nginx]

       Running handlers:
       Running handlers complete
       Chef Client finished, 7/45 resources updated in 05 seconds
       Finished converging (0m8.46s).

I'm going to go ahead and close this issue. If the suggestions I've provided aren't helpful, please take followup to the chef_nginx cookbook.

Edited to add: I'm not sure why you are getting the unauthenticated error for the repo. That signals some kind of problem but again it's hard to tell what.
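
The two workarounds discussed in this thread (passing `--allow-unauthenticated` through the package resource's options, or setting `trusted` on `apt_repository`) both make apt skip signature verification for the affected packages, so it helps to be able to find them later in cookbooks and on nodes. The Ruby sketch below is an added example, not code from the apt or chef_nginx cookbooks; the file paths, repository URL, key placeholder and sample contents are constructed, and the rule labels are names chosen here.

```ruby
# Added example: find settings that bypass apt signature verification.
# Rule labels are names chosen for this sketch.
BYPASS_PATTERNS = {
  'apt-get --allow-unauthenticated' => /--allow-unauthenticated\b/,
  'apt_repository trusted true'     => /^\s*trusted\s+true\b/,
  'sources.list [trusted=yes]'      => /^\s*deb(-src)?\s+\[[^\]]*\btrusted=yes\b[^\]]*\]/,
  'APT::Get::AllowUnauthenticated'  => /APT::Get::AllowUnauthenticated\s+"?(true|1|yes)\b/i
}.freeze

Finding = Struct.new(:file, :line_no, :rule, :text)

# files: Hash of path => file contents. Returns an Array of Finding.
def audit_apt_bypasses(files)
  files.flat_map do |path, body|
    body.each_line.with_index(1).flat_map do |line, no|
      next [] if line.strip.start_with?('#', '//') # ignore commented-out lines
      BYPASS_PATTERNS.select { |_, re| line =~ re }
                     .map { |rule, _| Finding.new(path, no, rule, line.strip) }
    end
  end
end

# Constructed sample inputs: two recipe files and two on-node apt files.
SAMPLE_FILES = {
  'cookbooks/example/recipes/passenger.rb' => <<~RB,
    package node['nginx']['package_name'] do
      options '--allow-unauthenticated'
    end
  RB
  'cookbooks/example/recipes/repo.rb' => <<~RB,
    apt_repository 'example' do
      uri 'https://repo.example.invalid/apt'
      # trusted true
      key 'PLACEHOLDER_KEY_ID'
    end
  RB
  '/etc/apt/sources.list.d/example.list' => <<~LIST,
    deb [arch=amd64 trusted=yes] https://repo.example.invalid/apt xenial main
  LIST
  '/etc/apt/apt.conf.d/99example' => <<~CONF
    APT::Get::AllowUnauthenticated "true";
  CONF
}.freeze

if __FILE__ == $PROGRAM_NAME
  audit_apt_bypasses(SAMPLE_FILES).each do |f|
    puts "#{f.file}:#{f.line_no}: #{f.rule}: #{f.text}"
  end
end
```

The repo.rb sample, which installs a key and only has `trusted true` commented out, produces no finding; the other three files each produce one.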