sous-chefs / nginx

Development repository for the nginx cookbook
https://supermarket.chef.io/cookbooks/nginx
Apache License 2.0

geoip module: "Checksum on resource (79ff10) does not match checksum on content (fb6583)" #354

Closed ponyfleisch closed 6 years ago

ponyfleisch commented 9 years ago

I'm using chef 12.2 and the nginx cookbook version 2.7.6. This is the error I'm getting:

xx.xx.xx.xxx Recipe: nginx::http_geoip_module
xx.xx.xx.xxx   * remote_file[/var/chef/cache/GeoIP-1.6.3.tar.gz] action create (up to date)
xx.xx.xx.xxx   * bash[extract_geolib] action run (up to date)
xx.xx.xx.xxx   * directory[/srv/geoip] action create (up to date)
xx.xx.xx.xxx   * remote_file[/var/chef/cache/GeoIP.dat.gz] action create
xx.xx.xx.xxx     
xx.xx.xx.xxx     ================================================================================
xx.xx.xx.xxx     Error executing action `create` on resource 'remote_file[/var/chef/cache/GeoIP.dat.gz]'
xx.xx.xx.xxx     ================================================================================
xx.xx.xx.xxx     
xx.xx.xx.xxx     Chef::Exceptions::ChecksumMismatch
xx.xx.xx.xxx     ----------------------------------
xx.xx.xx.xxx     Checksum on resource (79ff10) does not match checksum on content (fb6583)
xx.xx.xx.xxx     
xx.xx.xx.xxx     Resource Declaration:
xx.xx.xx.xxx     ---------------------
xx.xx.xx.xxx     # In /var/chef/cache/cookbooks/nginx/recipes/http_geoip_module.rb
xx.xx.xx.xxx     
xx.xx.xx.xxx      59: remote_file country_src_filepath do
xx.xx.xx.xxx      60:   not_if do
xx.xx.xx.xxx      61:     File.exist?(country_src_filepath) &&
xx.xx.xx.xxx      62:       File.mtime(country_src_filepath) > Time.now - 86_400
xx.xx.xx.xxx      63:   end
xx.xx.xx.xxx      64:   source   node['nginx']['geoip']['country_dat_url']
xx.xx.xx.xxx      65:   checksum node['nginx']['geoip']['country_dat_checksum']
xx.xx.xx.xxx      66:   owner    'root'
xx.xx.xx.xxx      67:   group    node['root_group']
xx.xx.xx.xxx      68:   mode     '0644'
xx.xx.xx.xxx      69: end
xx.xx.xx.xxx      70: 
xx.xx.xx.xxx     
xx.xx.xx.xxx     Compiled Resource:
xx.xx.xx.xxx     ------------------
xx.xx.xx.xxx     # Declared in /var/chef/cache/cookbooks/nginx/recipes/http_geoip_module.rb:59:in `from_file'
xx.xx.xx.xxx     
xx.xx.xx.xxx     remote_file("/var/chef/cache/GeoIP.dat.gz") do
xx.xx.xx.xxx       provider Chef::Provider::RemoteFile
xx.xx.xx.xxx       action "create"
xx.xx.xx.xxx       retries 0
xx.xx.xx.xxx       retry_delay 2
xx.xx.xx.xxx       default_guard_interpreter :default
xx.xx.xx.xxx       path "/var/chef/cache/GeoIP.dat.gz"
xx.xx.xx.xxx       backup 5
xx.xx.xx.xxx       atomic_update true
xx.xx.xx.xxx       source ["http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"]
xx.xx.xx.xxx       use_etag true
xx.xx.xx.xxx       use_last_modified true
xx.xx.xx.xxx       declared_type :remote_file
xx.xx.xx.xxx       cookbook_name "nginx"
xx.xx.xx.xxx       recipe_name "http_geoip_module"
xx.xx.xx.xxx       checksum "79ff1099e96c2dc1c2539c9a18aaa13a9afd085cae477df60d95f1644d42bc07"
xx.xx.xx.xxx       owner "root"
xx.xx.xx.xxx       group "root"
xx.xx.xx.xxx       mode "0644"
xx.xx.xx.xxx       not_if { #code block }
xx.xx.xx.xxx     end
xx.xx.xx.xxx     
xx.xx.xx.xxx 
xx.xx.xx.xxx Running handlers:
xx.xx.xx.xxx [2015-05-07T08:46:25+00:00] ERROR: Running exception handlers
xx.xx.xx.xxx Running handlers complete
xx.xx.xx.xxx [2015-05-07T08:46:25+00:00] ERROR: Exception handlers complete
xx.xx.xx.xxx [2015-05-07T08:46:25+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
xx.xx.xx.xxx Chef Client failed. 1 resources updated in 10.518462718 seconds
xx.xx.xx.xxx [2015-05-07T08:46:26+00:00] ERROR: remote_file[/var/chef/cache/GeoIP.dat.gz] (nginx::http_geoip_module line 59) had an error: Chef::Exceptions::ChecksumMismatch: Checksum on resource (79ff10) does not match checksum on content (fb6583)
xx.xx.xx.xxx [2015-05-07T08:46:26+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

rmoriz commented 9 years ago

Looks like the geoip-files at maxmind.com have changed. I suggest you manually download them, get the updated checksums and overwrite the attribute(s).

See:

https://github.com/miketheman/nginx/blob/master/attributes/geoip.rb#L24-L31

Maxmind doesn't offer "versioned" files, but it looks like they are offering to download the files using https - so we may get rid of the checksums.

mansona commented 8 years ago

I think we should now swap over to doing https for the downloads and remove the need for checksums; this issue causes our deployment to randomly break whenever they update the files.

Having something like this hanging around in our chef deployment feels like it breaks some of the main concepts of using chef for deployment. So much so that even if they didn't support https urls I would vote for removing the checksum check on these files completely and make it optional for people who want that extra security.

allaire commented 8 years ago

:+1: would you accept a PR that removes checksum checks @miketheman ?

miketheman commented 8 years ago

I am reluctant to spend any further time on the 2.7.x branch. https://github.com/miketheman/nginx/tree/2.7.x#read-this-first

To that end, the nginx cookbook will no longer be responsible for downloading & compiling a binary on every production server. That procedure should happen outside of a given Chef run.

allaire commented 8 years ago

@miketheman Thanks for the prompt reply and happy holidays!

So if nginx cookbook is not responsible for installing nginx, who is? I use Chef to make sure all of my machines have all dependencies/software I need before deployment, I don't see why I should install nginx outside chef?

Thanks!

miketheman commented 8 years ago

@allaire Happy holidays to you as well!

I think there's a distinction between "installing" and "downloading [from source, injecting modules] & compiling" - and that's the point I want to make clear.

The nginx cookbook had become a complex compiler - resulting in pull requests like these - where modules need to be compiled into the binary, and then supporting files need to be placed somewhere, and configs updated, etc.

Building & packaging a desired nginx binary should be outside the scope of installing & configuring nginx on a production-level system - that is something that one might use a project like fpm-cookery.

For example, here's a custom build of nginx (with installation instructions via Chef!): https://packagecloud.io/darron/nginx/install#chef built from this definition: https://github.com/darron/nginx-build/blob/master/fpm-recipes/nginx/recipe.rb

So the software is "built once, deploy many".

Supporting files like GeoIP.dat are remote_file resources, and since the hashes change frequently, these are better supported on the end-user's side - where you can control what versions you want, how often to update, instead of waiting for an upstream maintainer to do so.

Does that make sense?

allaire commented 8 years ago

Yes makes sense, I understand the decision, nginx cookbook is by far the most complex one in my chef's stack. Will have to dig deeper in fpm and base images.

Thanks again!

tas50 commented 8 years ago

The GeoIP file checksums have been updated with #422, but they will soon become out of date again as those files are constantly updated and not versioned. You should really pull a known working file to a host somewhere in your environment and set the URL and checksum attributes.
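The following is an added example, not part of the thread or the cookbook: a Ruby sketch of the mirror-and-pin approach described above, which computes the SHA-256 that `remote_file` checks and builds overrides for the `country_dat_url` and `country_dat_checksum` attributes shown in the log. The mirror URL and the sample file contents are constructed placeholders.

```ruby
require 'digest'
require 'tmpdir'

# remote_file's `checksum` property is a SHA-256 hex digest of the file content.
def sha256_of(path)
  Digest::SHA256.file(path).hexdigest
end

# Chef's error message abbreviates each digest to its first six hex characters.
def short(checksum)
  checksum[0, 6]
end

# Returns nil when the file matches the pin, otherwise a message in the same
# shape as the Chef::Exceptions::ChecksumMismatch text quoted in this issue.
def verify_pin(path, pinned)
  actual = sha256_of(path)
  return nil if actual == pinned.downcase

  "Checksum on resource (#{short(pinned)}) does not match " \
    "checksum on content (#{short(actual)})"
end

# Attribute overrides (wrapper cookbook, role or environment) that point the
# recipe at your own mirror and pin the exact bytes hosted there.
def pinned_attributes(path, mirror_url)
  { 'nginx' => { 'geoip' => {
    'country_dat_url' => mirror_url,
    'country_dat_checksum' => sha256_of(path)
  } } }
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    # Constructed stand-in for the file you copied to your mirror.
    path = File.join(dir, 'GeoIP.dat.gz')
    File.binwrite(path, 'constructed sample bytes, not a real GeoIP database')
    # Hypothetical internal mirror URL.
    attrs = pinned_attributes(path, 'https://mirror.example.internal/geoip/GeoIP.dat.gz')
    puts attrs.inspect
    # The cookbook's old pin (from the log above) no longer matches new content.
    stale = '79ff1099e96c2dc1c2539c9a18aaa13a9afd085cae477df60d95f1644d42bc07'
    puts verify_pin(path, stale)
    puts verify_pin(path, attrs['nginx']['geoip']['country_dat_checksum']).inspect
  end
end
```

Because the pin is taken from the file on your own mirror, the checksum changes only when you deliberately replace that file, not when the upstream download is refreshed.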

tas50 commented 8 years ago

This particular issue has been pulled into the chef_nginx cookbook 2.8.0 release. The chef_nginx cookbook is a fork of this cookbook with many of the outstanding issues in the 2.7.6 release resolved. The release is backwards compatible with this cookbook outside of the name change, which obviously requires updating runlist and metadata dependencies. I'd highly suggest giving it a try to see if this resolves your nginx cookbook woes.

https://github.com/chef-cookbooks/chef_nginx https://supermarket.chef.io/cookbooks/chef_nginx#changelog

tas50 commented 6 years ago

Thanks for opening this issue. Just today we merged the changes from the chef_nginx fork of this cookbook back to master here. It’s a pretty huge change set and includes over a year of active development that resulted in several major releases. I think there’s a very high chance that this issue has been resolved with that work and at this point I’m going to close this issue out. I’d encourage you to check out the master branch and please open this issue back up if you’re still having the problem there.

Here’s the changes that were just merged in: https://github.com/chef-cookbooks/nginx/pull/435

lock[bot] commented 4 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.