profile upload fails to compliance server #1298

Closed
poshpaws opened this issue Nov 16, 2016 · 11 comments
Labels
Type: Bug Feature not working as expected


@poshpaws

Description

Simple inheritance test profile (attached)
Attempting to upload it yields a 500 error: Error: Response from server was: exit status 1 [status code 500]

inspec cli upload gives slightly more verbose output, but fails:

I, [2016-11-16T10:53:25.952791 #14377] INFO -- : Checking profile in IGM_CIS-RHEL6-L1
I, [2016-11-16T10:53:25.953354 #14377] INFO -- : Metadata OK.
I, [2016-11-16T10:53:28.170759 #14377] INFO -- : Found 167 controls.
W, [2016-11-16T10:53:28.171031 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_1.1.11_Add_nodev_Option_to_Removable_Media_Partitions has no tests defined
W, [2016-11-16T10:53:28.171343 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_1.1.12_Add_noexec_Option_to_Removable_Media_Partitions has no tests defined
W, [2016-11-16T10:53:28.171412 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_1.1.13_Add_nosuid_Option_to_Removable_Media_Partitions has no tests defined
W, [2016-11-16T10:53:28.171465 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_1.2.1_Configure_Connection_to_the_RHN_RPM_Repositories has no tests defined
W, [2016-11-16T10:53:28.171511 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_1.2.5_Obtain_Software_Package_Updates_with_yum has no tests defined
W, [2016-11-16T10:53:28.171563 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_1.2.6_Verify_Package_Integrity_Using_RPM has no tests defined
W, [2016-11-16T10:53:28.171639 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_1.7_Use_the_Latest_OS_Release has no tests defined
W, [2016-11-16T10:53:28.171788 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_4.3.1_Deactivate_Wireless_Interfaces has no tests defined
W, [2016-11-16T10:53:28.171830 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_4.4.1.1_Disable_IPv6_Router_Advertisements has no tests defined
W, [2016-11-16T10:53:28.171867 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_4.4.1.2_Disable_IPv6_Redirect_Acceptance has no tests defined
W, [2016-11-16T10:53:28.171911 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_4.4.2_Disable_IPv6 has no tests defined
W, [2016-11-16T10:53:28.171969 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_4.5.1_Install_TCP_Wrappers has no tests defined
W, [2016-11-16T10:53:28.172006 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_4.5.2_Create_etchosts.allow has no tests defined
W, [2016-11-16T10:53:28.172233 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_4.5.4_Create_etchosts.deny has no tests defined
W, [2016-11-16T10:53:28.172333 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_4.6.1_Disable_DCCP has no tests defined
W, [2016-11-16T10:53:28.172378 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_4.6.2_Disable_SCTP has no tests defined
W, [2016-11-16T10:53:28.172438 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_4.6.3_Disable_RDS has no tests defined
W, [2016-11-16T10:53:28.172483 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_4.6.4_Disable_TIPC has no tests defined
W, [2016-11-16T10:53:28.172541 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_4.8_Enable_IP6tables has no tests defined
W, [2016-11-16T10:53:28.172592 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_5.1.3_Configure_etcrsyslog.conf has no tests defined
W, [2016-11-16T10:53:28.172634 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_5.1.6_Accept_Remote_rsyslog_Messages_Only_on_Designated_Log_Hosts has no tests defined
W, [2016-11-16T10:53:28.172672 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_5.3_Configure_logrotate has no tests defined
W, [2016-11-16T10:53:28.172782 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_6.3.3_Set_Lockout_for_Failed_Password_Attempts has no tests defined
W, [2016-11-16T10:53:28.172841 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_6.4_Restrict_root_Login_to_System_Console has no tests defined
W, [2016-11-16T10:53:28.172920 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_8.3_Set_GNOME_Warning_Banner has no tests defined
W, [2016-11-16T10:53:28.172978 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_9.1.10_Find_World_Writable_Files has no tests defined
W, [2016-11-16T10:53:28.173021 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_9.1.13_Find_SUID_System_Executables has no tests defined
W, [2016-11-16T10:53:28.173058 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_9.1.14_Find_SGID_System_Executables has no tests defined
W, [2016-11-16T10:53:28.173270 #14377] WARN -- : Control xccdf_org.cisecurity.benchmarks_rule_9.2.13_Check_User_Home_Directory_Ownership has no tests defined
Profile is valid
Generate temporary profile archive at /tmp/IGM_CIS-RHEL6-L120161116-14377-ghs499.tar.gz
I, [2016-11-16T10:53:28.195366 #14377] INFO -- : Generate archive /tmp/IGM_CIS-RHEL6-L120161116-14377-ghs499.tar.gz.
I, [2016-11-16T10:53:28.200844 #14377] INFO -- : Finished archive generation.
Start upload to adm_reidga2/IGM_CIS-RHEL6-L1
Uploading to Chef Compliance
Error during profile upload:
"Failed to POST /owners/adm_reidga2/compliance/IGM_CIS-RHEL6-L1/tar."

InSpec and Platform Version

version 1.4.1 os RHEL6 & OS X 10.11.6
compliance server Version: 1.6.8

Replication Case

attempt to import profile

IGM_CIS-RHEL6-L1.zip

@donwlewis

I seem to be having the same issue. Here is the error message I am getting on the compliance server:

2016-11-18_20:06:21.84869 20:06:21.848 ERR => DB error: sql: no rows in result set
2016-11-18_20:06:21.85024 20:06:21.850 DEB => ID of user svc_p_inf_chefcomp changed: 33156054-5183-4ee5-6c35-d89bac7d33ad -> ff9d0c98-be0b-4129-97e9-46d31a18ec27 (resetting)
2016-11-18_20:06:21.85031 20:06:21.850 DEB => Authenticated user: &{PasswordHash: Login:svc_p_inf_chefcomp Name:Chef Compliance Administrator IsOrg:false Source:{String: Valid:false} UUID:{ID:33156054-5183-4ee5-6c35-d89bac7d33ad}}
2016-11-18_20:06:21.85280 20:06:21.852 ERR => DB error: sql: no rows in result set
2016-11-18_20:06:21.85447 20:06:21.854 DEB => Extracting incoming tar to /var/opt/chef-compliance/core/runtime/compliance-profiles/upload_487262932
2016-11-18_20:06:21.85581 20:06:21.855 DEB => Extracted upload to /var/opt/chef-compliance/core/runtime/compliance-profiles/upload_487262932
2016-11-18_20:06:21.85600 20:06:21.855 DEB => Found compliance root folder in /var/opt/chef-compliance/core/runtime/compliance-profiles/upload_487262932
2016-11-18_20:06:21.85603 20:06:21.855 DEB => Run: cd /var/opt/chef-compliance/core/runtime/compliance-profiles/upload_487262932 && inspec [check . --format json --profiles-path /var/opt/chef-compliance/core/runtime/compliance-profiles]
2016-11-18_20:06:24.16811 WARN: Unresolved specs during Gem::Specification.reset:
2016-11-18_20:06:24.16815       net-ssh (< 4.0, >= 2.6.5, >= 2.9)
2016-11-18_20:06:24.16816       ffi (>= 1.0.1)
2016-11-18_20:06:24.16816       multi_json (~> 1.10)
2016-11-18_20:06:24.16816       rspec (~> 3)
2016-11-18_20:06:24.16816 WARN: Clearing out unresolved specs.
2016-11-18_20:06:24.16816 Please report a bug if this causes problems.
2016-11-18_20:06:24.48767
2016-11-18_20:06:24.48770 Cannot fetch compliance://cis/cis-rhel7-level2 because your compliance token has not been
2016-11-18_20:06:24.48770 configured.
2016-11-18_20:06:24.48770
2016-11-18_20:06:24.48770 Please login using
2016-11-18_20:06:24.48771
2016-11-18_20:06:24.48771     inspec compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE'
2016-11-18_20:06:24.50818 20:06:24.508 ERR => Failed to POST /owners/svc_p_inf_chefcomp/compliance/security/tar.exit status 1

@donwlewis

Seems like you are including existing controls as well. Mine is a simple include_controls only:

include_controls 'cis-rhel7-level2' do
  skip_control 'xccdf_org.cisecurity.benchmarks_rule_1.1.1_Create_Separate_Partition_for_tmp'
end

@poshpaws
Author

@donwlewis I tried both simple skips and then tried the overloaded control, as all the examples show the overloaded version. I figured it was worth a try.

To be honest it looks like you're not running an inspec compliance login first, or if you are, then maybe this is another issue ;)

@donwlewis

Yes I am running the inspec compliance login before, and I get the same
error. But that log message is what I get from the compliance server logs
when I am trying to upload via the web UI.

On Sat, Nov 19, 2016, 12:03 AM poshpaws notifications@github.com wrote:

@donwlewis I tried both simple skips and then tried the overloaded control, as all the examples show the overloaded version. I figured it was worth a try.

To be honest it looks like you're not running an inspec compliance login first, or if you are, then maybe this is another issue ;)

@chris-rock chris-rock added the Type: Bug Feature not working as expected label Nov 21, 2016
@username-is-already-taken2
Contributor

Hi there

I'm running inspec 1.8.0 on Windows and I'm having an issue with the inspec compliance upload command. It may be a separate issue but I think it's relevant to this thread. I get the POST error as above, but I thought I would attempt to upload the temp profile generated by the command using a web browser, and it fails. In the compliance log I get:

2016-12-22_10:16:39.66759 /opt/chef-compliance/embedded/lib/ruby/2.2.0/psych.rb:370:in `parse': (<unknown>): control characters are not allowed at line 1 column 1 (Psych::SyntaxError)

I can share the profile and the archive if that helps. If I just zip the profile using 7zip and upload, it's fine.

If you want me to raise a separate issue, I will.

Best Regards

Gary

@chris-rock
Contributor

You need the latest version of the Chef Compliance Server, 1.7.7. If the issue continues with that version, please let us know.

@smith

smith commented Jan 5, 2017

@chris-rock I'm getting this running latest master.

@smith

smith commented Jan 5, 2017

When profiles are uploaded the compliance server shells out to inspec check to validate the profile: https://github.com/chef/chef-compliance/blob/52cd86fd34e61677f891a677c4fb23b80c70d6a6/core/compliance/inspec.go#L312-L343

If the profile has no dependencies, this works fine, but if there are dependencies it needs to be authenticated to download them from the compliance server. If I'm not logged in and try to check the profile on my local machine:

nathansmith@opstop ~/D/IGM_CIS-RHEL6-L1> inspec check .

Cannot fetch compliance://cis/cis-rhel6-level1 because your compliance token has not been
configured.

Please login using

    inspec compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE'
nathansmith@opstop ~/D/IGM_CIS-RHEL6-L1> echo $status
1

The server is doing the same thing, since it just shells out without first authenticating.

@smith

smith commented Jan 6, 2017

@donwlewis If you upload using the latest version of inspec (1.8.0 right now), it should vendor all of the dependencies before upload and you won't have this problem on the server, since the vendored dependencies will be present in the tarball that gets uploaded. See http://lollyrock.com/articles/chef-compliance-meta-profiles/ for a good explanation of how that stuff all works.

@username-is-already-taken2 Which version of the compliance server are you running? If it's the latest stable (1.7.7) please open a separate issue and we'll take a look.

Going to close this now but please reopen if this remains a problem.
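
Added example, not part of the thread and not InSpec or Chef Compliance code: a pre-upload check that opens a profile archive and lists the dependency sources the server-side `inspec check` would still have to fetch. It assumes a vendored archive carries an `inspec.lock` and a `vendor/` directory beside `inspec.yml`, as `inspec vendor` produces; the function names and the sample profile are constructed.

```ruby
require 'rubygems/package'
require 'stringio'
require 'yaml'
require 'zlib'

REMOTE_KEYS = %w[compliance supermarket git url].freeze

# Pack { path => content } into a .tar.gz string (builds the constructed samples).
def build_tgz(files)
  tar = StringIO.new(String.new)
  Gem::Package::TarWriter.new(tar) do |w|
    files.each { |path, body| w.add_file_simple(path, 0o644, body.bytesize) { |io| io.write(body) } }
  end
  gz = Zlib::GzipWriter.new(StringIO.new(String.new))
  gz.write(tar.string)
  gz.finish.string
end

# Return the dependency sources the server's `inspec check` would have to fetch
# itself; an empty list means the archive is self-contained (assumed layout).
def unvendored_dependencies(tgz)
  files = {}
  tar_io = StringIO.new(Zlib::GzipReader.new(StringIO.new(tgz)).read)
  Gem::Package::TarReader.new(tar_io) do |tar|
    tar.each { |e| files[e.full_name.sub(%r{\A\./}, '')] = e.read.to_s if e.file? }
  end
  meta_path = files.keys.select { |p| File.basename(p) == 'inspec.yml' }.min_by(&:length)
  raise ArgumentError, 'no inspec.yml in archive' unless meta_path
  root = File.dirname(meta_path) == '.' ? '' : "#{File.dirname(meta_path)}/"
  depends = (YAML.safe_load(files[meta_path]) || {}).fetch('depends', []) || []
  remote = depends.flat_map do |d|
    REMOTE_KEYS.select { |k| d.key?(k) }.map { |k| k == 'compliance' ? "compliance://#{d[k]}" : "#{k}:#{d[k]}" }
  end
  vendored = files.key?("#{root}inspec.lock") && files.keys.any? { |p| p.start_with?("#{root}vendor/") }
  vendored ? [] : remote
end

# Constructed inspec.yml, modelled on the inheritance profiles in this thread.
WRAPPER_YML = <<~YML
  name: test-inheritance
  version: 0.1.0
  depends:
    - name: windows
      compliance: base/windows
YML
BARE = build_tgz('inspec.yml' => WRAPPER_YML, 'controls/wrap.rb' => "include_controls 'windows'\n")
VENDORED = build_tgz('inspec.yml' => WRAPPER_YML, 'inspec.lock' => "lockfile_version: 1\n",
                     'vendor/placeholder.tar.gz' => 'constructed')
puts unvendored_dependencies(BARE).inspect
puts unvendored_dependencies(VENDORED).inspect
```

A non-empty result for an archive means the server, which shells out to `inspec check` without a compliance token, would hit the "Cannot fetch compliance://…" error shown in the logs above.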

@smith smith closed this as completed Jan 6, 2017
@madhu2421

@smith Is this issue resolved or being followed up on in another ticket? I am using compliance 1.9.2 and inspec version 1.20.0. I am facing the same issue as described here: unable to upload a profile which has dependencies. The upload fails with the error "Failed to POST /owners//compliance/test-inheritance/tar."
I am just testing a simple inheritance in my profile and adding a dependency on the windows chef compliance profile.

@madhu2421

In the logs I see the error given below:

Cannot fetch compliance://base/windows because your compliance token has not been
2017-04-17_21:56:24.33786 configured.
2017-04-17_21:56:24.33787
2017-04-17_21:56:24.33788 Please login using
2017-04-17_21:56:24.33789
2017-04-17_21:56:24.33789 inspec compliance login https://your_compliance_server --user --insecure --token 'PASTE TOKEN HERE'
2017-04-17_21:56:24.35928 21:56:24.359 ERR => Failed to POST /owners//compliance/test-inheritance/tar.exit status 1
2017-04-17_21:56:24.35938 [GIN] 2017/04/17 - 21:56:24 | 500 | 2.301274947s | 10.74.112.127 | POST /owners/admin/compliance/test-inheritance/tar

I did log in and generate the api_token for the user we are trying to upload the profile with. I can confirm this as I was able to upload other profiles without dependencies.
