Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

InSpec tries to re-fetch profiles even if lockfile exists #1316

Closed
chris-rock opened this issue Nov 23, 2016 · 5 comments
Closed

InSpec tries to re-fetch profiles even if lockfile exists #1316

chris-rock opened this issue Nov 23, 2016 · 5 comments
Labels
Type: Bug Feature not working as expected
Milestone
meta-profile support

Comments

@chris-rock
Copy link
Contributor

InSpec creates a inspec.lock to ensure we execute the right profiles. If dependencies are vendored, we should not try to refetch profiles since they are available locally.

This is required to ship #1283
@alexpop alexpop self-assigned this Nov 23, 2016
@alexpop
Copy link
Contributor

alexpop commented Nov 24, 2016
edited
Loading

Can be reproduced with this profile: acme-inspec-profile.tar.gz

When inspec check is targeting the unpacked profile.

@alexpop
Copy link
Contributor

alexpop commented Nov 24, 2016

inspec check failure:

$ rm -rf ~/.inspec/cache/
[11:11:14 ~/git/inspec {ap/use-agent}]$

$ bundle exec inspec check ~/tmp2/good/
bundler: failed to load command: inspec (/Users/apop/.chefdk/gem/ruby/2.3.0/bin/inspec)
RuntimeError: The remote source https://github.com/dev-sec/linux-patch-benchmark/archive/master.tar.gz no longer has the requested content:

Request Content Hash: ba076c553ff3b839a15dff7813a53d6bb1f8c269a53607ebb30e0fe2b0a0d8e1
 Actual Content Hash: 54e9cd10a75f0ce7060bd67ff1d24b0c3e9255a1513adde11d9f72aa4bd1962e

For URL, supermarket, compliance, and other sources that do not
provide versioned artifacts, this likely means that the remote source
has changed since your lockfile was generated.

  /Users/apop/git/inspec/lib/inspec/cached_fetcher.rb:53:in `assert_cache_sanity!'
  /Users/apop/git/inspec/lib/inspec/cached_fetcher.rb:45:in `fetch'
  /Users/apop/git/inspec/lib/inspec/profile.rb:68:in `for_fetcher'
  /Users/apop/git/inspec/lib/inspec/dependencies/requirement.rb:107:in `profile'
  /Users/apop/git/inspec/lib/inspec/dependencies/dependency_set.rb:65:in `block in each'
  /Users/apop/git/inspec/lib/inspec/dependencies/dependency_set.rb:64:in `each'
  /Users/apop/git/inspec/lib/inspec/dependencies/dependency_set.rb:64:in `each'
  /Users/apop/git/inspec/lib/inspec/profile.rb:161:in `load_libraries'
  /Users/apop/git/inspec/lib/inspec/profile.rb:415:in `load_checks_params'
  /Users/apop/git/inspec/lib/inspec/profile.rb:409:in `load_params'
  /Users/apop/git/inspec/lib/inspec/profile.rb:133:in `params'
  /Users/apop/git/inspec/lib/inspec/profile.rb:298:in `controls_count'
  /Users/apop/git/inspec/lib/inspec/profile.rb:269:in `check'
  /Users/apop/git/inspec/lib/inspec/cli.rb:70:in `check'
  /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
  /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
  /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
  /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
  /Users/apop/git/inspec/bin/inspec:12:in `<top (required)>'
  /Users/apop/.chefdk/gem/ruby/2.3.0/bin/inspec:22:in `load'
  /Users/apop/.chefdk/gem/ruby/2.3.0/bin/inspec:22:in `<top (required)>'

@alexpop
Copy link
Contributor

alexpop commented Nov 24, 2016

Same issue with inspec json:

$ rm -rf ~/.inspec/cache/
[11:13:41 ~/git/inspec {ap/use-agent}]$

$ bundle exec inspec json ~/tmp2/good/
bundler: failed to load command: inspec (/Users/apop/.chefdk/gem/ruby/2.3.0/bin/inspec)
RuntimeError: The remote source https://github.com/dev-sec/linux-patch-benchmark/archive/master.tar.gz no longer has the requested content:

Request Content Hash: ba076c553ff3b839a15dff7813a53d6bb1f8c269a53607ebb30e0fe2b0a0d8e1
 Actual Content Hash: 54e9cd10a75f0ce7060bd67ff1d24b0c3e9255a1513adde11d9f72aa4bd1962e

For URL, supermarket, compliance, and other sources that do not
provide versioned artifacts, this likely means that the remote source
has changed since your lockfile was generated.

  /Users/apop/git/inspec/lib/inspec/cached_fetcher.rb:53:in `assert_cache_sanity!'
  /Users/apop/git/inspec/lib/inspec/cached_fetcher.rb:45:in `fetch'
  /Users/apop/git/inspec/lib/inspec/profile.rb:68:in `for_fetcher'
  /Users/apop/git/inspec/lib/inspec/dependencies/requirement.rb:107:in `profile'
  /Users/apop/git/inspec/lib/inspec/dependencies/dependency_set.rb:65:in `block in each'
  /Users/apop/git/inspec/lib/inspec/dependencies/dependency_set.rb:64:in `each'
  /Users/apop/git/inspec/lib/inspec/dependencies/dependency_set.rb:64:in `each'
  /Users/apop/git/inspec/lib/inspec/profile.rb:161:in `load_libraries'
  /Users/apop/git/inspec/lib/inspec/profile.rb:415:in `load_checks_params'
  /Users/apop/git/inspec/lib/inspec/profile.rb:409:in `load_params'
  /Users/apop/git/inspec/lib/inspec/profile.rb:133:in `params'
  /Users/apop/git/inspec/lib/inspec/profile.rb:184:in `info'
  /Users/apop/git/inspec/lib/inspec/cli.rb:43:in `json'
  /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
  /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
  /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
  /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
  /Users/apop/git/inspec/bin/inspec:12:in `<top (required)>'
  /Users/apop/.chefdk/gem/ruby/2.3.0/bin/inspec:22:in `load'
  /Users/apop/.chefdk/gem/ruby/2.3.0/bin/inspec:22:in `<top (required)>'

@alexpop alexpop added the Type: Bug Feature not working as expected label Nov 24, 2016
@alexpop
Copy link
Contributor

alexpop commented Nov 24, 2016

Running inspec check ~/profile/dir/

When the check method in cli.rb calls Inspec::Profile.for_target, it's not passing a :cache option for opts.
Because of this, the for_path method in profile.rb is not calling copy_deps_into_cache.

When running inspec exec ~/profile/dir/, runner.rb initializes @cache and passes it to Inspec::Profile.for_target. This triggers the copy_deps_into_cache in for_path(profile.rb).

Back to inspec check, without copy_deps_into_cache being called, dependencies that are not in cache, but specified in lock are retrieved. If the sha256 is not matching the one in the lockfile, 💥

@alexpop
Copy link
Contributor

alexpop commented Nov 24, 2016
edited
Loading

https://github.com/chef/inspec/compare/ap/check-vendor-cache

I fixed the check and json when targeting a profile unpacked in a directory.
Fixed check of tarball by providing system cache.

@alexpop alexpop mentioned this issue Nov 24, 2016
Merged
@chris-rock chris-rock modified the milestone: meta-profile support Nov 25, 2016
@chris-rock chris-rock removed the ready label Nov 29, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Type: Bug Feature not working as expected
Projects
None yet
Milestone
meta-profile support
Development

No branches or pull requests
2 participants
@alexpop @chris-rock