wp-cli install (signature check) stuck in case of incorrect download #1295
Comments
Fixes #1295

Sometimes gpg signature verification for WP-CLI could fail due to network reasons (the downloaded phar or asc files were corrupt). In those cases the playbook will be in a "stuck" state unless the files are manually deleted from the server. This improves error handling by deleting both the phar and asc files, which will allow Ansible to re-download them next time.
I'm tempted to just say "won't fix" because the manual solution isn't that difficult? Plus I imagine this is fairly rare. But I was curious how I'd solve this with Ansible and I learned about block rescues. Does #1296 make sense as a solution?
#1296 looks good. Alternatively, we can
I like this approach.
Description
When a wp cli phar file was downloaded (to `/tmp`) that doesn't match the signature file, e.g. a failed/corrupted download or using a development phar, the ansible task for installing wp-cli fails at the signature verification step. It can only be manually fixed by renaming/removing the non-matching wp-cli phar file.
Steps to reproduce
1. Simulate an incorrect wp cli phar in `/tmp` (e.g. download the nightly build phar).
2. Apply the trellis playbook. Notice that the playbook run fails now as the wp cli phar doesn't match the signature file.
3. After manually renaming/removing the `/tmp/wp-cli-*.phar` and/or cleaning up the signature file `/tmp/wp-cli-*.phar.asc`, the playbook is applied and the specific WP CLI release is installed successfully.
Expected behavior: `ansible-playbook` applies correctly, installing the specified WP CLI release.
Actual behavior: `ansible-playbook` fails to apply in specific instances where the wp cli phar file is corrupted/changed/nightly.
Reproduces how often: When this issue happened, the issue reproduces until the wp cli phar file is renamed/cleaned up.
Versions
Fix #1284 - Update logrotate postrotate Nginx command (#1293)
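The cleanup-on-failure approach discussed in this issue, sketched with an Ansible `block`/`rescue`; this is an added example, not the Trellis role or the contents of #1296. The variables `wp_cli_version`, `wp_cli_phar_url`, `wp_cli_asc_url` and `wp_cli_bin_path` are assumed names, and the WP-CLI signing key is assumed to be in the keyring `gpg` uses.

```yaml
# Added example: hypothetical task file, not the project's own code.
# Assumed variables: wp_cli_version, wp_cli_phar_url, wp_cli_asc_url, wp_cli_bin_path.
# Assumes the WP-CLI release signing key was imported into gpg's keyring earlier.
- name: Download, verify and install WP-CLI
  vars:
    wp_cli_tmp_phar: "/tmp/wp-cli-{{ wp_cli_version }}.phar"
    wp_cli_tmp_asc: "/tmp/wp-cli-{{ wp_cli_version }}.phar.asc"
  block:
    # get_url with the default force=no skips the download when dest already
    # exists, which is why a corrupt file left in /tmp is never replaced.
    - name: Download WP-CLI phar
      ansible.builtin.get_url:
        url: "{{ wp_cli_phar_url }}"
        dest: "{{ wp_cli_tmp_phar }}"
        mode: "0644"

    - name: Download detached signature
      ansible.builtin.get_url:
        url: "{{ wp_cli_asc_url }}"
        dest: "{{ wp_cli_tmp_asc }}"
        mode: "0644"

    # gpg exits non-zero on a bad or missing signature, failing the block.
    - name: Verify phar against its signature
      ansible.builtin.command:
        argv:
          - gpg
          - --verify
          - "{{ wp_cli_tmp_asc }}"
          - "{{ wp_cli_tmp_phar }}"
      changed_when: false

    # Only reached when verification succeeded.
    - name: Install verified phar
      ansible.builtin.copy:
        src: "{{ wp_cli_tmp_phar }}"
        dest: "{{ wp_cli_bin_path }}"
        remote_src: true
        owner: root
        group: root
        mode: "0755"

  rescue:
    # Delete both artifacts so the next run downloads fresh copies.
    - name: Remove unverified download and signature
      ansible.builtin.file:
        path: "{{ item }}"
        state: absent
      loop:
        - "{{ wp_cli_tmp_phar }}"
        - "{{ wp_cli_tmp_asc }}"

    # Keep the play failing: an unverified phar must never count as installed.
    - name: Report the failure
      ansible.builtin.fail:
        msg: >-
          WP-CLI install failed at "{{ ansible_failed_task.name }}".
          The downloaded files were removed; re-run the playbook to retry.
```

The install step sits inside the block after the `gpg --verify` task, so a phar that fails verification is deleted rather than copied into place, and the explicit `fail` in `rescue` keeps a bad signature from being reported as a successful run.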