
wp-cli install (signature check) stuck in case of incorrect download #1295

Closed
4 tasks done
strarsis opened this issue Jun 1, 2021 · 3 comments · Fixed by #1296

Comments

@strarsis
Contributor

strarsis commented Jun 1, 2021

Description

When a wp cli phar file was downloaded (to /tmp) that doesn't match the signature file, e.g. a failed/corrupted download or using a development phar, the ansible task for installing wp-cli fails at the signature verification step.
It can only be manually fixed by renaming/removing the non-matching wp-cli phar file.

Steps to reproduce

1. Simulate an incorrect wp cli phar in /tmp (e.g. download the nightly build phar).
2. Apply the trellis playbook. Notice that the playbook run fails now as the wp cli phar doesn't match the signature file.
3. After manually renaming/removing the /tmp/wp-cli-*.phar and/or cleaning up the signature file /tmp/wp-cli-*.phar.asc, the playbook is applied and the specific WP CLI release is installed successfully.

Expected behavior: ansible-playbook applies correctly, installing the specified WP CLI release.

Actual behavior: ansible-playbook fails to apply in specific instances where the wp cli phar file is corrupted/changed/nightly.

Reproduces how often: When this issue happened, the issue reproduces until the wp cli phar file is renamed/cleaned up.

Versions

Fix #1284 - Update logrotate postrotate Nginx command (#1293)

swalkinshaw added a commit that referenced this issue Jun 2, 2021
Fixes #1295

Sometimes gpg signature verification for WP-CLI could fail due to
network reasons (the downloaded phar or asc files were corrupt). In
those cases the playbook will be a "stuck" state unless the files are
manually deleted from the server.

This improves error handling by deleting both the phar and asc files
which will allow Ansible to re-download them next time.
@swalkinshaw
Member

I'm tempted to just say "won't fix" because the manual solution isn't that difficult? Plus I imagine this is fairly rare. But I was curious how I'd solve this with Ansible and I learned about block rescues.

Does #1296 make sense as a solution?

@tangrufus
Member

#1296 looks good.

Alternatively, we can force the two get_url tasks.
See: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html#parameter-force
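The two remedies discussed above (the block/rescue cleanup from #1296 and the `force` alternative for `get_url`) as one added illustrative task file. This is example code, not Trellis's own role: the download URLs, the `/tmp/wp-cli-{{ wp_cli_version }}.phar` paths and the assumption that the WP-CLI release signing key is already in the remote user's gpg keyring are all assumptions made here.

```yaml
# Example only (not from the Trellis repository). Assumes the variable
# wp_cli_version is defined and the WP-CLI signing key is already imported.
- name: Install WP-CLI, cleaning up cached files if verification fails
  block:
    - name: Download WP-CLI phar
      get_url:
        url: "/~https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar"
        dest: "/tmp/wp-cli-{{ wp_cli_version }}.phar"
        mode: "0644"
        # Alternative remedy: force: true re-downloads on every run, so a
        # corrupt or nightly phar left in /tmp is always replaced.
        # force: true

    - name: Download WP-CLI detached signature
      get_url:
        url: "/~https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc"
        dest: "/tmp/wp-cli-{{ wp_cli_version }}.phar.asc"
        mode: "0644"

    - name: Verify the phar against its signature
      command: >
        gpg --verify
        /tmp/wp-cli-{{ wp_cli_version }}.phar.asc
        /tmp/wp-cli-{{ wp_cli_version }}.phar
      changed_when: false

    - name: Install the verified phar
      copy:
        src: "/tmp/wp-cli-{{ wp_cli_version }}.phar"
        dest: /usr/local/bin/wp
        remote_src: true
        mode: "0755"

  rescue:
    # Without this cleanup a bad phar or asc stays in /tmp, get_url sees the
    # file as present, and every later run fails at the verify step again.
    - name: Remove cached phar and signature so the next run re-downloads them
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - "/tmp/wp-cli-{{ wp_cli_version }}.phar"
        - "/tmp/wp-cli-{{ wp_cli_version }}.phar.asc"

    - name: Fail the play after cleanup so the bad download is not silently ignored
      fail:
        msg: "WP-CLI {{ wp_cli_version }} signature verification failed; cached files were removed, re-run the playbook."
```

The `rescue` runs only when a task in the `block` fails, so a healthy run is unaffected; `force: true` trades one extra download per run for never depending on the cleanup at all.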

@strarsis
Contributor Author

strarsis commented Jun 2, 2021

I like this approach.

swalkinshaw added a commit that referenced this issue Jul 14, 2021
Fixes #1295

Sometimes gpg signature verification for WP-CLI could fail due to
network reasons (the downloaded phar or asc files were corrupt). In
those cases the playbook will be a "stuck" state unless the files are
manually deleted from the server.

This improves error handling by deleting both the phar and asc files
which will allow Ansible to re-download them next time.
kennyr87 pushed a commit to kennyr87/trellis that referenced this issue Oct 21, 2021
Fixes roots#1295

Sometimes gpg signature verification for WP-CLI could fail due to
network reasons (the downloaded phar or asc files were corrupt). In
those cases the playbook will be a "stuck" state unless the files are
manually deleted from the server.

This improves error handling by deleting both the phar and asc files
which will allow Ansible to re-download them next time.
cmurtagh added a commit to pressbooks/trellis that referenced this issue Jun 23, 2022
* Use versioned php module for memcached and xdebug

* Set universal_newlines for renew-certs script

Using `universal_newlines` is better for Python 2/3 compatibility since
it will return a string and not bytes to ensure it's the same regardless
of the version.

* Remove prestissimo from composer_global_packages

`hirak/prestissimo` is a composer plugin that speeded up `composer install`
by downloading packages in parallel.

It's not incompatible with Composer 2.0 and not needed since 2.0 has
parallel downloading built-in.

* v1.6.0

* Ubuntu 20.04 support

Officially support and recommend Ubuntu 20.04 Focal.
The only tangible change is bumping the Vagrant box from 18.04 to 20.04.
Trellis has been made compatible with 20.04 already.

* Validate that letsencrypt_contact_emails is a list

We already validate that `letsencrypt_contact_emails` needs to be
defined. This further validates that it's defined as a list and not a
string.

* Update CHANGELOG

* Manually update Ansible Galaxy role `geerlingguy.composer`

* Manually update Ansible Galaxy role `geerlingguy.ntp`

* Manually update Ansible Galaxy role `oefenweb.swapfile`

* Fix security issue with empty password

If no password is defined for user "web", insert "!" to disable authentication without a password.

* Update README.md

Update to Ubuntu 20 Focal.

* Add config for PHP CLI

* Add roots#1261 to CHANGELOG

* Use correct template file for PHP CLI env

* Remove PHP option track_errors

`track_errors` was deprecated as of PHP 7.2 so we're removing it
entirely.

* Extend failed connection to remote repo msg

Due to no_log for git clone on deploy you are unable to see the exact
output error message, adding the branch being used to the fail message
may help when incorrect branch name is used.

* CHANGELOG for roots#1265

* v1.7.1

* Migrate to Xdebug v3 (roots#1260)

* Remove unnecessary block

* CHANGELOG for roots#1260

* Bump vagrant_ansible_version

* Vagrant: use python3

Pip doesn't support Python2 anymore so we're defaulting Vagrant to
python3.

This defines a new config option `vagrant_ansible_python_interpreter`
which defaults to `/usr/bin/python3`.

* Update CHANGELOG

* Set file permissions explicitly

Fixes ansible-lint violations

* File permissions: Use strings instead of octal numbers

Follow up roots#1270
Fix: https://discourse.roots.io/t/mode-must-be-in-octal-or-symbolic-form/20038

* Add ` wp_post_revisions: true` to `wordpress_env_defaults` 

Complementing roots/bedrock#572

* v1.8.0

* Update sponsors [ci skip]

* Update required Ubuntu version in README.md

* CircleCI: Remove `ansible-lint`

* Update sponsors [ci skip]

* Improve handling of PHP versions

Refactors how PHP and its extensions are installed per version.
Previously all version references were hardcoded and updating to a new
version (i.e. from `7.4` to `8.0`) meant replacing a bunch of version
numbers across lots of files which made it difficult to use a different
version than Trellis' default.

Now to switch to another PHP version that Trellis supports, only the
`php_version` variable needs to be changed. And to support a new
version, only a single version specific vars file needs to be created
(example: `roles/php/vars/8.0.yml`).

* Update CHANGELOG for roots#1284

* Update sponsors [ci skip]

* Update `wp_cli_version` to 2.5.0

* Add php-intl extension

Per the WordPress Hosting Team recommendation: https://make.wordpress.org/hosting/2021/05/20/why-hosters-should-install-the-php-intl-extension/

* Replace GD with ImageMagick; Add bc_math extension and ghostscript

* Enable PDF thumbnail generation

* Correct logrotate error using reload over rotate

* Changelog entry for roots#1292

* CHANGELOG entry for roots#1293

* Remove PHP version from messages.

* overridden ansible_ssh_extra_args should always take precedence

* Add php-bcmath extension

This commit was missing from roots#1292. It adds the PHP bc_math extension.

* GitHub: Add issue forms

* Update bug_report.yml

* Titilize form labels

* Update default value wordings

* Improve handling of WP-CLI failed verification

Fixes roots#1295

Sometimes gpg signature verification for WP-CLI could fail due to
network reasons (the downloaded phar or asc files were corrupt). In
those cases the playbook will be a "stuck" state unless the files are
manually deleted from the server.

This improves error handling by deleting both the phar and asc files
which will allow Ansible to re-download them next time.

* Allow customizing PHP CLI `memory_limit`

Close roots#1277

* Default PHP CLI memory limit to -1

* Replace dist folder with public

* Update Trellis configurations

* Restore Princexml and Redis roles

* Update sponsors [ci skip]

* Removing princexml from galaxy.yml and making it a role in Trellis

* Adding php7.4-gd as a package requirement

* Fixing syntax error for redis state change check

* hh package has been renamed to hstr in bash-for-pressbooks-dev

* Removing syntax error for package_vars_wrong_format

* Adding --yes to wp login install because it was hanging on a prompt

* Add default for composer_authentications

* Remove explicit permission for site directory

Fixes roots#1311

The `mode` option was set in roots#1270
for linting purposes. However, this can result in the permissions
changing on local site files causing them to appear as changed in Git.

Since this directory is guaranteed to exist, we don't need to set
`mode`. The purpose of this task is just to set the owner + group
recursively.

* Fix display output in logs

Background:
roots#1235 (comment)

Ansible bases the log level based on colour (yeah, it's dumb) when
logging is enabled. `bright gray` was a valid log level mapping.

Instead of trying to pick some other colour supported in both contexts,
we can just set `screen_only` to skip these messages which are meant for
STDOUT anyway.

* Bump version_tested_max to 2.10.7

* Update CHANGELOG

* v1.9.0

* Remove explicit arch deb options

Apt defaults to the architecture supported by `dpkg`, which defaults to
the actual architecture of the OS (as it should). Removing this explicit
`arc=amd64` option just means we'll get the smart default which improves
support for `arm64` (Apple M1 CPUs primarily).

* Change MariaDB mirror source

Digitalocean has proven to be an unreliable mirror so let's switch to
another one (from the official MariaDB site).

* 1.9.1 Changelog

* CHANGELOG update

* Default to proper box for M1 macs

* Update default PHP version to 8.0

* Enable pipelining for local connections

Enabling pipelining for SSH connections only means that `become` behaves differently for vagrant, than it does VMs over SSH. Moving this config to the defaults makes both vagrant and VMs behave the same in regards to become, and perhaps we will see some local speed improvements on local provisions as a result.

* Add GitHub SSH ed25519 key to known hosts

* Update CHANGELOG

* v1.10.0

* Update README.md

* Add PHP 8.1 support

* chore(github): fix typos in issue templates

[skip ci]

Co-authored-by: QWp6t <hi@qwp6t.me>

* Remove ssl_dhparam and Diffie-Hellman group

This was needed to prevent Logjam attacks but those only applied to DHE
ciphers which haven't been supported in Trellis for 2 years.

* Update CHANGELOG

* Remove issue closer

* Update docs links [ci skip]

* Bump vagrant_ansible_version to 2.10.7

* Require Vagrant < 2.2.19

2.2.19 has a bug affecting macOS Big Sur and should be avoided.

* Set default for ansible_ssh_extra_args

ansible-base in 2.10.16 changed how SSH option defaults worked breaking
this. Just ensuring it has a proper default instead of undefined solves
the issue.

* v1.11.0

* Add ansible-base to requirements

Bumps minimum required Ansible to >= 2.10 as well.

The Ansible ecosystem has changed how their versions and packages work
causing the main `ansible` package versions to no longer determine the
version of `ansible-playbook`. Instead, the new `ansible-base` package
is what matters.

Background: https://blog.while-true-do.io/ansible-release-3-0-0/

For example, installing `ansible==2.10.7` would result in
`ansible-playbook==2.10.16` which was confusing.

By adding `ansible-base` to our `requirements.txt`, we'll get more
consistent and predictable version constraints.

Installing `ansible-base==2.10.16` would result in
`ansible-playbook==2.10.16` as you'd expect.

* Remove old version checks

* Simplify README

This removes the "manual" docs from the README and focuses on the
trellis-cli workflow. This README isn't meant to be the full
documentation anyway.

* Fix roots#1331 - Improve passlib instructions

Updates the error message when `passlib` isn't installed on macOS.

This recommends using trellis-cli as the main solution but still
provides a manual method including better options for install pip.

* Fixes roots#1319 - Improve how ssh_args are loaded

This refactors how `ssh_args` are loaded since the private method
`_ssh_args` on `PlayContext` has been removed in Ansible 2.11.

Instead, we load the ssh plugin and get the option directly.

* Update CHANGELOG

* Remove old WP customizer frame options hack

* Update default vagrant_ip

Changes the default `vagrant_ip` from `192.168.50.5` to `192.168.56.5`
(note the subtle change from `50` -> `56`).

A recent change in VirtualBox means that only IP addresses in the 192.168.56.0/21 range are allowed.

Vagrant is now validating that the IP is within this range as well (hashicorp/vagrant#12564).

* Add support for public keys for deploys

Adding a deploy specific SSH public key to a Trellis server is a common
task to enable CI/CD deploys (such as GitHub Actions).

This creates a standard folder (`public_keys`) for them. Any public SSH
keys in that folder (ending in `.pub`) will be automatically added to
the `web_user` as an authorized key.

* Update sponsors section in README

* Revert "Default to proper box for M1 macs"

* v1.12.0

* Switch CI to GitHub Actions

* Use trellis-cli for Vagrant galaxy install

This replaces the default galaxy command (`ansible-galaxy install`) with
the much better `trellis galaxy install` if trellis-cli is available on
the host machine.

With trellis-cli's command, there should be no reason to use the
annoying `SKIP_GALAXY` env var which was added to prevent Vagrant from
always installing the roles each time. `trellis galaxy install` is
efficient and quickly skips already installed roles.

* Update default ssh key paths

Adds id_ed25519 in addition to the existing id_rsa entry and sets
`errors='ignore'` to both. If that local path doesn't exist, Ansible
will still show a helpful warning but won't fail.

* Fix roots#970 - Improve git clone failure error

Outputs the original stderr message as well in case of failure.

* Update CHANGELOG

* Remove issue templates

* Disable install_recommends for php packages

php8.1-cli is being installed due to another package recommending it.
Right now this breaks WordPress installation due to WP-CLI being
incompatible.

However, 8.1 shouldn't be installed anyway when the `php_version` is set
to `8.0`. This fixes the root cause by setting `install_recommends: no`
which disables the feature in `apt`.

More background: /~https://github.com/oerdnj/deb.sury.org/wiki/Frequently-Asked-Questions#why-is-phpdefaultversion-cli-always-installed
and oerdnj/deb.sury.org#1711

* v1.13.0

* Deploy hook build example: Update Sage build command

* chore(project): Remove .circleci and add .github to .gitattributes

* Update `wp_cli_version` to 2.6.0

* Remove bin scripts

These scripts were created as better interfaces to running the deploy
and xdebug tunnel Ansible playbooks (since the Ansible CLI developer
experience isn't the best when arguments are needed).

They've been superseded by the much better trellis-cli now. If you don't
want to use trellis-cli, then the `ansible-playbook` commands that these
scripts ran can always be used.

* Create mysql my.cnf credentials file earlier

In some situations the "Set root user password" task might fail because
it tries to connect with no root password. Moving the my.cnf credentials
file task above it fixes that situation and also just makes more sense
in general.

* Update README.md

* allow to copy subfolders between releases

* Add integration test using trellis-cli

Uses trellis-cli to create a new Trellis project from the current SHA.
The project is provisioned and deployed all using trellis-cli.

Finally the site is verified that WordPress was actually installed and
working.

The steps are a little more complex than someone provisioning a normal
remote server for a few reasons:

1. GitHub's Ubuntu image has a lot of software installed by default
   including mysql-server which needs to be purged completely.
2. there are a few workarounds to force Ansible to use a local connection
   since we aren't actually SSHing into a remote server.

* Ensure correct PHP version is set

Background: roots#1354

roots#1355 fixed half of this problem,
but there's still situations where php-cli ends up defaulting to 8.1.

This ensures the correct version of PHP is always set based on
`php_version` by using the `update-alternatives` command.

* Run integration tests on pull requests

* v1.14.0

* Remove python2 support

Python 2 has been EOL for a while now and is unsupported. macOS is
removing it as well as of 12.3.

Trellis was compatible with both Python 2 or 3 but it took some extra
work and complexity. This removes all workarounds for python2 and makes
python3 a requirement.

* Require python3 in code

* Add HTTPS site to integration tests

* 📝 remove getting started ref

* Updating Vagrantfile to allow for vagrant 2.2.19, changing example.com to pressbooks.test

* Support Ansible >= 2.10

This removes the upper version constraint and supports Ansible versions
up to 5.4.0 (ansible-core 2.12)

* Add Discourse release topic workflow

* Add ansible version to integration tests

* Update CHANGELOG

* 📄 update name

* Updating ntp role to latest (2.3.1)

* ✨ add `build-after` placeholder (roots#1377)

* Replace git with https

* replacing hardcoded values with parameter

* Add built-in fail2ban filters

Trellis supported default fail2ban services previously but they were
restricted to filters built into fail2ban itself (like `sshd`).

This adds filters defined by Trellis as well now by automatically
creating the filter configuration files from templates.

Importantly, these filters will be _disabled_ by default. Any time a new
filter is added, it will also be added to `fail2ban_services_custom` with
enabled set to `false.`

This achieves a few goals:

1. makes it very easy to enable the built-in filters, which
2. brings more awareness to them by adding them to
   `group_vars/all/security.yml`
3. hopefully encourages more fail2ban filters to be created and used

Currently there's only one built-in filter for banning requests to
WordPress' `xmlrpc.php` endpoint which is a common DDoS attack vector.

* Remove redundant ansible_connection=local and comments

* Fix typo

* Do not disallow up to date Vagrant vers. on Linux

When this version restriction was introduced, I found out from the changelog or an issue that this was specifically because of a mac OS issue.

I have successfully run Vagrant versions that ship with Open SUSE Tumbleweed (Not sure), Ubuntu 21.10 and Ubuntu 22.04. AFAIK there is no reason to shut Linux users out of up-to-date Vagrant versions.

* Change MariaDB PPA link

* 💬 update README

* Split is installed check into a non-multisite and a multisite specific one.

* Fix `when` for defining variable used in multisite-specific check.

* Group "WordPress Installed" non-multisite and multisite tasks into Ansible blocks.

* Fix when lines.

* Make `strpos` `empty needle` PHP warning match less strict (omit line number).

* fix: set mjs as application/javascript in h5bp (roots#1383)

* Improve task names (invoke).

* Using apt to install epubcheck from Ubuntu Universe instead of fetching a 3rd party binary

* Only add hstr when using x86, as this currently doesn't have an ARM build

* Use chromium and chromedriver from Ubuntu instead of this binary and deb

* ObjectCache Pro needs php7.4-redis

* Fix discourse release tags

* [skip ci] Update discourse release tags

* Change is-installed check to exempt DB error dump PHP warning for not yet set up multisite sites.

* Clean up now unused `tmp_multisite_constants.php`.

* Improve name.

* Remove unused `tmp_multisite_constants.php` source file.

* Bumping geerlingguy.mailhog. Geerlingguy merged our PR into master and released 2.3.0 to support arm

* Adding a temporary conditional for princexml until there's a .deb package or a proper installer script ported to ansible

Co-authored-by: Mockey <dev@medienpensionat.com>
Co-authored-by: Scott Walkinshaw <scott.walkinshaw@gmail.com>
Co-authored-by: Raphael <raph-topo@posteo.net>
Co-authored-by: arusa <alex@rusa.at>
Co-authored-by: Mike iLL Kilmer <mike@mzoo.org>
Co-authored-by: Andrew Kovalyov <andrew.kovalyoff@gmail.com>
Co-authored-by: Tang Rufus <tangrufus@gmail.com>
Co-authored-by: Chris <chris@bigbellyoak.co.uk>
Co-authored-by: Adam Bergman <adam@fransvilhelm.com>
Co-authored-by: Ben Word <ben@benword.com>
Co-authored-by: Lukas Besch <accounts@lukasbesch.com>
Co-authored-by: Joshua Fredrickson <joshua@orangepineapple.com>
Co-authored-by: Dale Grant <dale@codeand.com.au>
Co-authored-by: strarsis <strarsis@gmail.com>
Co-authored-by: Daniel Robinson <d.robinson004@gmail.com>
Co-authored-by: José Debuchy <jdebuchy@40q.com.ar>
Co-authored-by: Christopher Murtagh <christopher@pressbooks.com>
Co-authored-by: Craig Pearson <hello@craigpearson.co.uk>
Co-authored-by: Nathan Knowler <nathan@knowler.me>
Co-authored-by: QWp6t <hi@qwp6t.me>
Co-authored-by: Lucas DEMEA <lucas@digital-swing.com>
Co-authored-by: Paul Brzeski <mail@paulbrzeski.com>
Co-authored-by: Hemang Ajmera <hemang.ajmera@teliacompany.com>
Co-authored-by: nextgenthemes <nextgenthemes@users.noreply.github.com>
Co-authored-by: jakobmeusburger <48139550+jakobmeusburger@users.noreply.github.com>
Co-authored-by: Kelly Mears <developers@tinypixel.dev>