-
Notifications
You must be signed in to change notification settings - Fork 170
Policyfile: Can't use both internal and community Supermarket sources #524
Comments
You'd need to have 2 cf. #450 |
@danielsdeleo Thanks for the prompt reply. |
If you only have one or two conflicts, you have to have a cookbook "apt", artifactserver: "https://supermarket.chef.io:443/api/v1/cookbooks/apt/versions/2.8.2/download" |
@danielsdeleo
The above also fails with the conflict error. Even though I am not requiring any opensource cookbook. Also the interesting thing to note is that conflict is for another cookbook called chef which is in the internal and opensource Supermarket. So seems like it is doing some kind of indexing at the beginning itself. This is a problem if somebody uploads a cookbook to the internal site with the same name as a cookbook in opensource supermarket. That will break it for everyone else, no one will be able to do 'chef install'. |
The conflict part is (mostly) by design. ChefDK is just feeding all the dependency data into a solver library, so there's not an easy way to know if any of the conflicting cookbooks end up influencing the eventual dependency solution. Though it could be done by searching all valid versions of all of the dependencies of the items in your run list. If there are in fact any conflicts, ChefDK has no way to tell if (for example) the "mysql" cookbook on your internal supermarket bears any resemblance to the one on the public supermarket. So generally it's recommended that you either:
Where I think ChefDK could be improved is:
What I would prefer to avoid is, silently merging the two dependency graphs from the two sources, as this would mean you could get a cookbook from one source when you expected it to come from the other one. |
Our internal supermarket has only internal cookbooks. The conflicting 'chef' cookbook is quite different from the opensource one and made solely for the purpose of internal use. Only the name is conflicting. Any thoughts/feedback? To your point about silently merging: |
It might be useful to be able to tag sources with a name and then use the name later in a cookbook statement or something like that. There's some interesting issues and solutions here in rubygems-world: http://stackoverflow.com/questions/16072412/ruby-bundler-multiple-sources-in-gemfile I kinda like wrapping the gem line in a source block, that is fairly neat. |
CVE against rubygems for an attack leveraging the ambiguity that @danielsdeleo is talking about: |
As per https://github.com/chef/chef-dk/blob/master/POLICYFILE_README.md
My policyfile looks like :
But it doesn't fetch the rabbitmq(opensource) cookbook from supermarket.chef.io
It doesn't allow to specify multiple community sources either.
The error I get:
The text was updated successfully, but these errors were encountered: