Older releases of Automate; tested with InSpec 1.51.25, InSpec 2.2.41, and Automate 1.8.68.
Likely still happening as late as Automate 2 20200131*. External and A2-embedded InSpec versions don't seem to matter. Support folks see: https://getchef.zendesk.com/agent/tickets/24889
Profiles with a two-element version in their inspec.yml, for example "1.2", will silently fail to install when uploaded through the UI. They will be visible in the UI, but cannot be retrieved by InSpec runs. The failure to retrieve the improperly versioned profile will look like a 404, like this:
    root@node-1:~# inspec exec compliance://admin/stig-rhel6 -l debug                                [648/1646]
    [2018-07-24T15:46:09+00:00] DEBUG: Option backend_cache is enabled
    [2018-07-24T15:46:09+00:00] DEBUG: Resolve compliance://admin/stig-rhel6 into cache /root/.inspec/cache
    [2018-07-24T15:46:09+00:00] DEBUG: Fetching URL: https://automate.lxc/compliance/profiles/admin/stig-rhel6/tar
    /opt/inspec/embedded/lib/ruby/2.4.0/open-uri.rb:363:in `open_http': 404 Not Found (OpenURI::HTTPError)
        from /opt/inspec/embedded/lib/ruby/2.4.0/open-uri.rb:741:in `buffer_open'
        from /opt/inspec/embedded/lib/ruby/2.4.0/open-uri.rb:212:in `block in open_loop'
        from /opt/inspec/embedded/lib/ruby/2.4.0/open-uri.rb:210:in `catch'
        from /opt/inspec/embedded/lib/ruby/2.4.0/open-uri.rb:210:in `open_loop'
        from /opt/inspec/embedded/lib/ruby/2.4.0/open-uri.rb:151:in `open_uri'
        from /opt/inspec/embedded/lib/ruby/2.4.0/open-uri.rb:721:in `open'
        from /opt/inspec/embedded/lib/ruby/2.4.0/open-uri.rb:35:in `open'
        from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.2.41/lib/fetchers/url.rb:189:in `download_archive_to_temp'
        from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.2.41/lib/fetchers/url.rb:142:in `temp_archive_path'
        from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.2.41/lib/fetchers/url.rb:122:in `sha256'
        from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.2.41/lib/fetchers/url.rb:112:in `cache_key'
        from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.2.41/lib/inspec/cached_fetcher.rb:32:in `cache_key'
        from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.2.41/lib/inspec/cached_fetcher.rb:39:in `fetch'
Profiles should follow semver for the version number, both in the profile tar name and in the profile's inspec.yml. For example, in cis-rhel7-level2-server-2.1.1-20.tar.gz, the profile's version number combines 2.1.1, the version of the benchmark, and -20, our incrementing profile release number. This is not fully semver compliant because it should actually be +20; https://github.com/chef/compliance-profiles/issues/595 will address this.
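A pre-upload check for the two-element version problem, as an added example that is not part of the original article or of Chef's tooling. The function name, the regular expression and the sample metadata are assumptions made for illustration; the check only enforces a three-element MAJOR.MINOR.PATCH core and accepts a release suffix written either as -20 or +20.

```ruby
require 'yaml'

# MAJOR.MINOR.PATCH core, with an optional -suffix and/or +suffix.
THREE_PART_VERSION = /\A\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?\z/

# Returns a list of problems found in the text of an inspec.yml.
# An empty list means the version is safe to upload.
def version_problems(inspec_yml_text)
  meta = YAML.safe_load(inspec_yml_text) || {}
  return ['inspec.yml is not a mapping'] unless meta.is_a?(Hash)

  raw = meta['version']
  return ['no version field'] if raw.nil?

  problems = []
  # An unquoted `version: 1.2` is parsed by YAML as a number, not a string,
  # so a value such as 1.10 would also silently become 1.1.
  unless raw.is_a?(String)
    problems << "version #{raw.inspect} parsed as #{raw.class}; quote it"
  end
  unless THREE_PART_VERSION.match?(raw.to_s)
    problems << "version #{raw.to_s.inspect} is not MAJOR.MINOR.PATCH"
  end
  problems
end

# Constructed sample metadata, not taken from a real profile.
SAMPLES = {
  'two-element'   => "name: stig-rhel6\nversion: 1.2\n",
  'quoted two'    => "name: stig-rhel6\nversion: \"1.2\"\n",
  'three-element' => "name: stig-rhel6\nversion: 1.2.0\n",
  'with release'  => "name: cis-rhel7-level2-server\nversion: 2.1.1-20\n"
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |label, text|
    found = version_problems(text)
    puts "#{label}: #{found.empty? ? 'ok' : found.join('; ')}"
  end
end
```

Running this against a profile's inspec.yml before upload catches the case that otherwise only shows up later as a 404 during a scan.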
See the Cause above. Automate gets confused about whether it has a given version of a profile available when the profile is stored with a two-digit version number, like "x.y". When this confusion occurs, Automate will respond with 404s when an audit cookbook or plain InSpec run attempts to download the improperly specified profile. This is confusing, because the upload of the profile appears to succeed and the profile with the two-digit version is visible afterwards as a possible choice for download in the Automate Profiles area.
These are unavailable externally, but will help Support figure out what is going on.