
puppet-nexus's Introduction

Sonatype Nexus Puppet module

Install and configure Sonatype Nexus.

!!! No Longer Maintained !!!

We are not actively using or maintaining this project and welcome the community to fork this repo.

Requires

  • maestrodev/wget
  • puppetlabs/stdlib

Usage

The following is a basic role class for building a nexus host. Adjust accordingly as needed.

NOTE: you must pass version to Class['nexus']. It is needed to build the download link and to determine the name of the nexus directory.

class role_nexus_server {

  # puppetlabs-java
  # NOTE: Nexus requires
  class{ '::java': }

  class{ '::nexus':
    version    => '2.8.0',
    revision   => '05',
    nexus_root => '/srv', # All directories and files will be relative to this
  }

  Class['::java'] ->
  Class['::nexus']
}

NOTE: If you wish to deploy a Nexus Pro server instead of Nexus OSS set deploy_pro => true

Usage (draft): Nexus 3 support

class role_nexus_server {

  class{ '::nexus':
    version               => '3.0.0',
    revision              => '03',
    download_site         => 'http://download.sonatype.com/nexus/3',
    nexus_type            => 'unix',
    nexus_work_dir_manage => false
  }

}

NOTE: If you wish to use Nexus 3, nexus_work_dir_manage needs to be set to false, because this module only supports the Nexus 3 installation itself.

Nginx proxy

The following is a setup for using the jfryman/puppet-nginx module. Nexus does not adequately support HTTP and HTTPS simultaneously, so the configuration below forces all connections to HTTPS. Be sure to log in after the app is up and head to Administration -> Server. Change the base URL to "https" and check "Force Base URL". The application will be available at:

https://${::fqdn}/nexus/

  class{ '::nginx': }

  file { '/etc/nginx/conf.d/default.conf':
    ensure => absent,
    require => Class['::nginx::package'],
    notify => Class['::nginx::service']
  }

  nginx::resource::vhost { 'nexus':
    ensure            => present,
    www_root          => '/usr/share/nginx/html',
    rewrite_to_https  => true,
    ssl               => true,
    ssl_cert          => '/etc/pki/tls/certs/server.crt',
    ssl_key           => '/etc/pki/tls/private/server.key',
  }

  nginx::resource::location { 'nexus':
    ensure    => present,
    location  => '/nexus',
    vhost     => 'nexus',
    proxy     => "http://${nexus_host}:${nexus_port}/nexus",
    ssl       => true,
  }

TODO

  • Find a way to not require a version to be passed to Class['nexus']

Authors

Copyright

Hubspot, Inc.

puppet-nexus's People

Contributors

abraham1901, albustax, bashou, chaoranxie, danie, dcrissman, gbloquel, kenbreeman, msutter, paulfurtado, petems, pranav, shail, sharkannon, timatooth, tmclaugh, tykeal, williamtsoi1


puppet-nexus's Issues

add checksum of downloaded file

When downloading software to install, always add the ability to verify the downloaded file using a checksum (preferably SHA1 or higher)

File limit is far too low for nexus 3.x installations

After startup of Nexus, you will be prompted with an error message regarding increasing the file limit:
tail -f /opt/sonatype-work/nexus3/log/nexus.log

2017-10-11 09:04:20,224+0200 INFO [FelixStartLevel] *SYSTEM org.sonatype.nexus.extender.NexusBundleTracker - ACTIVATING org.sonatype.nexus.core [197]
2017-10-11 09:04:20,598+0200 WARN [FelixStartLevel] *SYSTEM org.sonatype.nexus.internal.system.FileDescriptorServiceImpl - WARNING: ****************************************************************************
2017-10-11 09:04:20,598+0200 WARN [FelixStartLevel] *SYSTEM org.sonatype.nexus.internal.system.FileDescriptorServiceImpl - WARNING: The open file descriptor limit is 4096 which is below the minimum recommended value of 65536.
2017-10-11 09:04:20,599+0200 WARN [FelixStartLevel] *SYSTEM org.sonatype.nexus.internal.system.FileDescriptorServiceImpl - WARNING: Please see: http://links.sonatype.com/products/nexus/system-reqs#filehandles
2017-10-11 09:04:20,599+0200 WARN [FelixStartLevel] *SYSTEM org.sonatype.nexus.internal.system.FileDescriptorServiceImpl - WARNING: ****************************************************************************

This issue has already been fixed by (Andrew Grimberg => [email protected]), see Pull-Request:
#94

Latest working versions?

New to this module,

just trying to get it up and running.

I notice that it is not working for the latest version of nexus neither on 2.x or 3.x

I haven't looked in depth, but looks like:

in 3.x the config file has changed back to what it was in 2.x
in 2.x the package file nomenclature seems to have changed.

Has anybody noticed? or am I doing something wrong...

Besides fixing or reporting these issues, how can I know which are the latest working versions on each 2.x / 3.x branch?

RHEL/CentOS systemd unit handling

For now there is no systemd unit handling in service.pp. If the Nexus service is stopped, a puppet agent sync can't start it.
I think if the following code is added to service.pp it should fix this.
  elsif ($::operatingsystem == 'RedHat') or ($::operatingsystem == 'CentOS') {
    file { '/etc/systemd/system/nexus.service':
      mode    => '0644',
      owner   => 'root',
      group   => 'root',
      content => template('nexus/nexus.systemd.erb'),
    } ->
    service { 'nexus':
      ensure => running,
      name   => 'nexus',
      enable => true,
    }
  }
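As an added example (not code from puppet-nexus or the issue author), here is a complete systemd unit managed by Puppet that covers both this issue and the "File limit is far too low" issue above: it runs Nexus as its own user and raises LimitNOFILE to the 65536 that nexus.log asks for. The install directory $nexus_home, the user $nexus_user and the bin/nexus start/stop commands are assumptions.

```puppet
# Added example, not part of puppet-nexus. Assumed values: adjust to your install.
$nexus_home = '/srv/nexus-3.0.0-03'   # assumed install directory
$nexus_user = 'nexus'                 # assumed service account

# Unit content as a Puppet heredoc; the leading "|" strips the indentation.
$nexus_unit = @("UNIT")
  [Unit]
  Description=Sonatype Nexus
  After=network.target

  [Service]
  Type=forking
  User=${nexus_user}
  # nexus.log warns when the open file descriptor limit is below 65536
  LimitNOFILE=65536
  ExecStart=${nexus_home}/bin/nexus start
  ExecStop=${nexus_home}/bin/nexus stop
  Restart=on-abort

  [Install]
  WantedBy=multi-user.target
  | UNIT

file { '/etc/systemd/system/nexus.service':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  content => $nexus_unit,
  notify  => Exec['nexus-daemon-reload'],
}

# systemd only sees a new or changed unit after a daemon-reload.
exec { 'nexus-daemon-reload':
  command     => 'systemctl daemon-reload',
  path        => ['/usr/bin', '/bin'],
  refreshonly => true,
}

# Ensures Puppet can restart a stopped Nexus on the next agent run.
service { 'nexus':
  ensure  => running,
  enable  => true,
  require => [File['/etc/systemd/system/nexus.service'], Exec['nexus-daemon-reload']],
}
```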

README is misleading?

The README states

NOTE:
If you wish to use Nexus 3, nexus_work_dir_manage need to be set to false because this module support only Nexus 3 installation

I think this no longer applies. nexus_work_dir_manage must be set to true otherwise the etc directory does not get created and the work dir uid/gid is not set correctly. Or am I missing something?

Deprecated dependency maestrodev/wget

" This module has been deprecated by its author since July 24, 2018.
The reason given was:
This module has been adopted by Vox Populi.
The author has suggested puppet-wget as its replacement."
But puppet-wget is deprecated too and you should use puppet-archive

Binding to 0.0.0.0 and use of HTTP without TLS

Greetings,

I am a security researcher, who is looking for security smells in Puppet scripts. I noticed instances of binding to 0.0.0.0. Binding an address to 0.0.0.0 indicates allowing connections from all IP addresses. I would like to draw attention to these instances. Binding to 0.0.0.0 may lead to denial of service attacks. Practitioners have reported how binding to 0.0.0.0 facilitated security issues for MySQL (https://serversforhackers.com/c/mysql-network-security), Memcached (https://news.ycombinator.com/item?id=16493480), and Kibana (https://www.elastic.co/guide/en/kibana/5.0/breaking-changes-5.0.html).

I suggest using a dedicated IP address other than 0.0.0.0.

Any feedback is appreciated.

Source: https://github.com/hubspotdevops/puppet-nexus/blob/master/manifests/params.pp
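As an added example (not code from puppet-nexus or the issue author), this manifest ties the concern above to the README's nginx proxy: Nexus is made to listen on loopback only, so the TLS-terminating nginx vhost is the sole way to reach it. The nexus.properties path, the port variable and the existence of Service['nexus'] are assumptions.

```puppet
# Added example, not part of puppet-nexus. Assumed path and port; adjust to your install.
$nexus_properties = '/srv/nexus/conf/nexus.properties'  # assumed location
$nexus_port       = 8081

# application-host is the address the embedded Jetty binds to. 127.0.0.1 means
# only processes on this host (the nginx proxy) can talk to Nexus directly,
# instead of every address on every interface with 0.0.0.0.
file_line { 'nexus-application-host':
  path   => $nexus_properties,
  line   => 'application-host=127.0.0.1',
  match  => '^application-host=',
  notify => Service['nexus'],   # assumed to be declared by the nexus class
}

file_line { 'nexus-application-port':
  path   => $nexus_properties,
  line   => "application-port=${nexus_port}",
  match  => '^application-port=',
  notify => Service['nexus'],
}

# The README's location block, pointed at loopback rather than a routable host.
# The HTTPS vhost from the README (rewrite_to_https => true) sits in front of it.
nginx::resource::location { 'nexus':
  ensure   => present,
  location => '/nexus',
  vhost    => 'nexus',
  proxy    => "http://127.0.0.1:${nexus_port}/nexus",
  ssl      => true,
}
```

With this in place a port scan of the host shows only nginx's 443, and the plain-HTTP Nexus port is not reachable from the network at all.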

Vast memory usage during routine use

We've observed high memory usage of puppet (> 1g), but only on nodes with Nexus and with a work folder consisting of artefacts. This was traced to the running of file ownership checks, for which puppet internally builds an object for each file found recursively.

Author email address bounces back

In the metadata.json the current author's email address bounces back. For a project I am working on I need a contact person to reach out to. Is there anyone that is available for this? Who is the current maintainer?

tons of file resources with nexus 3.0.x

We have the following setup (with Nexus 3.0.0):

  class{ '::nexus':
    version               => '3.0.0',
    revision              => '03',
    download_site         => 'http://download.sonatype.com/nexus/3',
    nexus_type            => 'unix',
    nexus_work_dir_manage => false,
  }

Despite nexus_work_dir_manage being set to false, since recurse is set to true in file{ $nexus_home_real:, with default settings, the work dir seems to be inside the main nexus home anyway, so Puppet creates a resource for each of those files. This is creating massive reports and long Puppet run times.

# grep -c "resource: File" /var/lib/puppet/state/last_run_report.yaml 
47371
      resource: File[/srv/nexus-3.0.0-03/data/blobs/default/content/vol-08/chap-38/9bfbb901-705f-4ed1-921e-82d4262e71ee.properties]

Is the goal to ensure permissions on the initial installation, or to preserve them?

You might also look into replacing wget + exec with the archive module?

Issues with Nexus 2.11.1-01

I tried to use 2.11.1-01 as the version and received a number of errors.

Error: /Stage[main]/Nexus::Config/File_line[nexus-work]: Could not evaluate: No such file or directory - /usr/local/nexus/conf/nexus.properties
Error: /Stage[main]/Nexus::Config/File_line[nexus-appliction-host]: Could not evaluate: No such file or directory - /usr/local/nexus/conf/nexus.properties
Error: /Stage[main]/Nexus::Config/File_line[nexus-appliction-port]: Could not evaluate: No such file or directory - /usr/local/nexus/conf/nexus.properties
Error: /Stage[main]/Nexus::Config/File_line[nexus-webapp-context-path]: Could not evaluate: No such file or directory - /usr/local/nexus/conf/nexus.properties
Warning: /Stage[main]/Nexus::Service/File_line[nexus_NEXUS_HOME]: Skipping because of failed dependencies
Warning: /Stage[main]/Nexus::Service/File_line[nexus_RUN_AS_USER]: Skipping because of failed dependencies
Warning: /Stage[main]/Nexus::Service/File[/etc/init.d/nexus]: Skipping because of failed dependencies
Warning: /Stage[main]/Nexus::Service/Service[nexus]: Skipping because of failed dependencies
Error: /Stage[main]/Nexus::Service/Service[nexus]: Failed to call refresh: Could not find init script or upstart conf file for 'nexus'
Error: /Stage[main]/Nexus::Service/Service[nexus]: Could not find init script or upstart conf file for 'nexus'
Warning: /Stage[main]/Nexus/Anchor[nexus::end]: Skipping because of failed dependencies

Nexus Work Dir is static and cannot change its path.

The work dir is static to sonatype-work in the same folder that nexus is installed (${nexus_root}). This shouldn't always be the case (Though maybe it's the default). My sonatype-work dir exists on a different mount point as it takes up a LOT of disk space.

Make $version and $revision unnecessary

When realizing the nexus class a version and revision parameter must be passed. Those values are used to construct the download URL and determine the name of the directory the application was extracted to. This means that the Nexus module does not work OOB and requires configuration and heading to the Nexus website on the first try to figure out the version and revision. Additionally, that information is found on the download archive page and not the main page.

I'd like to instead default version and revision to 'latest'. When version is set to latest it will download from the following URL:
http://download.sonatype.com/nexus/oss/nexus-latest-bundle.tar.gz

If version is set to a version and revision is still latest it will download from the following URL:
http://download.sonatype.com/nexus/oss/nexus-${version}-bundle.tar.gz

If both version and revision are set it will download from the following URL:
http://download.sonatype.com/nexus/oss/nexus-${version}-${revision}-bundle.tar.gz

An inline function will then determine the version that was downloaded and set $full_version in nexus::package appropriately.

Thoughts @Saheba and @sstarcher?

Document upgrades

Given I'm left wondering this myself, the README does not state whether this module lets you simply upgrade the version of Nexus in-place or whether there is some procedure expected of you.

Often software documentation details upgrade procedures such as updating of symlinks but when puppet is used, questions are raised mentally as to what's going to happen.

Does it support the latest version of Nexus OSS?

Hi there,

I am trying to install 3.3.2 02 and seeing the below issues. Please could you confirm the latest version this module supports? 3.0.0 03 seems to work ok.

Errors
Error: /Stage[main]/Nexus::Config/File_line[nexus-work]: Could not evaluate: No such file or directory - /opt/nexus/etc/org.sonatype.nexus.cfg
Error: /Stage[main]/Nexus::Config/File_line[nexus-application-host]: Could not evaluate: No such file or directory - /opt/nexus/etc/org.sonatype.nexus.cfg
Error: /Stage[main]/Nexus::Config/File_line[nexus-webapp-context-path]: Could not evaluate: No such file or directory - /opt/nexus/etc/org.sonatype.nexus.cfg
Error: /Stage[main]/Nexus::Config/File_line[nexus-application-port]: Could not evaluate: No such file or directory - /opt/nexus/etc/org.sonatype.nexus.cfg

Is there any fix available?

Certificate download (wget) issues

Last Friday, 5/22/2015, certificate download issues:

Notice: /Stage[main]/Nexus::Package/Wget::Fetch[nexus-2.11.2-bundle.tar.gz]/Exec[wget-nexus-2.11.2-bundle.tar.gz]/returns: ERROR: certificate common name “a.ssl.fastly.net” doesn’t match requested host name “sonatype-download.global.ssl.fastly.net

Notice: /Stage[main]/Nexus::Package/Wget::Fetch[nexus-2.11.2-bundle.tar.gz]/Exec[wget-nexus-2.11.2-bundle.tar.gz]/returns: To connect to sonatype-download.global.ssl.fastly.net insecurely, use ‘--no-check-certificate’.

Recommend adding an option to the wget section to allow unvalidated/insecure downloads via --no-check-certificate pass-through.
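As an added example (not code from puppet-nexus or any issue author), this is the download step written with puppet-archive, which serves three issues on this page: the "add checksum of downloaded file" request, the "Deprecated dependency maestrodev/wget" issue, and the certificate issue above. The bundle is only extracted when its SHA-256 matches a digest pinned in the manifest; $nexus_root, the version values and the placeholder digest are assumptions.

```puppet
# Added example, not part of puppet-nexus. Requires the puppet/archive module.
$nexus_root    = '/srv'
$version       = '2.11.2'
$revision      = '01'
$full_version  = "${version}-${revision}"
$bundle        = "nexus-${full_version}-bundle.tar.gz"
# Placeholder, not a real digest: take the published SHA-256 from Sonatype's
# download page and pin it here so a tampered or wrong bundle is rejected.
$bundle_sha256 = 'REPLACE_WITH_PUBLISHED_SHA256'

archive { "${nexus_root}/${bundle}":
  ensure          => present,
  source          => "https://download.sonatype.com/nexus/oss/${bundle}",
  checksum_type   => 'sha256',
  checksum        => $bundle_sha256,
  checksum_verify => true,   # mismatch fails the resource; nothing is extracted
  extract         => true,
  extract_path    => $nexus_root,
  creates         => "${nexus_root}/nexus-${full_version}",  # idempotency guard
  cleanup         => false,  # keep the tarball so a later run can re-verify it
  user            => 'nexus',
  group           => 'nexus',
}
```

A pinned digest gives integrity independent of how the file arrived; it is a complement to TLS certificate validation on the download, not a reason to turn that validation off.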

Cannot set work directory

There's an error in line 56 of manifests/init.pp where the work directory is detected and set, it reads:
$real_nexus_work_dirc = $nexus_work_dir
I think it should read:
$real_nexus_work_dir = $nexus_work_dir

When I pass in a work dir it leaves the value undef because it references $real_nexus_work_dir as a variable, looks like a typo with the ending 'c' to that variable setting. I have checked this locally and patched and it works...

More detail:
When specified like this:
  class { 'nexus':
    version        => '2.10.0',
    revision       => '02',
    nexus_user     => 'nexus',
    nexus_root     => '/opt',
    nexus_work_dir => '/var/lib/nexus/work'
  }

It yields in puppet:
2014-10-28 12:09:16 +0000 Puppet (err): Parameter path failed on File[undef]: File paths must be fully qualified, not 'undef' at /etc/puppet/modules/nexus/manifests/package.pp:94
Wrapped exception:
File paths must be fully qualified, not 'undef'

Concerns about readme and https

https://github.com/hubspotdevops/puppet-nexus/blame/master/README.md#L35

Readme contains this paragraph:

Nexus does not adequately support HTTP and HTTPS simultaneously.  Below forces all connections to HTTPS.  Be sure to login after the app is up and head to Administration -> Server.  Change the base URL to "https" and check "Force Base URL". 

In Nexus 2.8x, you will hopefully find this statement not true. Provided you have a keystore jetty can use and ./conf/jetty-https.xml is configured to use it, then:

  1. Edit nexus.properties, add application-port-ssl=8443
  2. Edit bin/jsw/conf/wrapper.conf, add wrapper.app.parameter.3=./conf/jetty-https.xml

Start Nexus. http on port 8081/ https on port 8443

If you want to always force redirection from http to https, then additionally

  1. Edit bin/jsw/conf/wrapper.conf, add wrapper.app.parameter.4=./conf/jetty-http-redirect-to-https.xml

Performance

At each call of puppet master, the processing of puppet catalog takes 90% CPU for 10 min.

After investigation, it seems that the recurse parameter causes problem.

  # NOTE: $nexus_work_dir in later releases was moved to a directory not
  # under the application.  This is why we do not make recursing optional
  # for this resource but do for $nexus_work_dir.
  file{ $nexus_home_real:
    ensure                  => directory,
    owner                   => $nexus_user,
    group                   => $nexus_group,
    recurse                 => true,
    selinux_ignore_defaults => $nexus_selinux_ignore_defaults,
    require                 => Exec[ 'nexus-untar']
  }

My platform is centos 7.2. My nexus data folder has nearly 70000 files.

How can this problem be fixed?
Is this step mandatory?

Nexus 3.x.x download URL is not working

The default URL from where to download Nexus 3.x.x sources does not work. This is what is happening during a Puppet run:

Notice: /Stage[main]/Nexus::Package/Wget::Fetch[nexus-3.1.0-04-bundle.tar.gz]/Exec[wget-nexus-3.1.0-04-bundle.tar.gz]/returns: https://sonatype-download.global.ssl.fastly.net/nexus/oss/nexus-3.1.0-04-bundle.tar.gz:
Notice: /Stage[main]/Nexus::Package/Wget::Fetch[nexus-3.1.0-04-bundle.tar.gz]/Exec[wget-nexus-3.1.0-04-bundle.tar.gz]/returns: 2016-11-04 07:46:53 ERROR 404: Not Found.
Error: wget --no-verbose --output-document="/srv/nexus-3.1.0-04-bundle.tar.gz" "http://download.sonatype.com/nexus/oss/nexus-3.1.0-04-bundle.tar.gz" returned 8 instead of one of [0]
Error: /Stage[main]/Nexus::Package/Wget::Fetch[nexus-3.1.0-04-bundle.tar.gz]/Exec[wget-nexus-3.1.0-04-bundle.tar.gz]/returns: change from notrun to 0 failed: wget --no-verbose --output-document="/srv/nexus-3.1.0-04-bundle.tar.gz" "http://download.sonatype.com/nexus/oss/nexus-3.1.0-04-bundle.tar.gz" returned 8 instead of one of [0]

nexus won't start: Couldn't get file lock

When using a home directory other than /home/ you will be prompted with the following error message:
tail -f /srv/sonatype-work/nexus3/log/nexus.log

Couldn't flush user prefs: java.util.prefs.BackingStoreException: Couldn't get file lock.

Nexus 3.1 wouldn't start up because of file locking issues.

Configuration file "nexus.properties" not created during deployment

Nexus won't start in case of a missing nexus configuration, because there is no default configuration in place after deployment:
/srv/sonatype-work/nexus3/etc/nexus.properties

We should provide a default configuration with (at least) the following definitions:

## DO NOT EDIT - PUPPET MAINTAINS THIS FILE
##
# Jetty section
application-port=8081
application-host=0.0.0.0
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-requestlog.xml

# Nexus section
nexus-edition=nexus-pro-edition
nexus-features=\
 nexus-pro-feature

Service keeps starting on each run

Looks like the "status" on the nexus service is using the root user instead of ${nexus_user} so it's not detecting that the actual service is running.

Release v1.3.2 to forge?

I see the metadata.json was updated to version 1.3.2 after all the updates I submitted got merged. That was nearly a month ago now. Is this going to be released to the forge anytime soon?
