issue with using on a deployment server : ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE.

[harshguptaserver]

Hello,

aim : use nginx_pypi_cache as a central cache for pip cache in container builds

error : while running the container as described below and testing I am getting error

build steps:

git clone https://github.com/hauntsaninja/nginx_pypi_cache.git
docker build . -t nginx_pypi_cache:latest
docker run -p 81:80 nginx_pypi_cache:latest

then while it is running testing on other machine:

python3 -m pip install --index-url=http://192.168.88.70:81/simple --trusted-host 192.168.88.70 flask

Defaulting to user installation because normal site-packages is not writeable
Looking in indexes: http://192.168.88.70:81/simple
Collecting flask
  Downloading http://192.168.88.70/packages/61/80/ffe1da13ad9300f87c93af113edd0638c75138c42a0994becfacac078c06/flask-3.0.3-py3-none-any.whl.metadata (785 bytes)
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    flask from http://192.168.88.70/packages/61/80/ffe1da13ad9300f87c93af113edd0638c75138c42a0994becfacac078c06/flask-3.0.3-py3-none-any.whl:
        Expected sha256 7b13da872e1a6a18d5fa662a77da9be4734ff21681fc8c53b9aa2da12bc2b5a8
             Got        861b25d703512b9fc49160bf4df4c6f762e0451e2b5790ef66259df1ad48fd61

Container log:

docker run -p 81:80 nginx_pypi_cache:latest
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up

192.168.88.228 - 192.168.88.70 [06/Nov/2024:16:01:24 +0000] request_time=0.109 upstream_time=0.108 cache_status=MISS    200 "GET /simple/flask/ HTTP/1.1" 15363
192.168.88.228 - 192.168.88.70 [06/Nov/2024:16:01:42 +0000] request_time=0.000 upstream_time=- cache_status=HIT         200 "GET /simple/flask/ HTTP/1.1" 15363

Please advise

[harshguptaserver]

Also,

I quickly tested

https://github.com/EpicWink/proxpi

and this works flawlessly

build/run/logs:

docker run -p 5000:5000 epicwink/proxpi
Unable to find image 'epicwink/proxpi:latest' locally
latest: Pulling from epicwink/proxpi
43c4264eed91: Pull complete 
4d1b2996acac: Pull complete 
b3125c671f19: Pull complete 
c72d76b06fd3: Pull complete 
a967893e1984: Pull complete 
Digest: sha256:bf9832683416985679e1e5b6a6d2cb34bfe9c8d3ce2b07b2095ca5943242d632
Status: Downloaded newer image for epicwink/proxpi:latest
2024-11-06 16:13:56 [    INFO] proxpi.server: proxpi version: 1.2.1rc0
2024-11-06 16:13:56 [    INFO] proxpi.server: Cache: Cache(root_cache=_IndexCache('https://pypi.org/simple/', 1800), file_cache=_FileCache(5368709120, '/tmp/tmppwvz0ot8', <proxpi._cache.Session object at 0x7f01c58a49e0>), extra_caches=[])
2024-11-06 16:13:56 [    INFO] gunicorn.error: Starting gunicorn 22.0.0
2024-11-06 16:13:56 [    INFO] gunicorn.error: Listening at: http://0.0.0.0:5000 (1)
2024-11-06 16:13:56 [    INFO] gunicorn.error: Using worker: gthread
2024-11-06 16:13:56 [    INFO] gunicorn.error: Booting worker with pid: 7
2024-11-06 16:14:44 [    INFO] gunicorn.access: 192.168.88.228 "GET /index/flask/ HTTP/1.1" 200 6790 146ms
2024-11-06 16:14:44 [    INFO] gunicorn.access: 192.168.88.228 "GET /index/flask/flask-3.0.3-py3-none-any.whl.metadata HTTP/1.1" 200 0 129ms
2024-11-06 16:14:44 [    INFO] gunicorn.access: 192.168.88.228 "GET /index/werkzeug/ HTTP/1.1" 200 11875 67ms
2024-11-06 16:14:44 [    INFO] gunicorn.access: 192.168.88.228 "GET /index/werkzeug/werkzeug-3.1.2-py3-none-any.whl.metadata HTTP/1.1" 200 0 42ms
2024-11-06 16:14:44 [    INFO] gunicorn.access: 192.168.88.228 "GET /index/itsdangerous/ HTTP/1.1" 200 2374 50ms
2024-11-06 16:14:44 [    INFO] gunicorn.access: 192.168.88.228 "GET /index/itsdangerous/itsdangerous-2.2.0-py3-none-any.whl.metadata HTTP/1.1" 200 0 40ms
2024-11-06 16:14:44 [    INFO] gunicorn.access: 192.168.88.228 "GET /index/flask/flask-3.0.3-py3-none-any.whl HTTP/1.1" 200 0 69ms
2024-11-06 16:14:44 [    INFO] gunicorn.access: 192.168.88.228 "GET /index/itsdangerous/itsdangerous-2.2.0-py3-none-any.whl HTTP/1.1" 200 0 35ms
2024-11-06 16:14:45 [    INFO] gunicorn.access: 192.168.88.228 "GET /index/werkzeug/werkzeug-3.1.2-py3-none-any.whl HTTP/1.1" 200 0 103ms

test/run on client :

python3 -m pip install  --index-url=http://192.168.88.70:5000/index/ --trusted-host 192.168.88.70  flask
Defaulting to user installation because normal site-packages is not writeable
Looking in indexes: http://192.168.88.70:5000/index/
Collecting flask
  Downloading http://192.168.88.70:5000/index/flask/flask-3.0.3-py3-none-any.whl.metadata (3.2 kB)
Collecting Werkzeug>=3.0.0 (from flask)
  Downloading http://192.168.88.70:5000/index/werkzeug/werkzeug-3.1.2-py3-none-any.whl.metadata (3.7 kB)
Requirement already satisfied: Jinja2>=3.1.2 in /usr/lib/python3/dist-packages (from flask) (3.1.2)
Collecting itsdangerous>=2.1.2 (from flask)
  Downloading http://192.168.88.70:5000/index/itsdangerous/itsdangerous-2.2.0-py3-none-any.whl.metadata (1.9 kB)
Requirement already satisfied: click>=8.1.3 in /usr/lib/python3/dist-packages (from flask) (8.1.6)
Requirement already satisfied: blinker>=1.6.2 in /usr/lib/python3/dist-packages (from flask) (1.7.0)
Requirement already satisfied: MarkupSafe>=2.1.1 in /usr/lib/python3/dist-packages (from Werkzeug>=3.0.0->flask) (2.1.5)
Downloading http://192.168.88.70:5000/index/flask/flask-3.0.3-py3-none-any.whl (101 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 101.7/101.7 kB 6.0 MB/s eta 0:00:00
Downloading http://192.168.88.70:5000/index/itsdangerous/itsdangerous-2.2.0-py3-none-any.whl (16 kB)
Downloading http://192.168.88.70:5000/index/werkzeug/werkzeug-3.1.2-py3-none-any.whl (224 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 224.4/224.4 kB 13.3 MB/s eta 0:00:00
Installing collected packages: Werkzeug, itsdangerous, flask
Successfully installed Werkzeug-3.1.2 flask-3.0.3 itsdangerous-2.2.0

Please help me identify my mistake with nginx_pypi_cache :-)

[hauntsaninja]

Hm, I can't repro... can you consistently repro?

Where are you getting your hashes from? It's not mentioned in your description. This is usually a requirements.txt file with hashes in it (hence the THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE message from pip)

When I generate hashes for that flask version against upstream PyPI or an nginx mirror, I get the following, which does not match either of the hashes in your description (expected or actual):

flask==3.0.3 \
    --hash=sha256:34e815dfaa43340d1d15a5c3a02b8476004037eb4840b34910c6e21679d288f3 \
    --hash=sha256:ceb27b0af3823ea2737928a4d99d125a06175b8512c445cbd9a9ce200ef76842

It would also be good to use the --no-cache-dir --force-reinstall flags to pip, to rule out some potential sources of funkiness

[harshguptaserver]

Hello @hauntsaninja ,

Thank you for the quick response.

I am able to reproduce it while testing on multiple systems and multiple python versions. I am not using any requirements or any other setting apart from simple python installed and command that i am executing.

Please Note: I am not explicitly setting any mirror in my python or the docker container for nginx_pypi_cache.

Here is another trail that I did on a python3.10 vm :

python3 -m pip install --index-url=http://192.168.88.70:81/simple --trusted-host 192.168.88.70 pip
Defaulting to user installation because normal site-packages is not writeable
Looking in indexes: http://192.168.88.70:81/simple
Requirement already satisfied: pip in /usr/local/lib/python3.10/dist-packages (24.2)

[notice] A new release of pip is available: 24.2 -> 24.3.1
[notice] To update, run: python3 -m pip install --upgrade pip

listing works & following line is present in docker ( docker run -p 81:80 nginx_pypi_cache:latest )

192.168.88.14 - 192.168.88.70 [07/Nov/2024:12:43:57 +0000] request_time=0.097 upstream_time=0.097 cache_status=MISS     200 "GET /simple/pip/ HTTP/1.1" 39161

192.168.88.14 - 192.168.88.70 [07/Nov/2024:12:44:33 +0000] request_time=0.000 upstream_time=- cache_status=HIT  200 "GET /simple/pip/ HTTP/1.1" 39161
192.168.88.14 - 192.168.88.70 [07/Nov/2024:12:45:19 +0000] request_time=0.000 upstream_time=- cache_status=HIT  200 "GET /simple/pip/ HTTP/1.1" 39161
192.168.88.14 - 192.168.88.70 [07/Nov/2024:12:45:20 +0000] request_time=0.000 upstream_time=- cache_status=HIT  200 "GET /simple/pip/ HTTP/1.1" 39161

this works great for listing. However, when i issue an install command I automatically get the error as follows:

python3 -m pip install --index-url=http://192.168.88.70:81/simple --trusted-host 192.168.88.70 --upgrade  pip
Defaulting to user installation because normal site-packages is not writeable
Looking in indexes: http://192.168.88.70:81/simple
Requirement already satisfied: pip in /usr/local/lib/python3.10/dist-packages (24.2)
Collecting pip
  Downloading http://192.168.88.70/packages/ef/7d/500c9ad20238fcfcb4cb9243eede163594d7020ce87bd9610c9e02771876/pip-24.3.1-py3-none-any.whl.metadata (785 bytes)

[notice] A new release of pip is available: 24.2 -> 24.3.1
[notice] To update, run: python3 -m pip install --upgrade pip
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    pip from http://192.168.88.70/packages/ef/7d/500c9ad20238fcfcb4cb9243eede163594d7020ce87bd9610c9e02771876/pip-24.3.1-py3-none-any.whl:
        Expected sha256 57c88234ad4661b0bcd8f5ac2ccb0048387d00ee2f7a871194ce0f9fdab62852
             Got        861b25d703512b9fc49160bf4df4c6f762e0451e2b5790ef66259df1ad48fd61

This issue seems consistent, perhaps I am doing something wrong in setting up container or in issuing the command.
Kindly advise.

Also, it seems to not have making a call as the docker do not seem to print any error in the docker run -p ( without -d ) .

[harshguptaserver]

@hauntsaninja if there are any commands that can help me produce more logs to help troubleshoot please let me know.

I have tried removing the pip cache and everything, the result is same(this time on my desktop):

harsh@desktop:~$ sudo rm -rf ~/.cache/pip/
harsh@desktop:~$ python3 -m pip install --index-url=http://192.168.88.70:81/simple --trusted-host 192.168.88.70 --upgrade  pip
Defaulting to user installation because normal site-packages is not writeable
Looking in indexes: http://192.168.88.70:81/simple
Requirement already satisfied: pip in ./.local/lib/python3.10/site-packages (24.0)
Collecting pip
  Downloading http://192.168.88.70/packages/ef/7d/500c9ad20238fcfcb4cb9243eede163594d7020ce87bd9610c9e02771876/pip-24.3.1-py3-none-any.whl.metadata (785 bytes)
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    pip from http://192.168.88.70/packages/ef/7d/500c9ad20238fcfcb4cb9243eede163594d7020ce87bd9610c9e02771876/pip-24.3.1-py3-none-any.whl:
        Expected sha256 57c88234ad4661b0bcd8f5ac2ccb0048387d00ee2f7a871194ce0f9fdab62852
             Got        861b25d703512b9fc49160bf4df4c6f762e0451e2b5790ef66259df1ad48fd61


[notice] A new release of pip is available: 24.0 -> 24.3.1
[notice] To update, run: python3 -m pip install --upgrade pip

Here is another trial:

python3 -m pip cache purge
Files removed: 1574
harsh@desktop:~$ python3 -m pip install --index-url=http://192.168.88.70:81/simple --trusted-host 192.168.88.70 --upgrade  pip
Defaulting to user installation because normal site-packages is not writeable
Looking in indexes: http://192.168.88.70:81/simple
Requirement already satisfied: pip in ./.local/lib/python3.10/site-packages (24.0)
Collecting pip
  Downloading http://192.168.88.70/packages/ef/7d/500c9ad20238fcfcb4cb9243eede163594d7020ce87bd9610c9e02771876/pip-24.3.1-py3-none-any.whl.metadata (785 bytes)
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    pip from http://192.168.88.70/packages/ef/7d/500c9ad20238fcfcb4cb9243eede163594d7020ce87bd9610c9e02771876/pip-24.3.1-py3-none-any.whl:
        Expected sha256 57c88234ad4661b0bcd8f5ac2ccb0048387d00ee2f7a871194ce0f9fdab62852
             Got        861b25d703512b9fc49160bf4df4c6f762e0451e2b5790ef66259df1ad48fd61


[notice] A new release of pip is available: 24.0 -> 24.3.1
[notice] To update, run: python3 -m pip install --upgrade pip

harsh@desktop:~$ python3 -m pip install --index-url=http://192.168.88.70:81/simple --trusted-host 192.168.88.70 --upgrade  pip  --no-cache-dir 
Defaulting to user installation because normal site-packages is not writeable
Looking in indexes: http://192.168.88.70:81/simple
Requirement already satisfied: pip in ./.local/lib/python3.10/site-packages (24.0)
Collecting pip
  Downloading http://192.168.88.70/packages/ef/7d/500c9ad20238fcfcb4cb9243eede163594d7020ce87bd9610c9e02771876/pip-24.3.1-py3-none-any.whl.metadata (785 bytes)
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
    pip from http://192.168.88.70/packages/ef/7d/500c9ad20238fcfcb4cb9243eede163594d7020ce87bd9610c9e02771876/pip-24.3.1-py3-none-any.whl:
        Expected sha256 57c88234ad4661b0bcd8f5ac2ccb0048387d00ee2f7a871194ce0f9fdab62852
             Got        861b25d703512b9fc49160bf4df4c6f762e0451e2b5790ef66259df1ad48fd61


[notice] A new release of pip is available: 24.0 -> 24.3.1
[notice] To update, run: python3 -m pip install --upgrade pip

Here are the docker logs during these tests:

192.168.88.227 - 192.168.88.70 [07/Nov/2024:12:54:46 +0000] request_time=0.129 upstream_time=0.128 cache_status=EXPIRED         200 "GET /simple/pip/ HTTP/1.1" 39161
192.168.88.227 - 192.168.88.70 [07/Nov/2024:12:55:58 +0000] request_time=0.000 upstream_time=- cache_status=HIT         200 "GET /simple/pip/ HTTP/1.1" 39161
192.168.88.227 - 192.168.88.70 [07/Nov/2024:12:56:21 +0000] request_time=0.000 upstream_time=- cache_status=HIT         200 "GET /simple/pip/ HTTP/1.1" 39161
192.168.88.227 - 192.168.88.70 [07/Nov/2024:12:56:24 +0000] request_time=0.000 upstream_time=- cache_status=HIT         200 "GET /simple/pip/ HTTP/1.1" 39161
192.168.88.227 - 192.168.88.70 [07/Nov/2024:12:57:34 +0000] request_time=0.000 upstream_time=- cache_status=HIT         200 "GET /simple/pip/ HTTP/1.1" 39161
192.168.88.227 - 192.168.88.70 [07/Nov/2024:12:57:38 +0000] request_time=0.000 upstream_time=- cache_status=HIT         200 "GET /simple/pip/ HTTP/1.1" 39161

[hauntsaninja]

It looks like the hash mismatch is on the metadata file, which is interesting.

What do you see when you download the file http://192.168.88.70/packages/ef/7d/500c9ad20238fcfcb4cb9243eede163594d7020ce87bd9610c9e02771876/pip-24.3.1-py3-none-any.whl.metadata and compare it to the equivalent from the upstream (files.pythonhosted.org)?

[harshguptaserver]

Apologies for the delay in response.

I tried again today ( with latest version of code package from git and now it seems i am not even able to get it to work )

build code :

git clone https://github.com/hauntsaninja/nginx_pypi_cache.git
cd nginx_pypi_cache/
docker build . -t nginx_pypi_cache:latest
 docker run -p 5001:80 nginx_pypi_cache:latest

app output:

docker run -p 5001:80 nginx_pypi_cache:latest
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
192.168.88.228 - 192.168.88.12 [19/Jan/2025:10:23:05 +0000] request_time=0.146 upstream_time=0.147 cache_status=MISS    404 "GET /index/fastapi/ HTTP/1.1" 2101
192.168.88.228 - 192.168.88.12 [19/Jan/2025:10:23:25 +0000] request_time=0.104 upstream_time=0.103 cache_status=MISS    200 "GET /simple/fastapi/ HTTP/1.1" 64077
192.168.88.228 - 192.168.88.12 [19/Jan/2025:10:23:51 +0000] request_time=0.000 upstream_time=- cache_status=HIT         200 "GET /simple/fastapi/ HTTP/1.1" 64070
192.168.88.228 - 192.168.88.12 [19/Jan/2025:10:24:47 +0000] request_time=0.171 upstream_time=0.171 cache_status=MISS    200 "GET /simple/pip/ HTTP/1.1" 39155

run call:

python3 -m pip install --index-url=http://192.168.88.12:5001/simple --trusted-host 192.168.88.12 --upgrade  pip
Defaulting to user installation because normal site-packages is not writeable
Looking in indexes: http://192.168.88.12:5001/simple
Requirement already satisfied: pip in /usr/lib/python3/dist-packages (24.0)
Collecting pip
  WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPConnection object at 0x783edb412a20>: Failed to establish a new connection: [Errno 111] Connection refused')': /packages/ef/7d/500c9ad20238fcfcb4cb9243eede163594d7020ce87bd9610c9e02771876/pip-24.3.1-py3-none-any.whl.metadata
  WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPConnection object at 0x783edb4133e0>: Failed to establish a new connection: [Errno 111] Connection refused')': /packages/ef/7d/500c9ad20238fcfcb4cb9243eede163594d7020ce87bd9610c9e02771876/pip-24.3.1-py3-none-any.whl.metadata
  WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPConnection object at 0x783edb413140>: Failed to establish a new connection: [Errno 111] Connection refused')': /packages/ef/7d/500c9ad20238fcfcb4cb9243eede163594d7020ce87bd9610c9e02771876/pip-24.3.1-py3-none-any.whl.metadata
  WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPConnection object at 0x783edb413980>: Failed to establish a new connection: [Errno 111] Connection refused')': /packages/ef/7d/500c9ad20238fcfcb4cb9243eede163594d7020ce87bd9610c9e02771876/pip-24.3.1-py3-none-any.whl.metadata
  WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPConnection object at 0x783edb413110>: Failed to establish a new connection: [Errno 111] Connection refused')': /packages/ef/7d/500c9ad20238fcfcb4cb9243eede163594d7020ce87bd9610c9e02771876/pip-24.3.1-py3-none-any.whl.metadata
ERROR: Could not install packages due to an OSError: HTTPConnectionPool(host='192.168.88.12', port=80): Max retries exceeded with url: /packages/ef/7d/500c9ad20238fcfcb4cb9243eede163594d7020ce87bd9610c9e02771876/pip-24.3.1-py3-none-any.whl.metadata (Caused by NewConnectionError('<pip._vendor.urllib3.connection.HTTPConnection object at 0x783edb413770>: Failed to establish a new connection: [Errno 111] Connection refused'))