Adding a sudoers file in chef fails at verification - ruby

goal
I'm trying to add/edit a sudoers file in Chef.
After a lot of serach (and broken sudoers) I found this question and the answer seemed to be exactly what I am after.
My cookbook
So in my chef I added the following visudo cookbook:
The recipe: ~/chef-repo/cookbook/visudo/recipes/allowUpgrade.rb
template '/etc/sudoers.d/allowUpgrade' do
cookbook 'visudo'
source 'allowUpgrade.erb'
owner'root'
group 'root'
mode '0440'
verify "visudo -c -f %{path}"
end
My template: ~/chef-repo/cookbooks/visudo/templates/allowUpgrade.erb
username ALL=(ALL) NOPASSWD: /usr/local/bin/upgrade
Template and verification works manually
When I put this line/file there manually using
sudo nano /etc/sudoers.d/allowUpgrade
(I know one shouldn't) and then verify it using
visudo -c -f /etc/sudoers.d/allowUpgrade
I get
/etc/sudoers.d/allowUpgrade: parsed OK
and it works meaning I can run
sudo upgrade
without beeing prompted for the sudo password.
Verification fails running Chef
However it is not working using Chef. I'm trying it first on the local machine using
sudo chef-client -z --runlist 'recipe[visudo::allowUpgrade]'
But I get this error
Error executing action `create` on resource 'template[/etc/sudoers.d/allowUpgrade]'
Chef::Exceptions::ValidationFailed
Why is the verification failing in chef? What am I doing wrong?
Here the complete error message
Recipe: visudo::allowUpgrade
* template[/etc/sudoers.d/allowUpgrade] action create[2017-12-07T08:24:50+01:00] INFO: Processing template[/etc/sudoers.d/allowUpgrade] action create (visudo:: allowUpgrade line 7)
================================================================================
Error executing action `create` on resource 'template[/etc/sudoers.d/allowUpgrade]'
================================================================================
Chef::Exceptions::ValidationFailed
----------------------------------
Proposed content for /etc/sudoers.d/allowUpgrade failed verification #<Chef::Resource::File::Verification:0x0000000004070c48>
Resource Declaration:
---------------------
# In /home/username/chef-repo/.chef/local-mode-cache/cache/cookbooks/visudo/recipes/allowUpgrade.rb
7: template '/etc/sudoers.d/allowUpgrade' do
8: owner'root'
9: group 'root'
10: mode '0440'
11: source 'allowUpgrade.erb'
12: verify 'visudo -c -f %{path}'
13: end
Compiled Resource:
------------------
# Declared in /home/username/chef-repo/.chef/local-mode-cache/cache/cookbooks/visudo/recipes/allowUpgrade.rb:7:in `from_file'
template("/etc/sudoers.d/allowUpgrade") do
action [:create]
default_guard_interpreter :default
source "allowUpgrade.erb"
declared_type :template
cookbook_name "visudo"
recipe_name "allowUpgrade"
owner "root"
group "root"
mode "0440"
verifications [#<Chef::Resource::File::Verification:0x0000000004070c48 #command_opts={},
#command="visudo -c -f %{path}", #block=nil, #parent_resource=<template[/etc/sudoers.d/allowUpgrade]
#name: "/etc/sudoers.d/allowUpgrade" #before: nil #params: {}
#provider: nil #allowed_actions: [:nothing, :create, :delete, :touch, :create_if_missing]
#action: [:create] #updated: false #updated_by_last_action: false
#source_line: "/home/username/chef-repo/.chef/local-mode-cache/cache/cookbooks/visudo/recipes/allowUpgrade.rb:7:in `from_file'"
#guard_interpreter: nil #default_guard_interpreter: :default
#elapsed_time: 0 #source: "allowUpgrade.erb" #cookbook: nil
#local: false #variables: {} #inline_helper_blocks: {}
#inline_helper_modules: [] #helper_modules: [] #declared_type: :template
#cookbook_name: "visudo" #recipe_name: "allowUpgrade" #owner: "root" #group: "root" #mode: "0440"
#verifications: [...] #path: "/etc/sudoers.d/allowUpgrade">>]
path "/etc/sudoers.d/allowUpgrade"
end
Update:
When I leave the verification out and just do
template '/etc/sudoers.d/allowUpgrade' do
cookbook 'visudo'
source 'allowUpgrade.erb'
owner 'root'
group 'root'
mode '0440'
verify { 1 == 1 }
end
The sudo is broken! In recovery mode and the root console I checked and it looks just the same as when I insert it manually (what works fine)?!

Thanks to the help of Tensibai here in the comments and the hint to lineendings I could finally solve this problem.
Indeed the issue was lineendings as noted in this ancient Issue
I generated the cookbooks, recipes and templates on an Ubuntu Server 16.04 but do all m editing on the repository in Brackets.io on Windows.
This made template (and other) files have CRLF instead of LF lineendings because Brackets seems to use automatically the lineendings of the OS it is running on. This ofcourse made the /etc/sudoers.d/allowUpgrade file brake the sudoers because it has to end in a new line.
After some research I found this was an old known Issue and could be solved by the Plug-In Newline.
After installing this Plug-In indeed I could see that the file had CRLF lineendings.
I switched it to LF thanks to the Plug-In by clicking on the CRLF. Now my cookbook runs as expected and I'm able to run
sudo upgrade
without beeng prompted for the password - meaning it works.

Related

Chef - Installing a Windows Package from a Mapped Drive

I am trying to install a package from a mapped drive. However, chef says my source path is an invalid location even though I know it is the correct location. Do I need to map the drive first, before Chef recognizes the source path? I looked online in a couple places and could not find an answer.
case node['platform']
when 'windows'
windows_package 'QualysCloudAgent' do
source '\\Server#\Location1\Qualys_agent\QualysCloudAgent.exe'
options '-argumentlist "CustomerId={etc...etc...etc..} ActivationId={etc...etc..etc...}"'
installer_type :custom
action :install
end
end
The error that I get when the chef client runs is that the source location is in invalid source, even though I can get to the source location by typing it in on the server itself. Any help would be appreciated. Thank you. Error That I receive is below.
* Source for package QualysCloudAgent does not exist
================================================================================
Error executing action `install` on resource 'windows_package[QualysCloudAgent]'
================================================================================
Chef::Exceptions::Package
-------------------------
Source for package QualysCloudAgent does not exist
Resource Declaration:
---------------------
# In c:/chef/cache/cookbooks/qualys/recipes/qualys_configure.rb
18: windows_package 'QualysCloudAgent' do
19: source '\\Server#\Location1\Qualys_agent\QualysCloudAgent.exe'
20: options '-argumentlist "CustomerId={etc...etc...etc...} ActivationId={etc...etc...etc...}"'
21: installer_type :custom
22: action :install
23: end
24: end
Compiled Resource:
------------------
# Declared in c:/chef/cache/cookbooks/qualys/recipes/qualys_configure.rb:18:in `from_file'
windows_package("QualysCloudAgent") do
package_name "QualysCloudAgent"
action [:install]
default_guard_interpreter :default
declared_type :windows_package
cookbook_name "qualys"
recipe_name "qualys_configure"
source "p:\\Server#\\Location1\\qualys_agent\\qualyscloudagent.exe"
options "-argumentlist \"CustomerId={etc...etc...etc...} ActivationId={etc...etc...etc...}\""
installer_type :custom
end
System Info:
------------
chef_version=14.14.25
platform=windows
platform_version=6.3.9600
ruby=ruby 2.5.7p206 (2019-10-01 revision 67816) [x64-mingw32]
program_name=C:/opscode/chef/bin/chef-client
executable=C:/opscode/chef/bin/chef-client
2020-01-12T22:21:50-08:00] INFO: Running queued delayed notifications before re-raising exception
unning handlers:
2020-01-12T22:21:50-08:00] ERROR: Running exception handlers
unning handlers complete
2020-01-12T22:21:50-08:00] ERROR: Exception handlers complete
hef Client failed. 0 resources updated in 14 seconds
2020-01-12T22:21:51-08:00] FATAL: Stacktrace dumped to c:/chef/cache/chef-stacktrace.out
2020-01-12T22:21:51-08:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
2020-01-12T22:21:51-08:00] FATAL: Chef::Exceptions::Package: windows_package[QualysCloudAgent] (qualys::qualys_configur
line 18) had an error: Chef::Exceptions::Package: Source for package QualysCloudAgent does not exist
Since you're installing a package, it's safe to assume you are running chef-client with elevated permissions. Any network drives you map that are visible in Explorer, will not be usable in an elevated process. You will either need to:
Use the UNC path in place of a letter drive
Map the drive during the Chef run (required if the full UNC path would exceed 255 characters)
If you opt for the latter approach, you can use the mount resource to map a network drive.

Chef windows_share resource path required

windows cookbook version 3.1.1
chef client 13.2.20
Trying to create a window share on server 2016 with the following code.
include_recipe "windows"
directory 'c:\share' do
rights :full_control, "Administrators"
action :create
end
windows_share "share" do
action :create
path 'c:\share'
full_users ["Administrators"]
end
Chef creates the folder ok, but returns the following output on creation of the share:
Error executing action `create` on resource 'windows_share[share]'
=========================================================
Chef::Exceptions::ValidationFailed
----------------------------------
path is required
I clear have path set. Any ideas on why this would fail?
You should use 'c:\\share'. Backslash is an escape character in strings.
Reverting from windows 3.1.1 to windows 3.1.0 has addressed the issue altogether and I'm now able to create shares with windows_share.
Commit fc2691f changed the property to required instead of raising an exception that it was missing.
https://github.com/chef-cookbooks/windows/issues/482

Chef LWRP recipe Errno::ENOENT: No such file or directory # dir_s_mkdir

I am using the chef community java cookbook to install java on CentOS 7.2. I have an LWRP recipe that is not working
I build up my install parameters via the java_ark section
op_sys = node['os']
# Used to get the required java update from the environment file
java_ver_update = node['java_ver']
# Logic for each OS
if op_sys == 'linux'
# Java_ark, which is used to define the correct install attributes for each OS type (win/linux)
install_dir = node['install_dir']
java_ark "jdk" do
url 'http://sv-dc01.sv.local/install_artifacts/java/oracle/JRE/jre-'+"#{java_ver_update}"+'-linux-x64.tar.gz'
app_home install_dir
owner 'root'
group 'wheel'
app_home_mode 774
action :install
end
# Set the folder permissions
execute "chown-dir" do
command "chmod -R 774 #{install_dir}"
action :run
end
end
Here is my environment file where I have set some node attributes to be called in the main recipe
name 'env_workstation_dubbo'
description "Environment Workstation Dubbo"
cookbook_versions({
"ohai" => "> 0.0.1",
"java" => "> 0.1.0",
"install_java" => "> 0.0.1"
})
$environment = Hash.new{|h,k| h[k]=Hash.new(&h.default_proc) }
$override = Hash.new{|h,k| h[k]=Hash.new(&h.default_proc) }
$override['java']['jdk_version'] = '8'
$override['java']['install_flavor'] = 'oracle'
$override['java']['oracle']['accept_oracle_download_terms'] = true
$override['java']['set_default'] = false
# Custom attributes/variables to be placed here
$override['java_ver'] = '8u77'
$override['install_dir'] = '/applications/'
default_attributes(Chef::Mixin::DeepMerge.merge($_default_environment, $environment))
override_attributes($override)
And here is what happens during the sudo chef-client run on the CentOS machine I am using for testing:
Starting Chef Client, version 12.16.42
resolving cookbooks for run list: ["install_java"]
Synchronizing Cookbooks:
- install_java (0.2.0)
- java (1.43.0)
- compat_resource (12.16.2)
- ohai (4.2.2)
- seven_zip (2.0.2)
- homebrew (2.1.2)
- apt (5.0.0)
- build-essential (7.0.2)
- windows (2.1.1)
- mingw (1.2.4)
- ark (2.1.0)
Installing Cookbook Gems:
Compiling Cookbooks...
[2016-12-12T11:04:24+13:00] WARN: Chef::Provider::AptRepository already exists! Cannot create deprecation class for LWRP provider apt_repository from cookbook apt
[2016-12-12T11:04:24+13:00] WARN: AptRepository already exists! Deprecation class overwrites Custom resource apt_repository from cookbook apt
Converging 8 resources
Recipe: install_java::default
* java_ark[jdk] action install
================================================================================
Error executing action `install` on resource 'java_ark[jdk]'
================================================================================
Errno::ENOENT
-------------
No such file or directory # dir_s_mkdir -
Cookbook Trace:
---------------
/var/chef/cache/cookbooks/java/providers/ark.rb:116:in `block (2 levels) in class_from_file'
/var/chef/cache/cookbooks/java/providers/ark.rb:115:in `block in class_from_file'
Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/install_java/recipes/default.rb
18: java_ark "jdk" do
19: url 'http://sv-dc01.sv.local/install_artifacts/java/oracle/JRE/jre-'+"#{java_ver_update}"+'-linux-x64.tar.gz'
20: app_home install_dir
21: owner 'root'
22: group 'wheel'
23: app_home_mode 774
24: action :install
25: end
26:
Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/install_java/recipes/default.rb:18:in `from_file'
java_ark("jdk") do
action [:install]
supports {:report=>true, :exception=>true}
retries 0
retry_delay 2
default_guard_interpreter :default
declared_type :java_ark
cookbook_name "install_java"
recipe_name "default"
url "http://sv-dc01.sv.local/install_artifacts/java/oracle/JRE/jre-8u77-linux-x64.tar.gz"
app_home "/applications/"
owner "root"
group "wheel"
app_home_mode 774
end
Platform:
---------
x86_64-linux
Running handlers:
[2016-12-12T11:04:25+13:00] ERROR: Running exception handlers
Running handlers complete
[2016-12-12T11:04:25+13:00] ERROR: Exception handlers complete
Chef Client failed. 0 resources updated in 17 seconds
[2016-12-12T11:04:25+13:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2016-12-12T11:04:25+13:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-12-12T11:04:25+13:00] ERROR: java_ark[jdk] (install_java::default line 18) had an error: Errno::ENOENT: No such file or directory # dir_s_mkdir -
[2016-12-12T11:04:25+13:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
I can't for the life of me figure out why it can't find the file or directory or get a completed install of Java working???
Maybe your environment is not applied correctly. I mean, if you machine is not using your 'env_workstation_dubbo' environment, the node['install_dir'] attribute will not be correctly set. You can read how to set the environment for a node here.
Another possibility is that you are using a modified version of the java cookbook that uses mkdir instead of mkdir_p. I say that because I have not been able to find your 2.0.0 java cookbook version in the supermarket. Where are you getting that cookbook from?
Update after downgraded to java cookbook version v1.43.0
The problem is that the install_dir must be at least 2 directory level deep, following the app_root/app_name format. For example "/applications/default".
If you use "/applications" as install_dir, app_name will be "applications", app_root will be empty and the latter will cause the mkdir error when trying to create the application root directory.

Unable to set jdoconfig.xml and appname.properties templates for the war file deployed in tomcat7/webapps

Recipe:
include_recipe "lgjava"
include_recipe "lgtomcat"
remote_file "/usr/local/tomcat7/webapps/web.war" do #this file places web.war in the specified path
source "http://path/to/web.war"
action :create_if_missing
end
template "jdoconfig.xml" do
source "jdoconfig.xml.erb"
path "/usr/local/tomcat7/webapps/web/WEB-INF/classes/META-INF/jdoconfig.xml"
action :create_if_missing
mode "0755"
end
template "appname.properties" do
source "appname.properties.erb"
path "/usr/local/tomcat7/webapps/web/WEB-INF/classes/appname.properties"
action :create_if_missing
mode "0755"
end
Execution:
Recipe: lgwebapp::default
* remote_file[/usr/local/tomcat7/webapps/web.war] action create_if_missing
- create new file /usr/local/tomcat7/webapps/web.war
- update content in file /usr/local/tomcat7/webapps/web.war from none to ac4b77
(file sizes exceed 10000000 bytes, diff output suppressed)
- restore selinux security context
* template[jdoconfig.xml] action create_if_missing
* Parent directory /usr/local/tomcat7/webapps/web/WEB-INF/classes/META-INF does not exist.
================================================================================
Error executing action `create_if_missing` on resource 'template[jdoconfig.xml]'
================================================================================
Chef::Exceptions::EnclosingDirectoryDoesNotExist
------------------------------------------------
Parent directory /usr/local/tomcat7/webapps/web/WEB-INF/classes/META-INF does not exist.
Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/lgwebapp/recipes/default.rb
20: template "jdoconfig.xml" do
21: source "jdoconfig.xml.erb"
22: path "/usr/local/tomcat7/webapps/web/WEB-INF/classes/META-INF/jdoconfig.xml"
23: action :create_if_missing
24: mode "0755"
25: end
26:
Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/lgwebapp/recipes/default.rb:20:in `from_file'
template("jdoconfig.xml") do
provider Chef::Provider::Template
action [:create_if_missing]
retries 0
retry_delay 2
guard_interpreter :default
path "/usr/local/tomcat7/webapps/web/WEB-INF/classes/META-INF/jdoconfig.xml"
backup 5
atomic_update true
source "jdoconfig.xml.erb"
cookbook_name "lgwebapp"
recipe_name "default"
mode "0755"
end
Recipe: lgtomcat::default
* service[tomcat7] action restart
- restart service service[tomcat7]
Running handlers:
[2015-01-14T10:38:44+00:00] ERROR: Running exception handlers
Running handlers complete
[2015-01-14T10:38:44+00:00] ERROR: Exception handlers complete
[2015-01-14T10:38:44+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 6 resources updated in 6.532117395 seconds
[2015-01-14T10:38:44+00:00] ERROR: template[jdoconfig.xml] (lgwebapp::default line 20) had an error: Chef::Exceptions::EnclosingDirectoryDoesNotExist: Parent directory /usr/local/tomcat7/webapps/web/WEB-INF/classes/META-INF does not exist.
[2015-01-14T10:38:44+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
P.S: the web.war file is deployed under tomcat7/webapps and its extracted too. I manually checked it, the file exists in the specific location. Why is that it's not able to locate using 'templates'?
Take it as stream:
Chef deploys the war then renders the template and try to compare with existing file.
The problem is that when chef tries to get the target file info, Tomcat probably has not yet unpacked the war file at all.
We do this kind of deployment with an ark resource out of tomcat, render the templates and then copy or link (depending on the cases) the temp deploy dir to the webapps tomcat dir.
The below code solved my problem:
ruby_block 'wait for tomcat' do
block do
true until ::File.exists?("#{node['webapp']['webinf_dir']}")
end
end

Recipe fails on crete_if_missing

I am following this tutorial: http://www.gotealeaf.com/blog/chef-basics-for-rails-developers , where they have us making our own recipe. The code bellow is the recipe. The problem is with the block of code that starts with cookbook_file "id_rsa" and ends right before the, # Add Github as known host, comment. I was able to get past the cookbook_file "id_rsa" block and the cookbook_file "id_rsa.pub" block by moving my id_rsa and id_rsa.pub files into the rails-stack/files/default/ directory, but now it breaks when it attempts the sudo_without_password block. Surprisingly, if I provision vagrant after every error thrown by the action: create_if_missing blocks the configuration gets as far as the cookbooks_file "authorization keys" block but it gets stuck there; even after provisioning when I get the error the first time. Any ideas about what is happening? Please be as descriptive as you can, I am relatively new to devops and only know a few of the ins and outs of vagrant and chef. Thanks in advance!
execute "apt-get update" do
command "apt-get update"
end
# OS Dendencies
%w(git ruby-dev build-essential libsqlite3-dev libssl-dev).each do |pkg|
package pkg
end
# Deployer user, sudoer and with known RSA keys
user_account 'deployer' do
create_group true
end
group "sudo" do
action :modify
members "deployer"
append true
end
cookbook_file "id_rsa" do
source "id_rsa"
path "/home/deployer/.ssh/id_rsa"
group "deployer"
owner "deployer"
mode 0600
action :create_if_missing
end
cookbook_file "id_rsa.pub" do
source "id_rsa.pub"
path "/home/deployer/.ssh/id_rsa.pub"
group "deployer"
owner "deployer"
mode 0644
action :create_if_missing
end
# Allow sudo command without password for sudoers
cookbook_file "sudo_without_password" do
source "sudo_without_password"
path "/etc/sudoers.d/sudo_without_password"
group "root"
owner "root"
mode 0440
action :create_if_missing
end
# Authorize yourself to connect to server
cookbook_file "authorized_keys" do
source "authorized_keys"
path "/home/deployer/.ssh/authorized_keys"
group "deployer"
owner "deployer"
mode 0600
action :create
end
# Add Github as known host
ssh_known_hosts_entry 'github.com'
# Install Ruby Version
include_recipe 'ruby_build'
ruby_build_ruby '2.1.2'
link "/usr/bin/ruby" do
to "/usr/local/ruby/2.1.2/bin/ruby"
end
gem_package 'bundler' do
options '--no-ri --no-rdoc'
end
# Install Rails Application
include_recipe "runit"
application 'capistrano-first-steps' do
owner 'deployer'
group 'deployer'
path '/var/www/capistrano-first-steps'
repository 'git#github.com:gotealeaf/capistrano-first-steps.git'
rails do
bundler true
database do
adapter "sqlite3"
database "db/production.sqlite3"
end
end
unicorn do
worker_processes 2
end
end
****EDIT*******
Since writing the question the first time, I've commented out the sudo_without_password block and was able to find a work around by adding
ssh_keygen true
to the user_account 'deployer' block.
I also put an empty authorized_keys file in rails-stack/files/default/ and that helps the cookbook_file 'authorized_keys' block run without errors.
Now I get this error when vagrant/chef tries to pull the example repo
==> default: [2014-12-04T22:44:18+00:00] ERROR: deploy_revision[capistrano-first-steps] (/tmp/vagrant-chef-3/chef-solo-2/cookbooks/application/providers/default.rb line 123) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '128'
==> default: ---- Begin output of git ls-remote "git#github.com:gotealeaf/capistrano-first-steps.git" "HEAD" ----
==> default: STDOUT:
==> default: STDERR: Warning: Permanently added the RSA host key for IP address '192.30.252.129' to the list of known hosts.
==> default: Permission denied (publickey).
==> default: fatal: Could not read from remote repository.
==> default:
==> default: Please make sure you have the correct access rights
==> default: and the repository exists.
==> default: ---- End output of git ls-remote "git#github.com:gotealeaf/capistrano-first-steps.git" "HEAD" ----
==> default: Ran git ls-remote "git#github.com:gotealeaf/capistrano-first-steps.git" "HEAD" returned 128
==> default: [2014-12-04T22:44:18+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
The answer is simple, after I remembered I had a similar issue with puppet. For some reason, not sure why using
git#github.com:gotealeaf/capistrano-first-steps.git
Does not sit well with vagrant/chef/puppet. So, what I did was change the above line to
https://github.com/gotealeaf/capistrano-first-steps
and that did it, my config of the box worked and there were no problems!
You probably have to point the application resource to the private key that will be used used to clone the repo.
application 'capistrano-first-steps' do
...
deploy_key lazy { File.read("/home/deployer/.ssh/id_rsa") }
...
end
More info -- https://supermarket.chef.io/cookbooks/application

Resources