Chef:Install windows_feature with guard clause not_if - ruby

I'm using Chef 12.4 and using chef-client in local mode. I'm trying to install windows features and detect their current status before I do the installation, or removal. The reason for using the not if, is because when using DISM it takes for ever to check the current state.
Currently I have a server that takes 45 minutes to build and then 20 minutes to run chef even when there is nothing to do.
I used the following Powershell script 'service-check.ps1' to output the status of the package, this is put in place by the recipe itself:
$content = Get-Content .\features.txt
$feature = $args[0]
function grep($f) {
foreach($_ in $content){
$data = $_.split("|")
%{if($($data[0]) -match $f) {return "$($data[1])"}}
}
}
grep $feature
The recipe I'm using writes the 'features.txt' file to the location where Chef is being run, by querying dism for the current features and their status. The recipe file is as follows:
#Check the features and their current state
powershell_script 'installed_features' do
code <<-EOH
dism /online /get-features /format:table > c://chef//features.txt
EOH
end
cookbook_file 'C:\Scripts\service-check.ps1' do
source 'service-check.ps1'
end
windows_feature 'TelnetClient' do
action :remove
only_if {
status = powershell_out("Powershell -f C:\\scripts\\service-check.ps1 TelnetClient").stdout.chop
Disabled != status
}
end
I have tried many different formats in the only_if {} segment, however none of them have worked. I used the example that is here:
http://pdalinis.blogspot.co.uk/2013/09/chef-using-powershell-as-conditional.html
The output I get is:
* windows_feature[TelnetClient] action remove
================================================================================
Error executing action `remove` on resource 'windows_feature[TelnetClient]'
================================================================================
NameError
---------
uninitialized constant Chef::Recipe::Disabled
Resource Declaration:
---------------------
# In C:/chef/local-mode-cache/cache/cookbooks/tester/recipes/default.rb
12: windows_feature 'TelnetClient' do
13: action :remove
14: only_if {
15: status = powershell_out("Powershell -f C:\\scripts\\service-check.ps1 TelnetClient").stdout.chop
16: Disabled != status
17: }
18: end
Compiled Resource:
------------------
# Declared in C:/chef/local-mode-cache/cache/cookbooks/tester/recipes/default.rb:12:in `from_file'
windows_feature("TelnetClient") do
provider LWRP provider windows_feature_dism from cookbook windows
action [:remove]
retries 0
retry_delay 2
default_guard_interpreter :default
declared_type :windows_feature
cookbook_name "tester"
recipe_name "default"
only_if { #code block }
end
I'm a novice at Chef, Ruby and Powershell. I'm assuming that the only_if or not_if are expecting a true or false result, however this seems to be appending the written status that I've added the check against (in this script, disabled).
I have checked the powershell script, it does indeed output Enabed / Disabled depending on the status.
My questions are:
Is it possible to use windows_feature and powershell_out in this way, according to the example it's using powershell_script, but I'd rather use the windows_feature specification to install features.
If it is possible, what am I doing wrong? I have a feeling it might be the output of the script as it seems to insert a space:
" Enabled"
" Disabled"
If it isn't possible, is there another way to do it?
I'd be very grateful for any assistance.
Thank you.

is it possible you just need to quote "Disabled"? Otherwise Ruby is trying to figure out what it is, but doesn't know about any variable or class with that name.

Related

fail2ban "command not found" when executing banaction

One of the actions for fail2ban is configured to run a ruby script; however, fail2ban fails when trying to execute the ruby script with a "Command not found" error. I don't understand this error because I'm providing the full path to the ruby script and it has execution permissions:
Here's my fail2ban action:
[root:a17924e746f0:~]# cat /etc/fail2ban/action.d/404.conf
# Fail2Ban action configuration file for Subzero/Core
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = /root/ban_modify.rb ban <ip>
actionunban = /root/ban_modify.rb unban <ip>
Here are the contents to the /root/ban_modify.rb script:
#!/usr/bin/env ruby
command = ARGV[0]
ip_address = ARGV[1]
blacklist = File.open("/root/blacklist.txt").read.split("\n")
if command == "unban"
if blacklist.include? "#{ip_address} deny"
blacklist.delete "#{ip_address} deny"
end
elsif command == "ban"
blacklist << "#{ip_address} deny"
end
File.open("/root/blacklist.txt", "w") {|f| f.write(blacklist.join("\n"))}
Very simple. This blacklist.txt file is used by Apache to permanently ban individuals from the web server when a fail2ban condition is met.
However, when I issue the following command: sudo /usr/bin/fail2ban-client set 404 unbanip <my ip>
I get the following error:
2019-08-19 20:56:43,508 fail2ban.utils [16176]: Level 39 7ff7395873f0 -- exec: ban_modify.rb ban <myip>
2019-08-19 20:56:43,509 fail2ban.utils [16176]: ERROR 7ff7395873f0 -- stderr: '/bin/sh: 1: ban_modify.rb: not found'
2019-08-19 20:56:43,509 fail2ban.utils [16176]: ERROR 7ff7395873f0 -- returned 127
2019-08-19 20:56:43,509 fail2ban.utils [16176]: INFO HINT on 127: "Command not found". Make sure that all commands in 'ban_modify.rb ban <myip>' are in the PATH of fail2ban-server process (grep -a PATH= /proc/`pidof -x fail2ban-server`/environ). You may want to start "fail2ban-server -f" separately, initiate it with "fail2ban-client reload" in another shell session and observe if additional informative error messages appear in the terminals.
2019-08-19 20:56:43,509 fail2ban.actions [16176]: ERROR Failed to execute ban jail '404' action '404' info 'ActionInfo({'ip': '<myip>', 'family': 'inet4', 'ip-rev': '<myip>.', 'ip-host': '<myip>', 'fid': '<myip>', 'failures': 1, 'time': 1566266203.3465006, 'matches': '', 'restored': 0, 'F-*': {'matches': [], 'failures': 1}, 'ipmatches': '', 'ipjailmatches': '', 'ipfailures': 1, 'ipjailfailures': 1})': Error banning <myip>
I'm not sure why this error is happening if the actionban is pointing to the full path of a ruby script.
I even tried changing the contents of /root/ban_modify.rb to just simply puts "Hello World". Tried changing the banaction to iptables-allports and that still failed. It seems like banaction just simply doesn't work.
You can enable fail2ban debug mode & check fail2ban log for more details.
# change fail2ban log level
sudo nano /etc/fail2ban/fail2ban.conf
loglevel = DEBUG
# restart fail2ban
sudo systemctl restart fail2ban
# check logs
tail -f /var/log/fail2ban.log
You can restart the fail2ban and check it again:
sudo systemctl restart fail2ban

Does $argv behave the same between Centos and RHEL systems

I am trying to troubleshoot an old TCL accounting script called GOTS - Grant Of The System. What it does is creates a time stamped logfile entry for each user login and another for the logout. The problem is it is not creating the second log file entry on logout. I think I tracked down the area where it is going wrong and I have attached it here. FYI the log file exists and it does not exit with the error "GOTS was called incorrectly!!". It should be executing the if then for [string match "$argv" "end_session"]
This software runs properly on RHEL Linux 6.9 but fails as described on Centos 7. I am thinking that there is a system variable or difference in the $argv argument vector for the different systems that creates this behavior.
Am I correct in suspecting $argv and if not does anyone see the true problem?
How do I print or display the $argv values on logout?
# Find out if we're beginning or ending a session
if { [string match "$argv" "end_session"] } {
if { ![file writable $Log] } {
onErrorNotify "4 LOG"
}
set ifd [open $Log a]
puts $ifd "[clock format [clock seconds]]\t$Instrument\t$LogName\t$GroupName"
close $ifd
unset ifd
exit 0
} elseif { [string match "$argv" "begin_session"] == 0 } {
puts stderr "GOTS was called incorrectly!!"
exit -1
}
end_session is populated by the /etc/gdm/PostSession/Default file
#!/bin/sh
### Begin GOTS PostSession
# Do not run GOTS if root is logging out
if test "${USER}" == "root" ; then
exit 0
fi
/usr/local/lib/GOTS/gots end_session > /var/tmp/gots_postsession.log 2> /var/tmp/gots_postsession.log
exit 0
### End GOTS PostSession
This is the postsession log file:
Application initialization failed: couldn't connect to display ":1"
Error in startup script: invalid command name "option"
while executing
"option add *Font "-adobe-new century schoolbook-medium-r-*-*-*-140-*-*-*-*-*-*""
(file "/usr/local/lib/GOTS/gots" line 26)
After a lot of troubleshooting we have determined that for whatever reason Centos is not allowing part of the /etc/gdm/PostSession/default file to execute:
fi
/usr/local/lib/GOTS/gots end_session
But it does update the PostSession.log file as it should .. . Does anyone have any idea what could be interfering with only part of the PostSession/default?
Does anyone have any idea what could be interfereing with PostSession/default?
Could it be that you are hitting Bug 851769?
That said, am I correct in stating that, as your investigation shows, this is not a Tcl-related issue or question anymore?
So it turns out that our script has certain elements that depend upon the Xserver running on logout to display some of the GUI error messages. This from:
Gnome Configuration
"When a user terminates their session, GDM will run the PostSession script. Note that the Xserver will have been stopped by the time this script is run, so it should not be accessed.
Note that the PostSession script will be run even when the display fails to respond due to an I/O error or similar. Thus, there is no guarantee that X applications will work during script execution."
We are having to rewrite those error message callouts so they simply write the errors to a file instead of depending on the display. The errors are for things that should be there in the beginning anyway.

How to use special characters in Chef?

I am writing Chef recipes using chef-solo, where I need to run commands which include + but Chef returns an error if I use the + character.
bash "testing" do
code <<-EOH
/bin/grep '^+:' /etc/shadow >>/var/info
EOH
end
Method 1: put code in any script.sh file and use it as:
execute " script running " do
command "sh /path/script.sh"
end
but I don't want to use it. Is there any other way to use special characters?
Note: I tried using back-slash ("\").
update : got below error when i use code
bash "testing" do
code "/bin/grep '^+:' /etc/shadow >>/var/info"
end
Error:
chef-solo -c solo.rb -j web.json
Starting Chef Client, version 11.8.2
Compiling Cookbooks...
Converging 1 resources
Recipe: test::test
* bash[testing] action run
================================================================================
Error executing action `run` on resource 'bash[testing]'
================================================================================
Mixlib::ShellOut::ShellCommandFailed
------------------------------------
Expected process to exit with [0], but received '1'
---- Begin output of "bash" "/tmp/chef-script20150822-12224-kbivpd" ----
STDOUT:
STDERR:
---- End output of "bash" "/tmp/chef-script20150822-12224-kbivpd" ----
Ran "bash" "/tmp/chef-script20150822-12224-kbivpd" returned 1
Resource Declaration:
---------------------
# In /home/new/cookbooks/test/recipes/test.rb
1: bash "testing" do
2: code "/bin/grep '^+:' /etc/shadow >>/var/info"
3: end
Compiled Resource:
------------------
# Declared in /home/new/cookbooks/test/recipes/test.rb:1:in `from_file'
bash("testing") do
action "run"
retries 0
retry_delay 2
command "\"bash\" \"/tmp/chef-script20150822-12224-kbivpd\""
backup 5
returns 0
code "/bin/grep '^+:' /etc/shadow >>/var/info"
interpreter "bash"
cookbook_name :test
recipe_name "test"
end
[2015-08-22T19:49:52+05:30] ERROR: Running exception handlers
[2015-08-22T19:49:52+05:30] ERROR: Exception handlers complete
[2015-08-22T19:49:52+05:30] FATAL: Stacktrace dumped to /home/chef-solo/chef-stacktrace.out
Chef Client failed. 0 resources updated
[2015-08-22T19:49:52+05:30] ERROR: bash[testing] (test::test line 1) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
---- Begin output of "bash" "/tmp/chef-script20150822-12224-kbivpd" ----
STDOUT:
STDERR:
---- End output of "bash" "/tmp/chef-script20150822-12224-kbivpd" ----
Ran "bash" "/tmp/chef-script20150822-12224-kbivpd" returned 1
[2015-08-22T19:49:52+05:30] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
This has nothing to do with the + in the command !
There's nothing wrong, chef works as expected:
# grep '^+' /etc/shadow; echo $?
1
This command returns a status code of 1 as nothing is found (quote of man grep emphasis is mine):
EXIT STATUS
The exit status is 0 if selected lines are found, and 1 if not found. If an error occurred the exit status is 2. (Note: POSIX
error handling
code should check for '2' or greater.)
And chef tell's you exactly this:
Expected process to exit with [0], but received '1'
Reading the bash resource documentation we see there's a returns attribute with this description:
returns Ruby Types: Integer, Array
The return value for a command. This may be an array of accepted
values. An exception is raised when the return value(s) do not match.
Default value: 0.
So if you want to accept this command return 0 or 1:
bash "testing" do
code "/bin/grep '^+:' /etc/shadow >>/var/info"
return [0,1]
end
So this may not solve your problem as you didn't describe what you're trying to achieve, we're on a XY problem here
Chef recipes are pure ruby, so you can write something like this without any problems:
bash "testing" do
code "/bin/grep '^+:' /etc/shadow >>/var/info"
end
If you need to use double quotes inside your command, you can escape it with back slash "\".
i solved my problem using
`/bin/grep '^+:' /etc/passwd >> /var/output`
this is ruby method to execute system command using backticks in which global variable $? is set through the backticks automatically

Vagrant argv input on terminal complains about machine name

I am trying to pass in arguments (via known ruby methods) to my vagrant up command line, but am getting machine not found errors. What is the correct way to do this in Vagrant?
Vagrantfile
# -*- mode: ruby -*-
# vi: set ft=ruby :
# Parse options
options = {}
options[:keyfile] = ARGV[1] || false # Your Github authentication keyfile
options[:boxtype] = ARGV[2] || 'virtualbox' # Type of virtual appliance to load
options[:version] = ARGV[3] || 'latest' # Box version to load (not used currently)
ARGV.delete_at(1)
ARGV.delete_at(1)
ARGV.delete_at(1)
Vagrant.configure("2") do | config |
puts ("==> [info] Looking for #{options[:keyfile]}")
if File.file?(options[:keyfile])
config.vm.provision :shell, :inline => "echo -e '#{File.read(options[:keyfile])}' > '/home/vagrant/.ssh/GitKey'"
else
puts ("==> [error] The require RSA key: #{options[:keyfile]} does not exist, exiting.")
abort
end
end
Error
$ vagrant up ~/.ssh/github_rsa
The machine with the name '/Users/ehime/.ssh/github_rsa' was not found configured for
this Vagrant environment.
EDIT
Trying this a different way gives me some slightly more promising results
require 'optparse'
require 'ostruct'
....
options = OpenStruct.new
OptionParser.new do | opt |
opt.on('-v', '--version VERSION', 'Box version to load (not used currently)') { | o | options.version = o }
opt.on('-k', '--keyfile KEYFILE', 'Your Github authentication keyfile') { | o | options.keyfile = o }
opt.on('-b', '--boxfile BOXTYPE', 'Type of virtual appliance to load') { | o | options.boxtype = o }
end.parse!
Vagrant.configure("2") do | config |
puts ("==> [info] Looking for #{options.keyfile}")
if File.file?(options.keyfile)
config.vm.provision :shell, :inline => "echo -e '#{File.read(options.keyfile)}' > '/home/vagrant/.ssh/GitKey'"
else
puts ("==> [error] The require RSA key: #{options.keyfile} does not exist, exiting.")
abort
end
....
Gets me pretty close as well, but it needs the flags unset somehow so they don't conflict with vagrant. At least the help flag works
$ vagrant up -k /Users/ehime/.ssh/github_rsa
==> [info] Looking for /Users/ehime/.ssh/github_rsa
An invalid option was specified. The help for this command
is available below.
Usage: vagrant up [options] [name]
Options:
--[no-]provision Enable or disable provisioning
--provision-with x,y,z Enable only certain provisioners, by type.
--[no-]destroy-on-error Destroy machine if any fatal error happens (default to true)
--[no-]parallel Enable or disable parallelism if provider supports it
--provider PROVIDER Back the machine with a specific provider
-h, --help Print this help
Help
$ vagrant up -h
Usage: vagrant up [options] [name]
Options:
--[no-]provision Enable or disable provisioning
--provision-with x,y,z Enable only certain provisioners, by type.
--[no-]destroy-on-error Destroy machine if any fatal error happens (default to true)
--[no-]parallel Enable or disable parallelism if provider supports it
--provider PROVIDER Back the machine with a specific provider
-h, --help Print this help
Usage: vagrant [options]
-v, --version VERSION Box version to load (not used currently)
-k, --keyfile KEYFILE Your Github authentication keyfile
-b, --boxfile BOXTYPE Type of virtual appliance to load
The Vagrantfile is not executed directly so you cannot just pass in the arguments as you would with a normal script. vagrant looks for the file inside cwd() and bring it in.
Would go the route of the env vars or a template file which you generate before running vagrant.

Chef recipe node hash doesn't have the same data as in chef server node data

I have a conditional in a recipe that checks for some node data:
if node[:etc][:group].has_key?('someuser') and node[:etc][:group][:someuser][:gid] == 12345
# do something...
else
# do something else...
end
And I used knife node edit hostname.mydomain.com to add this data to my node object, as shown by
$ knife node show hostname.mydomain.com -m
Node Name: hostname.mydomain.com
Environment: ...
FQDN: hostname.mydomain.com
IP: ...
Run List: ...
Roles: ...
Recipes: ...
Platform: ...
Tags: ...
Attributes:..
etc:
group:
someuser:
gid: 12345
members:
tags: ...
However, the else clause is being executed instead of the if clause. I checked that this is the version of the recipe that is being run on the node (looked at the recipe that was downloaded to the node). I thought I had set up my node correctly to execute the if clause so why is the else clause executing? Thanks.
The node etc key is created by ohai (and is under a automatic key) and rewritten at each run, trying to set thoose attributes in node object won't work.
You can't override automatic attributes.
You can have more details on what is done on a chef run here and details about attributes here
What you can do here is creating the group in your recipe with the group resource and reload ohai data before entering the loop.
Exemple (heavily inspired from the doc ):
ohai "reload_passwd" do
action :nothing
plugin "etc"
end
group 'somegroup' do
gid 12345
notifies :reload, "ohai[reload_passwd]", :immediately
end
ruby_block "your code" do # in a ruby block to be run at converge time and not at compile time.
if node[:etc][:group].has_key?('someuser') and node[:etc][:group][:someuser][:gid] == 12345
# do something...
else
# do something else...
end
end
But the group creation could be in your else block, and next chef run will enter the if block as the group will exist.

Resources