- From:
- To: chef
- Subject: [chef] data bag problems when upgrading from 10.12 to 10.14 and up
- Date: Tue, 22 Jan 2013 23:45:29 -0800
hiya.
i'm trying to upgrade my chef clients from chef-full-0.10.10-1 to 10.18, and
i just discovered a problem pulling values out of an encrypted data bag when
upgrading. during my tests, my example recipe (below) works with
chef-full-0.10.10-1 and chef-10.12.0-1, but breaks when i try chef-10.14.4-2
(and 10.16 and 10.18).
is this a known bug? or, do i need to do something differently?
here's a brief recipe that illustrates what's happening:
aws_creds = Chef::EncryptedDataBagItem.load("secrets","aws-creds-quux")
grab_cert = "MEEP_X509_SERVERCERT"
grab_key = "MEEP_X509_PRIVATEKEY"
grab_access = "MEEP_AWS_ACCESS_KEY_ID"
grab_secret = "MEEP_AWS_SECRET_ACCESS_KEY"
x509_cert = aws_creds["#{grab_cert}"]
x509_key = aws_creds["#{grab_key}"]
aws_access = aws_creds["#{grab_access}"]
aws_secret = aws_creds["#{grab_secret}"]
Chef::Log.debug("HIGGS-BOSON: AWS CREDS #{aws_creds.class} ")
Chef::Log.debug("HIGGS-BOSON: AWS CREDS #{aws_creds.inspect} ")
Chef::Log.debug("HIGGS-BOSON: AWS CERT pulled out of data bag is #{x509_cert}")
Chef::Log.debug("HIGGS-BOSON: AWS KEY pulled out of data bag is #{x509_key}")
Chef::Log.debug("HIGGS-BOSON: AWS ACCESS pulled out of data bag is #{aws_access}")
Chef::Log.debug("HIGGS-BOSON: AWS SECRET pulled out of data bag is #{aws_secret}")
here's the logging results when the client runs 10.14. pardon the ugly data bag
inspection ... snipped for brevity.
[2013-01-23T06:18:32+00:00] DEBUG: HIGGS-BOSON: AWS CREDS Chef::EncryptedDataBagItem
[2013-01-23T06:18:32+00:00] DEBUG: HIGGS-BOSON: AWS CREDS #<Chef::EncryptedDataBagItem:0x00000002f8e358
@enc_hash=data_bag_item["secrets", "aws-creds-quux",
{"BOOP_X509_SERVERCERT"=>"z8qqqqqqqqqqqqqqqqqqqnr9mWxzzzzzzzzzzzzzz/sPYH7Cyw/\nQ9ftouk8RRRRRRRRRRRRF9Ryl/fmkkkkkkkkkkkkkkkkkkkkk0EFegz\nenmy1K2/VZph1kdE7DXxxxSNIP\n",
"MEEP_AWS_SECRET_ACCESS_KEY"=>"OJ9xxxxxxxxxxZFxxxxxxxxxxwMxxxxxxxxxxxux/rdPpxxxxxxxxxxoffff\ne2ec\n",
"id"=>"aws-creds-quux",
"BOOP_AWS_SECRET_ACCESS_KEY"=>"m1xxxxxxxxxxrKpwh/dixxxxxxxxxxZkuxxxxxxxxxxpoxxxxxxxxxx1cr4\nEpmQ\n",
"MEEP_AWS_ACCESS_KEY_ID"=>"vtxxxxxxxxxxdCg/0xxxxxxxxxxloZxxxxxxxxxxx5hQ=\n",
"BOOP_X509_PRIVATEKEY"=>"NU99999999999999999999A6IEMUUKf7IccccccccccccccccccvtodL\nTy444444444444lQnePuuuuuuuuuuuuuuuuuuuuuuuDbuFB/hws\nSNIPxxxxxCHEXXjDk+oHWWWWWWefXHgQ999999SNIP\n",
"MEEP_X509_PRIVATEKEY"=>"xa99999999999999999999dI0sfAjoDW999999999999999999998SPWBoAu\nC9qLxxxxxxxxxxxxxxxxxxxK+AN58y9999999999999999999999\n
NDYFZjeNqDY8rAsnnnnnnnnipppppppBA=\n",
"MEEP_X509_SERVERCERT"=>"LkuXuuuuuuuuuuuuuuuuuuuuuuEkyjjxxxxxxxxjD0GRCyH\nfZSfffffffffRrZxxxxxxSNIPxx=">
[2013-01-23T06:18:32+00:00] DEBUG: HIGGS-BOSON: AWS CERT pulled out of data bag is
[2013-01-23T06:18:32+00:00] DEBUG: HIGGS-BOSON: AWS KEY pulled out of data bag is
[2013-01-23T06:18:32+00:00] DEBUG: HIGGS-BOSON: AWS ACCESS pulled out of data bag is AKIsuperthankforaskingXX
[2013-01-23T06:18:32+00:00] DEBUG: HIGGS-BOSON: AWS SECRET pulled out of data bag is Z1DbeverlyhillbillieslexnLKzKF4xxxxxxnNQ
above, you can see i'm getting no value for x509_cert and x509_key, but i am for
aws_access and aws_secret. i tossed a couple more lines into the recipe to look
at #{x509_cert.class} and #{x509_cert.inspect}, and i can see it's an empty
String; it's not nil.
when i run chef client 0.10.10 or 10.12, i get this:
[Wed, 23 Jan 2013 06:17:34 +0000] DEBUG: HIGGS-BOSON: AWS CERT pulled out of data bag is MIIDjjCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[Wed, 23 Jan 2013 06:17:34 +0000] DEBUG: HIGGS-BOSON: AWS KEY pulled out of data bag is MIICXQyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
[Wed, 23 Jan 2013 06:17:34 +0000] DEBUG: HIGGS-BOSON: AWS ACCESS pulled out of data bag is AKIsuperthankforaskingXX
[Wed, 23 Jan 2013 06:17:34 +0000] DEBUG: HIGGS-BOSON: AWS SECRET pulled out of data bag is Z1DbeverlyhillbillieslexnLKzKF4xxxxxxnNQ
the result i get works because i use x509_cert and x509_key to populate x509
certs via a template. (but i do wonder why only the content of each is printed
in the log up to the first newline.)
thanks!
kallen
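
The failure reported in this message, a decrypted value that comes back as an empty String rather than nil, can be caught before a template renders it, and the values can be inspected without writing them to the log. The following is an added example, not part of the original message and not Chef's own code: `fingerprint`, `unusable_keys` and `check_secrets!` are hypothetical helpers, and the Hash is a constructed stand-in for the decrypted item (the helpers only assume the item responds to `[]`).

```ruby
require 'digest'

# Hypothetical helper: describe a secret without printing it.
# Reports class, byte length, line count and a short SHA-256 prefix.
def fingerprint(value)
  return 'nil' if value.nil?
  str = value.to_s
  return "#{value.class} (empty)" if str.empty?
  digest = Digest::SHA256.hexdigest(str)[0, 12]
  "#{value.class} bytes=#{str.bytesize} lines=#{str.lines.count} sha256=#{digest}"
end

# Hypothetical helper: return the required keys whose decrypted value is
# nil, not a String, or blank. An empty String passes a nil check, which
# is the case reported in the message above.
def unusable_keys(item, required)
  required.select do |key|
    value = item[key]
    !value.is_a?(String) || value.strip.empty?
  end
end

# Raise before any template is rendered if a required secret is unusable.
def check_secrets!(item, required)
  bad = unusable_keys(item, required)
  return item if bad.empty?
  raise ArgumentError, "unusable data bag values: #{bad.join(', ')}"
end

REQUIRED = %w[MEEP_X509_SERVERCERT MEEP_X509_PRIVATEKEY
              MEEP_AWS_ACCESS_KEY_ID MEEP_AWS_SECRET_ACCESS_KEY].freeze

# Constructed stand-in for the decrypted item as seen under 10.14:
# the two X.509 values are empty Strings, the AWS values are present.
SAMPLE_ITEM = {
  'MEEP_X509_SERVERCERT'       => '',
  'MEEP_X509_PRIVATEKEY'       => '',
  'MEEP_AWS_ACCESS_KEY_ID'     => 'constructed-access-key-id',
  'MEEP_AWS_SECRET_ACCESS_KEY' => 'constructed-secret-value'
}.freeze

if __FILE__ == $PROGRAM_NAME
  REQUIRED.each { |k| puts "#{k}: #{fingerprint(SAMPLE_ITEM[k])}" }
  begin
    check_secrets!(SAMPLE_ITEM, REQUIRED)
  rescue ArgumentError => e
    puts e.message
  end
end
```

The line count in `fingerprint` shows whether a multi-line PEM value arrived whole without the value itself appearing in the debug log.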