chef - [chef] Re: Re: How to I install a package as root

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: Re: How to I install a package as root

From: Lamont Granquist < >
To: < >
Subject: [chef] Re: Re: How to I install a package as root
Date: Sun, 26 May 2013 14:54:05 -0700

The user attribute just gets passed through to mixlib-shellout which sets Process.{euid,uid} to the user (most likely just setreuid(2) getting directly called by ruby). If chef-client itself is not running as root, this is unlikely to work -- it works going from root to other users because root can switch to anyone.

The easiest solution is to run chef-client (or chef-solo) as root and to use sudo to invoke it: "sudo chef-client"

If the client isn't running as root, then /etc/sudoers needs to be setup so that the user running chef-client can execute pip and fluentd as root with the NOPASSWD setting so that the user isn't prompted for a password. Trying to be this fine-grained is foolish, though, since once you've allowed 'pip install' you can probably backdoor python and get root on the box fairly easily. The user trying to do this install must, therefore, inherently be trusted, and so the easiest way to solve the problem is to run chef itself as root.

On 5/26/13 2:36 PM, Cassiano Leal wrote:

" type="cite">
You should probably not use sudo in the script, and pass the user resource attribute to bash:

bash "compile_td-agent" do

cwd "#{Chef::Config[:file_cache_path]}"

code <<-EOH

curl -L http://toolbelt.treasure-data.com/sh/install-ubuntu-precise.sh | sh

pip install fluent-logger

fluentd --setup /etc/fluent

EOH

user 'root'

not_if {File.exists?("#{Chef::Config[:file_cache_path]}/fluent_install")}

end

- cassiano

On Sunday, May 26, 2013 at 18:02, David Montgomery wrote:

Hi,

I am getting this error that is rather annoying.....

Of course not using chef and I run the code ..yup install works. What to I have to do to get chef to install . I am running ubuntu on ec2.

bash "compile_td-agent" do
cwd "#{Chef::Config[:file_cache_path]}"
code <<-EOH
curl -L http://toolbelt.treasure-data.com/sh/install-ubuntu-precise.sh | sh
sudo pip install fluent-logger
sudo fluentd --setup /etc/fluent
EOH
not_if {File.exists?("#{Chef::Config[:file_cache_path]}/fluent_install")}
end

================================================================================
Error executing action `run` on resource 'bash[compile_td-agent]'
================================================================================

Mixlib::ShellOut::ShellCommandFailed
------------------------------------
Expected process to exit with [0], but received '1'
---- Begin output of "bash" "/tmp/chef-script20130526-7026-1f02aju" ----
STDOUT: This script requires superuser access to install apt packages.
You will be prompted for your password by sudo.
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise Release.gpg
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates Release.gpg
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise Release
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates Release
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/main Sources
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/universe Sources
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/main amd64 Packages
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/universe amd64 Packages
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/main i386 Packages
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/universe i386 Packages
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/main TranslationIndex
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/universe TranslationIndex
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/main Sources
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/universe Sources
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/main amd64 Packages
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/universe amd64 Packages
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/main i386 Packages
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/universe i386 Packages
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/main TranslationIndex
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/universe TranslationIndex
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/main Translation-en
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/universe Translation-en
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/main Translation-en
Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/universe Translation-en
Hit http://security.ubuntu.com precise-security Release.gpg
Hit http://security.ubuntu.com precise-security Release
Ign http://packages.treasure-data.com precise Release.gpg
Hit http://security.ubuntu.com precise-security/main Sources
Hit http://packages.treasure-data.com precise Release
Hit http://security.ubuntu.com precise-security/universe Sources
Ign http://packages.treasure-data.com precise/contrib amd64 Packages/DiffIndex
Hit http://security.ubuntu.com precise-security/main amd64 Packages
Ign http://packages.treasure-data.com precise/contrib i386 Packages/DiffIndex
Hit http://security.ubuntu.com precise-security/universe amd64 Packages
Ign http://packages.treasure-data.com precise/contrib TranslationIndex
Hit http://security.ubuntu.com precise-security/main i386 Packages
Hit http://security.ubuntu.com precise-security/universe i386 Packages
Hit http://security.ubuntu.com precise-security/main TranslationIndex
Hit http://security.ubuntu.com precise-security/universe TranslationIndex
Hit http://security.ubuntu.com precise-security/main Translation-en
Hit http://security.ubuntu.com precise-security/universe Translation-en
Hit http://packages.treasure-data.com precise/contrib amd64 Packages
Hit http://packages.treasure-data.com precise/contrib i386 Packages
Ign http://packages.treasure-data.com precise/contrib Translation-en
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
td-agent is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Requirement already satisfied (use --upgrade to upgrade): fluent-logger in /usr/local/lib/python2.7/dist-packages
Requirement already satisfied (use --upgrade to upgrade): msgpack-python in /usr/local/lib/python2.7/dist-packages (from fluent-logger)
Cleaning up...
STDERR: % Total    % Received % Xferd Average Speed   Time    Time     Time Current
                                 Dload Upload   Total   Spent    Left Speed
100   483 100   483    0     0    605      0 --:--:-- --:--:-- --:--:-- 1568
sudo: fluentd: command not found
---- End output of "bash" "/tmp/chef-script20130526-7026-1f02aju" ----
Ran "bash" "/tmp/chef-script20130526-7026-1f02aju" returned 1

Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/fluentd/recipes/default.rb

10: bash "compile_td-agent" do
11:   user "root"
12:   cwd "#{Chef::Config[:file_cache_path]}"
13:   code <<-EOH
14:   curl -L http://toolbelt.treasure-data.com/sh/install-ubuntu-precise.sh | sh
15:   sudo pip install fluent-logger
16:   sudo fluentd --setup /etc/fluent
17:   EOH
18:   not_if {File.exists?("#{Chef::Config[:file_cache_path]}/fluent_install")}
19: end
20:

Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/fluentd/recipes/default.rb:10:in `from_file'

bash("compile_td-agent") do
action "run"
retries 0
retry_delay 2
command "\"bash\" \"/tmp/chef-script20130526-7026-1f02aju\""
backup 5
cwd "/var/chef/cache"
returns 0
user "root"
code " curl -L http://toolbelt.treasure-data.com/sh/install-ubuntu-precise.sh | sh\n sudo pip install fluent-logger\n sudo fluentd --setup /etc/fluent\n"
interpreter "bash"
cookbook_name "fluentd"
recipe_name "default"
not_if { #code block }
end

[2013-05-26T20:55:07+00:00] INFO: Running queued delayed notifications before re-raising exception
[2013-05-26T20:55:07+00:00] ERROR: Running exception handlers
[2013-05-26T20:55:07+00:00] ERROR: Creating JSON exception report
[2013-05-26T20:55:07+00:00] FATAL: Saving node information to /var/chef/cache/failed-run-data.json
[2013-05-26T20:55:07+00:00] ERROR: Exception handlers complete
Chef Client failed. 3 resources updated
[2013-05-26T20:55:07+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2013-05-26T20:55:07+00:00] FATAL: Mixlib::ShellOut::ShellCommandFailed: bash[compile_td-agent] (fluentd::default line 10) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'

[chef] How to I install a package as root, David Montgomery, 05/26/2013
- [chef] Re: How to I install a package as root, Cassiano Leal, 05/26/2013
  - [chef] Re: Re: How to I install a package as root, David Montgomery, 05/26/2013
  - [chef] Re: Re: How to I install a package as root, Lamont Granquist, 05/26/2013
    - [chef] Re: Re: Re: How to I install a package as root, David Montgomery, 05/26/2013
      - [chef] Re: Re: Re: Re: How to I install a package as root, AJ Christensen, 05/26/2013
        
        [chef] Re: Re: Re: Re: Re: How to I install a package as root, Lamont Granquist, 05/27/2013