[chef] Re: Re: Re: Re: How to I install a package as root

[AJ Christensen < >]

Hey David,

Have you considered splitting this script into multiple resources?

One to fetch the 'install-ubuntu-precise' script (remote_file), an
execute resource to invoke it; the python_pip resource and another
execute for fluentd?

Aside, it looks like the 'install-ubuntu-precise' script is doing some
kind of check (or something!) that the mixlib-shellout environment
that the shell command is executed with doesn't account for (phew)!

I checked the script itself and you should be able to model the entire
thing (correctly) as Chef resources.

Here is an example to get you started:
https://gist.github.com/fujin/29b14d15f318918c562d

Cheers,

AJ

On 27 May 2013 10:00, David Montgomery 
<
 >
 wrote:
> Hi,
>
> I am running chef client as root else the entire bootstrap would fail.
>
>
> On Mon, May 27, 2013 at 5:54 AM, Lamont Granquist 
> <
 >
> wrote:
>>
>>
>> The user attribute just gets passed through to mixlib-shellout which sets
>> Process.{euid,uid} to the user (most likely just setreuid(2) getting
>> directly called by ruby).  If chef-client itself is not running as root,
>> this is unlikely to work -- it works going from root to other users because
>> root can switch to anyone.
>>
>> The easiest solution is to run chef-client (or chef-solo) as root and to
>> use sudo to invoke it:  "sudo chef-client"
>>
>> If the client isn't running as root, then /etc/sudoers needs to be setup
>> so that the user running chef-client can execute pip and fluentd as root
>> with the NOPASSWD setting so that the user isn't prompted for a password.
>> Trying to be this fine-grained is foolish, though, since once you've 
>> allowed
>> 'pip install' you can probably backdoor python and get root on the box
>> fairly easily.  The user trying to do this install must, therefore,
>> inherently be trusted, and so the easiest way to solve the problem is to 
>> run
>> chef itself as root.
>>
>>
>> On 5/26/13 2:36 PM, Cassiano Leal wrote:
>>
>> You should probably not use sudo in the script, and pass the user resource
>> attribute to bash:
>>
>> bash "compile_td-agent" do
>>   cwd "#{Chef::Config[:file_cache_path]}"
>>   code <<-EOH
>>   curl -L http://toolbelt.treasure-data.com/sh/install-ubuntu-precise.sh ;|
>> sh
>>   pip install fluent-logger
>>   fluentd --setup /etc/fluent
>>   EOH
>>   user 'root'
>>   not_if
>> {File.exists?("#{Chef::Config[:file_cache_path]}/fluent_install")}
>> end
>>
>>
>> - cassiano
>>
>> On Sunday, May 26, 2013 at 18:02, David Montgomery wrote:
>>
>> Hi,
>>
>> I am getting this error that is rather annoying.....
>>
>> Of course not using chef and I run the code ..yup install works. What to I
>> have to do to get chef to install .  I am running ubuntu on ec2.
>>
>>
>>
>> bash "compile_td-agent" do
>>   cwd "#{Chef::Config[:file_cache_path]}"
>>   code <<-EOH
>>   curl -L http://toolbelt.treasure-data.com/sh/install-ubuntu-precise.sh ;|
>> sh
>>   sudo pip install fluent-logger
>>   sudo fluentd --setup /etc/fluent
>>   EOH
>>   not_if
>> {File.exists?("#{Chef::Config[:file_cache_path]}/fluent_install")}
>> end
>>
>>
>> ================================================================================
>> Error executing action `run` on resource 'bash[compile_td-agent]'
>>
>> ================================================================================
>>
>>
>> Mixlib::ShellOut::ShellCommandFailed
>> ------------------------------------
>> Expected process to exit with [0], but received '1'
>> ---- Begin output of "bash"  "/tmp/chef-script20130526-7026-1f02aju" ----
>> STDOUT: This script requires superuser access to install apt packages.
>> You will be prompted for your password by sudo.
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise Release.gpg
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates
>> Release.gpg
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise Release
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates Release
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/main Sources
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/universe Sources
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/main amd64
>> Packages
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/universe amd64
>> Packages
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/main i386
>> Packages
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/universe i386
>> Packages
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/main
>> TranslationIndex
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/universe
>> TranslationIndex
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/main
>> Sources
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/universe
>> Sources
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/main
>> amd64 Packages
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/universe
>> amd64 Packages
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/main i386
>> Packages
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/universe
>> i386 Packages
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/main
>> TranslationIndex
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/universe
>> TranslationIndex
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/main
>> Translation-en
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise/universe
>> Translation-en
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/main
>> Translation-en
>> Hit http://ap-southeast-1.ec2.archive.ubuntu.com precise-updates/universe
>> Translation-en
>> Hit http://security.ubuntu.com precise-security Release.gpg
>> Hit http://security.ubuntu.com precise-security Release
>> Ign http://packages.treasure-data.com precise Release.gpg
>> Hit http://security.ubuntu.com precise-security/main Sources
>> Hit http://packages.treasure-data.com precise Release
>> Hit http://security.ubuntu.com precise-security/universe Sources
>> Ign http://packages.treasure-data.com precise/contrib amd64
>> Packages/DiffIndex
>> Hit http://security.ubuntu.com precise-security/main amd64 Packages
>> Ign http://packages.treasure-data.com precise/contrib i386
>> Packages/DiffIndex
>> Hit http://security.ubuntu.com precise-security/universe amd64 Packages
>> Ign http://packages.treasure-data.com precise/contrib TranslationIndex
>> Hit http://security.ubuntu.com precise-security/main i386 Packages
>> Hit http://security.ubuntu.com precise-security/universe i386 Packages
>> Hit http://security.ubuntu.com precise-security/main TranslationIndex
>> Hit http://security.ubuntu.com precise-security/universe TranslationIndex
>> Hit http://security.ubuntu.com precise-security/main Translation-en
>> Hit http://security.ubuntu.com precise-security/universe Translation-en
>> Hit http://packages.treasure-data.com precise/contrib amd64 Packages
>> Hit http://packages.treasure-data.com precise/contrib i386 Packages
>> Ign http://packages.treasure-data.com precise/contrib Translation-en
>> Reading package lists...
>> Reading package lists...
>> Building dependency tree...
>> Reading state information...
>> td-agent is already the newest version.
>> 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
>> Requirement already satisfied (use --upgrade to upgrade): fluent-logger in
>> /usr/local/lib/python2.7/dist-packages
>> Requirement already satisfied (use --upgrade to upgrade): msgpack-python
>> in /usr/local/lib/python2.7/dist-packages (from fluent-logger)
>> Cleaning up...
>> STDERR: % Total    % Received % Xferd  Average Speed   Time    Time
>> Time  Current
>>                                  Dload  Upload   Total   Spent    Left
>> Speed
>> 100   483  100   483    0     0    605      0 --:--:-- --:--:-- --:--:--
>> 1568
>> sudo: fluentd: command not found
>> ---- End output of "bash"  "/tmp/chef-script20130526-7026-1f02aju" ----
>> Ran "bash"  "/tmp/chef-script20130526-7026-1f02aju" returned 1
>>
>>
>> Resource Declaration:
>> ---------------------
>> # In /var/chef/cache/cookbooks/fluentd/recipes/default.rb
>>
>>  10: bash "compile_td-agent" do
>>  11:   user "root"
>>  12:   cwd "#{Chef::Config[:file_cache_path]}"
>>  13:   code <<-EOH
>>  14:   curl -L
>> http://toolbelt.treasure-data.com/sh/install-ubuntu-precise.sh ;| sh
>>  15:   sudo pip install fluent-logger
>>  16:   sudo fluentd --setup /etc/fluent
>>  17:   EOH
>>  18:   not_if
>> {File.exists?("#{Chef::Config[:file_cache_path]}/fluent_install")}
>>  19: end
>>  20:
>>
>>
>>
>> Compiled Resource:
>> ------------------
>> # Declared in /var/chef/cache/cookbooks/fluentd/recipes/default.rb:10:in
>> `from_file'
>>
>> bash("compile_td-agent") do
>>   action "run"
>>   retries 0
>>   retry_delay 2
>>   command "\"bash\"  \"/tmp/chef-script20130526-7026-1f02aju\""
>>   backup 5
>>   cwd "/var/chef/cache"
>>   returns 0
>>   user "root"
>>   code "  curl -L
>> http://toolbelt.treasure-data.com/sh/install-ubuntu-precise.sh ;| sh\n  sudo
>> pip install fluent-logger\n  sudo fluentd --setup /etc/fluent\n"
>>   interpreter "bash"
>>   cookbook_name "fluentd"
>>   recipe_name "default"
>>   not_if { #code block }
>> end
>>
>>
>>
>> [2013-05-26T20:55:07+00:00] INFO: Running queued delayed notifications
>> before re-raising exception
>> [2013-05-26T20:55:07+00:00] ERROR: Running exception handlers
>> [2013-05-26T20:55:07+00:00] ERROR: Creating JSON exception report
>> [2013-05-26T20:55:07+00:00] FATAL: Saving node information to
>> /var/chef/cache/failed-run-data.json
>> [2013-05-26T20:55:07+00:00] ERROR: Exception handlers complete
>> Chef Client failed. 3 resources updated
>> [2013-05-26T20:55:07+00:00] FATAL: Stacktrace dumped to
>> /var/chef/cache/chef-stacktrace.out
>> [2013-05-26T20:55:07+00:00] FATAL: Mixlib::ShellOut::ShellCommandFailed:
>> bash[compile_td-agent] (fluentd::default line 10) had an error:
>> Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], 
>> but
>> received '1'
>>
>>
>>
>>
>