[chef] Re: Re: Re: Chef and LDAP Users

[AJ Christensen < >]

I was about to reply back and suggest that Chef may be at the mercy of
the Etc module here, it is potentially cached when the process is
launched :-(

Dan's suggestion to try closing the file may work!

I would try stracing the process and see which system calls are being
issued for the uid/gid lookup that fails, that may give us a hint as
to what part of Chef/Etc module is busted.

cheers,

--aj

On Thu, Jul 31, 2014 at 11:00 AM, Daniel DeLeo 
<
 >
 wrote:
> I don’t recall the details but I vaguely remember this being caused by some 
> sort of caching implemented in the library that provides getpwent and such 
> functions. One thing you can try is to call `Etc.endpwent` in a ruby_block 
> to make sure Chef closes and reopens the password file.
>
> --
> Daniel DeLeo
>
>
> On Wednesday, July 30, 2014 at 3:53 PM, Douglas Garstang wrote:
>
>> Replying to myself. :)
>>
>> Actually, if I put this, at the very end of the LDAP recipe...
>>
>> bash "foo1" do
>> user "root"
>> code <<-EOF
>> getent passwd doug > /tmp/foo1
>> EOF
>> end
>>
>> bash "foo" do
>> user "doug"
>> code <<-EOF
>> touch /tmp/FILE
>> EOF
>> end
>>
>> The contents of the file /tmp/foo1 have:
>>
>> 
 
>>  tmp]# cat foo1
>> doug:x:1097:2299:Doug Garstang ops team:/home/doug:/bin/bash
>>
>> which would tend to indicate to me that LDAP is functional. However, the 
>> very next bash block fails. Chef reports:
>>
>> "can't find user for doug"
>>
>> So, the user seems to exist for the system, but not for chef.
>>
>> Thanks,
>> Doug.
>>
>>
>>
>>
>> On Wed, Jul 30, 2014 at 3:39 PM, Douglas Garstang 
>> <
 
>>  
>> (mailto:
 )>
>>  wrote:
>> > All,
>> >
>> > I have a recipe that configures LDAP, and that's working fine. I have 
>> > another recipe that runs afterwards in the run list that tries to 
>> > configure individual users authorized_keys file etc.
>> >
>> > Chef complains that the user doesn't exist. However, if I log into the 
>> > VM where this happens, I can query the user and everything is fine. If I 
>> > run the chef client again, the error does not happen.
>> >
>> > I initially thought it might have been a sssd/nscd caching issue so I 
>> > disabled those. Did not help. I also put a 30 second sleep in. Also did 
>> > not help.
>> >
>> > I am wondering if this could be some sort of compile/converge issue 
>> > where chef is looking at the recipe, and checking if the users exist 
>> > before it runs. That could explain why it works a second time, but fails 
>> > on the first since LDAP hasn't been configured yet.
>> >
>> > Here's the second recipe, the one that tries to perform user operations 
>> > after LDAP is configured.
>> >
>> > include_recipe "foo-ldap"
>> >
>> > bag = data_bag("ssh-keys")
>> > for item in bag do
>> > user = data_bag_item('ssh-keys', item)
>> > user_id = user['id']
>> > group_id = user['group']
>> >
>> > bash "foo" do
>> > user "#{user_id}"
>> > code <<-EOF
>> > touch /tmp/FILE
>> > EOF
>> > end
>> >
>> > directory "/home/#{user_id}" do
>> > action :create
>> > owner "#{user_id}"
>> > group "#{group_id}"
>> > recursive true
>> > end
>> >
>> > directory "/home/#{user_id}/.ssh" do
>> > action :create
>> > owner "#{user_id}"
>> > group "#{group_id}"
>> > recursive true
>> > end
>> >
>> > end
>> >
>> > Unfortunately, I'm pretty sure that Noah Kantrowitz, who seems to have a 
>> > rather vehement dislike of me personally will probably find fault with 
>> > this question. Apologies in advance to readers of that thread if that 
>> > happens. He will probably say that I have already asked this question in 
>> > the IRC channel. I asked a similar question. He summarily dismissed me 
>> > when I asked again with added information.
>> >
>> > Regards,
>> > Douglas Garstang
>>
>>
>>
>>
>> --
>> Regards,
>>
>> Douglas Garstang
>> http://www.linkedin.com/in/garstang
>> Email: 
>> 
 
>>  
>> (mailto:
 )
>> Cell: +1-805-340-5627
>
>
>