Chef and Ohai use the Etc library in Ruby, which in turn uses the standard
getpw* and getgr* calls. These are configured by nsswitch.conf. If you go
look this up, you'll see that that file is only read once for a given process
and there is no universal way to clear the config. Some libcs offer
non-standard calls for it, but I doubt any of those are exposed to Ruby.
--Noah
On Jan 26, 2015, at 3:29 PM, Douglas Garstang
< >
wrote:
Sorry to have to repeat myself, but I can't use 'owner' and 'group' on
resources. Even thought LDAP is configured, chef isn't able to see the users
and groups.
David suggested I reload ohai. I had no idea this was necessary or required,
but I tried it anyway. I put this at the end of my ldap cookbook.
ohai "reload_passwd" do
plugin "etc"
end
log node['etc']['passwd']
What I am seeing, (I'm using vagrant), is that on the first chef run, the
LDAP users are not in in the node structure. However, if I reprovision,
(without making any changes), then the users ARE there.
In hindsight, isn't this just the typical node[] not being populated until
after the chef run issue?
Doug.
On Mon, Jan 26, 2015 at 3:22 PM, Lamont Granquist
< >
wrote:
On 1/26/15 2:29 PM, Douglas Garstang wrote:
I'm having trouble setting up users authorized keys. A cookbook that runsYeah the warning is trying to tell you the problem. You're defining multiple
earlier in the runlist sets up LDAP. However, due to reasons I don't
understand, none of that user information is available during the chef run. I
previously posted about this once before. As a result, I can't simply create
files and directories and use 'owner' and 'group.
I came up with the below idea. I'm iterating over the ssh keys in a data bag
and then for each user running a command as this user. That makes PAM do all
the home directory setup for me. I create the ~/.ssh directory in a similar
fashion, as the user. All works ok. However, I'm having an issue with adding
the array of ssh_keys pulled from the data bag to the users authorized keys
file.
include_recipe "slice-ldap"
bag = data_bag("ssh-keys")
for item in bag do
user = data_bag_item('ssh-keys', item)
user_name = user['id']
ssh_keys = user['ssh_keys']
execute "create_home_#{user_name}" do
command "su - #{user_name} -c \"ls\""
creates "/home/#{user_name}"
notifies :run, "execute[create_ssh_dir_#{user_name}]", :immediately
end
execute "create_ssh_dir_#{user_name}" do
command "su - #{user_name} -c \"mkdir /home/#{user_name}/.ssh\""
notifies :run, "execute[install_public_rsa_#{user_name}]", :immediately
creates "/home/#{user_name}/.ssh"
end
ssh_keys.each_with_index do |k, index|
log "k = #{k}"
execute "install_public_rsa_#{user_name}" do
command "su - #{user_name} -c \"echo '#{k}' >>
/home/#{user_name}/.ssh/authorized_keys\""
action :nothing
end
end
end
However, I'm having an issue with adding the array of ssh_keys pulled from
the data bag to the users authorized keys file. The loop at the end does
this, but chef also gives me this warning:
==> default: [2015-01-26T22:23:47+00:00] WARN: Previous
execute[install_public_rsa_doug]:
/tmp/vagrant-chef-3/chef-solo-1/cookbooks/slice-ssh-keys/recipes/default.rb:38:in
`block (2 levels) in from_file'
==> default: [2015-01-26T22:23:47+00:00] WARN: Current
execute[install_public_rsa_doug]:
/tmp/vagrant-chef-3/chef-solo-1/cookbooks/slice-ssh-keys/recipes/default.rb:38:in
`block (2 levels) in from_file'
Apart from the warning, only the last ssh keys is being added to the
authorized_keys file. Even though I'm using echo and >>, the last one is not
there. The log statement shows each key, so I know the loop is iterating over both.
What gives?
Doug
resources called `execute[install_public_rsa_doug]` and the resource
collection and the way notifies and subscribes is implemented requires unique
names. So you're getting resource cloning and you're only notifying one of
those blocks. You could add the index to then name and then subscribe to the
previous resources:
ssh_keys.each_with_index do |k, index|
log "k = #{k}"
execute "install_public_rsa_#{user_name}_#{index}" do
command "su - #{user_name} -c \"echo '#{k}' >>
/home/#{user_name}/.ssh/authorized_keys\""
subscribes :run, "execute[#{create_ssh_dir_#{user_name}]"
subscribes :run, "execute[#{create_home_#{user_name}]"
action :nothing
end
end
You'll be way better off just doing this though:
file "/home/#{user_name}" do
owner user_name
group user_name # or "users" or whatever
mode "0600"
end
file "/home/#{user_name}/.ssh" do
owner user_name
group user_name
mode "0600"
end
file "/home/#{user_name}/.ssh/authorized_keys" do
owner user_name
group user_name
mode "0600"
content ssh_keys.join("\n")
end
That's idempotent, you don't need the action :nothing or any notifications or
subscriptions, you can push new keys out and it'll correctly update, gets the
job done with fewer resources, etc. Similarly executing to su is a huge
antipattern, so you can replace the rest of that.
--
Regards,
Douglas Garstang
http://www.linkedin.com/in/garstang
Email:
Cell: +1-805-340-5627
Archive powered by MHonArc 2.6.16.