Adding a sudoers file in chef fails at verification

自闭症网瘾萝莉.ら submitted on 2019-12-24 18:58:11

Question


goal

I'm trying to add/edit a sudoers file in Chef.

After a lot of search (and broken sudoers) I found this question and the answer seemed to be exactly what I am after.


My cookbook

So in my chef I added the following visudo cookbook:

The recipe: ~/chef-repo/cookbook/visudo/recipes/allowUpgrade.rb

template '/etc/sudoers.d/allowUpgrade' do
    cookbook 'visudo'
    source 'allowUpgrade.erb'

    owner 'root'
    group 'root'
    mode '0440'

    verify "visudo -c -f %{path}"
end

My template: ~/chef-repo/cookbooks/visudo/templates/allowUpgrade.erb

username ALL=(ALL) NOPASSWD: /usr/local/bin/upgrade

Template and verification work manually

When I put this line/file there manually using

sudo nano /etc/sudoers.d/allowUpgrade

(I know one shouldn't) and then verify it using

visudo -c -f /etc/sudoers.d/allowUpgrade

I get

/etc/sudoers.d/allowUpgrade: parsed OK

and it works meaning I can run

sudo upgrade

without being prompted for the sudo password.


Verification fails running Chef

However it is not working using Chef. I'm trying it first on the local machine using

sudo chef-client -z --runlist 'recipe[visudo::allowUpgrade]'

But I get this error

Error executing action `create` on resource 'template[/etc/sudoers.d/allowUpgrade]'

Chef::Exceptions::ValidationFailed

Why is the verification failing in chef? What am I doing wrong?

Here is the complete error message

Recipe: visudo::allowUpgrade
  * template[/etc/sudoers.d/allowUpgrade] action create[2017-12-07T08:24:50+01:00] INFO: Processing template[/etc/sudoers.d/allowUpgrade] action create (visudo::allowUpgrade line 7)


    ================================================================================
    Error executing action `create` on resource 'template[/etc/sudoers.d/allowUpgrade]'
    ================================================================================

    Chef::Exceptions::ValidationFailed
    ----------------------------------
    Proposed content for /etc/sudoers.d/allowUpgrade failed verification #<Chef::Resource::File::Verification:0x0000000004070c48>

    Resource Declaration:
    ---------------------
    # In /home/username/chef-repo/.chef/local-mode-cache/cache/cookbooks/visudo/recipes/allowUpgrade.rb

      7: template '/etc/sudoers.d/allowUpgrade' do
      8:     owner'root'
      9:     group 'root'
     10:     mode '0440'
     11:     source 'allowUpgrade.erb'
     12:     verify 'visudo -c -f %{path}'
     13: end

    Compiled Resource:
    ------------------
    # Declared in /home/username/chef-repo/.chef/local-mode-cache/cache/cookbooks/visudo/recipes/allowUpgrade.rb:7:in `from_file'

    template("/etc/sudoers.d/allowUpgrade") do
      action [:create]
      default_guard_interpreter :default
      source "allowUpgrade.erb"
      declared_type :template
      cookbook_name "visudo"
      recipe_name "allowUpgrade"
      owner "root"
      group "root"
      mode "0440"
      verifications [#<Chef::Resource::File::Verification:0x0000000004070c48 @command_opts={},
          @command="visudo -c -f %{path}", @block=nil, @parent_resource=<template[/etc/sudoers.d/allowUpgrade] 
          @name: "/etc/sudoers.d/allowUpgrade" @before: nil @params: {} 
          @provider: nil @allowed_actions: [:nothing, :create, :delete, :touch, :create_if_missing] 
          @action: [:create] @updated: false @updated_by_last_action: false 
          @source_line: "/home/username/chef-repo/.chef/local-mode-cache/cache/cookbooks/visudo/recipes/allowUpgrade.rb:7:in `from_file'" 
          @guard_interpreter: nil @default_guard_interpreter: :default 
          @elapsed_time: 0 @source: "allowUpgrade.erb" @cookbook: nil 
          @local: false @variables: {} @inline_helper_blocks: {} 
          @inline_helper_modules: [] @helper_modules: [] @declared_type: :template 
          @cookbook_name: "visudo" @recipe_name: "allowUpgrade" @owner: "root" @group: "root" @mode: "0440" 
          @verifications: [...] @path: "/etc/sudoers.d/allowUpgrade">>]
      path "/etc/sudoers.d/allowUpgrade"
    end

Update:

When I leave the verification out and just do

template '/etc/sudoers.d/allowUpgrade' do
    cookbook 'visudo'
    source 'allowUpgrade.erb'

    owner 'root'
    group 'root'
    mode '0440'

    verify { 1 == 1 }
end

The sudo is broken! In recovery mode and the root console I checked and it looks just the same as when I insert it manually (which works fine)?!


Answer 1:


Thanks to the help of Tensibai here in the comments and the hint to line endings I could finally solve this problem.

Indeed the issue was line endings as noted in this ancient Issue

I generated the cookbooks, recipes and templates on an Ubuntu Server 16.04 but do all my editing on the repository in Brackets.io on Windows.

This made template (and other) files have CRLF instead of LF line endings because Brackets seems to automatically use the line endings of the OS it is running on. This of course made the /etc/sudoers.d/allowUpgrade file break the sudoers because it has to end in a new line.

After some research I found this was an old known Issue and could be solved by the Plug-In Newline.

After installing this Plug-In indeed I could see that the file had CRLF lineendings.

I switched it to LF thanks to the Plug-In by clicking on the CRLF. Now my cookbook runs as expected and I'm able to run

sudo upgrade

without being prompted for the password - meaning it works.
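
Added example, not part of the original question or answer: a Ruby check that flags cookbook templates containing CR bytes or lacking a final newline, the condition the answer identifies, and rewrites them with LF endings. The function names and the temporary sample cookbook are assumptions made for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# List [relative_path, problem] pairs for cookbook templates whose bytes would
# put CR characters, or no final newline, into the rendered file.
def line_ending_problems(cookbook_dir)
  Dir.glob(File.join(cookbook_dir, 'templates', '**', '*.erb')).sort.flat_map do |path|
    data = File.binread(path)
    rel = path.delete_prefix("#{cookbook_dir}/")
    found = []
    found << [rel, :crlf] if data.include?("\r")
    found << [rel, :no_final_newline] unless data.end_with?("\n")
    found
  end
end

# Convert CRLF (and bare CR) to LF and make sure the content ends with a newline.
def normalize_line_endings(content)
  out = content.gsub(/\r\n?/, "\n")
  out.end_with?("\n") ? out : "#{out}\n"
end

# Rewrite every flagged template in place; returns the relative paths rewritten.
def fix_templates!(cookbook_dir)
  line_ending_problems(cookbook_dir).map(&:first).uniq.each do |rel|
    path = File.join(cookbook_dir, rel)
    File.binwrite(path, normalize_line_endings(File.binread(path)))
  end
end

# Constructed sample: the sudoers line from the question saved with CRLF,
# as an editor on Windows would write it, next to an LF-only template.
def demo
  Dir.mktmpdir do |dir|
    FileUtils.mkdir_p(File.join(dir, 'templates'))
    rule = 'username ALL=(ALL) NOPASSWD: /usr/local/bin/upgrade'
    File.binwrite(File.join(dir, 'templates', 'allowUpgrade.erb'), "#{rule}\r\n")
    File.binwrite(File.join(dir, 'templates', 'clean.erb'), "#{rule}\n")
    before = line_ending_problems(dir)
    fix_templates!(dir)
    [before, line_ending_problems(dir)]
  end
end

before, after = demo
puts "before: #{before.inspect}", "after: #{after.inspect}"
```

A check like this fits in CI or a pre-commit hook; a `.gitattributes` entry such as `*.erb text eol=lf` additionally makes Git store and check out templates with LF endings.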



Source: https://stackoverflow.com/questions/47690081/adding-a-sudoers-file-in-chef-fails-at-verification