Audit mode with Vagrant only


#1

Hello!

I’m trying to get audit-mode to work just with vagrant and chef-client
12.2.1. Since there’s no option in Vagrant yet I tried passing it in the
chef.arguments, but get this error -

$ cat Vagrantfile | grep audit
chef.arguments = "--audit-mode enabled"

$ vagrant provision
==> default: Running provisioner: chef_zero...
==> default: Detected Chef (12.2.1) is already installed
Generating chef JSON and uploading...
==> default: Running chef-zero...
==> default: /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/mixlib-cli-1.5.0/lib/mixlib/cli.rb:191:in `parse_options'
==> default: :
==> default: invalid option: --audit-mode (OptionParser::InvalidOption)
==> default: from /opt/chef/embedded/apps/chef/lib/chef/application.rb:86:in `configure_chef'
==> default: from /opt/chef/embedded/apps/chef/lib/chef/application.rb:48:in `reconfigure'
==> default: from /opt/chef/embedded/apps/chef/lib/chef/application/solo.rb:190:in `reconfigure'
==> default: from /opt/chef/embedded/apps/chef/lib/chef/application.rb:58:in `run'
==> default: from /opt/chef/embedded/apps/chef/bin/chef-solo:25:in `<top (required)>'
==> default: from /usr/bin/chef-solo:51:in `load'
==> default: from /usr/bin/chef-solo:51:in `<main>'
Chef never successfully completed! Any errors should be visible in the
output above. Please fix your recipes so that they properly complete.

Also tried passing in a chef.custom_config_path = 'path/to/client.rb' with
audit_mode :enabled but those options don’t seem to get picked up.

Thanks,
-Eric Helgeson
@nulleric https://twitter.com/nulleric
https://usingchef.com


#2

Ohai,

I’m running audit mode via test kitchen in the audit-cis cookbook. The
.kitchen.yml has:

provisioner:
  name: chef_zero
  client_rb:
    audit_mode: :enabled

Test Kitchen 1.4.0 is required for this - it’s not released but the RC is
in ChefDK 0.5.0.

And I have some other discussion about this on my blog post here:

http://jtimberman.housepub.org/blog/2015/04/03/chef-audit-mode-introduction/

I’m not sure how to do this in vanilla Vagrant though.


Joshua Timberman


#3

I believe it’s due to Vagrant extending the chef-solo command for
local-mode vs chef-client

I’d think that should be a bug? local-mode is more akin to chef-client than
chef-solo.

$ chef-solo --audit-mode enabled
/opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/mixlib-cli-1.5.0/lib/mixlib/cli.rb:191:in `parse_options': invalid option: --audit-mode (OptionParser::InvalidOption)
from /opt/chefdk/embedded/apps/chef/lib/chef/application.rb:86:in `configure_chef'
from /opt/chefdk/embedded/apps/chef/lib/chef/application.rb:48:in `reconfigure'
from /opt/chefdk/embedded/apps/chef/lib/chef/application/solo.rb:190:in `reconfigure'
from /opt/chefdk/embedded/apps/chef/lib/chef/application.rb:58:in `run'
from /opt/chefdk/embedded/apps/chef/bin/chef-solo:25:in `<top (required)>'
from /usr/bin/chef-solo:51:in `load'
from /usr/bin/chef-solo:51:in `<main>'

$ chef-client --audit-mode enabled

[2015-04-22T10:57:23-05:00] WARN: Chef-client has been configured to audit
after it converges. Audit mode is an experimental feature currently under
development. API changes may occur. Use at your own risk.

  • To enable audit mode after converge, use command line option
    --audit-mode enabled or set :audit_mode = :enabled in your config file.
  • To disable audit mode, use command line option --audit-mode disabled or
    set :audit_mode = :disabled in your config file.
  • To only run audit mode, use command line option --audit-mode audit-only
    or set :audit_mode = :audit_only in your config file.
Audit mode is disabled by default.
Starting Chef Client, version 12.2.1

-Eric Helgeson
@nulleric https://twitter.com/nulleric
https://usingchef.com



#4

On Wed, 22 Apr 2015, Eric Helgeson wrote:

I believe it’s due to Vagrant extending the chef-solo command for
local-mode vs chef-client

https://github.com/mitchellh/vagrant/blob/ea8de92c59102f40f942865423a0a71ffcb6bdc9/plugins/provisioners/chef/provisioner/chef_zero.rb#L9

I’d think that should be a bug? local-mode is more akin to chef-client
than chef-solo.

Yeah, I would regard it as a bug in Vagrant. Solo doesn’t support audit
mode… it might eventually, but there aren’t any plans to right now.

- Julian

[ Julian C. Dunn jdunn@aquezada.com * Sorry, I’m ]
[ WWW: http://www.aquezada.com/staff/julian * only Web 1.0 ]
[ gopher://sdf.org/1/users/keymaker/ * compliant! ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9 ]


#5

Looks like someone filed a bug just before I noticed the issue -
https://github.com/mitchellh/vagrant/issues/5619

Thanks,

-Eric Helgeson
@nulleric https://twitter.com/nulleric
https://usingchef.com
