[Bug?] Chef is not passing single quote to bash script


#1

Hi all,

My wish is to create a MySQL user using chef…
To prevent passing the MySQL-password as a command line arg I’m using /usr/bin/expect.

My CHEF recipe looks like this (I’ve removed the CHEF variables and substituted the username and password):

bash "create-mysql-user" do
user "root"
code <<-EOF
    /usr/bin/expect -c 'spawn  mysql -uroot -p
    expect "Enter password: "
    send "root_password"
    expect "MariaDB*none*>*"
    send "CREATE USER `test123`@`localhost` IDENTIFIED BY '\''some_pass'\'';\r"
    expect "MariaDB*none*>*"
    send "QUIT;"
    expect EOF'
    EOF
end

Running chef-client with -l debug produces the following output:

[2017-02-26T19:09:04+01:00] DEBUG: Providers for generic bash resource enabled on node include: [Chef::Provider::Script]
[2017-02-26T19:09:04+01:00] DEBUG: Provider for action run on resource bash[create-mysql-user] is Chef::Provider::Script

[execute] spawn mysql -uroot -p
          Enter password:
          Welcome to the MariaDB monitor.  Commands end with ; or \g.
          Your MariaDB connection id is 616
          Server version: 10.1.21-MariaDB-1~jessie mariadb.org binary distribution

          Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

          Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

          MariaDB [(none)]> CREATE USER `test123`@`localhost` IDENTIFIED BY some_pass;
          ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'some_pass' at line 1
          MariaDB [(none)]> QUIT;
          Bye
          [2017-02-26T19:09:04+01:00] INFO: bash[create-mysql-user] ran successfully

- execute "bash"  "/tmp/chef-script20170226-14374-1asy43m"

As you can see: the single quotes around some_pass aren’t passed to the script.

Can someone help me out please if this is a bug or a problem with my recipe?

Chef: 12.16.42, Debian 8

Thanks in advance.


#2

You seem to be nesting single quotes improperly. The whole spawn block is surrounded by single quotes, and then you are using single quotes again around the password.

Incidentally, you may be able to do the whole thing more simply. There really is no need to spawn or work with expect at all. Simply put the following into an execute resource:

mysql -u root -p -e "CREATE USER test123@localhost IDENTIFIED BY 'some_pass';"

Normally, specifying the password on the command line is discouraged for security concerns, but in this case, the bash resource has a similar problem already. The whole script, including root password, is first written to a file. So using the execute resource may actually be less problematic.

An even better solution is to create a .my.cnf file in /root and set the permissions to 0600.

Kevin Keane
Whom the IT Pros Call
The NetTech
http://www.4nettech.com
Our values: Privacy, Liberty, Justice
See https://www.4nettech.com/corp/the-nettech-values.html
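
Added example, not part of either post: a plain-Ruby look at what happens to the '\'' sequence from the recipe in #1 when it sits in code <<-EOF compared with a quoted heredoc tag, <<-'EOF'. The one-line script is a constructed sample built from the recipe's CREATE USER line, and Shellwords.split is used as a stand-in for bash's quote handling (an assumption of this example).

```ruby
require 'shellwords'

# Constructed sample: the CREATE USER `send` line from the recipe in #1,
# single-quoted as the argument to `expect -c`, placeholder password included.

# Same heredoc style as the recipe. <<-EOF is processed like a double-quoted
# Ruby string, so each \' collapses to ' before Chef writes the script file.
INTERPOLATED = <<-EOF
expect -c 'send "CREATE USER `test123`@`localhost` IDENTIFIED BY '\''some_pass'\'';"'
EOF

# Quoting the heredoc tag (<<-'EOF') turns escape processing off, so the
# shell idiom '\'' reaches bash byte for byte.
RAW = <<-'EOF'
expect -c 'send "CREATE USER `test123`@`localhost` IDENTIFIED BY '\''some_pass'\'';"'
EOF

# The argument the shell would hand to `expect -c`. Shellwords.split is used
# here as a stand-in for bash's quote removal (assumption of this example).
def expect_arg(script)
  Shellwords.split(script).last
end

# True when the SQL string literal still carries its single quotes.
def password_quoted?(script)
  expect_arg(script).match?(/IDENTIFIED BY '[^']+';/)
end

if $PROGRAM_NAME == __FILE__
  { 'code <<-EOF' => INTERPOLATED, "code <<-'EOF'" => RAW }.each do |label, script|
    puts "#{label}: #{expect_arg(script)}"
    puts "  password quoted for MariaDB: #{password_quoted?(script)}"
  end
end
```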