Chef bash resource not executing as specified user


#1

I’m writing a Chef cookbook to install Hubot. In the recipe, I do the
following:

bash "install hubot" do
  user hubot_user
  group hubot_group
  cwd install_dir
  code <<-EOH
    wget https://github.com/downloads/github/hubot/hubot-#{node['hubot']['version']}.tar.gz &&
    tar xzvf hubot-#{node['hubot']['version']}.tar.gz &&
    cd hubot &&
    npm install
  EOH
end

However, when I try to run chef-client on the server installing the
cookbook, I’m getting a permission denied writing to the directory of the
user that runs chef-client, not the hubot user. For some reason, npm is
trying to run under the wrong user, not the user specified in the bash
resource.

I am able to run sudo su - hubot -c "npm install /usr/local/hubot/hubot"
manually, and this gets the result I want (installs hubot as the hubot
user). However, it seems chef-client isn’t executing the command as the
hubot user. Below you’ll find the chef-client execution. Thank you in
advance.

Saving to: `hubot-2.1.0.tar.gz'

 0K ......                                                100%  563K=0.01s

2012-01-23 12:32:55 (563 KB/s) - `hubot-2.1.0.tar.gz' saved [7115/7115]

npm ERR! Could not create /home//.npm/log/1.2.0/package.tgz
npm ERR! Failed creating the tarball.
npm ERR! couldn't pack /tmp/npm-1327339976597/1327339976597-0.13104878342710435/contents/package to /home//.npm/log/1.2.0/package.tgz
npm ERR! error installing hubot@2.1.0 Error: EACCES, permission denied '/home//.npm/log'

npm not ok
---- End output of "bash" "/tmp/chef-script20120123-25024-u9nps2-0" ----
Ran "bash" "/tmp/chef-script20120123-25024-u9nps2-0" returned 1


Arthur Kalmenson


#2

Are you running chef-client as root, e.g. with sudo?


Leonardo Gamas
Software Engineer
T +55 (71) 3494-3514
C +55 (75) 8134-7440
leogamas@jusbrasil.com.br


#3

Hi Arthur,

The problem is that the normal environment for hubot_user isn’t being loaded during the bash resource run. Because the hubot-user is running the npm command, but has the environment of the chef-client-user, it is writing the npm logs to the chef-client-user’s home folder, which it doesn’t have permissions for.

At least that’s what it looks like to me.

Joe



#4

On Wednesday, January 25, 2012 at 7:23 AM, Joseph Reynolds wrote:

> Hi Arthur,
>
> The problem is that the normal environment for hubot_user isn’t being loaded during the bash resource run. Because the hubot-user is running the npm command, but has the environment of the chef-client-user, it is writing the npm logs to the chef-client-user’s home folder, which it doesn’t have permissions for.
>
> At least that’s what it looks like to me.
>
> Joe

Setting the user in a script or execute resource will change the UID that the process runs as, but this is not the same as logging in as that user at the console. In particular, profile and rc scripts will not be sourced as they would during a normal login. The man page for bash explains this under the “Invocation” section:

http://linux.die.net/man/1/bash


Dan DeLeo


#5

Leonardo,
Yes, running as sudo

Joseph,
Yeah, it looks the same to me as well. But how would I work around that?

Daniel,
That makes sense, but is there a way to source it so it runs as if it’s
logged in?

Thank you all for your help.


Arthur Kalmenson



#6

On Wednesday, January 25, 2012 at 8:32 AM, Arthur Kalmenson wrote:

> Leonardo,
> Yes, running as sudo
>
> Joseph,
> Yeah, it looks the same to me as well. But how would I work around that?
>
> Daniel,
> That makes sense, but is there a way to source it so it runs as if it’s logged in?

You could try adding the -l flag to the bash resource, and setting the HOME environment variable using the environment attribute of the bash resource.

I created an improvement request for this: http://tickets.opscode.com/browse/CHEF-2288 There are some workarounds posted.

> Thank you all for your help.
>
> Arthur Kalmenson


Dan DeLeo
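
Added example (not from any poster in this thread and not Chef's own code): a plain-Ruby model of why a step that only changes UID still resolves npm's directory under the chef-client user's HOME, and what the `environment` attribute changes. The `/root` and `/home/hubot` paths and all function names are constructed for illustration.

```ruby
require 'etc'
require 'open3'

# Constructed stand-in for the environment chef-client runs with under sudo.
CHEF_CLIENT_ENV = { 'HOME' => '/root', 'USER' => 'root', 'LOGNAME' => 'root',
                    'PATH' => '/usr/bin:/bin' }.freeze

# Login-style variables for an account, read from its passwd entry instead of
# being hard-coded in the recipe.
def login_env_for(username)
  pw = Etc.getpwnam(username) # raises ArgumentError if the account is missing
  { 'HOME' => pw.dir, 'USER' => pw.name, 'LOGNAME' => pw.name }
end

# Model of one resource run: the child starts from the parent's environment,
# and only the keys in resource_env (the `environment` attribute) are replaced.
# The UID change is deliberately absent: it does not alter any variable.
def npm_cache_dir_seen_by_child(parent_env, resource_env = {})
  child_env = parent_env.merge(resource_env)
  out, status = Open3.capture2(child_env, '/bin/sh', '-c',
                               'printf %s "$HOME/.npm"', unsetenv_others: true)
  raise "child exited with #{status.exitstatus}" unless status.success?
  out
end

if __FILE__ == $PROGRAM_NAME
  # Without the attribute, the step inherits chef-client's HOME.
  puts npm_cache_dir_seen_by_child(CHEF_CLIENT_ENV)
  # With it, the same step resolves paths under the service account.
  # '/home/hubot' is an assumed home directory, not a value from the thread.
  fixed = { 'HOME' => '/home/hubot', 'USER' => 'hubot', 'LOGNAME' => 'hubot' }
  puts npm_cache_dir_seen_by_child(CHEF_CLIENT_ENV, fixed)
end
```

In a recipe, the hash returned by `login_env_for` is what would be passed to the bash resource's `environment` attribute, so a privilege-dropped step never reads or writes under the privileged user's home.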


#7

Arthur,
FWIW this is the recipe we at Opscode use to deploy our instance of hubot:
https://gist.github.com/6e4b07ec2a650baa7ac3

One thing to note is an explicit execution of ‘npm install’ is not required since the hubot bin file does that for you every time hubot launches.

Hope that helps!


Seth Chisamore
Software Design Engineer, Opscode, Inc.
IRC, Skype, Twitter, Github: schisamo



#8

Daniel,
Thanks, setting the “environment” attribute worked. I’ve voted and watched
that issue, so we’ll see where it goes.

Seth,
Thanks for that Gist, it gave me good ideas on how to implement it, and it
helped a lot. Any chance of integrating a similar cookbook with the current
opscode cookbooks? I guess I could tweak mine to be similar and make a pull
request for that…


Arthur Kalmenson

On Wed, Jan 25, 2012 at 12:37 PM, Seth Chisamore schisamo@opscode.com wrote:

> Arthur,
> FWIW this is the recipe we at Opscode use to deploy our instance of hubot:
> https://gist.github.com/6e4b07ec2a650baa7ac3
>
> One thing to note is an explicit execution of ‘npm install’ is not
> required since the hubot bin file does that for you every time hubot
> launches.
>
> Hope that helps!
>
> Seth Chisamore
> Software Design Engineer, Opscode, Inc.
> IRC, Skype, Twitter, Github: schisamo
