Chef bash resource not executing as specified user

amaltson · January 25, 2012, 2:32pm

I’m writing a Chef cookbook to install Hubot. In the recipe, I do the
following:

bash “install hubot” do
user hubot_user
group hubot_group
cwd install_dir
code <<-EOH
wget
https://github.com/downloads/github/hubot/hubot-#{node[‘hubot’][‘version’]}.tar.gz&&

tar xzvf hubot-#{node[‘hubot’][‘version’]}.tar.gz &&
cd hubot &&
npm install
EOH
end

However, when I try to run chef-client on the server installing the
cookbook, I’m getting a permission denied writing to the directory of the
user that runs chef-client, not the hubot user. For some reason, npm is
trying to run under the wrong user, not the user specified in the bash
resource.

I am able to run sudo su - hubot -c "npm install /usr/local/hubot/hubot"
manually, and this gets the result I want (installs hubot as the hubot
user). However, it seems chef-client isn’t executing the command as the
hubot user. Below you’ll find the chef-client execution. Thank you in
advance.

Saving to: `hubot-2.1.0.tar.gz’

 0K ......                                                100%

563K=0.01s

2012-01-23 12:32:55 (563 KB/s) - `hubot-2.1.0.tar.gz’ saved [7115/7115]

npm ERR! Could not create
/home//.npm/log/1.2.0/package.tgz
npm ERR! Failed creating the tarball.
npm ERR! couldn’t pack
/tmp/npm-1327339976597/1327339976597-0.13104878342710435/contents/package
to /home//.npm/log/1.2.0/package.tgz
npm ERR! error installing hubot@2.1.0 Error: EACCES, permission denied
’/home//.npm/log’

…

npm not ok
---- End output of “bash” “/tmp/chef-script20120123-25024-u9nps2-0” ----
Ran “bash” “/tmp/chef-script20120123-25024-u9nps2-0” returned 1

–
Arthur Kalmenson

Leonardo_Gamas · January 25, 2012, 2:38pm

Are you running chef-client as root, e.g. with sudo?

2012/1/25 Arthur Kalmenson arthur.kalm@gmail.com

I'm writing a Chef cookbook to install Hubot. In the recipe, I do the
following:

bash "install hubot" do
user hubot_user
group hubot_group
cwd install_dir
code <<-EOH
wget
https://github.com/downloads/github/hubot/hubot-#{node['hubot']['version']}.tar.gz&&
tar xzvf hubot-#{node['hubot']['version']}.tar.gz &&
cd hubot &&
npm install
EOH
end

However, when I try to run chef-client on the server installing the
cookbook, I'm getting a permission denied writing to the directory of the
user that runs chef-client, not the hubot user. For some reason, npm is
trying to run under the wrong user, not the user specified in the bash
resource.

I am able to run sudo su - hubot -c "npm install /usr/local/hubot/hubot"
manually, and this gets the result I want (installs hubot as the hubot
user). However, it seems chef-client isn't executing the command as the
hubot user. Below you'll find the chef-client execution. Thank you in
advance.

Saving to: `hubot-2.1.0.tar.gz'
 0K ......                                                100%
563K=0.01s

2012-01-23 12:32:55 (563 KB/s) - `hubot-2.1.0.tar.gz' saved [7115/7115]

npm ERR! Could not create
/home//.npm/log/1.2.0/package.tgz
npm ERR! Failed creating the tarball.
npm ERR! couldn't pack
/tmp/npm-1327339976597/1327339976597-0.13104878342710435/contents/package
to /home//.npm/log/1.2.0/package.tgz
npm ERR! error installing hubot@2.1.0 Error: EACCES, permission denied
'/home//.npm/log'

...

npm not ok
---- End output of "bash" "/tmp/chef-script20120123-25024-u9nps2-0" ----
Ran "bash" "/tmp/chef-script20120123-25024-u9nps2-0" returned 1

--
Arthur Kalmenson

--

Leonardo Gamas
Software Engineer
T +55 (71) 3494-3514
C +55 (75) 8134-7440
leogamas@jusbrasil.com.br
www.jusbrasil.com.br

Joseph_Reynolds · January 25, 2012, 3:23pm

Hi Arthur,

The problem is that the normal environment for hubot_user isn't being loaded during the bash resource run. Because the hubot-user is running the npm command, but has the environment of the chef-client-user, it is writing the npm logs to the chef-client-user's home folder, which it doesn't have permissions for.

At least that's what it looks like to me.

Joe

On Jan 25, 2012, at 9:32 AM, Arthur Kalmenson wrote:

I'm writing a Chef cookbook to install Hubot. In the recipe, I do the following:

bash "install hubot" do
user hubot_user
group hubot_group
cwd install_dir
code <<-EOH
wget https://github.com/downloads/github/hubot/hubot-#{node['hubot']['version']}.tar.gz &&
tar xzvf hubot-#{node['hubot']['version']}.tar.gz &&
cd hubot &&
npm install
EOH
end

However, when I try to run chef-client on the server installing the cookbook, I'm getting a permission denied writing to the directory of the user that runs chef-client, not the hubot user. For some reason, npm is trying to run under the wrong user, not the user specified in the bash resource.

I am able to run sudo su - hubot -c "npm install /usr/local/hubot/hubot" manually, and this gets the result I want (installs hubot as the hubot user). However, it seems chef-client isn't executing the command as the hubot user. Below you'll find the chef-client execution. Thank you in advance.

Saving to: `hubot-2.1.0.tar.gz'
 0K ......                                                100%  563K=0.01s
2012-01-23 12:32:55 (563 KB/s) - `hubot-2.1.0.tar.gz' saved [7115/7115]

npm ERR! Could not create /home//.npm/log/1.2.0/package.tgz
npm ERR! Failed creating the tarball.
npm ERR! couldn't pack /tmp/npm-1327339976597/1327339976597-0.13104878342710435/contents/package to /home//.npm/log/1.2.0/package.tgz
npm ERR! error installing hubot@2.1.0 Error: EACCES, permission denied '/home//.npm/log'

...

npm not ok
---- End output of "bash" "/tmp/chef-script20120123-25024-u9nps2-0" ----
Ran "bash" "/tmp/chef-script20120123-25024-u9nps2-0" returned 1

--
Arthur Kalmenson

kallistec · January 25, 2012, 4:18pm

On Wednesday, January 25, 2012 at 7:23 AM, Joseph Reynolds wrote:

Hi Arthur,

The problem is that the normal environment for hubot_user isn't being loaded during the bash resource run. Because the hubot-user is running the npm command, but has the environment of the chef-client-user, it is writing the npm logs to the chef-client-user's home folder, which it doesn't have permissions for.

At least that's what it looks like to me.

Joe
Setting the user in a script or execute resource will change the UID that the process runs as, but this is not the same as logging in as that user at the console. In particular, profile and rc scripts will not be sourced as they would during a normal login. The man page for bash explains this under the "Invocation" section:

--
Dan DeLeo

amaltson · January 25, 2012, 4:32pm

Leonardo,
Yes, running as sudo

Joseph,
Yeah, it looks the same to me as well. But how would I work around that?

Daniel,
That makes sense, but is there a way to source it so it runs as if it's
logged in?

Thank you all for your help.

--
Arthur Kalmenson

On Wed, Jan 25, 2012 at 11:18 AM, Daniel DeLeo dan@kallistec.com wrote:

On Wednesday, January 25, 2012 at 7:23 AM, Joseph Reynolds wrote:

Hi Arthur,

The problem is that the normal environment for hubot_user isn't being
loaded during the bash resource run. Because the hubot-user is running the
npm command, but has the environment of the chef-client-user, it is writing
the npm logs to the chef-client-user's home folder, which it doesn't have
permissions for.

At least that's what it looks like to me.

Joe
Setting the user in a script or execute resource will change the UID that
the process runs as, but this is not the same as logging in as that user at
the console. In particular, profile and rc scripts will not be sourced as
they would during a normal login. The man page for bash explains this under
the "Invocation" section:

http://linux.die.net/man/1/bash

--
Dan DeLeo

kallistec · January 25, 2012, 4:42pm

On Wednesday, January 25, 2012 at 8:32 AM, Arthur Kalmenson wrote:

Leonardo,
Yes, running as sudo

Joseph,
Yeah, it looks the same to me as well. But how would I work around that?

Daniel,
That makes sense, but is there a way to source it so it runs as if it's logged in?

You could try adding the -l flag to the bash resource, and setting the HOME environment variable using the environment attribute of the bash resource.

I created an improvement request for this: http://tickets.opscode.com/browse/CHEF-2288 There are some workarounds posted.

Thank you all for your help.

--
Arthur Kalmenson

--
Dan DeLeo

Seth_Chisamore · January 25, 2012, 5:37pm

Arthur,
FWIW this is the recipe we at Opscode use to deploy our instance of hubot:

gist.github.com

https://gist.github.com/schisamo/6e4b07ec2a650baa7ac3

README.md

Description
===========

Requirements
============

Attributes
==========

Usage

This file has been truncated. show original

default.rb

#
# Cookbook Name:: opscode-hubot
# Recipe:: default
#
# Copyright 2011, Opscode
#
# All rights reserved - Do Not Redistribute
#

include_recipe "node"

This file has been truncated. show original

metadata.rb

maintainer       "Opscode Dev Team"
maintainer_email "dev@opscode.com"
license          "All rights reserved"
description      "Installs/Configures opscode-hubot"
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version          "0.0.1"

depends "node"
depends "opscode-github"
depends "runit"

There are more than three files. show original

One thing to note is an explicit execution of 'npm install' is not required since the hubot bin file does that for you every time hubot launches.

Hope that helps!

--
Seth Chisamore
Software Design Engineer, Opscode, Inc.
IRC, Skype, Twitter, Github: schisamo

On Wednesday, January 25, 2012 at 8:42 AM, Daniel DeLeo wrote:

On Wednesday, January 25, 2012 at 8:32 AM, Arthur Kalmenson wrote:

Leonardo,
Yes, running as sudo

Joseph,
Yeah, it looks the same to me as well. But how would I work around that?

Daniel,
That makes sense, but is there a way to source it so it runs as if it's logged in?

You could try adding the -l flag to the bash resource, and setting the HOME environment variable using the environment attribute of the bash resource.

I created an improvement request for this: http://tickets.opscode.com/browse/CHEF-2288 There are some workarounds posted.

Thank you all for your help.

--
Arthur Kalmenson

--
Dan DeLeo

amaltson · January 26, 2012, 6:10pm

Daniel,
Thanks, setting the "environment" attribute worked. I've voted and watched
that issue, so we'll see where it goes.

Seth,
Thanks for that Gist, it gave me good ideas on how to implement it, and it
helped a lot. Any chance of integrating a similar cookbook with the current
opscode cookbooks? I guess I could tweak mine to be similar and make a pull
request for that..

--
Arthur Kalmenson

On Wed, Jan 25, 2012 at 12:37 PM, Seth Chisamore schisamo@opscode.comwrote:

Arthur,
FWIW this is the recipe we at Opscode use to deploy our instance of hubot:
hubot deploy cookbook · GitHub

One thing to note is an explicit execution of 'npm install' is not
required since the hubot bin file does that for you every time hubot
launches.

Hope that helps!

--
Seth Chisamore
Software Design Engineer, Opscode, Inc.
IRC, Skype, Twitter, Github: schisamo

On Wednesday, January 25, 2012 at 8:42 AM, Daniel DeLeo wrote:

On Wednesday, January 25, 2012 at 8:32 AM, Arthur Kalmenson wrote:

Leonardo,
Yes, running as sudo

Joseph,
Yeah, it looks the same to me as well. But how would I work around that?

Daniel,
That makes sense, but is there a way to source it so it runs as if it's
logged in?

You could try adding the -l flag to the bash resource, and setting the
HOME environment variable using the environment attribute of the bash
resource.
I created an improvement request for this:
http://tickets.opscode.com/browse/CHEF-2288 There are some workarounds
posted.

Thank you all for your help.

--
Arthur Kalmenson

--
Dan DeLeo

Topic		Replies	Views
Can't seem to run command in bash resource as another user? Chef Infra (archive)	4	673	July 22, 2015
Using not_if in bash block still causes file to be downloaded Chef Infra (archive)	3	314	February 3, 2012
Run entire chef recipe as 'ubuntu' user, not 'root' user Chef Infra (archive)	7	6756	April 5, 2016
Chef_user & chef_organization Chef Infra (archive)	1	606	March 24, 2017
Run Chef in another user Chef Infra (archive)	2	406	August 13, 2014

Chef bash resource not executing as specified user

Related topics