Chef services user

Mark_Rechler · April 7, 2011, 8:24pm

I have just freshly installed chef on centos 5.4 via gems. After running the
server bootstrap I found the webui to be unresponsive(ie. can’t login) when
running as the chef user. When running the webui as root however, everything
works normally. Is there a way to actually have the webui run as chef? Also if
not, do all chef related services need to run as root?

Thanks,
Mark

kallistec · April 7, 2011, 9:03pm

On Thursday, April 7, 2011 at 1:24 PM, mrechler@brightcove.com wrote:
I have just freshly installed chef on centos 5.4 via gems. After running the

server bootstrap I found the webui to be unresponsive(ie. can't login) when
running as the chef user. When running the webui as root however, everything
works normally. Is there a way to actually have the webui run as chef? Also if
not, do all chef related services need to run as root?

Thanks,
Mark
The webui is stateless and doesn't need to do anything with the underlying system. Perhaps you could include the error message from the webui's logs?

I imagine the webui server is unable to read the /etc/chef/webui.pem key when you're running as non-root, so chmod/chowning that file should resolve the issue.

HTH,

--
Dan DeLeo

Mark_Rechler · April 7, 2011, 9:14pm

Hi Dan,

Appreciate the help. I have tried changing the permissions and even
ownership (chef:root) for the pem files (webui and validation) to be very
liberal (a+rw) which did not help. The following is the only thing that
really appears in the logs (no errors):

merb : chef-server-webui : worker (port 4040) ~

merb : chef-server-webui : worker (port 4040) ~ Started request handling:
Thu Apr 07 14:07:53 -0700 2011
merb : chef-server-webui : worker (port 4040) ~ Params: {"name"=>"admin",
"action"=>"login_exec", "controller"=>"users", "password"=>"[FILTERED]",
"form_submit"=>"login"}
merb : chef-server-webui : worker (port 4040) ~ {:dispatch_time=>0.034691,
:action_time=>0.033662, :after_filters_time=>2.9e-05,
:before_filters_time=>5.8e-05}
merb : chef-server-webui : worker (port 4040) ~

merb : chef-server (api) : worker (port 4000) ~

merb : chef-server (api) : worker (port 4000) ~ Started request handling:
Thu Apr 07 14:07:53 -0700 2011
merb : chef-server (api) : worker (port 4000) ~ Params: {"format"=>nil,
"action"=>"show", "id"=>"admin", "controller"=>"users"}
merb : chef-server (api) : worker (port 4000) ~ {:action_time=>0.013155,
:after_filters_time=>2.6e-05, :before_filters_time=>0.007762,
:dispatch_time=>0.013818}
merb : chef-server (api) : worker (port 4000) ~

Thanks again,
Mark

On Thu, Apr 7, 2011 at 5:03 PM, Daniel DeLeo dan@kallistec.com wrote:

On Thursday, April 7, 2011 at 1:24 PM, mrechler@brightcove.com wrote:

I have just freshly installed chef on centos 5.4 via gems. After running
the
server bootstrap I found the webui to be unresponsive(ie. can't login) when
running as the chef user. When running the webui as root however,
everything
works normally. Is there a way to actually have the webui run as chef? Also
if
not, do all chef related services need to run as root?

Thanks,
Mark

The webui is stateless and doesn't need to do anything with the underlying
system. Perhaps you could include the error message from the webui's logs?

I imagine the webui server is unable to read the /etc/chef/webui.pem key
when you're running as non-root, so chmod/chowning that file should resolve
the issue.

HTH,

--
Dan DeLeo

kallistec · April 8, 2011, 2:48pm

On Thursday, April 7, 2011 at 2:14 PM, Mark Rechler wrote:
Hi Dan,

Appreciate the help. I have tried changing the permissions and even ownership (chef:root) for the pem files (webui and validation) to be very liberal (a+rw) which did not help. The following is the only thing that really appears in the logs (no errors):

merb : chef-server-webui : worker (port 4040) ~

merb : chef-server-webui : worker (port 4040) ~ Started request handling: Thu Apr 07 14:07:53 -0700 2011
merb : chef-server-webui : worker (port 4040) ~ Params: {"name"=>"admin", "action"=>"login_exec", "controller"=>"users", "password"=>"[FILTERED]", "form_submit"=>"login"}
merb : chef-server-webui : worker (port 4040) ~ {:dispatch_time=>0.034691, :action_time=>0.033662, :after_filters_time=>2.9e-05, :before_filters_time=>5.8e-05}
merb : chef-server-webui : worker (port 4040) ~

merb : chef-server (api) : worker (port 4000) ~

merb : chef-server (api) : worker (port 4000) ~ Started request handling: Thu Apr 07 14:07:53 -0700 2011
merb : chef-server (api) : worker (port 4000) ~ Params: {"format"=>nil, "action"=>"show", "id"=>"admin", "controller"=>"users"}
merb : chef-server (api) : worker (port 4000) ~ {:action_time=>0.013155, :after_filters_time=>2.6e-05, :before_filters_time=>0.007762, :dispatch_time=>0.013818}
merb : chef-server (api) : worker (port 4000) ~

Thanks again,
Mark

Try running both servers with debug logging to see if you get more info out of them. Perhaps your configuration file can only be read by root?

--
Dan DeLeo

Mark_Rechler · April 8, 2011, 2:59pm

You read my mind, after running the server and webui in dev mode as the chef
user, I found:
FATAL: Failed to access
/usr/lib/ruby/gems/1.8/gems/chef-server-api-0.9.14/log/merb.4000.pid,
permission denied.

Changing the ownership of all the chef related gem dirs fixed everything.

Thanks,
Mark

On Fri, Apr 8, 2011 at 10:48 AM, Daniel DeLeo dan@kallistec.com wrote:

On Thursday, April 7, 2011 at 2:14 PM, Mark Rechler wrote:

Hi Dan,

Appreciate the help. I have tried changing the permissions and even
ownership (chef:root) for the pem files (webui and validation) to be very
liberal (a+rw) which did not help. The following is the only thing that
really appears in the logs (no errors):

merb : chef-server-webui : worker (port 4040) ~

merb : chef-server-webui : worker (port 4040) ~ Started request handling:
Thu Apr 07 14:07:53 -0700 2011
merb : chef-server-webui : worker (port 4040) ~ Params: {"name"=>"admin",
"action"=>"login_exec", "controller"=>"users", "password"=>"[FILTERED]",
"form_submit"=>"login"}
merb : chef-server-webui : worker (port 4040) ~ {:dispatch_time=>0.034691,
:action_time=>0.033662, :after_filters_time=>2.9e-05,
:before_filters_time=>5.8e-05}
merb : chef-server-webui : worker (port 4040) ~

merb : chef-server (api) : worker (port 4000) ~

merb : chef-server (api) : worker (port 4000) ~ Started request handling:
Thu Apr 07 14:07:53 -0700 2011
merb : chef-server (api) : worker (port 4000) ~ Params: {"format"=>nil,
"action"=>"show", "id"=>"admin", "controller"=>"users"}
merb : chef-server (api) : worker (port 4000) ~ {:action_time=>0.013155,
:after_filters_time=>2.6e-05, :before_filters_time=>0.007762,
:dispatch_time=>0.013818}
merb : chef-server (api) : worker (port 4000) ~

Thanks again,
Mark

Try running both servers with debug logging to see if you get more info out
of them. Perhaps your configuration file can only be read by root?

--
Dan DeLeo

kallistec · April 8, 2011, 3:03pm

On Friday, April 8, 2011 at 7:59 AM, Mark Rechler wrote:
You read my mind, after running the server and webui in dev mode as the chef user, I found:

FATAL: Failed to access /usr/lib/ruby/gems/1.8/gems/chef-server-api-0.9.14/log/merb.4000.pid, permission denied.

Changing the ownership of all the chef related gem dirs fixed everything.

Thanks,
Mark

Wow, we shouldn't be sticking any pidfiles there by default. Can you file a bug for this? tickets.opscode.com

Thanks,

--
Dan DeLeo

On Fri, Apr 8, 2011 at 10:48 AM, Daniel DeLeo dan@kallistec.com wrote:

On Thursday, April 7, 2011 at 2:14 PM, Mark Rechler wrote:

Hi Dan,

Appreciate the help. I have tried changing the permissions and even ownership (chef:root) for the pem files (webui and validation) to be very liberal (a+rw) which did not help. The following is the only thing that really appears in the logs (no errors):

merb : chef-server-webui : worker (port 4040) ~

merb : chef-server-webui : worker (port 4040) ~ Started request handling: Thu Apr 07 14:07:53 -0700 2011
merb : chef-server-webui : worker (port 4040) ~ Params: {"name"=>"admin", "action"=>"login_exec", "controller"=>"users", "password"=>"[FILTERED]", "form_submit"=>"login"}
merb : chef-server-webui : worker (port 4040) ~ {:dispatch_time=>0.034691, :action_time=>0.033662, :after_filters_time=>2.9e-05, :before_filters_time=>5.8e-05}
merb : chef-server-webui : worker (port 4040) ~

merb : chef-server (api) : worker (port 4000) ~

merb : chef-server (api) : worker (port 4000) ~ Started request handling: Thu Apr 07 14:07:53 -0700 2011
merb : chef-server (api) : worker (port 4000) ~ Params: {"format"=>nil, "action"=>"show", "id"=>"admin", "controller"=>"users"}
merb : chef-server (api) : worker (port 4000) ~ {:action_time=>0.013155, :after_filters_time=>2.6e-05, :before_filters_time=>0.007762, :dispatch_time=>0.013818}
merb : chef-server (api) : worker (port 4000) ~

Thanks again,
Mark

Try running both servers with debug logging to see if you get more info out of them. Perhaps your configuration file can only be read by root?

--
Dan DeLeo

Mark_Rechler · April 8, 2011, 3:29pm

Hi Dan,

I have filed CHEF-2199. Appreciate the help.

Thanks,
Mark

On Fri, Apr 8, 2011 at 11:03 AM, Daniel DeLeo dan@kallistec.com wrote:

On Friday, April 8, 2011 at 7:59 AM, Mark Rechler wrote:

You read my mind, after running the server and webui in dev mode as the
chef user, I found:
FATAL: Failed to access
/usr/lib/ruby/gems/1.8/gems/chef-server-api-0.9.14/log/merb.4000.pid,
permission denied.

Changing the ownership of all the chef related gem dirs fixed everything.

Thanks,
Mark

Wow, we shouldn't be sticking any pidfiles there by default. Can you file a
bug for this? tickets.opscode.com

Thanks,

--
Dan DeLeo

On Fri, Apr 8, 2011 at 10:48 AM, Daniel DeLeo dan@kallistec.com wrote:

On Thursday, April 7, 2011 at 2:14 PM, Mark Rechler wrote:

Hi Dan,

Appreciate the help. I have tried changing the permissions and even
ownership (chef:root) for the pem files (webui and validation) to be very
liberal (a+rw) which did not help. The following is the only thing that
really appears in the logs (no errors):

merb : chef-server-webui : worker (port 4040) ~

merb : chef-server-webui : worker (port 4040) ~ Started request handling:
Thu Apr 07 14:07:53 -0700 2011
merb : chef-server-webui : worker (port 4040) ~ Params: {"name"=>"admin",
"action"=>"login_exec", "controller"=>"users", "password"=>"[FILTERED]",
"form_submit"=>"login"}
merb : chef-server-webui : worker (port 4040) ~ {:dispatch_time=>0.034691,
:action_time=>0.033662, :after_filters_time=>2.9e-05,
:before_filters_time=>5.8e-05}
merb : chef-server-webui : worker (port 4040) ~

merb : chef-server (api) : worker (port 4000) ~

merb : chef-server (api) : worker (port 4000) ~ Started request handling:
Thu Apr 07 14:07:53 -0700 2011
merb : chef-server (api) : worker (port 4000) ~ Params: {"format"=>nil,
"action"=>"show", "id"=>"admin", "controller"=>"users"}
merb : chef-server (api) : worker (port 4000) ~ {:action_time=>0.013155,
:after_filters_time=>2.6e-05, :before_filters_time=>0.007762,
:dispatch_time=>0.013818}
merb : chef-server (api) : worker (port 4000) ~

Thanks again,
Mark

Try running both servers with debug logging to see if you get more info out
of them. Perhaps your configuration file can only be read by root?

--
Dan DeLeo

Topic		Replies	Views
Chef WebUI doesn´t work Chef Infra (archive)	4	1184	November 12, 2013
Upgrade from 0.10.4 to 0.10.8 via Ubuntu packages prevents logins Chef Infra (archive)	2	273	February 23, 2012
Webui 500 error Chef Infra (archive)	5	1035	August 21, 2014
Chef Server bootstrap fails on CentOS 6.2 Chef Infra (archive)	6	333	March 6, 2012
Rack vulnerabilities in chef-server-webui in Chef Server 11 Chef Infra (archive)	10	348	February 12, 2013

Chef services user

Related topics