Copying Files as a Part of Chef Recipie

Greetings Pro’s

I am trying to install symantec AV for linux for that we need to update JCE policy first, for that we need to copy the files the home dir to target path when im trying tho do this step through chef it throws an error as the file couldnot be copied and i came to know the root cause because my chef -bootstrap doesnot run in root mode for that i tried to include sudo in recipe

command 'unzip -o /home/ec2-user/ -d /home/ec2-user/UnlimitedJCEPolicyJDK8’
command ’ sudo bash cp /home/ec2-user/UnlimitedJCEPolicyJDK8/UnlimitedJCEPolicyJDK8/local_policy.jar US_export_policy.jar /usr/java/latest/jre/lib/security -n’
owner :root

if i try adding sudo i get this error " STDERR: sudo: sorry, you must have a tty to run sudo"

i tried using Sudo knife command “sudo knife bootstrap 10.0.x.x.x -i /opt/chef-ws/.chef/atlinuxkey.pem -x ec2-user --run-list ‘recipe[symantec-linux]’ --sudo -N cheftest_2 -y” but still i get the same error cant we mv or cp files from home to root mode through chef?

Please help me…!


First of all, if you allow sudo bash, you have bigger problems. The idea of doing everything with sudo was introduced with Ubuntu which targeted home users. It is a major security vulnerability. Prefixing everything with “sudo” doesn’t magically create more security - in the contrary, it allows everybody to do operations that should be restricted to root. The technical term for it is privilege escalation.

</rant over>

Generally, chef is designed to run as root. You can run it as non-root user, but you will run into many issues like this. On top of that, any time you have to use “command” that is an indication that you are breaking chef. Sometimes that is unavoidable, but you should keep it to a minimum.

To answer your specific question:

First, change the command - you don’t have to invoke bash because cp is available as a binary:

command ’ sudo /bin/cp /home/ec2-user/UnlimitedJCEPolicyJDK8/UnlimitedJCEPolicyJDK8/local_policy.jar US_export_policy.jar /usr/java/latest/jre/lib/security -n’

Then edit your sudoers file to allow this, and only this, command, and only for the chef user (whoever runs the chef client). Let’s say that user is called “chefclient”

chefclient ALL=(ALL) NOPASSWD: /bin/cp /home/ec2-user/UnlimitedJCEPolicyJDK8/UnlimitedJCEPolicyJDK8/local_policy.jar US_export_policy.jar /usr/java/latest/jre/lib/security -n
Defaults: chefclient !requiretty

Hope that helps!

Kevin Keane
Whom the IT Pros Call
The NetTech
Our values: Privacy, Liberty, Justice