Logging the output/result of an only_if command

Hi, Chefs –

I have a few files on which I do syntax checks after Chef has generated the
content, but before putting them into place. For example, my sudoers files
are dynamically generated, but rather than write directly to /etc/sudoers,
I first write to a temp location. Then, in the stanza that actually writes
to /etc/sudoers, I include 'only_if "/usr/sbin/visudo -c /tmp/sudoers"'

This works fine, and has saved me from a few issues. However, it doesn’t
really do anything useful in terms of telling me why the new file isn’t
being written to the correct place. In an ideal world, I’d like to be able
to log either the output of the only_if command, or just the fact that it
returned a non-zero error code and what that return code was. However, I’m
sort of at a loss when it comes to combining a system command and a
Chef::Log stanza, conditional on the output of that system command.

Does anyone have any thoughts on how to do this?

Thanks!

- Ian


Ian Marlier | Manager of Platform Operations
Brightcove, Inc.
290 Congress Street, 4th Floor, Boston, MA 02110
imarlier@brightcove.com

Perhaps wrap that logic up in a resource/provider, and use the improved exception handling code to do the right thing, in particular with the new document formatters in 10.14 and friends?

Adam

On Thursday, October 25, 2012 at 2:34 PM, Adam Jacob wrote:

On Oct 25, 2012, at 12:58 PM, Ian Marlier <imarlier@brightcove.com (mailto:imarlier@brightcove.com)> wrote:

Does anyone have any thoughts on how to do this?
You should be able to do it by chaining immediate notifications instead of using only_if, that is, template notifies execute[sanity-check] notifies ruby_block[move-to-final-location].

You could wrap this up into a LWRP pretty easily, but there's one tricky bit, which is figuring out how the user specifies a parameterized sanity check command. For example, you might write the proposed sudoers file to /var/chef/file_cache_path/sudoers.12345, so the user needs to give you something that you could convert into /usr/sbin/visudo -c /var/chef/file_cache_path/sudoers.12345. One way you could do this is with a ruby block:

validated_file('/etc/sudoers') do
  validation_command { |temp_file| "/usr/sbin/visudo -c #{temp_file}" }
  # permissions, etc.
end

I think it would be pretty cool to have this in core chef since this would allow us to run the check command in why run mode, too. If anyone's interested in writing a patch but needs help, start a conversation on the dev ML or in the #chef-hacking IRC channel.

--
Daniel DeLeo
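The validate-then-install chain Daniel describes (template notifies execute[sanity-check] notifies ruby_block[move-to-final-location]), together with the logging Ian asked for (the checker's exit code and its output), written here as an added example in plain Ruby rather than Chef's resource DSL so it runs without a chef-client. This is not code from the thread or from Chef itself. The names install_validated and token_validator, the return hash, and the sample sudoers content are assumptions for illustration; the visudo flags -c -f are visudo's own.

```ruby
require 'open3'
require 'tempfile'
require 'tmpdir'
require 'logger'
require 'rbconfig'

# Validator for the sudoers case: an argv array (no shell), so the temp path
# is never word-split or interpreted. `visudo -c -f FILE` exits non-zero on a
# syntax error and prints the reason, which is what we want in the log.
SUDOERS_VALIDATOR = ->(path) { ['/usr/sbin/visudo', '-c', '-f', path] }

# Stand-in validator so the demo runs on a box without sudo installed
# (assumption, not a real tool): the candidate passes if it contains `token`,
# otherwise the check exits 2, distinguishable from a crash of the checker.
def token_validator(token)
  ->(path) { [RbConfig.ruby, '-e', 'exit(File.read(ARGV[0]).include?(ARGV[1]) ? 0 : 2)', path, token] }
end

# Write `content` next to `dest`, run `validator.call(tmp_path)`, and rename
# the candidate into place only when the check exits 0. On failure, log the
# checker's exit status and every line it printed, leave `dest` untouched and
# remove the candidate. Returns a hash so the caller can see what happened.
def install_validated(dest, content, validator, logger: Logger.new($stderr), mode: 0o440)
  # Same directory as dest: rename(2) is then atomic, and the candidate never
  # sits in a world-writable /tmp under a predictable name. Tempfile.create
  # opens it 0600, so nothing else can read it before chmod.
  tmp = Tempfile.create("#{File.basename(dest)}.", File.dirname(dest))
  begin
    tmp.write(content)
    tmp.flush
    File.chmod(mode, tmp.path)          # the mode survives the rename
    argv = validator.call(tmp.path)
    output, status = Open3.capture2e(*argv)   # stdout and stderr merged
    unless status.success?
      logger.error("#{dest}: check failed, exit #{status.exitstatus}: #{argv.join(' ')}")
      output.each_line { |line| logger.error("#{dest}: #{line.chomp}") }
      return { installed: false, exit_status: status.exitstatus, output: output }
    end
    File.rename(tmp.path, dest)
    logger.info("#{dest}: check passed, installed")
    { installed: true, exit_status: 0, output: output }
  ensure
    File.unlink(tmp.path) if File.exist?(tmp.path)   # only a rejected candidate is left behind
    tmp.close
  end
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    dest = File.join(dir, 'sudoers')
    # Constructed sample content; a real run would pass SUDOERS_VALIDATOR and /etc/sudoers.
    install_validated(dest, "root ALL=(ALL) ALL\n", token_validator('ALL'))
    install_validated(dest, "# empty candidate\n", token_validator('ALL'))   # rejected and logged
  end
end
```

Inside a Chef ruby_block the Logger calls would become Chef::Log.error / Chef::Log.info, and the validator for the real case is SUDOERS_VALIDATOR. Two properties are worth keeping whatever form this takes: a checker that cannot be executed raises (Errno::ENOENT from Open3) instead of silently letting the candidate through, and the candidate is written beside the destination rather than at a fixed name under /tmp, so another local user cannot pre-create or swap the file between the check and the rename.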