LWRP inside LWRP Execution Question

Hi Chef experts!

Quick question on LWRP execution. I am trying to create an LWRP that will allow me to execute Ruby code as a user other than root (for example, to install an RPM as myself while running Chef as root).

Currently, my LWRP forks a process, changes the runtime user / group and executes eval() on the command string passed in. This seems to work perfectly for any native Chef resource; however, it does not execute LWRPs. It looks like it loads up the resource for the LWRP and is almost like chef-client passes over the resource as if the idempotence check thinks the resource is already converged.

On a side note, it would be a great feature addition if the ruby_block resource in Chef took a “user” attribute to execute a ruby block as a different user.

Any help would be greatly appreciated!

Thanks,
Wes

================
./resources/ruby_block_run_as.rb

actions :create
default_action :create

attribute :block_name, :kind_of => String, :name_attribute => true
attribute :code, :kind_of => String, :required => true
attribute :user, :kind_of => String, :required => true

================
./providers/ruby_block_run_as.rb

require 'chef/mixin/shell_out'
include Chef::Mixin::ShellOut

def whyrun_supported?
  true
end

action :create do
  raise "ruby_block_run_as only supported on Linux!" if node["platform"] == "windows"

  converge_by("Create #{@new_resource}") do
    # Remember the current mode (read from /var/chef/cache/) so it can be restored afterwards
    p = shell_out("stat -c '%a' /var/chef/cache/")
    old_perms = Integer("0#{p.stdout}")
    # Fix perms on cache dir
    dir_resource = directory "/var/chef/cache/checksums" do
      mode 0777
    end
    dir_resource.run_action(:create)

    as_user(new_resource.user, new_resource.code)

    # Restore the saved mode
    dir_resource = directory "/var/chef/cache/checksums" do
      mode old_perms
    end
    dir_resource.run_action(:create)
  end
end

def proc_from
  Proc.new
end

def as_user(user, code)
  # Look up the target user's uid and gid in the passwd database
  p = shell_out("getent passwd #{user}")
  uid = Integer(p.stdout.split(":")[2])
  gid = Integer(p.stdout.split(":")[3])

  # Run the code in a child process so the chef-client process itself stays root
  fork_pid = fork do
    Process::GID.change_privilege(gid)
    Process::UID.change_privilege(uid)
    eval(code)

    exit
  end
  Process.wait(fork_pid)

  new_resource.updated_by_last_action(true)
end

================
./recipes/ruby_block_run_as_test.rb

mylwrp_ruby_block_run_as "test ruby block as another user" do
  user "myuser"
  code <<-EOH
    #### This resource (native) works fine with "myuser" owning the file
    resource = file "/mnt/root_squash_mount/testFile.2" do
      content("asdf")
    end
    resource.run_action(:create)

    #### This resource (lwrp) never executes
    resource2 = thanksgiving_common_copy "COPY" do
      srcDirName "/tmp/copy_src"
      destDirName "/tmp/copy_dest"
    end
    resource2.run_action(:copy)

  EOH
end

On Monday, November 18, 2013 at 12:22 PM, Wes Parish wrote:

> LWRP inside LWRP Execution Question
> Hi Chef experts!
>
> Quick question on LWRP execution. I am trying to create an LWRP that will allow me to execute Ruby code as a user other than root (for example, to install an RPM as myself while running Chef as root).
>
> Currently, my LWRP forks a process, changes the runtime user / group and executes eval() on the command string passed in. This seems to work perfectly for any native Chef resource; however, it does not execute LWRPs. It looks like it loads up the resource for the LWRP and is almost like chef-client passes over the resource as if the idempotence check thinks the resource is already converged.
>
> On a side note, it would be a great feature addition if the ruby_block resource in Chef took a "user" attribute to execute a ruby block as a different user.
>
> Any help would be greatly appreciated!
>
> Thanks,
> Wes

This happens because of how LWRPs were originally implemented — they would add any native chef resources you use inside an action block to the primary resource collection after themselves. This was done so that resources inside the LWRP could notify resources outside of the LWRP. After a lot of real world experience, this doesn’t seem to be the best design, so you can opt in to a different “inline_resources” mode in Chef 11, which will run LWRPs as a nested chef run.

There’s a little more explanation of the inline resources stuff in the docs: http://docs.opscode.com/lwrp_custom_provider.html

HTH,

--
Daniel DeLeo
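
A note on the fork-and-drop pattern used in the provider above, as an added example that is not code from either poster or from Chef. The helper name run_as_user is hypothetical. The sketch resolves the account with Etc instead of interpolating the name into a shell command, resets supplementary groups before changing gid and uid, and raises in the parent when the child fails instead of always reporting success.

```ruby
require 'etc'

# Added example: run_as_user is a hypothetical helper, not part of Chef.
# Runs the given block in a forked child that has dropped to `user`
# and returns the block's result (as a string) to the parent.
def run_as_user(user)
  pw = Etc.getpwnam(user) # no shell involved; ArgumentError if the user is unknown
  reader, writer = IO.pipe

  pid = fork do
    reader.close
    begin
      # As root, replace the inherited supplementary groups with the target
      # user's; changing uid/gid alone leaves root's group list in place.
      Process.initgroups(pw.name, pw.gid) if Process.euid == 0
      Process::GID.change_privilege(pw.gid) # group first, while still privileged
      Process::UID.change_privilege(pw.uid)
      unless Process.uid == pw.uid && Process.euid == pw.uid &&
             Process.gid == pw.gid && Process.egid == pw.gid
        raise "privilege drop did not take effect"
      end
      ENV['HOME'] = pw.dir
      ENV['USER'] = pw.name
      writer.write(yield.to_s)
      writer.close
      exit!(0) # leave without running at_exit handlers inherited from the parent
    rescue Exception => e
      warn "run_as_user(#{pw.name}): #{e.class}: #{e.message}"
      exit!(1)
    end
  end

  writer.close
  output = reader.read
  reader.close
  _, status = Process.wait2(pid)
  # Surface a failed child instead of reporting success unconditionally.
  raise "block failed as #{pw.name}: #{status.inspect}" unless status.success?
  output
end
```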