notifies :run, "script[set_empty_password_for_#{u[:id]}]"
Thanks a lot, Matt. That makes sense and works!
You see it commented out in the code (Users cookbook with enforcement to choose password upon first login · GitHub):
Before I had action :run and checked with
only_if { File.open("/etc/shadow", "rb").read().index(/^#{u[:id]}:!:/) != nil }
What do you consider "cleaner"? Checking only_if during every run of chef-client or this "hack"? In fact, the latter one also seems to require this hack, so I will go for your solution, thanks.
Steffen
On 27.12.2011, at 18:05, Matthew Moretti wrote:
I think I might see the problem. During the compile step, the "set_empty_password" script resource is, in fact, compiled once for each user. However, because it has the same name attribute each time, you end up over-writing the resource; hence the last user in the list wins.
You could fix this with something like
script "set_empty_password_for_#{u[:id]}" do
...
end
And putting
notifies :run, "script[set_empty_password_for_#{u[:id]}]"
in your user block.
My solution feels a little hacky, though, so perhaps there's a better way to achieve what you're looking for. I'm pretty new to this whole thing,
-Matt Moretti
On Tue, Dec 27, 2011 at 8:03 AM, Steffen Gebert st+opscode@st-g.de wrote:
Hi,
I have some trouble with "notifies".. hope it's easy to explain to a chef-starter
I've modified the "users" cookbook [1] to set an empty password (usermod -p "") and force a password change on next login (chage -d 0).
Therefore I've extended the cookbook inside the
search(:users, 'groups:sysadmin') do |u|
loop with the following block:
script "set_empty_password" do
  interpreter "bash"
  user "root"
  action :nothing
  code <<-EOH
    echo Running for #{u[:id]}
    # set empty password
    usermod -p "" #{u[:id]}
    # force password change on next login
    chage -d 0 #{u[:id]}
  EOH
end
To notify it upon user creation, I've added
notifies :run, "script[set_empty_password]", :immediately
to the following block:
user u['id'] do
  uid u['uid']
  gid u['gid']
  shell u['shell']
  comment u['comment']
  supports :manage_home => true
  home home_dir
  notifies :run, "script[set_empty_password]", :immediately
  notifies :create, "ruby_block[reset group list]", :immediately
end
My problem, however, is that in the bash script, #{u[:id]} is always the user name of the user returned as last from search (so for every user it always modifies the same one). set_empty_password is executed, but with wrong data..
I've uploaded the complete file here:
Users cookbook with enforcement to choose password upon first login · GitHub
Can you tell me the reason for this?
Thanks a lot for your help!
Steffen
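
Added example, not part of the thread and not Chef's own code: a simplified plain-Ruby model of the behaviour Matt describes, where resources are declared in a compile pass and a notification later looks its target up by "type[name]". ToyRunContext, the method names and the sample user ids are assumptions made for illustration; the model shows which account each notification would touch with a shared resource name versus a per-user name.

```ruby
# Simplified model of the two phases discussed in this thread (constructed for
# illustration; this is not Chef's code). Resources are declared at compile
# time and looked up by "type[name]" when a notification fires at converge time.
class ToyRunContext
  def initialize
    @resources = {}      # "script[name]" => command string
    @notifications = []  # [notifying user, target key], in declaration order
  end

  # Declaring a second resource under an existing key replaces the first one.
  def script(name, code)
    @resources["script[#{name}]"] = code
  end

  def user(id, notifies:)
    @notifications << [id, notifies]
  end

  # Converge: return the command each user's notification actually triggers.
  def converge
    @notifications.map { |id, key| [id, @resources.fetch(key)] }.to_h
  end
end

USERS = %w[alice bob carol].freeze # constructed sample data bag ids

# Recipe from the original post: every loop iteration reuses one resource name.
def shared_name_run
  ctx = ToyRunContext.new
  USERS.each do |id|
    ctx.script("set_empty_password", "chage -d 0 #{id}")
    ctx.user(id, notifies: "script[set_empty_password]")
  end
  ctx.converge
end

# Recipe with the fix from the reply: the user id is part of the resource name.
def unique_name_run
  ctx = ToyRunContext.new
  USERS.each do |id|
    ctx.script("set_empty_password_for_#{id}", "chage -d 0 #{id}")
    ctx.user(id, notifies: "script[set_empty_password_for_#{id}]")
  end
  ctx.converge
end

if __FILE__ == $PROGRAM_NAME
  puts "shared name: #{shared_name_run}"
  puts "unique name: #{unique_name_run}"
end
```

With the shared name, creating any of the three users triggers the command for the last user only, so the other new accounts never get the forced password change.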