Permissions are not being set right


#1

Hello chefs once more,

I am writing a cookbook[1] and I see the permissions are not being properly set for some
weird reason (please refer to the #7-client-recipe branch). Here is a kitchen converge.

$ kitchen converge client
kitchen-----> Starting Kitchen (v1.1.1)
-----> Converging …
Preparing files for transfer
Resolving cookbook dependencies with Berkshelf…
Removing non-cookbook files before transfer
Preparing data bags
Transfering files to
[2014-01-22T17:38:04+00:00] INFO: Starting chef-zero on port 8889 with repository at repository at /tmp/kitchen
One version per cookbook

[2014-01-22T17:38:04+00:00] INFO: Forking chef instance to converge…
Starting Chef Client, version 11.8.2
[2014-01-22T17:38:04+00:00] INFO: *** Chef 11.8.2 ***
[2014-01-22T17:38:04+00:00] INFO: Chef-client pid: 3357
[2014-01-22T17:38:04+00:00] INFO: Setting the run_list to [“recipe[postgresql::server]”, “recipe[pgbarman::client]”] from JSON
[2014-01-22T17:38:04+00:00] INFO: Run List is [recipe[postgresql::server], recipe[pgbarman::client]]
[2014-01-22T17:38:04+00:00] INFO: Run List expands to [postgresql::server, pgbarman::client]
[2014-01-22T17:38:04+00:00] INFO: Starting Chef Run for client-centos-64
[2014-01-22T17:38:04+00:00] INFO: Running start handlers
[2014-01-22T17:38:04+00:00] INFO: Start handlers complete.
[2014-01-22T17:38:04+00:00] INFO: HTTP Request Returned 404 Not Found: Object not found: /reports/nodes/client-centos-64/runs
resolving cookbooks for run list: [“postgresql::server”, “pgbarman::client”]
[2014-01-22T17:38:05+00:00] INFO: Loading cookbooks [apt, build-essential, openssl, pgbarman, postgresql, python, rsync, yum]
Synchronizing Cookbooks:

  • postgresql
    [2014-01-22T17:38:05+00:00] INFO: Storing updated cookbooks/pgbarman/recipes/client.rb in the cache.
  • pgbarman
  • apt
  • build-essential
  • openssl
  • python
  • rsync
  • yum
    Compiling Cookbooks…
    Converging 15 resources
    Recipe: postgresql::client
  • package[postgresql-devel] action install[2014-01-22T17:38:05+00:00] INFO: Processing package[postgresql-devel] action install (postgresql::client line 36)
    (up to date)
    Recipe: postgresql::server_redhat
  • group[postgres] action create[2014-01-22T17:38:06+00:00] INFO: Processing group[postgres] action create (postgresql::server_redhat line 27)
    (up to date)
  • user[postgres] action create[2014-01-22T17:38:06+00:00] INFO: Processing user[postgres] action create (postgresql::server_redhat line 31)
    (up to date)
  • directory[/var/lib/pgsql/data] action create[2014-01-22T17:38:06+00:00] INFO: Processing directory[/var/lib/pgsql/data] action create (postgresql::server_redhat line 41)
    (up to date)
  • package[postgresql-server] action install[2014-01-22T17:38:06+00:00] INFO: Processing package[postgresql-server] action install (postgresql::server_redhat line 50)
    (up to date)
  • template[/etc/sysconfig/pgsql/postgresql] action create[2014-01-22T17:38:06+00:00] INFO: Processing template[/etc/sysconfig/pgsql/postgresql] action create (postgresql::server_redhat line 54)
    (up to date)
  • execute[/sbin/service postgresql initdb ] action run[2014-01-22T17:38:06+00:00] INFO: Processing execute[/sbin/service postgresql initdb ] action run (postgresql::server_redhat line 62)
    (skipped due to not_if)
  • service[postgresql] action enable[2014-01-22T17:38:06+00:00] INFO: Processing service[postgresql] action enable (postgresql::server_redhat line 68)
    (up to date)
  • service[postgresql] action start[2014-01-22T17:38:07+00:00] INFO: Processing service[postgresql] action start (postgresql::server_redhat line 68)
    (up to date)
    Recipe: postgresql::server
  • template[/var/lib/pgsql/data/postgresql.conf] action create[2014-01-22T17:38:07+00:00] INFO: Processing template[/var/lib/pgsql/data/postgresql.conf] action create (postgresql::server line 62)
    (up to date)
  • template[/var/lib/pgsql/data/pg_hba.conf] action create[2014-01-22T17:38:07+00:00] INFO: Processing template[/var/lib/pgsql/data/pg_hba.conf] action create (postgresql::server line 70)
    (up to date)
  • bash[assign-postgres-password] action run[2014-01-22T17:38:07+00:00] INFO: Processing bash[assign-postgres-password] action run (postgresql::server line 86)
    ALTER ROLE
    [2014-01-22T17:38:07+00:00] INFO: bash[assign-postgres-password] ran successfully
  • execute “bash” “/tmp/chef-script20140122-3357-vfelon”

Recipe: pgbarman::client

  • user[barman] action create[2014-01-22T17:38:07+00:00] INFO: Processing user[barman] action create (pgbarman::client line 8)
    (up to date)
  • directory[/home/barman/.ssh] action create[2014-01-22T17:38:07+00:00] INFO: Processing directory[/home/barman/.ssh] action create (pgbarman::client line 15)
    [2014-01-22T17:38:07+00:00] INFO: directory[/home/barman/.ssh] mode changed to 640
  • change mode from ‘0600’ to ‘0640’

  • restore selinux security context

  • file[/home/barman/.ssh/id_rsa] action create[2014-01-22T17:38:07+00:00] INFO: Processing file[/home/barman/.ssh/id_rsa] action create (pgbarman::client line 21)
    [2014-01-22T17:38:07+00:00] INFO: file[/home/barman/.ssh/id_rsa] mode changed to 640
  • change mode from ‘0600’ to ‘0640’

  • restore selinux security context

  • file[/home/barman/.ssh/authozized_keys] action create[2014-01-22T17:38:07+00:00] INFO: Processing file[/home/barman/.ssh/authozized_keys] action create (pgbarman::client line 28)
    [2014-01-22T17:38:07+00:00] INFO: file[/home/barman/.ssh/authozized_keys] mode changed to 640
  • change mode from ‘0600’ to ‘0640’

  • restore selinux security context

[2014-01-22T17:38:07+00:00] INFO: Chef Run complete in 2.940750803 seconds
[2014-01-22T17:38:07+00:00] INFO: Running report handlers
[2014-01-22T17:38:07+00:00] INFO: Report handlers complete
Chef Client finished, 4 resources updated
Finished converging (0m10.74s).

It all seems fine but:

$ kitchen login client
Last login: Wed Jan 22 17:38:03 2014 from 10.0.2.2
[vagrant@client-centos-64 ~]$ sudo -s
[root@client-centos-64 vagrant]# su - barman
[barman@client-centos-64 ~]$ ls
[barman@client-centos-64 ~]$ ls -als
total 28
4 drwx------. 3 barman barman 4096 Jan 22 17:37 .
4 drwxr-xr-x. 4 root root 4096 Jan 22 17:36 ..
4 -rw-------. 1 barman barman 97 Jan 22 17:37 .bash_history
4 -rw-r--r--. 1 barman barman 18 Feb 21 2013 .bash_logout
4 -rw-r--r--. 1 barman barman 176 Feb 21 2013 .bash_profile
4 -rw-r--r--. 1 barman barman 124 Feb 21 2013 .bashrc
4 drw-r-----. 2 barman barman 4096 Jan 22 17:36 .ssh
[barman@client-centos-64 ~]$ cd .ssh/
-bash: cd: .ssh/: Permission denied

What gives to this? If I had a bash block with chown -R barman:barman .ssh I can access the directory.

Is it the directory block? Am I doing something wrong?

[1] https://github.com/geoforce/cookbook-pgbarman/tree/%237-client-recipe


Regards,
Alfredo Palhares


#2

On Wednesday, January 22, 2014 at 9:54 AM, Alfredo Palhares wrote:

Hello chefs once more,

I am writing a cookbook[1] and I see the permissions are not being properly set for some
weird reason (please refer to the #7-client-recipe branch). Here is a kitchen converge.

$ kitchen converge client

snip…

  • directory[/home/barman/.ssh] action create[2014-01-22T17:38:07+00:00] INFO: Processing directory[/home/barman/.ssh] action create (pgbarman::client line 15)
    [2014-01-22T17:38:07+00:00] INFO: directory[/home/barman/.ssh] mode changed to 640
  • change mode from ‘0600’ to ‘0640’

  • restore selinux security context
snip…

It all seems fine but:

$ kitchen login client
Last login: Wed Jan 22 17:38:03 2014 from 10.0.2.2
[vagrant@client-centos-64 ~]$ sudo -s
[root@client-centos-64 vagrant]# su - barman
[barman@client-centos-64 ~]$ ls
[barman@client-centos-64 ~]$ ls -als
total 28
4 drwx------. 3 barman barman 4096 Jan 22 17:37 .
4 drwxr-xr-x. 4 root root 4096 Jan 22 17:36 ..
4 -rw-------. 1 barman barman 97 Jan 22 17:37 .bash_history
4 -rw-r--r--. 1 barman barman 18 Feb 21 2013 .bash_logout
4 -rw-r--r--. 1 barman barman 176 Feb 21 2013 .bash_profile
4 -rw-r--r--. 1 barman barman 124 Feb 21 2013 .bashrc
4 drw-r-----. 2 barman barman 4096 Jan 22 17:36 .ssh
[barman@client-centos-64 ~]$ cd .ssh/
-bash: cd: .ssh/: Permission denied

What gives to this? If I had a bash block with chown -R barman:barman .ssh I can access the directory.

Is it the directory block? Am I doing something wrong?

[1] https://github.com/geoforce/cookbook-pgbarman/tree/%237-client-recipe


Regards,
Alfredo Palhares

Don’t you want mode 7XX for a directory? If it’s not that, then it could be selinux configuration, you could see if disabling selinux changes anything.


Daniel DeLeo


#3

Alfredo Palhares masterkorp@masterkorp.net writes:

Hello chefs once more,

I am writing a cookbook[1] and I see the permissions are not being properly set for some
weird reason (please refer to the #7-client-recipe branch). Here is a kitchen converge.

$ kitchen converge client

It all seems fine but:

$ kitchen login client
Last login: Wed Jan 22 17:38:03 2014 from 10.0.2.2
[vagrant@client-centos-64 ~]$ sudo -s
[root@client-centos-64 vagrant]# su - barman
[barman@client-centos-64 ~]$ ls
[barman@client-centos-64 ~]$ ls -als
total 28
4 drwx------. 3 barman barman 4096 Jan 22 17:37 .
4 drwxr-xr-x. 4 root root 4096 Jan 22 17:36 ..
4 -rw-------. 1 barman barman 97 Jan 22 17:37 .bash_history
4 -rw-r--r--. 1 barman barman 18 Feb 21 2013 .bash_logout
4 -rw-r--r--. 1 barman barman 176 Feb 21 2013 .bash_profile
4 -rw-r--r--. 1 barman barman 124 Feb 21 2013 .bashrc
4 drw-r-----. 2 barman barman 4096 Jan 22 17:36 .ssh
[barman@client-centos-64 ~]$ cd .ssh/
-bash: cd: .ssh/: Permission denied

What gives to this? If I had a bash block with chown -R barman:barman .ssh I can access the directory.

Is it the directory block? Am I doing something wrong?

Directories need execute permission, in the output it looks like you’re
not setting that:

  • directory[/home/barman/.ssh] action create[2014-01-22T17:38:07+00:00] INFO: Processing directory[/home/barman/.ssh] action create
    (pgbarman::client line 15)
    [2014-01-22T17:38:07+00:00] INFO: directory[/home/barman/.ssh] mode changed to 640
  • change mode from ‘0600’ to ‘0640’

should be 0700 on that directory.

Also, the linked to recipe on github doesn’t use the directory resource,
so I’m guessing you have local changes that aren’t pushed yet. A
gist of the current recipe that’s failing would help.

[1] https://github.com/geoforce/cookbook-pgbarman/tree/%237-client-recipe


Regards,
Alfredo Palhares


-sean
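
An added example, not code from the thread or from the pgbarman cookbook: a Ruby audit for the failure diagnosed in the replies, where mode 0640 on `.ssh` leaves the owner without the execute (search) bit. The helper names, the temporary sample tree and the expected 0600 file mode are assumptions made for this example; the 0700 directory mode is the one suggested in the thread.

```ruby
require 'tmpdir'

# Findings for an .ssh directory (assumed policy: 0700 directory, no group/other bits on files).
def audit_ssh_dir(path)
  findings = []
  mode = File.stat(path).mode & 0o7777
  findings << format('%s: %04o lacks owner execute (search) bit', path, mode) if (mode & 0o100).zero?
  findings << format('%s: %04o grants group/other access', path, mode) unless (mode & 0o077).zero?
  begin
    Dir.children(path).sort.each do |name|
      fmode = File.stat(File.join(path, name)).mode & 0o7777
      findings << format('%s: %04o grants group/other access', name, fmode) unless (fmode & 0o077).zero?
    end
  rescue Errno::EACCES # non-root owner: without the search bit, entries cannot be stat'ed
    findings << "#{path}: entries cannot be inspected by the current user"
  end
  findings
end

# Constructed sample tree reproducing the modes from the converge log (0640 everywhere).
def build_sample(root)
  ssh = File.join(root, '.ssh')
  Dir.mkdir(ssh, 0o700)
  %w[id_rsa authorized_keys].each do |name|
    file = File.join(ssh, name)
    File.write(file, "constructed placeholder\n")
    File.chmod(0o640, file)
  end
  File.chmod(0o640, ssh) # applied last so a non-root owner can still create the files
  ssh
end

# Apply the modes the audit expects: directory first, then its entries.
def repair(ssh)
  File.chmod(0o700, ssh)
  Dir.children(ssh).each { |name| File.chmod(0o600, File.join(ssh, name)) }
end

# Audit the sample before and after the repair; returns [before, after].
def demo
  Dir.mktmpdir do |root|
    ssh = build_sample(root)
    before = audit_ssh_dir(ssh)
    repair(ssh)
    [before, audit_ssh_dir(ssh)]
  end
end

before, after = demo
puts before, "after repair: #{after.length} findings"
```

Run as root the audit also lists the 0640 files inside the directory; run as an unprivileged owner it reports that the entries cannot be inspected, which is the same condition behind the `cd` failure in the original post.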