Run entire chef recipe as 'ubuntu' user, not 'root' user

Hi guys,

I’m new to chef and am trying to set up my AWS OpsWorks instances using a pretty simple chef script.

I need all of these commands to be run as ‘ubuntu’ user from the ‘/home/ubuntu’ directory, but I haven’t found a way to do this successfully.

I’ve tried pretty much every solution I can find to no avail, including…

It seems like this should be something easily solved in the metadata.rb file, right? This is best practice for all server management and AWS doesn’t even allow root ssh access by default so I think this needs to be better clarified in the documentation, unless I’ve just missed something obvious.

Thanks for any help!

~ Kyle

So you can run bash/execute/etc resources as another user, typically needing to set the user and environment variables. That said, Chef is designed to configure servers and most of those operations will require root-level access to perform, so that’s not exactly a traditional use case to run an entire recipe as another user.

Nathan Clemons

DevOps Engineer

Moxie Cloud Services (MCS)

O +1.425.467.5075

M +1.360.861.6291

E nclemons@gomoxie.com

W www.gomoxie.com

Can I ask what you’re actually trying to achieve in more detail? Like why do you need it to run as the ubuntu user? Chef expects to run as root and while it is possible to run certain pieces of a recipe as another user if you want or need to, you probably won’t be able to run an entire Chef run as a non-root user, even a privileged non-root user.

You should be able to achieve this by leaving out owner/user/group on all of your resources, and running chef-client as the ubuntu user.

Quick test:

$ whoami
centos
$ echo "directory '/tmp/directory'" > dir.rb
$ chef-apply dir.rb
Recipe: (chef-apply cookbook)::(chef-apply recipe)
  * directory[/tmp/directory] action create
    - create new directory /tmp/directory
$ ls -ld /tmp/directory
drwxrwxr-x 2 centos centos 6 Apr  4 04:07 /tmp/directory

I’d prefer to install and run my node.js and nginx servers as a non-root & non-sudo user…

How/why does npm recommend not running as root?

I’ve managed to get the result I need using a bunch of these commands…

execute 'start nginx' do
  cwd '/home/ubuntu'
  user 'ubuntu'
  action :run
  environment('HOME' => '/home/ubuntu', 'USER' => 'ubuntu')
  command 'service nginx restart'
end

but I’m repeating myself quite a bit and figured there’s a better way out there.
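An added example, not part of any post in this thread: a small plain-Ruby check that lists `execute`/`bash`/`script` resources in a recipe that set no `user` (so they run as whatever user chef-client runs as) or that set `user` without `HOME` in `environment`. The `Recorder` class, `audit_recipe` and the sample recipe are constructed for illustration and do not use Chef's own APIs.

```ruby
# Added example: a tiny recorder for Chef-style "type 'name' do ... end" blocks (not Chef).
COMMAND_RESOURCES = %i[execute bash script].freeze

class Recorder < BasicObject
  def initialize
    @calls = []
  end
  def __calls
    @calls
  end
  # Every unknown call (resource or property) is recorded, never executed.
  def method_missing(name, *args, &block)
    inner = ::Recorder.new
    inner.instance_eval(&block) if block
    @calls << [name, args.first, inner.__calls]
  end
end

# Returns [resource, issue] pairs: :no_user (runs as the chef-client user) or
# :no_home_env (user set, HOME not). The text is evaluated as Ruby: trusted recipes only.
def audit_recipe(source)
  recorder = Recorder.new
  recorder.instance_eval(source)
  recorder.__calls.filter_map do |type, name, prop_calls|
    next unless COMMAND_RESOURCES.include?(type)
    props = prop_calls.to_h { |prop, value, _| [prop, value] }
    issue = :no_user if props[:user].nil?
    issue ||= :no_home_env unless (props[:environment] || {}).key?('HOME')
    ["#{type}[#{name}]", issue] if issue
  end
end

# Constructed sample recipe (hypothetical resource names and paths).
SAMPLE_RECIPE = <<~'RECIPE'
  execute 'start nginx' do
    user 'ubuntu'
    environment('HOME' => '/home/ubuntu', 'USER' => 'ubuntu')
    command 'service nginx restart'
  end
  execute 'npm install' do
    command 'npm install'
  end
  bash 'build assets' do
    user 'ubuntu'
    code 'npm run build'
  end
RECIPE

audit_recipe(SAMPLE_RECIPE).each { |res, issue| puts "#{res}: #{issue}" }
```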

Thanks for the help @ameir,

Right now I’m just using AWS OpsWorks to configure the servers so it’s running chef-client for me. (Sorry I’m a noob at chef and am not fully clear on the different moving parts)

Is there a way to do the same thing with my current set-up? I’ve gotten around my problem using the code in my last comment, but would love a cleaner way to run the entire recipe as a different user.

That’s fine up until you want to run nginx on port 80, at which point you need to be root.

Nathan Clemons

application_javascript covers running a Node app as a non-root user. You can set the user at the app owner or service user level (you probably want the latter since apps shouldn’t generally have write access to their own code).