Strange template behavior?


#1

Hi all,

I’m relatively new to chef, so I hope I’m not asking a silly question, but
I can’t seem to find any information relating to my problem anywhere else.

I’ve bootstrapped some Centos 6 nodes sucessfully, both using the rbel
yum/rpm method which yields a chef-client of version 10.6 and
(alternatively) using gems which yields a chef-client of version 10.14.4.

The nodes communicate just fine with my chef-server (10.8 running on Ubuntu
11.10), but I’m seeing some behavior I can’t explain when I use templates.

I have a custom recipe that, for example, replaces /etc/sshd_config with a
template in order to change the location of the authorized_keys file. The
recipe also creates the authorized_keys file (at /etc/ssh/publicSSHkeys)
and ensures it’s there. Permissions on the files are correct, and set in
the recipe. The files are created successfully by the recipe.

However, when I restart the sshd service (either from the recipe, or from
the command line on the server itself) I get an error. Specifically,
“Starting sshd: /etc/ssh/sshd_config: Permission denied [FAILED]”. At first
I thought this may be related to the permissions on the file itself, but
those are set properly, to 600 just like the file that was created by yum
when the openssh-server package was initially installed.

It seems, for some reason, that existing files which are overwritten by
chef templates in recipes can’t then be found by the system.

The same sort of problem occurs when I use a chef recipe to install nrpe
and overwrite /etc/nrpe.cfg with a template.

The oddest part is that the exact same recipe works properly in Ubuntu
11.10/12.04, templates overwrite the conf files on the node, and the
services (sshd, nrpe) start fine.

I’ve been racking my brain about this for some time now, and
google/documentation/knowledge base haven’t provided an answer, but I must
be missing something.

Anyone have any ideas?

Charles J. Burns
charlesburns@gmail.com


#2

On Wednesday, October 10, 2012 at 10:01 AM, Charles Burns wrote:

Hi all,

I’m relatively new to chef, so I hope I’m not asking a silly question, but I can’t seem to find any information relating to my problem anywhere else.

I’ve bootstrapped some Centos 6 nodes sucessfully, both using the rbel yum/rpm method which yields a chef-client of version 10.6 and (alternatively) using gems which yields a chef-client of version 10.14.4.

The nodes communicate just fine with my chef-server (10.8 running on Ubuntu 11.10), but I’m seeing some behavior I can’t explain when I use templates.

I have a custom recipe that, for example, replaces /etc/sshd_config with a template in order to change the location of the authorized_keys file. The recipe also creates the authorized_keys file (at /etc/ssh/publicSSHkeys) and ensures it’s there. Permissions on the files are correct, and set in the recipe. The files are created successfully by the recipe.

However, when I restart the sshd service (either from the recipe, or from the command line on the server itself) I get an error. Specifically, “Starting sshd: /etc/ssh/sshd_config: Permission denied [FAILED]”. At first I thought this may be related to the permissions on the file itself, but those are set properly, to 600 just like the file that was created by yum when the openssh-server package was initially installed.

It seems, for some reason, that existing files which are overwritten by chef templates in recipes can’t then be found by the system.

The same sort of problem occurs when I use a chef recipe to install nrpe and overwrite /etc/nrpe.cfg with a template.

The oddest part is that the exact same recipe works properly in Ubuntu 11.10/12.04, templates overwrite the conf files on the node, and the services (sshd, nrpe) start fine.

I’ve been racking my brain about this for some time now, and google/documentation/knowledge base haven’t provided an answer, but I must be missing something.

Anyone have any ideas?

Charles J. Burns
charlesburns@gmail.com (mailto:charlesburns@gmail.com)
SELinux


Daniel DeLeo


#3

Daniel,

Wow, I thought I had disabled SElinux, but it appears I had not. Thank you
so much, things are making a lot more sense now!

Charles.

On Wed, Oct 10, 2012 at 1:02 PM, Daniel DeLeo dan@kallistec.com wrote:

On Wednesday, October 10, 2012 at 10:01 AM, Charles Burns wrote:

Hi all,

I’m relatively new to chef, so I hope I’m not asking a silly question, but
I can’t seem to find any information relating to my problem anywhere else.

I’ve bootstrapped some Centos 6 nodes sucessfully, both using the rbel
yum/rpm method which yields a chef-client of version 10.6 and
(alternatively) using gems which yields a chef-client of version 10.14.4.

The nodes communicate just fine with my chef-server (10.8 running on
Ubuntu 11.10), but I’m seeing some behavior I can’t explain when I use
templates.

I have a custom recipe that, for example, replaces /etc/sshd_config with a
template in order to change the location of the authorized_keys file. The
recipe also creates the authorized_keys file (at /etc/ssh/publicSSHkeys)
and ensures it’s there. Permissions on the files are correct, and set in
the recipe. The files are created successfully by the recipe.

However, when I restart the sshd service (either from the recipe, or from
the command line on the server itself) I get an error. Specifically,
“Starting sshd: /etc/ssh/sshd_config: Permission denied [FAILED]”. At first
I thought this may be related to the permissions on the file itself, but
those are set properly, to 600 just like the file that was created by yum
when the openssh-server package was initially installed.

It seems, for some reason, that existing files which are overwritten by
chef templates in recipes can’t then be found by the system.

The same sort of problem occurs when I use a chef recipe to install nrpe
and overwrite /etc/nrpe.cfg with a template.

The oddest part is that the exact same recipe works properly in Ubuntu
11.10/12.04, templates overwrite the conf files on the node, and the
services (sshd, nrpe) start fine.

I’ve been racking my brain about this for some time now, and
google/documentation/knowledge base haven’t provided an answer, but I must
be missing something.

Anyone have any ideas?

Charles J. Burns
charlesburns@gmail.com

SELinux


Daniel DeLeo

Charles J. Burns
charlesburns@gmail.com


#4

I’m just gonna throw this out there:
http://community.opscode.com/cookbooks/annoyances

Thanks,
Matt Ray
Senior Technical Evangelist | Opscode Inc.
matt@opscode.com | (512) 731-2218
Twitter, IRC, GitHub: mattray


From: Charles Burns [charlesburns@gmail.com]
Sent: Wednesday, October 10, 2012 12:10 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Re: Strange template behavior?

Daniel,

Wow, I thought I had disabled SElinux, but it appears I had not. Thank you so much, things are making a lot more sense now!

Charles.

On Wed, Oct 10, 2012 at 1:02 PM, Daniel DeLeo <dan@kallistec.commailto:dan@kallistec.com> wrote:

On Wednesday, October 10, 2012 at 10:01 AM, Charles Burns wrote:

Hi all,

I’m relatively new to chef, so I hope I’m not asking a silly question, but I can’t seem to find any information relating to my problem anywhere else.

I’ve bootstrapped some Centos 6 nodes sucessfully, both using the rbel yum/rpm method which yields a chef-client of version 10.6 and (alternatively) using gems which yields a chef-client of version 10.14.4.

The nodes communicate just fine with my chef-server (10.8 running on Ubuntu 11.10), but I’m seeing some behavior I can’t explain when I use templates.

I have a custom recipe that, for example, replaces /etc/sshd_config with a template in order to change the location of the authorized_keys file. The recipe also creates the authorized_keys file (at /etc/ssh/publicSSHkeys) and ensures it’s there. Permissions on the files are correct, and set in the recipe. The files are created successfully by the recipe.

However, when I restart the sshd service (either from the recipe, or from the command line on the server itself) I get an error. Specifically, “Starting sshd: /etc/ssh/sshd_config: Permission denied [FAILED]”. At first I thought this may be related to the permissions on the file itself, but those are set properly, to 600 just like the file that was created by yum when the openssh-server package was initially installed.

It seems, for some reason, that existing files which are overwritten by chef templates in recipes can’t then be found by the system.

The same sort of problem occurs when I use a chef recipe to install nrpe and overwrite /etc/nrpe.cfg with a template.

The oddest part is that the exact same recipe works properly in Ubuntu 11.10/12.04, templates overwrite the conf files on the node, and the services (sshd, nrpe) start fine.

I’ve been racking my brain about this for some time now, and google/documentation/knowledge base haven’t provided an answer, but I must be missing something.

Anyone have any ideas?

Charles J. Burns
charlesburns@gmail.commailto:charlesburns@gmail.com
SELinux


Daniel DeLeo

Charles J. Burns
charlesburns@gmail.commailto:charlesburns@gmail.com