jtimberman's Code Blog

Chef, Ops, Ruby, Linux/Unix. Opinions are mine, not my employer's (CHEF).

Quick Tip: Policyfile Run Lists

As I indicated on Twitter earlier tonight, I’m working with the new Policyfile feature of ChefDK. While converting my personal systems’ repository to use Policyfile instead of roles, I found myself writing this Policyfile:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
name 'home_server'
default_source :community
run_list(
         'build-essential',
         'packages',
         'users',
         'sudo',
         'runit',
         'ntp',
         'openssh',
         'postfix'
        )

cookbook 'build-essential'
cookbook 'packages', git: 'https://github.com/mattray/packages-cookbook', branch: 'multipackage'
cookbook 'users', path: '../housepub-chef-repo/cookbooks/users'
cookbook 'sudo'
cookbook 'runit'
cookbook 'ntp'
cookbook 'openssh'
cookbook 'postfix'

No big deal, but I found the repetition… redundant. Several of these cookbooks are fine floating on the latest version from Supermarket – everything but packages and users. So I thought, “wouldn’t it be great if entries in the run list were automatically added as dependencies?”

Then, I added chef-client-runit to the run list, but I didn’t add it as a cookbook entry, performed the chef update, and reran my chef provision command, and wound up with chef-client-runit being converged.

To illustrate this with a really simple example, I confirmed with zsh:

% cd ~/Development/sandbox/test
% chef generate policyfile

Then edit the Policyfile.rb:

1
2
3
name "example_application"
default_source :community
run_list "zsh"

Note that there is no cookbook line here.

% chef install
Building policy example_application
Expanded run list: recipe[zsh]
Caching Cookbooks...
Using      zsh 1.0.1

Lockfile written to /Users/jtimberman/Development/sandbox/test/Policyfile.lock.json

And if we examine the Policyfile.lock.json, we see:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
{
  "revision_id": "e8b5b48d35f4a8efcd037ef6c9cc8e34f901561ffef160bd0a57ca1b612a1179",
  "name": "example_application",
  "run_list": [
    "recipe[zsh::default]"
  ],
  "cookbook_locks": {
    "zsh": {
      "version": "1.0.1",
      "identifier": "b512ef33af29b8d34ad7e4e9b6ad38d42dea4945",
      "dotted_decimal_identifier": "50967789358229944.59473511204894381.62483954551109",
      "cache_key": "zsh-1.0.1-supermarket.chef.io",
      "origin": "https://supermarket.chef.io/api/v1/cookbooks/zsh/versions/1.0.1/download",
      "source_options": {
        "artifactserver": "https://supermarket.chef.io/api/v1/cookbooks/zsh/versions/1.0.1/download",
        "version": "1.0.1"
      }
    }
  } <SNIP>

Yay! Shoutout to Dan DeLeo for preemptively implementing features I didn’t even know I wanted yet :–).

Quick Tip: ChefDK Provision

Earlier today, ChefDK 0.6.0 was released. In this post, I will illustrate a fairly simple walkthrough using Amazon EC2, based on information in the document. This example will include Policyfile use, too. Let’s get started.

First, install ChefDK 0.6.0. You can get it from the Chef Downloads page.

Next, setup AWS credentials. Ensure that they are exported to the current shell environment.

AWS_ACCESS_KEY_ID=secrets
AWS_SECRET_ACCESS_KEY=secrets
AWS_DEFAULT_REGION=us-east-1
AWS_SSH_KEY=your_ssh_key_name
AWS_ACCESS_KEY=secrets
AWS_SECRET_KEY=secrets

I’m going to use Hosted Chef as my Chef Server. I already have my user API key and configuration in ~/.chef, and I’m going to rely on the automatic configuration detection in the chef command for that.

Generate a new repository using the chef generate command. Further commands run from this directory.

chef generate repo chefdk-provision-demo
cd chefdk-provision-demo

Generate a provision cookbook. This is the required name, and it must be in the current directory.

chef generate cookbook provision

Edit the default recipe, $EDITOR provision/recipes/default.rb.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
context = ChefDK::ProvisioningData.context
with_driver 'aws::us-west-2'
options = {
  ssh_username: 'admin',
  use_private_ip_for_ssh: false,
  bootstrap_options: {
    key_name: 'jtimberman',
    image_id: 'ami-0d5b6c3d',
    instance_type: 'm3.medium',
  },
  convergence_options: context.convergence_options,
}
machine context.node_name do
  machine_options options
  action context.action
  converge true
end

To break this down, first we get the ChefDK provisioning context that will pass in options to chef-provisioning. Then we tell chef-provisioning to use the AWS driver, and in the us-west-2 region. The options hash is used to setup the instance. We’re using Debian 8, which uses the admin user to log in, an SSH key that exists in the AWS region, the actual AMI, and finally the instance type. Then, we’re going to set the convergence options automatically from ChefDK. This is the important part that will ensure the node has the right run list.

Generate a Policyfile.rb.

chef generate policyfile

And edit its content, $EDITOR Policyfile.rb.

1
2
3
4
name            "chefdk-provision-demo"
default_source  :community
run_list        "recipe[libuuid-user]"
cookbook        "libuuid-user"

Here we’re simply getting the libuuid-user cookbook from Supermarket and applying the default recipe to the nodes that have this policy.

The next step is to install the Policyfile. This generates the Policyfile.lock.json, and downloads the cookbooks to the cache, ~/.chefdk/cache/cookbooks. If this isn’t run, chef will complain, with a reminder to run it.

chef install

Finally, we can provision a testing system with this policy:

chef provision testing --sync -n debian-libuuid

This will result in output similar to this:

Uploading policy to policy group testing
Uploaded libuuid-user 1.0.1 (c3220a49)
Compiling Cookbooks...
Recipe: provision::default
  * machine[debian-libuuid] action converge
    - Create debian-libuuid with AMI ami-0d5b6c3d in us-west-2
    - create node debian-libuuid at https://chef-api.example.com/organizations/testing
    -   add normal.tags = nil
    -   add normal.chef_provisioning = {"hash" => "of options"}
    - waiting for debian-libuuid (i-251f1cec on aws::us-west-2) to be connectable (transport up and running) ...
    - been waiting 60/120 -- sleeping 10 seconds for debian-libuuid (i-251f1cec on aws::us-west-2) to be connectable ...
    - debian-libuuid is now connectable        - generate private key (2048 bits)
    - create directory /etc/chef on debian-libuuid
    - write file /etc/chef/client.pem on debian-libuuid
    - create client debian-libuuid at clients
    -   add public_key = "-----BEGIN PUBLIC KEY-----\n..."
    - Add debian-libuuid to client read ACLs
    - Add debian-libuuid to client update ACLs
    - create directory /etc/chef/ohai/hints on debian-libuuid
    - write file /etc/chef/ohai/hints/ec2.json on debian-libuuid
    - write file /etc/chef/client.rb on debian-libuuid
    - write file /tmp/chef-install.sh on debian-libuuid
    - run 'bash -c ' bash /tmp/chef-install.sh'' on debian-libuuid
    [debian-libuuid] Starting Chef Client, version 12.3.0
                     [2015-05-15T22:42:43+00:00] WARN: Using experimental Policyfile feature
                     resolving cookbooks for run list: ["libuuid-user::default@1.0.1 (c3220a4)", "libuuid-user::verify@1.0.1 (c3220a4)"]
                     Synchronizing Cookbooks:
                       - libuuid-user
                     Compiling Cookbooks...
                     Converging 1 resources
                     Recipe: libuuid-user::default
                       * user[libuuid] action create
                       - create user libuuid

                     Running handlers:
                     Running handlers complete
                     Chef Client finished, 1/1 resources updated in 5.29666495 seconds
    - run 'chef-client -l auto' on debian-libuuid

Chef Audit Mode Introduction

I’ve started working with the audit mode feature introduced in Chef version 12.1.0. Audit mode allows users to write custom rules (controls) in Chef recipes using new DSL helpers. In his ChefConf 2015 talk, “Compliance At Velocity,” James Casey goes into more of the background and reasoning for this. For now, I wanted to share a few tips with users who may be experimenting with this feature on their own, too.

First, we need to update ChefDK to version 0.5.0, as that includes a version of test kitchen that allows us to configure audit mode for chef-client.

1
curl -L https://chef.io/chef/install.sh | sudo bash -s -- -P chefdk

Next, create a new cookbook for the audit mode tests.

1
2
chef generate cookbook audit-test
cd audit-test

Then, modify the audit-test cookbook’s .kitchen.yml:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
---
driver:
  name: vagrant

provisioner:
  name: chef_zero
  client_rb:
    audit_mode: :audit_only

platforms:
  - name: ubuntu-12.04
  - name: centos-6.5

suites:
  - name: default
    run_list:
      - recipe[audit-test::default]
    attributes:

This is the generated .kitchen.yml with client_rb added to the provisioner config. Note that we must use the Ruby symbol syntax for the config value, :audit_only. The other valid values for audit_mode are :enabled and :disabled. This will be translated to an actual Ruby symbol in the generated config file (/tmp/kitchen/client.rb):

1
audit_mode :audit_only

Next, let’s write a control rule to test. Since we’re using the default .kitchen.yml, which includes Ubuntu 12.04 and uses SSH to connect, we can assume that SSH is running, so port 22 is listening. The following control asserts this is true.

1
2
3
4
5
6
7
control_group 'Blog Post Examples' do
  control 'SSH' do
    it 'should be listening on port 22' do
      expect(port(22)).to be_listening
    end
  end
end

Now run kitchen converge ubuntu to run Chef, but not tear down the VM aftward – we’ll use it again for another example. Here’s the audit phase output from the Chef run:

% kitchen converge ubuntu
Synchronizing Cookbooks:
  - audit-test
Compiling Cookbooks...
Starting audit phase

Blog Post Examples
  SSH
    should be listening on port 22

Finished in 0.10453 seconds (files took 0.37536 seconds to load)
1 example, 0 failures
Auditing complete

Cool! So we have asserted that the node complies with this control by default. But what does a failing control look like? Let’s write one. Since we’re working with SSH already, let’s use the SSHd configuration. By default in the Vagrant base box we’re using, root login is permitted, so this value is present:

1
PermitRootLogin yes

However, our security policy mandates that we set this to no, and we want to audit that.

1
2
3
4
5
6
7
8
9
10
11
control_group 'Blog Post Examples' do
  control 'SSH' do
    it 'should be listening on port 22' do
      expect(port(22)).to be_listening
    end

    it 'disables root logins over ssh' do
      expect(file('/etc/ssh/sshd_config')).to contain('PermitRootLogin no')
    end
  end
end

Rerun kitchen converge ubuntu and we see the validation fails.

Starting audit phase

Blog Post Examples
  SSH
    should be listening on port 22
    disables root logins over ssh (FAILED - 1)

Failures:

  1) Blog Post Examples SSH disables root logins over ssh
     Failure/Error: expect(file('/etc/ssh/sshd_config')).to contain('PermitRootLogin no')
expected File "/etc/ssh/sshd_config" to contain "PermitRootLogin no"
     # /tmp/kitchen/cache/cookbooks/audit-test/recipes/default.rb:8:in `block (3 levels) in from_file'

Finished in 0.13067 seconds (files took 0.32089 seconds to load)
2 examples, 1 failure

Failed examples:

rspec  # Blog Post Examples SSH disables root logins over ssh
[2015-04-04T03:29:41+00:00] ERROR: Audit phase failed with error message: Audit phase found failures - 1/2 controls failed

Audit phase exception:
Audit phase found failures - 1/2 controls failed

When we have a failure, we’ll have contextual information about the failure, including the line number in the recipe where itwas found, and a stack trace (cut from the output here), in case more information is required for debugging. To fix the test, we can simply edit the config file to have the desired setting, or we can manage the file with Chef to set the value accordingly. Either way, after updating the file, the validation will pass, and all will be well.

We can put as many control_group and control blocks with the it validation rules as required to audit our policy. If we have many validations, it can be difficult to follow with all the output if there are failures. Chef’s audit mode is based on Serverspec, which is based on RSpec. We can use the filter_tag configuration feature of RSpec to only run the control blocks or it statements that we’re interested in debugging. To do this, we need an RSpec.configuration block within the control_group – due to the way that audit mode is implemented, we can’t do it outside of control_group.

For example, we could debug our root login configuration:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
control_group 'Blog Post Examples' do
  ::RSpec.configure do |c|
    c.filter_run focus: true
  end

  control 'SSH' do
    it 'should be listening on port 22' do
      expect(port(22)).to be_listening
    end

    it 'disables root logins over ssh', focus: true do
      expect(file('/etc/ssh/sshd_config')).to contain('PermitRootLogin no')
    end
  end
end

The key here is to pass the argument focus: true (or if you like hash rockets, :focus => true) on the it block. This could also be used on a control block:

1
2
3
control 'SSH', focus: true do
  it 'does stuff...'
end

Then, when running kitchen converge ubuntu, we see only that validation:

Starting audit phase

Blog Post Examples
  SSH
    disables root logins over ssh (FAILED - 1)

Failures:

  1) Blog Post Examples SSH disables root logins over ssh
     Failure/Error: expect(file('/etc/ssh/sshd_config')).to contain('PermitRootLogin no')

This example is simple enough that this isn’t necessary, but if we were implementing audit mode checks for our entire security policy, that could be dozens or even hundreds of controls.

As of this writing, audit mode is still under development, and is considered an experimental feature. There will be further information, guides, and documentation about it coming to the Chef blog and docs site, and I’ll have a post coming soon with something I’m working on, so stay tuned!

Missing Transitive Dependencies

One of my home projects while I’m on vacation this week is rebuilding my server with Fedora 21 (Server). In order to do this, I needed to add Fedora support to the runit cookbook, since I use runit for a number of services on my system. That’s really neither here nor there, as the topic of this blog post isn’t specific to Fedora, nor runit.

The topic is actually about an issue with transitive dependencies and how Chef dependency resolution works.

Here’s the scenario:

  1. I run chef on my node
  2. The runit cookbook is synchronized
  3. An older version of the runit cookbook is downloaded
  4. The new changes I expected were not made
  5. WTFs ensue

So what happened?

The runit cookbook itself is updated to use Ian Meyer’s Package Cloud repository – at least, the version I want to use is, which is on GitHub. When I submitted the PR for adding this repository for RHEL platforms, Ian had not yet added Fedora packages. That’s okay because Fedora is not listed as supported in the cookbook. However, I wanted to use it, and figured folks in the community using Fedora Server might benefit too.

I digress. Ian pushed a Fedora package earlier today, so I added “fedora” to the various platform family conditionals, in the cookbook and opened the PR linked earlier. All was well in test kitchen. So I change my local repository’s Berksfile:

1
cookbook 'runit', github: 'hw-cookbooks/runit', ref: 'jtimberman/fedora-21'

Then a quick berks update runit and berks upload runit, and I was in business.

Or so I thought. Enter scenario listed above. The problem is, that when I did the berks upload, it only uploaded runit. However in the latest runit cookbook from that branch, it also adds a dependency on Computology’s packagecloud cookbook, since it uses that to add the repository. When the runit cookbook is specified on the berks upload command, it doesn’t upload the transitive dependencies when the location is a git URI. This appears to be by design.

What happens in Chef is that the server solves the graph, seeing that the node needs the runit cookbook. But the latest version of the runit cookbook depends on packagecloud, which hasn’t yet been uploaded. So the dependency solver looks for the latest version of the runit cookbook that meets the constraint (none), and doesn’t have the packagecloud cookbook. Thus, I end up with runit version 1.5.18 on my node, but it fails to converge because it doesn’t have the changes required for Fedora, which are in 1.5.20.

The simple solution here is to upload the packagecloud cookbook. This can be done with berks upload packagecloud, as it does exist in the Berksfile.lock and has been cached in the berkshelf. Alternatively, berks upload will also upload the cookbook, as that operates on all cookbooks in the Berksfile.lock.

I hope this helps anyone who’s faced this issue with transitive dependencies when working on a cookbook “in development.”

Chef Gem Compile Time Compatibility

TL;DR, if you’re using Chef 11 and chef-sugar, upgrade chef-sugar to version 3.0.1. If you cannot upgrade, use the following in your chef_gem resources in your recipes:

1
compile_time true if Chef::Resource::ChefGem.instance_methods(false).include?(:compile_time)

As you may be aware, Chef 12.1.0 introduces a change to the chef_gem resource that prints out warning messages like this:

WARN: chef_gem[chef-vault] chef_gem compile_time installation is deprecated
WARN: chef_gem[chef-vault] Please set `compile_time false` on the resource to use the new behavior.
WARN: chef_gem[chef-vault] or set `compile_time true` on the resource if compile_time behavior is required.

These messages are just warnings, but if you’re installing a lot of gems in your recipes, you may be annoyed by the output. As the warning indicates, you can set compile_time true property. This doesn’t work on versions of Chef before 12.1, though:

NoMethodError: undefined method `compile_time' for Chef::Resource::ChefGem

So, as a workaround, we can ask whether we respond to the compile_time method in the chef_gem resource:

1
2
3
chef_gem 'chef-vault' do
  compile_time false if respond_to?(:compile_time)
end

This appears to get around the problem for most cases. However, if you’re using chef-sugar, you’ll note that until version 3.0.0, chef-sugar includes a compile_time DSL method that gets injected into Chef::Resource (and Chef::Recipe). This has been modified to at_compile_time in chef-sugar version 3.0.0 to work around Chef’s introduction of a compile_time method in the chef_gem resource. The simple thing to do is make sure that your chef-sugar gem/cookbook are updated to v3.0.1. However if that isn’t an option for some reason, you can use this conditional check:

1
2
3
chef_gem 'chef-vault' do
  compile_time true if Chef::Resource::ChefGem.instance_methods(false).include?(:compile_time)
end

Hat tip to Anthony Scalisi, who added this in a pull request for the aws cookbook. The instance_methods method comes from Ruby’s Module class. Per the documentation:

Returns an array containing the names of the public and protected instance methods in the receiver. For a module, these are the public and protected methods; for a class, they are the instance (not singleton) methods. If the optional parameter is false, the methods of any ancestors are not included.

If we look at this in, e.g., chef-shell under Chef 12.1.0:

1
2
chef:recipe > Chef::Resource::ChefGem.instance_methods(false)
 => [:gem_binary, :compile_time, :after_created]

And in Chef 12.0.3 or 11.18.6:

1
2
chef > Chef::Resource::ChefGem.instance_methods(false)
 => [:gem_binary, :after_created]

Awesome Syntax Highlighting in Keynote

I am working on my presentation for ChefConf. I plan to have quite a lot of code samples. I’ve found the options for getting code samples with nice syntax highlight a lackluster endeavour, with various GUI editors like TextMate, Sublime, and Atom having “Copy as RTF” plugins, but none of them being easily customizable.

So I did a quick Google search and happened on a gist I hadn’t seen before. It describes the following steps:

  1. Install Homebrew (done, I have that covered with Chef ;)).
  2. Install “highlight” with brew install highlight.
  3. Use highlight to transform the source code file to RTF and copy it to the clipboard.
  4. Paste the clipboard into Keynote.app.

This isn’t much different than the other solutions, except one super cool thing I learned about highlight.

It has styles.

1
2
3
highlight -w

<OMG LIST OF EIGHTY TWO DIFFERENT STYLES!!!>

That’s right, at least at the time of this writing highlight has 82 different styles available. Including my favorite(s) solarized – both light and dark. Note that the --help output says that this option is deprecated in the version I’ve installed (3.18_1), but the styles are in /usr/local/Cellar/highlight/VERSION/share/themes.

Highlight knows the syntax highlighting for a lot of languages, these are in /usr/local/Cellar/highlight/VERSION/share/langDefs. For example I can get my Ruby recipe highlighted with this:

1
highlight -s solarized-light -O rtf recipes/client.rb | pbcopy

This will use Courier New as the font, and depending on the theme/style used, some of the highlighting may be bold or italic. This is easy enough to change in Keynote though.

For up to date documentation and information about highlight, visit the author’s page.

Quick Tip: Create a Provisioner Node

This quick tip is brought to you by my preparation for my ChefConf talk about using Chef Provisioning to build a Chef Server Cluster, which is based on my blog post about the same. In the blog post I used chef-zero as my Chef Server, but for the talk I’m using Hosted Chef.

In order for the Chef Provisioning recipe to work the provisioning node – the node that runs chef-client – needs to have the appropriate permissions to manage objects on the Chef Server. This is easy with chef-zero – there are no ACLs at all. However in Hosted Chef, like any regular Chef Server, the ACLs don’t allow nodes’ API clients to modify other nodes, or API clients.

Fortunately we can do all the work necessary using knife, with the knife-acl plugin. In this quick tip, I’ll create a group for provisioning nodes, and give that group the proper permissions for the Chef Provisioning recipe to create the machines’ nodes and clients.

First of all, I’m using ChefDK, and it’s my Ruby environment too, so install the gem:

1
chef gem install knife-acl

Next, use the knife group subcommand to create the new group. Groups are a number of users and/or API clients. By default, an organization on Hosted Chef will have admins, billing-admins, clients, and users. Let’s create provisioners now.

1
knife group create provisioners

The Role-based access control (RBAC) system in the Chef Server allows us to assign read, create, update, grant, and delete permissions to various objects in the organization. Containers are a special holder of other types of objects, in this case we need to add permissions for the clients and nodes containers. This is what allows the Chef Provisioning recipe’s machine resources to have their Chef objects created.

1
2
3
4
5
6
7
8
9
for i in read create update grant delete
do
  knife acl add containers clients $i group provisioners
done

for i in read create update grant delete
do
  knife acl add containers nodes $i group provisioners
done

Next, we need the API client that will be used by the Chef Provisioning node to authenticate with the Chef Server, and the node needs to be created as well. By default the client will automatically have permissions for the node object that has the same name.

1
2
knife client create -d chefconf-provisioner > ~/.chef/chefconf-provisioner.pem
knife node create -d chefconf-provisioner

Finally, we need to put the new API client into the provisioners group that was created earlier. First we need to get a mapping of the actors in the organization. Then we can add the client to the group.

1
2
knife actor map
knife group add actor provisioners chefconf-provisioner

The knife actor map command will generate a YAML file like this:

1
2
3
4
5
6
7
8
9
---
:user_map:
  :users:
    jtimberman: 12345678901234567890123456780123
  :usags:
    12345678901234567890123456780123: jtimberman
:clients:
  chefconf-provisioner: chefconf-provisioner
  jtimberman-chefconf-validator: jtimberman-chefconf-validator

This maps users to their USAG and stores a list of clients. More information about this is in the knife-acl README

At this point, we have a node, with the private key in ~/.chef that can be used with the Chef Server to use Chef Provisioning’s machine resource. We can also perform additional tasks that require having a node object, such as create secrets as Chef Vault items:

1
knife vault create secrets dnsimple -M client -J data_bags/secrets/dnsimple.json -A jtimberman -S 'name:chefconf-provisioner'

The entire series of commands is below.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
chef gem install knife-acl
knife group create provisioners

for i in read create update grant delete
do
  knife acl add containers clients $i group provisioners
done

for i in read create update grant delete
do
  knife acl add containers nodes $i group provisioners
done

knife client create -d chefconf-provisioner > ~/.chef/chefconf-provisioner.pem
knife node create -d chefconf-provisioner
knife actor map
knife group add actor provisioners chefconf-provisioner

knife vault create secrets dnsimple -M client -J data_bags/secrets/dnsimple.json -A jtimberman -S 'name:chefconf-provisioner'

Hopefully this helps you out with your use of Chef Provisioning, and a non-zero Chef server. If you have further questions, find me at ChefConf!

Quick Tip: Define Resources to Notifiy in LWRPs

In this quick tip, I’ll explain why you may need to create resources to notify in a provider, even if the resource exists in a recipe, when using use_inline_resources in Chef’s LWRP DSL.

I’ll use an example cookbook, notif, to illustrate. First, I’ve created cookbooks/notif/resources/default.rb, with the following content.

1
2
actions :write
default_action :write

Then, I have written cookbooks/notif/providers/default.rb like this:

1
2
3
4
5
6
7
use_inline_resources

action :write do
  log 'notifer' do
    notifies :create, 'file[notified]'
  end
end

Then the default recipe, where I’ll use the resource automatically generated from the resource directory, notif.

1
2
3
4
5
6
file 'notified' do
  content 'something'
  action :nothing
end

notif 'doer'

When I run Chef, I’ll get an error like this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
 Recipe: notif::default
   * file[notified] action nothing (skipped due to action :nothing)
   * notif[doer] action write

     ================================================================================
     Error executing action `write` on resource 'notif[doer]'
     ================================================================================

     Chef::Exceptions::ResourceNotFound
     ----------------------------------
     resource log[notifer] is configured to notify resource file[notified] with action create, but file[notified] cannot be found in the resource collection. log[notifer] is defined in /tmp/kitchen/cookbooks/notif/providers/default.rb:4:in `block in class_from_file'

     Resource Declaration:
     ---------------------
     # In /tmp/kitchen/cookbooks/notif/recipes/default.rb

      12: notif 'doer'

     Compiled Resource:
 ------------------
     # Declared in /tmp/kitchen/cookbooks/notif/recipes/default.rb:12:in `from_file'

     notif("doer") do
       action :write
       retries 0
       retry_delay 2
       default_guard_interpreter :default
       declared_type :notif

       recipe_name "default"
     end

To fix this, I define the file resource in the provider:

1
2
3
4
5
6
7
8
9
10
11
use_inline_resources

action :write do
  log 'notifer' do
    notifies :create, 'file[notified]'
  end

  file 'notified' do
    content new_resource.name
  end
end

Then when I run Chef, it will converge and notify the file resource to be configured.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Recipe: notif::default
  * file[notified] action nothing (skipped due to action :nothing)
  * notif[doer] action write
    * log[notifer] action write

    * file[notified] action create
      - create new file notified
      - update content in file notified from none to 935e8e
      --- notified       2015-01-18 05:47:49.186399317 +0000
      +++ ./.notified20150118-15795-om5fiw       2015-01-18 05:47:49.186399317 +0000
      @@ -1 +1,2 @@
      +doer
    * file[notified] action create (up to date)

Running handlers:
Running handlers complete
Chef Client finished, 3/4 resources updated in 1.298990565 seconds

Why does this happen?

The reason for this is because use_inline_resources tells Chef that in this provider, we’re using inline resources that will be added to their own run context, with their own resource collection. We don’t have access to the resource collection from the recipe. Even though the file[notified] resource exists from the recipe, it doesn’t actually get inherited in the provider’s run context, raising the error we saw before.

We can turn off use_inline_resources by removing it, and the custom resource will be configured:

1
2
3
4
5
action :write do
  log 'notifer' do
    notifies :create, 'file[notified]'
  end
end

Then run Chef:

1
2
3
4
5
6
7
8
9
10
11
Recipe: notif::default
  * file[notified] action nothing (skipped due to action :nothing)
  * notif[doer] action write (up to date)
  * log[notifer] action write
  * file[notified] action create
    - update content in file notified from 935e8e to 3fc9b6
    --- notified 2015-01-18 05:47:49.186399317 +0000
    +++ ./.notified20150118-16159-r18q7z 2015-01-18 05:50:57.832140405 +0000
    @@ -1,2 +1,2 @@
    -doer
    +something

Notice that the file[notified] resource wasn’t updated at the start of the run, when it was encountered in the recipe, but it was when notified by the log resource in the provider action, changing the content.

Use inline compile mode!

The use_inline_resources method in the lightweight provider DSL is strongly recommended. It makes it easier to send notifications from the custom resource itself to other resources in the recipe’s resource collection. Read more about the inline compile mode in the Chef docs.

Also, define the resources that you need to notify when you’re doing this in your provider’s actions. A common example is within a provider that writes configuration for a service, and needs to tell that service to restart.

Quick Tip: Testing Conditionals in ChefSpec

This tip is brought to you by the homebrew cookbook.

ChefSpec is a great way to create tests for Chef recipes to catch regressions. Sometimes recipes end up having branching conditional logic that can have very different outcomes based on external factors – attributes, existing system state, or cross-platform support.

The homebrew cookbook only supports OS X, so we don’t have cross-platform support to test there. However, its default recipe has four conditionals to test. You can read the entire default_spec.rb for full context, I’m going to focus on just one aspect here:

  • Installing homebrew should only happen if the brew binary does not exist.

This is a common use case in Chef recipes. The best way to go about converging your node to the desired state involves running some arbitrary command. In this case, it’s the installation of Homebrew itself. Normally for installations we want to use an idempotent, convergent resource like package. However, since homebrew is to be our package management system, we have to do something else. As it turns out the homebrew project provides an installation script and that script will install a binary, /usr/local/bin/brew. We will assume that if Chef converged on a node after running the script, and the brew binary exists, then we don’t need to attempt reinstallation. There’s more robust ways to go about it (e.g., running brew gives some desired output), but this works for example purposes today.

From the recipe, here’s the resource:

1
2
3
4
5
execute 'install homebrew' do
  command homebrew_go
  user node['homebrew']['owner'] || homebrew_owner
  not_if { ::File.exist? '/usr/local/bin/brew' }
end

command is a script, called homebrew_go, which is a local variable set to a path in Chef::Config[:file_cache_path]. It is retrieved in the recipe with remote_file. The resource used to have execute homebrew_go, but when ChefSpec runs, it does so in a random temporary directory, which we cannot predict the name.

The astute observer will note that the user parameter has another conditional (designated by the ||). That’s actually the subject of another post. In this post, I’m concerned only with testing the guard, not_if.

The not_if is a Ruby block, which means the Ruby code is evaluated inline during the Chef run. How we go about testing that is the subject of this post.

First, we need to mock the return result of sending the #exist? method to the File class. There are two reasons. First, we want to control the conditional so we can write a test for each outcome. Second, someone running the test (like me) might have already installed homebrew on their local system (which I have), and so /usr/local/bin/brew will exist. To do this, in our context, we have a before block that stubs the return to false:

1
2
3
4
5
6
before(:each) do
  allow_any_instance_of(Chef::Resource).to receive(:homebrew_owner).and_return('vagrant')
  allow_any_instance_of(Chef::Recipe).to receive(:homebrew_owner).and_return('vagrant')
  allow(File).to receive(:exist?).and_return(false)
  stub_command('which git').and_return(true)
end

There’s some other mocked values here. I’ll talk about the vagrant user for homebrew_owner in a moment, though again, that’s the subject of another post.

The actual spec will test that the installation script will actually get executed when we run chef, and as the vagrant user.

1
2
3
4
5
it 'runs homebrew installation as the default user' do
  expect(chef_run).to run_execute('install homebrew').with(
    :user => 'vagrant'
  )
end

When rspec runs, we see this is the case:

1
2
3
homebrew::default
  default user
    runs homebrew installation as the default user

If I didn’t mock the user, it would be jtimberman, as that is the user that is running Chef via rspec/ChefSpec. The test would fail. If you’re looking at the full file, there’s some other details we’re going to look at shortly. If I didn’t mock the return for File.exist?, the execute wouldn’t run at all.

To test what happens when /usr/local/bin/brew exists, I set up a new context in rspec, and create a new before block.

1
2
3
4
5
6
7
8
9
10
context '/usr/local/bin/brew exists' do
  before(:each) do
    allow(File).to receive(:exist?).and_return(true)
    stub_command('which git').and_return(true)
  end

  it 'does not run homebrew installation' do
    expect(chef_run).to_not run_execute('install homebrew')
  end
end

We don’t need the vagrant mocks earlier, but we do need to stub File.exist?. This test would pass on my system without it, but not on, e.g., a Linux system that doesn’t have homebrew.

Then running rspec, we see:

1
2
3
4
5
homebrew::default
  /usr/local/bin/brew exists
    does not run homebrew installation
  default user
    runs homebrew installation as the default user

In a coming post, I will walk through the conditionals related to the homebrew_owner.

Quick Tip: Serverspec Spec_helper in Test Kitchen

Recently, I’ve started refactoring some old cookbooks I wrote ages ago. I’m adding Serverspec coverage that can be run with kitchen verify. In this quicktip, I’ll describe how to create a spec_helper that can be used in all the specs. This is a convention used by many in the Ruby community to add configuration for RSpec.

For Chef, we can run integration tests after convergence using Test Kitchen using Serverspec. To do that, we need to require Serverspec, and then set its backend. In some cookbooks, the author/developer may have written spec_helper files in the various test/integration/SUITE/serverspec/ directories, but this will use a single shared file for them all. Let’s get started.

In the .kitchen.yml, add the data_path configuration directive in the provisioner.

1
2
3
provisioner:
  name: chef_zero
  data_path: test/shared

Then, create the test/shared directory in the cookbook, and create the spec_helper.rb in it.

1
2
mkdir test/shared
$EDITOR test/shared/spec_helper.rb

Minimally, it should look like this:

1
2
3
require 'serverspec'

set :backend, :exec

Then in your specs, for example test/integration/default/serverspec/default_spec.rb, require the spec_helper. On the instances under test, the file will be copied to /tmp/kitchen/data/spec_helper.rb.

1
require_relative '../../../kitchen/data/spec_helper'

That’s it, now when running kitchen test, or kitchen verify on a converged instance, the helper will be used.