Paste P2810

scap::target

Authored by mmodell on Mar 24 2016, 1:43 AM.
scap::target { 'ores-wikimedia-config':
    deploy_user        => 'ladsgroup',
    public_key_content => secret('some-secret-key'),
    sudo_rules         => [
        'ALL=(root) NOPASSWD: /usr/sbin/service ores *',
    ],
}

Event Timeline

I made this but I got an error:

scap::target { 'ores-wikimedia-config':
    deploy_user => 'ladsgroup',
    public_key_source => "puppet:///modules/test/pub.pub",
    sudo_rules        => [
        'ALL=(root) NOPASSWD: /usr/sbin/service ores *',
    ],
}
ladsgroup@ores-staging-web-01:/etc/puppet/modules/test/manifests$ sudo puppet apply --noop test.pp
Error: Puppet::Parser::AST::Resource failed with error ArgumentError: Invalid resource type scap::target at /etc/puppet/modules/test/manifests/test.pp:7 on node ores-staging-web-01.ores-staging.eqiad.wmflabs
Wrapped exception:
Invalid resource type scap::target
Error: Puppet::Parser::AST::Resource failed with error ArgumentError: Invalid resource type scap::target at /etc/puppet/modules/test/manifests/test.pp:7 on node ores-staging-web-01.ores-staging.eqiad.wmflabs

I don't want to go through code review in operations/puppet to test this, and when I do this target, it doesn't work because it can't find scap.

I found a way around it, and now it gives me this error:

ladsgroup@ores-staging-web-01:/etc/puppet/modules/test$ sudo puppet apply --noop --modulepath /etc/puppet/puppet/modules/ manifests/test.pp
Warning: Config file /etc/puppet/hiera.yaml not found, using Hiera defaults
Notice: Compiled catalog for ores-staging-web-01.ores-staging.eqiad.wmflabs in environment production in 1.49 seconds
Notice: /Stage[main]/Main/Scap::Target[ores-wikimedia-config]/User[ladsgroup]/home: current_value /home/ladsgroup, should be /var/lib/scap (noop)
Notice: /Stage[main]/Main/Scap::Target[ores-wikimedia-config]/Ssh::Userkey[ladsgroup]/File[/etc/ssh/userkeys/ladsgroup]/ensure: current_value absent, should be file (noop)
Notice: Ssh::Userkey[ladsgroup]: Would have triggered 'refresh' from 1 events
Notice: /Stage[main]/Packages::Python_psutil/Package[python-psutil]/ensure: current_value purged, should be present (noop)
Notice: Class[Packages::Python_psutil]: Would have triggered 'refresh' from 1 events
Notice: /Stage[main]/Packages::Python_netifaces/Package[python-netifaces]/ensure: current_value purged, should be present (noop)
Notice: Class[Packages::Python_netifaces]: Would have triggered 'refresh' from 1 events
Notice: /Stage[main]/Sudo/Package[sudo]/ensure: current_value absent, should be present (noop)
Notice: Class[Sudo]: Would have triggered 'refresh' from 1 events
Notice: /Stage[main]/Main/Scap::Target[ores-wikimedia-config]/Sudo::User[scap_ladsgroup]/File[/etc/sudoers.d/scap_ladsgroup]/ensure: current_value absent, should be present (noop)
Notice: /Stage[main]/Main/Scap::Target[ores-wikimedia-config]/Sudo::User[scap_ladsgroup]/Exec[sudo_user_scap_ladsgroup_linting]: Would have triggered 'refresh' from 1 events
Notice: Sudo::User[scap_ladsgroup]: Would have triggered 'refresh' from 2 events
Notice: /Stage[main]/Scap/Package[scap]/ensure: current_value purged, should be 3.0.3-1 (noop)
Notice: /Stage[main]/Scap/File[/etc/scap.cfg]/ensure: current_value absent, should be file (noop)
Notice: Class[Scap]: Would have triggered 'refresh' from 2 events
Error: /Package[ores-wikimedia-config]: Provider scap3 is not functional on this host
Notice: Scap::Target[ores-wikimedia-config]: Would have triggered 'refresh' from 3 events
Notice: Class[Main]: Would have triggered 'refresh' from 1 events
Notice: Stage[main]: Would have triggered 'refresh' from 5 events
Notice: Finished catalog run in 0.57 seconds

Running in debug mode gave me a better description of what's wrong:

Debug: Puppet::Type::Package::ProviderScap3: file /usr/bin/deploy-local does not exist
Error: /Package[ores-wikimedia-config]: Provider scap3 is not functional on this host

So it means provider scap3 can't create /usr/bin/deploy-local because it doesn't have permission, simply because the defined user doesn't have access.

I put my puppet here if anyone wants to work on it:

scap::target { 'ores-wikimedia-config':
    deploy_user => 'ladsgroup',
    public_key_source => "puppet:///modules/test/pub.pub",
    sudo_rules        => [
        'ALL=(root) NOPASSWD: /usr/sbin/service uwsgi-ores-web *',
    ],
}

Yup:

ladsgroup@ores-staging-web-01:/usr/bin$ mkdir a
mkdir: cannot create directory ‘a’: Permission denied

@Ladsgroup: the scap package should be installed on that host, and that installs deploy-local. Let me see if I can get to the bottom of it.

Running in debug mode gave me a better description of what's wrong:

Debug: Puppet::Type::Package::ProviderScap3: file /usr/bin/deploy-local does not exist
Error: /Package[ores-wikimedia-config]: Provider scap3 is not functional on this host

Looks like the scap package just needs to be installed on the target. This is provided by the scap puppet class. We split out scap and scap::target so that it could be used for both targets and deployment servers (via the scap::master class).

Adding scap to your puppet inventory along with the puppet you pasted above should be enough to get a clean puppet run on the target.

When I add "require package('scap')" it returns an error saying it's already declared.

hmm. What about:

include scap

scap::target { 'ores-wikimedia-config':
    deploy_user        => 'ladsgroup',
    public_key_content => secret('some-secret-key'),
    sudo_rules         => [
        'ALL=(root) NOPASSWD: /usr/sbin/service ores *',
    ],
}

It returns a "/usr/bin not found" error, but I thought that maybe, because I run it in noop mode (to test and not make changes), it doesn't create the folder. When I ran it without noop it returned this error:

Error: Could not set home on user[ladsgroup]: Execution of '/usr/sbin/usermod -d /var/lib/scap ladsgroup' returned 8: usermod: user ladsgroup is currently used by process 24228
Error: /Stage[main]/Main/Scap::Target[ores-wikimedia-config]/User[ladsgroup]/home: change from /home/ladsgroup to /var/lib/scap failed: Could not set home on user[ladsgroup]: Execution of '/usr/sbin/usermod -d /var/lib/scap ladsgroup' returned 8: usermod: user ladsgroup is currently used by process 24228

So it's obvious, we had this error. I'm not sure how to fix it, but I'll find a way.

Looks like it's just erroring out since scap::target is trying to create your user.

Try adding the manage_user => false param:

include scap

scap::target { 'ores-wikimedia-config':
    deploy_user        => 'ladsgroup',
    manage_user        => false,
    public_key_content => secret('some-secret-key'),
    sudo_rules         => [
        'ALL=(root) NOPASSWD: /usr/sbin/service ores *',
    ],
}

Why are you even trying to run the service under your user? That's not representative of how it will be run in prod, and, if you ask me, it's generally a bad practice. Services (especially unprivileged ones) should run under limited, system uids.

Why are you even trying to run the service under your user? That's not representative of how it will be run in prod, and, if you ask me, it's generally a bad practice. Services (especially unprivileged ones) should run under limited, system uids.

Really?

Looks like it's just erroring out since scap::target is trying to create your user.

Try adding the manage_user => false param:

include scap

scap::target { 'ores-wikimedia-config':
    deploy_user        => 'ladsgroup',
    manage_user        => false,
    public_key_content => secret('some-secret-key'),
    sudo_rules         => [
        'ALL=(root) NOPASSWD: /usr/sbin/service ores *',
    ],
}

I tried it before and I tried it again. Same error:

Error: Could not find resource 'User[ladsgroup]' for relationship on 'Scap::Target[ores-wikimedia-config]' on node ores-staging-web-01.ores-staging.eqiad.wmflabs
Error: Could not find resource 'User[ladsgroup]' for relationship on 'Scap::Target[ores-wikimedia-config]' on node ores-staging-web-01.ores-staging.eqiad.wmflabs

Ah blerg, missed that.

So when scap::target tries to create the user it fails because it tries to modify the existing user to use the home directory /var/lib/scap. This is failing (probably thankfully :D) because the user is managed via LDAP instead of puppet.

However, when you pass manage_user => false scap::target fails because it expects to find the user definition in puppet for the deployment user: https://github.com/wikimedia/operations-puppet/blob/production/modules/scap/manifests/target.pp#L61

So there are 2 options for fixing this:

  1. Create a new user to deploy with that you define in puppet
  2. Use puppet to ensure your current user exists

Option 2 might be easier for testing:

user { 'ladsgroup':
    ensure => present,
}

include scap

scap::target { 'ores-wikimedia-config':
    deploy_user        => 'ladsgroup',
    manage_user        => false,
    public_key_content => secret('some-secret-key'),
    sudo_rules         => [
        'ALL=(root) NOPASSWD: /usr/sbin/service ores *',
    ],
}
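A host-side preflight for the two conditions this thread ran into (deploy-local missing until the scap class is applied, and a deploy user that only exists in LDAP), written as an added example for this thread rather than code from the paste or the scap project; the "<user> <rule>" layout of the rendered sudoers fragment and the `preflight`/`user_source` names are assumptions.

```shell
#!/bin/sh
# Preflight for a scap::target host: an added example for this thread, not code from the
# paste or the scap project. It checks the two host-side conditions the thread ran into:
#   1. /usr/bin/deploy-local exists (the scap class installs the scap package that ships it;
#      without it the scap3 package provider is "not functional on this host");
#   2. the deploy user exists, and whether it comes only from a directory (LDAP), in which
#      case letting scap::target manage it (usermod -d /var/lib/scap) fails.
# The "<user> <rule>" layout of the rendered sudoers fragment is an assumption.
deploy_local_present() {
    # $1: path to deploy-local (default is the path from the puppet debug output)
    [ -x "${1:-/usr/bin/deploy-local}" ]
}

# Prints "local" (in the passwd file), "remote" (resolvable only via NSS, e.g. LDAP)
# or "missing". $1: user name; $2: passwd file (default /etc/passwd, overridable for tests).
user_source() {
    if grep -q "^$1:" "${2:-/etc/passwd}"; then
        echo local
    elif getent passwd "$1" >/dev/null 2>&1; then
        echo remote
    else
        echo missing
    fi
}

# Renders one sudoers line per rule, as /etc/sudoers.d/scap_<user> would hold them.
# $1: user; remaining args: rules like 'ALL=(root) NOPASSWD: /usr/sbin/service ores *'.
render_sudoers() {
    user="$1"; shift; status=0
    for rule in "$@"; do
        case "$rule" in
            *"=("*") NOPASSWD: /"* | *"=("*") /"*) printf '%s %s\n' "$user" "$rule" ;;
            *) echo "# rejected rule (expected HOST=(RUNAS) [NOPASSWD:] /abs/cmd): $rule" >&2; status=1 ;;
        esac
    done
    return $status
}

# $1: deploy user. One verdict line per check; returns 1 if anything blocks a puppet run.
preflight() {
    rc=0
    deploy_local_present || { echo "FAIL: /usr/bin/deploy-local missing; include the scap class"; rc=1; }
    case "$(user_source "$1")" in
        local)   echo "OK: $1 is a local (/etc/passwd) user" ;;
        remote)  echo "WARN: $1 comes from the directory (LDAP); use manage_user => false plus a user { '$1': ensure => present } resource, or a dedicated deploy user" ;;
        missing) echo "FAIL: user $1 does not exist"; rc=1 ;;
    esac
    return $rc
}
```

Run `preflight ladsgroup` on the target before `puppet apply`; the WARN branch is the LDAP situation described above.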

Here's a test that @Ladsgroup asked me to run:

$ puppet apply --modulepath /etc/puppet/puppet/modules/ test/manifests/test.pp --debug
Debug: Runtime environment: puppet_version=3.7.2, ruby_version=2.1.5, run_mode=user, default_encoding=UTF-8
Info: Loading facts
Debug: Loading facts from /etc/puppet/puppet/modules/ganeti/lib/facter/ganeti.rb
Info: Loading facts
Debug: Loading facts from /etc/puppet/puppet/modules/stdlib/lib/facter/root_home.rb
Debug: Loading facts from /etc/puppet/puppet/modules/stdlib/lib/facter/pe_version.rb
Debug: Loading facts from /etc/puppet/puppet/modules/stdlib/lib/facter/puppet_vardir.rb
Info: Loading facts
Debug: Loading facts from /etc/puppet/puppet/modules/base/lib/facter/lldp.rb
Debug: Loading facts from /etc/puppet/puppet/modules/base/lib/facter/initsystem.rb
Debug: Loading facts from /etc/puppet/puppet/modules/base/lib/facter/physicalcorecount.rb
Debug: Loading facts from /etc/puppet/puppet/modules/base/lib/facter/labsprojectfrommetadata.rb
Info: Loading facts
Debug: Loading facts from /etc/puppet/puppet/modules/apt/lib/facter/apt.rb
Info: Loading facts
Debug: Loading facts from /etc/puppet/puppet/modules/puppet_statsd/lib/facter/puppet_config_dir.rb
Debug: importing '/etc/puppet/puppet/modules/scap/manifests/init.pp' in environment production
Debug: Automatically imported scap from scap into production
Warning: Config file /home/halfak/.puppet/hiera.yaml not found, using Hiera defaults
Debug: hiera(): Hiera YAML backend starting
Debug: hiera(): Looking up scap::deployment_server in YAML backend
Debug: hiera(): Looking for data source common
Debug: hiera(): Cannot find datafile /var/lib/hiera/common.yaml, skipping
Debug: Scope(Class[Scap]): Retrieving template scap/scap.cfg.erb
Debug: template[/etc/puppet/puppet/modules/scap/templates/scap.cfg.erb]: Bound template variables for /etc/puppet/puppet/modules/scap/templates/scap.cfg.erb in 0.00 seconds
Debug: template[/etc/puppet/puppet/modules/scap/templates/scap.cfg.erb]: Interpolated template /etc/puppet/puppet/modules/scap/templates/scap.cfg.erb in 0.00 seconds
Debug: Failed to load library 'selinux' for feature 'selinux'
Debug: importing '/etc/puppet/puppet/modules/scap/manifests/target.pp' in environment production
Debug: Automatically imported scap::target from scap/target into production
Debug: importing '/etc/puppet/puppet/modules/scap/manifests/ferm.pp' in environment production
Debug: Automatically imported scap::ferm from scap/ferm into production
Debug: importing '/etc/puppet/puppet/modules/ferm/manifests/init.pp' in environment production
Debug: importing '/etc/puppet/puppet/modules/ferm/manifests/rule.pp' in environment production
Debug: Automatically imported ferm::rule from ferm/rule into production
Debug: importing '/etc/puppet/puppet/modules/ssh/manifests/init.pp' in environment production
Debug: importing '/etc/puppet/puppet/modules/ssh/manifests/userkey.pp' in environment production
Debug: Automatically imported ssh::userkey from ssh/userkey into production
Debug: importing '/etc/puppet/puppet/modules/sudo/manifests/init.pp' in environment production
Debug: importing '/etc/puppet/puppet/modules/sudo/manifests/user.pp' in environment production
Debug: Automatically imported sudo::user from sudo/user into production
Debug: Scope(Ferm::Rule[deployment-ssh]): Retrieving template ferm/rule.erb
Debug: template[/etc/puppet/puppet/modules/ferm/templates/rule.erb]: Bound template variables for /etc/puppet/puppet/modules/ferm/templates/rule.erb in 0.00 seconds
Debug: template[/etc/puppet/puppet/modules/ferm/templates/rule.erb]: Interpolated template /etc/puppet/puppet/modules/ferm/templates/rule.erb in 0.00 seconds
Debug: Scope(Sudo::User[scap_ladsgroup]): Retrieving template sudo/sudoers.erb
Debug: template[/etc/puppet/puppet/modules/sudo/templates/sudoers.erb]: Bound template variables for /etc/puppet/puppet/modules/sudo/templates/sudoers.erb in 0.00 seconds
Debug: template[/etc/puppet/puppet/modules/sudo/templates/sudoers.erb]: Interpolated template /etc/puppet/puppet/modules/sudo/templates/sudoers.erb in 0.00 seconds
Error: Could not find resource 'User[ladsgroup]' for relationship on 'Scap::Target[ores-wikimedia-config]' on node ores-staging-web-01.ores-staging.eqiad.wmflabs
Error: Could not find resource 'User[ladsgroup]' for relationship on 'Scap::Target[ores-wikimedia-config]' on node ores-staging-web-01.ores-staging.eqiad.wmflabs

Ah blerg, missed that.

So when scap::target tries to create the user it fails because it tries to modify the existing user to use the home directory /var/lib/scap. This is failing (probably thankfully :D) because the user is managed via LDAP instead of puppet.

However, when you pass manage_user => false scap::target fails because it expects to find the user definition in puppet for the deployment user: https://github.com/wikimedia/operations-puppet/blob/production/modules/scap/manifests/target.pp#L61

So there are 2 options for fixing this:

  1. Create a new user to deploy with that you define in puppet
  2. Use puppet to ensure your current user exists

Option 2 might be easier for testing:

user { 'ladsgroup':
    ensure => present,
}

include scap

scap::target { 'ores-wikimedia-config':
    deploy_user        => 'ladsgroup',
    manage_user        => false,
    public_key_content => secret('some-secret-key'),
    sudo_rules         => [
        'ALL=(root) NOPASSWD: /usr/sbin/service ores *',
    ],
}

Option two seems to be working, but it gave me a new and rather strange error:

Debug: Executing '/usr/bin/deploy-local --repo ores-wikimedia-config -D log_json:False'
Error: Execution of '/usr/bin/deploy-local --repo ores-wikimedia-config -D log_json:False' returned 70: 
Error: /Stage[main]/Main/Scap::Target[ores-wikimedia-config]/Package[ores-wikimedia-config]/ensure: change from absent to present failed: Execution of '/usr/bin/deploy-local --repo ores-wikimedia-config -D log_json:False' returned 70:

AFAIK /usr/bin/deploy-local --repo ores-wikimedia-config should be run via deploy, not puppet.

Puppet has to run the initial deploy, to make sure that everything is set up correctly from the start. This is mostly for production provisioning purposes.