Adding a sudoers file in chef fails at verification

Problem description

I'm trying to add/edit a sudoers file in Chef.

After a lot of search (and broken sudoers) I found this question and the answer seemed to be exactly what I am after.

So in my chef I added the following visudo cookbook:

Recipe: ~/chef-repo/cookbook/visudo/recipes/allowUpgrade.rb

template '/etc/sudoers.d/allowUpgrade' do
    cookbook 'visudo'
    source 'allowUpgrade.erb'

    owner 'root'
    group 'root'
    mode '0440'

    verify "visudo -c -f %{path}"
end

My template: ~/chef-repo/cookbooks/visudo/templates/allowUpgrade.erb

username ALL=(ALL) NOPASSWD: /usr/local/bin/upgrade


Template and verification works manually

When I put this line/file there manually using

sudo nano /etc/sudoers.d/allowUpgrade

(I know one shouldn't) and then verify it using

visudo -c -f /etc/sudoers.d/allowUpgrade

I get

/etc/sudoers.d/allowUpgrade: parsed OK

and it works meaning I can run

sudo upgrade

without being prompted for the sudo password.

However it is not working using Chef. I'm trying it first on the local machine using

sudo chef-client -z --runlist 'recipe[visudo::allowUpgrade]'

But I get this error

Error executing action `create` on resource 'template[/etc/sudoers.d/allowUpgrade]'

Chef::Exceptions::ValidationFailed

Why does the Chef verification fail? What am I doing wrong?

Here is the complete error message

Recipe: visudo::allowUpgrade
  * template[/etc/sudoers.d/allowUpgrade] action create[2017-12-07T08:24:50+01:00] INFO: Processing template[/etc/sudoers.d/allowUpgrade] action create (visudo::allowUpgrade line 7)


    ================================================================================
    Error executing action `create` on resource 'template[/etc/sudoers.d/allowUpgrade]'
    ================================================================================

    Chef::Exceptions::ValidationFailed
    ----------------------------------
    Proposed content for /etc/sudoers.d/allowUpgrade failed verification #<Chef::Resource::File::Verification:0x0000000004070c48>

    Resource Declaration:
    ---------------------
    # In /home/username/chef-repo/.chef/local-mode-cache/cache/cookbooks/visudo/recipes/allowUpgrade.rb

      7: template '/etc/sudoers.d/allowUpgrade' do
      8:     owner'root'
      9:     group 'root'
     10:     mode '0440'
     11:     source 'allowUpgrade.erb'
     12:     verify 'visudo -c -f %{path}'
     13: end

    Compiled Resource:
    ------------------
    # Declared in /home/username/chef-repo/.chef/local-mode-cache/cache/cookbooks/visudo/recipes/allowUpgrade.rb:7:in `from_file'

    template("/etc/sudoers.d/allowUpgrade") do
      action [:create]
      default_guard_interpreter :default
      source "allowUpgrade.erb"
      declared_type :template
      cookbook_name "visudo"
      recipe_name "allowUpgrade"
      owner "root"
      group "root"
      mode "0440"
      verifications [#<Chef::Resource::File::Verification:0x0000000004070c48 @command_opts={},
          @command="visudo -c -f %{path}", @block=nil, @parent_resource=<template[/etc/sudoers.d/allowUpgrade] 
          @name: "/etc/sudoers.d/allowUpgrade" @before: nil @params: {} 
          @provider: nil @allowed_actions: [:nothing, :create, :delete, :touch, :create_if_missing] 
          @action: [:create] @updated: false @updated_by_last_action: false 
          @source_line: "/home/username/chef-repo/.chef/local-mode-cache/cache/cookbooks/visudo/recipes/allowUpgrade.rb:7:in `from_file'" 
          @guard_interpreter: nil @default_guard_interpreter: :default 
          @elapsed_time: 0 @source: "allowUpgrade.erb" @cookbook: nil 
          @local: false @variables: {} @inline_helper_blocks: {} 
          @inline_helper_modules: [] @helper_modules: [] @declared_type: :template 
          @cookbook_name: "visudo" @recipe_name: "allowUpgrade" @owner: "root" @group: "root" @mode: "0440" 
          @verifications: [...] @path: "/etc/sudoers.d/allowUpgrade">>]
      path "/etc/sudoers.d/allowUpgrade"
    end


Update:

When I leave the verification out and just do

template '/etc/sudoers.d/allowUpgrade' do
    cookbook 'visudo'
    source 'allowUpgrade.erb'

    owner 'root'
    group 'root'
    mode '0440'

    verify { 1 == 1 }
end

The sudo is broken! In recovery mode and the root console I checked and it looks just the same as when I insert it manually (which works fine)?!

Recommended answer

Thanks to the help of Tensibai here in the comments and the hint about line endings I could finally solve this problem.

In fact, the problem was this old issue:

I generated the cookbooks, recipes and templates on an Ubuntu Server 16.04 but do all my editing on the repository in Brackets.io on Windows.

This made template (and other) files have CRLF instead of LF line endings because Brackets seems to automatically use the line endings of the OS it is running on. This of course made the /etc/sudoers.d/allowUpgrade file break the sudoers because it has to end in a new line.

After some research I found this was an old known issue and could be solved by the Plug-In Newline.

After installing this Plug-In I could indeed see that the file had CRLF line endings.

I switched it to LF thanks to the Plug-In by clicking on the CRLF. Now my cookbook runs as expected and I'm able to run

sudo upgrade

without being prompted for the password - meaning it works.
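
The CRLF cause described in the answer can be caught before a Chef run with a small check over the cookbook's templates. This is an added example, not code from the original question or answer; the function names (`line_ending_problems`, `scan_templates`, `normalize_to_lf!`, `demo`) and the sample files are constructed for illustration.

```ruby
require 'tmpdir'

# Report the line-ending problems the answer describes for one file:
# CRLF endings, stray CR characters, or a missing final newline.
def line_ending_problems(path)
  data = File.binread(path)
  problems = []
  problems << :crlf if data.include?("\r\n")
  problems << :bare_cr if data.gsub("\r\n", '').include?("\r")
  problems << :no_final_newline unless data.empty? || data.end_with?("\n")
  problems
end

# Walk <cookbook>/templates and return { path => [problems] } for every
# .erb file that has at least one of the problems above.
def scan_templates(cookbook_dir)
  pattern = File.join(cookbook_dir, 'templates', '**', '*.erb')
  Dir.glob(pattern).sort.each_with_object({}) do |path, bad|
    found = line_ending_problems(path)
    bad[path] = found unless found.empty?
  end
end

# Rewrite a file with LF endings and a final newline; true if it changed.
def normalize_to_lf!(path)
  data = File.binread(path)
  fixed = data.gsub("\r\n", "\n").tr("\r", "\n")
  fixed << "\n" unless fixed.empty? || fixed.end_with?("\n")
  return false if fixed == data
  File.binwrite(path, fixed)
  true
end

# Constructed sample: a throwaway cookbook tree holding the page's sudoers
# line, saved once with CRLF (as a Windows editor would) and once with LF.
def demo
  Dir.mktmpdir do |dir|
    tpl = File.join(dir, 'templates')
    Dir.mkdir(tpl)
    rule = 'username ALL=(ALL) NOPASSWD: /usr/local/bin/upgrade'
    File.binwrite(File.join(tpl, 'crlf.erb'), rule + "\r\n")
    File.binwrite(File.join(tpl, 'lf.erb'), rule + "\n")
    before = scan_templates(dir).transform_keys { |p| File.basename(p) }
    normalize_to_lf!(File.join(tpl, 'crlf.erb'))
    { before: before, after: scan_templates(dir) }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

If the chef-repo is a Git repository, a `.gitattributes` entry such as `*.erb text eol=lf` keeps templates checked out with LF on Windows as well.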
