
Chef Development Kit Version: 2.4.17
chef-client version: 13.6.4
delivery version: master (73ebb72a6c42b3d2ff5370c476be800fee7e5427)
berks version: 6.3.1
kitchen version: 1.19.2
inspec version: 1.45.13

I am trying to test my chef-vault implementation with the kitchen-ec2 driver by creating unencrypted data bags. I have tried the solution posted here (although that one was for the vagrant driver) without success. I am not sure whether Kitchen is trying to use an encrypted vault, or whether it is not parsing the test data bag correctly.

EDIT: I should mention that I can use chef-vault successfully under normal circumstances. The problem I am having is using values from chef-vault while running tests with Kitchen on a node that Kitchen spins up (via the ec2 driver), which is not registered with the Chef server.

My chef directory tree:

+--- .kitchen
|   +--- default-centos-7.yml
|   +--- logs
|   |   +--- default-centos-7.log
|   |   +--- kitchen.log
+--- cookbooks
|   +--- fcctrs
|   |   +--- .kitchen
|   |   |   +--- default-centos-7.yml
|   |   |   +--- logs
|   |   |   |   +--- default-centos-7.log
|   |   |   |   +--- kitchen.log
|   |   +--- .kitchen.yml
|   |   +--- Berksfile
|   |   +--- Berksfile.lock
|   |   +--- chefignore
|   |   +--- metadata.rb
|   |   +--- recipes
|   |   |   +--- default.rb
|   |   |   +--- users.rb
|   |   +--- resources
|   |   |   +--- adminuser.rb
|   |   +--- spec
|   |   |   +--- spec_helper.rb
|   |   |   +--- unit
|   |   |   |   +--- recipes
|   |   |   |   |   +--- default_spec.rb
|   |   +--- test
|   |   |   +--- integration
|   |   |   |   +--- data_bags
|   |   |   |   |   +--- SSH_KEYS
|   |   |   |   |   |   +--- user.json
|   |   |   |   |   |   +--- user.json
|   |   |   +--- smoke
|   |   |   |   +--- default
|   |   |   |   |   +--- default_test.rb
+--- data_bags
|   +--- SSH_KEYS
|   |   +--- user.json
|   |   +--- user.json
+--- README.md

users.rb file:

chef_gem 'chef-vault' do
  compile_time true if respond_to?(:compile_time)
end
#
require 'chef-vault'

node.normal['chef-vault']['databag_fallback'] = true

adminuser "user" do
  action :create
  comment 'Some User'
  ssh_keys [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgg95tJuAz7Utgov1tT94w1uLL7256mJK5v4jQzpaQ4gVdKnVCMGwRV72msL4NVTLwda41L0xDbv3o/ya+1flT7F8OvbTk6SSx9llSdMn/FGTVmpTMP8513aV8q4OmcAeciB4gaB50IqR8HiGEymV63bx6/8QCWtXydbs1x4q5ym0Sa7AYpx+EpV1Aa0AZ1VxILYyvwf3aB49Nac0FAoKze4Ohnunfb+WIUFwlDWDdUimf/Vbv9D3oExZKGQvZUVfSvpMSuOZ6hT0iTyGjm3F3jKZWhyzPuGPMQmW5uT7SrvjyoDu0bynbhUUtsuSNyjQgDqwidNELM+qt5n4485it"
  ]
  private_key ChefVault::Item.load("SSH_KEYS","user")["private"]
end

user.json:

{"public":"someKey","private":"someKey"}

.kitchen.yml:

driver:
        #name: vagrant
  name: ec2
  aws_ssh_key_id: smasoudv2
  security_group_ids: [sg-4b609036,sg-2066965d]
  availability_zone: d
  subnet_id: subnet-cbf129e6
  require_chef_omnibus: true
  associate_public_ip: true
  instance_type: t2.micro

provisioner:
  name: chef_zero
  http_proxy: http://10.202.1.215:3128
  https_proxy: http://10.202.1.215:3128
  no_proxy: chef.server
  data_bags_path: "../../data_bags"
  always_update_cookbooks: true
  client_rb:
    client_key: /etc/chef/client.pem # added this as per referenced SO post

verifier:
  name: inspec

platforms:
  - name: centos-7
    driver:
      image_id: ami-46c1b650
transport:
  ssh_key: ~/Documents/MobaXterm/home/smasoudv2.pem
  username: centos

suites:
  - name: default
    run_list:
      - recipe[fcctrs::default]
      - recipe[user_shadow]
              #verifier:
                #inspec_tests:
                  #- test/smoke/default
    data_bags_path: '../../data_bags' # This is relative to the directory with .kitchen.yml
    attributes:
      chef-vault:
        databags_fallback: true # added this as per GitHub question within referenced SO post

Stack trace:

PS C:\Users\smasoud\tools\AWS\chef\cookbooks\fcctrs> kitchen converge
-----> Starting Kitchen (v1.19.2)
-----> Converging <default-centos-7>...
       Preparing files for transfer
       Preparing dna.json
       Resolving cookbook dependencies with Berkshelf 6.3.1...
       Removing non-cookbook files before transfer
       Preparing data_bags
       Preparing validation.pem
       Preparing client.rb
-----> Chef Omnibus installation detected (install only if missing)
       Transferring files to <default-centos-7>
       Starting Chef Client, version 13.7.16
       resolving cookbooks for run list: ["fcctrs::default", "user_shadow"]
       Synchronizing Cookbooks:
         - fcctrs (0.1.1)
         - user_shadow (0.1.5)
       Installing Cookbook Gems:
       Compiling Cookbooks...
       Recipe: fcctrs::mitreusers
         * chef_gem[chef-vault] action install (up to date)

         ================================================================================
         Recipe Compile Error in /tmp/kitchen/cache/cookbooks/fcctrs/recipes/default.rb
         ================================================================================

         ChefVault::Exceptions::SecretDecryption
         ---------------------------------------
         SSH_KEYS/user is not encrypted with your public key.  Contact an administrator of the vault item to encrypt for you!

         Cookbook Trace:
         ---------------
           /tmp/kitchen/cache/cookbooks/fcctrs/recipes/users.rb:40:in `block in from_file'
           /tmp/kitchen/cache/cookbooks/fcctrs/recipes/users.rb:33:in `from_file'
           /tmp/kitchen/cache/cookbooks/fcctrs/recipes/default.rb:31:in `from_file'

         Relevant File Content:
         ----------------------
         /tmp/kitchen/cache/cookbooks/fcctrs/recipes/users.rb:

          33:  mitre_baseline_adminuser "user" do
          34:      action :create
          35:      comment 'Some User'
          36:      #uid 650
          37:      ssh_keys [
          38:          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgg95tJuAz7Utgov1tT94w1uLL7256mJK5v4jQzpaQ4gVdKnVCMGwRV72msL4NVTLwda41L0xDbv3o/ya+1flT7F8OvbTk6SSx9llSdMn/FGTVmpTMP8513aV8q4OmcAeciB4gaB50IqR8HiGEymV63bx6/8QCWtXydbs1x4q5ym0Sa7AYpx+EpV1Aa0AZ1VxILYyvwf3aB49Nac0FAoKze4Ohnunfb+WIUFwlDWDdUimf/Vbv9D3oExZKGQvZUVfSvpMSuOZ6hT0iTyGjm3F3jKZWhyzPuGPMQmW5uT7SrvjyoDu0bynbhUUtsuSNyjQgDqwidNELM+qt5n4485it"
          39:      ]
          40>>     private_key ChefVault::Item.load("SSH_KEYS","user")["private"]
          41:  end
          42:

         System Info:
         ------------
         chef_version=13.7.16
         platform=centos
         platform_version=7.3.1611
         ruby=ruby 2.4.3p205 (2017-12-14 revision 61247) [x86_64-linux]
         program_name=chef-client worker: ppid=22289;start=19:59:41;
         executable=/opt/chef/bin/chef-client


         Running handlers:
       [2018-02-20T19:59:43+00:00] ERROR: Running exception handlers
         Running handlers complete
       [2018-02-20T19:59:43+00:00] ERROR: Exception handlers complete
         Chef Client failed. 0 resources updated in 01 seconds
       [2018-02-20T19:59:43+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
       [2018-02-20T19:59:43+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
       [2018-02-20T19:59:43+00:00] ERROR: SSH_KEYS/user is not encrypted with your public key.  Contact an administrator of the vault item to encrypt for you!
       [2018-02-20T19:59:43+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: 1 actions failed.
>>>>>>     Converge failed on instance <default-centos-7>.  Please see .kitchen/logs/default-centos-7.log for more details
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration

1 Answer

The data bag item user.json posted above does not look right. It is missing the id, which is the name of the data bag item. Based on your code, I believe it should be in this format:

{"id": "user", "public":"someKey", "private":"someKey" }

In your code, I do not see where you use the public key defined in the data bag item; in the recipe I see a hard-coded value. For this you have to use the public key from the data bag item. That also seems to be the problem behind the error.

Correction to the answer above:

You are using the custom resource adminuser to create the vault user. Given how vaults work, only an existing admin can add new users to a vault. So I do not think you can add a new admin to a vault user from a recipe. You need to use a knife command for that. Given that admin1 already exists, you can use

knife vault update VAULTNAME VAULTITEM -A "admin1,admin2"

answered 2018-03-13T17:29:04.087
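As an added example (not code from the question, the answer or chef-vault itself), here is a Ruby pre-flight check for the data_bags_path that the chef_zero provisioner loads: it flags an item without an "id" matching its file name (the answer's point), tells a plain fallback item from an encrypted vault item by the encrypted-data-bag field shape, and warns when an encrypted item has no usable sibling _keys item. The function names and messages are my own; the _keys item convention and the cipher/clients/admins field names are chef-vault's.

```ruby
require 'json'

# Pre-flight check for items under the data_bags_path that kitchen's
# chef_zero provisioner loads. Constructed helper, not part of chef-vault.
# Returns the problems found for one item (empty array = looks usable).
def check_data_bag_item(bag, item_name, item, keys_item = nil)
  problems = []
  # A data bag item must carry its own id, equal to the file name:
  # SSH_KEYS/user.json needs "id": "user".
  if item['id'].nil?
    problems << "#{bag}/#{item_name}: missing \"id\""
  elsif item['id'] != item_name
    problems << "#{bag}/#{item_name}: id \"#{item['id']}\" does not match the file name"
  end
  # A chef-vault item stores each secret as an encrypted-data-bag hash
  # (with "cipher", "iv", "encrypted_data"); a plain fallback item stores strings.
  secrets = item.reject { |k, _| k == 'id' }.values
  encrypted = secrets.any? { |v| v.is_a?(Hash) && v.key?('cipher') }
  if encrypted
    # Vault items come with a sibling <item>_keys item naming the clients
    # and admins the shared secret was wrapped for; without one, or with an
    # empty one, no node can decrypt the item.
    if keys_item.nil?
      problems << "#{bag}/#{item_name}: encrypted but #{item_name}_keys.json is missing"
    elsif keys_item['clients'].to_a.empty? && keys_item['admins'].to_a.empty?
      problems << "#{bag}/#{item_name}: keys item lists no clients or admins"
    end
  end
  problems
end

# Walk a data_bags directory (e.g. the "../../data_bags" from .kitchen.yml)
# and check every non-keys item, pairing it with its _keys item if present.
def check_data_bags_dir(path)
  problems = []
  Dir.glob(File.join(path, '*', '*.json')).sort.each do |file|
    item_name = File.basename(file, '.json')
    next if item_name.end_with?('_keys')
    bag = File.basename(File.dirname(file))
    keys_file = File.join(File.dirname(file), "#{item_name}_keys.json")
    keys_item = File.exist?(keys_file) ? JSON.parse(File.read(keys_file)) : nil
    problems.concat(check_data_bag_item(bag, item_name, JSON.parse(File.read(file)), keys_item))
  end
  problems
end
```

Run check_data_bags_dir against the cookbook's data_bags directory before kitchen converge; an empty result means every item has a matching id and every encrypted item has someone who can decrypt it.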