Chef Development Kit version: 2.4.17
chef-client version: 13.6.4
delivery version: master (73ebb72a6c42b3d2ff5370c476be800fee7e5427)
berks version: 6.3.1
kitchen version: 1.19.2
inspec version: 1.45.13
I am trying to test my chef-vault implementation with the kitchen-ec2 driver by creating unencrypted data bags. I have tried the solution posted here (which was for use with the vagrant driver), but without success. I am not sure whether Kitchen is trying to use an encrypted vault, or is not parsing the test data bag correctly.
EDIT: I should mention that I can use chef-vault successfully on a normal instance. The problem I am running into is using values from chef-vault when running tests with Kitchen on a node spun up by Kitchen (via the ec2 driver), which is not registered with the Chef server.
Tree in my chef directory:
+--- .kitchen
| +--- default-centos-7.yml
| +--- logs
| | +--- default-centos-7.log
| | +--- kitchen.log
+--- cookbooks
| +--- fcctrs
| | +--- .kitchen
| | | +--- default-centos-7.yml
| | | +--- logs
| | | | +--- default-centos-7.log
| | | | +--- kitchen.log
| | +--- .kitchen.yml
| | +--- Berksfile
| | +--- Berksfile.lock
| | +--- chefignore
| | +--- metadata.rb
| | +--- recipes
| | | +--- default.rb
| | | +--- users.rb
| | +--- resources
| | | +--- adminuser.rb
| | +--- spec
| | | +--- spec_helper.rb
| | | +--- unit
| | | | +--- recipes
| | | | | +--- default_spec.rb
| | +--- test
| | | +--- integration
| | | | +--- data_bags
| | | | | +--- SSH_KEYS
| | | | | | +--- user.json
| | | | | | +--- user.json
| | | +--- smoke
| | | | +--- default
| | | | | +--- default_test.rb
+--- data_bags
| +--- SSH_KEYS
| | +--- user.json
| | +--- user.json
+--- README.md
users.rb file:
chef_gem 'chef-vault' do
  compile_time true if respond_to?(:compile_time)
end
#
require 'chef-vault'
node.normal['chef-vault']['databag_fallback'] = true
adminuser "user" do
  action :create
  comment 'Some User'
  ssh_keys [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgg95tJuAz7Utgov1tT94w1uLL7256mJK5v4jQzpaQ4gVdKnVCMGwRV72msL4NVTLwda41L0xDbv3o/ya+1flT7F8OvbTk6SSx9llSdMn/FGTVmpTMP8513aV8q4OmcAeciB4gaB50IqR8HiGEymV63bx6/8QCWtXydbs1x4q5ym0Sa7AYpx+EpV1Aa0AZ1VxILYyvwf3aB49Nac0FAoKze4Ohnunfb+WIUFwlDWDdUimf/Vbv9D3oExZKGQvZUVfSvpMSuOZ6hT0iTyGjm3F3jKZWhyzPuGPMQmW5uT7SrvjyoDu0bynbhUUtsuSNyjQgDqwidNELM+qt5n4485it"
  ]
  private_key ChefVault::Item.load("SSH_KEYS","user")["private"]
end
user.json:
{"public":"someKey","private":"someKey"}
.kitchen.yml:
driver:
  #name: vagrant
  name: ec2
  aws_ssh_key_id: smasoudv2
  security_group_ids: [sg-4b609036,sg-2066965d]
  availability_zone: d
  subnet_id: subnet-cbf129e6
  require_chef_omnibus: true
  associate_public_ip: true
  instance_type: t2.micro
provisioner:
  name: chef_zero
  http_proxy: http://10.202.1.215:3128
  https_proxy: http://10.202.1.215:3128
  no_proxy: chef.server
  data_bags_path: "../../data_bags"
  always_update_cookbooks: true
  client_rb:
    client_key: /etc/chef/client.pem # added this as per referenced SO post
verifier:
  name: inspec
platforms:
  - name: centos-7
    driver:
      image_id: ami-46c1b650
    transport:
      ssh_key: ~/Documents/MobaXterm/home/smasoudv2.pem
      username: centos
suites:
  - name: default
    run_list:
      - recipe[fcctrs::default]
      - recipe[user_shadow]
    #verifier:
    #  inspec_tests:
    #    - test/smoke/default
    data_bags_path: '../../data_bags' # This is relative to the directory with .kitchen.yml
    attributes:
      chef-vault:
        databags_fallback: true # added this as per GitHub question within referenced SO post
Stack trace:
PS C:\Users\smasoud\tools\AWS\chef\cookbooks\fcctrs> kitchen converge
-----> Starting Kitchen (v1.19.2)
-----> Converging <default-centos-7>...
Preparing files for transfer
Preparing dna.json
Resolving cookbook dependencies with Berkshelf 6.3.1...
Removing non-cookbook files before transfer
Preparing data_bags
Preparing validation.pem
Preparing client.rb
-----> Chef Omnibus installation detected (install only if missing)
Transferring files to <default-centos-7>
Starting Chef Client, version 13.7.16
resolving cookbooks for run list: ["fcctrs::default", "user_shadow"]
Synchronizing Cookbooks:
- fcctrs (0.1.1)
- user_shadow (0.1.5)
Installing Cookbook Gems:
Compiling Cookbooks...
Recipe: fcctrs::mitreusers
* chef_gem[chef-vault] action install (up to date)
================================================================================
Recipe Compile Error in /tmp/kitchen/cache/cookbooks/fcctrs/recipes/default.rb
================================================================================
ChefVault::Exceptions::SecretDecryption
---------------------------------------
SSH_KEYS/user is not encrypted with your public key. Contact an administrator of the vault item to encrypt for you!
Cookbook Trace:
---------------
/tmp/kitchen/cache/cookbooks/fcctrs/recipes/users.rb:40:in `block in from_file'
/tmp/kitchen/cache/cookbooks/fcctrs/recipes/users.rb:33:in `from_file'
/tmp/kitchen/cache/cookbooks/fcctrs/recipes/default.rb:31:in `from_file'
Relevant File Content:
----------------------
/tmp/kitchen/cache/cookbooks/fcctrs/recipes/users.rb:
33: mitre_baseline_adminuser "user" do
34: action :create
35: comment 'Some User'
36: #uid 650
37: ssh_keys [
38: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgg95tJuAz7Utgov1tT94w1uLL7256mJK5v4jQzpaQ4gVdKnVCMGwRV72msL4NVTLwda41L0xDbv3o/ya+1flT7F8OvbTk6SSx9llSdMn/FGTVmpTMP8513aV8q4OmcAeciB4gaB50IqR8HiGEymV63bx6/8QCWtXydbs1x4q5ym0Sa7AYpx+EpV1Aa0AZ1VxILYyvwf3aB49Nac0FAoKze4Ohnunfb+WIUFwlDWDdUimf/Vbv9D3oExZKGQvZUVfSvpMSuOZ6hT0iTyGjm3F3jKZWhyzPuGPMQmW5uT7SrvjyoDu0bynbhUUtsuSNyjQgDqwidNELM+qt5n4485it"
39: ]
40>> private_key ChefVault::Item.load("SSH_KEYS","user")["private"]
41: end
42:
System Info:
------------
chef_version=13.7.16
platform=centos
platform_version=7.3.1611
ruby=ruby 2.4.3p205 (2017-12-14 revision 61247) [x86_64-linux]
program_name=chef-client worker: ppid=22289;start=19:59:41;
executable=/opt/chef/bin/chef-client
Running handlers:
[2018-02-20T19:59:43+00:00] ERROR: Running exception handlers
Running handlers complete
[2018-02-20T19:59:43+00:00] ERROR: Exception handlers complete
Chef Client failed. 0 resources updated in 01 seconds
[2018-02-20T19:59:43+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
[2018-02-20T19:59:43+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2018-02-20T19:59:43+00:00] ERROR: SSH_KEYS/user is not encrypted with your public key. Contact an administrator of the vault item to encrypt for you!
[2018-02-20T19:59:43+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: 1 actions failed.
>>>>>> Converge failed on instance <default-centos-7>. Please see .kitchen/logs/default-centos-7.log for more details
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration
Answer 0: (score: 0)
The data bag item user.json posted above does not look right. It is missing the id, i.e. the data bag item name. Based on your code, I believe it should be user. It should be in this format:
{
  "id": "user",
  "public": "someKey",
  "private": "someKey"
}
In your code I do not know where you use the public key from the data bag item, seeing the hardcoded value in the recipe. You must use the public key from the data bag item. That also seems to be the problem in the error.
Correction to the answer above:
You are using a custom resource adminuser to create the vault user. Based on how {{3}} works, only an existing admin can add new users to a vault. So I do not think you can add a new admin to a vault user from a recipe. You need to use the knife command. Given that admin1 already exists, you can use
knife vault update VAULTNAME VAULTITEM -A "admin1,admin2"
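As an added example (not code from the question or the answer), a small Ruby check that catches the two things discussed on this page before `kitchen converge` runs: a test data bag item missing its `"id"`, and whether chef-vault will treat the item as an encrypted vault (a sibling `<item>_keys` item exists) rather than falling back to a plain data bag. The `data_bags` layout and the `SSH_KEYS/user` names mirror the question; the sample JSON is constructed.

```ruby
require 'json'
require 'tmpdir'
require 'fileutils'

# Returns a list of problem strings for data_bags/<bag>/<item>.json:
#   - the file must parse as a JSON object
#   - it must carry an "id" equal to the file name (the answer's point)
#   - the keys the recipe reads ("public", "private" here) must be present
def check_data_bag_item(data_bags_dir, bag, item, required_keys = %w[public private])
  path = File.join(data_bags_dir, bag, "#{item}.json")
  return ["#{path}: file not found"] unless File.file?(path)
  begin
    data = JSON.parse(File.read(path))
  rescue JSON::ParserError => e
    return ["#{path}: invalid JSON (#{e.message})"]
  end
  return ["#{path}: top-level value is not an object"] unless data.is_a?(Hash)
  problems = []
  if data.key?('id')
    problems << "#{path}: \"id\" is #{data['id'].inspect}, expected #{item.inspect}" if data['id'] != item
  else
    problems << "#{path}: missing \"id\" (chef-zero needs \"id\": #{item.inspect})"
  end
  required_keys.each { |k| problems << "#{path}: missing key #{k.inspect}" unless data.key?(k) }
  problems
end

# chef-vault recognises a vault item by a sibling "<item>_keys" item in the
# same bag. If that file is present, ChefVault::Item.load will try to decrypt
# with the node's client key and the plain-data-bag fallback never applies.
def vault_item?(data_bags_dir, bag, item)
  File.file?(File.join(data_bags_dir, bag, "#{item}_keys.json"))
end

# Constructed sample mirroring the question: SSH_KEYS/user.json without "id".
def demo
  Dir.mktmpdir do |dir|
    FileUtils.mkdir_p(File.join(dir, 'SSH_KEYS'))
    File.write(File.join(dir, 'SSH_KEYS', 'user.json'),
               '{"public":"someKey","private":"someKey"}')
    [check_data_bag_item(dir, 'SSH_KEYS', 'user'), vault_item?(dir, 'SSH_KEYS', 'user')]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run it against the cookbook's `data_bags_path` from `.kitchen.yml`; an empty problem list plus `vault_item? == false` is the state in which the databag fallback can apply at all.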