无法以非 root 用户身份运行 Chef cron 配方答案

【问题标题】：Unable to run Chef cron recipe as non-root user无法以非 root 用户身份运行 Chef cron 配方
【发布时间】：2016-11-08 06:23:57
【问题描述】：

我正在建立一个新环境，其中 Chef 节点必须以非 root 用户身份运行 chef-client。（我创建了一个chef-user 并具有rwx 特权/etc/chef/，并且client.rb 指向每个another SO question 的正确客户端密钥。）以下是我的测试配方：

cron "clientrun2m" do
  minute '*/2'
  command "/bin/chef-client"
  action :create
  user "chef-user"
end

当我以chef-user 登录到目标节点时，我尝试（未成功）执行chef-client（不使用sudo）并获取以下信息。似乎错误与资源的融合有关，与用户权限或私钥无关。（我可以运行这本食谱，减去 user "chef-user" 行，并在另一个节点上使用 sudo 并没有问题。）知道为什么这个食谱不适用于我的非 root 用户吗？

Installing Cookbook Gems:
Compiling Cookbooks...
Converging 2 resources
Recipe: cron-delvalidate2m::2min_cu
  * cron[clientrun2m] action create[2016-11-07T11:53:22-05:00] INFO: Processing cron[clientrun2m] action create (cron-delvalidate2m::2min_cu line 7)


    ================================================================================
    Error executing action `create` on resource 'cron[clientrun2m]'
    ================================================================================

    Chef::Exceptions::Cron
    ----------------------
    Error updating state of clientrun2m, exit: 1

    Resource Declaration:
    ---------------------
    # In /home/chef-user/.chef/cache/cookbooks/cron-delvalidate2m/recipes/2min_cu.rb

      7: cron "clientrun2m" do
      8:   minute '*/2'
      9:   command "/bin/chef-client"
     10:   action :create
     11:   user "chef-user"
     12: end
     13:

    Compiled Resource:
    ------------------
    # Declared in /home/chef-user/.chef/cache/cookbooks/cron-delvalidate2m/recipes/2min_cu.rb:7:in `from_file'

    cron("clientrun2m") do
      action [:create]
      retries 0
      retry_delay 2
      default_guard_interpreter :default
      minute "*/2"
      hour "*"
      day "*"
      month "*"
      weekday "*"
      command "/bin/chef-client"
      user "chef-user"
      declared_type :cron
      cookbook_name "cron-delvalidate2m"
      recipe_name "2min_cu"
    end

    Platform:
    ---------
    x86_64-linux

[2016-11-07T11:53:22-05:00] INFO: Running queued delayed notifications before re-raising exception

Running handlers:
[2016-11-07T11:53:22-05:00] ERROR: Running exception handlers
Running handlers complete
[2016-11-07T11:53:22-05:00] ERROR: Exception handlers complete
Chef Client failed. 0 resources updated in 01 seconds
[2016-11-07T11:53:22-05:00] INFO: Sending resource update report (run-id: 92566ddb-e078-44b2-b862-be34da4a18b4)
[2016-11-07T11:53:22-05:00] INFO: Unable to access cache at /var/chef. Switching cache to /home/chef-user/.chef
[2016-11-07T11:53:22-05:00] INFO: Unable to access cache at /var/chef. Switching cache to /home/chef-user/.chef
[2016-11-07T11:53:22-05:00] FATAL: Stacktrace dumped to /home/chef-user/.chef/cache/chef-stacktrace.out
[2016-11-07T11:53:22-05:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-11-07T11:53:22-05:00] ERROR: cron[clientrun2m] (cron-delvalidate2m::2min_cu line 7) had an error: Chef::Exceptions::Cron: Error updating state of clientrun2m, exit: 1
[2016-11-07T11:53:22-05:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

还有上面倒数第三行提到的stacktrace.out文件。

[chef-user@ip-10-0-0-230 ~]$ cat /home/chef-user/.chef/cache/chef-stacktrace.out
Generated at 2016-11-07 11:53:22 -0500
Chef::Exceptions::Cron: cron[clientrun2m] (cron-delvalidate2m::2min_cu line 7) had an error: Chef::Exceptions::Cron: Error updating state of clientrun2m, exit: 1
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/provider/cron.rb:231:in `write_crontab'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/provider/cron.rb:157:in `block in action_create'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/mixin/why_run.rb:52:in `add_action'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/provider.rb:176:in `converge_by'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/provider/cron.rb:156:in `action_create'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/provider.rb:145:in `run_action'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/resource.rb:603:in `run_action'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/runner.rb:69:in `run_action'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/runner.rb:97:in `block (2 levels) in converge'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/runner.rb:97:in `each'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/runner.rb:97:in `block in converge'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/resource_collection/resource_list.rb:94:in `block in execute_each_resource'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/resource_collection/stepable_iterator.rb:114:in `call_iterator_block'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/resource_collection/stepable_iterator.rb:85:in `step'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/resource_collection/stepable_iterator.rb:103:in `iterate'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/resource_collection/stepable_iterator.rb:55:in `each_with_index'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/resource_collection/resource_list.rb:92:in `execute_each_resource'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/runner.rb:96:in `converge'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:669:in `block in converge'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:664:in `catch'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:664:in `converge'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:703:in `converge_and_save'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:283:in `run'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:302:in `block in fork_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:290:in `fork'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:290:in `fork_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:255:in `block in run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/local_mode.rb:44:in `with_server_connectivity'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:243:in `run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:464:in `sleep_then_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:451:in `block in interval_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:450:in `loop'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:450:in `interval_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:434:in `run_application'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:60:in `run'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/bin/chef-client:26:in `<top (required)>'
/bin/chef-client:54:in `load'
/bin/chef-client:54:in `<main>'

>>>> Caused by Chef::Exceptions::Cron: Error updating state of clientrun2m, exit: 1
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/provider/cron.rb:231:in `write_crontab'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/provider/cron.rb:157:in `block in action_create'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/mixin/why_run.rb:52:in `add_action'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/provider.rb:176:in `converge_by'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/provider/cron.rb:156:in `action_create'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/provider.rb:145:in `run_action'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/resource.rb:603:in `run_action'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/runner.rb:69:in `run_action'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/runner.rb:97:in `block (2 levels) in converge'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/runner.rb:97:in `each'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/runner.rb:97:in `block in converge'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/resource_collection/resource_list.rb:94:in `block in execute_each_resource'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/resource_collection/stepable_iterator.rb:114:in `call_iterator_block'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/resource_collection/stepable_iterator.rb:85:in `step'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/resource_collection/stepable_iterator.rb:103:in `iterate'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/resource_collection/stepable_iterator.rb:55:in `each_with_index'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/resource_collection/resource_list.rb:92:in `execute_each_resource'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/runner.rb:96:in `converge'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:669:in `block in converge'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:664:in `catch'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:664:in `converge'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:703:in `converge_and_save'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/client.rb:283:in `run'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:302:in `block in fork_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:290:in `fork'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:290:in `fork_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:255:in `block in run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/local_mode.rb:44:in `with_server_connectivity'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:243:in `run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:464:in `sleep_then_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:451:in `block in interval_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:450:in `loop'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:450:in `interval_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application/client.rb:434:in `run_application'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/lib/chef/application.rb:60:in `run'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-12.15.19/bin/chef-client:26:in `<top (required)>'
/bin/chef-client:54:in `load'

【问题讨论】：

如日志中所述（两条 FATAL 级别行），stacktrace 将非常有助于找到故障的根本原因。替换 crontab 时似乎是一个错误（或在错误的位置写入，假设为 root），但帮助我们通过提供它来帮助您，而不必重现它。
相关代码应该在 [这里](read_crontab) 尝试命令 crontab -l -u chef-user as chef-user 看看它是否会报错。
@Tensibai，很抱歉我在第一次阅读输出时错过了那个堆栈跟踪文件。现在附上。当我运行您的 crontab 时，我得到“必须有权使用 -u”，看起来这是 Chef 的 cron 提供程序 [1] 的 [突出问题或争论点][1]：github.com/chef/chef/issues/2491
抱歉，如果您觉得有必要道歉，我应该很粗鲁，您确实遇到了“错误”。是的，您确实找到了根本原因，因为它使用 -u 来设置 crontab，它应该是 root （Chef 主要是根据这个假设编写的），但我认为 cron 资源可以针对这种情况进行修复。我明天看看我能做什么。您能否提供有关您的节点的更多详细信息（分发、selinux 激活或 nor，或任何其他强化）？
@Tensibai，不用担心。这是我的信息：chef-client:v12.15.19；厨师服务器核心：v12.9.1.el7x86； RHEL：7.2（所有盒子）； selinux-policy(epoch: 0;version: 3.13.1) 我从服务器上的 Node 属性中找到，不确定这是否是您要查找的内容。否则，如果需要更多信息，请告诉我。

标签： chef-infra chef-recipe

【解决方案1】：

我确实找到了this open issue。当指定非 root 用户时，Chef 的 cron 提供程序无法与节点的 crontab 命令正确交互。修复程序可能在积压中。

为了我自己的使用，我需要让我的节点以非 root 用户运行。我能够破解一些自定义配方来复制我需要的功能。

Recipe1：将 chef-client 添加到 crontab

# Removes any crontab job of 'chef-client' before inserting the new 'chef-client' crontab job (for every 2 mins)
execute "clientrun2m" do
  command "crontab -l | grep -v chef-client | crontab - && (crontab -l; echo \"*/2 * * * * /bin/chef-client\") | crontab -"
  action :run
end

# Delete the validation.pem for security reasons
file "/etc/chef/validation.pem" do
  action :delete
end

从 crontab 中删除 chef-client

# Removes any crontab job of 'chef-client'
execute "clientrun2m" do
  command "crontab -l | grep -v chef-client | crontab -"
  action :run
end

# Delete the validation.pem for security reasons
file "/etc/chef/validation.pem" do
  action :delete
end

【讨论】：

这个答案作为一种解决方法是正确的，但只是为了说明它：除非有人为我们更新补丁，否则这不太可能得到修复。一般来说，我们只真正地支持（因为投入大量资源来改进）以非 root 用户身份运行以进行工作站管理，而 cron 在该用例中并没有出现太多。抱歉给您带来了困难，我建议您考虑一下是否可以改为以 root 身份运行 Chef。
@coderanger，很抱歉吹毛求疵，但为了清楚起见：“...通常 [Chef?] 仅真正支持以 [root?] 身份运行以进行工作站管理...”？否则你能否澄清你的第二句话，也许是特定于 cron 的？谢谢。
是的，我们 == Chef 维护者。主要的非 root 用户用例用于 Mac 和 Windows 工作站管理，为此我们既能确保工作顺利进行，又有足够的用户在出现问题时告诉我们。作为非 root 用户在 Chef 中做 unix-y server-y 的东西只是一个非常小众的领域，因此没有经过很好的测试，也没有太多的开发时间。