chef / chef-server

Chef Infra Server is a hub for configuration data; storing cookbooks, node policies and metadata of managed nodes.
https://www.chef.io/chef/
Apache License 2.0

Habitat chef-server-ctl bug #1535

Open jsirex opened 6 years ago

jsirex commented 6 years ago

Chef server ctl uses secrets-bootstrap.rb which in turn calls

system "hab config apply chef-server-ctl.default #{version} {{pkg.svc_data_path}}/hab-secrets-modified.toml"

In plan.sh the service is running under the hab user. The Habitat supervisor runs under root, so I'm getting:

Aug 03 09:34:17 dokken hab[14447]: chef-server-ctl.default(O): Changed Secrets need to be applied.
Aug 03 09:34:17 dokken hab[14447]: chef-server-ctl.default(O): ✗✗✗
Aug 03 09:34:17 dokken hab[14447]: chef-server-ctl.default(O): ✗✗✗ [Err: 1] IoError while reading or writing ctl secret, /hab/sup/default/CTL_SECRET, Permission denied (os error 13)
Aug 03 09:34:17 dokken hab[14447]: chef-server-ctl.default(O): ✗✗✗

Probably we must run ctl as root when bootstrapping secrets.

jeremymv2 commented 6 years ago

This is somewhat related to https://github.com/habitat-sh/habitat/issues/5390.

Right now, the chef-server-ctl Habitat package and Habitat Supervisor >= 0.56.0 require some additional considerations, such as appropriate permissions on the CTL_SECRET.
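
A preflight check for the failure reported in this thread, added here as an example and not part of the issue or of the chef-server code: before `hab config apply` runs, it reports whether the invoking user can read the Supervisor's CTL_SECRET. The function name, the return codes and the rule that the file should stay closed to "other" users are assumptions of this example; the default path is the one from the log above.

```shell
#!/bin/sh
# Return codes (chosen for this example):
#   0  readable by the current user, no access for "other"
#   1  not found (or its parent directory is not searchable)
#   2  exists but the current user cannot read it (the "os error 13" case)
#   3  readable, but "other" has read or write access

check_ctl_secret() {
    # Default path taken from the log in the issue; pass another path to override.
    secret=${1:-/hab/sup/default/CTL_SECRET}

    if [ ! -e "$secret" ]; then
        echo "not found: $secret" >&2
        return 1
    fi

    if [ ! -r "$secret" ]; then
        # Same condition the hab CLI hits when run as the hab service user.
        echo "uid $(id -u) cannot read $secret:" >&2
        ls -ld "$secret" >&2
        return 2
    fi

    # find -perm -NNN matches when all of the listed bits are set, so this
    # flags a secret that was made readable by opening it to everyone.
    if [ -n "$(find "$secret" -prune \( -perm -004 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "readable, but open to other users:" >&2
        ls -ld "$secret" >&2
        return 3
    fi

    return 0
}
```

Run it as the same user the service runs under (hab in this issue); a result of 2 reproduces the condition in the log without calling `hab config apply`.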