add the ability to install inspec as package when specified #165
action :upgrade | ||
end | ||
|
||
load_inspec_libs |
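Review bot: `load_inspec_libs` is called at recipe top level directly after the resource's `end`, so it runs during the compile phase, while a resource with `action :upgrade` is only converged later unless it is forced to run at compile time. On a first run the libraries may not be on disk yet when the load is attempted; either run the install at compile time or defer the load until the resource has converged.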
Have you tested this with the package? The package seems to have `/opt/inspec/embedded/lib` as its base path. I don't think that's in Chef-client's $LOAD_PATH.
That appears to be the case:

```
root@node:/tmp# /opt/chef/embedded/bin/irb
irb(main):001:0> require 'inspec'
=> true
irb(main):002:0>
root@node:/tmp# /opt/chef/embedded/bin/gem which inspec
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib/inspec.rb
root@node:/tmp# /opt/chef/embedded/bin/gem uninstall inspec
Remove executables:
inspec
in addition to the gem? [Yn] y
Removing inspec
Successfully uninstalled inspec-1.4.1
root@node:/tmp# /opt/chef/embedded/bin/irb
irb(main):001:0> require 'inspec'
LoadError: cannot load such file -- inspec
from /opt/chef/embedded/lib/ruby/site_ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /opt/chef/embedded/lib/ruby/site_ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from (irb):1
from /opt/chef/embedded/bin/irb:11:in `<main>'
irb(main):002:0> libpath = '/opt/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib'
=> "/opt/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib"
irb(main):003:0> $LOAD_PATH.unshift(libpath) unless $LOAD_PATH.include?(libpath)
=> ["/opt/inspec/embedded/lib/ruby/gems/2.3.0/gems/inspec-1.4.1/lib", "/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib", "/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/rb-readline-0.5.3/lib", "/opt/chef/embedded/lib/ruby/site_ruby/2.3.0", "/opt/chef/embedded/lib/ruby/site_ruby/2.3.0/x86_64-linux", "/opt/chef/embedded/lib/ruby/site_ruby", "/opt/chef/embedded/lib/ruby/vendor_ruby/2.3.0", "/opt/chef/embedded/lib/ruby/vendor_ruby/2.3.0/x86_64-linux", "/opt/chef/embedded/lib/ruby/vendor_ruby", "/opt/chef/embedded/lib/ruby/2.3.0", "/opt/chef/embedded/lib/ruby/2.3.0/x86_64-linux"]
irb(main):004:0> require 'inspec'
=> true
irb(main):005:0>
```
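The `$LOAD_PATH.unshift` step from the irb session above, written out as an added example (not code from the audit cookbook or from anyone in this thread). The helper names are hypothetical and the directory layout is assumed from the paths shown in the session. Because that session runs as root, the helper also refuses a library directory that is writable by group or others, owned by an unexpected uid, or that resolves outside the package prefix.

```ruby
# Added example: hypothetical helpers, not audit cookbook code.
# Assumed layout: <prefix>/lib/ruby/gems/<abi>/gems/inspec-<ver>/lib

# Version string taken from the gem directory name (inspec-1.4.1 -> 1.4.1).
def gem_version(lib_dir)
  File.basename(File.dirname(lib_dir)).sub(/\Ainspec-/, '')
end

# Newest packaged inspec lib dir under the prefix, or nil if none exists.
# Versions are compared as versions, so 1.10.0 sorts above 1.4.1.
def find_inspec_lib(prefix)
  pattern = File.join(prefix, 'lib/ruby/gems/*/gems/inspec-[0-9]*/lib')
  Dir.glob(pattern)
     .select { |d| File.directory?(d) && Gem::Version.correct?(gem_version(d)) }
     .max_by { |d| Gem::Version.new(gem_version(d)) }
end

# True only if path stays inside stop after symlink resolution and every
# directory from path up to stop is owned by an allowed uid and is not
# group- or world-writable.
def trusted_path?(path, stop, owner_uids)
  dir = File.realpath(path)
  stop = File.realpath(stop)
  return false unless dir == stop || dir.start_with?(stop + File::SEPARATOR)

  loop do
    st = File.stat(dir)
    return false unless owner_uids.include?(st.uid)
    return false unless (st.mode & 0o022).zero?
    break if dir == stop

    dir = File.dirname(dir)
  end
  true
end

# Prepend the packaged inspec lib dir to load_path exactly once.
def add_inspec_to_load_path(prefix, load_path = $LOAD_PATH, owner_uids = [0])
  lib = find_inspec_lib(prefix)
  raise LoadError, "no inspec gem found under #{prefix}" unless lib
  unless trusted_path?(lib, prefix, owner_uids)
    raise SecurityError, "refusing untrusted load path #{lib}"
  end

  load_path.unshift(lib) unless load_path.include?(lib)
  lib
end
```

On a node this would be called as `add_inspec_to_load_path('/opt/inspec/embedded')` before `require 'inspec'`.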
oh shoot i think i had some leftover gem cruft in there when i tested. right, ok, so we would need to set the load path like you did there. sounds like there are some other issues too (looking in compliance-support) in that chef-ingredient uses mixlib install gem. so we could go the remote file and execute route. and then there's the problem of having gem and package installed....we could do a check to get around that i suppose
I see the value in installing via package. I am pretty sure though that enterprises are not going to pull the package down from our own repos but will want to host it internally on theirs. Specifying the package source would need to be a capability in my opinion, as we are for the gem.
oh, yup -- definitely @jeremymv2 good idea, thank you!
ok so things to do here are:
does that sound right @stephenlauck @jeremymv2 ??
Here's a time proven example of chef_ingredient installing supermarket rpm including potentially from custom repo: https://github.com/chef-cookbooks/supermarket-omnibus-cookbook/blob/master/resources/supermarket_server.rb The
Would it be possible for the Inspec package install to configure itself and be ready to be loaded so the recipe only does a package install and Inspec is ready to go?
from discussion: it might be preferable to vendor the gem in the cookbook. 4+ big customers would benefit from a vendored setup
I would like to keep this in mind: #112
Vendoring a gem and its dependencies in a cookbook is not really a pattern that is commonly used. If hosting the gem internally is not an option, then this could be an alternative strategy you might consider: You can bundle up the gems you need into a tarball, host that as an artifact internally, then download and extract via recipe in your wrapper cookbook:
@@ -17,7 +17,7 @@ | |||
# See the License for the specific language governing permissions and | |||
# limitations under the License. | |||
|
|||
if node['audit']['inspec_package_source'] | |||
if node['audit']['inspec_package']['source'] | |||
include_recipe 'audit::inspec_package' |
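Review bot: the new condition `node['audit']['inspec_package']['source']` indexes into `node['audit']['inspec_package']`, which raises NoMethodError on nil when that attribute hash is not defined, whereas the old flat key `inspec_package_source` simply returned nil. Make sure the cookbook's default attributes define `inspec_package` as a hash with `source` unset, or guard the lookup before indexing.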
Curious if there is a reason to break out inspec installation into two separate recipes? Would it be tighter to just `include_recipe 'audit::inspec'` here and let the `inspec` recipe have the conditional logic to decide whether to install from package or from gem within an if statement?
oh, ya, that makes sense @jeremymv2 i like that.
@@ -72,33 +72,26 @@ | |||
context 'When a package install is specified' do | |||
let(:chef_run) do | |||
ChefSpec::ServerRunner.new do |node| | |||
node.override['audit']['inspec_package'] = true | |||
node.override['audit']['inspec_package']['source'] = 'http://path/to/fake.rpm' |
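Review bot: in the 'When a package install is specified' context, `ChefSpec::ServerRunner.new` is given no platform and the only source exercised is an `.rpm` URL, so the spec says nothing about Debian-family nodes. Add a context that sets an Ubuntu platform with a `.deb` source and asserts on the resource that gets created. Also confirm that `node.override['audit']['inspec_package'] = true` is gone from the final file, since assigning `['source']` on a boolean would fail.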
I think the inspec package installation tests should be moved into an `inspec_spec.rb` file under `spec/unit/recipes` since the best practice is for the unit test file name to be `<recipe_name>_spec.rb`.
👍
pushed a commit to address your comments @jeremymv2 ; thank you for reviewing. Also went ahead and added info to readme.
This doesn't work on Ubuntu since the default package provider selected is
huh....shouldn't the chef package resource be doing that for us?
The package resource is making a decision, since each platform could potentially have any number of valid package providers, it needs to make an assumption and select the "best" one to make default when the recipe isn't specific. It's choosing the wrong one in this case, when
k...so doing something along these lines is working for me:
....it's not awesome...and this is all feeling more and more hacky by the moment...but not sure what we could do that would be better..
Cool. Need to handle when !ubuntu && !centos
k...so how much is a reasonable scope? we can make the default one package, as is, which covers centos...then dpkg package for ubuntu, bff package for aix, freebsd package for freebsd, solaris package for solaris, windows package for windows....so we end up with something like:
:/ anything from that list that 'isn't really worth it' or anything that should be added?
Browsing the chef-client code base under
oh good, that's much nicer!
Great @vjeffrey Awesome improvement to the cookbook! 👍
Signed-off-by: Victoria Jeffrey <vjeffrey@chef.io>
Load inspec lib from package
Signed-off-by: Victoria Jeffrey <vjeffrey@chef.io>
InSpec gem is part of Chef 13, therefore we do not need to work on alternatives anymore.
Thank you @vjeffrey and @jeremymv2 for raising the issue. This helped us to bring inspec into chef-client!
Description
@stephenlauck came up with a nice recipe to do this (https://github.com/stephenlauck/audit/blob/lauck/inspec_package/recipes/inspec_package.rb), just filling in the details to get it working with attributes, etc
Adds the ability to install inspec as package when specified. @stephenlauck does this fit what you were thinking??
Issues Resolved
fixes: #164
Check List