pam_passwdqc package install idempotence #134

Closed
rjhornsby opened this Issue Dec 14, 2016 · 2 comments

rjhornsby commented Dec 14, 2016

In some situations, there's an idempotence issue with (at least) the pam_passwdqc package. If the package is already installed, the Chef run will fail and error out:

       Recipe Compile Error in /tmp/kitchen/cache/cookbooks/os-hardening/recipes/default.rb
       ================================================================================

       Chef::Exceptions::ValidationFailed
       ----------------------------------
       Property package_name must be one of: String, Array!  You passed {"epoch"=>"0", "version"=>"1.0.5", "release"=>"8.el6", "installdate"=>"1481734892", "arch"=>"x86_64"}.

       Cookbook Trace:
       ---------------
         /tmp/kitchen/cache/cookbooks/os-hardening/recipes/pam.rb:110:in `block in from_file'
         /tmp/kitchen/cache/cookbooks/os-hardening/recipes/pam.rb:109:in `from_file'
         /tmp/kitchen/cache/cookbooks/os-hardening/recipes/default.rb:26:in `from_file'

       Relevant File Content:
       ----------------------
       /tmp/kitchen/cache/cookbooks/os-hardening/recipes/pam.rb:

       103:      # remove pam_cracklib, because it does not play nice with passwdqc in versions less than 7
       104:      package 'pam-cracklib' do
       105:        package_name node['packages']['pam_cracklib']
       106:        action node['auth']['pam']['passwdqc']['enable'] ? :remove : :nothing
       107:      end
       108:
       109:      package 'pam-passwdqc' do
       110>>       package_name node['packages']['pam_passwdqc']
       111:        action node['auth']['pam']['passwdqc']['enable'] ? :install : :remove
       112:      end
       113:    else
       114:      # In RH-family distros > 7, 'pam_pwquality' obsoletes both pam_cracklib and pam_passwdqc
       115:      # See https://linux.web.cern.ch/linux/rhel/releasenotes/RELEASE-NOTES-7.0-x86_64/
       116:      package 'pam_pwquality' do
       117:        package_name node['packages']['pam_pwquality']
       118:      end
       119:    end

This problem can be reproduced by converging twice. It wouldn't be picked up by automated testing because the first run is fine. I discovered the issue because I'm trying to use the cookbook on images which already have the pam_passwdqc package installed.

However, the issue does not appear to be consistent across platforms listed in the test kitchen configuration. For example, centos-6.4 and centos-6.5 exhibit the problem behavior, but centos-7.1 does not.

It looks like the hash in the error that the package resource is trying to process (rather than the string or array it was expecting) might be coming from ohai.

artem-sidorenko Dec 14, 2016

Member

@rjhornsby thank you for the bug report!

Yes, ohai populates node['packages'] and we probably have a namespace clash in the currently released versions of this cookbook. This was already fixed in master (dev-sec/chef-os-hardening#116 and dev-sec/chef-os-hardening#114) and is planned for the 2.0 release (it will take some time).

I tested the current master on centos-6.8 and cannot reproduce it:

$ export KITCHEN_YAML=.kitchen.vagrant.yml
$ kitchen converge default-centos-68
...
$ kitchen converge default-centos-68
...
       Chef Client finished, 4/50 resources updated in 07 seconds
       Finished converging <default-centos-68> (0m17.44s).
-----> Kitchen is finished. (0m18.26s)

Can you reproduce the issue on master?

rjhornsby Dec 14, 2016

Thanks @artem-sidorenko. You're right - the namespace collision does appear to be fixed in master. I was using 1.4.1.

Apologies for not looking to see that master was ahead of the latest tagged release.

@rjhornsby rjhornsby closed this Dec 14, 2016
