Unable to stub chef-vault: Test Kitchen with unencrypted data bags

Stack Overflow user
Asked on 2018-02-20 21:35:35
Answers: 1, Views: 702, Follows: 0, Votes: 1

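Chef Development Kit version: 2.4.17

chef-client version: 13.6.4

delivery version: master (73 Ebb72a6c42b3d2ff5370c476be800f7e5427)

berks version: 6.3.1

kitchen version: 1.19.2

inspec version: 1.45.13

I am trying to test my chef-vault implementation by creating unencrypted data bags, using the kitchen-ec2 driver. I tried the solution posted here (which uses the Vagrant driver), but without success. I am not sure whether Kitchen is trying to use an encrypted vault or is not parsing the test data bags correctly.

Edit: I should mention that I can use chef-vault successfully under normal circumstances. The problem I am having is using values from chef-vault when running tests with Kitchen on a node (via the EC2 driver) that is not registered with the Chef server.

My Chef directory tree: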

+--- .kitchen
|   +--- default-centos-7.yml
|   +--- logs
|   |   +--- default-centos-7.log
|   |   +--- kitchen.log
+--- cookbooks
|   +--- fcctrs
|   |   +--- .kitchen
|   |   |   +--- default-centos-7.yml
|   |   |   +--- logs
|   |   |   |   +--- default-centos-7.log
|   |   |   |   +--- kitchen.log
|   |   +--- .kitchen.yml
|   |   +--- Berksfile
|   |   +--- Berksfile.lock
|   |   +--- chefignore
|   |   +--- metadata.rb
|   |   +--- recipes
|   |   |   +--- default.rb
|   |   |   +--- users.rb
|   |   +--- resources
|   |   |   +--- adminuser.rb
|   |   +--- spec
|   |   |   +--- spec_helper.rb
|   |   |   +--- unit
|   |   |   |   +--- recipes
|   |   |   |   |   +--- default_spec.rb
|   |   +--- test
|   |   |   +--- integration
|   |   |   |   +--- data_bags
|   |   |   |   |   +--- SSH_KEYS
|   |   |   |   |   |   +--- user.json
|   |   |   |   |   |   +--- user.json
|   |   |   +--- smoke
|   |   |   |   +--- default
|   |   |   |   |   +--- default_test.rb
+--- data_bags
|   +--- SSH_KEYS
|   |   +--- user.json
|   |   +--- user.json
+--- README.md

users.rb file:

chef_gem 'chef-vault' do
  compile_time true if respond_to?(:compile_time)
end
#
require 'chef-vault'

node.normal['chef-vault']['databag_fallback'] = true

adminuser "user" do
    action :create
    comment 'Some User'
    ssh_keys [ 
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgg95tJuAz7Utgov1tT94w1uLL7256mJK5v4jQzpaQ4gVdKnVCMGwRV72msL4NVTLwda41L0xDbv3o/ya+1flT7F8OvbTk6SSx9llSdMn/FGTVmpTMP8513aV8q4OmcAeciB4gaB50IqR8HiGEymV63bx6/8QCWtXydbs1x4q5ym0Sa7AYpx+EpV1Aa0AZ1VxILYyvwf3aB49Nac0FAoKze4Ohnunfb+WIUFwlDWDdUimf/Vbv9D3oExZKGQvZUVfSvpMSuOZ6hT0iTyGjm3F3jKZWhyzPuGPMQmW5uT7SrvjyoDu0bynbhUUtsuSNyjQgDqwidNELM+qt5n4485it"
    ]
    private_key ChefVault::Item.load("SSH_KEYS","user")["private"]
end

user.json:

{"public":"someKey","private":"someKey"}

.kitchen.yml:

driver:
        #name: vagrant
  name: ec2
  aws_ssh_key_id: smasoudv2
  security_group_ids: [sg-4b609036,sg-2066965d]
  availability_zone: d
  subnet_id: subnet-cbf129e6
  require_chef_omnibus: true
  associate_public_ip: true
  instance_type: t2.micro

provisioner:
  name: chef_zero
  http_proxy: http://10.202.1.215:3128
  https_proxy: http://10.202.1.215:3128
  no_proxy: chef.server
  data_bags_path: "../../data_bags"
  always_update_cookbooks: true
  client_rb:
    client_key: /etc/chef/client.pem # added this as per referenced SO post

verifier:
  name: inspec

platforms:
  - name: centos-7
    driver:
      image_id: ami-46c1b650
transport:
  ssh_key: ~/Documents/MobaXterm/home/smasoudv2.pem
  username: centos

suites:
  - name: default
    run_list:
      - recipe[fcctrs::default]
      - recipe[user_shadow]
              #verifier:
                #inspec_tests:
                  #- test/smoke/default
    data_bags_path: '../../data_bags' # This is relative to the directory with .kitchen.yml
    attributes:
      chef-vault:
        databags_fallback: true # added this as per GitHub question within referenced SO post

Stack trace:

PS C:\Users\smasoud\tools\AWS\chef\cookbooks\fcctrs> kitchen converge
-----> Starting Kitchen (v1.19.2)
-----> Converging <default-centos-7>...
       Preparing files for transfer
       Preparing dna.json
       Resolving cookbook dependencies with Berkshelf 6.3.1...
       Removing non-cookbook files before transfer
       Preparing data_bags
       Preparing validation.pem
       Preparing client.rb
-----> Chef Omnibus installation detected (install only if missing)
       Transferring files to <default-centos-7>
       Starting Chef Client, version 13.7.16
       resolving cookbooks for run list: ["fcctrs::default", "user_shadow"]
       Synchronizing Cookbooks:
         - fcctrs (0.1.1)
         - user_shadow (0.1.5)
       Installing Cookbook Gems:
       Compiling Cookbooks...
       Recipe: fcctrs::mitreusers
         * chef_gem[chef-vault] action install (up to date)

         ================================================================================
         Recipe Compile Error in /tmp/kitchen/cache/cookbooks/fcctrs/recipes/default.rb
         ================================================================================

         ChefVault::Exceptions::SecretDecryption
         ---------------------------------------
         SSH_KEYS/user is not encrypted with your public key.  Contact an administrator of the vault item to encrypt for you!

         Cookbook Trace:
         ---------------
           /tmp/kitchen/cache/cookbooks/fcctrs/recipes/users.rb:40:in `block in from_file'
           /tmp/kitchen/cache/cookbooks/fcctrs/recipes/users.rb:33:in `from_file'
           /tmp/kitchen/cache/cookbooks/fcctrs/recipes/default.rb:31:in `from_file'

         Relevant File Content:
         ----------------------
         /tmp/kitchen/cache/cookbooks/fcctrs/recipes/users.rb:

          33:  mitre_baseline_adminuser "user" do
          34:      action :create
          35:      comment 'Some User'
          36:      #uid 650
          37:      ssh_keys [
          38:          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgg95tJuAz7Utgov1tT94w1uLL7256mJK5v4jQzpaQ4gVdKnVCMGwRV72msL4NVTLwda41L0xDbv3o/ya+1flT7F8OvbTk6SSx9llSdMn/FGTVmpTMP8513aV8q4OmcAeciB4gaB50IqR8HiGEymV63bx6/8QCWtXydbs1x4q5ym0Sa7AYpx+EpV1Aa0AZ1VxILYyvwf3aB49Nac0FAoKze4Ohnunfb+WIUFwlDWDdUimf/Vbv9D3oExZKGQvZUVfSvpMSuOZ6hT0iTyGjm3F3jKZWhyzPuGPMQmW5uT7SrvjyoDu0bynbhUUtsuSNyjQgDqwidNELM+qt5n4485it"
          39:      ]
          40>>     private_key ChefVault::Item.load("SSH_KEYS","user")["private"]
          41:  end
          42:

         System Info:
         ------------
         chef_version=13.7.16
         platform=centos
         platform_version=7.3.1611
         ruby=ruby 2.4.3p205 (2017-12-14 revision 61247) [x86_64-linux]
         program_name=chef-client worker: ppid=22289;start=19:59:41;
         executable=/opt/chef/bin/chef-client


         Running handlers:
       [2018-02-20T19:59:43+00:00] ERROR: Running exception handlers
         Running handlers complete
       [2018-02-20T19:59:43+00:00] ERROR: Exception handlers complete
         Chef Client failed. 0 resources updated in 01 seconds
       [2018-02-20T19:59:43+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
       [2018-02-20T19:59:43+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
       [2018-02-20T19:59:43+00:00] ERROR: SSH_KEYS/user is not encrypted with your public key.  Contact an administrator of the vault item to encrypt for you!
       [2018-02-20T19:59:43+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: 1 actions failed.
>>>>>>     Converge failed on instance <default-centos-7>.  Please see .kitchen/logs/default-centos-7.log for more details
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration
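
1 Answer

Stack Overflow user

Posted on 2018-03-13 17:29:04

The data bag item user.json posted above appears to be incorrect. It is missing the id, which is the name of the data bag item. I believe that, based on your code, it should be user. It should be in this format:

{"id": "user", "public":"someKey", "private":"someKey" }

In your code, I do not see where you use the public key defined in the data bag item; I see a hard-coded value in the recipe. For this, you have to use the public key from the data bag item. This also appears to be what causes the error.

Correction to the above answer:

You are using the adminuser custom resource to create a vault user. Given how vault works, only existing admins can add new users to a vault. Therefore, I do not think you will be able to add a new admin to the vault from a recipe. You need to use the knife command. Given that admin1 already exists, you can use

knife vault update VAULTNAME VAULTITEM -A "admin1,admin2"

Votes: 0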
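
A fixture check for the point made in the answer, added here as an example that is not part of the original post or of chef-vault: it verifies that a test data bag item carries an id matching its file name, and reports whether the file is a plain, encrypted, or vault item (a vault item being an encrypted item with a sibling `<id>_keys` item). The helper names are hypothetical and the sample files are constructed from the user.json snippets on this page.

```ruby
require 'json'
require 'tmpdir'
require 'fileutils'

# Hypothetical helper: classify one data bag item file and list problems
# that would break a Test Kitchen run. Returns { type:, problems: }.
def check_data_bag_item(path)
  problems = []
  item = JSON.parse(File.read(path))
  expected_id = File.basename(path, '.json')

  # The point made in the answer: every item needs an "id" naming the item.
  if !item.key?('id')
    problems << 'missing "id"'
  elsif item['id'] != expected_id
    problems << %(id "#{item['id']}" does not match file name "#{expected_id}")
  end

  # Encrypted values are hashes carrying an "encrypted_data" field; a vault
  # item additionally has a sibling "<id>_keys" item holding the wrapped keys.
  encrypted = item.any? { |_, v| v.is_a?(Hash) && v.key?('encrypted_data') }
  has_keys  = File.exist?(File.join(File.dirname(path), "#{expected_id}_keys.json"))
  type = if encrypted && has_keys then :vault
         elsif encrypted then :encrypted
         else :normal
         end
  { type: type, problems: problems }
rescue JSON::ParserError => e
  { type: :invalid, problems: ["invalid JSON: #{e.message}"] }
end

# Constructed fixtures: the question's user.json, then the answer's corrected form.
def demo
  Dir.mktmpdir do |root|
    bag = File.join(root, 'data_bags', 'SSH_KEYS')
    FileUtils.mkdir_p(bag)
    file = File.join(bag, 'user.json')
    File.write(file, '{"public":"someKey","private":"someKey"}')
    before = check_data_bag_item(file)
    File.write(file, '{"id": "user", "public":"someKey", "private":"someKey" }')
    after = check_data_bag_item(file)
    [before, after]
  end
end

before, after = demo
puts "question's item: #{before}"
puts "answer's item:   #{after}"
```

Both fixtures classify as plain (`:normal`) items, so loading them on the test node depends on the unencrypted data bag fallback rather than on vault decryption.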
The original content of this page is provided by Stack Overflow.
Original link: https://stackoverflow.com/questions/48894615