# bolt
v
Tried, works fine
And it works fine internally, I have a lot of code which switches user before running in my manifests and providers. No problem when running like puppet apply
y
Interesting..
v
Something only related to running with Bolt, but what..
bolt command run 'pwd' --targets all --run-as admin
CLI arguments ["run-as"] might be overridden by Inventory: /Users/..../inventory.yaml [ID: cli_overrides]
Started on .....
Finished on ....:
  shell-init: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
  chdir: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
  /Users/admin
Successful on 1 target: .....
Ran on 1 target in 1.47 sec
y
magic..
there is a Russian-speaking community in Telegram FYI.. can share the link if you’d like
v
Anyway, do you know how I can get the debug logs which the apply command produces in Bolt?
y
not sure about provider’s logs.. best I saw so far is bolt-debug.log in the project dir (but there are no provider logs)
v
Yes, just Bolt logs itself
y
I’d try to run
ssh root@host sudo -u admin -c "puppet apply"
just to be sure it’ll behave in the same way
m
Is there a .ssh/config file which might have some settings that are not used by bolt's ruby ssh?
v
I’m performing bolt apply as a root user, therefore that should be okay. But providers and manifests do some installs as other user.
Is there a .ssh/config file which might have some settings that are not used by bolt’s ruby ssh?
Empty on target machine, and almost nothing on mine:
cat ~/.ssh/config

Host 10.....
  HostName 10.....
  User root

# Fig ssh integration. Keep at the bottom of this file.
Match all
  Include ~/.fig/ssh
m
I wonder if it makes a difference to use the native-ssh when running Bolt instead (am just fishing here…). Also the docs around how Bolt elevates privs is worth looking into
y
yeah, native-ssh is worth trying and comparing
v
You mean to run bolt on target machine through ssh?
Interesting one:
bolt command run '/opt/puppetlabs/bin/puppet apply /etc/puppetlabs/code/environments/production/manifests/site.pp' --targets all
Produces my error:
Error: Could not find package: git-lfs
  Error: /Stage[main]/Main/Package[git-lfs]/ensure: change from 'absent' to 'present' failed: Could not find package: git-lfs
But running directly through ssh it’s working ok
m
Yes, I would try that
v
bolt command run 'pwd' --targets all --run-as admin
CLI arguments ["run-as"] might be overridden by Inventory: /Users/vladyslt/inventory.yaml [ID: cli_overrides]
Started on 10
Finished on 10
  /Users/admin
  shell-init: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
  chdir: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
Order of /Users/admin and errors changed 😅
Anyway those errors are not contributing to exit code, and I think cause no real problems.
m
Question: Is the user root allowed to log in to your macOS machine?
v
I’m logged in like ssh 'root@00.000.000.00' without any issue, if I understood the question correctly
m
oh wait so this actually succeeded … huh I guess this is something else then
v
Yes
m
Yes, you're correct. I was just confused for a second there.
v
That succeeds without any problem, but logs these ‘errors’
But that was part of my research into why one of my providers works differently on Bolt
Interesting
Looks like this is a problem when provider tries to exec from other user
m
Isn't bolt executing all this from a tmp dir? Maybe this is some macOS security thing? I haven't tested Bolt against macOS so I can't play around with this 😕
v
Do we have some examples of how bolt executes things? I thought it’s the same as using a native shell login…
I have no issues with ssh 'root@00.000.000.00'
y
all this sounds similar to my ex-job 😄 though they do not use Bolt after I left I believe
ah, btw.. tmp is private on MacOS
so root’s tmp and admin’s tmp are different tmp dirs
IIRC there was an option to change tmpdir when using ssh transport.. cannot remember though..
v
But what is tmpdir used for? Why do we need it?
m
It's where bolt is executing things from
v
Not from home directory?
m
Nope – well at least as far as I know but let me check real quick
y
Bolt uploads stuff to the tmpdir and then does the apply from there
that’s why you can see the getcwd issues I guess
try to change the tmpdir option to be somewhere in non-/private dir
v
same errors
Anyway it executes from one directory, but connection is started from the root, when I do run-as it changes temp dir?
y
I don’t think it changes tmpdir but the user, it switched to, cannot see the tmpdir I guess
v
Ah, yes. Anyway changing to some other dir which is available to admin is not working(
y
is it possible to ssh as admin?
v
Ye, any problems
y
I mean to go as admin w/o ssh-ing as root first (so no run-as needed)
though I guess your manifests are using different user anyway, right?
there are Exec’s with user it seems
v
It uses uid of admin user
But this script is running from root, and then using exec method of provider to execute from admin. Works with no problem with puppet apply from root user
y
yeah.. I mean you should do apply() as root to be able to switch user in an Exec resource
v
Yes, I’m running bolt apply from the root user
Even this one:
bolt command run '/opt/puppetlabs/bin/puppet apply /etc/puppetlabs/code/environments/production/manifests/site.pp --verbose --debug' --user root --targets all
Fails with the same error
y
btw, you should be able to get full log output with the command above.. so where does it fail?
v
/opt/homebrew/bin/brew info git-lfs is failing due to something
But of course /opt/homebrew/bin/brew info git-lfs runs like a charm from admin ssh)))
y
try to run it under su - admin -c "..." maybe?
v
And this command is also wrong, because //opt/homebrew/bin/brew list --versions git-lfs is returning right output
y
I mean the brew command
brew needs some shell setup IIRC
maybe you should add some ENV vars to the Exec
v
That command is run from admin, that is a community package
y
eval "$(homebrew/bin/brew shellenv)" <- something from here
at least I’d try to set the HOMEBREW_PREFIX
su/sudo doesn’t start a login shell so environment might be uninitialised
v
bolt command run "sudo su - admin -c \"/opt/homebrew/bin/brew list --versions git-lfs\"" --targets all
Started on 1...
Finished on 1:
  git-lfs 3.3.0
Successful on 1 target: 1
Ran on 1 target in 3.25 sec
y
Executing `sudo -S -H -u root -p \[sudo\]\ Bolt\ needs\ to\ run\ as\ another\ user,\ password:\  sh -c cd\;\ id`
this is how bolt executes a command with --run-as FYI
found this with --log-level=trace
v
If I do combine = true I’m getting this “error” string
And no result
y
well.. maybe I should find a way to create a MacOS VM to test it
c
@Vladyslav Androshchuk: If you're running from within Terminal.app, could you temporarily try giving full disk access to see if it helps?
v
It’s not connected, access on the target machine is not connected with my current one
It looks like I fixed it by adding the setting cwd as home. It’s definitely some access issues to the working directory. But how to find out which repository was used before and why it isn’t available when running through bolt.
Yep, it’s not changing the working directory, which was:
/var/root
And which isn’t accessible by the admin user.
y
so private directories strike here, good you’ve found it!
does it work now? I mean brew install
v
Yep
y
great!
v
But it’s quite interesting, should Bolt handle this somehow? Because this thing causes a different behaviour between the bolt and the puppet apply if provider isn’t correct.
y
My expectation was that tmpdir setting should solve that (because things should be deployed to non-private tmpdir then). Though it doesn’t work it seems
v
Maybe bolt is not changing a working directory to tmpdir, but just uses it for files?
Will take a look later
y
this seems to be some gray area between Exec provider and Bolt and private directories
feel free to raise a ticket in the bolt github repo so someone can find that at least