1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
|
#
# Author:: Adam Jacob (<adam@chef.io>)
# Author:: Tyler Cloke (<tyler@chef.io>)
# Copyright:: Copyright (c) Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require_relative "../resource"
require_relative "../dist"
class Chef
class Resource
class Execute < Chef::Resource
unified_mode true
provides :execute, target_mode: true
description <<~DESC
Use the **execute** resource to execute a single command. Commands that
are executed with this resource are (by their nature) not idempotent,
as they are typically unique to the environment in which they are run.
Use not_if and only_if to guard this resource for idempotence.
Note: Use the **script** resource to execute a script using a specific
interpreter (Ruby, Python, Perl, csh, or Bash).'
DESC
examples <<~EXAMPLES
**Run a command upon notification**:
```ruby
execute 'slapadd' do
command 'slapadd < /tmp/something.ldif'
creates '/var/lib/slapd/uid.bdb'
action :nothing
end
template '/tmp/something.ldif' do
source 'something.ldif'
notifies :run, 'execute[slapadd]', :immediately
end
```
**Run a touch file only once while running a command**:
```ruby
execute 'upgrade script' do
command 'php upgrade-application.php && touch /var/application/.upgraded'
creates '/var/application/.upgraded'
action :run
end
```
**Run a command which requires an environment variable**:
```ruby
execute 'slapadd' do
command 'slapadd < /tmp/something.ldif'
creates '/var/lib/slapd/uid.bdb'
action :run
environment ({'HOME' => '/home/my_home'})
end
```
**Delete a repository using yum to scrub the cache**:
```ruby
# the following code sample thanks to gaffneyc @ https://gist.github.com/918711
execute 'clean-yum-cache' do
command 'yum clean all'
action :nothing
end
file '/etc/yum.repos.d/bad.repo' do
action :delete
notifies :run, 'execute[clean-yum-cache]', :immediately
notifies :create, 'ruby_block[reload-internal-yum-cache]', :immediately
end
```
**Install repositories from a file, trigger a command, and force the internal cache to reload**:
The following example shows how to install new Yum repositories from a file,
where the installation of the repository triggers a creation of the Yum cache
that forces the internal cache for Chef Infra Client to reload.
```ruby
execute 'create-yum-cache' do
command 'yum -q makecache'
action :nothing
end
ruby_block 'reload-internal-yum-cache' do
block do
Chef::Provider::Package::Yum::YumCache.instance.reload
end
action :nothing
end
cookbook_file '/etc/yum.repos.d/custom.repo' do
source 'custom'
mode '0755'
notifies :run, 'execute[create-yum-cache]', :immediately
notifies :create, 'ruby_block[reload-internal-yum-cache]', :immediately
end
```
**Prevent restart and reconfigure if configuration is broken**:
Use the `:nothing` action (common to all resources) to prevent the test from
starting automatically, and then use the `subscribes` notification to run a
configuration test when a change to the template is detected.
```ruby
execute 'test-nagios-config' do
command 'nagios3 --verify-config'
action :nothing
subscribes :run, 'template[/etc/nagios3/configures-nagios.conf]', :immediately
end
```
**Notify in a specific order**:
To notify multiple resources, and then have these resources run in a certain
order, do something like the following.
```ruby
execute 'foo' do
command '...'
notifies :create, 'template[baz]', :immediately
notifies :install, 'package[bar]', :immediately
notifies :run, 'execute[final]', :immediately
end
template 'baz' do
#...
notifies :run, 'execute[restart_baz]', :immediately
end
package 'bar'
execute 'restart_baz'
execute 'final' do
command '...'
end
```
where the sequencing will be in the same order as the resources are listed in
the recipe: `execute 'foo'`, `template 'baz'`, `execute [restart_baz]`,
`package 'bar'`, and `execute 'final'`.
**Execute a command using a template**:
The following example shows how to set up IPv4 packet forwarding using the
**execute** resource to run a command named `forward_ipv4` that uses a template
defined by the **template** resource.
```ruby
execute 'forward_ipv4' do
command 'echo > /proc/.../ipv4/ip_forward'
action :nothing
end
template '/etc/file_name.conf' do
source 'routing/file_name.conf.erb'
notifies :run, 'execute[forward_ipv4]', :delayed
end
```
where the `command` property for the **execute** resource contains the command
that is to be run and the `source` property for the **template** resource
specifies which template to use. The `notifies` property for the **template**
specifies that the `execute[forward_ipv4]` (which is defined by the **execute**
resource) should be queued up and run at the end of a Chef Infra Client run.
**Add a rule to an IP table**:
The following example shows how to add a rule named `test_rule` to an IP table
using the **execute** resource to run a command using a template that is defined
by the **template** resource:
```ruby
execute 'test_rule' do
command 'command_to_run
--option value
--option value
--source \#{node[:name_of_node][:ipsec][:local][:subnet]}
-j test_rule'
action :nothing
end
template '/etc/file_name.local' do
source 'routing/file_name.local.erb'
notifies :run, 'execute[test_rule]', :delayed
end
```
where the `command` property for the **execute** resource contains the command
that is to be run and the `source` property for the **template** resource
specifies which template to use. The `notifies` property for the **template**
specifies that the `execute[test_rule]` (which is defined by the **execute**
resource) should be queued up and run at the end of a Chef Infra Client run.
**Stop a service, do stuff, and then restart it**:
The following example shows how to use the **execute**, **service**, and
**mount** resources together to ensure that a node running on Amazon EC2 is
running MySQL. This example does the following:
- Checks to see if the Amazon EC2 node has MySQL
- If the node has MySQL, stops MySQL
- Installs MySQL
- Mounts the node
- Restarts MySQL
```ruby
# the following code sample comes from the ``server_ec2``
# recipe in the following cookbook:
# https://github.com/chef-cookbooks/mysql
if (node.attribute?('ec2') && !FileTest.directory?(node['mysql']['ec2_path']))
service 'mysql' do
action :stop
end
execute 'install-mysql' do
command "mv \#{node['mysql']['data_dir']} \#{node['mysql']['ec2_path']}"
not_if do
FileTest.directory?(node['mysql']['ec2_path'])
end
end
[node['mysql']['ec2_path'], node['mysql']['data_dir']].each do |dir|
directory dir do
owner 'mysql'
group 'mysql'
end
end
mount node['mysql']['data_dir'] do
device node['mysql']['ec2_path']
fstype 'none'
options 'bind,rw'
action [:mount, :enable]
end
service 'mysql' do
action :start
end
end
```
where
- the two **service** resources are used to stop, and then restart the MySQL service
- the **execute** resource is used to install MySQL
- the **mount** resource is used to mount the node and enable MySQL
**Use the platform_family? method**:
The following is an example of using the `platform_family?` method in the Recipe
DSL to create a variable that can be used with other resources in the same
recipe. In this example, `platform_family?` is being used to ensure that a
specific binary is used for a specific platform before using the **remote_file**
resource to download a file from a remote location, and then using the
**execute** resource to install that file by running a command.
```ruby
if platform_family?('rhel')
pip_binary = '/usr/bin/pip'
else
pip_binary = '/usr/local/bin/pip'
end
remote_file "\#{Chef::Config[:file_cache_path]}/distribute_setup.py" do
source 'http://python-distribute.org/distribute_setup.py'
mode '0755'
not_if { File.exist?(pip_binary) }
end
execute 'install-pip' do
cwd Chef::Config[:file_cache_path]
command <<~EOF
# command for installing Python goes here
EOF
not_if { File.exist?(pip_binary) }
end
```
where a command for installing Python might look something like:
```ruby
\#{node['python']['binary']} distribute_setup.py \#{::File.dirname(pip_binary)}/easy_install pip
```
**Control a service using the execute resource**:
<div class="admonition-warning">
<p class="admonition-warning-title">Warning</p>
<div class="admonition-warning-text">
This is an example of something that should NOT be done. Use the **service**
resource to control a service, not the **execute** resource.
</div>
</div>
Do something like this:
```ruby
service 'tomcat' do
action :start
end
```
and NOT something like this:
```ruby
execute 'start-tomcat' do
command '/etc/init.d/tomcat6 start'
action :run
end
```
There is no reason to use the **execute** resource to control a service because
the **service** resource exposes the `start_command` property directly, which
gives a recipe full control over the command issued in a much cleaner, more
direct manner.
**Use the search recipe DSL method to find users**:
The following example shows how to use the `search` method in the Recipe DSL to
search for users:
```ruby
# the following code sample comes from the openvpn cookbook: https://github.com/chef-cookbooks/openvpn
search("users", "*:*") do |u|
execute "generate-openvpn-\#{u['id']}" do
command "./pkitool \#{u['id']}"
cwd '/etc/openvpn/easy-rsa'
environment(
'EASY_RSA' => '/etc/openvpn/easy-rsa',
'KEY_CONFIG' => '/etc/openvpn/easy-rsa/openssl.cnf',
'KEY_DIR' => node['openvpn']['key_dir'],
'CA_EXPIRE' => node['openvpn']['key']['ca_expire'].to_s,
'KEY_EXPIRE' => node['openvpn']['key']['expire'].to_s,
'KEY_SIZE' => node['openvpn']['key']['size'].to_s,
'KEY_COUNTRY' => node['openvpn']['key']['country'],
'KEY_PROVINCE' => node['openvpn']['key']['province'],
'KEY_CITY' => node['openvpn']['key']['city'],
'KEY_ORG' => node['openvpn']['key']['org'],
'KEY_EMAIL' => node['openvpn']['key']['email']
)
not_if { File.exist?("\#{node['openvpn']['key_dir']}/\#{u['id']}.crt") }
end
%w{ conf ovpn }.each do |ext|
template "\#{node['openvpn']['key_dir']}/\#{u['id']}.\#{ext}" do
source 'client.conf.erb'
variables :username => u['id']
end
end
execute "create-openvpn-tar-\#{u['id']}" do
cwd node['openvpn']['key_dir']
command <<~EOH
tar zcf \#{u['id']}.tar.gz ca.crt \#{u['id']}.crt \#{u['id']}.key \#{u['id']}.conf \#{u['id']}.ovpn
EOH
not_if { File.exist?("\#{node['openvpn']['key_dir']}/\#{u['id']}.tar.gz") }
end
end
```
where
- the search will use both of the **execute** resources, unless the condition
specified by the `not_if` commands are met
- the `environments` property in the first **execute** resource is being used to
define values that appear as variables in the OpenVPN configuration
- the **template** resource tells Chef Infra Client which template to use
**Enable remote login for macOS**:
```ruby
execute 'enable ssh' do
command '/usr/sbin/systemsetup -setremotelogin on'
not_if '/usr/sbin/systemsetup -getremotelogin | /usr/bin/grep On'
action :run
end
```
**Execute code immediately, based on the template resource**:
By default, notifications are `:delayed`, that is they are queued up as they are
triggered, and then executed at the very end of a Chef Infra Client run. To run
kan action immediately, use `:immediately`:
```ruby
template '/etc/nagios3/configures-nagios.conf' do
# other parameters
notifies :run, 'execute[test-nagios-config]', :immediately
end
```
and then Chef Infra Client would immediately run the following:
```ruby
execute 'test-nagios-config' do
command 'nagios3 --verify-config'
action :nothing
end
```
**Sourcing a file**:
The **execute** resource cannot be used to source a file (e.g. `command 'source
filename'`). The following example will fail because `source` is not an
executable:
```ruby
execute 'foo' do
command 'source /tmp/foo.sh'
end
```
Instead, use the **script** resource or one of the **script**-based resources
(**bash**, **csh**, **perl**, **python**, or **ruby**). For example:
```ruby
bash 'foo' do
code 'source /tmp/foo.sh'
end
```
**Run a Knife command**:
```ruby
execute 'create_user' do
command <<~EOM
knife user create \#{user}
--admin
--password password
--disable-editing
--file /home/vagrant/.chef/user.pem
--config /tmp/knife-admin.rb
EOM
end
```
**Run install command into virtual environment**:
The following example shows how to install a lightweight JavaScript framework
into Vagrant:
```ruby
execute "install q and zombiejs" do
cwd "/home/vagrant"
user "vagrant"
environment ({'HOME' => '/home/vagrant', 'USER' => 'vagrant'})
command "npm install -g q zombie should mocha coffee-script"
action :run
end
```
**Run a command as a named user**:
The following example shows how to run `bundle install` from a Chef Infra Client
run as a specific user. This will put the gem into the path of the user
(`vagrant`) instead of the root user (under which the Chef Infra Client runs):
```ruby
execute '/opt/chefdk/embedded/bin/bundle install' do
cwd node['chef_workstation']['bundler_path']
user node['chef_workstation']['user']
environment ({
'HOME' => "/home/\#{node['chef_workstation']['user']}",
'USER' => node['chef_workstation']['user']
})
not_if 'bundle check'
end
```
**Run a command as an alternate user**:
*Note*: When Chef is running as a service, this feature requires that the user
that Chef runs as has 'SeAssignPrimaryTokenPrivilege' (aka
'SE_ASSIGNPRIMARYTOKEN_NAME') user right. By default only LocalSystem and
NetworkService have this right when running as a service. This is necessary
even if the user is an Administrator.
This right can be added and checked in a recipe using this example:
```ruby
# Add 'SeAssignPrimaryTokenPrivilege' for the user
Chef::ReservedNames::Win32::Security.add_account_right('<user>', 'SeAssignPrimaryTokenPrivilege')
# Check if the user has 'SeAssignPrimaryTokenPrivilege' rights
Chef::ReservedNames::Win32::Security.get_account_right('<user>').include?('SeAssignPrimaryTokenPrivilege')
```
The following example shows how to run `mkdir test_dir` from a Chef Infra Client
run as an alternate user.
```ruby
# Passing only username and password
execute 'mkdir test_dir' do
cwd Chef::Config[:file_cache_path]
user "username"
password "password"
end
# Passing username and domain
execute 'mkdir test_dir' do
cwd Chef::Config[:file_cache_path]
domain "domain-name"
user "user"
password "password"
end
# Passing username = 'domain-name\\username'. No domain is passed
execute 'mkdir test_dir' do
cwd Chef::Config[:file_cache_path]
user "domain-name\\username"
password "password"
end
# Passing username = 'username@domain-name'. No domain is passed
execute 'mkdir test_dir' do
cwd Chef::Config[:file_cache_path]
user "username@domain-name"
password "password"
end
```
**Run a command with an external input file**:
execute 'md5sum' do
input File.read(__FILE__)
end
EXAMPLES
# The ResourceGuardInterpreter wraps a resource's guards in another resource. That inner resource
# needs to behave differently during (for example) why_run mode, so we flag it here. For why_run mode
# we still want to execute the guard resource even if we are not executing the wrapping resource.
# Only execute resources (and subclasses) can be guard interpreters.
attr_accessor :is_guard_interpreter
default_action :run
def initialize(name, run_context = nil)
super
@command = name
@backup = 5
@default_guard_interpreter = :execute
@is_guard_interpreter = false
end
property :command, [ String, Array ],
name_property: true,
description: "An optional property to set the command to be executed if it differs from the resource block's name."
property :umask, [ String, Integer ],
description: "The file mode creation mask, or umask."
property :creates, String,
description: "Prevent a command from creating a file when that file already exists."
property :cwd, String,
description: "The current working directory from which the command will be run."
property :environment, Hash,
description: "A Hash of environment variables in the form of ({'ENV_VARIABLE' => 'VALUE'})."
property :group, [ String, Integer ],
description: "The group name or group ID that must be changed before running a command."
property :live_stream, [ TrueClass, FalseClass ], default: false,
description: "Send the output of the command run by this execute resource block to the #{Chef::Dist::CLIENT} event stream."
# default_env defaults to `false` so that the command execution more exactly matches what the user gets on the command line without magic
property :default_env, [ TrueClass, FalseClass ], desired_state: false, default: false,
introduced: "14.2",
description: "When true this enables ENV magic to add path_sanity to the PATH and force the locale to English+UTF-8 for parsing output"
property :returns, [ Integer, Array ], default: 0,
description: "The return value for a command. This may be an array of accepted values. An exception is raised when the return value(s) do not match."
property :timeout, [ Integer, String, Float ],
default: 3600,
description: "The amount of time (in seconds) a command is to wait before timing out.",
desired_state: false
property :user, [ String, Integer ],
description: "The user name of the user identity with which to launch the new process. The user name may optionally be specified with a domain, i.e. domainuser or user@my.dns.domain.com via Universal Principal Name (UPN)format. It can also be specified without a domain simply as user if the domain is instead specified using the domain property. On Windows only, if this property is specified, the password property must be specified."
property :domain, String,
introduced: "12.21",
description: "Windows only: The domain of the user user specified by the user property. If not specified, the user name and password specified by the user and password properties will be used to resolve that user against the domain in which the system running #{Chef::Dist::PRODUCT} is joined, or if that system is not joined to a domain it will resolve the user as a local account on that system. An alternative way to specify the domain is to leave this property unspecified and specify the domain as part of the user property."
property :password, String, sensitive: true,
introduced: "12.21",
description: "Windows only: The password of the user specified by the user property. This property is mandatory if user is specified on Windows and may only be specified if user is specified. The sensitive property for this resource will automatically be set to true if password is specified."
# lazy used to set default value of sensitive to true if password is set
property :sensitive, [ TrueClass, FalseClass ],
description: "Ensure that sensitive resource data is not logged by the #{Chef::Dist::CLIENT}.",
default: lazy { password ? true : false }, default_description: "True if the password property is set. False otherwise."
property :elevated, [ TrueClass, FalseClass ], default: false,
description: "Determines whether the script will run with elevated permissions to circumvent User Access Control (UAC) interactively blocking the process.\nThis will cause the process to be run under a batch login instead of an interactive login. The user running #{Chef::Dist::CLIENT} needs the 'Replace a process level token' and 'Adjust Memory Quotas for a process' permissions. The user that is running the command needs the 'Log on as a batch job' permission.\nBecause this requires a login, the user and password properties are required.",
introduced: "13.3"
property :input, [String],
introduced: "16.2",
description: "An optional property to set the input sent to the command as STDIN."
alias :env :environment
def self.set_guard_inherited_attributes(*inherited_attributes)
@class_inherited_attributes = inherited_attributes
end
def self.guard_inherited_attributes(*inherited_attributes)
# Similar to patterns elsewhere, return attributes from this
# class and superclasses as a form of inheritance
ancestor_attributes = []
if superclass.respond_to?(:guard_inherited_attributes)
ancestor_attributes = superclass.guard_inherited_attributes
end
ancestor_attributes.concat(@class_inherited_attributes ? @class_inherited_attributes : []).uniq
end
# post resource creation validation
#
# @return [void]
def after_created
validate_identity_platform(user, password, domain, elevated)
identity = qualify_user(user, password, domain)
domain(identity[:domain])
user(identity[:user])
end
def validate_identity_platform(specified_user, password = nil, specified_domain = nil, elevated = false)
if windows?
if specified_user && password.nil?
raise ArgumentError, "A value for `password` must be specified when a value for `user` is specified on the Windows platform"
end
if elevated && !specified_user && !password
raise ArgumentError, "`elevated` option should be passed only with `username` and `password`."
end
else
if password || specified_domain
raise Exceptions::UnsupportedPlatform, "Values for `domain` and `password` are only supported on the Windows platform"
end
if elevated
raise Exceptions::UnsupportedPlatform, "Value for `elevated` is only supported on the Windows platform"
end
end
end
def qualify_user(specified_user, password = nil, specified_domain = nil)
domain = specified_domain
user = specified_user
if specified_user.nil? && ! specified_domain.nil?
raise ArgumentError, "The domain `#{specified_domain}` was specified, but no user name was given"
end
# if domain is provided in both username and domain
if specified_user && ((specified_user.include? '\\') || (specified_user.include? "@")) && specified_domain
raise ArgumentError, "The domain is provided twice. Username: `#{specified_user}`, Domain: `#{specified_domain}`. Please specify domain only once."
end
if ! specified_user.nil? && specified_domain.nil?
# Splitting username of format: Domain\Username
domain_and_user = user.split('\\')
if domain_and_user.length == 2
domain = domain_and_user[0]
user = domain_and_user[1]
elsif domain_and_user.length == 1
# Splitting username of format: Username@Domain
domain_and_user = user.split("@")
if domain_and_user.length == 2
domain = domain_and_user[1]
user = domain_and_user[0]
elsif domain_and_user.length != 1
raise ArgumentError, "The specified user name `#{user}` is not a syntactically valid user name"
end
end
end
if ( password || domain ) && user.nil?
raise ArgumentError, "A value for `password` or `domain` was specified without specification of a value for `user`"
end
{ domain: domain, user: user }
end
set_guard_inherited_attributes(
:cwd,
:environment,
:group,
:user,
:umask
)
end
end
end
|
