
Here is my cookbook code,

include_recipe 'aws'

require 'aws-sdk'

# Fetch the data bag secret from S3
client = Aws::S3::Client.new(region: 'us-east-1')
resp = client.get_object(bucket: 'chefconfig', key: 'encrypted_data_bag_secret')

# Read content to variable
file_content = resp.body.read

# Log that the fetch happened, but never the secret itself
Chef::Log.info('fetched encrypted_data_bag_secret from S3')

# Write content to file; the secret must not be world-readable
file '/etc/chef/encrypted_data_bag_secret' do
  owner 'root'
  group 'root'
  mode '0600'
  content file_content
  action :create
end

# Plain Ruby: evaluated at compile time, before the file resource above has converged
password_secret = Chef::EncryptedDataBagItem.load_secret('/etc/chef/encrypted_data_bag_secret')
docker_password_data_bag_item = Chef::EncryptedDataBagItem.load('passwords', 'docker_server_master_password', password_secret)

docker_service 'default' do
  action [:create, :start]
end

docker_registry 'https://index.docker.io/v1/' do
  username node['docker']['username']
  password docker_password_data_bag_item['password']
  email node['docker']['email']
end

I thought the file resource would create /etc/chef/encrypted_data_bag_secret first and it would then be available for Chef::EncryptedDataBagItem.load_secret, but when I run this cookbook I get the following error message.

================================================================================
Recipe Compile Error in /var/chef/cache/cookbooks/appservers/recipes/default.rb
================================================================================

Errno::ENOENT
-------------
No such file or directory - file not found '/etc/chef/encrypted_data_bag_secret'

Cookbook Trace:
---------------
  /var/chef/cache/cookbooks/appservers/recipes/docker.rb:29:in `from_file'
  /var/chef/cache/cookbooks/appservers/recipes/default.rb:9:in `from_file'

Since I am adding this cookbook while bootstrapping the node, I have no idea how to supply the secret file during bootstrap.

Balkrishna
    Possible duplicate of [Please explain compile time vs. run time in chef recipes?](http://stackoverflow.com/questions/25980820/please-explain-compile-time-vs-run-time-in-chef-recipes) – Tensibai Nov 06 '15 at 13:36
  • 2
    The duplicate, while not the same question, has answers explaining why you end up with this behavior, mainly Tejay's answer. – Tensibai Nov 06 '15 at 13:36
  • Thank you for pointing me in the right direction. I solved the issue. For future reference and others I am adding the solution here. – Balkrishna Nov 09 '15 at 10:43
  • Will it bring something new to the problem? – Tensibai Nov 09 '15 at 10:50
  • Yes, I was still not able to assign a value to docker_registry. But I managed to solve it; please read my answer below. – Balkrishna Nov 09 '15 at 10:55

1 Answer

As @tensibai mentioned in a comment, the problem is well explained in the Stack Overflow question compile time vs run time in chef recipes.

Here is how I managed to solve my problem.

I wrapped 'password_secret' and 'docker_password_data_bag_item' in a ruby_block as follows,

ruby_block 'load_databag_secret' do
  block do
    # Runs at converge time, after the file resource has written the secret
    password_secret = Chef::EncryptedDataBagItem.load_secret('/etc/chef/encrypted_data_bag_secret')
    docker_password_data_bag_item = Chef::EncryptedDataBagItem.load('passwords', 'docker_server_master_password', password_secret)
    node.set['docker']['password'] = docker_password_data_bag_item['password']
  end
end

And I changed my docker registry code as follows,

docker_registry 'https://index.docker.io/v1/' do
  username node['docker']['username']
  password lazy { node['docker']['password'] }
  email node['docker']['email']
end

Please note the lazy keyword in the docker_registry resource. If you are curious you can learn more about it here.

how-to-pass-value-from-one-resource-to-another-resource-in-chef-recipe

Balkrishna
    You really should avoid storing the password in the node object, it's freely readable to any other node. Use `node.run_state['docker']['password']` to store transient variables like password. – Tensibai Nov 09 '15 at 10:58
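The compile/converge ordering behind both the question's ENOENT and the answer's fix can be reproduced without Chef. The following is an added example, not code from the question, the answer or Chef itself: a small stand-in runner in which DSL calls only record resources during "compile" and actions execute in order during "converge". `Runner`, `Lazy`, `load_secret` and the two `*_recipe` helpers are hypothetical names chosen for this example, the secret value is constructed, and the secret file is written to a temporary directory instead of /etc/chef. It also applies the advice from the comment above: the decrypted value is kept in per-run `run_state` rather than in a node attribute, and the consuming resource reads it through `lazy {}`.

```ruby
require 'tmpdir'

# Stand-in for Chef's lazy {}: the block is evaluated only at converge time.
class Lazy
  def initialize(&blk)
    @blk = blk
  end

  def call
    @blk.call
  end
end

def lazy(&blk)
  Lazy.new(&blk)
end

# Minimal two-phase runner (hypothetical, not Chef's API): compile records
# resources, converge executes them in declaration order.
class Runner
  attr_reader :run_state, :log

  def initialize
    @resources = []
    @run_state = {} # transient per-run storage, like node.run_state
    @log = []
  end

  # Compile phase: each call only records what to do later.
  def file(path, content:, mode: 0o600)
    @resources << [:file, path, content, mode]
  end

  def ruby_block(name, &blk)
    @resources << [:ruby_block, name, blk]
  end

  def docker_registry(url, password:)
    @resources << [:docker_registry, url, password]
  end

  # Converge phase: actions run in the order they were declared.
  def converge
    @resources.each do |res|
      case res[0]
      when :file
        File.write(res[1], res[2])
        File.chmod(res[3], res[1]) # secret file stays owner-only
      when :ruby_block
        res[2].call
      when :docker_registry
        pw = res[2].is_a?(Lazy) ? res[2].call : res[2]
        @log << "login #{res[1]} password=#{pw}"
      end
    end
    self
  end
end

# Stand-in for Chef::EncryptedDataBagItem.load_secret: reads the file, so it
# raises Errno::ENOENT when the file resource has not converged yet.
def load_secret(path)
  File.read(path).strip
end

# The question's ordering: load_secret is plain Ruby, so it runs during
# compile, before the file resource (or any resource) has been converged.
def original_recipe(dir)
  runner = Runner.new
  secret_path = File.join(dir, 'encrypted_data_bag_secret')
  runner.file(secret_path, content: 'constructed-secret')
  secret = load_secret(secret_path) # raises Errno::ENOENT, as in the question
  runner.docker_registry('https://index.docker.io/v1/', password: secret)
  runner.converge
end

# The answer's fix: load inside a ruby_block (converge time), hand the value
# over through run_state, and read it lazily in the consuming resource.
def fixed_recipe(dir)
  runner = Runner.new
  secret_path = File.join(dir, 'encrypted_data_bag_secret')
  runner.file(secret_path, content: 'constructed-secret', mode: 0o600)
  runner.ruby_block('load_databag_secret') do
    # In Chef this would be EncryptedDataBagItem.load(...)['password'];
    # here the "decrypted" value is simply derived from the constructed secret.
    runner.run_state[:docker_password] = "pw-from-#{load_secret(secret_path)}"
  end
  runner.docker_registry('https://index.docker.io/v1/',
                         password: lazy { runner.run_state[:docker_password] })
  runner.converge
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    begin
      original_recipe(dir)
    rescue Errno::ENOENT => e
      puts "compile-time load failed: #{e.message}"
    end
    puts fixed_recipe(dir).log.first
  end
end
```

Running it prints the ENOENT from the compile-time load first and then the successful registry login from the deferred version. Because `run_state` lives only for the duration of the run, the password is never persisted to the node object, which is the point of the comment above.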