OSX: homebrew package_method & non-privileged user


Francois Tiffreau

Sep 18, 2013, 10:54:42 AM
to help-c...@googlegroups.com, fran...@esl-education.org
Hi all,


I've created this package_method for homebrew (http://brew.sh)

body package_method homebrew
{
      package_changes               => "bulk";
      package_add_command           => "/usr/local/bin/brew install";
      package_delete_command        => "/usr/local/bin/brew uninstall";
      package_delete_convention     => "$(name)";
      package_installed_regex       => ".*";
      package_list_command          => "/usr/local/bin/brew list --versions";
      package_list_name_regex       => "([\S]+)\s[\S]+";
      package_list_update_command   => "/usr/local/bin/brew update";
      package_list_update_ifelapsed => "240";
      package_list_version_regex    => "[\S]+\s([\S]+)";
      package_name_convention       => "$(name)";
      package_verify_command        => "/usr/local/bin/brew list";
      package_noverify_returncode   => "1";     
      package_update_command        => "/usr/local/bin/brew upgrade";   
}
 
The downside is that homebrew expects a regular (non-root) user to install packages. 

So if I execute this:
bundle agent nrpe
{
  packages:
    "nrpe"
      package_policy => "add",
      package_method => homebrew;
}


I get this error:

acme:~ adminesl$ sudo /usr/local/bin/cf-agent -KIl -f ./test-brew.cf 
Q:         brew update ...:Already up-to-date.
Installing nrpe...
Q:  brew install nrpe  ...:Error: Cowardly refusing to `sudo brew install`
Q:  brew install nrpe  ...:You can use brew with sudo, but only if the brew executable is owned by root.
Q:  brew install nrpe  ...:However, this is both not recommended and completely unsupported so do so at
Q:  brew install nrpe  ...:your own risk.
Finished command related to promiser 'nrpe' -- an error occurred, returned 1
Bulk package schedule execution failed somewhere - unknown outcome for 'nrpe'
acme:~ adminesl$ 


whereas if I change 

package_add_command           => "/usr/local/bin/brew install";

to 

package_add_command           => "sudo -u adminesl /usr/local/bin/brew install";


adminesl being: 

acme:~ adminesl$ id adminesl
uid=501(adminesl) gid=20(staff) groups=20(staff),404(com.apple.sharepoint.group.2),405(com.apple.sharepoint.group.3),402(com.apple.access_ssh),403(com.apple.sharepoint.group.1),401(com.apple.access_screensharing),12(everyone),33(_appstore),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),100(_lpoperator),204(_developer)


it works:

acme:~ adminesl$ sudo /usr/local/bin/cf-agent -KIl -f ./test-brew.cf 
Q:         brew update ...:Already up-to-date.
Installing nrpe...
Q:                     ...:==> Downloading http://downloads.sourceforge.net/project/nagios/nrpe-2.x/nrpe-2.15/nrpe-2.15.tar.gz
Q:                     ...:Already downloaded: /Library/Caches/Homebrew/nrpe-2.15.tar.gz
Q:                     ...:==> ./configure --prefix=/usr/local/Cellar/nrpe/2.15 --libexecdir=/usr/local/Cellar/nrpe/2.15/sbin --with-nrpe-user=adminesl --with-nrpe-group=staff --with-nagios-user=adminesl --with-nagios-group=staff --enable-ssl --enable-command-args
Q:                     ...:==> make all
Q:                     ...:==> make install
Q:                     ...:==> make install-daemon-config
Q:                     ...:==> Caveats
Q:                     ...:The nagios plugin check_nrpe has been installed in:
Q:                     ...:  /usr/local/sbin
Q:                     ...:
Q:                     ...:You can start the daemon with
Q:                     ...:  /usr/local/Cellar/nrpe/2.15/bin/nrpe -c /usr/local/etc/nrpe.cfg -d
Q:                     ...:==> Summary
Q:                     ...:🍺  /usr/local/Cellar/nrpe/2.15: 6 files, 112K, built in 8 seconds
acme:~ adminesl$ 



My question is: is there a better way to specify which user the command should execute as?


Brian Bennett

Sep 18, 2013, 11:03:01 AM
to Francois Tiffreau, help-c...@googlegroups.com, fran...@esl-education.org
I don't believe package install methods support contain bodies. I think sudo is a good approach.

I have three suggestions for your package method:

* Name it just `brew`. Where possible I like to name them directly after the command being used.
* Add `user` as a parameter to the `brew` package method.
* Open a pull request and contribute :-)

--
Brian
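
The `user` parameter suggested above, as an added example (not code from this thread, the gist, or CFEngine's masterfiles): a `brew(user)` package method plus a guard that checks the account before its name is interpolated into a `sudo -u` command line. The `brew_install` bundle, its class names and the `/usr/bin/sudo` path are assumptions.

```cfengine3
# Added example: brew_install and the class names below are hypothetical.
body package_method brew(user)
{
      package_changes               => "bulk";
      # Commands that modify the Homebrew prefix run as the unprivileged $(user).
      package_add_command           => "/usr/bin/sudo -u $(user) /usr/local/bin/brew install";
      package_delete_command        => "/usr/bin/sudo -u $(user) /usr/local/bin/brew uninstall";
      package_update_command        => "/usr/bin/sudo -u $(user) /usr/local/bin/brew upgrade";
      package_list_update_command   => "/usr/bin/sudo -u $(user) /usr/local/bin/brew update";
      package_list_update_ifelapsed => "240";
      # Read-only queries are kept as in the original body.
      package_list_command          => "/usr/local/bin/brew list --versions";
      package_list_name_regex       => "([\S]+)\s[\S]+";
      package_list_version_regex    => "[\S]+\s([\S]+)";
      package_installed_regex       => ".*";
      package_name_convention       => "$(name)";
      package_delete_convention     => "$(name)";
      package_verify_command        => "/usr/local/bin/brew list";
      package_noverify_returncode   => "1";
}

bundle agent brew_install(user, pkg)
{
  classes:
      # regcmp is anchored: the name cannot start with "-" or carry shell metacharacters.
      "name_ok" expression => regcmp("[a-z_][a-z0-9_-]*", "$(user)");
      "exists"  expression => userexists("$(user)");
      "is_root" expression => strcmp(getuid("$(user)"), "0");
      "user_ok" and => { "name_ok", "exists", "!is_root" };

  packages:
    user_ok::
      "$(pkg)"
        package_policy => "add",
        package_method => brew("$(user)");

  reports:
    !user_ok::
      "brew: refusing to run as '$(user)' (bad name, unknown user, or uid 0)";
}

bundle agent nrpe
{
  methods:
      "nrpe" usebundle => brew_install("adminesl", "nrpe");
}
```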

Francois Tiffreau

Sep 19, 2013, 3:55:49 AM
to help-c...@googlegroups.com, Francois Tiffreau, fran...@esl-education.org
Thanks Brian,

Here's the gist: https://gist.github.com/esl-francois/88ec2d32b634d6acfe20

I will make a pull request next week, after some in-production tests.

The downside of using sudo is that CFEngine names the package_method internally as "sudo":
  • /usr/local/var/cfengine/state/software_packages.csv => tokyo-cabinet,1.4.48,default,sudo
  • cf3>    Reading package list from sudo

I wonder if it could break something else.

Francois

Ted Zlatanov

Sep 23, 2013, 9:33:52 AM
to help-c...@googlegroups.com
On Thu, 19 Sep 2013 00:55:49 -0700 (PDT) Francois Tiffreau <d4c...@gmail.com> wrote:

FT> Thanks Brian,
FT> Here's the gist:
FT> https://gist.github.com/esl-francois/88ec2d32b634d6acfe20

FT> I will make a pull request next week, after some in production tests.

FT> the downside of using sudo is that CFEngine names the package_method
FT> internally as "sudo":

FT> - /usr/local/var/cfengine/state/software_packages.csv
FT> => tokyo-cabinet,1.4.48,default,sudo
FT> - cf3> Reading package list from sudo

FT> I wonder if it could break something else.

For now it's OK (so go ahead and do the PR please when you can), but
will need to be fixed in master so we can do this better in 3.6.

FWIW my preferred direction would be to apply "contain" bodies to every
promise, including packages. But I don't know if that will ever happen,
it's just an idea.

Ted

Francois Tiffreau

Sep 24, 2013, 2:08:11 AM
to help-c...@googlegroups.com
Hi Ted,

So here's the pull request: https://github.com/cfengine/masterfiles/pull/15

I tested it on Mac OS X 10.8.5 + Homebrew + CFEngine 3.5.2

Thanks!

Francois

Ted Zlatanov

Sep 24, 2013, 12:12:56 PM
to help-c...@googlegroups.com
On Mon, 23 Sep 2013 23:08:11 -0700 (PDT) Francois Tiffreau <d4c...@gmail.com> wrote:

FT> So here's the pull request :
FT> https://github.com/cfengine/masterfiles/pull/15

FT> I tested it on Mac OS X 10.8.5 + Homebrew + CFEngine 3.5.2

Merged. Thank you again for the contribution.

Ted
