# cookbooks issues

Issue feed of the GSI Chef cookbooks group: https://git.gsi.de/groups/chef/cookbooks/-/issues (feed updated 2022-06-23T14:14:42Z)

## sys#1: group databags not considered

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/1 | Author: Christopher Huhn | Updated: 2022-06-23T14:14:42Z

Group databags are ignored when creating users and groups.

## sys#3: Add support for chef-solo config

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/3 | Author: Christopher Huhn | Updated: 2023-07-25T08:57:05Z | Assignee: Christopher Huhn

The chef recipe bails out if `node['sys']['chef']['server_url']` is not defined.
It could drop an appropriate `/etc/chef/solo.rb` instead.
## sys#4: Account removal not implemented

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/4 | Author: Christopher Huhn | Updated: 2019-06-28T16:55:36Z

In contrast with the [documentation](documents/accounts.md), accounts cannot be deleted via `sys::accounts`, i.e.
```
sys: {
  accounts: {
    qwerasdf: {
      action: 'delete'
    }
  }
}
```
does not work as expected.
## sys#5: sys::systemd vs sys::network vs sys::networkd

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/5 | Author: m.pausch | Updated: 2023-02-17T15:55:26Z

### Current state

There are currently 3 recipes that configure the network of a machine:

1. `sys::network` for debian_version less than 9
2. `sys::systemd` for jessie(?) and up
3. `sys::networkd` for stretch and up

`sys::systemd` and `sys::networkd` overlap but offer different features. In `sys::networkd` everything has to be specified manually; it has its own namespace for the attributes and its own recipe. `sys::systemd` offers all kinds of handy switches with which the current configuration can be made persistent.

### Problem

The configuration produced by `sys::systemd` is subtly broken because ipv6 is not disabled thoroughly enough. As a result `systemd-networkd-wait-online.service` waits for the ipv6 configuration and therefore does not complete successfully. This frequently causes problems with nslcd, autofs and anything else that waits for the network. Besides, it is not clear to me why `sys::systemd` should configure the network at all.

`sys::networkd` does offer a lot of flexibility but is cumbersome to use.

### Proposed solution

Since systemd-networkd on current Debian has all the features needed to build even more complicated configs such as the lxgws and hypervisors, I would propose the following:

1. `sys::network` can probably be left as it is, as long as it is still in use.
2. `sys::systemd` only configures systemd (files under `/etc/systemd/system` and `/etc/systemd/system.conf`).
3. `sys::networkd` is extended with the features from `sys::systemd`.

### Open points

#### Manage the network?

Should the network be managed at all or not? During installation FAI provides a default configuration that usually fits. This configuration usually never needs to be changed either. On newer Debian versions I would propose doing everything with systemd-networkd. For that, however, all other mechanisms have to be disconnected, using one of the following steps:

1. adjust /etc/default/networking so that ifupdown no longer configures any network
2. delete or rename /etc/network
3. uninstall the Debian package ifupdown
4. if applicable, uninstall or disable dhcpd or whatever else.

In principle there are not very many machines on which the network is managed so far, which probably also explains why the recipes overlap and are configured in gsi-sys with attributes that in some cases have no effect at all.

#### Naming scheme

The new interface names, which encode the slot in the machine in the name, cause the interfaces to be named differently on every machine, which can make many things cumbersome. Debian is preconfigured to keep using the old naming scheme. Machines that do not have the old scheme, however, have to receive a new initramfs and be rebooted.
## sys#9: Flawed logic in sys::krb5

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/9 | Author: Christopher Huhn | Updated: 2020-09-29T05:56:00Z | Assignee: m.pausch

The [krb5 recipe](recipes/krb5.rb#L41-43) tries to deploy `/etc/krb5.keytab`.
Anyhow the [`sys_wallet` provider](providers/wallet.rb#L15) tries to acquire derived keytabs using this `/etc/krb5.keytab`.
Therefore this can never work.
Remove the resource?
## sys#11: [sys::hosts] Drop managing '/etc/hosts' as a template

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/11 | Author: Christopher Huhn | Updated: 2019-11-13T14:27:04Z

I think that managing `/etc/hosts` as a template is a rather bad idea and should be dropped completely.
Cf. https://github.com/GSI-HPC/sys-chef-cookbook/issues/8
## fai#1: Manage apt repository keys

Issue: https://git.gsi.de/chef/cookbooks/fai/-/issues/1 | Author: Christopher Huhn | Updated: 2020-05-28T10:10:05Z | Milestone: Debian Buster

Add possibility to add apt repo keys to installation nfsroots via `/etc/fai/apt/keys/` and `/etc/fai/flavors/[flavor]/apt/keys/`.
Also requires the addition of `gnupg` to the nfsroot via `debootstrap`:
```
FAI_DEBOOTSTRAP_OPTS='[…] --include=gnupg'
```
## sys#14: node['sys']['ssh']['config'] and node['sys']['ssh']['ssh_config'] handle options differently

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/14 | Author: Christopher Huhn | Updated: 2020-05-29T15:06:26Z

`node['sys']['ssh']['config']` takes a hash as config:
```
{ host_pattern1: { key: value, … }, … }
```
In contrast `node['sys']['ssh']['ssh_config']` takes an array as config:
```
[ {host_pattern1: { key: value, … }}, … ]
```
I see no reason to have the same host pattern multiple times w/o merging.
OTOH ordering may be relevant (→ array).
Anyhow these attributes should behave similarly.

## sys#15: Add SSH keys from account data bags

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/15 | Author: Christopher Huhn | Updated: 2023-02-17T15:50:59Z

Currently no logic exists to automatically add SSH keys from account data bags to `~/authorized_keys`.
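The following Ruby is an added example for the two SSH issues above (sys#14 and sys#15); it is not code from the sys cookbook. For sys#14 it normalises both attribute shapes into one ordered list, merging options for repeated host patterns while keeping first-match order. For sys#15 it derives `authorized_keys` lines from an account data bag item, accepting only lines that are well-formed OpenSSH public keys so that a pasted private key or a typo never ends up in a file that grants login. The data bag field name `ssh_keys`, the option keys and the sample key material are assumptions constructed for the example.

```ruby
require 'base64'

# --- sys#14: one normaliser for both attribute shapes ----------------------
# Accepts the hash form  { pattern => { option => value } }
# and the array form     [ { pattern => { option => value } }, ... ]
# and returns an ordered Array of [pattern, options]. A pattern that occurs
# more than once keeps its first position (ssh_config is first-match) and its
# option hashes are merged, later entries winning. Keys are stringified so
# symbol and string attribute keys behave the same.
def normalize_ssh_config(config)
  entries = case config
            when Hash  then config.to_a
            when Array then config.flat_map(&:to_a)
            else raise ArgumentError, "expected Hash or Array, got #{config.class}"
            end
  merged = {}
  entries.each do |pattern, opts|
    key = pattern.to_s
    merged[key] = (merged[key] || {}).merge((opts || {}).transform_keys(&:to_s))
  end
  merged.to_a
end

# Render ssh_config(5) text from either attribute shape.
def render_ssh_config(config)
  lines = normalize_ssh_config(config).flat_map { |pattern, opts|
    ["Host #{pattern}"] + opts.map { |k, v| "    #{k} #{v}" }
  }
  lines.join("\n") + "\n"
end

# --- sys#15: authorized_keys content from an account data bag item ---------
# Assumed item layout (the field name 'ssh_keys' is an assumption):
#   { 'id' => 'john', 'ssh_keys' => ['ssh-ed25519 AAAA... john@laptop', ...] }
# A line is accepted only if it has a known key type and a base64 blob whose
# leading length-prefixed string repeats that type, which is how OpenSSH
# encodes public keys. Anything else is dropped rather than written out.
KEY_TYPES = %w[
  ssh-ed25519 ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384
  ecdsa-sha2-nistp521 sk-ssh-ed25519@openssh.com sk-ecdsa-sha2-nistp256@openssh.com
].freeze

def valid_public_key?(line)
  type, blob, _comment = line.to_s.strip.split(/\s+/, 3)
  return false unless KEY_TYPES.include?(type) && blob
  raw = Base64.strict_decode64(blob)          # raises ArgumentError on junk
  return false if raw.bytesize < 4
  len = raw.byteslice(0, 4).unpack1('N')      # first field: uint32 length
  raw.byteslice(4, len) == type               # ... followed by the type name
rescue ArgumentError
  false
end

def authorized_keys_lines(item)
  Array(item['ssh_keys']).map { |k| k.to_s.strip }
                         .select { |k| valid_public_key?(k) }
                         .uniq
end

# Constructed sample data (not from the cookbook): a structurally valid
# ed25519 key with dummy 32-byte key material, plus lines that must be
# rejected and a duplicate that must be collapsed.
SAMPLE_KEY = 'ssh-ed25519 ' +
             Base64.strict_encode64([11, 'ssh-ed25519', 32, "\x01" * 32].pack('Na*Na*')) +
             ' john@laptop'
SAMPLE_ITEM = {
  'id' => 'john',
  'ssh_keys' => [SAMPLE_KEY, '-----BEGIN OPENSSH PRIVATE KEY-----',
                 'ssh-ed25519 not*base64', SAMPLE_KEY]
}.freeze

if $PROGRAM_NAME == __FILE__
  puts render_ssh_config([{ '*' => { 'ForwardAgent' => 'no' } }, { '*' => { 'HashKnownHosts' => 'yes' } }])
  puts authorized_keys_lines(SAMPLE_ITEM)
end
```

Validating the key blob rather than only the `ssh-` prefix matters because the file is consumed by sshd as-is: a malformed line is silently skipped by sshd, but a line that is valid yet unintended (a second key pasted on the same line, a private key) is the kind of mistake a recipe should refuse to deploy.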
## sys#16: Monkey patch apt_repository on Stretch

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/16 | Author: Christopher Huhn | Updated: 2020-07-17T07:39:55Z

Key management does not work on Stretch, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858265
and
https://github.com/chef/chef/commit/d7ac39bb7a7f710726bfd1adcf32ea07e6cb711d
## sys#17: template_header helper output for LWRPs

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/17 | Author: Christopher Huhn | Updated: 2020-11-27T15:55:31Z

For config files created by LWRPs (like `sys_apt_conf`) `@recipe_name` is `nil` and the output looks like:
```
# Created by sys:: (line 32) from template …
```
## sys#18: `chef_zero/server` Ruby module not found in Serverspec test for omnibus-installed chef-clients

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/18 | Author: Christopher Huhn | Updated: 2022-06-09T16:38:10Z | Milestone: Debian Bullseye

`require 'chef_zero/server'` fails in `kitchen verify` with serverspec when an omnibus-packaged chef client is installed.
chef-zero is installed beneath `/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/` and can be loaded inside `/opt/chef/embedded/irb` without problems.
## sys#21: Allow arrays of groups for node['sys']['pam']['group']

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/21 | Author: Christopher Huhn | Updated: 2022-11-23T10:41:02Z

```
sys: {
  pam: {
    group: [
      { usr: 'john', grp: %w[group1 group2] }
    ]
  },
}
```
renders to
```
*;*;john;Al0000-2400;["group1", "group2"]
```
instead of
```
*;*;john;Al0000-2400;group1,group2
```
## sys#22: Handle arrays in sys::banner

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/22 | Author: Christopher Huhn | Updated: 2021-08-16T12:05:01Z

`sys::banner` should be able to handle arrays (by joining them with newlines instead of the implicit `to_s`).
```
node['sys']['banner']['footer'] = [ "line 1", "line 2" ]
```
should result in
```
line 1
line 2
```
instead of
```
["line 1", "line 2"]
```
in `/etc/motd`.
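Both sys#21 and sys#22 are the same defect: an attribute that may be a String or an Array is interpolated with the implicit `to_s`, so an Array renders as its `inspect` form. The Ruby below is an added example, not the cookbook's template code, showing the naive rendering next to a version that accepts either shape. For the pam_group line it also rejects user and group names that could not be real Unix names, because group.conf(5) fields are `;`-separated and a name containing `;` would shift the fields. The field defaults (`*`, `Al0000-2400`), the symbol-keyed entry layout and the name regex are assumptions for the example.

```ruby
# Naive rendering as implied by the bug report: an Array ends up as its
# inspect form, e.g. ["group1", "group2"].
def naive_group_field(entry)
  "#{entry[:grp]}"
end

# Names are checked before rendering because group.conf(5) uses ';' as the
# field separator. The regex (usual Unix name syntax) is an assumption.
NAME_RE = /\A[a-z_][a-z0-9_-]*\z/.freeze

def checked_names(value)
  Array(value).map(&:to_s).each do |name|
    raise ArgumentError, "invalid user/group name #{name.inspect}" unless name.match?(NAME_RE)
  end
end

# Renders one pam_group line: services;ttys;users;times;groups
# :usr and :grp may each be a String or an Array; both are comma-joined.
def pam_group_line(entry)
  entry    = entry.transform_keys(&:to_sym)
  services = entry.fetch(:services, '*')
  ttys     = entry.fetch(:ttys, '*')
  times    = entry.fetch(:times, 'Al0000-2400')
  users    = checked_names(entry.fetch(:usr)).join(',')
  groups   = checked_names(entry.fetch(:grp)).join(',')
  [services, ttys, users, times, groups].join(';')
end

# Renders a banner attribute that is either a String or an Array of lines.
def banner_text(value)
  Array(value).map(&:to_s).join("\n")
end

# Constructed input taken from sys#21 (with %w the attribute is an Array).
PAM_ENTRY = { usr: 'john', grp: %w[group1 group2] }.freeze

if $PROGRAM_NAME == __FILE__
  puts naive_group_field(PAM_ENTRY)   # the broken form from the report
  puts pam_group_line(PAM_ENTRY)      # the expected form
  puts banner_text(['line 1', 'line 2'])
end
```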
## sys#23: Reset symlinks of unit files

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/23 | Author: m.pausch | Updated: 2021-08-16T12:04:22Z | Assignee: m.pausch

When a systemd unit file changes on disk, only `systemctl daemon-reload` is run. Systemd will then consider all the new attributes that are set in the unit file, except for attributes of the `[Install]` section, which require a change of the symlinks that are created when the unit is first enabled.
This should be fixed by running `systemctl reenable unit.type` whenever the `[Install]` section of the unit changes.
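One way to decide which `systemctl` calls a changed unit file needs, as an added example that is not the cookbook's implementation: compare only the `[Install]` section of the old and new file contents and add `reenable` when it differs, since that section is what the `*.wants/` and alias symlinks are derived from, while everything else is picked up by `daemon-reload` alone. The sample unit texts are constructed; the parser handles `[Section]` headers, `Key=Value` lines and comments, and does not implement line continuations from systemd.syntax(7).

```ruby
# Minimal unit-file parser: { 'Section' => ['Key=Value', ...] }.
# Comments (# or ;) and blank lines are ignored and whitespace is trimmed;
# that is enough to compare sections, it is not a full systemd.syntax(7)
# parser (no backslash line continuations).
def unit_sections(text)
  sections = Hash.new { |h, k| h[k] = [] }
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1]
    elsif current
      sections[current] << line
    end
  end
  sections
end

def install_section_changed?(old_text, new_text)
  unit_sections(old_text)['Install'].sort != unit_sections(new_text)['Install'].sort
end

# Commands a resource should trigger after rewriting `unit`: daemon-reload
# for any on-disk change, plus reenable when [Install] (WantedBy=,
# RequiredBy=, Alias=, ...) changed, because reenable = disable + enable
# also removes symlinks that the old [Install] section created.
def systemctl_actions(old_text, new_text, unit)
  return [] if old_text == new_text
  actions = ['systemctl daemon-reload']
  actions << "systemctl reenable #{unit}" if install_section_changed?(old_text, new_text)
  actions
end

# Constructed sample units (not from the cookbook).
OLD_UNIT = <<~UNIT
  [Unit]
  Description=example service

  [Service]
  ExecStart=/usr/bin/true

  [Install]
  WantedBy=multi-user.target
UNIT
NEW_UNIT     = OLD_UNIT.sub('WantedBy=multi-user.target', 'WantedBy=default.target')
SERVICE_ONLY = OLD_UNIT.sub('/usr/bin/true', '/bin/true')

if $PROGRAM_NAME == __FILE__
  puts systemctl_actions(OLD_UNIT, SERVICE_ONLY, 'example.service')
  puts systemctl_actions(OLD_UNIT, NEW_UNIT, 'example.service')
end
```

In a Chef resource the old text is the file currently on disk and the new text the rendered template, so the comparison can run before the file is written and the notifications chosen accordingly.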
## sys#24: Mail config w/o relay host

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/24 | Author: Christopher Huhn | Updated: 2021-08-16T12:07:44Z

`sys::mail` does nothing unless a smart host is to be configured.
This should not be mandatory, standalone mail config with local spooling might be desirable too.
## sys#25: No DNS-RR-Names in autofs.conf?

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/25 | Author: Christopher Huhn | Updated: 2021-10-19T10:55:05Z | Assignee: m.pausch

It seems like DNS-RR-Names (multiple A-Records for the same domain name, e.g. ldap.hpc.gsi.de) cannot be used [here](templates/default/etc_autofs.conf.erb#L11) in `/etc/autofs.conf` (aka `node['sys']['autofs']['ldap']['servers']`).

* Is this a known problem?
* Is it a bug?
* If not: what is the reasoning behind it?
* Is it documented somewhere?
## sys#26: journald support

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/26 | Author: Christopher Huhn | Updated: 2022-07-18T09:48:07Z

Properly configure `journald`:

- [ ] create `/var/log/journal`
- [ ] configure sensible retentions in `/etc/journald.conf`
- [ ] manage `systemd-journald` group membership?
- [ ] investigate relation to syslog (avoid duplication of logs etc.)
## fai#2: Eliminate GSI specifics from FAI sources.list

Issue: https://git.gsi.de/chef/cookbooks/fai/-/issues/2 | Author: Christopher Huhn | Updated: 2022-01-18T11:21:09Z

The [addition of the security updates repo](templates/default/fai_sources.list.erb#L6-22) is totally GSI-specific and does not work for security.d.o.
Also for Bullseye and beyond the suite name changed from `[codename]/updates` to `[codename]-security`.
## sys#27: Flawed logic in sys::pam

Issue: https://git.gsi.de/chef/cookbooks/sys/-/issues/27 | Author: Christopher Huhn | Updated: 2022-02-08T15:04:35Z | Assignee: m.pausch

Looking at possible ways to make `sys::pam` configure `pam_krb5` without an existing Kerberos keytab I stumbled upon [this code](recipes/pam.rb#L115-119).
It makes the strong assumption that a section with the hard-coded descriptive name *Kerberos authentication* should not be enabled if a hard-coded file `/etc/krb5.keytab` does not exist.
This is strongly coupled to the GSI specific setup in our wrapper cookbook and does not belong here IMHO.
The logic should be deleted here and moved to the wrapper cookbook.
In the big picture it may be completely superfluous:

1. The *Kerberos authentication* `pamupdate` stanza is defined with `Default = 'no'` in the wrapper cookbook and has to be turned on explicitly.
2. The configuration of the `pam_krb5` module *must not* break logins in case of misconfiguration or inoperable Kerberos infrastructure.