cookbooks issues
https://git.gsi.de/groups/chef/cookbooks/-/issues
2023-11-30T17:22:10Z

https://git.gsi.de/chef/cookbooks/sys/-/issues/44
regex in sys_module load guard too broad
2023-11-30T17:22:10Z
Christopher Huhn

`lsmod | grep #{module_name}` will match if the module name is contained as a substring of another loaded module and the module will not be loaded.
Eg. `msr` and `intel_rapl_msr`.
`"grep '^#{module_name} ' /proc/modules"` seems to be a better solution.

Debian Bookworm

https://git.gsi.de/chef/cookbooks/sys/-/issues/45
kernel_up2date no longer works on Bullseye (and Bookworm)
2023-12-01T14:46:40Z
Christopher Huhn

`kernel_up2date` no longer detects the newest running kernel correctly on Bullseye.
The culprit seems to be that `grep-status -n -s Depends -P linux-image-amd64` not only reports the package name but also a package version eg.
```
λ › grep-status -n -s Depends -P linux-image-amd64
linux-image-5.10.0-26-amd64 (= 5.10.197-1)
```
Also affects the 5.10 backports kernel on Buster.

Debian Bullseye

https://git.gsi.de/chef/cookbooks/sys/-/issues/41
Get rid of treetop dependency
2023-03-23T16:49:25Z
Christopher Huhn

The lsi ohai plugin depends on the treetop gem. While it is easy to install the `ruby-treetop` Debian package on nodes with system-installed chef-client, it is a PITA to deploy the gem as a `chef_gem` on Omnibus-installed chef/cinc nodes, esp. on machines without internet access.
Best way forward would be to drop the treetop dependency. Maybe the lsi ohai plugin has been superseded by the storcli plugin anyhow?

Debian Bullseye
m.pausch

https://git.gsi.de/chef/cookbooks/sys/-/issues/18
`chef_zero/server` Ruby module not found in Serverspec test for omnibus-installed chef-clients
2022-06-09T16:38:10Z
Christopher Huhn

`require 'chef_zero/server'` fails in `kitchen verify` with serverspec when an omnibus-packaged chef client is installed.
chef-zero is installed beneath `/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/` and can be loaded inside `/opt/chef/embedded/irb` without problems.

Debian Bullseye

https://git.gsi.de/chef/cookbooks/fai/-/issues/1
Manage apt repository keys
2020-05-28T10:10:05Z
Christopher Huhn

Add possibility to add apt repo keys to installation nfsroots via `/etc/fai/apt/keys/` and `/etc/fai/flavors/[flavor]/apt/keys/`
Also requires the addition of `gnupg` to the nfsroot via `debootstrap`:
```
FAI_DEBOOTSTRAP_OPTS='[…] --include=gnupg'
```

Debian Buster

https://git.gsi.de/chef/cookbooks/sys/-/issues/48
sys::nftables points to the non-existent sys::firewall
2024-02-19T10:45:08Z
Christopher Huhn

`sys::nftables` emits a warning recommending to use `sys::firewall` instead. The latter doesn't seem to exist.

m.pausch

https://git.gsi.de/chef/cookbooks/sys/-/issues/46
Ohai plugin names must not be capitalized in ohai.disabled_plugins in /etc/chef/client.rb
2023-12-13T18:21:36Z
Christopher Huhn

The template for /etc/chef/client.rb treats every plugin to be disabled with `capitalize.to_sym`.
Example: This unconditionally turns `:CPU` or `'UNACCEPTABLE'` into `:Cpu` or `:Unacceptable`, making it impossible to turn off CPU information gathering.

https://git.gsi.de/chef/cookbooks/sys/-/issues/27
Flawed logic in sys::pam
2022-02-08T15:04:35Z
Christopher Huhn

Looking at possible ways to make `sys::pam` configure `pam_krb5` without existing Kerberos keytab I stumbled upon [this code](recipes/pam.rb#L115-119).
It makes the strong assumption that a section with the hard-coded descriptive name *Kerberos authentication* should not be enabled if a hard-coded file `/etc/krb5.keytab` does not exist.
This is strongly coupled to the GSI specific setup in our wrapper cookbook and does not belong here IMHO.
The logic should be deleted here and moved to the wrapper cookbook.
In the big picture it may be completely superfluous:
1. The *Kerberos authentication* `pamupdate` stanza is defined with `Default = 'no'` in the wrapper cookbook and has to be turned on explicitly.
2. The configuration of the `pam_krb5` module *must not* break logins in case of misconfiguration or inoperable Kerberos infrastructure.

m.pausch

https://git.gsi.de/chef/cookbooks/fai/-/issues/2
Eliminate GSI specifics from FAI sources.list
2022-01-18T11:21:09Z
Christopher Huhn

The [addition of the security updates repo](templates/default/fai_sources.list.erb#L6-22) is totally GSI-specific and does not work for security.d.o.
Also for Bullseye and beyond the suite name changed from `[codename]/updates` to `[codename]-security`.

https://git.gsi.de/chef/cookbooks/sys/-/issues/26
journald support
2022-07-18T09:48:07Z
Christopher Huhn

Properly configure `journald`:
- [ ] create `/var/log/journal`
- [ ] configure sensible retentions in `/etc/journald.conf`
- [ ] manage `systemd-journald` group membership?
- [ ] investigate relation to syslog (avoid duplication of logs etc.)

https://git.gsi.de/chef/cookbooks/sys/-/issues/25
No DNS-RR-Names in autofs.conf?
2021-10-19T10:55:05Z
Christopher Huhn

It seems like DNS-RR-Names (multiple A-Records for the same domain name eg. ldap.hpc.gsi.de) cannot be used [here](templates/default/etc_autofs.conf.erb#L11) in `/etc/autofs.conf` (aka `node['sys']['autofs']['ldap']['servers']`).
* Is this a known problem?
* Is it a bug?
* If not: what is the reasoning behind it?
* Is it documented somewhere?

m.pausch

https://git.gsi.de/chef/cookbooks/sys/-/issues/24
Mail config w/o relay host
2021-08-16T12:07:44Z
Christopher Huhn

`sys::mail` does nothing unless a smart host is to be configured.
This should not be mandatory, standalone mail config with local spooling might be desirable too.

https://git.gsi.de/chef/cookbooks/sys/-/issues/23
Reset symlinks of unit files
2021-08-16T12:04:22Z
m.pausch

When a systemd unit file changes on disk, only `systemctl daemon-reload` is run. Systemd will then consider all the new attributes that are set in the unit file, except for attributes of the `[Install]` section, which require a change of the symlinks that are created when the unit is first enabled.
This should be fixed by running `systemctl reenable unit.type` whenever the `[Install]` section of the unit changes.

m.pausch

https://git.gsi.de/chef/cookbooks/sys/-/issues/22
Handle arrays in sys::banner
2021-08-16T12:05:01Z
Christopher Huhn

`sys::banner` should be able to handle arrays (by joining them with newlines instead of the implicit `to_s`).
```
node['sys']['banner']['footer'] = [ "line 1", "line 2" ]
```
should result in
```
line 1
line 2
```
instead of
```
["line 1", "line 2"]
```
in `/etc/motd`.

https://git.gsi.de/chef/cookbooks/sys/-/issues/21
Allow arrays of groups for node['sys']['pam']['group']
2022-11-23T10:41:02Z
Christopher Huhn

```
sys: {
  pam: {
    group: [
      { usr: 'john', grp: %w[group1 group2] }
    ]
  },
}
```
renders to
```
*;*;john;Al0000-2400;["group1", "group2"]
```
instead of
```
*;*;john;Al0000-2400;group1,group2
```

https://git.gsi.de/chef/cookbooks/sys/-/issues/17
template_header helper output for LWRPs
2020-11-27T15:55:31Z
Christopher Huhn

For config files created by LWRPs (like `sys_apt_conf`) `@recipe_name` is `nil` and the output looks like:
```
# Created by sys:: (line 32) from template …
```

https://git.gsi.de/chef/cookbooks/sys/-/issues/16
Monkey patch apt_repository on Stretch
2020-07-17T07:39:55Z
Christopher Huhn

Key management does not work on Stretch, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858265
and
https://github.com/chef/chef/commit/d7ac39bb7a7f710726bfd1adcf32ea07e6cb711d

https://git.gsi.de/chef/cookbooks/sys/-/issues/15
Add SSH keys from account data bags
2023-02-17T15:50:59Z
Christopher Huhn

Currently no logic exists to automatically add SSH keys from account data bags to `~/authorized_keys`.

https://git.gsi.de/chef/cookbooks/sys/-/issues/14
node['sys']['ssh']['config'] and node['sys']['ssh']['ssh_config'] handle options differently
2020-05-29T15:06:26Z
Christopher Huhn

`node['sys']['ssh']['config']` takes a hash as config:
```
{ host_pattern1: { key: value, … }, … }
```
In contrast `node['sys']['ssh']['ssh_config']` takes an array as config:
```
[ {host_pattern1: { key: value, … }}, … ]
```
I see no reason to have the same host pattern multiple times w/o merging.
OTOH ordering may be relevant (→ array).
Anyhow these attributes should behave similarly.

https://git.gsi.de/chef/cookbooks/sys/-/issues/11
[sys::hosts] Drop managing '/etc/hosts' as a template
2019-11-13T14:27:04Z
Christopher Huhn

I think that managing '/etc/hosts' as a template is a rather bad idea and should be dropped completely.
Cf. https://github.com/GSI-HPC/sys-chef-cookbook/issues/8