Packer: Packer inspec provisioner test failing with \r error

Created on 16 Apr 2019  Â·  12Comments  Â·  Source: hashicorp/packer

Packer inspec provisioner incorrectly determines a files user and owner

  • Packer version 1.3.5 and 1.4.0
  • Host platform RHEL 6, 7, and Amazon Linux 2, using the amazon-ebs builder

This is my provisioners section of my template:

"provisioners": [{
    "type": "inspec",
    "profile": "./file.rb"
 }]

file.rb has:

describe file('/etc/ssh/sshd_config') do
  its('mode') { should cmp '0600' }
  it { should be_owned_by 'root' }
  its('group') { should eq 'root' }
end

The output from packer shows:

    amazon-ebs:
    amazon-ebs: Profile: tests from ./file.rb (tests from ..file.rb)
    amazon-ebs: Version: (not specified)
    amazon-ebs: Target:  ssh://[email protected]:59032
    amazon-ebs:
    amazon-ebs:   File /etc/ssh/sshd_config
    amazon-ebs:      ×  should be owned by "root"
    amazon-ebs:      expected `File /etc/ssh/sshd_config.owned_by?("root")` to return true, got false
    amazon-ebs:      ✔  mode should cmp == "0600"
    amazon-ebs:      ×  group should eq "root"
    amazon-ebs:
    amazon-ebs:      expected: "root"
    amazon-ebs:           got: "root\r"
    amazon-ebs:
    amazon-ebs:      (compared using ==)
    amazon-ebs:
    amazon-ebs:
    amazon-ebs: Test Summary: 1 successful, 2 failures, 0 skipped
==> amazon-ebs: Error executing Inspec: Non-zero exit status: exit status 100

If I run the same inspec test file, but directly using the inspec command outside of packer to the same host I get:

```Profile: tests from ./file.rb (tests from ..file.rb)
Version: (not specified)
Target: ssh://[email protected]:22

File /etc/ssh/sshd_config
✔ should be owned by "root"
✔ mode should cmp == "0600"
✔ group should eq "root"

Test Summary: 3 successful, 0 failures, 0 skipped
```

bug community-supported plugin provisioneinspec
Source
picture thompsm

Most helpful comment

@xinau Any chance you can take a peek at this?

picture SwampDragons on 16 Apr 2019
👍4

All 12 comments

@xinau Any chance you can take a peek at this?

SwampDragons picture SwampDragons on 16 Apr 2019
👍4

@SwampDragons I will take a look at it, but I'm not sure how much time I can invest the upcoming weeks.

xinau picture xinau on 16 Apr 2019

@SwampDragons / @xinau +1 from me! This is also affecting my packer workflows.

In my particular case, I'm trying to build templates in Azure.

I'm using:

Managed agent on CentOS 7
Packer 1.4.0
Using the azure-arm builder

jaca783 picture jaca783 on 19 Apr 2019

@jaca783 @SwampDragons

I'm currently trying to find a way to 'normalise' the data before the assertion. No joy yet. But for now, a hacky work-around for this would be to substitute the file resource with a command resource.

So for example for the file permissions

describe command('stat -f '%A %a %n' /etc/ssh/sshd_config' | cut -d " " -f1') do
its('stdout') should_match /600/
end

The other assertions something similar could be done?

christianclarke picture christianclarke on 9 May 2019

@christianclarke I was playing around with .strip() to try and keep the changes to the tests to a minimum but I'm using profiles which are prepared by others (like DevSec or CIS) and did not want to make that many changes to the individual controls as there are dozens/hundreds. But if I have to I will use a workaround.

jaca783 picture jaca783 on 16 May 2019

I ran into something similar. In my case I had this set in my template: "ssh_pty": true. When I switched this to false my tests passed.

russellcardullo picture russellcardullo on 16 May 2019
👍2

I ran into something similar. In my case I had this set in my template: "ssh_pty": true. When I switched this to false my tests passed.

Thanks this fixed it for me as well!

seanschade picture seanschade on 21 May 2019

Hey guys - that's good news. I'm just wondering in what part of the packer.json config do you set that to? Is it in the provisioner itself? If you could share any examples I would really appreciate it. Thanks!

jaca783 picture jaca783 on 23 May 2019

@jaca783, in the builder section: https://www.packer.io/docs/templates/communicator.html#ssh_pty

In Packer's code the communicator struct is embedded in the builder struct.

azr picture azr on 23 May 2019

I ran into something similar. In my case I had this set in my template: "ssh_pty": true. When I switched this to false my tests passed.

Thanks this fixed it for me as well!

Finally got round to testing the "ssh-pty": false setting and it fixes it for me too. Also I'm now using packer 1.4.1 and with "ssh-pty": true, it still fails with the \r issue so the original bug is still present.

thompsm picture thompsm on 31 May 2019
👍2

this is a problem for me too. our build requires "ssh-pty": true. getting \r in user/group checks

drewmullen picture drewmullen on 7 Nov 2019

I use "amazon-ebs" builder to create AMI for different platforms(Debian9, Debian10, Ubuntu16, Ubuntu18, CentOS7 and Amazon-2).
Tests are failed only for RHEL based system(CentOS and Amazon-2) when ones run it via Inspec provioner(if I run locally, all tests are passed)
Packer 1.5.6
Do you have any updates on this issue?

aisachenka picture aisachenka on 3 Jun 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

shashanksinha89 picture shashanksinha89  Â·  3Comments
craigsimon picture craigsimon  Â·  3Comments
tleyden picture tleyden  Â·  3Comments
DanielBo picture DanielBo  Â·  3Comments
wduncanfraser picture wduncanfraser  Â·  3Comments