Encrypted databags with chef solo


Encrypted databags with chef solo

Yoann DAVID
I've read the source code of the chef-solo provisioner (https://github.com/mitchellh/vagrant/blob/a1b16fd96d80439fca0c40470a608710b3439f50/lib/vagrant/provisioners/chef_solo.rb); from my understanding it seems to have 2 variables for working with encrypted data bags and chef-solo:

    encrypted_data_bag_secret_key_path = path of the secret file (used to encrypt the data bag) on the local file system
    encrypted_data_bag_secret = path and filename of the same secret file in the Vagrant box

I understand that Vagrant uploads the secret file from encrypted_data_bag_secret_key_path on the local FS to encrypted_data_bag_secret in the Vagrant box.

So I put this in my Vagrantfile:
    encrypted_data_bag_secret_key_path = "./data_bag_key"

(my secret file is named data_bag_key and is in the same directory as the Vagrantfile)

    encrypted_data_bag_secret = "/tmp/my_data_bag_key"

But when I launch the Vagrant box I get the following error:

Errno::ENOENT: No such file or directory - file not found '/tmp/encrypted_data_bag_secret'
 
I saw in the source file that the encrypted_data_bag_secret variable takes the value /tmp/encrypted_data_bag_secret by default, but why, when my variable is set?

When I connect through ssh to my box, there is no /tmp/my_data_bag_key and no /tmp/encrypted_data_bag_secret.

If I upload the secret file to /tmp/my_data_bag_key myself and launch vagrant provision, my cookbook works fine...

Can you help me?
What have I misunderstood?

Thanks a lot

Yoann

Re: Encrypted databags with chef solo

James Cuzella
Hi Yoann,

I was able to get encrypted data bags working by only setting chef.encrypted_data_bag_secret_key_path to the path of my host laptop's encrypted_data_bag_secret.  I then run vagrant up, and it appears that it was placed in /tmp/encrypted_data_bag_secret inside the Vagrant VM.

So, in my Vagrantfile, I have:

config.vm.provision :chef_solo do |chef|
    chef.cookbooks_path = [ 'chef/cookbooks', 'chef/cookbooks-sources' ]

    # Set chef provisioner log level [ :debug, :info, :warn, :error, :fatal ]
    chef.log_level = :debug

    chef.data_bags_path    = './data_bags'
    chef.encrypted_data_bag_secret_key_path = "#{ENV['HOME']}/.chef/encrypted_data_bag_secret"
    
    # Add any recipes you like
    chef.add_recipe 'mycookbook::myrecipe'

    # Add any attributes you want
    chef.json.merge!({ mycookbook: { attr1: '1', attr2: '2' } })
end

In the Vagrant VM, I also noticed that the paths were configured in /tmp/vagrant-chef-1/solo.rb like this:

    encrypted_data_bag_secret "/tmp/encrypted_data_bag_secret"

    data_bag_path "/tmp/vagrant-chef-1/chef-solo-3/data_bags"

As there is no official documentation of this feature yet, I hope this helps!

- James

On Friday, January 18, 2013 1:22:50 PM UTC-7, Yoann DAVID wrote the message quoted above.
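The thread turns on where the data bag secret file has to exist: Chef reads it on the guest at the path given by encrypted_data_bag_secret (by default /tmp/encrypted_data_bag_secret), and Vagrant only uploads it there when the provisioner is told where the host copy lives. Note also that the assignments in the question are bare Ruby local variables; in a Vagrantfile the settings only take effect when set on the provisioner object, as the answer's chef.encrypted_data_bag_secret_key_path does. The following Ruby program is an added example, not code from the thread, from Vagrant or from Chef: it shows what that secret file actually protects by encrypting and decrypting a data bag item the way Chef's version-1 encrypted data bag format does, as I understand it (AES-256-CBC, key derived as SHA-256 of the secret file contents, a fresh IV per field, Base64 output). The module name DataBagCrypto, the helper demo and the sample item are assumptions for illustration; verify against the Chef source before relying on byte-for-byte compatibility with real encrypted data bags.

```ruby
# Added example (not from the thread, Vagrant or Chef): a Chef-style encrypted
# data bag round trip, to show why the secret file must be present on the guest.
# Format modelled on Chef's version-1 encrypted data bags (assumption):
#   every field except "id" -> {"encrypted_data", "iv", "version", "cipher"}
require 'openssl'
require 'digest'
require 'base64'
require 'json'
require 'tmpdir'

module DataBagCrypto
  CIPHER = 'aes-256-cbc'

  # The AES key is derived from the whole secret file (as Chef does, trailing
  # whitespace stripped). A missing file is the Errno::ENOENT seen in the question.
  def self.key_from_secret_file(path)
    raise Errno::ENOENT, path unless File.exist?(path)
    Digest::SHA256.digest(File.read(path).strip)
  end

  # Encrypt each field separately with its own random IV; "id" stays in clear.
  def self.encrypt_item(plain, key)
    plain.each_with_object({}) do |(field, value), out|
      if field == 'id'
        out[field] = value
        next
      end
      cipher = OpenSSL::Cipher.new(CIPHER)
      cipher.encrypt
      cipher.key = key
      iv = cipher.random_iv                       # generates, sets and returns the IV
      wrapped = { 'json_wrapper' => value }.to_json
      ciphertext = cipher.update(wrapped) + cipher.final
      out[field] = {
        'encrypted_data' => Base64.strict_encode64(ciphertext),
        'iv'             => Base64.strict_encode64(iv),
        'version'        => 1,
        'cipher'         => CIPHER
      }
    end
  end

  # Reverse of encrypt_item. A wrong key fails in cipher.final (bad padding) or,
  # rarely, in JSON.parse; either way the caller never gets plausible plaintext.
  def self.decrypt_item(enc, key)
    enc.each_with_object({}) do |(field, value), out|
      if field == 'id'
        out[field] = value
        next
      end
      cipher = OpenSSL::Cipher.new(value['cipher'])
      cipher.decrypt
      cipher.key = key
      cipher.iv = Base64.strict_decode64(value['iv'])
      plain = cipher.update(Base64.strict_decode64(value['encrypted_data'])) + cipher.final
      out[field] = JSON.parse(plain)['json_wrapper']
    end
  end
end

# Constructed demo: a throwaway secret file and item, plus the two failure modes
# a practitioner hits (wrong secret, secret file absent at the expected path).
def demo
  Dir.mktmpdir do |dir|
    secret_path = File.join(dir, 'data_bag_key')
    File.write(secret_path, OpenSSL::Random.random_bytes(64).unpack1('H*'))
    item = { 'id' => 'db', 'password' => 's3cret', 'port' => 5432 }

    key = DataBagCrypto.key_from_secret_file(secret_path)
    enc = DataBagCrypto.encrypt_item(item, key)
    dec = DataBagCrypto.decrypt_item(enc, key)

    wrong_key = begin
      DataBagCrypto.decrypt_item(enc, Digest::SHA256.digest('not-the-secret'))
      :decrypted
    rescue StandardError
      :rejected
    end

    missing = begin
      DataBagCrypto.key_from_secret_file(File.join(dir, 'encrypted_data_bag_secret'))
      :found
    rescue Errno::ENOENT
      :enoent
    end

    {
      id_in_clear:     enc['id'] == 'db',
      password_hidden: enc['password'].is_a?(Hash) && enc['password']['version'] == 1,
      roundtrip:       dec == item,
      wrong_key:       wrong_key,
      missing_secret:  missing
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Two things worth checking on a provisioned guest follow from this: whoever can read the uploaded secret file can decrypt every item in every encrypted data bag, so the mode of /tmp/encrypted_data_bag_secret (or whatever path encrypted_data_bag_secret names) deserves a look after vagrant provision, and the host-side key file referenced by encrypted_data_bag_secret_key_path should stay out of the repository that holds the Vagrantfile and the encrypted data bags.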
