- Fixes Issue [sous-chefs#204](sous-chefs#204 Please enter the commit…

… message for your changes. Lines starting

- Addresses linting issues
- Fixes an issue with the `user-seed.conf` file
- Ensures that splunk is installed prior to anything in the `chef-splunk::service` recipe executes
- Fixes Chef Delivery job in Github Actions: checks out `main` branch instead of `master` branch
- Changes the `#systemd?` helper method to remove the reliance on the node data (workaround to a Chef 17 compatibility issue)
- Removes `chef-vault` as a dependency in the metadata.rb, as chef-vault was included in Chef Infra Client 13.4+
- Increase the minimum supported Chef version to 15.3 for unified mode

Signed-off-by: Dang H. Nguyen <[email protected]>

.github/workflows/ci.yml

@@ -12,27 +12,27 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@master
+        uses: actions/checkout@main
       - name: Run Chef Delivery
-        uses: actionshub/chef-delivery@master
+        uses: actionshub/chef-delivery@1.0.0
         env:
           CHEF_LICENSE: accept-no-persist
 
   yamllint:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@master
+        uses: actions/checkout@main
       - name: Run yaml Lint
-        uses: actionshub/yamllint@master
+        uses: actionshub/yamllint@1.0.0
 
   mdl:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@master
+        uses: actions/checkout@main
       - name: Run Markdown Lint
-        uses: actionshub/markdownlint@master
+        uses: actionshub/markdownlint@2.0.2
 
   dokken:
     needs: [mdl, yamllint, delivery]
@@ -66,11 +66,11 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@master
+        uses: actions/checkout@main
       - name: Install Chef
-        uses: actionshub/chef-install@master
+        uses: actionshub/chef-install@2.0.1
       - name: Dokken
-        uses: actionshub/kitchen-dokken@master
+        uses: actionshub/kitchen-dokken@1.0.1
         env:
           CHEF_LICENSE: accept-no-persist
           KITCHEN_LOCAL_YAML: kitchen.dokken.yml
@@ -82,11 +82,11 @@ jobs:
         run: |
             set -x
             sudo journalctl -l --since today
-            KITCHEN_LOCAL_YAML=kitchen.dokken.yml /usr/bin/kitchen exec ${{ matrix.suite }}-${{ matrix.os }} -c "journalctl -l"
+            KITCHEN_LOCAL_YAML=kitchen.dokken.yml kitchen exec ${{ matrix.suite }}-${{ matrix.os }} -c "journalctl -l"
 
   final:
     needs: [dokken]
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@master
+        uses: actions/checkout@main

.rubocop_todo.yml

@@ -1,14 +1,13 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2020-06-30 20:30:26 -0700 using RuboCop version 0.75.1.
+# on 2021-03-15 22:17:31 UTC using RuboCop version 1.7.0.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
 # Offense count: 1
----
-ChefCorrectness/NodeNormal:
+Chef/Correctness/NodeNormal:
   Exclude:
     - '**/metadata.rb'
     - '**/Berksfile'

CHANGELOG.md

@@ -4,6 +4,15 @@ This file is used to list changes made in each version of the splunk cookbook.
 
 ## Unreleased
 
+- Fixes Issue [#204](https://github.com/sous-chefs/chef-splunk/issues/204)# Please enter the commit message for your changes. Lines starting
+- Addresses linting issues
+- Fixes an issue with the `user-seed.conf` file
+- Ensures that splunk is installed prior to anything in the `chef-splunk::service` recipe executes
+- Fixes Chef Delivery job in Github Actions: checks out `main` branch instead of `master` branch
+- Changes the `#systemd?` helper method to remove the reliance on the node data (workaround to a Chef 17 compatibility issue)
+- Removes `chef-vault` as a dependency in the metadata.rb, as chef-vault was included in Chef Infra Client 13.4+
+- Increase the minimum supported Chef version to 15.3 for unified mode
+
 ## 7.2.0 - *2021-03-12*
 
 - Sous Chefs Adoption

kitchen.dokken.yml

@@ -1,8 +1,9 @@
 driver:
   name: dokken
   privileged: true  # because Docker and SystemD/Upstart
-  chef_version: <%= ENV['CHEF_VERSION'] || 'current' %>
+  chef_version: <%= ENV['CHEF_VERSION'] || 'latest' %>
   chef_license: accept-no-persist
+  clean_dokken_sandbox: true
 
 transport:
   name: dokken

kitchen.yml

@@ -1,6 +1,6 @@
 ---
 provisioner:
-  deprecations_as_errors: true
+  deprecations_as_errors: false
   multiple_converge: 2  # The second converge here is to pass specefic tests that need Splunk to be restarted
   chef_license: accept
   data_bags_path: test/integration/data_bags
@@ -55,6 +55,7 @@ suites:
     attributes:
       splunk:
         accept_license: true
+        is_server: false
 
   - name: client-inputs-outputs
     run_list:

libraries/helpers.rb

@@ -110,7 +110,7 @@ def splunk_auth(auth)
 
     def splunk_login_successful?
       return false unless splunk_installed?
-      login = shell_out(splunk_cmd(%w(login -auth node.run_state['splunk_auth_info'])))
+      login = shell_out(splunk_cmd(['login', '-auth', node.run_state['splunk_auth_info']]))
       login.stderr.strip.empty? && login.stdout.strip.empty? && login.exitstatus == 0
     end
 
@@ -124,7 +124,7 @@ def splunk_runas_user
     end
 
     def splunk_service_provider
-      if node['init_package'] == 'systemd'
+      if systemd?
         Chef::Provider::Service::Systemd
       else
         Chef::Provider::Service::Init
@@ -269,7 +269,8 @@ def upgrade_enabled?
     end
 
     def systemd?
-      node['init_package'] == 'systemd'
+      ps1 = shell_out('ps --no-headers 1')
+      ps1.stdout.strip.match?(/systemd$/)
     end
   end
 end

metadata.rb

@@ -6,16 +6,12 @@
 version           '7.2.0'
 source_url        'https://github.com/sous-chefs/chef-splunk'
 issues_url        'https://github.com/sous-chefs/chef-splunk/issues'
-chef_version      '>= 13.11'
+chef_version      '>= 15.3'
 
 supports 'amazon'
 supports 'centos'
 supports 'debian'
 supports 'redhat'
 supports 'ubuntu'
 
-# please read the README.md section regarding data bag fallback if you
-# do not use chef-vault
-
-depends 'chef-vault', '>= 4.0'
 depends 'ec2-tags-ohai-plugin', '>= 0.2.4'

recipes/server.rb

@@ -16,6 +16,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+unless license_accepted?
+  Chef::Log.fatal('You did not accept the license (set node["splunk"]["accept_license"] to true)')
+  raise 'Splunk license was not accepted'
+end
+
 node.default['splunk']['is_server'] = true
 
 include_recipe 'chef-splunk::user' unless run_as_root?
@@ -24,7 +29,7 @@
 include_recipe 'chef-splunk::setup_auth' if setup_auth?
 
 execute 'update-splunk-mgmt-port' do
-  command splunk_cmd("set splunkd-port #{node['splunk']['mgmt_port']} -auth '#{node.run_state['splunk_auth_info']}'")
+  command splunk_cmd("set splunkd-port #{node['splunk']['mgmt_port']} -auth '#{node.run_state['splunk_auth_info']}' --accept-license")
   sensitive true unless Chef::Log.debug?
   not_if { current_mgmt_port == node['splunk']['mgmt_port'] }
   notifies :restart, 'service[splunk]' unless disabled?
@@ -33,7 +38,7 @@
 ruby_block 'enable-splunk-receiver-port' do
   sensitive true unless Chef::Log.debug?
   block do
-    splunk = Mixlib::ShellOut.new(splunk_cmd("enable listen #{node['splunk']['receiver_port']} -auth #{node.run_state['splunk_auth_info']}"))
+    splunk = Mixlib::ShellOut.new(splunk_cmd("enable listen #{node['splunk']['receiver_port']} -auth #{node.run_state['splunk_auth_info']} --accept-license"))
     splunk.run_command
     true if splunk.stderr.include?("Configuration for port #{node['splunk']['receiver_port']} already exists")
   end

recipes/service.rb

@@ -21,6 +21,8 @@
   raise 'Splunk license was not accepted'
 end
 
+include_recipe 'chef-splunk' unless splunk_installed?
+
 if server?
   directory splunk_dir do
     owner splunk_runas_user
@@ -105,8 +107,9 @@
   status_command svc_command('status')
   timeout 1800
   provider splunk_service_provider
+  only_if { ::File.exist?(node['splunk']['startup_script']) }
   unless disabled?
-    subscribes :restart, 'template[user-seed.conf]', :immediately
+    subscribes :restart, 'file[user-seed.conf]', :immediately
     subscribes :restart, "user[#{node['splunk']['user']['username']}]", :immediately
   end
 end

recipes/setup_auth.rb

@@ -29,9 +29,13 @@
 
 _user, pw = node.run_state['splunk_auth_info'].split(':')
 
-# Splunk will delete this file the first time splunk is started
-# it's a secure way of automating the initial admin password when installing Splunk
-# I dont believe this happens anymore. But when given a password here it re-writes the file to hold the hash of the password.
+# Per https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/User-seedconf,
+#
+# Use HASHED_PASSWORD for a more secure installation. To hash a clear-text password,
+# use the 'splunk hash-passwd' command then copy the output to this file.
+#
+# This file also gets removed by Splunkd after a successful restart, which reads the admin's
+# initial password.
 file 'user-seed.conf' do
   path "#{splunk_dir}/etc/system/local/user-seed.conf"
   content lazy {
@@ -44,5 +48,5 @@
   owner splunk_runas_user
   group splunk_runas_user
   mode '0640'
-  not_if { ::File.exist?("#{splunk_dir}/etc/system/local/.user-seed.conf") || splunk_login_successful? }
+  not_if { ::File.exist?("#{splunk_dir}/etc/passwd") }
 end

resources/splunk_installer.rb

@@ -14,6 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+
 provides :splunk_installer
 resource_name :splunk_installer
 
@@ -22,6 +23,8 @@
 property :version, String
 
 action_class do
+  include ::ChefSplunk::Helpers
+
   def package_file
     if new_resource.url.empty? || new_resource.url.nil?
       "#{new_resource.package_name}-#{new_resource.version}"

spec/recipes/server_spec.rb

@@ -58,7 +58,7 @@
 
     it 'updates splunkd management port' do
       expect(chef_run).to run_execute('update-splunk-mgmt-port').with(
-        command: "/opt/splunk/bin/splunk set splunkd-port 9089 -auth 'admin:notarealpassword'",
+        command: "/opt/splunk/bin/splunk set splunkd-port 9089 -auth 'admin:notarealpassword' --accept-license",
         sensitive: true
       )
     end

spec/recipes/service_spec.rb

@@ -8,11 +8,19 @@
         node.force_default['splunk']['accept_license'] = true
         node.force_default['splunk']['is_server'] = true
         node.force_default['splunk']['startup_script'] = '/etc/systemd/system/Splunkd.service'
+        node.automatic['init_package'] = 'systemd'
       end.converge(described_recipe)
     end
 
-    it 'included setup_auth recipe' do
-      expect(chef_run).to include_recipe('chef-splunk::setup_auth')
+    before do
+      allow(::File).to receive(:exist?).and_call_original
+      allow(::File).to receive(:exist?).with('/etc/systemd/system/Splunkd.service').and_return(true)
+    end
+
+    %w(chef-splunk::setup_auth chef-splunk).each do |recipe|
+      it "included #{recipe} recipe" do
+        expect(chef_run).to include_recipe(recipe)
+      end
     end
 
     it 'creates directory /opt/splunk' do
@@ -39,6 +47,10 @@
         .with(sensitive: false, retries: 3, creates: '/etc/systemd/system/Splunkd.service')
     end
 
+    it 'links the startup script' do
+      expect(chef_run).to create_link('/etc/systemd/system/splunk.service')
+    end
+
     it 'started splunk service' do
       expect(chef_run).to start_service('splunk')
     end
@@ -51,11 +63,19 @@
         node.force_default['splunk']['accept_license'] = true
         node.force_default['splunk']['is_server'] = false
         node.force_default['splunk']['startup_script'] = '/etc/systemd/system/SplunkForwarder.service'
+        node.automatic['init_package'] = 'systemd'
       end.converge(described_recipe)
     end
 
-    it 'included setup_auth recipe' do
-      expect(chef_run).to include_recipe('chef-splunk::setup_auth')
+    before do
+      allow(::File).to receive(:exist?).and_call_original
+      allow(::File).to receive(:exist?).with('/etc/systemd/system/SplunkForwarder.service').and_return(true)
+    end
+
+    %w(chef-splunk::setup_auth chef-splunk).each do |recipe|
+      it "included #{recipe} recipe" do
+        expect(chef_run).to include_recipe(recipe)
+      end
     end
 
     it 'creates directory /opt/splunk' do

test/fixtures/cookbooks/test/metadata.rb

@@ -1,5 +1,5 @@
 name 'test'
-version '0.0.2'
+version '0.1.0'
 
 depends 'chef-splunk'
 depends 'yum-centos', '>= 3.1.0'

test/fixtures/cookbooks/test/recipes/uninstall_forwarder.rb

@@ -17,6 +17,5 @@
 splunk_installer 'splunkforwarder' do
   url node['splunk']['forwarder']['url']
   version node['splunk']['forwarder']['version']
-  action :nothing
-  subscribes :remove, 'service[splunk]'
+  action :remove
 end

test/integration/server-runas-root/inspec/server_runas_root_spec.rb

@@ -78,8 +78,7 @@
   only_if { os.linux? }
 
   describe file("#{SPLUNK_HOME}/etc/system/local/user-seed.conf") do
-    it { should exist }
-    its('content') { should match /HASHED_PASSWORD/ }
+    it { should_not exist }
   end
 
   describe.one do

test/integration/server-runas-splunk/inspec/server_runas_splunk_spec.rb

@@ -78,8 +78,11 @@
   only_if { os.linux? }
 
   describe file("#{SPLUNK_HOME}/etc/system/local/user-seed.conf") do
+    it { should_not exist }
+  end
+
+  describe file("#{SPLUNK_HOME}/etc/passwd") do
     it { should exist }
-    its('content') { should match /HASHED_PASSWORD/ }
   end
 
   describe.one do