Test Kitchen can help you detect and remedy failures before your change reaches production.
In the Manage a node with Chef server module, you applied a configuration change that failed on your node. Imagine your node represents a piece of your production infrastructure. A failure in production can cause both an interruption to your team and reduced access to services for your users.
In this part, you'll repeat the exercise where you apply a change that, although it might appear correct, will actually fail on your test instance. You'll then remedy the failure and verify that chef-client succeeds.
In doing so, you'll see how, with Test Kitchen, you can detect and remedy failures before your change reaches production.
1. Assign read access to the IIS_IUSRS group
Let's make the same change to the web server cookbook that we did previously. By default, IIS provides access to web content to the IIS_IUSRS group. But let's modify our Chef recipe to ensure that this group has read rights to the c:\inetpub\wwwroot directory.
Recall that your default recipe looks like this.
Editor: ~/learn-chef/cookbooks/learn_chef_iis/recipes/default.rb
    #
    # Cookbook Name:: learn_chef_iis
    # Recipe:: default
    #
    # Copyright (c) 2016 The Authors, All Rights Reserved.
    powershell_script 'Install IIS' do
      code 'Add-WindowsFeature Web-Server'
      guard_interpreter :powershell_script
      not_if '(Get-WindowsFeature -Name Web-Server).Installed'
    end

    service 'w3svc' do
      action [:enable, :start]
    end

    template 'c:\\inetpub\\wwwroot\\Default.htm' do # ~FC033
      source 'Default.htm.erb'
    end
To assign read rights to the IIS_IUSRS group, you use the directory resource's rights property.
Modify your default recipe like this. You may notice this recipe has a mistake, but go ahead and copy the recipe exactly as you see it.
Editor: ~/learn-chef/cookbooks/learn_chef_iis/recipes/default.rb
    #
    # Cookbook Name:: learn_chef_iis
    # Recipe:: default
    #
    # Copyright (c) 2016 The Authors, All Rights Reserved.
    powershell_script 'Install IIS' do
      code 'Add-WindowsFeature Web-Server'
      guard_interpreter :powershell_script
      not_if "(Get-WindowsFeature -Name Web-Server).Installed"
    end

    service 'w3svc' do
      action [:enable, :start]
    end

    directory 'c:\\inetpub\\wwwroot' do
      rights :read, 'IIS_USRS'
      recursive true
      action :create
    end

    template 'c:\\inetpub\\wwwroot\\Default.htm' do
      source 'Default.htm.erb'
    end
2. Apply the changes to your test instance
Now see what happens when you run kitchen converge. Because you destroyed your test instance in the previous part, Test Kitchen creates a new instance for you.
Terminal: ~/learn-chef/cookbooks/learn_chef_iis
    $ kitchen converge
    -----> Starting Kitchen (v1.20.0)
    -----> Creating <default-windows-2012r2>...
           Bringing machine 'default' up with 'virtualbox' provider...
           ==> default: Importing base box 'chef/windows-server-2012r2-standard'...
           ==> default: Checking if box 'chef/windows-server-2012r2-standard' is up to date...
           ==> default: Setting the name of the VM: default-windows-2012r2_default_1524865915838_97139
           ==> default: Clearing any previously set network interfaces...
           ==> default: Preparing network interfaces based on configuration...
               default: Adapter 1: nat
           ==> default: Forwarding ports...
               default: 3389 (guest) => 3389 (host) (adapter 1)
               default: 5985 (guest) => 5985 (host) (adapter 1)
               default: 5986 (guest) => 55986 (host) (adapter 1)
               default: 22 (guest) => 2222 (host) (adapter 1)
           ==> default: Running 'pre-boot' VM customizations...
           ==> default: Booting VM...
           ==> default: Waiting for machine to boot. This may take a few minutes...
               default: WinRM address: 127.0.0.1:5985
               default: WinRM username: vagrant
               default: WinRM execution_time_limit: PT2H
               default: WinRM transport: negotiate
           ==> default: Machine booted and ready!
           ==> default: Checking for guest additions in VM...
               default: The guest additions on this VM do not match the installed version of
               default: VirtualBox! In most cases this is fine, but in rare cases it can
               default: prevent things such as shared folders from working properly. If you see
               default: shared folder errors, please make sure the guest additions within the
               default: virtual machine match the version of VirtualBox you have installed on
               default: your host and reload your VM.
               default:
               default: Guest Additions Version: 5.1.30
               default: VirtualBox Version: 5.2
           ==> default: Machine not provisioned because `--no-provision` is specified.
           [WinRM] Established
           Vagrant instance <default-windows-2012r2> created.
           Finished creating <default-windows-2012r2> (2m48.79s).
    -----> Converging <default-windows-2012r2>...
           Preparing files for transfer
           Preparing dna.json
           Resolving cookbook dependencies with Berkshelf 6.3.1...
           Removing non-cookbook files before transfer
           Preparing validation.pem
           Preparing client.rb
    -----> Installing Chef Omnibus (install only if missing)
           Downloading package from https://packages.chef.io/files/stable/chef/14.0.202/windows/2016/chef-client-14.0.202-1-x64.msi
           Download complete.
           Successfully verified C:\Users\vagrant\AppData\Local\Temp\chef-client-14.0.202-1-x64.msi
           Installing Chef Omnibus package C:\Users\vagrant\AppData\Local\Temp\chef-client-14.0.202-1-x64.msi
           Installation complete
           Transferring files to <default-windows-2012r2>
           Starting Chef Client, version 14.0.202
           Creating a new client identity for default-windows-2012r2 using the validator key.
           resolving cookbooks for run list: ["learn_chef_iis::default"]
           Synchronizing Cookbooks:
             - learn_chef_iis (0.1.0)
           Installing Cookbook Gems:
           Compiling Cookbooks...
           Converging 4 resources
           Recipe: learn_chef_iis::default
             * powershell_script[Install IIS] action run
               - execute "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Users/vagrant/AppData/Local/Temp/chef-script20180427-2640-edjx4b.ps1"
             * windows_service[w3svc] action enable
             * windows_service[w3svc] action start (up to date)
             * directory[c:\inetpub\wwwroot] action create
               ================================================================================
               Error executing action `create` on resource 'directory[c:\inetpub\wwwroot]'
               ================================================================================
               Chef::Exceptions::Win32APIError
               -------------------------------
               No mapping between account names and security IDs was done.
               ---- Begin Win32 API output ----
               System Error Code: 1332
               System Error Message: No mapping between account names and security IDs was done.
               ---- End Win32 API output ----
               Resource Declaration:
               ---------------------
                16: directory 'c:\\inetpub\\wwwroot' do
                17:   rights :read, 'IIS_USRS'
                18:   recursive true
                19:   action :create
                20: end
                21:
               Compiled Resource:
               ------------------
               directory("c:\inetpub\wwwroot") do
                 action [:create]
                 default_guard_interpreter :default
                 declared_type :directory
                 cookbook_name "learn_chef_iis"
                 recipe_name "default"
                 rights [{:permissions=>:read, :principals=>"IIS_USRS"}]
                 recursive true
                 path "c:\\inetpub\\wwwroot"
                 group nil
                 mode nil
                 owner nil
               end
               System Info:
               ------------
               chef_version=14.0.202
               platform=windows
               platform_version=6.3.9600
               ruby=ruby 2.5.1p57 (2018-03-29 revision 63029) [x64-mingw32]
               program_name=C:/opscode/chef/bin/chef-client
               executable=C:/opscode/chef/bin/chef-client
           Running handlers:
           [2018-04-27T14:55:47-07:00] ERROR: Running exception handlers
           [2018-04-27T14:55:47-07:00] ERROR: Running exception handlers
           Running handlers complete
           [2018-04-27T14:55:47-07:00] ERROR: Exception handlers complete
           [2018-04-27T14:55:47-07:00] ERROR: Exception handlers complete
           Chef Client failed. 1 resources updated in 40 seconds
           [2018-04-27T14:55:47-07:00] FATAL: Stacktrace dumped to C:/Users/vagrant/AppData/Local/Temp/kitchen/cache/chef-stacktrace.out
           [2018-04-27T14:55:47-07:00] FATAL: Stacktrace dumped to C:/Users/vagrant/AppData/Local/Temp/kitchen/cache/chef-stacktrace.out
           [2018-04-27T14:55:47-07:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
           [2018-04-27T14:55:47-07:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
           [2018-04-27T14:55:47-07:00] FATAL: Chef::Exceptions::Win32APIError: directory[c:\inetpub\wwwroot] (learn_chef_iis::default line 16) had an error: Chef::Exceptions::Win32APIError: No mapping between account names and security IDs was done.
           ---- Begin Win32 API output ----
           System Error Code: 1332
           System Error Message: No mapping between account names and security IDs was done.
           ---- End Win32 API output ----
           [2018-04-27T14:55:47-07:00] FATAL: Chef::Exceptions::Win32APIError: directory[c:\inetpub\wwwroot] (learn_chef_iis::default line 16) had an error: Chef::Exceptions::Win32APIError: No mapping between account names and security IDs was done.
           ---- Begin Win32 API output ----
           System Error Code: 1332
           System Error Message: No mapping between account names and security IDs was done.
           ---- End Win32 API output ----
    $$$$$$ C:/opscode/chef/embedded/lib/ruby/gems/2.5.0/gems/win32-service-0.8.10/lib/win32/service.rb:1081: warning: constant ::Fixnum is deprecated
    >>>>>> ------Exception-------
    >>>>>> Class: Kitchen::ActionFailed
    >>>>>> Message: 1 actions failed.
    >>>>>> Converge failed on instance <default-windows-2012r2>. Please see .kitchen/logs/default-windows-2012r2.log for more details
    >>>>>> ----------------------
    >>>>>> Please see .kitchen/logs/kitchen.log for more details
    >>>>>> Also try running `kitchen diagnose --all` for configuration
Here you see the same failure that you saw previously when you ran this code on your node.
Terminal: ~
    Chef::Exceptions::Win32APIError
    -------------------------------
    No mapping between account names and security IDs was done.
You also see that Test Kitchen returns with a non-zero exit code.
Terminal: ~/learn-chef/cookbooks/learn_chef_iis
3. Resolve the failure
Now you'll resolve the failure just as you did previously.
Modify your default recipe to use the correct account name (IIS_USRS becomes IIS_IUSRS).
Editor: ~/learn-chef/cookbooks/learn_chef_iis/recipes/default.rb
    #
    # Cookbook Name:: learn_chef_iis
    # Recipe:: default
    #
    # Copyright (c) 2016 The Authors, All Rights Reserved.
    powershell_script 'Install IIS' do
      code 'Add-WindowsFeature Web-Server'
      guard_interpreter :powershell_script
      not_if "(Get-WindowsFeature -Name Web-Server).Installed"
    end

    service 'w3svc' do
      action [:enable, :start]
    end

    directory 'c:\\inetpub\\wwwroot' do
      rights :read, 'IIS_IUSRS'
      recursive true
      action :create
    end

    template 'c:\\inetpub\\wwwroot\\Default.htm' do
      source 'Default.htm.erb'
    end
Now run kitchen converge to apply the configuration.
Terminal: ~/learn-chef/cookbooks/learn_chef_iis
    $ kitchen converge
    -----> Starting Kitchen (v1.20.0)
    -----> Converging <default-windows-2012r2>...
           Preparing files for transfer
           Preparing dna.json
           Resolving cookbook dependencies with Berkshelf 6.3.1...
           Removing non-cookbook files before transfer
           Preparing validation.pem
           Preparing client.rb
    -----> Chef Omnibus installation detected (install only if missing)
           Transferring files to <default-windows-2012r2>
           Starting Chef Client, version 14.0.202
           resolving cookbooks for run list: ["learn_chef_iis::default"]
           Synchronizing Cookbooks:
             - learn_chef_iis (0.1.0)
           Installing Cookbook Gems:
           Compiling Cookbooks...
           Converging 4 resources
           Recipe: learn_chef_iis::default
             * powershell_script[Install IIS] action run
             * windows_service[w3svc] action enable
             * windows_service[w3svc] action start
             * directory[c:\inetpub\wwwroot] action create
               - change dacl
             * template[c:\inetpub\wwwroot\Default.htm] action create
               - create new file c:\inetpub\wwwroot\Default.htm
               - update content in file c:\inetpub\wwwroot\Default.htm from none to a7298b
               --- c:\inetpub\wwwroot\Default.htm 2018-04-27 14:56:27.637031500 -0700
               +++ c:\inetpub\wwwroot/chef-Default20180427-1196-4mqdi2.htm 2018-04-27 14:56:27.637031500 -0700
               @@ -1 +1,6 @@
               +<html>
               + <body>
               + <h1>hello world</h1>
               + </body>
               +</html>
           Running handlers:
           Running handlers complete
           Chef Client finished, 2/5 resources updated in 03 seconds
           Downloading files from <default-windows-2012r2>
           Finished converging <default-windows-2012r2> (0m31.63s).
    -----> Kitchen is finished. (0m33.85s)
As before, run kitchen exec to verify the contents of your web server's home page.
Terminal: ~/learn-chef/cookbooks/learn_chef_iis
    $ kitchen exec -c '(Invoke-WebRequest -UseBasicParsing localhost).Content'
    -----> Execute command on default-windows-2012r2.
           <html>
             <body>
               <h1>hello world</h1>
             </body>
           </html>
Also verify that IIS_IUSRS has read access to the c:\inetpub\wwwroot directory.
Terminal: ~/learn-chef/cookbooks/learn_chef_iis
    $ kitchen exec -c 'Get-Acl c:\inetpub\wwwroot\Default.htm | Format-List'
    -----> Execute command on default-windows-2012r2.
           Path   : Microsoft.PowerShell.Core\FileSystem::C:\inetpub\wwwroot\Default.htm
           Owner  : BUILTIN\Administrators
           Group  : WIN-8VQRRVA7JDG\None
           Access : BUILTIN\IIS_IUSRS Allow  Read, Synchronize
                    NT SERVICE\TrustedInstaller Allow  FullControl
                    NT AUTHORITY\SYSTEM Allow  FullControl
                    BUILTIN\Administrators Allow  FullControl
                    BUILTIN\Users Allow  ReadAndExecute, Synchronize
           Audit  :
           Sddl   : O:BAG:S-1-5-21-3865579752-229855252-580028606-513D:AI(A;ID;FR;;;IS)(A;
                    ID;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
                    )(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
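The Sddl value in the Get-Acl output encodes the same access list in machine-readable form, so the read-only check can be automated instead of read by eye. The following Ruby is an added example, not part of the original tutorial or of Chef; the helper names (parse_dacl, read_only_violations) and the MODIFY_BITS policy are assumptions made for illustration, and only the rights abbreviations and SID aliases needed for this descriptor are handled.

```ruby
# Added example, not part of the tutorial. SDDL copied from the Get-Acl output
# above with the console line wrapping removed.
SDDL = 'O:BAG:S-1-5-21-3865579752-229855252-580028606-513D:AI(A;ID;FR;;;IS)' \
       '(A;ID;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)' \
       '(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)'

# SDDL SID aliases used in this descriptor.
SID_ALIASES = { 'IS' => 'BUILTIN\\IIS_IUSRS', 'SY' => 'NT AUTHORITY\\SYSTEM',
                'BA' => 'BUILTIN\\Administrators', 'BU' => 'BUILTIN\\Users' }.freeze
# SDDL file-rights abbreviations and their access masks.
RIGHTS = { 'FA' => 0x1F01FF, 'FR' => 0x120089,
           'FW' => 0x120116, 'FX' => 0x1200A0 }.freeze
# Bits that permit changing content, attributes, ACL or owner: write data,
# append data, write EA, delete child, write attributes, DELETE, WRITE_DAC,
# WRITE_OWNER. Which bits count as "modify" is this example's assumption.
MODIFY_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000

Ace = Struct.new(:type, :flags, :mask, :trustee)

# Hex masks pass through; abbreviations are OR-ed together. An unknown
# abbreviation raises KeyError, so the check fails closed.
def rights_mask(field)
  return Integer(field) if field.start_with?('0x')
  field.scan(/../).reduce(0) { |mask, abbr| mask | RIGHTS.fetch(abbr) }
end

# Extracts the DACL part of an SDDL string and returns one Ace per entry.
def parse_dacl(sddl)
  dacl = sddl[/D:(.*?)(?=S:|\z)/m, 1] or raise ArgumentError, 'no DACL in SDDL'
  dacl.scan(/\(([^)]*)\)/).flatten.map do |body|
    type, flags, rights, _object, _inherited, sid = body.split(';', -1)
    Ace.new(type, flags, rights_mask(rights), SID_ALIASES.fetch(sid, sid))
  end
end

# Empty result: the trustee has an allow ACE and none grants modify bits.
def read_only_violations(aces, trustee)
  allowed = aces.select { |a| a.type == 'A' && a.trustee == trustee }
  return ["no allow ACE for #{trustee}"] if allowed.empty?
  allowed.select { |a| (a.mask & MODIFY_BITS) != 0 }
         .map { |a| format('%s granted 0x%X', trustee, a.mask) }
end

if __FILE__ == $PROGRAM_NAME
  aces = parse_dacl(SDDL)
  aces.each { |a| puts format('%-24s %-2s 0x%06X', a.trustee, a.flags, a.mask) }
  puts read_only_violations(aces, 'BUILTIN\\IIS_IUSRS').inspect
end
```

An empty list for BUILTIN\IIS_IUSRS confirms the group received read access and nothing broader; the same call reports a violation for any trustee whose ACE includes write, delete or ACL-change bits.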
Success! With local development, you can make changes, experiment, and verify that your configuration does what you expect using local test instances. You now have increased confidence that your change will work in production.
Unlike in the Manage a node with Chef server module, you did not modify your cookbook's version in the metadata.rb file. You only need to increment the version number when you upload your cookbook to the Chef server.
Feel free to experiment further with your test instance. When you're done, be sure to run kitchen destroy to delete your instance.
Conclusion
In this module, you used Test Kitchen to configure a basic web server on a Windows Server virtual machine, all from your workstation. You also saw how with local development, you can detect and resolve failures before your change appears in production.
Local development gives you the time and flexibility to experiment, iterate, and fix problems early in the development cycle. You only upload your cookbooks to the Chef server and apply them to your bootstrapped nodes after you've confirmed from your workstation that your configuration code works as you expect.
Learn more about Test Kitchen at kitchen.ci.
In the Create a web app cookbook module, you'll use the skills you've just learned to build a basic but complete web application that uses a web server, a database, and scripting. You'll learn how to leverage cookbooks that are written by the Chef community and resolve cookbook dependencies to create cookbooks that are more reusable.