execute[update-pam] resource fails on Ubuntu 14.04 on Azure #237

Closed
sean-nixon opened this issue Feb 14, 2019 · 6 comments

@sean-nixon
Contributor

Describe the bug
update-pam resource fails on Ubuntu 14.04.5 running on Azure with error Errno::ENOENT: No such file or directory - pam-auth-update. I am able to run this command locally and the error no longer occurs on the next run. However, it reappears again later. Oddly enough, I've not seen this error when running in Test Kitchen (neither on Azure nor using the bento Vagrant image for Ubuntu 14.04).

Expected behavior
The recipe will run successfully.

Actual behavior

Error Log & Stacktrace

execute[update-pam] (os-hardening::pam line 94) had an error: Errno::ENOENT: No such file or directory - pam-auth-update


Errno::ENOENT
----------------------------------------------------
No such file or directory - pam-auth-update


Resource Declaration:
----------------------------------------------------
# In /var/chef/cache/cookbooks/os-hardening/recipes/pam.rb

 94:   execute 'update-pam' do
 95:     command 'pam-auth-update --package'
 96:   end
 97:


Compiled Resource:
----------------------------------------------------
# Declared in /var/chef/cache/cookbooks/os-hardening/recipes/pam.rb:94:in `from_file'

execute("update-pam") do
  action [:run]
  default_guard_interpreter :execute
  command "pam-auth-update --package"
  backup 5
  declared_type :execute
  cookbook_name "os-hardening"
  recipe_name "pam"
  domain nil
  user nil
end


Backtrace
----------------------------------------------------
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/mixlib-shellout-2.4.4/lib/mixlib/shellout/unix.rb:340:in `exec'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/mixlib-shellout-2.4.4/lib/mixlib/shellout/unix.rb:340:in `block in fork_subprocess'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/mixlib-shellout-2.4.4/lib/mixlib/shellout/unix.rb:318:in `fork'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/mixlib-shellout-2.4.4/lib/mixlib/shellout/unix.rb:318:in `fork_subprocess'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/mixlib-shellout-2.4.4/lib/mixlib/shellout/unix.rb:95:in `run_command'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/mixlib-shellout-2.4.4/lib/mixlib/shellout.rb:267:in `run_command'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/mixin/shell_out.rb:234:in `shell_out_command'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/mixin/shell_out.rb:200:in `shell_out_compacted!'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/mixin/shell_out.rb:124:in `shell_out!'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/provider/execute.rb:58:in `block in action_run'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/mixin/why_run.rb:51:in `add_action'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/provider.rb:227:in `converge_by'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/provider/execute.rb:56:in `action_run'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/provider.rb:182:in `run_action'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/resource.rb:578:in `run_action'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/runner.rb:70:in `run_action'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/runner.rb:98:in `block (2 levels) in converge'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/runner.rb:98:in `each'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/runner.rb:98:in `block in converge'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/resource_collection/resource_list.rb:94:in `block in execute_each_resource'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/resource_collection/stepable_iterator.rb:114:in `call_iterator_block'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/resource_collection/stepable_iterator.rb:85:in `step'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/resource_collection/stepable_iterator.rb:103:in `iterate'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/resource_collection/stepable_iterator.rb:55:in `each_with_index'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/resource_collection/resource_list.rb:92:in `execute_each_resource'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/runner.rb:97:in `converge'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/client.rb:720:in `block in converge'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/client.rb:715:in `catch'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/client.rb:715:in `converge'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/client.rb:754:in `converge_and_save'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/client.rb:286:in `run'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/application.rb:303:in `run_with_graceful_exit_option'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/application.rb:279:in `block in run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/local_mode.rb:44:in `with_server_connectivity'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/application.rb:261:in `run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/application/client.rb:444:in `run_application'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/lib/chef/application.rb:66:in `run'
/opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.10.9/bin/chef-client:25:in `<top (required)>'
/usr/bin/chef-client:74:in `load'
/usr/bin/chef-client:74:in `<main>'

Example code

# From wrapper cookbook
include_recipe 'os-hardening'

# Attribute override - not sure if it is relevant
override['os-hardening']['auth']['pam']['pam_systemd']['enable'] = true

OS / Environment

Ubuntu 14.04.5 LTS Azure Latest Image

Chef Version

Chef: 14.10.9

Cookbook Version

3.1.0

Additional context
None but will happily provide any additional information needed.

@artem-sidorenko
Member

@sean-nixon thanks for raising this issue. Are you able to reproduce this issue?

@sean-nixon
Contributor Author

@artem-sidorenko I am. I just created a new Ubuntu 14.04 node in Azure and am seeing the same error. If I run chef-client directly, it works fine, however. I believe it's an environment issue with the Azure Chef extension. It's creating a crontab entry and not setting the path to include /usr/sbin. Any possibility of updating the recipe to use an absolute path?

@artem-sidorenko
Member

@sean-nixon I have already seen similar issues in some other areas with cloud images :(

Before we discuss the option to add the full path within this cookbook, is there any option to inform the developers of the Azure Chef extension about that issue? It should fail with lots of other cookbooks too, so I would like to see this issue ideally be fixed properly in the area where it's also located...

@sean-nixon
Contributor Author

I've raised an issue with them, so we can see what they say.

Would it not be more secure, though, to invoke the command using the full path and not rely on it being in the path? I'm not sure if there's complexity regarding different paths on different distros/versions.

@artem-sidorenko
Member

artem-sidorenko commented Feb 25, 2019

@sean-nixon it should be fine as pam-auth-update gets executed only on the Debian family, so it's unlikely to get a mismatch on different distributions.

I had a look at the issue: the /usr/Sbin is probably the reason why it's not in the default PATH. Not sure how this gets handled.

I think it's not a problem to add /usr/sbin here for pam-auth-update. @chris-rock any other view?

sean-nixon pushed a commit to sean-nixon/chef-os-hardening that referenced this issue Feb 25, 2019
On Debian-based distros, pam-auth-update is located at /usr/sbin/pam-auth-update. However, when running chef-client as a cron job, /usr/sbin may not be available on the path, resulting in an error. This affects nodes using the Azure Chef extension, among others.

Addresses Issue dev-sec#237

Signed-off-by: Sean Nixon <[email protected]>
@sean-nixon
Contributor Author

I took the liberty to submit a pull request with the suggested fix pending Chris's feedback.
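
The PATH behaviour discussed in this thread, as an added Ruby example that is not part of the cookbook or of any comment above: a bare `pam-auth-update` is looked up in each PATH directory in order, so it is not found when `/usr/sbin` is absent, and an earlier directory holding a same-named file wins when one is present. The directory tree is constructed in a temp dir, and the `/usr/bin:/bin` cron PATH and the `/opt/extra/bin` directory are assumptions for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# Resolve a bare command name as exec-style lookup does:
# walk PATH left to right and return the first executable match.
def resolve_in_path(cmd, path)
  path.split(File::PATH_SEPARATOR).each do |dir|
    next if dir.empty?
    candidate = File.join(dir, cmd)
    return candidate if File.file?(candidate) && File.executable?(candidate)
  end
  nil
end

# Create a small executable stub inside the constructed tree.
def make_tool(root, rel)
  full = File.join(root, rel)
  FileUtils.mkdir_p(File.dirname(full))
  File.write(full, "#!/bin/sh\nexit 0\n")
  File.chmod(0o755, full)
end

# Constructed sample layout (not a real system):
#   usr/sbin/pam-auth-update       the packaged tool
#   opt/extra/bin/pam-auth-update  a same-named file in an extra PATH directory
def demo_lookup
  Dir.mktmpdir('path-demo') do |root|
    make_tool(root, 'usr/sbin/pam-auth-update')
    make_tool(root, 'opt/extra/bin/pam-auth-update')
    %w[usr/bin bin].each { |d| FileUtils.mkdir_p(File.join(root, d)) }

    to_path = ->(dirs) { dirs.map { |d| File.join(root, d) }.join(':') }
    strip   = ->(p) { p && p.sub(root, '') }
    cmd     = 'pam-auth-update'

    {
      # Assumed cron-style PATH without /usr/sbin: lookup fails (ENOENT).
      cron:     strip.call(resolve_in_path(cmd, to_path.call(%w[usr/bin bin]))),
      # PATH that includes /usr/sbin: the packaged tool is found.
      login:    strip.call(resolve_in_path(cmd, to_path.call(%w[usr/sbin usr/bin bin]))),
      # Extra directory listed first: its file is chosen instead.
      shadowed: strip.call(resolve_in_path(cmd, to_path.call(%w[opt/extra/bin usr/sbin usr/bin bin])))
    }
  end
end

p demo_lookup if __FILE__ == $PROGRAM_NAME
```

Invoking `/usr/sbin/pam-auth-update` by absolute path makes all three cases resolve to the same file regardless of the caller's environment.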
