Question

I'm following the method described in this post for creating a DNS record for a new server as Chef provisions it. I've created an encrypted data bag item for my AWS credentials:

$ knife data bag show passwords aws --secret-file .chef/encryted_data_bag_secret 
aws_access_key: <my_access_key>
aws_secret_key: <my_secret_key>
id:             aws

However, when I run the chef client, this line...

aws_creds = Chef::EncryptedDataBagItem.load('passwords', 'aws')

produces this error:

TypeError: can't convert nil into String

I've tried searching for the error, but while I can see evidence that other people have encountered this, it's not clear what their problem was or how it was resolved. What's going on here, and how can I fix it?

Solution

I hit this error today too. For me, the node was missing the encrypted_data_bag_secret.

According to this bug (http://tickets.opscode.com/browse/CHEF-4441), the error (in my case) would have been clearer in Chef 11.4.4:

No such file or directory - file not found '/etc/chef/encrypted_data_bag_secret'

I hope that's helpful.

Other tips

Regarding the order of execution on the recipes, (comment to rgnever's answer) you are correct that some things seem to happen out of order. Here is an Opscode article on Chef Recipe execution:

Chef processes recipes in two phases, Compile and Execute.

  1. During the compile phase, the recipes are evaluated as Ruby code and recognized resources are added to the resource collection.
  2. During the execute phase, Chef takes the appropriate Provider action on each resource.

I haven't found a document that explicitly confirms this, but the behavior is clearly that Data Bags are one such resource type that gets evaluated during compile time. Therefore, that part of your recipe does in fact break the order of the run list, jumping ahead of whatever other recipe you had to actually load in the secret file.

We were able to work around this by using the trick described in that document (adapted to the cookbook_file resource).

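# Declare the secret file and keep a handle on the resource.
cb_file = cookbook_file "/etc/chef/encrypted_data_bag_secret" do
  source "chef_secret_file"
  # The secret decrypts every encrypted data bag item: readable by root only.
  mode "0600"
  owner "root"
  group "root"
end

# Run the resource now, during the compile phase, so the file exists
# before the encrypted data bag is loaded.
cb_file.run_action(:create)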

Note that the :nothing action is not supported for the cookbook_file resource, and the lack of an action in the resource block there will default to :create, which will actually overwrite your secret file during the execute phase of the recipe as well.
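An added example, not part of the original question or answers: a plain-Ruby preflight check that reports a missing, empty, wrongly owned, or group/world-accessible secret file with a readable message before any encrypted data bag load is attempted. The helper names `secret_file_problems` and `assert_secret_usable!` are hypothetical, and the assumption is that the secret should be owned by root with mode 0600.

```ruby
require 'tempfile'

# Path taken from the error message quoted on this page.
DEFAULT_SECRET_PATH = '/etc/chef/encrypted_data_bag_secret'

# Hypothetical helper: returns a list of problems with the secret file.
# An empty list means the file exists, has content, has the expected owner,
# and grants no access to group or other users.
def secret_file_problems(path = DEFAULT_SECRET_PATH, expected_uid: 0)
  return ["missing: #{path}"] unless File.exist?(path)

  stat = File.stat(path)
  problems = []
  problems << "not a regular file: #{path}" unless stat.file?
  problems << "empty: #{path}" if stat.size.zero?
  problems << "owner uid #{stat.uid}, expected #{expected_uid}" unless stat.uid == expected_uid
  # Any group/other bit exposes the key to other local accounts.
  if (stat.mode & 0o077) != 0
    problems << format('mode %04o grants group/other access, expected 0600',
                       stat.mode & 0o7777)
  end
  problems
end

# Hypothetical helper: fail early with a clear message instead of an
# opaque TypeError later in the run.
def assert_secret_usable!(path = DEFAULT_SECRET_PATH, expected_uid: 0)
  problems = secret_file_problems(path, expected_uid: expected_uid)
  raise "encrypted data bag secret unusable: #{problems.join('; ')}" unless problems.empty?

  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a temporary file standing in for the real secret.
  Tempfile.create('secret') do |f|
    f.write('constructed-sample-key')
    f.flush
    File.chmod(0o755, f.path) # a world-readable mode, to show the finding
    puts secret_file_problems(f.path, expected_uid: Process.uid)
  end
end
```
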

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow