Chef workstation builds are missing ruby-shadow

Open bmhughes opened this issue 2 years ago • 11 comments

Description

Setting a user password on a node with chef-workstation installed causes a raise due to the ruby-shadow gem missing. It is present and doesn't affect nodes with just chef client installed, as the gem is present.

Chef Workstation Version

21.7.526

Platform Version

Fedora 34/CentOS 7/CentOS 8

bmhughes avatar Jul 10 '21 11:07 bmhughes

@bmhughes care to open a PR to add that in?

tas50 avatar Jul 14 '21 17:07 tas50

I'm not familiar with the build process but it looks to me like it should be included as it's in the Gemfile. So I'd guess the problem may lie somewhere else.

bmhughes avatar Jul 15 '21 12:07 bmhughes

Possibly related thread: https://discourse.chef.io/t/removing-roots-password-results-in-ruby-shadow-not-installed-error/1863/10

vkarve-chef avatar Jul 28 '21 17:07 vkarve-chef

I just ran into the same issue.

I'm creating my workstation using vagrant. The first converge works because chef-client is used and the users are created before anything else. My workstation cookbook then installs chef-workstation. Every converge from there on fails since the chef-workstation gems are used and ruby-shadow is not included.

bastian@buster:~$ ls -l /opt/chef/embedded/lib/ruby/gems/2.7.0/gems/ | grep shadow
drwxr-xr-x 5 root root 4096 Aug 23 17:07 ruby-shadow-2.5.0
bastian@buster:~$ ls -l /opt/chef-workstation/embedded/lib/ruby/gems/3.0.0/gems/ | grep shadow
bastian@buster:~$

Since the current version of ruby-shadow fails to compile with ruby 3.0 there's no easy workaround using the chef_gem resource using only chef.

For everyone else using Vagrant: Setting chef.install = "force" works since it just reinstalls chef so the ruby-shadow gem is available again. Not ideal but good enough as a workaround. This also assumes you're not using chef.product = "chef-workstation" since you would run into the same problem just one step earlier. ;)

bastianschwarz avatar Aug 23 '21 16:08 bastianschwarz

In the meantime I've just updated the symlink on nodes with chef-workstation installed to use chef instead, not perfect but it works.

bmhughes avatar Aug 25 '21 10:08 bmhughes

ruby-shadow has been updated (as of today) to 2.5.1 which allows it to build on Ruby 3.0.0 so that's no longer a blocking issue.

cgoettel avatar Dec 02 '21 20:12 cgoettel

Can we get back to this please? I get the "You must have ruby-shadow installed for password support!" error too. I am on Ubuntu 22.04 with Chef Workstation version: 21.10.640.

The first time the recipe is run (with chef-solo), it runs OK and the user is created. The second time, I get the error.

Now, if I install gcc and make and then run /opt/chef-workstation/embedded/bin/gem install ruby-shadow this goes away, but is this the way? Wherever you want to run chef-solo to configure something a bit more elaborate, you'd need gcc too?

a-yiorgos avatar Mar 09 '23 19:03 a-yiorgos

Second getting back to this. Having to do a migration of servers along with an upgrade of chef and this issue is causing it to be a pain.

# The AIX provider for user currently declares it does not support ruby-shadow.
a.failure_message Chef::Exceptions::MissingLibrary, "You must have ruby-shadow installed for password support!"
a.whyrun "ruby-shadow is not installed. Attempts to set user password will cause failure.  Assuming that this gem will have been previously installed.

$ chef -v
Chef Workstation version: 23.5.1040
Chef InSpec version: 5.21.29
Chef CLI version: 5.6.11
Chef Habitat version: 1.6.652
Test Kitchen version: 3.5.0
Cookstyle version: 7.32.2
Chef Infra Client version: 18.2.7

KTM25 avatar May 24 '23 20:05 KTM25

I get this error even if I don't set a password for the user. I wonder if there was a change in chef 18 that makes it so the library is needed even if no password is set?

tmccombs avatar May 25 '23 23:05 tmccombs

Looking at the git blame for the user provider, it looks like that gem has actually been unconditionally required for at least a few years, so probably not.

tmccombs avatar May 25 '23 23:05 tmccombs

Is there a good workaround for this?

tmccombs avatar May 25 '23 23:05 tmccombs