feat(setup): add chef version configuration option

This is based on a work done by @inopinatus here:
<https://github.com/inopinatus/chef-upgrade>. Introduces new node
parameter `chef-version`, which allows to update chef version on an
opsworks instance.

Gemfile.lock

@@ -21,7 +21,7 @@ GEM
       ridley (~> 5.0)
       solve (~> 4.0)
       thor (~> 0.19, < 0.19.2)
-    brakeman (4.5.1)
+    brakeman (4.6.1)
     buff-config (2.0.0)
       buff-extensions (~> 2.0)
       varia_model (~> 0.6)
@@ -83,8 +83,8 @@ GEM
       chef (>= 12.0)
       fauxhai (>= 3.6, < 5)
       rspec (~> 3.0)
-    childprocess (0.9.0)
-      ffi (~> 1.0, >= 1.0.11)
+    childprocess (1.0.1)
+      rake (< 13.0)
     cleanroom (1.0.0)
     colorize (0.8.1)
     concurrent-ruby (1.1.5)
@@ -149,7 +149,7 @@ GEM
     json (2.2.0)
     kitchen-docker (2.9.0)
       test-kitchen (>= 1.0.0)
-    kitchen-vagrant (1.5.2)
+    kitchen-vagrant (1.6.0)
       test-kitchen (>= 1.4, < 3)
     kramdown (1.17.0)
     launchy (2.4.3)
@@ -169,14 +169,14 @@ GEM
       mixlib-cli (~> 1.7, >= 1.7.0)
       mixlib-config (~> 2.2, >= 2.2.1)
     mini_portile2 (2.4.0)
-    minitar (0.8)
+    minitar (0.9)
     mixlib-archive (0.4.20)
       mixlib-log
     mixlib-authentication (1.4.2)
     mixlib-cli (1.7.0)
     mixlib-config (2.2.18)
       tomlrb
-    mixlib-install (3.11.18)
+    mixlib-install (3.11.21)
       mixlib-shellout
       mixlib-versioning
       thor
@@ -200,8 +200,8 @@ GEM
       net-ssh (>= 2.6.5)
       net-ssh-gateway (>= 1.2.0)
     net-telnet (0.1.1)
-    nio4r (2.4.0)
-    nokogiri (1.10.3)
+    nio4r (2.5.1)
+    nokogiri (1.10.4)
       mini_portile2 (~> 2.4.0)
     nori (2.6.0)
     octokit (4.14.0)
@@ -218,11 +218,11 @@ GEM
       plist (~> 3.1)
       systemu (~> 2.6.4)
       wmi-lite (~> 1.0)
-    overcommit (0.48.1)
-      childprocess (~> 0.6, >= 0.6.3)
+    overcommit (0.49.1)
+      childprocess (>= 0.6.3, < 2.0)
       iniparse (~> 1.4)
     parallel (1.17.0)
-    parser (2.6.3.0)
+    parser (2.6.4.0)
       ast (~> 2.4.0)
     pastel (0.7.3)
       equatable (~> 0.6)
@@ -235,7 +235,7 @@ GEM
       websocket (~> 1.0)
     rack (2.0.7)
     rainbow (3.0.0)
-    rake (12.3.2)
+    rake (12.3.3)
     retryable (2.0.4)
     ridley (5.1.1)
       addressable
@@ -274,26 +274,26 @@ GEM
     rspec_junit_formatter (0.2.3)
       builder (< 4)
       rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (0.72.0)
+    rubocop (0.74.0)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
       parser (>= 2.6)
       rainbow (>= 2.2.2, < 4.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 1.7)
-    rubocop-performance (1.4.0)
+    rubocop-performance (1.4.1)
       rubocop (>= 0.71.0)
     ruby-progressbar (1.10.1)
     ruby_parser (3.13.1)
       sexp_processor (~> 4.9)
     rubyntlm (0.6.2)
-    rubyzip (1.2.3)
+    rubyzip (1.2.4)
     rufus-lru (1.1.0)
     sawyer (0.8.2)
       addressable (>= 2.3.5)
       faraday (> 0.8, < 2.0)
     semverse (2.0.0)
-    serverspec (2.41.4)
+    serverspec (2.41.5)
       multi_json
       rspec (~> 3.0)
       rspec-its
@@ -308,12 +308,12 @@ GEM
     solve (4.0.2)
       molinillo (~> 0.6)
       semverse (>= 1.1, < 4.0)
-    specinfra (2.78.2)
+    specinfra (2.81.0)
       net-scp
       net-ssh (>= 2.7)
       net-telnet (= 0.1.1)
       sfl
-    strings (0.1.5)
+    strings (0.1.6)
       strings-ansi (~> 0.1)
       unicode-display_width (~> 1.5)
       unicode_utils (~> 1.4)
@@ -322,12 +322,12 @@ GEM
     systemu (2.6.5)
     term-ansicolor (1.7.1)
       tins (~> 1.0)
-    test-kitchen (2.2.5)
+    test-kitchen (2.3.2)
       bcrypt_pbkdf (~> 1.0)
       ed25519 (~> 1.2)
       license-acceptance (~> 1.0, >= 1.0.11)
       mixlib-install (~> 3.6)
-      mixlib-shellout (>= 1.2, < 3.0)
+      mixlib-shellout (>= 1.2, < 4.0)
       net-scp (>= 1.1, < 3.0)
       net-ssh (>= 2.9, < 6.0)
       net-ssh-gateway (>= 1.2, < 3.0)
@@ -338,7 +338,7 @@ GEM
     thor (0.19.1)
     timers (4.0.4)
       hitimes
-    tins (1.21.0)
+    tins (1.21.1)
     tomlrb (1.2.8)
     travis (1.8.10)
       backports
@@ -351,9 +351,9 @@ GEM
       typhoeus (~> 0.6, >= 0.6.8)
     treetop (1.6.10)
       polyglot (~> 0.3)
-    tty-box (0.4.0)
+    tty-box (0.4.1)
       pastel (~> 0.7.2)
-      strings (~> 0.1.5)
+      strings (~> 0.1.6)
       tty-cursor (~> 0.7)
     tty-color (0.5.0)
     tty-cursor (0.7.0)

README.md

@@ -45,6 +45,7 @@ Author: [Igor Rzegocki](https://www.rzegocki.pl/) ([@ajgon](https://github.com/a
 * Marcos Beirigo ([@marcosbeirigo](https://github.com/marcosbeirigo))
 * John Calvin Young ([@johncalvinyoung](https://github.com/johncalvinyoung))
 * Rich Seviora ([@richseviora](https://github.com/richseviora))
+* Josh Goodall ([@inopinatus](https://github.com/inopinatus))
 
 ## License
 

attributes/default.rb

@@ -1,5 +1,12 @@
 # frozen_string_literal: true
 
+# chef client updater
+if node['chef-version']
+  chef_version = node['chef-version'].to_s.to_i
+  default['chef_client_updater']['post_install_action'] = 'exec'
+  default['chef_client_updater']['version'] = chef_version.positive? ? chef_version.to_s : 'latest'
+end
+
 # deployer
 default['deployer']['user'] = 'deploy'
 default['deployer']['group'] = 'deploy'

docs/source/attributes.rst

@@ -53,6 +53,15 @@ convention).
   -  If enabled, a nodejs and yarn will be installed on a machine, to provide support
      for webpack and assets precompilation.
 
+-  ``node['chef-version']``
+
+  -  **Type:** integer or boolean
+  -  **Default:** ``false``
+  -  If enabled current chef on OpsWorks will be updated to provided version (if integer
+     provided) or the the latest version (if ``true``).
+     **Important** plase note, that ``true`` is hazardous, because it allows uncontrolled
+     upgrade to a potentially major version, i.e. breaking change could occur.
+
 Cross-application attributes
 ----------------------------
 

files/debian_downgrade_protection.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+# Original package: <https://github.com/inopinatus/chef-upgrade>
+
+# Extend the Debian package providers & resources to guard against inadvertent downgrade
+shim = Module.new do
+  def target_version_already_installed?(current_version, target_version)
+    return super unless @new_resource.downgrade_guard
+    return false unless current_version && target_version
+
+    Chef::Log.info("#{@new_resource} downgrade guard, comparing current=#{current_version} to target=#{target_version}")
+    !shell_out('dpkg', '--compare-versions', current_version.to_s, 'ge', target_version.to_s).error?
+  end
+end
+
+Chef::Provider::Package::Dpkg.prepend shim
+Chef::Resource::DpkgPackage.property :downgrade_guard, [true, false], default: true
+
+Chef::Provider::Package::Apt.prepend shim
+Chef::Resource::AptPackage.property :downgrade_guard, [true, false], default: true
+
+Ohai.plugin(:DebianDowngradeProtectionPlugin)

libraries/chef_patches.rb

@@ -10,3 +10,12 @@ def shell_out_with_timeout!(*command_args)
     end
   end
 end
+
+# Taken from: <https://github.com/inopinatus/chef-upgrade>
+module CannotSelfTerminate
+  def eval_post_install_action
+    Chef::Log.info '>>>>>>>>>>>>>>>>>                         <<<<<<<<<<<<<<<<'
+    Chef::Log.info '>>>>>>>>>>>>>>>>> I cannot self terminate <<<<<<<<<<<<<<<<'
+    Chef::Log.info '>>>>>>>>>>>>>>>>>                         <<<<<<<<<<<<<<<<'
+  end
+end

metadata.rb

@@ -7,9 +7,11 @@
 description 'Set of chef recipes for OpsWorks based Ruby projects'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version '1.15.0'
-chef_version '~> 12.0' if respond_to?(:chef_version)
+chef_version '>= 12.0' if respond_to?(:chef_version)
 
 depends 'apt', '< 7.0'
+depends 'chef_client_updater'
+depends 'deploy_resource'
 depends 'logrotate'
 depends 'nginx', '< 9.0'
 depends 'nodejs'

recipes/setup.rb

@@ -9,6 +9,30 @@
 
 prepare_recipe
 
+# Upgrade chef
+# Taken from `chef-upgrade` cookbook <https://github.com/inopinatus/chef-upgrade> by Josh Goodall
+# The Chef updater will try to kill its own process. This causes setup failure.
+# We force it to accept our "exec" configuration by monkey-patching the LWRP.
+if node['chef-version']
+  update_provider = Chef.provider_handler_map.get(node, :chef_client_updater)
+  update_provider.prepend(CannotSelfTerminate)
+  include_recipe 'chef_client_updater::default'
+
+  directory '/opt/aws/opsworks/current/plugins' do
+    owner 'root'
+    group 'aws'
+    mode '0755'
+    recursive true
+  end
+
+  cookbook_file '/opt/aws/opsworks/current/plugins/debian_downgrade_protection.rb' do
+    source 'debian_downgrade_protection.rb'
+    owner 'root'
+    group 'aws'
+    mode '0644'
+  end
+end
+
 # Create deployer user
 group node['deployer']['group'] do
   gid 5000

spec/unit/recipes/setup_spec.rb

@@ -32,6 +32,40 @@
     stub_command('which nginx').and_return(false)
   end
 
+  context 'Chef version' do
+    it 'not set' do
+      expect(chef_run).not_to create_directory('/opt/aws/opsworks/current/plugins')
+    end
+
+    it 'set to false' do
+      chef_run = ChefSpec::SoloRunner.new(platform: 'ubuntu', version: '14.04') do |solo_node|
+        solo_node.set['chef-version'] = false
+      end.converge(described_recipe)
+
+      expect(chef_run).not_to create_directory('/opt/aws/opsworks/current/plugins')
+    end
+
+    it 'set to 14' do
+      chef_run = ChefSpec::SoloRunner.new(platform: 'ubuntu', version: '14.04') do |solo_node|
+        solo_node.set['chef-version'] = '14'
+      end.converge(described_recipe)
+
+      expect(chef_run).to create_directory('/opt/aws/opsworks/current/plugins').with(
+        owner: 'root',
+        group: 'aws',
+        mode: '0755',
+        recursive: true
+      )
+      expect(chef_run).to create_cookbook_file('/opt/aws/opsworks/current/plugins/debian_downgrade_protection.rb').with(
+        source: 'debian_downgrade_protection.rb',
+        owner: 'root',
+        group: 'aws',
+        mode: '0644'
+      )
+      expect(chef_run).to update_chef_client_updater('update chef-client')
+    end
+  end
+
   context 'Deployer' do
     it 'debian user' do
       expect(chef_run).to create_group('deploy').with(gid: 5000)