In the Windows recipe _install-windows.rb, the dd agent username and password are retrieved from an encrypted data bag during the Chef Infra Client run from Task Scheduler in SYSTEM context.
The username and password are written to the environment variables using windows_env and removed at the end of the recipe.
This has 2 risks: one is that the password is written in cleartext in the environment variables, and if removal fails due to the hanging issue it stays stored (when the ruby process is killed, as chef-client will hang in a running state).
The issue happens when there is a race condition in access to windows_env, which is locked by another process. There is no error handling in the recipe, which results in chef-client hanging at this recipe while writing or removing the dd username or password in the Windows environment for SYSTEM.
Implementing a change to use node.run_state instead of windows_env prevents the issue from happening and makes sure the credentials aren't leaked because they aren't stored.
For this change I opened a PR on this recipe: #934
Could you please take a look at this suggested improvement and solution PR?
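A way to find this pattern in other cookbooks, as an added example that is not part of the original issue or of the cookbook's code: a small Ruby check that scans recipe source for `windows_env` resources persisting a credential-like key. The sample recipe, the data bag name and the `DD_USER_PASSWORD` key are constructed for illustration.

```ruby
# Added example: flag windows_env resources in Chef recipe source that persist
# credential-like values. RECIPE below is constructed sample input, not the
# cookbook's actual code; the data bag and key names in it are hypothetical.
SECRET_KEY = /pass(word|wd)?|secret|token|api_?key/i

RECIPE = <<~'CHEF'
  creds = data_bag_item('datadog', 'agent_user')

  windows_env 'DD_USER_PASSWORD' do
    value creds['password']
    action :create
  end

  windows_env 'JAVA_HOME' do
    value 'C:\\Java'
  end

  windows_env 'cleanup password' do
    key_name 'DD_USER_PASSWORD'
    action :delete
  end

  node.run_state['dd_user_password'] = creds['password']
CHEF

# Returns one finding per windows_env key that is created with a
# credential-like name. :deleted_later records whether the recipe also has a
# delete for that key; that delete only runs if the client reaches it.
def audit_windows_env(source)
  resources = source.scan(/^\s*windows_env\s+['"]([^'"]+)['"]\s+do\b(.*?)^\s*end\b/m).map do |name, body|
    key = body[/^\s*key_name\s+['"]([^'"]+)['"]/, 1] || name
    actions = body.scan(/^\s*action\s+(.+)$/).flatten.join(' ').scan(/:(\w+)/).flatten
    actions = ['create'] if actions.empty? # :create is the resource default
    { key: key, actions: actions }
  end
  deleted = resources.select { |r| r[:actions].include?('delete') }.map { |r| r[:key] }
  resources
    .select { |r| r[:key] =~ SECRET_KEY && (r[:actions] & %w[create modify]).any? }
    .map { |r| { key: r[:key], deleted_later: deleted.include?(r[:key]) } }
end

if __FILE__ == $PROGRAM_NAME
  audit_windows_env(RECIPE).each do |f|
    note = f[:deleted_later] ? 'deleted later, but only if the run gets that far' : 'never deleted'
    puts "windows_env #{f[:key]}: credential-like value persisted (#{note})"
  end
end
```

The `node.run_state` assignment in the sample is not flagged, since it keeps the value in memory for the duration of the run only.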