systemd is-enabled check does not handle backcompat with sysv-init scripts (e.g. ntp on Ubuntu 16.04)

[lamont-granquist]

Description

False failure for ntp and nscd services being enabled.

InSpec and Platform Version

Ubuntu 16.04
inspec (0.20.1)
kitchen-inspec (0.12.5)

Replication Case

• use the default nscd and/or ntp chef cookbooks to configure nscd/ntp.
• service[ntp] will run with :enable and :start actions
• service[nscd] will run with :enable and :start actions
• inspec tests will fail with these tests:

describe service('ntp') do
  it { should be_enabled }
end

describe service('nscd') do
  it { should be_enabled }
end

Possible Solutions

• note that the service is called 'ntp' in the first case but the process that is launched is called 'ntpd', that might be causing issues if you're doing scans of ps output.
• ubuntu 16.04 is all systemd-ified so that might be causing issues.

Stacktrace

Failures:

  1) Service nscd should be enabled
     Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
       expected that `Service nscd` is enabled
     # ./test/integration/webapp/default_spec.rb:15:in `block (2 levels) in load'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/inspec-0.20.1/lib/inspec/runner_rspec.rb:67:in `run'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/kitchen-inspec-0.12.5/lib/kitchen/verifier/inspec.rb:47:in `call'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:423:in `block in verify_action'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:513:in `call'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:513:in `synchronize_or_call'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:478:in `block in action'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:477:in `action'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:415:in `verify_action'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:348:in `block in transition_to'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:347:in `each'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:347:in `transition_to'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:160:in `verify'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/command.rb:176:in `public_send'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/command.rb:176:in `block (2 levels) in run_action'

  2) Service ntp should be enabled
     Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
       expected that `Service ntp` is enabled
     # ./test/integration/webapp/default_spec.rb:45:in `block (2 levels) in load'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/inspec-0.20.1/lib/inspec/runner_rspec.rb:67:in `run'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/kitchen-inspec-0.12.5/lib/kitchen/verifier/inspec.rb:47:in `call'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:423:in `block in verify_action'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:513:in `call'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:513:in `synchronize_or_call'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:478:in `block in action'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:477:in `action'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:415:in `verify_action'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:348:in `block in transition_to'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:347:in `each'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:347:in `transition_to'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/instance.rb:160:in `verify'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/command.rb:176:in `public_send'
     # /Users/lamont/.rvm/gems/ruby-2.2.5/gems/test-kitchen-1.8.0/lib/kitchen/command.rb:176:in `block (2 levels) in run_action'

Finished in 0.16498 seconds (files took 0.70271 seconds to load)
16 examples, 2 failures

Failed examples:

rspec  # Service nscd should be enabled
rspec  # Service ntp should be enabled

[lamont-granquist]

but 'fail2ban' and 'ssh' seem to work, so..... ???

[chris-rock]

So Ubuntu 16.04 should use systemd by default https://github.com/chef/inspec/blob/master/lib/resources/service.rb#L117-L121:

if version < 15.04
  Upstart.new(inspec, service_ctl)
else
  Systemd.new(inspec, service_ctl)
end

[chris-rock]

We also have a systemd_service, is it working with that resource?

[chris-rock]

Do you use the systemd name for ntp?

[lamont-granquist]

so there's no systemd_service documented at https://github.com/chef/inspec/blob/master/docs/resources.rst

[lamont-granquist]

and i just tried ntp.service but that failed as well.

this might help:

# systemctl is-enabled ntp
ntp.service is not a native service, redirecting to systemd-sysv-install
Executing /lib/systemd/systemd-sysv-install is-enabled ntp
enabled

[lamont-granquist]

probably a more accurate title based on the behavior i'm seeing... could be as simple as checking that the last line from stdout is "enabled" rather than checking if the output == "enabled"?

[viq]

Just a note that I'm seeing problems with is_enabled on debian 8 (systemd) as well .