consul template executing multiple commands using sh -c does not work with 0.25.2

[pavanrangain]

Consul Template version

Run consul-template -v to show the version. If you are not
running the latest version, please upgrade before submitting an
issue.

Version : 0.25.2

Configuration

vault {
   address = "http://vault.service.consul:8200"
   token = "xxx"
   renew_token = false
}

template {
  source = "template.ctmpl"
  destination = "template.key.pem"
  command = "sh -c 'chmod 400 template.pem && chown user:group template.pem && systemctl restart nginx'"
}

Expected behavior

We want to make sure that after the certs and key generated its only readable by the intended user and not by any other user. Hence the run the chmod and chown command as given above. We know there is no way to set ownership of the file generated #461

The above command was perfectly working with 0.25.1

Actual behavior

When upgraded to 0.25.2 this command no more works. We see the error below

chmod: missing operand
Try 'chmod --help' for more information.
* failed to execute command "sh -c 'chmod 400 template.pem && chown user:group template.pem && systemctl restart nginx'" from ....
* sh -c chmod 400 template.pem 
This is assumed to be a failure. Please ensure the command
exits with a zero exit status.

If we see the second line in the error sh -c chmod 400 template.pem it looks like the quotes are removed and command is truncated at the first occurance of && operator. Thus this command becomes invalid and throwing error.

Steps to reproduce

1. Run Vault and set up approle as instructed here
2. Run CT (v 0.25.2) using the config and template from above

[medains]

Similar behaviour with a simpler command:

nginx -g 'daemon off;'

Switching to escaped double-quotes doesn't help - the execution always strips the quotes before the command runs.

[krchiper]

Another similar example

docker run --rm hashicorp/consul-template:0.25.2-light -template="whatever-template:/tmp/written-template:sh -c 'echo hello'"

Prints an empty line with 0.25.2 and successfully prints hello with 0.25.1

[eikenb]

Thanks for the report @pavanrangain and reproducing/confirming this @medains, @krchiper.
My apologies for the regression.

I've also reproduced this and it is a regression from 0.25.1->0.25.2. Bisecting results in the dependency updates commit (of course); 6213a54

It was the go-shellwords update (v1.0.5->v1.0.10) in that commit that broke things.

Going to add a test for this and dig in a bit.

[eikenb]

This issue has already been reported upstream. I've added a comment with this case and a test showing it. mattn/go-shellwords#48 (comment)

I'm considering either submitting a PR upstream or reverting our use to an earlier version. Either way I'm going to add some testing of this to help catch these sorts of issues in the future.

[krchiper]

Still not fixed in hashicorp/consul-template:latest, any plans for when the fix is rolled out?

[eikenb]

Sorry for the delays @krchiper. I'm trying to get caught up on the PRs first, then will get to the issues. I plan on including this issue in the next release which is what I'm working towards now.

[nepeat]

Was about to file an issue for this same issue. I'm hitting the behaviour with this command instead.

command = "/bin/bash -c 'systemctl reload nomad || true'

[eikenb]

I've fixed the issue in go-shellwords and made a PR. Going to switch to my fork temporarily until it is merged upstream and that should allow me to close this issue.