A chef user recently ran into a problem with the service resource
where a service was disabled on their system by debian policy
unbeknownst to them. The underlying script that the resource asked to
start the service returned successfully, however it did not actually
start the service because of the system policy.
There are varying opinions as to what should be done here.
- Nothing. Chef shouldn’t fix your system for you.
- Warn. Chef should tell you if it thinks you are doing it wrong.
- Fail. Chef should throw an exception if you asked it to do
something it couldn’t (by checking policy first).
CHEF-2880  proposes:
- Always due #2 from above.
- Add an option to the resource to run "invoke-rc.d --disclose-deny"
which will cause #3 above to happen.
We’re not crazy about adding resource method solely for this. The
simplest solution is to just run “invoke-rc.d --disclose-deny” all the
time. The big question here, is there a use case where you would have
the service disabled by policy but still want Chef to keep running if
you ask it to start it? Laurent? Thom? Tollef? (CHEF-597 )
The argument is that, if you ask Chef to do something and it cannot,
it should fail. Or you shouldn’t ask it to try. But we usually trust
the underlying system, if there is a bug, perhaps it is in invoke-rc.d
lying to us unless we use --disclose-deny. In any case, it isn’t as if
we’re going to start running ps after a service resource action to
verify if it worked or not.
Bryan McLellan | opscode | technical program manager
© 206.607.7108 | (t) @btmspox | (b) http://blog.loftninjas.org