Enforce certain recipe in run_list

Phil_Oliva · September 24, 2014, 5:03pm

Hi all,

Is there a way to enforce all nodes that bootstrap with chef-client to certain chef-server run extra recipe(s) on top of their specified run list? Basically want to create a base cookbook for my organization and ensure all managed bootstrap nodes have run certain recipes from this cookbook.

Phil Oliva

coderanger · September 24, 2014, 5:08pm

No, this is not a feature available in Chef. You can rig it up in any number of ways (cron job that adds a specific role, build scripts to enforce it, etc) but Chef itself will not.

--Noah

On Sep 24, 2014, at 10:03 AM, Phil Oliva poliva@blackberry.com wrote:

Hi all,

Is there a way to enforce all nodes that bootstrap with chef-client to certain chef-server run extra recipe(s) on top of their specified run list? Basically want to create a base cookbook for my organization and ensure all managed bootstrap nodes have run certain recipes from this cookbook.

Phil Oliva

Scott_Hain · September 24, 2014, 5:12pm

I'm not sure if this will fit your use case exactly, but during the
bootstrap itself you can specific a specific run list with a json file
using knife bootstrap with the -j flag as documented here:

If you are looking for 'extra' recipes not on the runlist, Noah is correct.

On Wed, Sep 24, 2014 at 10:08 AM, Noah Kantrowitz noah@coderanger.net
wrote:

No, this is not a feature available in Chef. You can rig it up in any
number of ways (cron job that adds a specific role, build scripts to
enforce it, etc) but Chef itself will not.

--Noah

On Sep 24, 2014, at 10:03 AM, Phil Oliva poliva@blackberry.com wrote:

Hi all,

Is there a way to enforce all nodes that bootstrap with chef-client to
certain chef-server run extra recipe(s) on top of their specified run list?
Basically want to create a base cookbook for my organization and ensure all
managed bootstrap nodes have run certain recipes from this cookbook.

Phil Oliva

--

Scott Hain — Software Development Engineer

360.360.7433 – shain@getchef.com – *my: *Linkedin http://www.linkedin.com/
Twitter http://www.twitter.com/elejia

CHEF

GETCHEF.COM http://www.getchef.com/

TM

getchef.com http://www.getchef.com/ Blog
http://www.opscode.com/blog/ Facebook
https://www.facebook.com/getchefdotcom Twitter
https://twitter.com/chef Youtube https://www.youtube.com/getchef

Phil_Oliva · September 24, 2014, 5:12pm

Thanks Noah, I will try one of your suggested options.

-----Original Message-----
From: Noah Kantrowitz [mailto:noah@coderanger.net]
Sent: Wednesday, September 24, 2014 1:09 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Enforce certain recipe in run_list

No, this is not a feature available in Chef. You can rig it up in any number of ways (cron job that adds a specific role, build scripts to enforce it, etc) but Chef itself will not.

--Noah

On Sep 24, 2014, at 10:03 AM, Phil Oliva poliva@blackberry.com wrote:

Hi all,

Is there a way to enforce all nodes that bootstrap with chef-client to certain chef-server run extra recipe(s) on top of their specified run list? Basically want to create a base cookbook for my organization and ensure all managed bootstrap nodes have run certain recipes from this cookbook.

Phil Oliva

Phil_Oliva · September 24, 2014, 5:20pm

Yes, I am familiar with the –j option. We use ‘chef-client –j http://fakefile.json’ quite often to specify vm instance attributes. Just a co-worker suggested to me that you could get specify something on chef-server to enforce ‘extra’ recipes to be run for all nodes but couldn’t find any documentation related to this claim. Just thought I’d ask.

From: Scott Hain [mailto:shain@getchef.com]
Sent: Wednesday, September 24, 2014 1:12 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Re: Enforce certain recipe in run_list

I'm not sure if this will fit your use case exactly, but during the bootstrap itself you can specific a specific run list with a json file using knife bootstrap with the -j flag as documented here: http://docs.getchef.com/install_bootstrap.html

If you are looking for 'extra' recipes not on the runlist, Noah is correct.

On Wed, Sep 24, 2014 at 10:08 AM, Noah Kantrowitz <noah@coderanger.net mailto:noah@coderanger.net> wrote:
No, this is not a feature available in Chef. You can rig it up in any number of ways (cron job that adds a specific role, build scripts to enforce it, etc) but Chef itself will not.

--Noah

On Sep 24, 2014, at 10:03 AM, Phil Oliva <poliva@blackberry.com mailto:poliva@blackberry.com> wrote:

Hi all,

Is there a way to enforce all nodes that bootstrap with chef-client to certain chef-server run extra recipe(s) on top of their specified run list? Basically want to create a base cookbook for my organization and ensure all managed bootstrap nodes have run certain recipes from this cookbook.

Phil Oliva

--

Scott Hain — Software Development Engineer

360.360.7433 – shain@getchef.com mailto:shain@getchef.com – my: Linkedinhttp://www.linkedin.com/ Twitterhttp://www.twitter.com/elejia

CHEF

GETCHEF.COM http://www.getchef.com/

TM

getchef.com http://www.getchef.com/ Bloghttp://www.opscode.com/blog/ Facebookhttps://www.facebook.com/getchefdotcom Twitterhttps://twitter.com/chef Youtubehttps://www.youtube.com/getchef

Ranjib_Dey2 · September 24, 2014, 5:25pm

You can use environment run list to enforce certain roles or recipes across
all nodes from that environment. You have to specify these across all
environments.
Base roles are more popular for this use case
On Sep 24, 2014 10:03 AM, "Phil Oliva" poliva@blackberry.com wrote:

Hi all,

Is there a way to enforce all nodes that bootstrap with chef-client to
certain chef-server run extra recipe(s) on top of their specified run list?
Basically want to create a base cookbook for my organization and ensure all
managed bootstrap nodes have run certain recipes from this cookbook.

Phil Oliva

coderanger · September 24, 2014, 5:28pm

On Sep 24, 2014, at 10:25 AM, Ranjib Dey ranjib@pagerduty.com wrote:

You can use environment run list to enforce certain roles or recipes across all nodes from that environment. You have to specify these across all environments.
Base roles are more popular for this use case

No, environments do not have run lists. Also the default "_default" environment is immutable anyway.

--Noah

Olivier_Bazoud · September 24, 2014, 6:42pm

This could be an interesting feature
Le 24 sept. 2014 19:29, "Noah Kantrowitz" noah@coderanger.net a écrit :

On Sep 24, 2014, at 10:25 AM, Ranjib Dey ranjib@pagerduty.com wrote:

You can use environment run list to enforce certain roles or recipes
across all nodes from that environment. You have to specify these across
all environments.
Base roles are more popular for this use case

No, environments do not have run lists. Also the default "_default"
environment is immutable anyway.

--Noah

Lamont_Granquist_OLD · September 24, 2014, 7:27pm

Probably a good one for an RFC and/or discussion at the Chef Summit.

On Wed Sep 24 11:42:05 2014, Olivier Bazoud wrote:

This could be an interesting feature

Le 24 sept. 2014 19:29, "Noah Kantrowitz" <noah@coderanger.net
mailto:noah@coderanger.net> a écrit :

On Sep 24, 2014, at 10:25 AM, Ranjib Dey <ranjib@pagerduty.com
<mailto:ranjib@pagerduty.com>> wrote:

> You can use environment run list to enforce certain roles or
recipes across all nodes from that environment. You have to
specify these across all environments.
> Base roles are more popular for this use case :-)
>

No, environments do not have run lists. Also the default
"_default" environment is immutable anyway.

--Noah

Aimelyne_Mochiron · September 24, 2014, 8:20pm

Roles can declare environment-specific run lists though: https://docs.getchef.com/essentials_roles.html#set-per-environment-run-lists

Maybe this is what Ranjib meant?

am

On 24 Sep 2014, at 22:27, Lamont Granquist lamont@opscode.com wrote:

Probably a good one for an RFC and/or discussion at the Chef Summit.

On Wed Sep 24 11:42:05 2014, Olivier Bazoud wrote:

This could be an interesting feature

Le 24 sept. 2014 19:29, "Noah Kantrowitz" <noah@coderanger.net
mailto:noah@coderanger.net> a écrit :

On Sep 24, 2014, at 10:25 AM, Ranjib Dey <ranjib@pagerduty.com
mailto:ranjib@pagerduty.com> wrote:

You can use environment run list to enforce certain roles or
recipes across all nodes from that environment. You have to
specify these across all environments.
Base roles are more popular for this use case

No, environments do not have run lists. Also the default
"_default" environment is immutable anyway.

--Noah

Ranjib_Dey2 · September 24, 2014, 8:35pm

yeah., but as noah mentioned, and i just confirmed with pry., i dont see a
run_list on the Chef::Environment objects. neither i can find any reference
on lib/chef/environment.rb. But this is the same link i had read (long time
before), may be this is wrong documentation, or a deprecated feature..

On Wed, Sep 24, 2014 at 1:20 PM, Aimelyne Mochiron aimelynem@gmail.com
wrote:

Roles can declare environment-specific run lists though:
https://docs.getchef.com/essentials_roles.html#set-per-environment-run-lists

Maybe this is what Ranjib meant?

am

On 24 Sep 2014, at 22:27, Lamont Granquist lamont@opscode.com wrote:

Probably a good one for an RFC and/or discussion at the Chef Summit.

On Wed Sep 24 11:42:05 2014, Olivier Bazoud wrote:

This could be an interesting feature

Le 24 sept. 2014 19:29, "Noah Kantrowitz" <noah@coderanger.net
mailto:noah@coderanger.net> a écrit :

On Sep 24, 2014, at 10:25 AM, Ranjib Dey <ranjib@pagerduty.com
mailto:ranjib@pagerduty.com> wrote:

You can use environment run list to enforce certain roles or
recipes across all nodes from that environment. You have to
specify these across all environments.
Base roles are more popular for this use case

No, environments do not have run lists. Also the default
"_default" environment is immutable anyway.

--Noah

Ranjib · September 24, 2014, 8:41pm

I think you can specify a run list using environments, but only roles will
be catered

github.com

chef/chef/blob/main/lib/chef/run_list/run_list_expansion.rb#L151


      
          end
          
          def errors
            @missing_roles_with_including_role.map(&:first)
          end
          
          def to_json(*a)
            Chef::JSONCompat.to_json(to_h, *a)
          end
          
          def to_h
            seen_items = { recipe: {}, role: {} }
            { id: @environment, run_list: convert_run_list_trace("top level", seen_items) }
          end
          
          alias_method :to_hash, :to_h
          
          private
          
          # these methods modifies internal state based on arguments, so hide it.

@dan am I right here?

On Wed, Sep 24, 2014 at 1:35 PM, Ranjib Dey ranjib@pagerduty.com wrote:

yeah., but as noah mentioned, and i just confirmed with pry., i dont see a
run_list on the Chef::Environment objects. neither i can find any reference
on lib/chef/environment.rb. But this is the same link i had read (long time
before), may be this is wrong documentation, or a deprecated feature..

On Wed, Sep 24, 2014 at 1:20 PM, Aimelyne Mochiron aimelynem@gmail.com
wrote:

Roles can declare environment-specific run lists though:
https://docs.getchef.com/essentials_roles.html#set-per-environment-run-lists

Maybe this is what Ranjib meant?

am

On 24 Sep 2014, at 22:27, Lamont Granquist lamont@opscode.com wrote:

Probably a good one for an RFC and/or discussion at the Chef Summit.

On Wed Sep 24 11:42:05 2014, Olivier Bazoud wrote:

This could be an interesting feature

Le 24 sept. 2014 19:29, "Noah Kantrowitz" <noah@coderanger.net
mailto:noah@coderanger.net> a écrit :

On Sep 24, 2014, at 10:25 AM, Ranjib Dey <ranjib@pagerduty.com
mailto:ranjib@pagerduty.com> wrote:

You can use environment run list to enforce certain roles or
recipes across all nodes from that environment. You have to
specify these across all environments.
Base roles are more popular for this use case

No, environments do not have run lists. Also the default
"_default" environment is immutable anyway.

--Noah

kallistec · September 24, 2014, 8:42pm

On Wednesday, September 24, 2014 at 1:41 PM, Ranjib Dey wrote:

I think you can specify a run list using environments, but only roles will be catered
https://github.com/opscode/chef/blob/master/lib/chef/run_list/run_list_expansion.rb#L151

@dan am I right here?
That line just selects the environment-specific run list for the role.

--
Daniel DeLeo

Tensibai · September 24, 2014, 8:44pm

Nothing deprecated nor wrong. It is role run list per environment. You still have to add the role to the node running, so it's not answering the problem.

The only way I think of is a cron searching nodes without the recipe and adding it.

Maybe with something like knife-audit (unsure of the name) or a search pattern...

Envoyé à partir de mon smartphone Sony Xperia™

---- Ranjib Dey a écrit ----

yeah., but as noah mentioned, and i just confirmed with pry., i dont see a run_list on the Chef::Environment objects. neither i can find any reference on lib/chef/environment.rb. But this is the same link i had read (long time before), may be this is wrong documentation, or a deprecated feature..

On Wed, Sep 24, 2014 at 1:20 PM, Aimelyne Mochiron aimelynem@gmail.com wrote:

Roles can declare environment-specific run lists though: https://docs.getchef.com/essentials_roles.html#set-per-environment-run-lists

Maybe this is what Ranjib meant?

am

On 24 Sep 2014, at 22:27, Lamont Granquist lamont@opscode.com wrote:

Probably a good one for an RFC and/or discussion at the Chef Summit.

On Wed Sep 24 11:42:05 2014, Olivier Bazoud wrote:

This could be an interesting feature

Le 24 sept. 2014 19:29, "Noah Kantrowitz" <noah@coderanger.net
mailto:noah@coderanger.net> a écrit :

On Sep 24, 2014, at 10:25 AM, Ranjib Dey <ranjib@pagerduty.com
mailto:ranjib@pagerduty.com> wrote:

You can use environment run list to enforce certain roles or
recipes across all nodes from that environment. You have to
specify these across all environments.
Base roles are more popular for this use case

No, environments do not have run lists. Also the default
"_default" environment is immutable anyway.

--Noah

kallistec · September 24, 2014, 8:46pm

On Wednesday, September 24, 2014 at 10:03 AM, Phil Oliva wrote:

Hi all,

Is there a way to enforce all nodes that bootstrap with chef-client to certain chef-server run extra recipe(s) on top of their specified run list? Basically want to create a base cookbook for my organization and ensure all managed bootstrap nodes have run certain recipes from this cookbook.

Phil Oliva

To start this one over from the beginning, what do you mean by "ensure all managed bootstrap nodes have run certain recipes from this cookbook?” Are you worried that users in your organization will unintentionally create nodes without these recipes? Or that users will intentionally create nodes without these recipes? Do you need to manage the set of “required” base recipes over time? What kinds of users create new nodes, and how do they specify their customizations?

--
Daniel DeLeo

Phil_Oliva · September 25, 2014, 3:53pm

Daniel,

We're trying to enforce some governance on all the nodes that bootstrapped to our chef server. Coming from a large organization and trying to onboard many groups to our ha chef server infrastructure on our Opennebula based private cloud.

We provided a single bash context script (coined "one init.sh script to rule them all") as a point of entry that groups can put in their vm template context along and with some standardized chef related template variables (chef_server_url, validator_key, bootstrap_json, chef_environment, etc..). Our bash script installs the recommended chef client package version (our team determines which version will get used) then runs chef-apply blocks to setup vm networking (nice because resources work on RH + Ubuntu ) and then setups up the /etc/chef/chef-client.rb properly and runs chef-client based on variables provided. This approach has worked well thus far.

We also wrote a hook for our hypervisors to cleanup node/client data when vms get deleted/recreated. Our chef server has a special admin account for that hypervisors can use to run pychef and manage it.

That was all the logic we wanted to add to init.sh script. Anything that needs to be done to node after chef-client is assumed to be in a cookbook. Don't want to modify the init.sh very often (ideally never).

So I wanted to create a base cookbook that has a recipe that forces nodes checking every 15 minutes into server with chef-client runs using a cron or chef-client daemon. This recipe would need to survive a DR scenarios if our chef server ended up needing to be recreated and data loss was present. Example if node/client data not on server and vm still has client.pem (delete client.pem if getting "Failed to authenticate to .* with key /etc/chef/client.pem" message).

My question came about because I had an idea that I wanted our staging HA chef server to force people to run this recipe/cookbook even if they didn't specify it in their own run_list. This way people would learn if their cookbooks were truly idempotent (which is our end goal) in testing lab before it ended up in production. If people choose to proceed to production with non-idempotent cookbooks well then operators would need to know they would need to destroy vm and recreate any time they want cookbook rerun.

Phil

----Original Message-----
From: Daniel DeLeo [mailto:ddeleo@kallistec.com] On Behalf Of Daniel DeLeo
Sent: Wednesday, September 24, 2014 4:47 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Enforce certain recipe in run_list

On Wednesday, September 24, 2014 at 10:03 AM, Phil Oliva wrote:

Hi all,

Is there a way to enforce all nodes that bootstrap with chef-client to certain chef-server run extra recipe(s) on top of their specified run list? Basically want to create a base cookbook for my organization and ensure all managed bootstrap nodes have run certain recipes from this cookbook.

Phil Oliva

To start this one over from the beginning, what do you mean by "ensure all managed bootstrap nodes have run certain recipes from this cookbook?” Are you worried that users in your organization will unintentionally create nodes without these recipes? Or that users will intentionally create nodes without these recipes? Do you need to manage the set of “required” base recipes over time? What kinds of users create new nodes, and how do they specify their customizations?

--
Daniel DeLeo

Michael_Hart · September 25, 2014, 6:40pm

I can’t think of a way to enforce that except for a “thou shalt always add the X role to thy VM’s” and a cluebat to enforce it. Perhaps someone else can think of something.

We have a ‘base’ role that gets applied to absolutely every node we have, VM’s or not, that contain things like chef client config, ntp, timezone, base syslog, collectd, etc, and while we’ve never had to enforce it (small team etc) if I had to start enforcing it I’d probably setup a script that polled the node configs and add the base role back into the run_list if it wasn’t there already. And then haul out the aforementioned cluebat and chase down the offender.

cheers
mike

–
Michael Hart
Arctic Wolf Networks
M: 226-388-4773

On Sep 25, 2014, at 11:53, Phil Oliva <poliva@blackberry.com mailto:poliva@blackberry.com> wrote:

Daniel,

We’re trying to enforce some governance on all the nodes that bootstrapped to our chef server. Coming from a large organization and trying to onboard many groups to our ha chef server infrastructure on our Opennebula based private cloud.

We provided a single bash context script (coined “one init.sh script to rule them all”) as a point of entry that groups can put in their vm template context along and with some standardized chef related template variables (chef_server_url, validator_key, bootstrap_json, chef_environment, etc…). Our bash script installs the recommended chef client package version (our team determines which version will get used) then runs chef-apply blocks to setup vm networking (nice because resources work on RH + Ubuntu ) and then setups up the /etc/chef/chef-client.rb properly and runs chef-client based on variables provided. This approach has worked well thus far.

We also wrote a hook for our hypervisors to cleanup node/client data when vms get deleted/recreated. Our chef server has a special admin account for that hypervisors can use to run pychef and manage it.

That was all the logic we wanted to add to init.sh script. Anything that needs to be done to node after chef-client is assumed to be in a cookbook. Don’t want to modify the init.sh very often (ideally never).

So I wanted to create a base cookbook that has a recipe that forces nodes checking every 15 minutes into server with chef-client runs using a cron or chef-client daemon. This recipe would need to survive a DR scenarios if our chef server ended up needing to be recreated and data loss was present. Example if node/client data not on server and vm still has client.pem (delete client.pem if getting “Failed to authenticate to .* with key /etc/chef/client.pem” message).

My question came about because I had an idea that I wanted our staging HA chef server to force people to run this recipe/cookbook even if they didn’t specify it in their own run_list. This way people would learn if their cookbooks were truly idempotent (which is our end goal) in testing lab before it ended up in production. If people choose to proceed to production with non-idempotent cookbooks well then operators would need to know they would need to destroy vm and recreate any time they want cookbook rerun.

Phil

----Original Message-----
From: Daniel DeLeo [mailto:ddeleo@kallistec.com] On Behalf Of Daniel DeLeo
Sent: Wednesday, September 24, 2014 4:47 PM
To: chef@lists.opscode.com mailto:chef@lists.opscode.com
Subject: [chef] Re: Enforce certain recipe in run_list

On Wednesday, September 24, 2014 at 10:03 AM, Phil Oliva wrote:

Hi all,

Is there a way to enforce all nodes that bootstrap with chef-client to certain chef-server run extra recipe(s) on top of their specified run list? Basically want to create a base cookbook for my organization and ensure all managed bootstrap nodes have run certain recipes from this cookbook.

Phil Oliva

To start this one over from the beginning, what do you mean by "ensure all managed bootstrap nodes have run certain recipes from this cookbook?” Are you worried that users in your organization will unintentionally create nodes without these recipes? Or that users will intentionally create nodes without these recipes? Do you need to manage the set of “required” base recipes over time? What kinds of users create new nodes, and how do they specify their customizations?

–
Daniel DeLeo

ameir · September 25, 2014, 6:53pm

This isn’t really a “solution” and won’t work if your other cookbooks need to inherit anything, but you could potentially do, on a cron, something like:

chef-client -o my-enforced-cookbook

That’d ensure that the cookbook is run, but it’d be wholly-independent from your standard chef-client runs. Nothing is saved to the server with this method, which may or may not break the functionality you’re looking for.

Having this enforced via other means sounds like a pretty useful feature.

-Ameir
From: michael.hart@arcticwolf.com michael.hart@arcticwolf.com
To: chef@lists.opscode.com chef@lists.opscode.com
Sent: Thursday, September 25, 2014
Subject: [chef] Re: Enforce certain recipe in run_list

I can’t think of a way to enforce that except for a “thou shalt always add the X role to thy VM’s” and a cluebat to enforce it. Perhaps someone else can think of something.

We have a ‘base’ role that gets applied to absolutely every node we have, VM’s or not, that contain things like chef client config, ntp, timezone, base syslog, collectd, etc, and while we’ve never had to enforce it (small team etc) if I had to start enforcing
it I’d probably setup a script that polled the node configs and add the base role back into the run_list if it wasn’t there already. And then haul out the aforementioned cluebat and chase down the offender.

cheers

mike

–

Michael Hart

Arctic Wolf Networks

M: 226-388-4773

On Sep 25, 2014, at 11:53, Phil Oliva poliva@blackberry.com wrote:

Daniel,

We’re trying to enforce some governance on all the nodes that bootstrapped to our chef server. Coming from a large organization and trying to onboard many groups to our ha chef server infrastructure on our Opennebula based private cloud.

We provided a single bash context script (coined “one init.sh script to rule them all”) as a point of entry that groups can put in their vm template context along and with some standardized chef related template variables (chef_server_url, validator_key, bootstrap_json,
chef_environment, etc…). Our bash script installs the recommended chef client package version (our team determines which version will get used) then runs chef-apply blocks to setup vm networking (nice because resources work on RH + Ubuntu ) and then setups
up the /etc/chef/chef-client.rb properly and runs chef-client based on variables provided. This approach has worked well thus far.

We also wrote a hook for our hypervisors to cleanup node/client data when vms get deleted/recreated. Our chef server has a special admin account for that hypervisors can use to run pychef and manage it.

That was all the logic we wanted to add to init.sh script. Anything that needs to be done to node after chef-client is assumed to be in a cookbook. Don’t want to modify the init.sh very often (ideally never).

So I wanted to create a base cookbook that has a recipe that forces nodes checking every 15 minutes into server with chef-client runs using a cron or chef-client daemon. This recipe would need to survive a DR scenarios if our chef server ended up needing to
be recreated and data loss was present. Example if node/client data not on server and vm still has client.pem (delete client.pem if getting “Failed to authenticate to .* with key /etc/chef/client.pem” message).

My question came about because I had an idea that I wanted our staging HA chef server to force people to run this recipe/cookbook even if they didn’t specify it in their own run_list. This way people would learn if their cookbooks were truly idempotent (which
is our end goal) in testing lab before it ended up in production. If people choose to proceed to production with non-idempotent cookbooks well then operators would need to know they would need to destroy vm and recreate any time they want cookbook rerun.

Phil

----Original Message-----

From: Daniel DeLeo [mailto:ddeleo@kallistec.com] On Behalf Of Daniel DeLeo

Sent: Wednesday, September 24, 2014 4:47 PM

To: chef@lists.opscode.com

Subject: [chef] Re: Enforce certain recipe in run_list

On Wednesday, September 24, 2014 at 10:03 AM, Phil Oliva wrote:

Hi all,

Is there a way to enforce all nodes that bootstrap with chef-client to certain chef-server run extra recipe(s) on top of their specified run list? Basically want to create a base cookbook for my organization and ensure all managed bootstrap nodes have run certain
recipes from this cookbook.

Phil Oliva

To start this one over from the beginning, what do you mean by "ensure all managed bootstrap nodes have run certain recipes from this cookbook?” Are you worried that users in your organization will unintentionally create nodes without these recipes? Or that
users will intentionally create nodes without these recipes? Do you need to manage the set of “required” base recipes over time? What kinds of users create new nodes, and how do they specify their customizations?

–

Daniel DeLeo

Lamont_Granquist_OLD · September 25, 2014, 9:41pm

On 9/25/14, 11:40 AM, Michael Hart wrote:

I can’t think of a way to enforce that except for a “thou shalt always
add the X role to thy VM’s” and a cluebat to enforce it. Perhaps
someone else can think of something.

We have a ‘base’ role that gets applied to absolutely every node we
have, VM’s or not, that contain things like chef client config, ntp,
timezone, base syslog, collectd, etc, and while we’ve never had to
enforce it (small team etc) if I had to start enforcing it I’d
probably setup a script that polled the node configs and add the base
role back into the run_list if it wasn’t there already. And then haul
out the aforementioned cluebat and chase down the offender.

In an organization where you've got a couple dozen people of various
skill levels working on config management code and they are coming and
going, the cluebat means that you're just going to constantly be angry
at the junior SA someone hired a month ago who did the wrong thing
without knowing any better. Its a lot better to put the cluebat aside
and just not let anyone have a choice over screwing the policy up.

I'll mention again that writing up an RFC for this and/or mentioning it
at the summit would be good.

Michael_Hart · September 26, 2014, 11:56am

I agree the cluebat approach isn’t really good, I wrote it partially due to inside joke from when I worked at the same place the original poster.

cheers
mike

–
Michael Hart
Arctic Wolf Networks
M: 226-388-4773

On Sep 25, 2014, at 17:41, Lamont Granquist <lamont@opscode.com mailto:lamont@opscode.com> wrote:

On 9/25/14, 11:40 AM, Michael Hart wrote:
I can’t think of a way to enforce that except for a “thou shalt always add the X role to thy VM’s” and a cluebat to enforce it. Perhaps someone else can think of something.

We have a ‘base’ role that gets applied to absolutely every node we have, VM’s or not, that contain things like chef client config, ntp, timezone, base syslog, collectd, etc, and while we’ve never had to enforce it (small team etc) if I had to start enforcing it I’d probably setup a script that polled the node configs and add the base role back into the run_list if it wasn’t there already. And then haul out the aforementioned cluebat and chase down the offender.

In an organization where you’ve got a couple dozen people of various skill levels working on config management code and they are coming and going, the cluebat means that you’re just going to constantly be angry at the junior SA someone hired a month ago who did the wrong thing without knowing any better. Its a lot better to put the cluebat aside and just not let anyone have a choice over screwing the policy up.

I’ll mention again that writing up an RFC for this and/or mentioning it at the summit would be good.

Topic		Replies	Views
Chef-client running Chef Infra (archive)	4	416	October 1, 2018
How to check chef boot strap on client Chef Infra (archive)	1	597	June 13, 2022
Chef client -o "recipe should not do node save Chef Infra (archive)	1	401	October 8, 2013
Adding a recipe to an existing role in chef-server Chef Infra (archive)	5	431	January 27, 2011
Command to run only part of run list one a node Chef Infra (archive)	11	2248	September 6, 2013

Enforce certain recipe in run_list

Related Topics