ONE-TIME Run of Chef Recipe

Is there a way to run a chef recipe only one-time on the node. I want to do some OS configuration tasks (Rename computer, join to domain etc.) and want the recipe to run only during the first boot. Is there a way to do this directly in Chef?

As a general “best-practice” is it better to put guards in recipe rather than running it only one-time for such a use case (renaming computer, adding to domain, etc.) and leave this recipe in the run-list of the node?
Just thinking if it is a good idea to let it run (even with guards in place) on every chef-client run.

Any help or information would be highly appreciated!


Yes I think it is much better to use guards. Thats likely gonna be more reusable, readable and portable. So for example in the case of a domain join. I would have the guard look to see if it is already domain joined and, if so, it is is the desired domain.

1 Like

Chef-client -o ‘recipe(my-cookbook::my-recipe)’

1 Like

I’d vote for the guards approach as well. Just make sure to write good unit tests for them to make sure they do what you want them to do.

you can also use any programming tactic that you care in place of guards as well. for example:

unless File.exist?("#{Chef::Config[:file_cache_path]|/first-boot-configuration")
  include_recipe "::first_boot"
  FileUtils.touch "#{Chef::Config[:file_cache_path]|/first-boot-configuration"

then the whole “first_boot” recipe is protected by that sentinel file, and you can nuke the sentinel file in order to re-run the recipe (or you can run it with -o itself and bypass this check as well).

if you wind up with 30 resources in that first_boot recipe you probably don’t want to have 30 guards around your resources…

of course taking the time to carefully guard each one against its intended state is more correct and idempotent, but that also takes a lot more time and thought, and can potentially be more error prone if you’re not aware of all your edge conditions. sentinel files are lazier, but also brutally simple to reason about.


Yes it is a good idea (and safe) since you can tests guards easily.

Thanks for your feedback and suggestions guys!