I’m trying to see if there is a way to cleanly set up part of a recipe so that some action will be performed on the workstation when uploading the cookbook, instead of during the chef run? Obviously, I could write a script that first performs my action, and then calls knife cookbook upload, but that’s really a one-off solution. I’d prefer to have something where you just put something into the required cookbook itself.
Here are the use cases where this could be useful:
Right now, I need to create an SELinux policy using chef. Policies work somewhat similar to C programs: a policy has a source file (with the .te extension) that is compiled into a module file (.mod), and then processed into a package file (.pp).
I would like to use shorewall-lite instead of shorewall. The idea behind shorewall-lite is that you only maintain the firewall policies on one central server, and the target machine only receives an already-compiled version of the firewall rules.
A third use case may be compiling software once on the workstation, instead of on each server.
Of course one could do the compiling during the normal chef run on the target machine, but there are benefits to only copying the pre-compiled files onto the target. For one, not having to install compiling tools reduces the attack surface.
Is there such a mechanism to run certain actions during the upload?