Skip a recipe on a specific node


#1

Hello!
This has probably been asked a hundred times, and I probably just suck
at searching…

I have a standard base role that includes such things as ldap
authentication, sudoers, ntp, timezone, etc.
It also configures the timing of the chef client runs and removes the
validation key.

I manage the chef server machine the same as any other node in the
environment, but if the validation key gets removed from the server
node, all sorts of badness happens.

What is the best way to exclude running the remove validation key
recipe on just the chef server node?
I can think of a few ways to handle it:

  1. Different role for the chef server that doesn’t include that recipe
  2. remove validation key in its own role
  3. modify the validation key removal recipe to check for the existence
    of /etc/chef/server.rb and does nothing if it sees that file

1 means needing to remember to copy any additions to base into the
chef server role
2 means remembering to include the remove validation key role every time
3 means modifying the cookbook as supplied

I like 3 the best because it doesn’t require anyone to remember
something… but are there better options I’m not thinking of?

Can you include something that says “skip recipe X” for a node (or role)?


#2

On Friday, March 16, 2012, Jesse Campbell hikeit@gmail.com wrote:

> What is the best way to exclude running the remove validation key
> recipe on just the chef server node?
> I can think of a few ways to handle it:
>
>   1. Different role for the chef server that doesn’t include that recipe
>   2. remove validation key in its own role
>   3. modify the validation key removal recipe to check for the existence
>     of /etc/chef/server.rb and does nothing if it sees that file
>
> 1 means needing to remember to copy any additions to base into the
> chef server role
> 2 means remembering to include the remove validation key role every time
> 3 means modifying the cookbook as supplied
>
> I like 3 the best because it doesn’t require anyone to remember
> something… but are there better options I’m not thinking of?

We tried other approaches but after a mistake that resulted in trawling
through backups we ended up deciding 3 was the best approach. We also
talked about supplying the recipe in the initial bootstrap and having it
remove itself after it had completed but never went down that path.


Cheers,

Peter Donald


#3

Hello!

On Thu, Mar 15, 2012 at 3:43 PM, Jesse Campbell hikeit@gmail.com wrote:

> I have a standard base role that includes such things as ldap
> authentication, sudoers, ntp, timezone, etc.
> It also configures the timing of the chef client runs and removes the
> validation key.
>
> I manage the chef server machine the same as any other node in the
> environment, but if the validation key gets removed from the server
> node, all sorts of badness happens.
>
> What is the best way to exclude running the remove validation key
> recipe on just the chef server node?
> I can think of a few ways to handle it:
>
>   1. Different role for the chef server that doesn’t include that recipe
>   2. remove validation key in its own role
>   3. modify the validation key removal recipe to check for the existence
>     of /etc/chef/server.rb and does nothing if it sees that file

The Opscode chef-client cookbook has a “delete_validation” recipe that
will not delete the validation key if the node also has the
"chef-server" recipe.

The “chef-server” recipe by default does database compaction, which
you probably want so the Chef CouchDB database doesn’t grow out of
control.


Opscode, Inc
Joshua Timberman, Technical Program Manager
IRC, Skype, Twitter, Github: jtimberman
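
An added example (not the Opscode cookbook's code and not written by any poster) of the guard discussed in this thread: the validation key is removed unless the node's run list contains the chef-server cookbook or `server.rb` exists. The `validation.pem` file name, the node names and the run lists are constructed assumptions, and a scratch directory stands in for `/etc/chef`.

```ruby
require "tmpdir"
require "fileutils"

# True when the node is the Chef server: either its expanded run list
# contains the chef-server cookbook (any recipe), or server.rb is on disk.
def chef_server_node?(expanded_recipes, chef_dir)
  in_run_list = expanded_recipes.any? do |recipe|
    recipe == "chef-server" || recipe.start_with?("chef-server::")
  end
  in_run_list || File.exist?(File.join(chef_dir, "server.rb"))
end

# Remove the validation key unless this is the server node.
# Idempotent: a second run on a client reports :already_absent.
def remove_validation_key(expanded_recipes, chef_dir)
  key = File.join(chef_dir, "validation.pem") # assumed key file name
  return :kept_on_server if chef_server_node?(expanded_recipes, chef_dir)
  return :already_absent unless File.exist?(key)

  File.delete(key)
  :deleted
end

# Constructed nodes; each gets a scratch directory standing in for /etc/chef.
def demo
  base = %w[ntp sudo chef-client::delete_validation]
  nodes = {
    "web01"  => { recipes: base, files: %w[validation.pem client.pem] },
    "chef01" => { recipes: base + %w[chef-server], files: %w[validation.pem] },
    "chef02" => { recipes: base, files: %w[validation.pem server.rb] },
    "db01"   => { recipes: base, files: %w[client.pem] }
  }
  results = nodes.map do |name, node|
    Dir.mktmpdir do |dir|
      node[:files].each { |f| FileUtils.touch(File.join(dir, f)) }
      outcome = remove_validation_key(node[:recipes], dir)
      # Record the outcome and whether the key is still present afterwards.
      [name, [outcome, File.exist?(File.join(dir, "validation.pem"))]]
    end
  end
  results.to_h
end

p demo if __FILE__ == $PROGRAM_NAME
```

A client that reports the key still present after a run is worth flagging, since the validation key can register new nodes with the server.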


#4

Hello all,

Sorry for the top post. Heavy Water currently has some code in flight
for ‘partial run list application’ by way of approved/restricted run
lists. These can be applied temporally on the command line or config
file variables.

There is some controversy around this feature (‘what happened to my
state? oh there it is’), so I’m sure the first version will be rapidly
iterated.

I will post more when I know more.

–AJ

On 16 March 2012 13:15, Joshua Timberman joshua@opscode.com wrote:

> Hello!
>
> On Thu, Mar 15, 2012 at 3:43 PM, Jesse Campbell hikeit@gmail.com wrote:
>
> > I have a standard base role that includes such things as ldap
> > authentication, sudoers, ntp, timezone, etc.
> > It also configures the timing of the chef client runs and removes the
> > validation key.
> >
> > I manage the chef server machine the same as any other node in the
> > environment, but if the validation key gets removed from the server
> > node, all sorts of badness happens.
> >
> > What is the best way to exclude running the remove validation key
> > recipe on just the chef server node?
> > I can think of a few ways to handle it:
> >
> >   1. Different role for the chef server that doesn’t include that recipe
> >   2. remove validation key in its own role
> >   3. modify the validation key removal recipe to check for the existence
> >     of /etc/chef/server.rb and does nothing if it sees that file
>
> The Opscode chef-client cookbook has a “delete_validation” recipe that
> will not delete the validation key if the node also has the
> "chef-server" recipe.
>
> The “chef-server” recipe by default does database compaction, which
> you probably want so the Chef CouchDB database doesn’t grow out of
> control.
>
>
> Opscode, Inc
> Joshua Timberman, Technical Program Manager
> IRC, Skype, Twitter, Github: jtimberman


#5

On Fri, Mar 16, 2012 at 12:15 AM, Joshua Timberman joshua@opscode.com wrote:

> Hello!
>
> On Thu, Mar 15, 2012 at 3:43 PM, Jesse Campbell hikeit@gmail.com wrote:
>
> > I have a standard base role that includes such things as ldap
> > authentication, sudoers, ntp, timezone, etc.
> > It also configures the timing of the chef client runs and removes the
> > validation key.
> >
> > I manage the chef server machine the same as any other node in the
> > environment, but if the validation key gets removed from the server
> > node, all sorts of badness happens.
> >
> > What is the best way to exclude running the remove validation key
> > recipe on just the chef server node?
> > I can think of a few ways to handle it:
> >
> >   1. Different role for the chef server that doesn’t include that recipe
> >   2. remove validation key in its own role
> >   3. modify the validation key removal recipe to check for the existence
> >     of /etc/chef/server.rb and does nothing if it sees that file
>
> The Opscode chef-client cookbook has a “delete_validation” recipe that
> will not delete the validation key if the node also has the
> "chef-server" recipe.
>
> The “chef-server” recipe by default does database compaction, which
> you probably want so the Chef CouchDB database doesn’t grow out of
> control.

I guess this is the best way to do that in this particular case.
For other cases, I think the best way is the first option you mention.
For example, in this case, if there weren’t a “delete_validation” recipe
that takes care of this, you probably could have done something like:

  • role[base] -> ldap authentication, sudoers, ntp, timezone, install
    and configure the chef-client
  • role[client] -> removes the validation key and any other client specific stuff
  • role[server] -> install and configure chef-server and whatever

Now you add role[base] to all the nodes (including the server),
role[server] just to the server and role[client] to the rest. That way
you don’t need to duplicate the base role into the server role, just
add both and put the common stuff in the base. Remember that you can
add all the roles you want to any node.

This is also interesting to be able to do operations just on the
clients or the servers using searches:

knife ssh role:client "sudo chef-client"

This would force the chef-client to launch just on the nodes with the
role[client] installed.

Does this make sense to you?


Juanje