Hi,
There is a way to use a recipe to remove from run list another recipe?
I’m thinking in a way to use a recipe like recipe[tmux] to maintain the configurations of Tmux (just for example). So, if I put the recipe[tmux:remove] in run list, the tmux will be removed AND the recipe remove itself from run list after complete.
It is possible?
Thank you very much!
You could, as long as your recipes are in the node’s run list and not coming from the expanded run list, e.g. coming from a role.
ruby_block "remove recipes" do
block do
node.run_list.remove('recipe[tmux]')
node.run_list.remove('recipe[tmux::remove]')
end
end
Note that this wouldn’t work if you’re using --override-runlist or -o because the node isn’t saved at the end of those runs.
i still dont think this is very safe… ive seen some CI that does stuff via CLI etc or equivalent… but just be careful with something like that in general
Really if tmux isn’t supposed to be installed you should be asserting that it isn’t installed on every run, which is more declarative. If the config management system really owns the state then it should be reasserting that constantly. That way the only way that tmux gets enabled is via going through the system.
You could make it so that the last recipe in your run_list was a ‘disable’ recipe which did something like:
include_recipe "tmux::remove" unless node.recipes.include?("recipe[tmux::default]")
include_recipe "bind::remove" unless node.recipes.include?("recipe[bind::default]")
include_recipe "dhcp::remove" unless node.recipes.include?("recipe[dhcp::default]")
Then you don’t need to have 80 recipes to disable things in every run_list, and dont have to fuss with making sure that when you enable a thing that you disable the disabler for it in the run_list.
That kind of approach will make SOX auditors smile. You now have prevent controls around someone firing up a rogue DHCP or DNS server since Chef will always run the ‘recipe[dhcp::disable]’ on all nodes that you haven’t explicitly enabled a dhcp server on.