Re: some questions


  • From: David Lee <david.lee@kanji.com.au>
  • To: chef@lists.opscode.com
  • Subject: Re: some questions
  • Date: Thu, 23 Apr 2009 17:42:46 +1000

Adam Jacob wrote:
> Scanning the recipes on the server is something I'm trying really hard
> to avoid.  The prime reason is a strong desire to not be executing
> arbitrary code on the system responsible for distributing the
> configuration information to the edges.

With the approach Miguel outlined, I would imagine you would be reading the files as text (not interpreting them as templates) and simply matching any occurrences of include_recipe.

The parser would need to be intelligent enough to deal with recursion sanely, but it should still be something you'd accomplish in an evening or so.

Aside: apart from the security advantages, delivering a subset of recipes would also prevent some quite unexpected behaviour which is possible due to the fact attributes are executed for ALL recipes, not just ones that the node is supposed to execute: you would no longer need to add guards to attribute files to prevent this.

Additional intelligence could be added to the parser later to take into account roles / etc.

cheers,
David

--

David Lee

Application Development Coordinator
Kanji Group Pty Ltd

02 8272 9483
david.lee@kanji.com.au
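
The text-only scan described in this message, as an added example that is not part of the original email or of Chef's own code: recipe sources are read as strings, never evaluated, and `include_recipe` references are followed with a visited set so that cycles terminate. The names `recipe_closure` and `SAMPLE_RECIPES`, the in-memory hash standing in for cookbook files, and the sample recipes themselves are assumptions constructed for illustration.

```ruby
require 'set'

# Constructed sample data: recipe name => recipe source text (stands in for files on disk).
SAMPLE_RECIPES = {
  'apache2'          => "package 'apache2'\ninclude_recipe 'apache2::mod_ssl'\n",
  'apache2::mod_ssl' => "include_recipe \"openssl\"\n# include_recipe 'commented::out'\n",
  'openssl'          => "include_recipe 'apache2'  # cycle back to the start\n",
  'mysql'            => "include_recipe node[:db][:flavour]\n",
  'unrelated'        => "package 'cowsay'\n"
}.freeze

# A literal string argument is the only form resolvable without running the recipe.
LITERAL = /^\s*include_recipe[\s(]+(['"])([\w:-]+)\1/
# Any other include_recipe call (variable, attribute lookup) cannot be resolved as text.
DYNAMIC = /^\s*include_recipe\b/

# Returns [closure, unresolved]. closure is the sorted list of recipes reachable
# from run_list; unresolved lists references the scanner could not follow.
def recipe_closure(run_list, recipes)
  seen = Set.new
  closure = []
  unresolved = []
  queue = run_list.dup
  until queue.empty?
    name = queue.shift
    next if seen.include?(name) # already visited: this is what makes cycles safe
    seen << name
    source = recipes[name]
    if source.nil?
      unresolved << "#{name}: recipe not found"
      next
    end
    closure << name
    source.each_line do |line|
      if (m = LITERAL.match(line))
        queue << m[2]
      elsif DYNAMIC.match?(line)
        unresolved << "#{name}: #{line.strip}"
      end
    end
  end
  [closure.sort, unresolved]
end
```

A non-empty `unresolved` list means the subset cannot be trusted to be complete, so a server using this approach would need a policy for that case, such as sending the full cookbook set to that node.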





