chef - [chef] Re: Re: Skip a recipe on a specific node

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: Re: Skip a recipe on a specific node

From: Juan Jesús Ojeda Croissier < >
To:
Subject: [chef] Re: Re: Skip a recipe on a specific node
Date: Fri, 16 Mar 2012 01:12:04 +0000

On Fri, Mar 16, 2012 at 12:15 AM, Joshua Timberman
< >
wrote:
> Hello!
>
> On Thu, Mar 15, 2012 at 3:43 PM, Jesse Campbell
> < >
> wrote:
>>
>> I have a standard base role that includes such things as ldap
>> authentication, sudoers, ntp, timezone, etc.
>> It also configures the timing of the chef client runs and removes the
>> validation key.
>>
>> I manage the chef server machine the same as any other node in the
>> environment, but if the validation key gets removed from the server
>> node, all sorts of badness happens.
>>
>> What is the best way to exclude running the remove validation key
>> recipe on just the chef server node?
>> I can think of a few ways to handle it:
>> 1. Different role for the chef server that doesn't include that recipe
>> 2. remove validation key in its own role
>> 3. modify the validation key removal recipe to check for the existence
>> of /etc/chef/server.rb and does nothing if it sees that file
>
> The Opscode chef-client cookbook has a "delete_validation" recipe that
> will not delete the validation key if the node also has the
> "chef-server" recipe.
>
> The "chef-server" recipe by default does database compaction, which
> you probably want so the Chef CouchDB database doesn't grow out of
> control.
>

I guess this is the best way to do that in this particular case.
For other cases, I think the best way is the first option you mention.
For example, in this case, if there weren't "delete_validation" recipe
that take care of this, you probably could have done something like:
- role[base] -> ldap authentication, sudoers, ntp, timezone, install
and configure the chef-client
- role[client] -> removes the validation key and any other client specific
stuff
- role[server] -> install and configure chef-server and whatever

Now you add role[base] to all the nodes (included the server),
role[server] just to the server and role[client] to the rest. That way
you don't need to duplicate the base role into the server role, just
add both and put the common stuff in the base. Remember that you can
add all the roles you want to any node.

This is also interesting to be able to do operation just on the
clients or the servers using searchs:

knife ssh role:client "sudo chef-client"

This would force to launch the chef-client just on the nodes with the
role[client] installed.

Make this sense to you?

--
Juanje

[chef] Skip a recipe on a specific node, Jesse Campbell, 03/15/2012
- [chef] Re: Skip a recipe on a specific node, Peter Donald, 03/15/2012
- [chef] Re: Skip a recipe on a specific node, Joshua Timberman, 03/15/2012
  - [chef] Re: Re: Skip a recipe on a specific node, AJ Christensen, 03/15/2012
  - [chef] Re: Re: Skip a recipe on a specific node, Juan Jesús Ojeda Croissier, 03/15/2012