[chef] Re: apt_package_hold or preventing version critical packages from being upgraded

[Holger Amann < >]

Am 19.12.2012 um 17:58 schrieb Brad Knowles < "> >:

Don't allow anyone to do that manually.  All package management should be done exclusively through Chef.  In fact, all systems management of all types should be done exclusively through Chef.

If there is ever an emergency need to have an exception to this rule, and that same emergency happens more than once, you should think about updating your Chef recipes to be able to handle that emergency so that you don't have to do that manually anymore.  Or, at the very least, you should be able to manually kick off the appropriate Chef process.

Ok, in theory, but in practice that sounds totally impossible to me. As an example - you're setting up a naked OS, and after bootstrapping you're about to install Postgres/Apache/someotherlargeservice which itself will install hundred of libraries as dependencies. If there are updates for one or more of those dependencies, how do you want to do it with chef instead of doing the upgrade step manually? Am I missing some magic chef functionality/cookbook which is able to do that?