chef - [chef] Dynamically modifying files from a package Chef just installed

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Dynamically modifying files from a package Chef just installed

From: Rob Curtis < >
To:
Subject: [chef] Dynamically modifying files from a package Chef just installed
Date: Fri, 11 Oct 2013 08:12:16 -0700 (PDT)

Executive Summary:
I'm using Chef to install a package and then update (ownership, permissions)
many of the files installed with the package.  Because the files don't exist
before the package is installed in the execution phase, resources for those
files can't be dynamically generated in the compile phase.  What is the most
correct (idempotent, efficient) way to update the package's files after
install?  Do I just use a Ruby block to chown/chmod the files?  Do I create an
explicit resource for each and every file?

The longer version:
We are using Chef to install and configure a particular software bundle (Mule
ESB).  In keeping with what we understand to be the best practices, we have a
library cookbook that simply does the bare-bones install and a policy cookbook
that wraps the library cookbook and performs our own customization.

Most of the customization we want to perform is modifying the ownership and
permissions on many of the files that get installed by the library cookbook to
make our security guys happy.  My first cut at the default recipe in the
policy
cookbook looks something like this:

### Do things that happen before installing Mule ###
Chef::Log.debug("Pre-Mule")

### Install Mule ###
include_recipe "mule"

### Do things that happen after installing Mule ###
Chef::Log.debug("Post-Mule")

# Remove example applications
directory "#{node[:mule][:home]}/examples" do
    recursive true
    action :delete
end

# Restrict access to config files
Dir[ "#{node[:mule][:home]}/conf/*" ].each do |path|
    file path do
        owner node[:mule-policy][:user]
        group node[:mule-policy][:group]
        mode "0640"
    end if File.file?(path)
end
### End of cookbook snippet ###

The problem is that when I run the mule-policy cookbook on a fresh VM, Chef
attempts to create the config file resources during the compile phase but
since
Mule doesn't actually get installed until the execution phase, there are no
config files for which to generate resources.  It's not a huge deal with the
config files since there are only 3 of them, but it's a bigger problem when we
start getting into the /lib directory, which contains dozens of .jar files and
the security guys want those locked down, too.

Any advice would be greatly appreciated.

Thanks,

-Rob

[chef] Dynamically modifying files from a package Chef just installed, Rob Curtis, 10/11/2013
- [chef] Re: Dynamically modifying files from a package Chef just installed, Andrew Gross, 10/11/2013
  - [chef] Re: Re: Dynamically modifying files from a package Chef just installed, Rob Curtis, 10/11/2013
    - [chef] Re: Re: Re: Dynamically modifying files from a package Chef just installed, Andrew Gross, 10/11/2013
      - [chef] Re: Re: Re: Re: Dynamically modifying files from a package Chef just installed, Rob Curtis, 10/11/2013
      - [chef] Re: Re: Re: Re: Dynamically modifying files from a package Chef just installed, steve ., 10/11/2013
        
        [chef] Re: Re: Re: Re: Re: Dynamically modifying files from a package Chef just installed, Andrew Gross, 10/11/2013