[chef] Re: Dynamically modifying files from a package Chef just installed

[Andrew Gross < >]

Hey Rob,

The normal pattern for this sort of thing is to have the post install modification use 'action :nothing' and then send them a notification from the package install to kick off a chain of events. Something similar to this:

package "foo" do

  version "bar"

  action :install

  notifies :create, "file[/etc/foo/bar]", :immediately

end

file "/etc/foo/bar" do

  mode 00644

  action :nothing

end

On Fri, Oct 11, 2013 at 11:12 AM, Rob Curtis < " target="_blank"> > wrote:

Executive Summary:
I'm using Chef to install a package and then update (ownership, permissions)
many of the files installed with the package.  Because the files don't exist
before the package is installed in the execution phase, resources for those
files can't be dynamically generated in the compile phase.  What is the most
correct (idempotent, efficient) way to update the package's files after
install?  Do I just use a Ruby block to chown/chmod the files?  Do I create an
explicit resource for each and every file?

The longer version:
We are using Chef to install and configure a particular software bundle (Mule
ESB).  In keeping with what we understand to be the best practices, we have a
library cookbook that simply does the bare-bones install and a policy cookbook
that wraps the library cookbook and performs our own customization.

Most of the customization we want to perform is modifying the ownership and
permissions on many of the files that get installed by the library cookbook to
make our security guys happy.  My first cut at the default recipe in the policy
cookbook looks something like this:

### Do things that happen before installing Mule ###
Chef::Log.debug("Pre-Mule")

### Install Mule ###
include_recipe "mule"

### Do things that happen after installing Mule ###
Chef::Log.debug("Post-Mule")

# Remove example applications
directory "#{node[:mule][:home]}/examples" do
    recursive true
    action :delete
end

# Restrict access to config files
Dir[ "#{node[:mule][:home]}/conf/*" ].each do |path|
    file path do
        owner node[:mule-policy][:user]
        group node[:mule-policy][:group]
        mode "0640"
    end if File.file?(path)
end
### End of cookbook snippet ###

The problem is that when I run the mule-policy cookbook on a fresh VM, Chef
attempts to create the config file resources during the compile phase but since
Mule doesn't actually get installed until the execution phase, there are no
config files for which to generate resources.  It's not a huge deal with the
config files since there are only 3 of them, but it's a bigger problem when we
start getting into the /lib directory, which contains dozens of .jar files and
the security guys want those locked down, too.

Any advice would be greatly appreciated.

Thanks,

-Rob