[chef] RE: Re: Enforce certain recipe in run_list

[Phil Oliva < >]

Daniel,

We're trying to enforce some governance on all the nodes that bootstrapped to 
our chef server. Coming from a large organization and trying to onboard many 
groups to our ha chef server infrastructure on our Opennebula based private 
cloud. 

We provided a single bash context script (coined "one init.sh script to rule 
them all") as a point of entry that groups can put in their vm template 
context along and with some standardized chef related template variables 
(chef_server_url, validator_key, bootstrap_json, chef_environment, etc..). 
Our bash script installs the recommended chef client package version (our 
team determines which version will get used) then runs chef-apply blocks to 
setup vm networking (nice because resources work on RH + Ubuntu ) and then 
setups up the /etc/chef/chef-client.rb properly and runs chef-client based on 
variables provided. This approach has worked well thus far.

We also wrote a hook for our hypervisors to cleanup node/client data when vms 
get deleted/recreated. Our chef server has a special admin account for that 
hypervisors can use to run pychef and manage it. 

That was all the logic we wanted to add to init.sh script. Anything that 
needs to be done to node after chef-client is assumed to be in a cookbook. 
Don't want to modify the init.sh very often (ideally never).

So I wanted to create a base cookbook that has a recipe that forces nodes 
checking every 15 minutes into server with chef-client runs using a cron or 
chef-client daemon. This recipe would need to survive a DR scenarios if our 
chef server ended up needing to be recreated and data loss was present. 
Example if node/client data not on server and vm still has client.pem (delete 
client.pem if getting "Failed to authenticate to .* with key 
/etc/chef/client.pem" message).

My question came about because I had an idea that I wanted our staging HA 
chef server to force people to run this recipe/cookbook even if they didn't 
specify it in their own run_list. This way people would learn if their 
cookbooks were truly idempotent (which is our end goal) in testing lab before 
it ended up in production. If people choose to proceed to production with 
non-idempotent cookbooks well then operators would need to know they would 
need to destroy vm and recreate any time they want cookbook rerun. 

Phil

----Original Message-----
From: Daniel DeLeo 
[mailto:
 
 On Behalf Of Daniel DeLeo
Sent: Wednesday, September 24, 2014 4:47 PM
To: 

 
Subject: [chef] Re: Enforce certain recipe in run_list



On Wednesday, September 24, 2014 at 10:03 AM, Phil Oliva wrote:

> Hi all,
>  
> Is there a way to enforce all nodes that bootstrap with chef-client to 
> certain chef-server run extra recipe(s) on top of their specified run list? 
> Basically want to create a base cookbook for my organization and ensure all 
> managed bootstrap nodes have run certain recipes from this cookbook.
>  
> Phil Oliva


To start this one over from the beginning, what do you mean by "ensure all 
managed bootstrap nodes have run certain recipes from this cookbook?” Are you 
worried that users in your organization will unintentionally create nodes 
without these recipes? Or that users will intentionally create nodes without 
these recipes? Do you need to manage the set of “required” base recipes over 
time? What kinds of users create new nodes, and how do they specify their 
customizations?

--  
Daniel DeLeo