[chef] Re: Enforce certain recipe in run_list

[Michael Hart < >]

I agree the cluebat approach isn’t really good, I wrote it partially due to inside joke from when I worked at the same place the original poster. :)

cheers

mike

--

Michael Hart

Arctic Wolf Networks

M: 226-388-4773

On Sep 25, 2014, at 17:41, Lamont Granquist < "> > wrote:

On 9/25/14, 11:40 AM, Michael Hart wrote:

" type="cite"> I can’t think of a way to enforce that except for a “thou shalt always add the X role to thy VM’s” and a cluebat to enforce it. Perhaps someone else can think of something.

We have a ‘base’ role that gets applied to absolutely every node we have, VM’s or not, that contain things like chef client config, ntp, timezone, base syslog, collectd, etc, and while we’ve never had to enforce it (small team etc) if I had to start enforcing it I’d probably setup a script that polled the node configs and add the base role back into the run_list if it wasn’t there already. And then haul out the aforementioned cluebat and chase down the offender. :)

In an organization where you've got a couple dozen people of various skill levels working on config management code and they are coming and going, the cluebat means that you're just going to constantly be angry at the junior SA someone hired a month ago who did the wrong thing without knowing any better.  Its a lot better to put the cluebat aside and just not let anyone have a choice over screwing the policy up.

I'll mention again that writing up an RFC for this and/or mentioning it at the summit would be good.