Easier way to apply one condition to a set of Chef resources

chefruby

In this part of a Chef recipe, there are 4 execute resources. They should only run when a file does not exists. This is added as a condition to the first resource, which then triggers the entire chain to be run.

# Set up default SSL cert
execute "defaultcert1" do
    not_if {File.exist?("/vol/webserver/cert")}
    command "mkdir /vol/webserver/cert"
    notifies :run, "execute[defaultcert2]", :immediately
end
execute "defaultcert2" do
    action :nothing
    command "ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /vol/webserver/cert/server.crt"
    notifies :run, "execute[defaultcert3]", :immediately
end
execute "defaultcert3" do
    action :nothing
    command "ln -s /etc/ssl/private/ssl-cert-snakeoil.key /vol/webserver/cert/server.key"
    notifies :run, "execute[defaultcert4]", :immediately
end
execute "defaultcert4" do
    action :nothing
    command "chown -R ubuntu:ubuntu /vol/webserver/cert"
end

As you can see, it's a rather large bit of code to guard just 4 commands. Is there a better way to do this?

Best Answer

For your particular example, I'd suggest using Chef's directory and link resources, in preference to shelling out:

directory "/vol/webserver/cert" do
    user "ubuntu"
    group "ubuntu"
end

link "/vol/webserver/cert/server.crt" do
    to "/etc/ssl/certs/ssl-cert-snakeoil.pem"
end
link "/vol/webserver/cert/server.key" do
    to "/etc/ssl/certs/ssl-cert-snakeoil.key"
end

You don't need to guard these with not_if's and notifies - if the directory and links already exist with the correct attributes, Chef won't do anything.

On the other hand, say you want to use the snakeoil cert and key if nothing's there to begin with, but do nothing if the files already exist. In that case, I'd use not_if on the link resources:

directory "/vol/webserver/cert" do
    user "ubuntu"
    group "ubuntu"
end

link "/vol/webserver/cert/server.crt" do
    to "/etc/ssl/certs/ssl-cert-snakeoil.pem"
    not_if "test -e /vol/webserver/cert/server.crt"
end

link "/vol/webserver/cert/server.key" do
    to "/etc/ssl/certs/ssl-cert-snakeoil.key"
    not_if "test -e /vol/webserver/cert/server.key"
end

Compared to a string of execute resources, this communicates intent more clearly - it says that a directory needs to exist (with the correct user and group), and that a couple of symlinks should be created unless something is already present.

Finally, if you did have several related shell commands you needed to execute together, consider using the script resource.

Related Solutions

Idiomatic way to invoke chef-solo

By default, chef-solo reads its configuration from /etc/chef/solo.rb. The command-line parameters correspond to config values that can be set in this file. This is done using the mixlib-config library.

  option :config_file, 
    :short => "-c CONFIG",
    :long  => "--config CONFIG",
    :default => "/etc/chef/solo.rb",
    :description => "The configuration file to use"

  option :json_attribs,
    :short => "-j JSON_ATTRIBS",
    :long => "--json-attributes JSON_ATTRIBS",
    :description => "Load attributes from a JSON file or URL",
    :proc => nil

  option :recipe_url,
      :short => "-r RECIPE_URL",
      :long => "--recipe-url RECIPE_URL",
      :description => "Pull down a remote gzipped tarball of recipes and untar it to the cookbook ca
che.",
      :proc => nil

The 'option' is the config file value.

The actual config file, /etc/chef/solo.rb would look like:

file_cache_path "/tmp/chef-solo"
cookbook_path   "/tmp/chef-solo/cookbooks"
role_path       "/tmp/chef-solo/roles"
json_attribs    "/tmp/chef-solo/node.json"
recipe_url      "http://www.example.com/chef-solo.tar.gz"

Also note that the JSON file can be a remote URL, too.

json_attribs    "http://www.example.com/node.json"

You can use Ohai as a library within the config file as well, to detect the platform or other attributes to specify what JSON file to use.

require 'rubygems'
require 'ohai'
o = Ohai::System.new
o.all_plugins
file_cache_path "/tmp/chef-solo"
cookbook_path   "/tmp/chef-solo/cookbooks"
role_path       "/tmp/chef-solo/roles"
json_attribs    "/tmp/chef-solo/#{o[:platform]}.json"
recipe_url      "http://www.example.com/chef-solo.tar.gz"

And then you'd have "platform" specific JSON files, for example. Or you could use o[:hostname], o[:domain] or o[:fqdn] to use JSON files based on the hostname, domain or fqdn. But once you start having the scaffolding of servers to support this kind of dynamic configuration, you might look at running a Chef Server :-).

Multiple related resources in chef recipe

Can you share your recipe? Unfortunately I can't find a reference, but I remember reading on the Opscode site that Chef runs Resources of the same type as a batch. So, how you are calling for the install (and the subsequent add/delete) can matter.

You may want to look at the Execute Resource

Chef documenation: sometimes you want to make sure that a resource is configured before anything else.

Best Answer

Related Solutions

Idiomatic way to invoke chef-solo

Multiple related resources in chef recipe

Related Topic