
Building Authoritative Resource Sets

Chef is additive by nature. Removing resource definitions from recipes will not remove the resources from the system. This can be confusing for beginner chefs. An authoritative resource set is a resource set containing only the resources defined in the Chef recipes.

The "zap" pattern emerged as a way to build authoritative resource sets. The LWRPs from the zap cookbook, https://github.com/nvwls/zap, will be presented as well as various use cases.

This talk was presented at ChefConf 2014.

Joe Nuspl

April 17, 2014

Transcript

  1. Building Authoritative Resource Sets
    @JoeNuspl
    [email protected]
    ChefConf 2014

  2. Who?
    • Who am I?

  3. What?
    • “Building Authoritative Resource Sets”

  4. Where?
    • Regency

  5. When?
    • Now
    • 2:20 Pacific Time

  6. “Authoritative Resource Sets”
    • Blame Matt Ray for the name!

  7. “Authoritative Resource Sets”
    • A set of resources that only contains resources defined by Chef.
    • Chef is action based. action is a keyword.
    • action :create
    • action :delete

  8. Example
    package 'foo'
    cron 'email 503 report' do
      minute '59'
      hour '23'
      command 'grep ,503, /var/log/httpd/access.log | mail noc -s "503 Report"'
    end
    package 'bar'

  9. Day 5
    • WOOT! Flakey switch port!

  10. Day 6
    • WOOT! Zero 503 errors!

  11. Day 10
    • Still zero 503 errors. Problem solved.
    • “We don’t need the 503 report anymore.”

  12. Day 11
    package 'foo'
    package 'bar'

  13. Day 13
    • NOC calls…
    • Why are we still receiving the 503 email?

  14. Ah-ha!
    • Chef is action-based

  15. Solution #1
    package 'foo'
    cron 'email 503 report' do
      action :delete
    end
    package 'bar'

  16. Solution #2
    package 'foo'
    # Remove after 05/01
    cron 'email 503 report' do
      action :delete
    end
    package 'bar'

  17. Solution #3
    package 'foo'
    # Remove after 05/01
    cron 'email 503 report' do
      action :delete
      only_if { ::Crontab.exists?('email 503 report') }
    end
    package 'bar'

  18. Still yuck!
    • This example was benign.
    • /etc/iptables.d/11-open-rsh

  19. “Authoritative resource sets”
    • Chef should automagically delete resources that are not defined as part of the resource set of the current run

  20. The “zap” pattern
    • github.com/youscribe/sysctl
    • github.com/nvwls/zap

  21. Yet Another Solution
    zap_crontab 'root'

  22. Behind the scenes
    INFO: Processing cron[ossec] action create (zap::test line 19)
    INFO: Processing cron[tmpwatcher] action create (zap::test line 23)

    INFO: Processing zap_crontab[root] action delete (zap::test line 27)
    INFO: zap_crontab[root] keeping cron[ossec]
    INFO: zap_crontab[root] keeping cron[tmpwatcher]
    INFO: zap_crontab[root] zapping cron[503 report]

    INFO: Processing cron[503 report] action delete (dynamically defined)
    INFO: cron[503 report] deleted crontab entry

  23. zap_directory
    zap_directory '/etc/iptables.d' do
      filter '*.conf'
      notifies :run, 'execute[rebuild-iptables]'
    end

  24. Coming soon
    • zap::services
    • zap::users
    • zap::groups

  25. Warning!!!
    • “Don’t we zap that?”

  26. Challenge
    • “There’s a zap for that!”

  27. Hangover Epiphany
    • Authoritative Resource Sets
    • Zap: Garbage Collecting System Resources

  28. Thanks
    • github.com/nvwls
    • Pull requests welcome
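
The keep/zap decision logged on the "Behind the scenes" slide, sketched in plain Ruby as an added example (not the zap cookbook's code). It assumes Chef-managed cron entries carry a "# Chef Name:" comment; the sample crontab, the ossec, tmpwatcher and hand-added commands in it, and the helper names managed_cron_names, zap_plan and plan_log are constructed for illustration.

```ruby
# Added illustration of the zap pattern in plain Ruby; not the zap cookbook's code.
# Assumption: Chef's cron resource tags each entry it manages with a
# "# Chef Name: <name>" comment line, which is how entries are discovered here.

# Constructed sample: root's crontab on "Day 13", after the 503 report
# resource was dropped from the recipe but never deleted from the node.
SAMPLE_CRONTAB = <<~CRON
  # Chef Name: ossec
  */5 * * * * /var/ossec/bin/check
  # Chef Name: tmpwatcher
  0 4 * * * /usr/sbin/tmpwatch 240 /tmp
  # Chef Name: 503 report
  59 23 * * * grep ,503, /var/log/httpd/access.log | mail noc -s "503 Report"
  30 2 * * * /usr/local/bin/hand-added-job
CRON

# Names of the Chef-managed entries present on the system.
def managed_cron_names(crontab_text)
  crontab_text.each_line.map { |l| l[/\A#\s*Chef Name:\s*(.+?)\s*\z/, 1] }.compact
end

# Split the entries on the system into those declared in this run (keep)
# and those no recipe declares any more (zap). In this sketch, entries
# without a Chef marker are never listed, so hand-added jobs survive
# and have to be audited by other means.
def zap_plan(crontab_text, declared_names)
  on_system = managed_cron_names(crontab_text)
  keep, zap = on_system.partition { |name| declared_names.include?(name) }
  { keep: keep, zap: zap }
end

# Render the plan in the style of the log lines on the "Behind the scenes" slide.
def plan_log(user, plan)
  plan[:keep].map { |n| "zap_crontab[#{user}] keeping cron[#{n}]" } +
    plan[:zap].map { |n| "zap_crontab[#{user}] zapping cron[#{n}]" }
end

# Resources declared in the current run (the "Day 11" recipe no longer has the report).
DECLARED = ['ossec', 'tmpwatcher'].freeze

puts plan_log('root', zap_plan(SAMPLE_CRONTAB, DECLARED)) if $PROGRAM_NAME == __FILE__
```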
