Building Authoritative Resource Sets

Chef is additive by nature. Removing resource definitions from recipes will not remove the resources from the system. This can be confusing for beginner chefs. An authoritative resource set is a resource set containing only the resources defined in the Chef recipes.

The "zap" pattern emerged as a way to build authoritative resource sets. The LWRPs from the zap cookbook, https://github.com/nvwls/zap, will be presented as well as various use cases.

This talk was presented at ChefConf 2014.

Joe Nuspl

April 17, 2014

Transcript

  1. Building Authoritative Resource Sets
    @JoeNuspl
    ChefConf 2014

  2. Who?
    • Who am I?

  3. What?
    • “Building Authoritative Resource Sets”

  4. Where?
    • Regency

  5. When?
    • Now
    • 2:20 Pacific Time

  6. “Authoritative Resource Sets”
    • Blame Matt Ray for the name!

  7. “Authoritative Resource Sets”
    • A set of resources that contains only resources defined by Chef.
    • Chef is action based. action is a keyword.
    • action :create
    • action :delete

  8. Example
    package 'foo'
    cron 'email 503 report' do
      minute '59'
      hour '23'
      command 'grep ,503, /var/log/httpd/access.log | mail noc -s "503 Report"'
    end
    package 'bar'

  9. Day 5
    • WOOT! Flakey switch port!

  10. Day 6
    • WOOT! Zero 503 errors!

  11. Day 10
    • Still zero 503 errors. Problem solved.
    • “We don’t need the 503 report anymore.”

  12. Day 11
    package 'foo'
    package 'bar'

  13. Day 13
    • NOC calls…
    • Why are we still receiving the 503 email?

  14. Ah-ha!
    • Chef is action-based

  15. Solution #1
    package 'foo'
    cron 'email 503 report' do
      action :delete
    end
    package 'bar'

  16. Solution #2
    package 'foo'
    # Remove after 05/01
    cron 'email 503 report' do
      action :delete
    end
    package 'bar'

  17. Solution #3
    package 'foo'
    # Remove after 05/01
    cron 'email 503 report' do
      action :delete
      only_if { ::Crontab.exists?('email 503 report') }
    end
    package 'bar'

  18. Still yuck!
    • This example was benign.
    • /etc/iptables.d/11-open-rsh

  19. “Authoritative resource sets”
    • Chef should automagically delete resources that are not defined as part of the resource set of the current run

  20. The “zap” pattern
    • github.com/youscribe/sysctl
    • github.com/nvwls/zap

  21. Yet Another Solution
    zap_crontab 'root'

  22. Behind the scenes
    INFO: Processing cron[ossec] action create (zap::test line 19)
    INFO: Processing cron[tmpwatcher] action create (zap::test line 23)

    INFO: Processing zap_crontab[root] action delete (zap::test line 27)
    INFO: zap_crontab[root] keeping cron[ossec]
    INFO: zap_crontab[root] keeping cron[tmpwatcher]
    INFO: zap_crontab[root] zapping cron[503 report]

    INFO: Processing cron[503 report] action delete (dynamically defined)
    INFO: cron[503 report] deleted crontab entry

  23. zap_directory
    zap_directory '/etc/iptables.d' do
      filter '*.conf'
      notifies :run, 'execute[rebuild-iptables]'
    end

  24. Coming soon
    • zap::services
    • zap::users
    • zap::groups

  25. Warning!!!
    • “Don’t we zap that?”

  26. Challenge
    • “There’s a zap for that!”

  27. Hangover Epiphany
    • Authoritative Resource Sets
    • Zap: Garbage Collecting System Resources

  28. Thanks
    • github.com/nvwls
    • Pull requests welcome

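
The keep/zap decision from the "Behind the scenes" slide, as an added example in plain Ruby (not code from the talk or from the zap cookbook). It assumes Chef-managed crontab entries carry a "# Chef Name: <name>" comment line; the crontab text, the declared names and the helper names are constructed for illustration.

```ruby
# Added illustration of the zap pattern; plain Ruby, not the zap cookbook's code.
# Assumption: Chef's cron resource tags each entry it manages with a
# "# Chef Name: <name>" comment line, which is how entries are identified here.
CHEF_MARKER = /\A# Chef Name: (.+)\z/

# Return the names of Chef-managed entries found in crontab text.
def managed_cron_names(crontab_text)
  crontab_text.each_line.map { |line| line.chomp[CHEF_MARKER, 1] }.compact
end

# Split what exists on the node into entries to keep (declared in this run)
# and entries to zap (present on the node, absent from the resource set).
def zap_plan(on_system, declared)
  keep, zap = on_system.partition { |name| declared.include?(name) }
  { keep: keep, zap: zap }
end

# Render the decisions in the style of the log lines on the slide.
def report(plan, owner)
  plan[:keep].map { |n| "zap_crontab[#{owner}] keeping cron[#{n}]" } +
    plan[:zap].map { |n| "zap_crontab[#{owner}] zapping cron[#{n}]" }
end

# Constructed sample: root's crontab after the recipe dropped the 503 report.
SAMPLE_CRONTAB = <<~CRON
  # Chef Name: ossec
  */5 * * * * /usr/local/bin/ossec-check
  # Chef Name: tmpwatcher
  0 4 * * * /usr/sbin/tmpwatch 240 /tmp
  # Chef Name: 503 report
  59 23 * * * grep ,503, /var/log/httpd/access.log | mail noc -s "503 Report"
  # hand-added entry without a Chef marker
  0 0 * * * /bin/true
CRON

# Constructed sample: names of the cron resources declared in the current run.
DECLARED = %w[ossec tmpwatcher].freeze

if __FILE__ == $PROGRAM_NAME
  puts report(zap_plan(managed_cron_names(SAMPLE_CRONTAB), DECLARED), 'root')
end
```

The hand-added entry has no marker, so this sketch never sees it and it survives the run; whether unmarked entries are in scope is a decision to make before relying on such a set as authoritative.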