Building Authoritative Resource Sets

Chef is additive by nature: removing a resource definition from a recipe does not remove the corresponding resource from the system. This can be confusing for Chef beginners. An "authoritative resource set" is a term used to describe a resource set that contains only the resources defined in the Chef recipes of the current run.

The "zap" pattern emerged as a way to build authoritative resource sets. The LWRPs from the zap cookbook, https://github.com/nvwls/zap, are presented along with various use cases.

This talk was presented at ChefConf 2014.


Joe Nuspl

April 17, 2014

Transcript

  1. Building Authoritative Resource Sets • @JoeNuspl • nuspl@nvwls.com • ChefConf 2014

  2. Who? • Who am I?

  3. What? • “Building Authoritative Resource Sets”

  4. Where? • Regency

  5. When? • Now • 2:20 Pacific Time

  6. “Authoritative Resource Sets” • Blame Matt Ray for the name!

  7. “Authoritative Resource Sets” • A set of resources that only contains resources defined by Chef. • Chef is action based. action is a keyword. • action :create • action :delete

  8. Example
     package 'foo'
     cron 'email 503 report' do
       minute '59'
       hour '23'
       command 'grep ,503, /var/log/httpd/access.log | mail noc -s "503 Report"'
     end
     package 'bar'

  9. Day 5 • WOOT! Flakey switch port!

  10. Day 6 • WOOT! Zero 503 errors!

  11. Day 10 • Still zero 503 errors. Problem solved. • “We don’t need the 503 report anymore.”

  12. Day 11
      package 'foo'
      package 'bar'

  13. Day 13 • NOC calls… • Why are we still receiving the 503 email?

  14. Ah-ha! • Chef is action-based

  15. Solution #1
      package 'foo'
      cron 'email 503 report' do
        action :delete
      end
      package 'bar'

  16. Solution #2
      package 'foo'
      # Remove after 05/01
      cron 'email 503 report' do
        action :delete
      end
      package 'bar'

  17. Solution #3
      package 'foo'
      # Remove after 05/01
      cron 'email 503 report' do
        action :delete
        only_if { ::Crontab.exists?('email 503 report') }
      end
      package 'bar'

  18. Still yuck! • This example was benign. • /etc/iptables.d/11-open-rsh

  19. “Authoritative resource sets” • Chef should automagically delete resources that are not defined as part of the resource set of the current run

  20. The “zap” pattern • github.com/youscribe/sysctl • github.com/nvwls/zap

  21. Yet Another Solution
      zap_crontab 'root'

  22. Behind the scenes
      INFO: Processing cron[ossec] action create (zap::test line 19)
      INFO: Processing cron[tmpwatcher] action create (zap::test line 23)
      …
      INFO: Processing zap_crontab[root] action delete (zap::test line 27)
      INFO: zap_crontab[root] keeping cron[ossec]
      INFO: zap_crontab[root] keeping cron[tmpwatcher]
      INFO: zap_crontab[root] zapping cron[503 report]
      …
      INFO: Processing cron[503 report] action delete (dynamically defined)
      INFO: cron[503 report] deleted crontab entry

  23. zap_directory
      zap_directory '/etc/iptables.d' do
        filter '*.conf'
        notifies :run, 'execute[rebuild-iptables]'
      end
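
The keep/zap decision behind slides 22 and 23, as an added Ruby model that is not the zap cookbook's own code: resources are plain name strings, the crontab entries and /etc/iptables.d file names are constructed sample input, and nothing here touches Chef's run context or the real system.

```ruby
# Added example, not the zap cookbook's own code: a stand-alone model of the
# "zap" garbage-collection pattern from the talk. Resources are plain name
# strings; nothing here touches Chef's run context or the real system.

# Constructed sample input: entries actually present in root's crontab ...
EXISTING_CRON = ['ossec', 'tmpwatcher', '503 report'].freeze
# ... and the cron resources the current Chef run declared (the authoritative set).
DEFINED_CRON = ['ossec', 'tmpwatcher'].freeze

# Constructed sample input for the zap_directory case from slide 23.
EXISTING_FILES = ['/etc/iptables.d/10-base.conf',
                  '/etc/iptables.d/11-open-rsh.conf',
                  '/etc/iptables.d/README'].freeze
DEFINED_FILES = ['/etc/iptables.d/10-base.conf'].freeze

# Core of the pattern: every system resource of the managed type that the
# current run did not declare is scheduled for deletion. An optional glob
# `filter` (as in zap_directory) limits which existing items are even
# considered; items outside the filter are left untouched, not zapped.
# Returns { keep: [...], zap: [...], ignored: [...] }.
def zap_plan(existing, defined, filter: nil)
  considered, ignored = existing.partition do |name|
    filter.nil? || File.fnmatch(filter, File.basename(name))
  end
  keep, zap = considered.partition { |name| defined.include?(name) }
  { keep: keep, zap: zap, ignored: ignored }
end

# Mirrors the "keeping"/"zapping" log lines shown on slide 22, then returns
# the delete actions that zap would define dynamically at converge time.
def zap_actions(zapper, type, existing, defined, filter: nil)
  plan = zap_plan(existing, defined, filter: filter)
  plan[:keep].each { |n| puts "INFO: #{zapper} keeping #{type}[#{n}]" }
  plan[:zap].each  { |n| puts "INFO: #{zapper} zapping #{type}[#{n}]" }
  plan[:zap].map { |n| "#{type}[#{n}] action delete (dynamically defined)" }
end

if __FILE__ == $PROGRAM_NAME
  zap_actions('zap_crontab[root]', 'cron', EXISTING_CRON, DEFINED_CRON)
  zap_actions('zap_directory[/etc/iptables.d]', 'file',
              EXISTING_FILES, DEFINED_FILES, filter: '*.conf')
end
```

The `ignored` list is the caveat worth checking before relying on a zap resource: anything the filter does not match is neither kept nor deleted, so an unmanaged file outside the filter silently survives.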

  24. Coming soon • zap::services • zap::users • zap::groups

  25. Warning!!! • “Don’t we zap that?”

  26. Challenge • “There’s a zap for that!”

  27. Hangover Epiphany • Authoritative Resource Sets • Zap: Garbage Collecting System Resources

  28. Thanks • github.com/nvwls • Pull requests welcome