alambike | 22 Dec 13:29 2014

chef-init (chef-container)


Chef container, and specifically chef-init, is a promising solution for the problem of converging Chef inside containers.

I was facing the problem of managing services inside docker containers, and was having to trap service resources in the run list and rewrite them to use a specific provider.

Thanks to chef-init all of this could be avoided, just by letting chef-init patch the service resource, so recipes can be made without having to worry about whether convergence is happening inside a container or in another 'recipient', and the community cookbooks could work without modification.

Maybe it would be cleaner if it were integrated into chef-client, and maybe, imho, runit shouldn't be in the omnibus installation and should instead be part of the base image, or installed through the runit cookbook, with config files outside the omnibus directory, but anyway, as it is, it solves some of my problems.

What are the plans for this project? Is chef-init going to be continued?



meher03 | 22 Dec 01:57 2014

knife search queries

Hi, I am running the following 2 queries

First query says give me the nested attribute wiring.stackid of all nodes with
role mq. The output is as expected.

knife search node 'roles:mq' -a wiring.stackid
2 items found

  wiring.stackid: 97a2205a-87ec-11e4-9440-ae7ba1a65649

  wiring.stackid: 791d001c-87da-11e4-9560-ae7ba1a65649

The second query is a more surgical query which says give me the node with a
particular nested attribute wiring.stackid value. If you see the nested
attribute value is taken from the previous query.

 knife search node 'wiring.stackid:97a2205a-87ec-11e4-9440-ae7ba1a65649'

0 items found

Why does the second query show zero output when the first query shows there is
clearly a node with nested attribute
wiring.stackid:97a2205a-87ec-11e4-9440-ae7ba1a65649 ?


Mike Thibodeau | 20 Dec 18:11 2014

Databags vs library cookbook

What compelling reason is there for an application cookbook to use a databag vs. a library cookbook or other
artifact repo for that data? 
I am hoping for actual use cases where a databag was required or significantly better suited. 

Here are my thoughts. Please do correct me where I am wrong so I may learn. Or give me a pointer to the book I need
to read to educate myself. 

When I look at encrypted databags there is still the issue of a secret written to the node which decrypts

This feels like installing a combination lock on your door, and a lock box hanging off the knob which
contains that combination, yet still placing the key to the box under the mat. 

If we use an off-node key management service, there must be some other validation that authorizes giving
over my key without having one on disk.  With the key in RAM, any other secret, like a MySQL password, can be
delivered as a simple encrypted attribute. It can even be managed as a node attribute stored after
convergence as a uniquely encrypted string with the help of that node's unique key (from the key
management system).  (Looking in the archives I see it's node.run_state), keeping it out of chef policy files.

The databag is not versioned. At convergence a node will use the data, and if there is a problem there is no way
to mark that as bad and to use a different version for all future convergence; that is the one current version,
there is no other.

If a new cookbook version depends on the databag having different content, that databag must be backward
compatible with the old cookbook version already in play. A breaking change in a databag cannot be pinned to
a new cookbook version as there is only one "current" version.

Chef is not a database. If we need to pass real data artifacts, like some MySQL table structure or other data,
should they not be handled by our build process and placed in the artifact repo for consumption?

If we want to manage account data, would that also not need to be versioned outside chef? Ideally through an
LDAP system? ( best case there are no login accounts on your nodes beyond the initial baseline OS root,
everything else would be some sort of daemon role account like smtp, oracle, and so on, using LDAP and SUDO
to enable acting manually [but who wants to act manually or even log in to even one node, never mind
thousands of nodes] ).
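
A sketch of the design this post describes (a secret delivered as an encrypted attribute and decrypted with a node-unique key held only in memory), added here as an example and not code from the post or from Chef. The `converge` helper, the attribute name, the node names and the in-process key are assumptions; a plain Hash stands in for `node.run_state`.

```ruby
require "openssl"
require "base64"
require "json"

# Encrypt with AES-256-GCM. The node name is bound in as associated data,
# so a blob copied into another node's attributes will not decrypt there.
def seal_for_node(key, node_name, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv            # 12-byte nonce, fresh per encryption
  cipher.auth_data = node_name
  ct = cipher.update(plaintext) + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + ct)
end

# Raises OpenSSL::Cipher::CipherError on a wrong key, wrong node or tampering.
def open_for_node(key, node_name, blob)
  raw = Base64.strict_decode64(blob)
  iv, tag, ct = raw[0, 12], raw[12, 16], raw[28..-1]
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = node_name
  cipher.update(ct) + cipher.final
end

# One simulated converge (hypothetical helper). `persisted` stands in for the
# node attributes saved to the server, `run_state` for the in-memory
# node.run_state that is discarded when the run ends.
def converge(node_name, node_key, persisted)
  run_state = {}
  run_state["mysql_password"] =
    open_for_node(node_key, node_name, persisted["mysql_password_enc"])
  # Resources would read run_state["mysql_password"] at this point.
  saved = JSON.generate(persisted) # what is written back after the run
  [run_state, saved]
end

# Constructed sample data. The key stands in for one fetched from an
# off-node key service and never written to disk.
NODE_KEY = OpenSSL::Random.random_bytes(32)
SAMPLE_SECRET = "example-db-password"
PERSISTED = {
  "mysql_password_enc" => seal_for_node(NODE_KEY, "db01.example", SAMPLE_SECRET)
}
```

Only the ciphertext appears in what is saved for the node; the plaintext exists in `run_state` for the length of the run.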

Joshua Timberman | 19 Dec 23:49 2014

ruby cookbook

Ohai Chefs!

I wanted to let everyone know that CHEF is going to maintain the `ruby` cookbook[0]. We're going to use this in earnest for a variety of internal projects, and we will have updates, primarily in the form of creating a resource/provider for managing Ruby installation in a cross-platform and cross-implementation manner. 

We'll do what we can to maintain backwards compatibility, and fix some outstanding bugs. The tentative plan is:

1. Release a 0.9.3 version that addresses outstanding bugs and ensures compatibility with Chef 12.
2. Release a 1.0 version that is considered stable, which will introduce a new resource/provider.
3. Release a 2.0 version that is also considered stable, which will likely remove the current recipes, and include additional providers. We'll probably also remove the definitions at this point, as the recipes are the main thing that leverage them.

There are a lot of different ways to install Ruby across a lot of different operating systems. We want this to be as flexible and feature complete as is reasonable, but we cannot possibly support every single possibility. Actionable things will be tracked as issues on the ruby cookbook repository[1], so watch the project if you want to keep up to date.


Amandeep | 19 Dec 12:36 2014

Not able to execute sh file

Ohai chef,

I am facing an issue of Mixlib::ShellOut command failure while executing a file to start the jboss
service using a bash resource like below.

bash "start service" do
  code "./ -b"
end

I have already faced the same issue while running an sh file. Please, guys, help me with this.

Amandeep Singh

Kevin Keane Subscription | 19 Dec 09:31 2014

Passing variables between recipes?

I'm sure that this must be an FAQ but I can't really find the answer.

I am working with an application-cookbook/wrapper-cookbook pattern. Usually, in this pattern the wrapper cookbook sets up some attributes, and then calls the application cookbook to do the work.

In my case, I do not want to use attributes to pass the data from the wrapper to the application cookbook. Specifically, I don't want the data to be saved in the node (the data in question is the password to a MySQL database).

I also would like to avoid using a data bag simply because it seems like code smell. Only the wrapper cookbook should "know" where the data is coming from.

What are my options?

Kevin Keane

The NetTech

Our values: Privacy, Liberty, Justice


Hajducko, Steven | 18 Dec 21:58 2014

ChefDK and collaborating with others

I'm somewhat new to Chef and Ruby in general, so please bear with me ( and feel free to correct any misguided statements! )

From what I understand, pre-ChefDK, people would use bundler to pin the gem versions they used to develop/test their application/cookbook.  I slap it all into a Gemfile, bundle install, commit the Gemfile.lock.  You download my repo, you bundle install and you immediately have all the same gem versions that I used.

My confusion stems from how this is supposed to work with ChefDK.  Suppose that I use ChefDK to create my cookbook, do all my development and testing and release it to a public repo.  My colleague, however, doesn't have ChefDK and grabs my repo.  How is he supposed to know what gems I used?  My first answer would be - I either document it in the README or I just say 'Install ChefDK v0.3.5'.  Another option would be to manually create a Gemfile for everything that I used out of ChefDK and include that along with my repo?  But in both cases, I'm having to keep some extra piece of information up to date with everything I'm using out of ChefDK ( or just telling him he better install it ).  Am I missing something there?

The second scenario I'm hazy about is when you get into the situation when we start drifting between ChefDK versions.  Perhaps I haven't upgraded my ChefDK for a while and you're on the latest and greatest.  What's keeping us in sync, so that we're using the same versions of Test Kitchen, ChefSpec, etc?  Or does it not matter, because in general, the differences between the gems provided in different ChefDK versions aren't a big enough concern?

I understand ( I think ), that if I start using 3rd party gems that aren't included in ChefDK, I should be bundle installing them and including the Gemfile.  I think it's the two scenarios above that I'm unsure about and I'm curious how others are doing this.

I've read a few blog posts and the previous mail on the list, but I think I'm still confused enough about what the vision/workflow is that I had to ask.




Douglas Garstang | 18 Dec 21:02 2014

LVM Cookbook di-ruby-lvm-attrib

I just tested the community lvm cookbook out on Ubuntu, which it says it supports.

ERROR: chef_gem[di-ruby-lvm] (lvm::default line 21) had an error: Gem::DependencyError: Unable to resolve dependencies: di-ruby-lvm requires di-ruby-lvm-attrib (~> 0.0.3)

A recursive grep of di-ruby-lvm-attrib in the cookbook yielded nothing. What am I missing? I logged into the vagrant vm that I tested with, and was able to install the gem successfully.

So, either it's not mentioned at all in the cookbook (epic fail), or it's not a dependency of the di-ruby-lvm gem (also an epic fail).


Kevin Keane Subscription | 18 Dec 20:02 2014

cookbook conflict: httpd/php/mysql

I came across a problem with a combination of three supermarket cookbooks, and am wondering if this is a bug or I am doing something wrong. I am using the httpd cookbook (0.1.5) and the php cookbook (1.5.0). The php cookbook also includes mysql (6.0.3). I actually don't need that mysql cookbook directly. All this is on CentOS 6.5, although I suspect the problem will affect all OS.

When I just install httpd without php, Apache starts up flawlessly. When I add the php cookbook (and thus indirectly the mysql cookbook), /etc/httpd/conf/httpd.conf uses an invalid PidFile location; it uses a location that would be valid for mysql, but not for httpd. Since I'm not installing mysql, that directory doesn't exist.

My suspicion is that both the mysql and httpd cookbooks use the same name "pid_file" at some point, and thus clash. Either that, or I'm making a mistake that I'm just not seeing.

Here is the generated httpd.conf:

ServerName nctc-accounting-berkshelf.vagrant
ServerRoot /etc/httpd
PidFile /var/run/mysql-default/
User apache
Group apache
Timeout 400
ErrorLog /var/log/httpd/error_log
LogLevel warn
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
DefaultType None
HostnameLookups off


Include conf.d/*.conf
Include conf.d/*.load

Kevin Keane

The NetTech

Our values: Privacy, Liberty, Justice


Ryan Kelley | 18 Dec 18:58 2014

ChefDK and Test Kitchen SSL issue

I'm running into this issue with the out-of-the-box install of ChefDK on both an OSX system and Ubuntu. Using chef generate cookbook and getting the default .kitchen.yml file and then running kitchen create to pull down and create the box, I'm getting an error at what I'm assuming is the embedded curl operation to pull down the opscode ubuntu or centos box. I get this:

>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: Failed to complete #create action: [Expected process to exit with [0], but received '1'
---- Begin output of vagrant up --no-provision --provider=virtualbox ----
STDOUT: Bringing machine 'default' up with 'virtualbox' provider...
==> default: Box 'opscode-ubuntu-12.04' could not be found. Attempting to find and install...
    default: Box Provider: virtualbox
    default: Box Version: >= 0
==> default: Adding box 'opscode-ubuntu-12.04' (v0) for provider: virtualbox
   SSL certificate problem: unable to get local issuer certificate
       More details here:
       curl performs SSL certificate verification by default, using a "bundle"
        of Certificate Authority (CA) public keys (CA certs). If the default
        bundle file isn't adequate, you can specify an alternate file
        using the --cacert option.
       If this HTTPS server uses a certificate signed by a CA represented in
        the bundle, the certificate verification probably failed due to a
        problem with the certificate (it might be expired, or the name might
        not match the domain name in the URL).
       If you'd like to turn off curl's verification of the certificate, use
        the -k (or --insecure) option

This has to be a bug, seeing that myself and other co-workers are getting the same error with DK 3.5.1.
I have tried adding the embedded SSL cert in the chefdk package to my local cert store, no dice. On my Mac I have set insecure globally for curl in .curlrc, which works (I don't want this to be the fix); that does not work on my Linux machines. I'm running the supported versions of Ubuntu for DK. Really need to figure out what I'm doing wrong and how to fix it.