Make sys resource-driven
The `sys`-cookbook uses recipes which do nothing by default, and can be activated by including them in a run list and configuring the right attributes. This design is from a time when custom resources were not well supported, if at all.
The Chef community is moving to resource-driven cookbooks, that is, cookbooks that contain only custom resources and do not use any attributes. This has some advantages over using actual recipes as building blocks that are configured via attributes:
- Easier to test
- Cleaner interface
- Less code in `sys`
- More flexibility
- Easier to understand
- Easier to support other platforms.
Disadvantages might be:
- Less code in `sys` means more code somewhere else, e.g. `gsi-sys`
- You have to know custom resources a little to know what's going on.
`sys::ssl` as an example:
The recipe gets an x509 certificate and private key from a databag and vault, and puts them in the right places. It does not restart any services, like apache. From the recipe, it is not clear at first glance what all the attributes are that one can use to configure where to put the files. It is also not obvious what to do if you want to restart a service. You could write a wrapper cookbook, where some resource subscribes to the file `"/etc/ssl/certs/#{node['fqdn']}"` and restarts apache, which defeats the purpose of configuring the recipe only via attributes. So, in order to do what you want, you would have to include `sys::ssl` in the runlist, configure the right attributes, add some notification attribute to `sys::ssl` or write similar functionality in a wrapper cookbook, and hope that the recipe is not included in the runlist by some other recipes, and hope that your attributes are not messed up during merging.
`resources/sys_x509_certificate.rb`:
To use the custom resource you have to depend on `sys`, use a wrapper cookbook, in the wrapper cookbook you would write something like
```ruby
sys_x509_certificate node['fqdn'] do
  # notifies takes the action first, then the target resource
  notifies :restart, 'service[slapd]'
end
```
No attribute headache, notification was easy, `recipes/ssl.rb` might be removed entirely when it is not needed anymore.
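
What a resource like `sys_x509_certificate` has to do when it converges, sketched in plain Ruby so it runs without Chef (an added example, not the cookbook's code): verify that the key belongs to the certificate, write the key with a restrictive mode, and report a change only when a file was actually rewritten, which is the signal that should drive the service restart. The function names, file modes and the key-match check are assumptions, not taken from `sys`.

```ruby
require 'openssl'
require 'fileutils'
require 'tempfile'

# Write content to path with the given mode.
# Returns true only if the file content changed (hypothetical helper).
def install_file(path, content, mode)
  if File.exist?(path) && File.read(path) == content
    File.chmod(mode, path) # repair drifted permissions, but report no change
    return false
  end
  FileUtils.mkdir_p(File.dirname(path))
  # The temp file lives in the target directory so the rename is atomic.
  # Tempfile creates it with mode 0600, so a key is never world-readable,
  # not even for the short time before chmod.
  tmp = Tempfile.create(File.basename(path), File.dirname(path))
  tmp.write(content)
  tmp.close
  File.chmod(mode, tmp.path)
  File.rename(tmp.path, path)
  true
end

# Install a certificate/key pair (hypothetical helper).
# Returns true if either file changed; a Chef resource would turn this
# into "updated", which is what fires `notifies :restart, ...`.
def install_x509(cert_pem, key_pem, cert_path, key_path)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey.read(key_pem)
  # Refuse to deploy a pair that does not belong together; nothing is
  # written, so the running service keeps its working certificate.
  unless cert.check_private_key(key)
    raise ArgumentError, 'private key does not match certificate'
  end
  changed = install_file(cert_path, cert_pem, 0o644)
  changed |= install_file(key_path, key_pem, 0o600)
  changed
end
```

A second run with unchanged data bag content returns `false`, so a dependent service is not restarted on every Chef run.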