Reputation: 39
Group resource in chef is not being idempotent
As part of certain requirements I was asked to create 2 groups 'group1' and 'group2' with specific GIDs. And also 'user1' user with a particular UID. I specified the name of the group and and their ID as hash in the attributes as follows:
default['abc']['groups'] = {'group1' => 45xxx, 'group2' => 45xxx}
I called this in my recipe as follows. What I am trying to do here is first create the two groups. And then create the user. And then modify the group to add the user.
#Create Groups
node['abc']['groups'].each_key do |group|
group group do
gid node['abc']['groups'][group]
end
end
# Create the user.
user 'user1' do
uid 45xxx
end
# Configure the user.
# Make it a member of the appropriate supplementary groups, and
# ensure its environment will be set up properly upon login.
node['abc']['groups'].each_key do |grp|
group grp do
members ['user1']
append true
action :modify
end
end
It works fine on the first run. Then when I run it again, this is what happens:
Recipe: abc::recipename
* group[group1] action create
- alter group group1
- replace group members with new list of members
* group[group2] action create
- alter group group2
- replace group members with new list of members
* user[user1] action create (up to date)
* group[group1] action modify
- modify group group1
- add missing member(s): user1
* group[group2] action modify
- modify group group2
- add missing member(s): user1
What it's doing is, on rerun when it hits the first block, it's altering the group to remove all users. And in the second block it again modifies the group to add the user. Now the first group block is only for creation of the groups. If the group is already present, then why is it modifying it, even when we are not mentioning anything about members in the first block ? It should just see it as up to date and move on. Please help me understand why is it behaving like. I cannot understand if I am missing something here
Upvotes: 1
Views: 337
Answers (1)
Reputation: 54211
members defaults to [] so by not specifying it you are telling it to set the members to be empty. If you set append true and members [] on the first group resource it will make it not try to manage the member list which I think is what you want. Chef generally operates in terms of object-level modeling and you are trying to use it in a more procedural manner, so things look a little weird.
Upvotes: 2
Related Questions
- can't bootstrap node when user is in admin group
- Get list of directories mid chef run
- Can not create a machine with Vagrant and Chef
- How can I conditionally run a block of resources or a recipe in chef?
- chef-rewind: issue unwinding part of an upstream recipe (ceph::mon)
- Chef: How to test that a node attribute is not stored on Chef Server?
- Ruby chef script .exe file format installer installation
- switch chef-client user during bootstrap
- troubles with data bags in chef/knife