
I am in the process of setting up the environment for my applications. This would involve converging various Chef recipes, e.g. package installation, folder creation, NFS mount, etc.

I have to perform these on about 5k+ servers, hence I would like to have some sort of validation for the actions of the recipes.

To do: Recipe should validate the result of its actions and log the status so that it can be parsed and populated to a status dashboard later

Consider this as a generic recipe for directory creation.

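```ruby
node['my_cookbook']['directory'].each do |dir|
  # `dir` rather than `directory`, so the block variable does not shadow the
  # directory resource used below.
  directory "Applying #{dir['path']} directory configuration" do
    path dir['path']
    group dir['group']
    owner dir['owner']
    mode dir['mode']
    # Default to true only when the attribute is unset; `|| true` would also
    # override an explicit false.
    recursive dir['recursive'].nil? ? true : dir['recursive']
    action dir['action'] || :create
  end
end
```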

Considering the above what should be the approach?

Are there any specific Chef resources which we can use to validate?

maverick

1 Answer


There are several test frameworks which you can use:

  • chefspec (unit\intentional testing)

    Use ChefSpec to simulate the convergence of resources on a node:

    • Is an extension of RSpec, a behavior-driven development (BDD) framework for Ruby
    • Is the fastest way to test resources and recipes

    ChefSpec is a framework that tests resources and recipes as part of a simulated chef-client run. ChefSpec tests execute very quickly. When used as part of the cookbook authoring workflow, ChefSpec tests are often the first indicator of problems that may exist within a cookbook.

    ChefSpec runs your recipe code with all the resource actions disabled. This means that ChefSpec excels at testing complex logic in a cookbook, but can't actually tell you if a cookbook is doing the right thing.

  • test-kitchen (integration and system testing)

    Test Kitchen is an integration tool for developing and testing infrastructure code and software on isolated target platforms.

  • inspec (system testing)

    Turn your compliance, security, and other policy requirements into automated tests.

One could integrate InSpec installation as a part of the chef-client run and create a handler for invoking InSpec at the end of the chef-client run. As a part of it, serialize the node object and deserialize it in InSpec to access the node attributes with ease ;)

Mr.
  • Thanks, we do have chefspec, testkitchen and inspec implementation in our framework. However these will test/check cookbook implementation in virtual environments or simulate the converge on some dummy servers. My requirement is to check the cookbook implementation on the actual target node, for example if my cookbook is intended to create a custom directory, I should be able to check whether the cookbook convergence is successful, meaning not just chef-client success but also verify that the correct folder was created, at the correct location, with proper permission, owners and group. – maverick Jan 25 '19 at 04:54
  • @baggi: i've updated my post. hope it covers your concerns (by the way, what i described is working flawlessly for me) :) – Mr. Jan 26 '19 at 12:50
  • thanks. I read through the handlers doc. As mentioned there; let's say that I need to initialize the handler in the recipe itself, can you please suggest what should go into the existing recipe file, w.r.t. the example in my first post, i.e. folder creation? – maverick Jan 28 '19 at 05:21
  • I have decided to implement this as below:

    ```ruby
    # Creating folder
    directory path do
      recursive true
      action :create
    end
    # Logging the status if the folder is created
    log "[#{role}][#{recipe_name}]: Folder '#{path}' creation - OK" do
      only_if { Dir.exist?(path) }
    end
    ```

    I need to do similar checks for folder permission, and owner. Can you please suggest if there is any way to check/verify folder attributes? – maverick Jan 29 '19 at 09:12
  • @baggi: hard to read such thing within the comment. anyhow, i might release an implementation for that in the upcoming week. i will update it here once i did so. – Mr. Jan 30 '19 at 06:50
  • were you able to implement any solution? – maverick May 08 '19 at 06:27
  • @baggi: i have an implementation, but i have to strip some of its implementation and i haven't released it yet. i also see that you didn't accept my answer so... :) – Mr. May 10 '19 at 07:43
  • I would still like a solution for this. I feel that the solution would be more apt with an inspec control. I have detailed out my thinking in another query; https://stackoverflow.com/questions/55920053/infrastructure-compliance-via-inspec. – maverick May 13 '19 at 04:59
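
As an added example (not code from the question, the answer or Chef itself): a plain-Ruby check of the attributes the comments ask about (existence, owner, group, mode) on the node itself, returning one JSON status line per directory. The function names and result keys are assumptions made for this example; `spec` reuses the question's `path`/`owner`/`group`/`mode` keys, with owner and group given as names.

```ruby
require 'etc'
require 'json'

# Map a numeric uid/gid to a name; fall back to the number when the node has
# no passwd/group entry for it (Etc raises ArgumentError in that case).
def id_name(id, kind)
  entry = kind == :user ? Etc.getpwuid(id) : Etc.getgrgid(id)
  entry ? entry.name : id.to_s
rescue ArgumentError
  id.to_s
end

# Chef accepts mode as '0755', '755' or an octal integer; normalise to Integer.
def mode_bits(mode)
  mode.is_a?(String) ? Integer(mode, 8) : Integer(mode)
end

def show(key, value)
  key == 'mode' ? format('%04o', value) : value
end

# Compare the directory on disk with what the recipe was asked to apply.
# `spec` uses the keys of the question's node['my_cookbook']['directory'] items.
def verify_directory(spec)
  path = spec['path']
  failures = []
  if File.directory?(path) && !File.symlink?(path) # a symlink is not accepted
    st = File.lstat(path)
    actual = { 'owner' => id_name(st.uid, :user),
               'group' => id_name(st.gid, :group),
               'mode' => st.mode & 0o7777 }
    want = spec.slice('owner', 'group').compact
    want['mode'] = mode_bits(spec['mode']) if spec['mode']
    want.each do |key, expected|
      next if actual[key] == expected
      failures << "#{key}: expected #{show(key, expected)}, found #{show(key, actual[key])}"
    end
  else
    failures << 'missing or not a real directory'
  end
  { 'check' => 'directory', 'path' => path,
    'status' => failures.empty? ? 'OK' : 'FAIL', 'failures' => failures }
end

# One JSON object per line, so a log shipper or dashboard job can parse it.
def status_line(result)
  JSON.generate(result)
end
```

Run for each directory entry at the end of the converge (for instance from the handler the answer mentions), each `status_line` is one record for the dashboard, and a `FAIL` names the attribute that drifted.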