Skip to content
This repository has been archived by the owner on Jul 14, 2021. It is now read-only.

Chef Linux Group Provider is not indempotent #336

Closed
tokenrain opened this issue Mar 19, 2015 · 3 comments
Closed

Chef Linux Group Provider is not indempotent #336

tokenrain opened this issue Mar 19, 2015 · 3 comments

Comments

@tokenrain
Copy link

The basic Linux Group provider in Chef is, IMHO, a bit broken which given the base nature of provider I would classify this as a bug. From my experience there is only two ways to get the Group provider to act in a Idempotent fashion from a Chef perspective

group "foo" do
gid 1234
members [ "user1", "user2", "user ]
action :create
end

group "foo" do
append true
excluded_members [ "user1"]
action :modify
end

The following is one example of using the Group provider which triggers on every convergence

group "ssl-cert" do
append "true
members [ "www-data" ]
action :modify
end

There are numerous issues with this resource triggering when no action should be taken - the biggest being that I can not notifications reliably.

At the end of the day what I really want the group provider to be able to do is add a user or set of users to an existing group and not add them if they are already part of the group. This is something that I think is a reasonable expectation for base level of an action

@tokenrain
Copy link
Author

To add more color I think the problem simply lies in the fact that group creation does "more than it should"

For me what is happening is that on recipe one I say

group "foo" do
gid 12345
action :create
end

to simply make sure the group exists so I can lay down files with that owner ship.

The problem is that definition in reality is saying not only make sure that the group exists but that there are no members.

If I have a later recipe that adds a user to that group then on the next run the original group resource will zero out the member list and all other resources on the group retrigger.

It makes sense to me that a group resource that does not specify any members should not take action on the members of a group which the bare group create does.

I know that you may not want to break backwards compat so maybe adding an attribute to the resource which prevents the zero out of the groups is the way to go.

I personally think the current behavior is wrong but my opinion and $2.75 gets you on the NYC subway system.

For now I am getting around this with not_if guards BTW

@danielsdeleo
Copy link
Contributor

Hey, this is good feedback, but not quite the right place. I'll copy your content over to Chef's issues if there's not already a bug report there.

@danielsdeleo
Copy link
Contributor

Issue moved to Chef.

@chef-boneyard chef-boneyard locked and limited conversation to collaborators Feb 14, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Development

No branches or pull requests

2 participants