Using Policyfile

Knife-Zero supports Policyfile.

Requirements

Strategy

If you are using a Policyfile with Knife-Zero, choose one of the following two approaches.

Case: Use chef export.

Add the following to knife.rb.

use_policyfile true
versioned_cookbooks true
policy_document_native_api false

Workflow

First, reflect the contents of the Policyfile to Chef-Repo.

  1. Run chef install or chef update to create Policyfile.lock.json.
  2. Run chef export ./ -f to update the following directories in your Chef-Repo.
    • cookbooks/
    • data_bags/policyfiles/
    • policies/
    • policy_groups/

Bootstrap

Use --policy-name with zero bootstrap.

$ knife zero bootstrap HOST_NAME --policy-name POLICY_NAME -N NODE_NAME

For example, it will add the following to client.rb when --policy-name build is passed.

use_policyfile true
versioned_cookbooks true
policy_document_native_api true
policy_name build
policy_group local

Converge

Running zero converge is unchanged.

$ knife zero converge "QUERY"

Pass -n/--named-run-list to use a named run list.

$ knife zero converge "QUERY" -n NAMED_RUNLIST

Tighter Integration

If you want to be sure the latest Policyfile is applied every time, append the following to knife.rb.

knife[:before_bootstrap] = 'chef update && chef export ./ -f'
knife[:before_converge]  = 'chef update && chef export ./ -f'

Case: Use combination of knife serve and chef push

Add the following to knife.rb.

use_policyfile true
versioned_cookbooks true
policy_document_native_api false
chef_server_url "http://localhost:8889"  # for `chef push`

Workflow

First, launch a local Chef Zero. This is only necessary when you manage policies with the chef command, such as chef push or chef show-policy.

$ knife serve
Serving files from:
repository at /Users/sawanoboriyu/worktemp/knife-zero_policy
  Multiple versions per cookbook

>> Starting Chef Zero (v4.5.0)...
...

Open another terminal, then run chef push with a specific group name.

$ chef push -c knife.rb mygroup policies/mypolicy.rb

After the push, terminate knife serve so the local server is not left running.

Bootstrap

Use --policy-name and --policy-group with zero bootstrap.

$ knife zero bootstrap HOST_NAME --policy-name POLICY_NAME --policy-group POLICY_GROUP_NAME -N NODE_NAME

For example, it will add the following to client.rb when --policy-name mypolicy and --policy-group mygroup are passed.

use_policyfile true
versioned_cookbooks true
policy_document_native_api true
policy_name mypolicy
policy_group mygroup

Converge

Running zero converge is unchanged.

$ knife zero converge "QUERY"

Pass -n/--named-run-list to use a named run list.

$ knife zero converge "QUERY" -n NAMED_RUNLIST
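As an added example (not part of Knife-Zero or this page), the following Ruby script reads a Policyfile.lock.json and checks that the default run_list and every named run list (the ones -n/--named-run-list selects) only reference cookbooks pinned in cookbook_locks, so an unpinned recipe is caught before a converge. The lock file content is a constructed sample containing only the keys the check uses.

```ruby
require 'json'

# Constructed sample Policyfile.lock.json (not from the page); only the
# keys this check uses are filled in. Identifiers are placeholders.
SAMPLE_LOCK = <<~JSON
{
  "revision_id": "PLACEHOLDER_REVISION_ID",
  "name": "mypolicy",
  "run_list": ["recipe[base::default]", "recipe[app::web]"],
  "named_run_lists": {
    "deploy": ["recipe[app::deploy]"],
    "audit":  ["recipe[compliance::default]"]
  },
  "cookbook_locks": {
    "base": {"version": "1.2.0", "identifier": "PLACEHOLDER_ID_BASE"},
    "app":  {"version": "0.4.1", "identifier": "PLACEHOLDER_ID_APP"}
  }
}
JSON

# Returns the cookbook name referenced by a run-list item such as
# "recipe[app::web]" or "recipe[app]"; nil for roles or malformed items.
def cookbook_of(item)
  m = item.match(/\Arecipe\[([^:\]]+)(?:::[^\]]+)?\]\z/)
  m && m[1]
end

# Checks the default run_list and every named run list against
# cookbook_locks. Returns a Hash of run-list name => array of items whose
# cookbook is not pinned; an empty Hash means everything is pinned.
def unpinned_run_list_items(lock_json)
  lock = JSON.parse(lock_json)
  pinned = lock.fetch('cookbook_locks', {}).keys
  lists = { 'default' => lock.fetch('run_list', []) }
  lists.merge!(lock.fetch('named_run_lists', {}))
  lists.each_with_object({}) do |(name, items), problems|
    bad = items.reject { |i| pinned.include?(cookbook_of(i)) }
    problems[name] = bad unless bad.empty?
  end
end

if __FILE__ == $0
  path = ARGV[0] || 'Policyfile.lock.json'
  json = File.exist?(path) ? File.read(path) : SAMPLE_LOCK
  problems = unpinned_run_list_items(json)
  puts(problems.empty? ? 'all run lists are pinned' : problems.inspect)
end
```

A check like this can be run ahead of chef export in the knife[:before_converge] hook so that a named run list referencing an unpinned cookbook never reaches a node.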