|
OverviewA role provides a means of grouping similar features of similar nodes, providing a mechanism for easily composing sets of functionality.At web scale, you almost never have just one of something, so you use roles to express the parts of the configuration that are shared by a group of Nodes.
|
 | Roles work with chef-solo too! You can use Roles with Chef Solo as well as the Client/Server. See the Chef Solo documentation. |
Choose Your WorkflowThere are two workflows you can use to manage your roles: you can either write your roles as ruby or JSON files and push them to the server, OR you can create roles with Knife or the Open Source Chef Server Management Console and edit them as you go along. If you create and edit roles by editing files:
If you create and edit roles with Knife and the Open Source Chef Server Management Console:
These workflows are mutually exclusive:
The Ruby DSLRoles created through this mechanism get compiled to JSON, and then are loaded in to the Chef Server. (We never execute ruby code directly on the chef server!) Each time you rake install your Chef Repository, we will re-compile the corresponding JSON and store it in the chef server. You should create these files in the 'roles' subdirectory of your chef repository - if you are using the opscode canonical Chef Repository as a baseline, the latest version includes this directory and rake tasks to manipulate roles as documented on the repository page. If your repository doesn't have this directory, create it now. Each DSL file should have a .rb suffix. A complete role file looks like this: A Very Simple Web Server Role
The Web Server Role We'll go over each section below. nameEach role must have a unique name, which is made up of [A-Z][a-z][0-9] and [_-]. Spaces are not allowed. name field descriptionA short description of what functionality is covered by this role. description field run_listThe recipes attribute is replaced with a run_list, which is identical to the one you specify for Node. This is the list of recipes or roles to apply for this role, in the order they should be applied. recipes Would apply the "apache2" recipe, the "apache2::mod_ssl" recipe, and then anything required by the role "monitor". Note: You may also see recipes used in place of run_list. These are equivalent in function, though recipes is deprecated, so you should use run_list instead. env_run_lists
In Chef 0.10.x, per environment run lists in a role allow you to specify a different run list for a role if the role is in the run list of the node in a specific environment. Before the existence of environments, each role has only one run list and it will be expanded and applied to the node when chef-client runs. With environments, in the role you can specify one run list for each environment, such as: per environment run lists If you do not specify a per environment run list for a certain environment, such as "production" and "preprod" in the above example, chef will use the default run list (like before). If it is the default run list that you desire, there is no need to specify it. Environments has an additional example, based in the JSON format that would be used for interacting directly with the REST API. default_attributesAn optional set of attributes that should be applied to all nodes with this role, assuming the node does not already have a value for that attribute. Use this to set site-wide defaults that can be overridden on a node-specific basis. The merge is 'deep', meaning that we will preserve nested attributes properly. default_attributes In the above example, all nodes with this role would have node[:apache2][:listen_ports] set to '80' and '443', assuming they do not already have a value. If more than one role attempts to set a default value for the same attribute, the last role applied will win. override_attributesAn optional set of attributes that should be applied to all nodes with this role, regardless of whether a node already has a value for that attribute. Useful for setting site-wide values that will always be set. The merge is 'deep', meaning that we will preserve nested attributes properly. override_attributes In the example above, node[:apache2][:max_children] will always be set to '50'. If more than one role attempts to set an override value for the same attribute, the last role applied will win. The parameters in role .rb files are actually Ruby method calls, so you can add parentheses and provide the attribute hashes on separate lines for clarity if specifying numerous or deeply-nested attributes: Overriding Nested Attributes Multiple attributes can be overridden like this: Overriding Multiple Attributes As JSONThe JSON format for roles maps directly to the Ruby DSL above. For the role we describe in that section, the corresponding JSON is: The two additional fields are described below. json_classThis should always be set to Chef::Role. chef_typeThis should always be set to role. Managing Roles through KnifeKnife is Chef's command line tool. Roles can be managed through Knife. Please refer to Managing Roles With Knife for how this is done. Managing Roles through the Open Source Chef Server Management ConsoleYou can create and manage roles through the Open Source Chef Server Management Console. Please refer to the Managing Roles through the Management Console articles for information about this topic. The REST APIYou can also create and manage roles directly in a running Chef Server via the REST API. Please refer to the Server API article for information.
|
|
|
11 Comments
comments.show.hideJun 08, 2009
Thorsten
I like the idea of roles, but I can't quite wrap my mind around some of the implementation here. There seems to be a global roles namespace (actually "global" isn't really defined either). Also, why do you put a role spec into a cookbook? I'd expect most roles to straddle cookbooks (else might as well create a recipe). In the end, which roles exist in the role namespace when a node starts? All this seems very ill-defined.
On implementing roles, how would the following differ from what you describe? Create a "roles" cookbook. Create a recipe for each role. The recipe munges the attributes (to implement the default/override) and then includes each recipe used for the role in turn. Is what you propose different? Is is syntactic sugar? Does it have different semantics?
Jun 08, 2009
Adam Jacob
The roles are not tied to cookbooks - they are totally separate entities (and have their own namespace entirely.) Roles definitely straddle cookbooks. The 'roles' directory we talk about above is a top-level item in the chef-repo:
/roles
/cookbooks
/site-cookbooks
And so on.
You could get similar functionality from using a 'roles' cookbook, in that you can have a recipe that performs an 'include_recipe' for each, and attribute files that implement something akin to default/override. The role concept is a higher-level abstraction, in that it exists outside of a given cookbook, can be distributed on it's own, and can be used to reason about the set of included recipes that will be run on the node (we'll still miss things that are dynamically included, but the final recipe list is still easier to grok if you compose it via roles.)
Jun 08, 2009
Thorsten
Ah, I missed that the roles dir is at the top of the repo, not the cookbook. Thanks for clarifying. I'm still not entirely clear on the roles namespace. The cookbook namespace is defined by the search path through repos (or directories). Is the roles namespace similarly defined?
Jun 08, 2009
Thorsten
Another question your role ruby DSL brought up is what "rake install" does. I haven't looked into it, but it seems to actively push data to a specific chef server. That seems to conteract the ability to publish cookbook libraries on github or similar public access repositories. It seems to me that a chef server should always extract information from files in the cookbook, and if a cookbook is updated, we may want to have ways to ping a chef server (or multiple) but that they should then come back and actively fetch the updated content. At least that's the way we've been planning to operate.
Jun 08, 2009
Adam Jacob
See above for your question about roles/cookbooks. When you run 'rake install', we create JSON representations of the role, and then load that in to the chef-server (in the same way you would by using the REST API, basically.) You can absolutely bring in the role data from external sources (eventually, this would be one of the things you can do with a shared community website.)
Feb 15, 2010
Chris Adams
This may seem obvious to most, but it just bit me now, and error logs weren't immediately obvious to me, simply returning a "Failed loading ChefServerSlice (409 "Conflict")" error.
When loading in roles from the filesystem, a role's filename (without the filetype extension) and the role name inside the file must be the same, so example_server.json must have the name value listed like so: "name": "example_server".
The first role with a mismatching name/filename combo will stop the subsequent roles being loaded, even if their names do match up as required.
Jul 29, 2010
Michael Leinartas
A syntax comment - It was unclear to me how to override multiple attributes using the Ruby DSL. After a bit of experimentation, I updated the docs above with an example. It works but seems a bit weird to me - you're making a hash without the open and close braces where the first key needs to be on the same line as the "override_attributes" method (I assume it's the same with default_attributes).
Has there been any though on changing the syntax to match that in the attributes files?
e.g. override[:apache2][:max_children] = "2"
Dec 02, 2010
Ches Martin
This is just plain Ruby, but Ruby's flexibility makes it a little confusing if you're not used to it. override_attributes is a method call, and Ruby allows you to omit parentheses and also pass a hash as the final parameter to a method without surrounding it in braces if it's not ambiguous to the parser. In other words, you could add parens and write your example something like this if you find it clearer (I do):
I'll update your example in the wiki, since it seems like the next commenter has a similar question.
Dec 02, 2010
Robert J. Berger
I agree with Michael Leinartas. I find that I have to create a superfluous cookbook to go with some roles just so I can use the cookbook style attribute. In many cases I want to have one attribute combine earlier attributes, like building paths, or like:
set[:users][:sudoers]=%w(foo bar)
set[:users][:login_names] = users[:sudoers] + %w(buz joe)
(Noticed that my markup was wrong and my intent wasn't being shown. Fixed now)
Dec 02, 2010
Ches Martin
I've just updated the text and examples following my comment to Michael above – see if that helps for your desired use case
Dec 02, 2010
Robert J. Berger
Ches, that clarifies some things, but not as far as I can tell, my question which is can I avoid having to create a matching cookbook/recipe to be able to build up attributes in a role from elements of other attributes that are also part of the override_attributes method.
I presume I can not say:
Is there a way to accomplish something like that (use an attibute tha was defined earlier in the same override_attributes method) within a role file?