Simplify and improve chef attribute handling

Set the attributes in a Ruby file under /etc/chef/client.d/ instead of
editing /etc/chef/client.rb
Now uses the new whitelist attribute:
https://docs.chef.io/client/19/cookbooks/attributes/attribute_persistence/

Local chef config also uses the same file. That means there is no longer
a need to use the sanitize script to remove override and default
attributes from nodes.
This commit is contained in:
2026-07-11 17:24:45 +02:00
parent 736d4effa4
commit 1759af98b8
4 changed files with 32 additions and 76 deletions
@@ -0,0 +1,8 @@
allowed_automatic_attributes ["fqdn", "os", "os_version", "hostname",
"ipaddress", "roles", "recipes", "ipaddress",
"platform", "platform_version", "cloud",
"cloud_v2", "chef_packages", "zerotier"]
allowed_default_attributes []
allowed_override_attributes []
allowed_normal_attributes ["knife_zero", "kosmos_kvm", "kosmos-ejabberd",
"openresty", "vm_host"]
@@ -1,6 +0,0 @@
---
- knife_zero
- kosmos_kvm
- kosmos-ejabberd
- openresty
- vm_host
+22 -48
View File
@@ -2,57 +2,31 @@
# Cookbook Name:: kosmos-base
# Recipe:: default
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
ruby_block "cleanup client.rb" do
block do
fe = Chef::Util::FileEdit.new("/etc/chef/client.rb")
# Delete old attributes, replaced by allow_*_attributes
fe.search_file_delete_line(/^.*_attribute_whitelist.*/)
fe.write_file
end
end
cookbook_file "/etc/chef/client.d/attributes.rb" do
source "chef_attributes.rb"
mode "0644"
notifies :create, "ruby_block[reload_client_config]", :immediately
end
ruby_block "reload_client_config" do
block do
Chef::Config.from_file("/etc/chef/client.rb")
end
action :nothing
end
include_recipe "apt"
cookbook_file "/etc/chef/chef_normal_attributes.yml" do
source "chef_normal_attributes.yml"
owner "root"
group "root"
mode "0644"
end
ruby_block "update allowed_normal_attributes in client.rb" do
block do
whitelist = YAML.load_file("/etc/chef/chef_normal_attributes.yml")
fe = Chef::Util::FileEdit.new("/etc/chef/client.rb")
fe.search_file_replace_line(
/^allowed_normal_attributes.*/,
"allowed_normal_attributes #{whitelist.inspect}"
)
fe.write_file
Chef::Config[:allowed_normal_attributes] = whitelist
Chef::Config[:normal_attribute_allowlist] = whitelist
end
not_if do
whitelist = YAML.load_file("/etc/chef/chef_normal_attributes.yml")
client_rb = ::File.read("/etc/chef/client.rb")
whitelist.all? { |attr| client_rb.include?(attr) }
end
end
directory "/etc/apt/keyrings" do
mode "0755"
action :create