Chef: How do I override default attributes in roles?

chef-infra
Milan Novota picture Milan Novota · Aug 27, 2012 · Viewed 32.8k times · Source

I'm using the opscode nginx cookbook for configuring the nginx server on my nodes. The nginx cookbook has some default attributes I'd like to override in my role ("web_server").

These are the attributes I'd like to override:

default['nginx']['version'] = "1.2.2" # in cookbooks/nginx/attributes/default.rb
default['nginx']['source']['prefix'] = "/opt/nginx-#{node['nginx']['version']}" # in cookbooks/nginx/attributes/source.rb

In my roles/web_server.rb file I have something like this:

name "web_server"
description "Setup a web server"
run_list "role[base]", "recipe[nginx]"
override_attributes 'nginx' => {
  'install_method' => "source",
  'version' => "1.2.3",
  'source' => { "prefix" => "/opt/nginx", "checksum" => nil }
}

However, when running the chef-client the nginx recipe ignores my overrides and uses the default ones.

What am I doing wrong here?

Thanks!

Answer

andrewdotn picture andrewdotn · Aug 26, 2016

According to the Chef Attribute Preference document, this should work:

name "web_server"
description "Setup a web server"
run_list "role[base]", "recipe[nginx]"
default_attributes 'nginx' => {
  'install_method' => "source",
  'version' => "1.2.3",
  'source' => { "prefix" => "/opt/nginx", "checksum" => nil }
}

You shouldn’t use override_attributes in roles. Once you start using overrides instead of defaults, you’ll quickly end up finding you’ve used the strongest possible override and have no further way to override it. Use default_overrides instead.

The precedence rules around attributes, using only the default level are actually pretty same:

  1. If there is one, the attribute from the role is used, e.g., require_two_factor_auth is forced to true with default_overrides in role[single_sign_on], even in QA
  2. If there is one, the attribute from the environment is used, e.g., require_two_factor_auth is forced to true in production
  3. If there is one, the attribute from the recipe is used, e.g., require_two_factor_auth is set to true in auth::two_factor
  4. Finally, the sane default attribute from the default attribute file is used, e.g., require_two_factor_auth = false

However, it’s extremely unusual for the same attribute to be set in all four of those places, though. If the correct value of the attribute really depends on the recipe and the role and and the environment, then usually the resulting value combines features of all three, and a different attribute is set at each level and combined in the recipe.

If this isn’t working, two possibilities are:

  • Edited role not uploaded to server
  • Overriding run list with chef-client -o "recipe[nginx]" instead of chef-client -o role[web_server] or plain chef-client

If that’s not the case, please provide more detail. I use this all the time and it’s always worked, and I’d be concerned if there were edge cases where this does not behave as documented.

Related questions

How to move/copy files locally with Chef

I haven't yet come across a Chef resource that will copy/move files locally. For example, I want to download jetty hightide and unzip it. Once done, copy all the files into a particular folder, like this: # mv /var/tmp/…

Read More
Overriding attributes in the recipe

Let's say I have a default attribute in a cookbook: default.nginx_upstreams = { 'service1' => ['service1.server.com'], 'service2' => ['service2.server.com'], } Then it gets modified and overridden in roles and environments until it finally gets to …

Read More
Which special characters need escaping in a solr query?

Update: I think this question has to do with solr syntax in general, and not Chef in particular. So while I ran into this working with Chef, I presume that anyone working with Solr will also experience this... I'm working …

Read More