The Chef Win Series is a response to: "How has Chef changed our operations for the better, in the past 2 years since our shop adopted it?" Here is one example:

If you've been in IT very long, you've been burned by binaries changing underneath you while you are working. It could be a Ruby update, or "DLL Hell" as we used to call it in the old client-server days. Or it could be JAR hell in Java, where a new binary slips in and the JVM changes behavior underfoot.

When an underlying binary changes and breaks your app, you have no idea which of the dozens of binaries it is, or how to restore it to a working version. In many respects, you're simply effed.

When you're building machines by hand, the process is already so cumbersome that you just have to accept the risks associated with changing binaries. With any luck, you remember where you put all the "proven" binaries. But it's all by hand.


Sidebar: there is a reference called 12factor that spells out the dangers of this and many related issues, and prescribes a systematic approach for dealing with them.


Unexpected Win: Locked Binaries

Here's what happened to us when we began using Chef.

Because we're not doing things manually, everything is code, right? What that means is we quite literally lock in our binaries, in code. Big win! If we mean "go get the Java JRE", we don't say "go get the Java JRE". We say "go get jdk-7u75-linux-x64.tar.gz" and we get exactly what we want, not some close approximation. Niiice.

Unexpected Win: Locked and Loaded

Aha! You point out that, even though we put no effort into this happy and serendipitous fix, there is still one potential problem. Someone could insert a new binary, name it the same, and when we go get it from a remote server we don't control, we retrieve a different binary! Foiled!

Don't give up so easily. Copy your binaries to your own static server - the simplest static Apache server will work. Do your remote fetch from there. Problem solved.

Or go one step further, and fetch remote to local on the first hit. Now when you build a new box, you're sped up by a large factor. Especially nice for fast, bulletproof client demos. Recommended.
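The two steps above in working code, as an added example that is not from the original post: a small cache that fetches the pinned filename from your own static server on the first hit, serves it locally afterwards, and verifies a recorded SHA-256 on every hit so a same-named swap is rejected rather than installed. Chef's own `remote_file` resource does the equivalent with its `source` and `checksum` properties; the fetcher callable and the digest values here are stand-ins so the code runs offline.

```ruby
require 'digest'
require 'fileutils'

# A pinned artifact: the exact filename plus the SHA-256 recorded when the
# binary was proven good. The digest is supplied by whoever builds the pin.
PinnedBinary = Struct.new(:name, :sha256)

class BinaryCache
  class ChecksumMismatch < StandardError; end

  # fetcher: callable taking a filename and returning its bytes, e.g. an HTTP
  # GET against your own static Apache server. Injected so this runs offline.
  def initialize(cache_dir, fetcher)
    @cache_dir = cache_dir
    @fetcher = fetcher
    FileUtils.mkdir_p(cache_dir)
  end

  # Returns the local path of a verified copy of the pinned binary.
  # First hit: fetch remote -> local. Later hits: served from the cache.
  # Every hit re-checks the digest, so a tampered cache file is caught too.
  def fetch(pin)
    path = File.join(@cache_dir, pin.name)
    File.binwrite(path, @fetcher.call(pin.name)) unless File.exist?(path)

    actual = Digest::SHA256.file(path).hexdigest
    unless actual == pin.sha256
      # Don't leave the bad file where the next build would happily reuse it.
      File.delete(path)
      raise ChecksumMismatch, "#{pin.name}: expected #{pin.sha256}, got #{actual}"
    end
    path
  end
end
```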


Last year "delight" was the big Chef marketing mantra. Locked binaries, after a career of fighting this problem, are worthy of that mantra.

I'm going to go out on a limb here and cite this as an example of how easy it is to misunderstand the value of a powerful platform such as Chef. If it only had two features, and one of them was locked binaries, users might make a big deal about it - "because I really need that feature badly".

But when you have a super powerful platform that does so many things, you might actually become less enthusiastic about that one feature - even though it really is important to you. It just gets lost in the huge array of cool and simply necessary features. Psyche!