We use the default recipe for this cookbook, and because hosts are only ever added via the ssh_known_hosts_entry provider, old nodes that have been removed from the chef server are never removed from the known_hosts file.
In addition, when building the known hosts file, the provider must do a regex scan, and then a file write and replace for every new host that's added. This causes the chef run to slow down considerably when there are a few hundred hosts in the file.
There should be an attribute flag that allows the recipe to completely replace the ssh_known_hosts file every time chef runs, with only keys that are currently in chef, and without doing a regex search.
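As an added illustration of the two strategies the issue contrasts (this is example code written for this page, not the cookbook's own provider or recipe, and the function names, the inventory hash and the placeholder keys are all constructed): the per-entry approach rescans the whole file with a regex and rewrites it for every host, and never drops hosts that left the Chef server, whereas rendering the file from the current inventory is a single pass that also removes stale entries.

```ruby
# Example only: two ways to manage an OpenSSH known_hosts file from a
# Chef-style inventory of host => key. Not the cookbook's own code.

# Constructed sample inventory standing in for what a Chef search would
# return today. Key material is placeholder text, not real public keys.
INVENTORY = {
  'web1.example.com' => 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexampleweb1',
  'db1.example.com'  => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABexampledb1',
}.freeze

# Per-entry strategy (the behaviour the issue describes): for one host,
# scan the current file content with a regex, replace the matching line
# or append a new one, and hand back the full content to be written.
# Every host added costs a scan of the whole file, and a host that is
# present in the file but absent from the inventory is never touched.
def upsert_entry(content, host, key)
  line = "#{host} #{key}"
  # Match "host ..." or "host,ip ..." at the start of a line.
  pattern = /^#{Regexp.escape(host)}[ ,].*$/
  if content.match?(pattern)
    content.sub(pattern) { line }          # block form: no backreference expansion
  elsif content.empty?
    "#{line}\n"
  else
    "#{content.chomp}\n#{line}\n"
  end
end

# Apply upsert_entry once per inventory host, as a per-host provider would.
def build_incrementally(existing, inventory)
  inventory.reduce(existing) { |content, (host, key)| upsert_entry(content, host, key) }
end

# Full-rewrite strategy (what the issue asks for): render the entire file
# from the current inventory in one pass. No regex scan of the old file,
# and hosts that are no longer in Chef simply do not appear.
def render_known_hosts(inventory)
  inventory.sort.map { |host, key| "#{host} #{key}\n" }.join
end

# Parse known_hosts content back into host => key so results can be checked.
def parse_known_hosts(content)
  content.each_line.with_object({}) do |raw, acc|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    host, key = line.split(' ', 2)
    acc[host] = key
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed "old" file containing a host that has since left Chef.
  stale = "old1.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABexampleold1\n"
  puts "incremental keeps stale host: #{parse_known_hosts(build_incrementally(stale, INVENTORY)).key?('old1.example.com')}"
  puts "full rewrite keeps stale host: #{parse_known_hosts(render_known_hosts(INVENTORY)).key?('old1.example.com')}"
end
```

In a recipe, the rendered string would go straight into a `file '/etc/ssh/ssh_known_hosts'` resource's `content`, so Chef only writes when the rendered text differs from what is on disk. The one caveat of the full-rewrite approach is that any entry added to the file by hand (or by another tool) is dropped on the next run, which is exactly the behaviour the proposed attribute flag should make opt-in.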