Non-standard Policy Locks get rebuilt on every chef push

[danielcbright]

Description

When using a non-standard policyfile lock json, every time a chef push is performed, the lock file gets rebuilt and thus gets a new Revision ID. The same behavior for a standard Policyfile.lock.json is not observed as it works as intended.

Here is some output:

# initial generation of lock file

base-policies/base-test/chef install pg_base.rb
Building policy pg_base
Expanded run list: recipe[base-test::default]
Caching Cookbooks...
Installing base-test >= 0.0.0 from path
Using      nginx     10.1.0
Using      ohai      5.3.0

Lockfile written to ..base-policies/base-test/pg_base.lock.json
Policy revision id: e2b3aee77089da447571f983914c981d7594acb0ae131f265fbe1523bc14848a

# initial push to Chef Infra Server (notice the revision ID has already changed)

base-policies/base-test/chef push dev pg_base.lock.json
Uploading policy pg_base (31e7b15855) to policy group dev
Using    nginx     10.1.0 (bf3272b0)
Using    ohai      5.3.0  (3ad58179)
Uploaded base-test 0.1.0  (bace9d33)

# second push to Chef Infra Server (it's changed again)

base-policies/base-test/chef push dev pg_base.lock.json
Uploading policy pg_base (d93feb8b5b) to policy group dev
Using    nginx     10.1.0 (bf3272b0)
Using    ohai      5.3.0  (3ad58179)
Uploaded base-test 0.1.0  (182406f4)

# and final

base-policies/base-test/chef push dev pg_base.lock.json
Uploading policy pg_base (bd01245c5a) to policy group dev
Using    nginx     10.1.0 (bf3272b0)
Using    ohai      5.3.0  (3ad58179)
Uploaded base-test 0.1.0  (a2126f62)

# Now I do the same with a "standard" lock file

base-policies/base-test/chef push dev Policyfile.lock.json
Uploading policy base-test (47ad04450a) to policy group dev
Using    nginx     10.1.0 (bf3272b0)
Using    ohai      5.3.0  (3ad58179)
Uploaded base-test 0.1.0  (96c50b28)

# Revision ID is the same

base-policies/base-test/chef push dev Policyfile.lock.json
Uploading policy base-test (47ad04450a) to policy group dev
Using    base-test 0.1.0  (96c50b28)
Using    nginx     10.1.0 (bf3272b0)
Using    ohai      5.3.0  (3ad58179)

# chef export seems to be a decent workaround for now

base-policies/base-test/chef export pg_base.lock.json ./output -a
Exported policy 'pg_base' to /Users/dbright/git/local/policyfiles/PFP/base-policies/base-test/output/pg_base-f986e10ca22356ed6cd86dd162a091ffc645f81203e8c818429b0cf7aa444d4d.tgz

# Revision ID stays the same

base-policies/base-test/chef push-archive dev output/pg_base-f986e10ca22356ed6cd86dd162a091ffc645f81203e8c818429b0cf7aa444d4d.tgz
Uploading policy pg_base (f986e10ca2) to policy group dev
Using    base-test 0.1.0  (96c50b28)
Using    nginx     10.1.0 (bf3272b0)
Using    ohai      5.3.0  (3ad58179)

# again

base-policies/base-test/chef push-archive dev output/pg_base-f986e10ca22356ed6cd86dd162a091ffc645f81203e8c818429b0cf7aa444d4d.tgz
Uploading policy pg_base (f986e10ca2) to policy group dev
Using    base-test 0.1.0  (96c50b28)
Using    nginx     10.1.0 (bf3272b0)
Using    ohai      5.3.0  (3ad58179)

Chef Workstation Version

Chef Workstation version: 20.7.96
Chef Infra Client version: 16.2.73
Chef InSpec version: 4.21.3
Chef CLI version: 3.0.11
Test Kitchen version: 2.5.3
Cookstyle version: 6.12.6

Platform Version

Mac OS/X also confirmed on: Centos 7/8

Aha! Link: https://chef.aha.io/features/SH-2705

[tyler-ball]

Thanks for filing this @danielcbright - by non standard do you just mean the name of the file is not Policyfile.rb?

[danielcbright]

@tyler-ball yes, exactly, if the name of the file is not Policyfile.rb.

[smackmybitsup]

We are about to refactor our Chef to use policyfiles that are delivered via Jenkins pipelines so it would be really nice to see this issue resolved.

[kmf]

@smackmybitsup I found these super useful https://github.com/chef-cft/chef-examples/tree/master/examples/pipelines

[marcparadise]

@danielcbright I think this was resolved in 20.9.136 with the cookbook-omnifetch change. I'm closing this, but please re-open if you're finding this still occurs.