Use PowerShell to Generate Chef Checksums

Hit an exciting milestone in my career today… Performance tuning a Chef cookbook! When we started to get serious about infrastructure automation, I never imagined how hard it was gonna be or how long it was gonna take. But here I am, finally caring how long my chef client runs are taking. The soft silhouette begins to appear in the way off distance… A vision of managed infrastructure. Clusters of machines talking to each other, taking ownership when leaders fail. Reporting back when something isn’t right or automatically adjusting to fit the demand. The possibilities are endless! We’re not quite there but we will be, I have no doubt.

So you wanna know how the performance tuning went? I took a chef client run down from around 5 minutes to under 30 seconds and it was stupid simple! So simple, I wanted to share it. Just adding checksum values to all of the remote_file, cookbook_file, windows_package, seven_zip_archive, and all the other resources where checksum is a property. At this point, if you’re thinking “well why wouldn’t you already have the checksum values?” then you’re probably not doing cookbook development on a Windows machine. To get a SHA-256 checksum value on Windows 7 (most every enterprise machine today)… you needed to use certutil. Look at this crap:

λ certUtil -hashfile desktop.ini SHA256
SHA256 hash of file desktop.ini:
aa 97 c6 bb 5c a4 e0 fb 64 60 3e ed ba de 3a 00 39 33 b6 e5 7a dc fa 57 e6 4b 7b a1 32 c5 4b cf
CertUtil: -hashfile command completed successfully.

What the Fxxx am I supposed to do with that!? Write some cmd/bat script to take out the spaces? Too lazy. Probably could do a PowerShell one-liner...

PS C:\_source\git> (certUtil -hashfile desktop.ini SHA256)[1].Replace(' ','')

Yea that would work. I'm lucky enough to be on Windows 10 so I have access to the v4+ Get-FileHash function. If you're on Windows 7 and haven't grabbed PowerShell v5 yet... seriously, go do it! This is how I did it with Get-FileHash:

PS C:\_source\git> (Get-FileHash Desktop.ini -Algorithm SHA256 | Select -ExpandProperty Hash).ToLower()

So that's it.. I went thru and generated checksum values for all the declared resources and I am very pleased with the results! It seems so obvious now and in hindsight all of our cookbook resources should have already included the checksum values. It wasn't too long ago where getting a new cookbook to run successfully in all of our environments was miracle enough. While iterating thru several re-writes, it never made sense to do the extra step. But now, with some cookbooks being applied every few minutes... this stuff matters!
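The two approaches above combined into one reusable function, as an added example that is not code from the original post. The function name Get-ChefChecksum and the sample file are assumptions made up for illustration; it uses Get-FileHash when the host has it, falls back to certutil otherwise, and rejects anything that is not a 64-character hex string before it can land in a cookbook.

```powershell
# Added example: returns the lowercase SHA-256 hex string for use in a
# resource's checksum property. Get-ChefChecksum is a hypothetical name.
function Get-ChefChecksum {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true,
                   ValueFromPipelineByPropertyName = $true)]
        [Alias('FullName')]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            $file = (Resolve-Path -LiteralPath $p -ErrorAction Stop).ProviderPath
            if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
                # PowerShell v4+ hosts
                $hex = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            } else {
                # Hosts without Get-FileHash: the second line of certutil
                # output is the hash (space-separated on Windows 7)
                $out = certutil -hashfile $file SHA256
                if ($LASTEXITCODE -ne 0) { throw "certutil failed for $file" }
                $hex = $out[1] -replace '\s', ''
            }
            $hex = $hex.ToLower()
            # Refuse error text or truncated output: exactly 64 hex characters
            if ($hex -notmatch '^[0-9a-f]{64}$') {
                throw "Unexpected hash output for ${file}: $hex"
            }
            New-Object PSObject -Property @{
                File     = Split-Path $file -Leaf
                Checksum = $hex
            }
        }
    }
}

# Constructed sample input: a 3-byte file containing "abc", whose SHA-256
# is the published FIPS 180 test vector, used here as a self-check.
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'chef-checksum-sample.bin'
[IO.File]::WriteAllBytes($tmp, [byte[]](0x61, 0x62, 0x63))
$r = Get-ChefChecksum -Path $tmp
if ($r.Checksum -ne 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad') {
    throw 'Self-check failed: hash does not match the known test vector'
}
# Emit a line ready to paste into a resource block
"checksum '$($r.Checksum)'  # $($r.File)"
Remove-Item -LiteralPath $tmp
```

Piping Get-ChildItem output into the function hashes every file in a directory in one pass, since the Path parameter also binds to each item's FullName property.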

On to the next challenge... Resolving cookbook dependency issues!

As always please feel free to comment below or reach out to me on Twitter (@nhudacin) with any questions. Happy coding!
