How to uninstall stale(or old packages) that are not in the cookbook with Chef and maintain integrity?

Question

We seem to have installed 'expect' package long time back via some old cookbook. Currently, we install 'pexpect' these days via updated cookbook. And the 'expect' package is still available on the system that I don't want.

rpm -qa | grep expect
expect-5.45
pexpect-2.3

Most of the cookbooks maintain their tests, but we don't do tests on what shouldn't be there, or packages that might cause a system to deviate.

I also understand that if we installed a package with a cookbook, I would hope we added a resource to remove that package as well.

Is there an easy way that ohai or some other techniques(best practices) that can determine the version deviations and stale packages and report back or perhaps trigger package removal process?

Answer 1

Your cookbooks and recipes are making declarations about what certain resources on your system should look like, some declarations being things that should be there and others that should not be there. However, there are lots of things about which your cookbooks don't care. For instance, even if you install some users with the user resource, you're not signing up to manage all of the users in /etc/passwd (assuming you have a *nix host).

So, if your cookbooks don't mention expect at all, then it means you don't care whether it's installed. If it is important for your system not to have expect installed, then you should :remove the package.

Your cookbook shouldn't assume that it's the only reason that a given package is installed, so it's not always the right thing to do to uninstall a package that it installed previously.

Finally, trust the packaging system. If pexpect can't operate on a host where expect is installed, then it should declare that it either conflicts or obsoletes expect.

Answer 2

Point is you should not really care, if the system has some additional packages installed whether manually or through an older automation, until they start interfere with your processes. In this case, when several things provide one and the same functionality, your cookbook that installs pexpect, should also remove the interfering package expect.

Hardly there exist some techniques that find the deviations from the recipes, because the initial system may have been configured differently. At the same time you do not really need those, because if you have your system configured automatically, you can just drop the existing machine (reinstall clean OS) and apply the recipes to get it up to date.