Running Chef in the background on Windows
// Chef Blog
One of the most common sets of questions we hear regarding running Chef on Windows surrounds how to run Chef continuously as a background process. There are two primary methods to do this on Windows:
- Windows Service Manager
- Windows Task Scheduler
Either can get the job done and both are supported and will continue to be supported. The choice you make here will impact the amount of friction you encounter administering the Chef client, but before I give you our opinion on which technology to use, let's explore both options.
Windows Service Manager
When it comes to running Windows applications in the background, I think most people are accustomed to managing them via the Windows Service Manager. SQL Server and IIS are a couple of key examples of applications that run as services. These services run 24/7. They are always listening for requests from the outside, maintaining internal state and exposing multiple endpoints for querying and manipulating this state. These applications are truly alive at all times and must remain so. Their sophistication lies in their unique application code or internal service logic, not in the service manager. Nearly all the service manager provides is a means to start, pause and stop the service. That's all.
Windows Task Scheduler
Then there are other background operations: System Restore, File History, Windows Backup, Google updater, and dozens of other critical tasks that either run on a set schedule or are triggered by specific events. These programs do not listen for connections from other applications. They just need to do their thing when it is time and then do absolutely nothing the rest of the time. These are tasks that live in the Windows Task Scheduler. Many of these tasks are critical to Windows being able to maintain a healthy state, but they expose no knobs to the administrator. However, the task scheduler itself does expose a fair number of options and flexibility in controlling when and how often these tasks run.
Which to choose
So now let's think about where the Chef client falls. It sure seems like more of a task by nature. It doesn't wait for connections from other programs. Once it starts, it simply runs until the run list completes. It does not run continuously. Furthermore, as an administrator, one wants firm control over when and how often the Chef client runs. This is where running the Chef client as a scheduled task shines, and it's also where running the Chef client as a service can become quite painful.
So now I'll just say it:
Run the Chef client as a scheduled task
- More control over scheduling. The scheduled task API makes it very straightforward to set a variety of schedule types and change them at any time.
- More visibility into the current state of the task. You can see if it is running the client, when it last ran and the exit code it last ended with.
- Easier to upgrade the Chef client. When the client is not running, there is nothing else running – holding and locking up resources that prevent the client from upgrading.
- More reliable – If the Chef service fails to start on node boot-up, perhaps because of one of the many issues a Windows node can encounter just after startup, that node may never run the client, and you must then manually intervene to revive it.
- Less prone to memory leaks – As a service, the same Ruby process runs for the lifetime of the service. If resources are consumed and not released, either in low-level Ruby code or in the Chef implementation, the Ruby process memory footprint may balloon until the service is restarted.
- Log Rotation – The Chef client log file has a constant lock maintained by the code running under the service manager. You simply cannot rotate the logs while the service is running.
Configuring the Chef client to run as a scheduled task
There are two recommended ways to get the Chef client running as a scheduled task.
Task recipe of the Chef-Client cookbook
This recipe can create a scheduled task for running the Chef client and it can also modify an existing task schedule. Setting these node attributes controls how the task recipe configures the scheduled task:
- node['chef_client']['task']['frequency'] - Frequency with which to run the chef-client scheduled task (e.g., 'hourly', 'daily', etc.). Default is 'minute'.
- node['chef_client']['task']['frequency_modifier'] - Numeric value to go with the scheduled task frequency. Default is node['chef_client']['interval'].to_i / 60.
- node['chef_client']['task']['start_time'] - The start time for the task in HH:mm format. If the frequency is minute, the default start time will be Time.now plus the frequency_modifier number of minutes.
- node['chef_client']['task']['user'] - The user the scheduled task will run as, defaults to 'SYSTEM'.
- node['chef_client']['task']['password'] - The password for the user the scheduled task will run as, defaults to nil because the default user, 'SYSTEM', does not need a password.
Chef client MSI installer options
As of Chef 12.18, you can have Chef installed as a scheduled task, either as an option in the MSI "wizard" or as a command-line option to msiexec when installing the Chef client MSI:
msiexec /qn /log 'c:/chef/log.txt' /i 'chef-installer.msi' ADDLOCAL='ChefClientFeature,ChefSchTaskFeature'
This creates a scheduled task that runs the Chef client every 30 minutes. You can later change this interval via the chef-client cookbook mentioned above.
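Once the task exists, the visibility mentioned earlier (state, last run time, last exit code) can be checked from PowerShell. The script below is an added example, not part of the original post or of the Chef project; it assumes the task is named 'chef-client' and uses the 30-minute interval stated above, and it also reports the run-as account and command line so that changes to either stand out.

```powershell
# Added example: audit the scheduled task that runs the Chef client.
# Assumed values: task name 'chef-client', 30-minute interval (as stated for the MSI task).
param(
    [string]$TaskName = 'chef-client',
    [int]$IntervalMinutes = 30
)

$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $task) {
    Write-Warning "No scheduled task named '$TaskName' was found."
    exit 2
}
$info = $task | Get-ScheduledTaskInfo
$findings = @()

if ($task.State -eq 'Disabled') {
    $findings += 'Task is disabled, so the client never runs.'
}

# 0 = success, 267009 (0x41301) = currently running, 267011 (0x41303) = not yet run.
$benignResults = 0, 267009, 267011
if ($info.LastTaskResult -notin $benignResults) {
    $findings += "Last run ended with exit code $($info.LastTaskResult)."
}

# A node whose client has silently stopped converging shows up as a stale LastRunTime.
$staleBefore = (Get-Date).AddMinutes(-2 * $IntervalMinutes)
if ($info.LastRunTime -lt $staleBefore) {
    $findings += "Last run was $($info.LastRunTime); expected one every $IntervalMinutes minutes."
}

# Report the account and command line so a change to either is visible in review.
[pscustomobject]@{
    TaskName   = $task.TaskName
    State      = $task.State
    RunAs      = $task.Principal.UserId
    Command    = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    LastRun    = $info.LastRunTime
    LastResult = $info.LastTaskResult
    NextRun    = $info.NextRunTime
    Findings   = $findings -join ' '
}
if ($findings.Count -gt 0) { exit 1 }
```

The script exits with 0 when the task looks healthy, 1 when there are findings and 2 when the task is missing, so a monitoring agent can act on the exit code alone.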
Can I still run as a Windows Service?
You can. Most who choose to run as a Windows service fall into one of three camps:
- Running as a service seemed the obvious choice since most of their other background applications run as a service and historically that was the only unattended execution option exposed by the Chef client MSI installer.
- There has been an investment in Server monitoring infrastructure optimized for monitoring Windows services.
- The user is following antiquated security guidance recommending that the task scheduler should be disabled. Microsoft now advises users not to disable the task scheduler.
We understand that sometimes for your environment, which you know best, running as a Windows service may be the right option at the present time. We continue to support running the Chef client as a service but our experience working with many customers has proven that a scheduled task provides the best experience for running Chef in the background on Windows.
Afterwards – Cafe
Just as this post was authored, Michael Hedgpeth introduced a new project, cafe, to address many of the above-mentioned friction points of running Chef as a service on Windows. The project is young but definitely worth keeping an eye on!