We added these bits to one of our base cookbooks that gets applied to every node.
Because apt doesn't allow you to specify a minimum version for a package to be installed, I had to build an approximation of that logic in this recipe. Basically, we check whether the installed bash package version is less than the version specified in the node attributes for that platform. If and only if the installed version is less than the min_pkg_ver attribute, we notify apt_package[bash] to run the :upgrade action. That ought to prevent us from updating bash unnecessarily, while also ensuring that we are never running an unpatched bash.
(Also, a handy thing to note is execute[apt-get update]: that's using the apt cookbook to force an apt-get update to run immediately. If you don't do that, bash won't update until apt has updated AND this chef recipe runs again.)
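The "installed version is less than min_pkg_ver" guard described above depends on Debian version ordering, which plain string comparison gets wrong. The following is an added example, not the cookbook's own code: a simplified pure-Ruby port of that ordering, with hypothetical helper names and constructed sample versions.

```ruby
# Weight of one character in a non-digit run: '~' sorts first, then
# end-of-string or a digit, then letters, then all other characters.
def deb_order(c)
  return 0 if c.nil? || c.match?(/\d/)
  return -1 if c == '~'
  c.match?(/[A-Za-z]/) ? c.ord : c.ord + 256
end

# Compare one component (upstream version or Debian revision).
def deb_cmp_part(a, b)
  a = a.chars
  b = b.chars
  until a.empty? && b.empty?
    # Non-digit run: compare character by character using deb_order.
    while (a.first && !a.first.match?(/\d/)) || (b.first && !b.first.match?(/\d/))
      d = deb_order(a.shift) <=> deb_order(b.shift)
      return d unless d.zero?
    end
    # Digit run: compare numerically, so "10" sorts after "5".
    na = a.take_while { |c| c.match?(/\d/) }
    nb = b.take_while { |c| c.match?(/\d/) }
    a = a.drop(na.length)
    b = b.drop(nb.length)
    d = na.join.to_i <=> nb.join.to_i
    return d unless d.zero?
  end
  0
end

# Split "[epoch:]upstream[-revision]" into its three components.
def deb_parse(version)
  epoch, rest = version.include?(':') ? version.split(':', 2) : ['0', version]
  upstream, sep, revision = rest.rpartition('-')
  upstream, revision = rest, '' if sep.empty?
  [epoch.to_i, upstream, revision]
end

# Returns -1, 0 or 1, comparing epoch, then upstream, then revision.
def deb_compare(a, b)
  ea, ua, ra = deb_parse(a)
  eb, ub, rb = deb_parse(b)
  [ea <=> eb, deb_cmp_part(ua, ub), deb_cmp_part(ra, rb)].find { |c| c != 0 } || 0
end

# Guard from the recipe: upgrade only when installed < min_pkg_ver.
def bash_needs_upgrade?(installed, min_pkg_ver)
  deb_compare(installed, min_pkg_ver) < 0
end

# Constructed sample versions, not the real patched bash versions.
MIN_PKG_VER = '4.3-7ubuntu1.5'
%w[4.3-7ubuntu1.1 4.3-7ubuntu1.5 4.3-7ubuntu1.10].each do |installed|
  puts "#{installed}: upgrade=#{bash_needs_upgrade?(installed, MIN_PKG_VER)}"
end
```

The third sample is the case a string comparison misjudges: "1.10" sorts before "1.5" as text but is the newer package. On a real node, dpkg --compare-versions gives the authoritative answer.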