chef introductory workshop
TRANSCRIPT
-
7/23/2019 Chef Introductory Workshop
1/224
[email protected]://opscode.com/training
-
7/23/2019 Chef Introductory Workshop
2/224
-
7/23/2019 Chef Introductory Workshop
3/224
-
7/23/2019 Chef Introductory Workshop
4/224
-
7/23/2019 Chef Introductory Workshop
5/224
-
7/23/2019 Chef Introductory Workshop
6/224
Setup workstation environment
Anatomy of a Chef Run
Hands on exercises
Lunch
More hands on exercises
We will take breaks, of course!
-
7/23/2019 Chef Introductory Workshop
7/224
Automate common system administrationtasks with Chef.
Understand Chef's architecture.
Be familiar with Chef's various tools.
Know how to get further help.
-
7/23/2019 Chef Introductory Workshop
8/224
This is a one day workshop, not a
comprehensive course.
We will do several hands on exercises.
We want to focus on being immediatelyproductive solving common tasks.
You should be equipped to hit the groundrunning and know where to go next.
-
7/23/2019 Chef Introductory Workshop
9/224
You bring the domain expertise about yourbusiness and problems
Chef provides a framework for solving thoseproblems
Our job is to work together to teach you how toexpress solutions to your problems with Chef
The exercises cover common problems to
system administration use cases
Ask questions when they come to you.
Ask for help when you need it.
-
7/23/2019 Chef Introductory Workshop
10/224
We will be doing things the hard way
Were going to do a lot of typing
You cant be late
You wont be left behind
We will troubleshoot and fix bugs on the
spot
The result is you reaching fluency fast
-
7/23/2019 Chef Introductory Workshop
11/224
What is this thing again?
-
7/23/2019 Chef Introductory Workshop
12/224
Just build it
Keep notes in server.txt
Move notes to the wiki
Custom scripts (in scm?!)
Snapshot & Clone
-
7/23/2019 Chef Introductory Workshop
13/224
Chef is an automation platform for developers & systems engineers to continuouslydefine, build, and manage infrastructure.
CHEF USES:
Recipesand Cookbooksthat describe Infrastructure as Code.
Chef enables people to easily build &manage complex & dynamic applicationsat massive scale
New model for describing infrastructure thatpromotes reuse
Programmatically provision and configure
Reconstruct business from code repository,data backup, and bare metal resources
-
7/23/2019 Chef Introductory Workshop
14/224
http://www.flickr.com/photos/steffenz/337700069/http://www.flickr.com/photos/kky/704056791/
-
7/23/2019 Chef Introductory Workshop
15/224
http://www.flickr.com/photos/sbh/462754460/
-
7/23/2019 Chef Introductory Workshop
16/224
http://www.flickr.com/photos/philliecasablanca/3354734116/
Networking
Files
Directories
Symlinks
Mounts
Routes
Users
Groups
Tasks
Packages
Software
Services
Configuration
Other Stuff
-
7/23/2019 Chef Introductory Workshop
17/224
Code Sample
http://www.flickr.com/photos/glowjangles/4081048126/
-
7/23/2019 Chef Introductory Workshop
18/224
Code Sample
http://www.flickr.com/photos/28309157@N08/3743455858/
-
7/23/2019 Chef Introductory Workshop
19/224
http://www.flickr.com/photos/16339684@N00/2681435235/
-
7/23/2019 Chef Introductory Workshop
20/224
Application Server
-
7/23/2019 Chef Introductory Workshop
21/224
Application Server
Application Database
-
7/23/2019 Chef Introductory Workshop
22/224
Application Server
Application Databases
-
7/23/2019 Chef Introductory Workshop
23/224
Application Servers
Application Databases
-
7/23/2019 Chef Introductory Workshop
24/224
Application Servers
Application Databases
Load Balancer
-
7/23/2019 Chef Introductory Workshop
25/224
Application Servers
Application Databases
Load Balancers
-
7/23/2019 Chef Introductory Workshop
26/224
Application Servers
Application Database Cache
Load Balancers
Application Databases
-
7/23/2019 Chef Introductory Workshop
27/224
Application Servers
Application Database Cache
Load Balancers
Application Databases
-
7/23/2019 Chef Introductory Workshop
28/224
Application Servers
Application Database Cache
Load Balancers
Floating IP?
Application Databases
-
7/23/2019 Chef Introductory Workshop
29/224
Load Balancers
A lication Servers
NoSQL
Database Slaves
ApplicationCache
Database Cache
Database
-
7/23/2019 Chef Introductory Workshop
30/224
DC1
DC3
DC2
-
7/23/2019 Chef Introductory Workshop
31/224
Configuration Management
http://www.flickr.com/photos/philliecasablanca/3354734116/
-
7/23/2019 Chef Introductory Workshop
32/224
Gold is heavy
Hard to transport
Hard to mold
Easy to lose
configuration detail
http://www.flickr.com/photos/garysoup/2977173063/
-
7/23/2019 Chef Introductory Workshop
33/224
Jboss App
Memcache
Postgres Slaves
Postgres Master
NagiosGraphite
-
7/23/2019 Chef Introductory Workshop
34/224
Jboss App
Memcache
Postgres Slaves
Postgres Master
NagiosGraphite
Move SSH off port 22
Lets put it on 2022
-
7/23/2019 Chef Introductory Workshop
35/224
Jboss App
Memcache
Postgres Slaves
Postgres Master
NagiosGraphite
edit /etc/ssh/sshd_config
1 2
3
4
5
6
-
7/23/2019 Chef Introductory Workshop
36/224
Jboss App
Memcache
Postgres Slaves
Postgres Master
NagiosGraphite
Delete, launch
1 2
3 4 5 6 7
8 9
10 11
12
Repeat
Typically manually
-
7/23/2019 Chef Introductory Workshop
37/224
Dont break anything!
Bob just got fired =(
5
Jboss App
Memcache
Postgres Slaves
Postgres Master
NagiosGraphite 1 2
4 5 6 7
8 9
10 11
12
3
-
7/23/2019 Chef Introductory Workshop
38/224
Jboss App
Memcache
Postgres Slaves
Postgres Master
NagiosGraphite
Invalid configs!
-
7/23/2019 Chef Introductory Workshop
39/224
Code Sample
http://www.flickr.com/photos/francoforeshock/5716969942/
-
7/23/2019 Chef Introductory Workshop
40/224
But you already
guessed that, didnt
you?
-
7/23/2019 Chef Introductory Workshop
41/224
http://www.flickr.com/photos/louisb/4555295187/
Programmatically provisionand configure
Treat like any other code base
Reconstruct business fromcode repository, data backup,and bare metal resources.
-
7/23/2019 Chef Introductory Workshop
42/224
http://www.flickr.com/photos/ssoosay/5126146763/
Chef generates configurations
directly on nodes from theirrun list
Reduce managementcomplexity throughabstraction
Store the configuration of your
programs in version control
-
7/23/2019 Chef Introductory Workshop
43/224
-
7/23/2019 Chef Introductory Workshop
44/224
package "ntp" do action :installend
service "ntpd" do action [:enable,:start]end
template "/etc/ntpd.conf" do
source "ntpd.conf.erb" owner "root" group "root" mode 0644 action :create variables(:time_server => time.example.com) notifies :restart, service[ntpd]end
-
7/23/2019 Chef Introductory Workshop
45/224
Jboss App
Memcache
Postgres Slaves
Postgres Master
NagiosGraphite
-
7/23/2019 Chef Introductory Workshop
46/224
Jboss App
Memcache
Postgres Slaves
Postgres Master
NagiosGraphite
-
7/23/2019 Chef Introductory Workshop
47/224
Jboss App
Memcache
Postgres Slaves
Postgres Master
NagiosGraphite
-
7/23/2019 Chef Introductory Workshop
48/224
NagiosGraphite
Jboss App
Memcache
Postgres Slaves
12+ resource changes for 1 node addition
-
7/23/2019 Chef Introductory Workshop
49/224
-
7/23/2019 Chef Introductory Workshop
50/224
Workstation Setup
Chef Server Account
Chef Repository
Remote target managed node
-
7/23/2019 Chef Introductory Workshop
51/224
Code Sample
-
7/23/2019 Chef Introductory Workshop
52/224
Install Chef (if not alreadyinstalled)
https://www.opscode.com/chef/install/
-
7/23/2019 Chef Introductory Workshop
53/224
Set up Chef Server Account
Opscode Hosted Chef
https://manage.opscode.com
-
7/23/2019 Chef Introductory Workshop
54/224
-
7/23/2019 Chef Introductory Workshop
55/224
-
7/23/2019 Chef Introductory Workshop
56/224
Organization Short Name must be GLOBALLY unique!
-
7/23/2019 Chef Introductory Workshop
57/224
-
7/23/2019 Chef Introductory Workshop
58/224
Only if you dont haveyour user key with you today!
-
7/23/2019 Chef Introductory Workshop
59/224
ec2-based Instance
ec2-STUDENT_ID.compute-1.amazonaws.com
Ubuntu 12.04
SSH
Username: opscode
Password: opscode
-
7/23/2019 Chef Introductory Workshop
60/224
# copy your user key, validation key and knife config:> cp ~/Downloads/ORGNAME-validator.pem .chef
> cp ~/Downloads/USERNAME.pem .chef> cp ~/Downloads/knife.rb .chef
> ls .chefORGNAME-validator.pemUSERNAME.pem
knife.rb
-
7/23/2019 Chef Introductory Workshop
61/224
> knife --versionChef: 11.4.0
> knife client listORGNAME-validator
Your version may differ, that's okay!
-
7/23/2019 Chef Introductory Workshop
62/224
-
7/23/2019 Chef Introductory Workshop
63/224
> knife bootstrap IPADDRESS --sudo -x USERNAME -P PASSWORD
Bootstrapping Chef on targettarget Starting Chef Client, version 11.4.0
-
7/23/2019 Chef Introductory Workshop
64/224
Opscode Hosted Chef
localworkstation
managednode (VM)
chef-client
knife bootstrap IPADDRESS --sudo -x USERNAME -P PASSWORD
chef_server_urlvalidation_client_name
validation_key
SSH!bash -c '
install chef
configure client
run chef'
-
7/23/2019 Chef Introductory Workshop
65/224
-
7/23/2019 Chef Introductory Workshop
66/224
-
7/23/2019 Chef Introductory Workshop
67/224
-
7/23/2019 Chef Introductory Workshop
68/224
The server has the public key
-
7/23/2019 Chef Introductory Workshop
69/224
-
7/23/2019 Chef Introductory Workshop
70/224
-
7/23/2019 Chef Introductory Workshop
71/224
-
7/23/2019 Chef Introductory Workshop
72/224
> knife node listtarget1
> knife client list target1
ORGNAME-validator
> knife node show target1Node Name: target1Environment: _defaultFQDN: target1IP: 10.12.13.201
Run List:Roles:Recipes:Platform: ubuntu 12.04
-
7/23/2019 Chef Introductory Workshop
73/224
> knife node show --help
> knife help node
-
7/23/2019 Chef Introductory Workshop
74/224
> ssh opscode@target
opscode@target1:~$ ls /etc/chefclient.pem client.rb first-boot.json validation.pem
-
7/23/2019 Chef Introductory Workshop
75/224
$ cat /etc/chef/client.rblog_level :autolog_location STDOUTchef_server_url "https://chef.local/organizations/ORGNAME"validation_client_name "ORGNAME-validator"# Using default node name (fqdn)
-
7/23/2019 Chef Introductory Workshop
76/224
$ cat /etc/chef/first-boot.json{"run_list":[]}
$ chef-client -h | grep -i json -j JSON_ATTRIBS, Load attributes from a JSON file or URL --json-attributes
-
7/23/2019 Chef Introductory Workshop
77/224
Remember from the authentication cycle:Chef Server requires keys to authenticate.
client.pem - private key for API client
validation.pem - private key forORGNAME-validator
-
7/23/2019 Chef Introductory Workshop
78/224
Packages, Cookbook Files, and Services
-
7/23/2019 Chef Introductory Workshop
79/224
Understand what a cookbookis
Know how to create a new cookbook
Understand what a recipeis
Understand how to use the package, service, andcookbook_fileresources
Know how to upload a cookbookto the ChefServer
Understand what a run list is, and how to set it for anode via knife
How to read the output of a chef-client run
-
7/23/2019 Chef Introductory Workshop
80/224
A cookbook is like a package for Chef recipes.
It contains all the recipes, files, templates,
libraries, etc. required to configure a portion of
your infrastructure
Typically they map 1:1 to a piece of software or
functionality.
-
7/23/2019 Chef Introductory Workshop
81/224
The Problem: We need a web serverconfigured to serve up our home page.
Success Criteria: We can see the homepage ina web browser.
-
7/23/2019 Chef Introductory Workshop
82/224
Install Apache
Start the service, and make sure it will startwhen the machine boots
Write out the home page
-
7/23/2019 Chef Introductory Workshop
83/224
$ knife cookbook create apache
** Creating cookbook apache** Creating README for cookbook: apache** Creating CHANGELOG for cookbook: apache** Creating metadata for cookbook: apache
-
7/23/2019 Chef Introductory Workshop
84/224
$ ls -la cookbooks/apache
total 23
drwxr-xr-x 12 opscode pandas 442 Oct 22 18:57 .drwxr-xr-x 4 opscode pandas 136 Oct 22 18:57 ..-rw-r--r-- 1 opscode pandas 413 Oct 22 18:57 CHANGELOG.md-rw-r--r-- 1 opscode pandas 88 Oct 22 18:57 README.mddrwxr-xr-x 2 opscode pandas 68 Oct 22 18:57 attributesdrwxr-xr-x 2 opscode pandas 68 Oct 22 18:57 definitionsdrwxr-xr-x 3 opscode pandas 102 Oct 22 18:57 filesdrwxr-xr-x 2 opscode pandas 68 Oct 22 18:57 libraries-rw-r--r-- 1 opscode pandas 250 Oct 22 18:57 metadata.rbdrwxr-xr-x 2 opscode pandas 68 Oct 22 18:57 providersdrwxr-xr-x 3 opscode pandas 102 Oct 22 18:57 recipesdrwxr-xr-x 2 opscode pandas 68 Oct 22 18:57 resourcesdrwxr-xr-x 3 opscode pandas 102 Oct 22 18:57 templates
-
7/23/2019 Chef Introductory Workshop
85/224
$ vi cookbooks/apache/recipes/default.rb
-
7/23/2019 Chef Introductory Workshop
86/224
The default.rb recipe for a given
cookbook is referred to by the name ofthe cookbook (apache)
If we added another recipe to this
cookbook named mod_ssl.rb, we would
refer to it as apache::mod_ssl
-
7/23/2019 Chef Introductory Workshop
87/224
Add the following to cookbooks/apache/recipes/default.rb
-
7/23/2019 Chef Introductory Workshop
88/224
Have a type.
Have a name.
Have parameters.
Take action to put the resource
in the declared state.
Can send notifications to otherresources.
package "haproxy" do action :installend
template "/etc/haproxy/haproxy.cfg" do source "haproxy.cfg.erb"
owner "root" group "root" mode 0644 notifies :restart, "service[haproxy]"end
service "haproxy" do
supports :restart => true action [:enable, :start]end
-
7/23/2019 Chef Introductory Workshop
89/224
Is a packageresource
Whose nameis apache2
With an installaction
-
7/23/2019 Chef Introductory Workshop
90/224
Resources are declarative- that means we
say whatwe want to have happen, ratherthanhow
Chef uses what platformthe node isrunning to determine the correct provider
for a resource
-
7/23/2019 Chef Introductory Workshop
91/224
Add the following to cookbooks/apache/recipes/default.rb
-
7/23/2019 Chef Introductory Workshop
92/224
Is a serviceresource
Whose nameis apache2
With two actions: startand enable
-
7/23/2019 Chef Introductory Workshop
93/224
The order you write resources in a recipe
is the order they will be executed in
-
7/23/2019 Chef Introductory Workshop
94/224
Add the following to cookbooks/apache/recipes/default.rb
-
7/23/2019 Chef Introductory Workshop
95/224
Is a cookbook_fileresource
Whose nameis /var/www/index.html
With two parameters:
sourceofindex.html
modeof 0644
-
7/23/2019 Chef Introductory Workshop
96/224
Has no action!
If you omit the
action in Chef, wedefault to the mostcommon positiveaction. In this case,it is the :create
action.
-
7/23/2019 Chef Introductory Workshop
97/224
-
7/23/2019 Chef Introductory Workshop
98/224
Using what we have learned so far,can we make the recipe shorter?
-
7/23/2019 Chef Introductory Workshop
99/224
-
7/23/2019 Chef Introductory Workshop
100/224
Add the following to cookbooks/apache/files/default/index.html
-
7/23/2019 Chef Introductory Workshop
101/224
-
7/23/2019 Chef Introductory Workshop
102/224
$ knife cookbook upload apache
Uploading apache [0.1.0]Uploaded 1 cookbook.
-
7/23/2019 Chef Introductory Workshop
103/224
$ knife node edit target1.local
-
7/23/2019 Chef Introductory Workshop
104/224
Add recipe[apache] to the run_list, saveand close.
-
7/23/2019 Chef Introductory Workshop
105/224
Run lists specify what recipes or roles the
node should run, along with the order theyshould be run in
Run lists are represented by an array
Recipes are specified by recipe[name]
Roles are specified by role[name]
-
7/23/2019 Chef Introductory Workshop
106/224
$ sudo chef-client -Fdoc -lfatal
Starting Chef Client, version 11.4.0resolving cookbooks for run list: ["apache"]Synchronizing Cookbooks: - apacheCompiling Cookbooks...Converging 3 resourcesRecipe: apache::default * package[apache2] action install - install version 2.2.22-1ubuntu1 of package apache2
* service[apache2] action enable (up to date) * service[apache2] action start (up to date) * cookbook_file[/var/www/index.html] action create - create a new cookbook_file /var/www/index.html --- /tmp/chef-tempfile20130215-12136-mlqrm6 2013-02-15 13:47:53.136288008 -0800 +++ /var/chef/cache/cookbooks/apache/files/default/index.html2013-02-15 13:33:26.685884277 -0800
@@ -0,0 +1,5 @@ + + + Hello world + +
Chef Client finished, 3 resources updated
-
7/23/2019 Chef Introductory Workshop
107/224
-
7/23/2019 Chef Introductory Workshop
108/224
You have just written your first Chef
cookbook!
(clap!)
-
7/23/2019 Chef Introductory Workshop
109/224
Starting Chef Client, version 11.4.0INFO: *** Chef 11.4.0 ***INFO: [inet6] no default interface, picking the first ipaddressINFO: Run List is [recipe[apache]]INFO: Run List expands to [apache]INFO: Starting Chef Run for target.localINFO: Running start handlersINFO: Start handlers complete.
We tell you the nodes Run List
The expanded Run List is the completelist, after nested roles are expanded
-
7/23/2019 Chef Introductory Workshop
110/224
INFO: Loading cookbooks [apache]INFO: Storing updated cookbooks/apache/recipes/default.rb in thecache.INFO: Storing updated cookbooks/apache/CHANGELOG.md in the cache.INFO: Storing updated cookbooks/apache/metadata.rb in the cache.INFO: Storing updated cookbooks/apache/README.md in the cache.
We start loading the cookbooks in the orderspecified by the run list
We download any files we are missing from theserver
-
7/23/2019 Chef Introductory Workshop
111/224
Recipe: apache::default * package[apache2] action install - install version 2.2.22-1ubuntu1 of packageapache2
We are checking to see if the package apache2 isinstalled
It was not, and so we installed version2.2.22-1ubuntu1 (yours may be different)
-
7/23/2019 Chef Introductory Workshop
112/224
* service[apache2] action enable (up to date) * service[apache2] action start (up to date)
We check to see if apache2 is already started -and it is, so we do nothing
We check to see if apache2 is already enabled torun at boot - and it is, so we do nothing
-
7/23/2019 Chef Introductory Workshop
113/224
Actions on resources in Chef are designed to beconvergent
In practical terms, this means they only changethe state of the system if they have to
If a resource in Chef is properly configured, wemove on to the next resource
Convergent resources are idempotent
Idempotent functions yield the same result withevery application
-
7/23/2019 Chef Introductory Workshop
114/224
* service[apache2] action enable (up to date) * service[apache2] action start (up to date) * cookbook_file[/var/www/index.html] action create - create a new cookbook_file /var/www/index.html --- /tmp/chef-tempfile20130215-12136-mlqrm6 2013-02-15 13:47:53.136288008 -0800 +++ /var/chef/cache/cookbooks/apache/files/default/index.html 2013-02-1513:33:26.685884277 -0800 @@ -0,0 +1,5 @@ +
+ + Hello world + +
We check to see if we need to create theindex.html file
There is already one in place, whose contents aredifferent than ours, so we back it up
We also set the permissions appropriately
-
7/23/2019 Chef Introductory Workshop
115/224
We see Chef Run complete, with the time it took
for the run to finish Report and exception handlers are now run
INFO: Chef Run complete in 13.761588783 secondsINFO: Running report handlersINFO: Report handlers complete
-
7/23/2019 Chef Introductory Workshop
116/224
$ sudo chef-client -Fdoc -lfatal
Starting Chef Client, version 11.4.0resolving cookbooks for run list: ["apache"]Synchronizing Cookbooks: - apacheCompiling Cookbooks...Converging 3 resourcesRecipe: apache::default * package[apache2] action install (up to date)
* service[apache2] action enable (up to date) * service[apache2] action start (up to date) * cookbook_file[/var/www/index.html] action create (up to date)Chef Client finished, 0 resources updated
-
7/23/2019 Chef Introductory Workshop
117/224
What is a cookbook?
How do you create a new cookbook?
What is a recipe?
What is a resource?
How do you upload a cookbook to the ChefServer?
What is a run list?
-
7/23/2019 Chef Introductory Workshop
118/224
-
7/23/2019 Chef Introductory Workshop
119/224
build node authenticate
sync
cookbooks
load
cookbooks
converge
node.savenotification
handlersexception
Yes
No
chef-client
success?
expanded run list(recipes)
Ohai!
node_name
platform
platform_version
-
7/23/2019 Chef Introductory Workshop
120/224
/etc/chef/client.pem?
/etc/chef/validation.pem?
401!
Request API
Client
Sign Requests client.pem
Yes
No No
Yes
-
7/23/2019 Chef Introductory Workshop
121/224
-
7/23/2019 Chef Introductory Workshop
122/224
> git clone git://github.com/opscode/chef-repo-workshop-sysadmin
> cd chef-repo-workstop-sysadmin> rm -rf .git> mkdir -p .chef
-
7/23/2019 Chef Introductory Workshop
123/224
-
7/23/2019 Chef Introductory Workshop
124/224
> knife cookbook upload -a
> knife role from file roles/*.rb
> knife data bag create users
> knife data bag from file users nagiosadmin.json
-
7/23/2019 Chef Introductory Workshop
125/224
Opscode Hosted Chef
ChefRepository
.chef/knife.rbcookbooks/data_bags/
roles/
cookbooks
data bags
roles
chef_server_url
node_name
client_key
knife cookbook upload -a
knife role from file base.rb
knife data bag from file ...
local
workstation
-
7/23/2019 Chef Introductory Workshop
126/224
$ knife node edit target1.local
$ knife node run_list add target1.local \
role[base],role[monitoring]
$ knife node run_list remove target1.local \ recipe[apache]
-
7/23/2019 Chef Introductory Workshop
127/224
-
7/23/2019 Chef Introductory Workshop
128/224
$ knife ssh "role:base"
-
7/23/2019 Chef Introductory Workshop
129/224
$ knife ssh role:base "sudo chef-client" -x opscode -P opscode
-
7/23/2019 Chef Introductory Workshop
130/224
Navigate to http://PUBLIC_HOSTNAME
Username: nagiosadmin
Password: nagios
U i d i
-
7/23/2019 Chef Introductory Workshop
131/224
Username: nagiosadmin
Password: nagios
-
7/23/2019 Chef Introductory Workshop
132/224
Nagios installation and management is acommon pain point.
The Nagios cookbook makes heavy use ofChef's search feature.
Dynamic host groups, service checks, etc.
Detailed discussion about the cookbook is
outside the scope of this workshop.
-
7/23/2019 Chef Introductory Workshop
133/224
name "base" description "Base role applied to all nodes." run_list( "recipe[apt]",
"recipe[nagios::client]" )
default_attributes( "nagios"=> { "server_role"=> "monitoring" } )
-
7/23/2019 Chef Introductory Workshop
134/224
name "monitoring" description "Monitoring server" run_list(
"recipe[nagios::server]" )
default_attributes( "nagios"=> { "server_auth_method"=> "htauth"
} )
-
7/23/2019 Chef Introductory Workshop
135/224
-
7/23/2019 Chef Introductory Workshop
136/224
Download cookbooks from ChefCommunity Site with Knife.
Extractthe cookbook's .tar.gz intocookbooks directory.
Reviewthe code you're going to run asroot.
Uploadthe cookbook to the Chef Server.
Apply the cookbook to your node(s) with a
role. Edit role's run list(base, monitoring)
Modif attributesas re uired
-
7/23/2019 Chef Introductory Workshop
137/224
> knife cookbook site download COOKBOOK
> tar -zxvf COOKBOOK*.tar.gz -C cookbooks
> less cookbooks/COOKBOOK/README.md> less cookbooks/COOKBOOK/recipes/default.rb
> knife cookbook upload COOKBOOK
-
7/23/2019 Chef Introductory Workshop
138/224
Opscode Hosted Chef
ChefRepository
.chef/knife.rbcookbooks/data_bags/
roles/
local
workstation
Chef Community Site
knife cookbooksite
download
knife cookbook upload
cookbook
tar -zxvf cb.tar.gz -C cookbooks
cookbooks/COOKBOOK
"##metadata.rb"##recipes$ #default.rb#templates #default
#my-tmpl.erb
-
7/23/2019 Chef Introductory Workshop
139/224
-
7/23/2019 Chef Introductory Workshop
140/224
Policy statement:Delete the validation key.
New concepts:
Obtain cookbooks
Upload cookbooks
Chef resources
Chef Configuration in recipes
Roles Ruby DSL
Run list items
"Knife SSH"
-
7/23/2019 Chef Introductory Workshop
141/224
Download the chef-clientcookbook.
Extract it to the cookbooks directory.
Upload it to the Chef Server.
Add "recipe[chef-client::delete_validation]" to the baserole's run list.
Run Chef on the target managed node.
-
7/23/2019 Chef Introductory Workshop
142/224
> knife cookbook site download chef-client> tar -zxvf chef-client*.tar.gz -C cookbooks
> knife cookbook upload chef-client
FAIL!
-
7/23/2019 Chef Introductory Workshop
143/224
> knife cookbook upload chef-clientUploading chef-client [2.1.10]
ERROR: Cookbook chef-client depends on cookbook 'cron'version '>= 0.0.0',ERROR: which is not currently being uploaded andcannot be found on the server.
-
7/23/2019 Chef Introductory Workshop
144/224
file Chef::Config[:validation_key] do action :delete backup false only_if { ::File.exists?(Chef::Config[:client_key]) } end
-
7/23/2019 Chef Introductory Workshop
145/224
Have a type.
Have a name.
Have parameters.
Take action to put the resourcein the declared state.
Can send notifications to other
resources.
package "haproxy" do action :installend
template "/etc/haproxy/haproxy.cfg" do source "haproxy.cfg.erb"
owner "root" group "root" mode 0644 notifies :restart, "service[haproxy]"end
service "haproxy" do supports :restart => true
action [:enable, :start]end
-
7/23/2019 Chef Introductory Workshop
146/224
Chef pros use the Chef Documentationpage for resource documentation.
http://docs.opscode.com/chef/resources.html
Bookmark the page and refer to it often!
-
7/23/2019 Chef Introductory Workshop
147/224
Roles are located in the "roles" directory.
The base role is "roles/base.rb".
We uploaded this earlier with knife. Nowwe're going to edit it.
-
7/23/2019 Chef Introductory Workshop
148/224
name "base" description "Base role applied to all nodes." run_list( "recipe[apt]", "recipe[nagios::client]", "recipe[chef-client::delete_validation]" )
default_attributes( "nagios"=> {
"server_role"=> "monitoring" } )
-
7/23/2019 Chef Introductory Workshop
149/224
> knife role from file base.rb
> knife role show base
-
7/23/2019 Chef Introductory Workshop
150/224
> knife ssh role:base "sudo chef-client" \ -x USERNAME -P PASSWORD -a cloud.public_ipv4
...Recipe: chef-client::delete_validation * file[/etc/chef/validation.pem] action delete - delete file /etc/chef/validation.pem
-
7/23/2019 Chef Introductory Workshop
151/224
Knife SSH performs a search for nodes onthe Chef Server with the query "role:base".
Knife opens an SSH connection to thenodes' IP address (-a ipaddress or -acloud.public_ipv4).
The SSH session will connect as the user (-xopscode) with the password (-P opscode).
The command "sudo chef-client" is passedto SSH and run on the node.
knife ssh role:base "sudo chef-client" \ -x USERNAME -P PASSWORD -a cloud.public_ipv4
-
7/23/2019 Chef Introductory Workshop
152/224
-
7/23/2019 Chef Introductory Workshop
153/224
What is that cloud.public_ipv4?
knife ssh role:base "sudo chef-client" \ -x USERNAME -P PASSWORD -a cloud.public_ipv4
-
7/23/2019 Chef Introductory Workshop
154/224
> ssh opscode@IPADDRESSopscode@IPADDRESS's password:
opscode@target1:~$ sudo ohai
"memory": {
"hostname": "server-1","fqdn": "server 1 example com"
-
7/23/2019 Chef Introductory Workshop
155/224
memory : { "swap": { "cached": "0kB", "total": "4128760kB", "free": "4128760kB" }, "total": "2055676kB", "free": "1646524kB", "buffers": "35032kB", "cached": "210276kB", "active": "125336kB", "inactive": "142884kB", "dirty": "8kB", "writeback": "0kB",
"anon_pages": "22976kB", "mapped": "8416kB", "slab": "121512kB", "slab_reclaimable": "41148kB", "slab_unreclaim": "80364kB", "page_tables": "1784kB", "nfs_unstable": "0kB", "bounce": "0kB", "commit_limit": "5156596kB", "committed_as": "74980kB",
"vmalloc_total": "34359738367kB", "vmalloc_used": "274512kB", "vmalloc_chunk": "34359449936kB" },
"block_device": { "ram0": { "size": "32768", "removable": "0" }, "ram1": { "size": "32768", "removable": "0" }, "ram2": { "size": "32768",
"removable": "0" },
fqdn : server-1.example.com , "domain": "example.com", "network": {
"interfaces": { "eth0": { "type": "eth", "number": "0", "encapsulation": "Ethernet", "addresses": { "00:0C:29:43:26:C5": { "family": "lladdr"
}, "192.168.177.138": { "family": "inet", "broadcast": "192.168.177.255", "netmask": "255.255.255.0" }, "fe80::20c:29ff:fe43:26c5": { "family": "inet6",
"prefixlen": "64", "scope": "Link" } },
-
7/23/2019 Chef Introductory Workshop
156/224
-
7/23/2019 Chef Introductory Workshop
157/224
-
7/23/2019 Chef Introductory Workshop
158/224
-
7/23/2019 Chef Introductory Workshop
159/224
The server has the public key
-
7/23/2019 Chef Introductory Workshop
160/224
-
7/23/2019 Chef Introductory Workshop
161/224
Attributes are indexed forsearchon the Chef Server
-
7/23/2019 Chef Introductory Workshop
162/224
The list of roles or recipes to applyin order
-
7/23/2019 Chef Introductory Workshop
163/224
The list of roles or recipes to applyin order
-
7/23/2019 Chef Introductory Workshop
164/224
-
7/23/2019 Chef Introductory Workshop
165/224
Resources describe what, not how.
-
7/23/2019 Chef Introductory Workshop
166/224
-
7/23/2019 Chef Introductory Workshop
167/224
-
7/23/2019 Chef Introductory Workshop
168/224
Resources are applied in the orderthey're written in recipes
-
7/23/2019 Chef Introductory Workshop
169/224
-
7/23/2019 Chef Introductory Workshop
170/224
-
7/23/2019 Chef Introductory Workshop
171/224
-
7/23/2019 Chef Introductory Workshop
172/224
Policy statement:Show which roles areapplied by Chef on this node when users
login with SSH.New concepts:
Node object methods
Template resources
ERb syntax
-
7/23/2019 Chef Introductory Workshop
173/224
Download the motd-tailcookbook.
Extract it to the cookbooks directory.
Upload it to the Chef Server.
Add "recipe[motd-tail]" to the base role'srun list.
Run Chef on the target managed node.
-
7/23/2019 Chef Introductory Workshop
174/224
name "base" description "Base role applied to all nodes." run_list( "recipe[apt]", "recipe[nagios::client]",
"recipe[chef-client::delete_validation]", "recipe[motd-tail]" )
default_attributes( "nagios"=> {
"server_role"=> "monitoring" } )
-
7/23/2019 Chef Introductory Workshop
175/224
template "/etc/motd.tail"do source "motd.tail.erb"
group "root" owner "root" mode 00644 backup 0 end
-
7/23/2019 Chef Introductory Workshop
176/224
To embed a value in an ERb template:
Start with
This inserts the result of the value in the
output file
-
7/23/2019 Chef Introductory Workshop
177/224
Use any Ruby statement in a template
Starting with does not insert a line inthe resulting file
-
7/23/2019 Chef Introductory Workshop
178/224
-
7/23/2019 Chef Introductory Workshop
179/224
-
7/23/2019 Chef Introductory Workshop
180/224
-
7/23/2019 Chef Introductory Workshop
181/224
-
7/23/2019 Chef Introductory Workshop
182/224
-
7/23/2019 Chef Introductory Workshop
183/224
Policy statement:User privileges will bemanaged through sudoers entries.
New concepts:
Attribute priority
Setting attributes in Cookbooks andRoles
Using attributes in a template
Ruby array iteration
Package resource
File backups
-
7/23/2019 Chef Introductory Workshop
184/224
-
7/23/2019 Chef Introductory Workshop
185/224
Download the sudocookbook.
Extract it to the cookbooks directory.
Upload it to the Chef Server.
Add "recipe[sudo]" to the base role's runlist.
Modify sudo-specific attributes in the baserole.
Run Chef on the target managed node.
-
7/23/2019 Chef Introductory Workshop
186/224
name "base" description "Base role applied to all nodes." run_list( "recipe[apt]",
"recipe[nagios::client]", "recipe[chef-client::delete_validation]", "recipe[motd-tail]", "recipe[sudo]" )
-
7/23/2019 Chef Introductory Workshop
187/224
-
7/23/2019 Chef Introductory Workshop
188/224
default['authorization']['sudo']['groups'] =[]
default['authorization']['sudo']['users'] =[] default['authorization']['sudo']['passwordless'] =false default['authorization']['sudo']['include_sudoers_d'] =false default['authorization']['sudo']['agent_forwarding'] =false
-
7/23/2019 Chef Introductory Workshop
189/224
package 'sudo'do action :install end
ifnode['authorization']['sudo']['include_sudoers_d'] directory '/etc/sudoers.d'{ ... } cookbook_file '/etc/sudoers.d/README'{ ... } end
template '/etc/sudoers'do source 'sudoers.erb' mode '0440' owner 'root' group 'root' variables(:sudoers_groups=> node['authorization']['sudo']['groups'], :sudoers_users=> node['authorization']['sudo']['users'], :passwordless=> node['authorization']['sudo']['passwordless'],
:include_sudoers_d=> node['authorization']['sudo']['include_sudoers_d'] :agent_forwarding=> node['authorization']['sudo']['agent_forwarding']) end
-
7/23/2019 Chef Introductory Workshop
190/224
root ALL=(ALL) ALL
ALL=(ALL) ALL
# Members of the sysadmin group may gain root privileges %sysadmin ALL=(ALL) ALL
# Members of the group '' may gain root privileges % ALL=(ALL) ALL
-
7/23/2019 Chef Introductory Workshop
191/224
-
7/23/2019 Chef Introductory Workshop
192/224
"file", "template", "cookbook_file" and"remote_file"
Default backup location is /var/chef/backup, configurable with"file_backup_path" in /etc/chef/client.rb
5 backups are kept by default, change thiswith the "backup" parameter in the
resource.
-
7/23/2019 Chef Introductory Workshop
193/224
% ssh opscode@IPADDRESS
opscode@target1:~$ sudo -l
(ALL) NOPASSWD: ALL (ALL) NOPASSWD: ALL
-
7/23/2019 Chef Introductory Workshop
194/224
-
7/23/2019 Chef Introductory Workshop
195/224
Policy statement:All sysadmins will bemanaged users from a common data bag.
New concepts:
Data bags
Encapsulating repeated functionality incustom resources (LWRP)
Data driven recipes
-
7/23/2019 Chef Introductory Workshop
196/224
Download the userscookbook.
Extract it to the cookbooks directory.
Upload it to the Chef Server.
Add "recipe[users::sysadmins]" to thebase role's run list.
Create a data bag of user items in JSON.
Run Chef on the target managed node.
-
7/23/2019 Chef Introductory Workshop
197/224
name "base" description "Base role applied to all nodes." run_list(
"recipe[apt]", "recipe[nagios::client]", "recipe[chef-client::delete_validation]", "recipe[motd-tail]", "recipe[sudo]", "recipe[users::sysadmins]"
)
-
7/23/2019 Chef Introductory Workshop
198/224
{ "id": "yourusername", "groups": ["sysadmin"],
"uid": 2001, "shell": "/bin/bash", "comment": "Your Name", "nagios": { "email": "[email protected]" }
}
-
7/23/2019 Chef Introductory Workshop
199/224
> knife data bag from file users yourusername.json
-
7/23/2019 Chef Introductory Workshop
200/224
users_manage "sysadmin"do group_id 2300 action [ :remove, :create] end
Detailed discussion about LWRP is outside scope of this workshop.
-
7/23/2019 Chef Introductory Workshop
201/224
Search the "users" data bag forsearch_group ("sysadmin").
Creates a group for the user.
Creates the user.
Creates user's .ssh directory and createsan authorized_keys with public SSH keys.
Creates the specified group ("sysadmin")
Detailed discussion about LWRP is outside scope of this workshop.
-
7/23/2019 Chef Introductory Workshop
202/224
-
7/23/2019 Chef Introductory Workshop
203/224
-
7/23/2019 Chef Introductory Workshop
204/224
{ "id": "yourusername", "groups": ["sysadmin"], "uid": 2001,
"shell": "/bin/bash", "comment": "Your Name", "nagios": { "email": "[email protected]" }, "ssh_keys": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxsj... SNIP" }
-
7/23/2019 Chef Introductory Workshop
205/224
Upload the data bag item again using theprevious command.
Run chef-client on the target managednode.
-
7/23/2019 Chef Introductory Workshop
206/224
* template[/home/yourusername/.ssh/authorized_keys] actioncreate - create template[/home/yourusername/.ssh/authorized_keys] --- /tmp/chef-tempfile20130212-24676-14thg55
2013-02-12 10:05:38.032047311 +0000 +++ /tmp/chef-rendered-template20130212-24676-tpk3ow2013-02-12 10:05:38.032047311 +0000 @@ -0,0 +1,4 @@ +# Generated by Chef forip-10-145-232-156.ec2.internal +# Local modifications will be overwritten.
+ +ssh-rsa AAAA...local
-
7/23/2019 Chef Introductory Workshop
207/224
> ssh -i chef-workshop yourusername@IPADDRESS
yourusername@target1:~$iduid=2001(yourusername) gid=2001(yourusername)
groups=2001(yourusername),2300(sysadmin)
yourusername@target1:~$sudo -l
User yourusername may run the following commands onthis host: (ALL) NOPASSWD: ALL
-
7/23/2019 Chef Introductory Workshop
208/224
-
7/23/2019 Chef Introductory Workshop
209/224
USE SOMETHING.
Distributed Version Control
Git, GitHub, BitBucket
http://git-scm.com
https://github.com
https://bitbucket.org
Workflows, CI
-
7/23/2019 Chef Introductory Workshop
210/224
Recipe DSL
Libraries, "LWRPs" and more
Knife plugins
Report/exception handlers
chef-shell
-
7/23/2019 Chef Introductory Workshop
211/224
Chef 10.14+, "why run" mode
Test Kitchen (RubyGem)
Vagrant
http://vagrantup.com
Minitest - cookbook, handler
Cucumber - cucumber-chef
http://www.cucumber-chef.org/
-
7/23/2019 Chef Introductory Workshop
212/224
Community Site:
community.opscode.com
IRC: #chef, #chef-hacking
irc.freenode.net
Mailing list:
lists.opscode.com
ChefConf, Community Summits, UserGroups, Hack days and more
-
7/23/2019 Chef Introductory Workshop
213/224
Apache 2 Software License
Continually growing number ofcontributors!
Developmentrepositories:
http://github.com/opscode
http://github.com/opscode-cookbooks
-
7/23/2019 Chef Introductory Workshop
214/224
-
7/23/2019 Chef Introductory Workshop
215/224
-
7/23/2019 Chef Introductory Workshop
216/224
http://opscode.com/
http://learnchef.com
http://community.opscode.com/
http://docs.opscode.com
http://wiki.opscode.com/
http://lists.opscode.com
http://youtube.com/user/Opscode
-
7/23/2019 Chef Introductory Workshop
217/224
http://foodfightshow.org
The Podcast Where DevOps Chef Do Battle
Regular updates about new Cookbooks,Knife-plugins, and more
Best Practices for working with Chef
-
7/23/2019 Chef Introductory Workshop
218/224
Tex
-
7/23/2019 Chef Introductory Workshop
219/224
-
7/23/2019 Chef Introductory Workshop
220/224
Policy statement:The database connectionshould be dynamically generated based ona search and encrypted credentials
New concepts:
Creating Cookbooks
Search
Environments
Encrypted Data bags
-
7/23/2019 Chef Introductory Workshop
221/224
Create an Environment
Update your nodes Environment
Create an encrypted data bag item withdatabase credentials
Create a cookbook
Write a file that uses
Search for the host
Encrypted Data Bag for the Credentials
-
7/23/2019 Chef Introductory Workshop
222/224
staging: host: foo.example.com username: yourusername password: yourpassword
-
7/23/2019 Chef Introductory Workshop
223/224
Useful cookbooks
DNS: djbdns, pdns, dnsimple,dynect, route53
Monitoring: nagios, munin,
zenoss, zabbix Package repos: yum, apt,
freebsd
Security: ossec, snort,cis_benchmark
Logging: rsyslog, syslog-ng,logstash, logwatch
Application cookbooks:
application, database
python, java, php, ruby
Plugins
Cloud: knife-ec2, knife-rackspace, knife-openstack,knife-hp
Windows: knife-windows
http://wiki.opscode.com/display/chef/Community+Plugins
When you combine precedence and merge order, you getthe complete picture of node attribute setting
-
7/23/2019 Chef Introductory Workshop
224/224
AttributeFiles
Node/Recipe
Environment Role
Default
Force DefaultNormal
Override
Force Override
1 2 3 4
5 6
7 8
9 10 12 11
13 14