ADMIN

Recommendations

Info

Management Chef Directory Table 1: Directories in a Repository certificates/ config/ cookbooks/ roles/ site-cookbooks/ Content a package named runit (don’t install this yourself!). The Chef server also requires Sun Java SDK version 1.6.0, which the distributions love to hide in a special repository. Debian users need to enable the non-free package source for this, whereas Ubuntu users can add the partner repository with the following two lines: sudo add‐apt‐repository U "deb http://archive.canonical.com/ U lucid partner" sudo apt‐get update Theoretically, the Chef server will run with the OpenJDK, although the developers do not give you any guarantees. Lonely Kitchen Helper After fulfilling all the requirements, you can create configuration files for Chef Solo on the server and the client. This Chef variant runs the recipes directly on the client without involving the server. Without the server, Chef Solo is only useful as an SSL certificates (typically created by rake ssl_cert) General configuration files for the repository Complete cookbooks Role definitions Modified cookbooks; any cookbooks stored here will overwrite or modify the ones stored in cookbooks aid to creating simple scripts – for installing the full-fledged server and clients. To do this, create a ~/solo.rb file with the following three lines on each of the systems involved: file_cache_path "/tmp/chef‐solo" cookbook_path U "/tmp/chef‐solo/cookbooks" recipe_url U "http://s3.amazonaws.com/U chef‐solo/bootstrap‐latest.tar.gz" This tells Chef Solo where the installation recipes are located. Chef on Call Now it’s time to move on to the server candidate. On this machine, create a JSON configuration file named ~/chef.json to provide information about the node. See [Listing 3] for the file content. To match your local environment, you need to modify the server name for server_fqdn. To set up the full-fledged Chef server, give the command: sudo chef‐solo ‐c ~/solo.rb ‐j U ~/chef.json If the command terminates with a cryptic error message, try running it again. During testing, the installation ran without any errors. First, the command installs a Chef client, then RabbitMQ, CouchDB, the developer packages for zlib and xml, and the Chef server, including the indexer and a web GUI you can use later to manage the Chef server (WebUI). It then goes on to create matching configuration files and the required directories and adds init script entries for the server to round off the process. At the end of this procedure, the Chef server should be listening on port 4000; the web GUI is accessible on port 4040. Java and RabbitMQ use the Apache SOLR-based full-text search engine built into the Chef server. Among other things, it provides information about the existing infrastructure, which in turn can be referenced for recipes. For details of the search function, see the wiki page [4]. Workers Once you have the server up and running, it’s time to turn to the client. Start by creating a ~/chef.json JSON configuration file. [Listing 4] gives you the content. The server_fqdn entry here must contain the server name, not the client’s. Now you can launch Chef Solo: sudo chef‐solo ‐c ~/solo.rb U ‐j ~/chef.json U Listing 1: Template for server.rb 01 log_level :info 02 log_location STDOUT 03 ssl_verify_mode :verify_none 04 chef_server_url "http://chef.example.com:4000" 05 06 signing_ca_path "/var/chef/ca" 07 couchdb_database 'chef' 08 09 cookbook_path [ "/var/chef/cookbooks", "/var/chef/site‐cookbooks" ] 10 11 file_cache_path "/var/chef/cache" 12 node_path "/var/chef/nodes" 13 openid_store_path "/var/chef/openid/store" 14 openid_cstore_path "/var/chef/openid/cstore" 15 search_index_path "/var/chef/search_index" 16 role_path "/var/chef/roles" 17 18 validation_client_name "validator" 19 validation_key "/etc/chef/validation.pem" 20 client_key "/etc/chef/client.pem" 21 web_ui_client_name "chef‐webui" 22 web_ui_key "/etc/chef/webui.pem" 23 24 web_ui_admin_user_name "admin" 25 web_ui_admin_default_password "somerandompasswordhere" 26 27 supportdir = "/srv/chef/support" 28 solr_jetty_path File.join(supportdir, "solr", "jetty") 29 solr_data_path File.join(supportdir, "solr", "data") 30 solr_home_path File.join(supportdir, "solr", "home") 31 solr_heap_size "256M" 32 33 umask 0022 34 35 Mixlib::Log::Formatter.show_time = false 70 Admin 01 www.admin-magazine.com
Chef Management ‐r http://s3.amazonaws.com/U chef‐solo/bootstrap‐latest.tar.gz The tool creates a couple of directories, corrects the configuration files, and adds chef-client to the init scripts. The latter ensures that the client will talk to the server on booting and execute any recipe changes that have occurred in the meantime. After this, the client has to register with the server. To allow this to happen, copy the /etc/chef/validation. pem file from the server to the /etc/ chef/directory client-side and then restart the client manually: sudo chef‐client The client automatically creates a key, which you need to add to the /etc/ chef/client.pem file and which will sign every transaction with the server from this point on. Then you want to delete the validation.pem file for security reasons. Librarian Now that you have the server and the client running, the next step is to create a repository server-side for your recipes: This is simply a hierarchy of multiple, standardized (sub-)directories. Of course, you could create them all manually, but the template provided by Opscode does a quicker job; you just need to download and unpack: wget http://github.com/opscode/U chef‐repo/tarball/master tar ‐zxf opscode‐chef‐repo‐U 123454567878.tar.gz Because this cryptic number is difficult to remember in the daily grind, you might want to rename the directory (incidentally, the number comes from the versioning system and represents the Commit ID): mv opscode‐chef‐repo‐123454567878 U chef‐repo cd chef‐repo [Table 1] explains the directory hierarchy in chef-repo. The recipes stored here are injected into the server by a tool named knife. To prepare a recipe for action, run the command knife configure ‐i and confirm the default responses by pressing Enter – except, enter your own username when asked Your client user name?, and type . (dot) in response to the Path to a chef repository (or leave blank)? query. Knife then registers a new client on the Chef server, creates the above-mentioned certificate in /.chef/ my-knife.pem, and finally creates the /.chef/knife.rb configuration file. Convenience Food Multiple recipes with the same objective can be grouped in a cookbook. For example, the mysql cookbook contains all the recipes required to install and set up the free database. For an initial test, it is a good idea to look for a simple cookbook [5]. In the section that follows, I will use the cookbook for emacs from the applications group as an example. In this example, I’ll use the package manager to install the popular Emacs text editor. After downloading the Cookbook archive, unpack it in the cookbooks subdirectory, then introduce the server to the new recipes: rake upload_cookbooks The rake command automatically calls knife with the correct parameters, and knife then uploads all the cookbooks from the corresponding directory. To upload a single cookbook to the server, do this: rake upload_cookbook[emacs] The target, upload_cookbook, is defined in the Rakefile provided by the repository. GUI Management The server now knows the emacs cookbook, but the clients don’t. To change this, launch a browser and access the web front end with http:// chefserver.example.com:4040. Chef does not offer SSL encryption here. If you prefer a more secure approach, you could use Apache as a proxy. In the form that then appears, log in by typing the admin username [Figure 2]. The matching password is stored in the web_ui_admin_default_password line of the /etc/chef/server.rb file. 01 { 01 { Listing 4: ~/chef.json for the Client 02 "bootstrap": { 03 "chef": { 04 "url_type": "http", 05 "init_style": "runit", 06 "path": "/srv/chef", 07 "serve_path": "/srv/chef", 08 "server_fqdn": "chefserver.example.com" 09 } 10 }, 11 "run_list": [ "recipe[bootstrap::client]" ] 12 } Listing 3: ~/chef.json for the Server 02 "bootstrap": { 03 "chef": { 04 "url_type": "http", 05 "init_style": "runit", 06 "path": "/srv/chef", 07 "serve_path": "/srv/chef", 08 "server_fqdn": "chefserver.example.com", 09 "webui_enabled": true 10 } 11 }, 12 "run_list": [ "recipe[bootstrap::server]" ] 13 } Listing 2: SSL Certificates for the Chef Server 01 server_ssl_req="/C=US/ST=Several/L=Locality/O=Example/OU=Operations/CN=chef.example.com/ emailAddress=ops@example.com" 02 openssl genrsa 2048 > /etc/chef/validation.key 03 openssl req ‐subj "${server_ssl_req}" ‐new ‐x509 ‐nodes ‐sha1 ‐days 3650 ‐key /etc/chef/validation.key > /etc/chef/validation.crt 04 cat /etc/chef/validation.key /etc/chef/validation.crt > /etc/chef/validation.pem 05 openssl genrsa 2048 > /etc/chef/webui.key 06 openssl req ‐subj "${server_ssl_req}" ‐new ‐x509 ‐nodes ‐sha1 ‐days 3650 ‐key /etc/chef/webui.key > / etc/chef/webui.crt 07 cat /etc/chef/webui.key /etc/chef/webui.crt > /etc/chef/webui.pem www.admin-magazine.com Admin 01 71
Page 1 and 2:
ADMIN Network & Security Rescue CD
Page 3 and 4:
Welcome to Admin WELCOME ALL FOR AD
Page 5 and 6:
Table of Contents SERVICE 8 Spacewa
Page 7 and 8:
POWERHOUSE PERL 11 cool projects! F
Page 9 and 10:
Spacewalk Features configuration fi
Page 11 and 12:
Spacewalk Features Figure 2: Assign
Page 13 and 14:
Spacewalk Features kickstart profil
Page 15 and 16:
Icinga Features Table 1: States Opt
Page 17 and 18:
Icinga Features ministrators only n
Page 19 and 20: Icinga Features Figure 6: Network o
Page 21 and 22: MySQL Forks and Patches Features th
Page 23 and 24: MySQL Forks and Patches Features In
Page 25 and 26: Exchange 2010 Features © peapop, F
Page 27 and 28: they can now synchronize text messa
Page 29 and 30: Backup Software Features data. One
Page 31 and 32: Backup Software Features tended), l
Page 33 and 34: Backup Software Features Two “wiz
Page 35 and 36: Backup & Disaster Recovery Georgeto
Page 37 and 38: OCFS2 Tools ing. OCFS2 is fairly si
Page 39 and 40: OCFS2 Tools F Figure 2: Unspectacul
Page 41 and 42: To do this, you need to change the
Page 43 and 44: Synergy Tools Figure 1: Synergy as
Page 45 and 46: SystemTap Tools The SystemTap [3] t
Page 47 and 48: SystemTap Tools Instead of searchin
Page 49 and 50: Package Your Scripts Virtualization
Page 51 and 52: Linux Magazine ACADEMY curl U http:
Page 53 and 54: openVz VirtuAlizAtion live migratio
Page 55 and 56: OpenVZ Virtualization a number of c
Page 57 and 58: OpenVZ Virtualization OpenVZ kernel
Page 59 and 60: AND SAVE 30%! ADMIN Network & Secur
Page 61 and 62: Virtual Machine Manager Virtualizat
Page 63 and 64: Virtual Machine Manager Virtualizat
Page 65 and 66: Teamviewer Management and be contro
Page 67 and 68: NOV. 7-12 2010 24th Large Installat
Page 69: Chef Management Server Provides rec
Page 73 and 74: Chef Management Figure 5: The clien
Page 75 and 76: Sysinternals Management AdInsight a
Page 77 and 78: Sysinternals Management Name Table
Page 79 and 80: PAM and Hardware Nuts and Bolts Fig
Page 81 and 82: November 13-19, 2010 • Ernest N.
Page 83 and 84: PAM and Hardware Nuts and Bolts to
Page 85 and 86: ON NEWSSTANDS NOW ! UBUNTU USER MAG
Page 87 and 88: modSecurity nutS And boltS complex
Page 89 and 90: ModSecurity Nuts and bolts Insider
Page 91 and 92: REAL SOLUTIONS FOR REAL NETWORKS Ea
Page 93 and 94: Daemon Monitoring Nuts and Bolts Fi
Page 95 and 96: VPns with SSTP nuTS And BoLTS Hands
Page 97 and 98: VPNs with SSTP Nuts and Bolts Figur
Page 100: DEDICATED SERVERS £59 FROM PER MON
show all

ADMIN

Create successful ePaper yourself

Delete template?

Save as template?