ADMIN
Chef<br />
Management<br />
-r http://s3.amazonaws.com/chef-solo/bootstrap-latest.tar.gz<br />
The tool creates a couple of directories,<br />
corrects the configuration files,<br />
and adds chef-client to the init<br />
scripts. The latter ensures that the client<br />
will talk to the server on booting<br />
and execute any recipe changes that<br />
have occurred in the meantime.<br />
After this, the client has to register<br />
with the server. To allow this to happen,<br />
copy the /etc/chef/validation.pem file<br />
from the server to the /etc/chef/<br />
directory client-side and then<br />
restart the client manually:<br />
sudo chef-client<br />
The client automatically creates a key,<br />
which you need to add to the<br />
/etc/chef/client.pem file and which will<br />
sign every transaction with the server<br />
from this point on. After that, delete<br />
the validation.pem file on the client for<br />
security reasons: it is needed only for<br />
registration.<br />
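The hand-over just described, written as a shell check (an added example, not code from the article): it refuses to delete validation.pem until a usable client.pem exists, because removing it too early leaves the node unable to register.<br />
The paths are the article's; the function name and return codes are assumptions.<br />

```shell
#!/bin/sh
# Added example: retire the validation key only after the node has its own key.
# Paths (/etc/chef, client.pem, validation.pem) come from the article;
# the function name and return codes are assumptions of this sketch.

retire_validation_key() {
    chef_dir="${1:-/etc/chef}"
    client_key="$chef_dir/client.pem"
    validation_key="$chef_dir/validation.pem"

    # Registration must have produced a non-empty key file first.
    if [ ! -s "$client_key" ]; then
        echo "refusing: $client_key missing or empty" >&2
        return 1
    fi
    # A truncated or HTML error page saved as client.pem would pass -s,
    # so also require a PEM private-key header.
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$client_key"; then
        echo "refusing: $client_key is not a PEM private key" >&2
        return 2
    fi

    # The client key signs every request, so only its owner may read it.
    chmod 600 "$client_key" || return 3

    if [ -e "$validation_key" ]; then
        rm -f "$validation_key" || return 4
        echo "removed $validation_key"
    else
        echo "already absent: $validation_key"
    fi
    return 0
}

# Typical call on a freshly registered node:
#   retire_validation_key /etc/chef
```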
Librarian<br />
Now that you have the server and the<br />
client running, the next step is to create<br />
a repository server-side for your<br />
recipes: This is simply a hierarchy of<br />
multiple, standardized (sub-)directories.<br />
Of course, you could create<br />
them all manually, but the template<br />
provided by Opscode does a quicker<br />
job; you just need to download and<br />
unpack:<br />
wget http://github.com/opscode/chef-repo/tarball/master<br />
tar -zxf opscode-chef-repo-123454567878.tar.gz<br />
Because this cryptic number is difficult<br />
to remember in the daily grind,<br />
you might want to rename the directory<br />
(incidentally, the number comes<br />
from the versioning system and represents<br />
the Commit ID):<br />
mv opscode-chef-repo-123454567878 chef-repo<br />
cd chef-repo<br />
[Table 1] explains the directory hierarchy<br />
in chef-repo.<br />
The recipes stored here are injected<br />
into the server by a tool named knife.<br />
To prepare a recipe for action, run the<br />
command<br />
knife configure -i<br />
and confirm the default responses by<br />
pressing Enter, with two exceptions: enter your<br />
own username when asked "Your client<br />
user name?", and type . (dot) in<br />
response to the "Path to a chef repository<br />
(or leave blank)?" query. Knife<br />
then registers a new client on the<br />
Chef server, creates the above-mentioned<br />
certificate in ~/.chef/my-knife.pem,<br />
and finally creates the<br />
~/.chef/knife.rb configuration file.<br />
Convenience Food<br />
Multiple recipes with the same objective<br />
can be grouped in a cookbook.<br />
For example, the mysql cookbook contains<br />
all the recipes required to install<br />
and set up the free database. For an<br />
initial test, it is a good idea to look for<br />
a simple cookbook [5].<br />
In the section that follows, I will use<br />
the cookbook for emacs from the applications<br />
group as an example. In<br />
this example, I’ll use the package<br />
manager to install the popular Emacs<br />
text editor.<br />
After downloading the cookbook archive,<br />
unpack it in the cookbooks subdirectory,<br />
then introduce the server to<br />
the new recipes:<br />
rake upload_cookbooks<br />
The rake command automatically<br />
calls knife with the correct parameters,<br />
and knife then uploads all the<br />
cookbooks from the corresponding directory.<br />
To upload a single cookbook<br />
to the server, do this:<br />
rake upload_cookbook[emacs]<br />
The target, upload_cookbook, is defined<br />
in the Rakefile provided by the<br />
repository.<br />
GUI Management<br />
The server now knows the emacs<br />
cookbook, but the clients don't. To<br />
change this, launch a browser and access<br />
the web front end at<br />
http://chefserver.example.com:4040. Chef<br />
does not offer SSL encryption here. If<br />
you prefer a more secure approach,<br />
you could use Apache as an SSL proxy in front of it.<br />
In the form that then appears, log in<br />
by typing the admin username [Figure<br />
2]. The matching password is stored<br />
in the web_ui_admin_default_password<br />
line of the /etc/chef/server.rb file.<br />
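One way to set up the Apache proxy mentioned above, as an added example that is not part of the original article: a shell function that writes a vhost terminating SSL in front of the plain-HTTP web UI on port 4040.<br />
It assumes Apache runs on the Chef server itself; the function name, certificate paths and output path are assumptions.<br />

```shell
#!/bin/sh
# Added example: emit an Apache vhost that terminates TLS in front of the
# plain-HTTP Chef web UI on port 4040 (host and port are from the article).
# Function name, certificate paths and output path are assumptions.

write_webui_proxy_vhost() {
    fqdn="$1"                                      # e.g. chefserver.example.com
    out="$2"                                       # vhost file to write
    cert="${3:-/etc/ssl/certs/chef-webui.crt}"     # placeholder path
    key="${4:-/etc/ssl/private/chef-webui.key}"    # placeholder path

    # Reject anything that is not a plain hostname before it reaches the config.
    case "$fqdn" in
        ''|*[!A-Za-z0-9.-]*) echo "invalid hostname: $fqdn" >&2; return 1 ;;
    esac

    cat > "$out" <<EOF
# Requires mod_ssl, mod_proxy and mod_proxy_http.
<VirtualHost *:80>
    ServerName $fqdn
    # No plaintext logins: send every HTTP request to the TLS vhost.
    Redirect permanent / https://$fqdn/
</VirtualHost>

<VirtualHost *:443>
    ServerName $fqdn
    SSLEngine on
    SSLCertificateFile    $cert
    SSLCertificateKeyFile $key

    # Forward to the web UI over loopback only.
    ProxyRequests     Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:4040/
    ProxyPassReverse / http://127.0.0.1:4040/
</VirtualHost>
EOF
}

# Typical call (output path is an assumption):
#   write_webui_proxy_vhost chefserver.example.com /etc/apache2/sites-available/chef-webui.conf
```

The proxy only helps if port 4040 is no longer reachable from other hosts, so block it at the firewall once the vhost is live.<br />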
Listing 4: ~/chef.json for the Client<br />
{<br />
  "bootstrap": {<br />
    "chef": {<br />
      "url_type": "http",<br />
      "init_style": "runit",<br />
      "path": "/srv/chef",<br />
      "serve_path": "/srv/chef",<br />
      "server_fqdn": "chefserver.example.com"<br />
    }<br />
  },<br />
  "run_list": [ "recipe[bootstrap::client]" ]<br />
}<br />
Listing 3: ~/chef.json for the Server<br />
{<br />
  "bootstrap": {<br />
    "chef": {<br />
      "url_type": "http",<br />
      "init_style": "runit",<br />
      "path": "/srv/chef",<br />
      "serve_path": "/srv/chef",<br />
      "server_fqdn": "chefserver.example.com",<br />
      "webui_enabled": true<br />
    }<br />
  },<br />
  "run_list": [ "recipe[bootstrap::server]" ]<br />
}<br />
Listing 2: SSL Certificates for the Chef Server<br />
# Subject shared by both self-signed certificates<br />
server_ssl_req="/C=US/ST=Several/L=Locality/O=Example/OU=Operations/CN=chef.example.com/emailAddress=ops@example.com"<br />
# Validation key, its self-signed certificate, and the combined PEM file<br />
openssl genrsa 2048 > /etc/chef/validation.key<br />
openssl req -subj "${server_ssl_req}" -new -x509 -nodes -sha1 -days 3650 -key /etc/chef/validation.key > /etc/chef/validation.crt<br />
cat /etc/chef/validation.key /etc/chef/validation.crt > /etc/chef/validation.pem<br />
# Web UI key, certificate and combined PEM file, built the same way<br />
openssl genrsa 2048 > /etc/chef/webui.key<br />
openssl req -subj "${server_ssl_req}" -new -x509 -nodes -sha1 -days 3650 -key /etc/chef/webui.key > /etc/chef/webui.crt<br />
cat /etc/chef/webui.key /etc/chef/webui.crt > /etc/chef/webui.pem<br />
www.admin-magazine.com<br />
Admin 01<br />