Chef training - Day2

Presentation for Day2 training held by SmartMe
http://www.smartme.com.ua/courses/nachala-devops-konfiguriruem-server-s-pomoshchyu-opscode-chef


  1. DevOps Basics: Opscode Chef, Day 2
     Andriy Samilyak, samilyak@gmail.com, skype: samilyaka
  2. Goals
     ● in-depth understanding of attributes
     ● working with templates
     ● roles
     ● files and cookbook_files
  3. Nothing like “too much practice”
     ● knife node list
     ● knife node delete yournode
     ● knife client delete yournode
     ● knife bootstrap 11.22.33.44 -x root -N freshnode
  4. Changing attributes #1
     Setting node['apache']['default_site_enabled'] to 'true'
     We were changing: cookbooks/apache2/attributes/default.rb ?
  5. Changing attributes #1
     Setting node['apache']['default_site_enabled'] to 'true'
     We were changing: cookbooks/apache2/attributes/default.rb ?
  6. Where we can change attributes
     ● cookbook/attributes/*
     ● cookbook/recipes/*
     ● role
     ● environment
     ● node (Chef server)
  7. Role (diagram)
     Webserver
       Drupal       CentOS6   LogLevel debug
       OnLineStore  Ubuntu    LogLevel warn
  8. Changing attributes #2
     Create role file chef-repo/roles/node.rb:
         name "node"
         run_list "recipe[apache2]"
         default_attributes "apache" => { "default_site_enabled" => true }
     > knife role from file roles/node.rb
     > knife node edit yournodename
     Set run_list to ["role[node]"]
  9. Changing attributes #3
     Setting node['apache']['default_site_enabled'] to 'true'
  10. Changing attributes #2
     Let's set it to false and see what happens
  11. Attribute types
     ● default
         default['apache']['default_site_enabled'] = false
         or node.default.apache.default_site_enabled = true
     ● normal
         set[:apache]['default_site_enabled'] = false
         or node.normal['apache'][:default_site_enabled] = true
     ● override
         node.override[:apache]['default_site_enabled'] = false
         or override_attributes "apache" => { "default_site_enabled" => true }
  12. Attribute precedence (chart)
     From: http://docs.opscode.com/essentials_cookbook_attribute_files.html
  13. Changing attributes #3
     Change it back to 'true', we will need it!
  14. http://goo.gl/oqDYA
  15. How to test
     curl -X TRACE http://yoursite.com
     You should receive HTTP 403, not HTTP 200 OK
  16. Changing template – bad and ugly
     Let's try changing ../templates/default/default-site.erb directly?
  17. Wrapper cookbook
     1) knife cookbook create webserver
     2) in roles/node.rb change "recipe[apache2]" => "recipe[webserver]"
     3) Upload cookbook
     4) Upload role
     5) Run chef-client
  18. OMG! Apache is still installed!
  19. Removing defaults
  20. Including recipe
     Add in cookbooks/webserver/recipes/default.rb:
         include_recipe "apache2"
  21. Something went wrong
     Chef::Exceptions::CookbookNotFound
     ---------------------------------
     Cookbook apache2 not found
  22. Cookbook dependencies
     In cookbooks/webserver/metadata.rb add:
         depends 'apache2'
     Upload cookbook and run chef-client again
  23. CVE patch plan
     ● Create new vhost configuration
     ● Enable new vhost
     ● Disable default site
  24. Create new vhost configuration
     ● Copy default-site.erb as cvepatch.erb into cookbooks/webserver/templates/default/
     ● Insert the patch lines into the template:
         RewriteEngine On
         RewriteCond %{REQUEST_METHOD} ^TRACE
         RewriteRule .* - [F]
     ● Upload cookbook and run chef-client
     ● Any results?
  25. Welcome Chef resources
         template "#{node['apache']['dir']}/sites-available/default" do
           source 'default-site.erb'
           owner 'root'
           group node['apache']['root_group']
           mode '0644'
           notifies :restart, 'service[apache2]'
         end
  26. New template resource
     in ../cookbooks/webserver/recipes/default.rb (source defaults to cvepatch.erb, the basename of the path plus .erb):
         template "#{node['apache']['dir']}/sites-available/cvepatch" do
           owner 'root'
           group node['apache']['root_group']
           mode '0644'
           notifies :restart, 'service[apache2]'
         end
     Upload cookbook, run chef-client, check results
  27. How is the default site enabled?
         apache_site 'default' do
           enable node['apache']['default_site_enabled']
         end
     You can visualize it as a function call:
         apache_site('default', true)
     ... and this is called a “definition”
  28. Enable new vhost
     in ../cookbooks/webserver/recipes/default.rb:
         apache_site 'cvepatch' do
           enable true
         end
     or, since enable defaults to true in the definition, simply:
         apache_site 'cvepatch'
     ● Upload cookbook and run chef-client
  29. Error? Again?
     STDOUT: Action 'configtest' failed. The Apache error log may have more information.
     ...fail!
     STDERR: Syntax error on line 6 of /etc/apache2/sites-enabled/cvepatch:
     Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration
     It seems like we forgot about mod_rewrite...
  30. Final recipe
         include_recipe "apache2"
         include_recipe "apache2::mod_rewrite"
         template "#{node['apache']['dir']}/sites-available/cvepatch" do
           owner 'root'
           group node['apache']['root_group']
           mode '0644'
           notifies :restart, 'service[apache2]'
         end
         apache_site 'cvepatch'
  31. Still have to disable the default site
     ls -la /etc/apache2/sites-enabled/
     ../cookbooks/attributes/default.rb → false
     ../roles/node.rb → true
     Chef Server GUI → true
     ? how do we make it false finally?
  32. Attribute precedence (chart)
     From: http://docs.opscode.com/essentials_cookbook_attribute_files.html
  33. Override attribute
     in ../cookbooks/webserver/attributes/default.rb:
         override['apache']['default_site_enabled'] = false
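Slides 11, 12 and 31 to 33 turn on one question: the same attribute is set in three places, so which value reaches the node? The following Ruby is an added example, not code from the deck or from Chef itself. It models the precedence table from the Opscode docs page the slides link to as a ranked list (simplified: force_default, force_override and automatic are left out, and :node stands for what `knife node edit` writes, which is the normal level), deep-merges the writes in that order, and replays the slide 31 situation with and without the wrapper cookbook's override.

```ruby
# Chef attribute precedence, lowest to highest, as listed in the docs page
# linked from slides 12 and 32. Assumption: simplified table (force_default,
# force_override and automatic omitted); :node is the normal-level write made
# by `knife node edit` / the Chef Server GUI.
PRECEDENCE = [
  [:default,  :attribute_file],
  [:default,  :recipe],
  [:default,  :environment],
  [:default,  :role],
  [:normal,   :attribute_file],
  [:normal,   :recipe],
  [:normal,   :node],
  [:override, :attribute_file],
  [:override, :recipe],
  [:override, :role],
  [:override, :environment],
].freeze

# One place that sets attributes: its precedence level, where it lives, and
# the nested Hash it contributes.
Write = Struct.new(:level, :source, :attrs)

# Recursive merge so that setting node['apache']['x'] does not clobber
# node['apache']['y'] written elsewhere.
def deep_merge(base, extra)
  base.merge(extra) do |_key, old, new|
    old.is_a?(Hash) && new.is_a?(Hash) ? deep_merge(old, new) : new
  end
end

def rank(write)
  PRECEDENCE.index([write.level, write.source]) ||
    raise(ArgumentError, "unknown precedence level #{write.level}/#{write.source}")
end

# Merge writes from lowest to highest precedence. Among writes of equal
# precedence the later one wins, as with two recipes setting the same default.
def resolve(writes)
  writes.each_with_index
        .sort_by { |write, position| [rank(write), position] }
        .reduce({}) { |merged, (write, _)| deep_merge(merged, write.attrs) }
end

def default_site_enabled?(writes)
  resolve(writes).dig('apache', 'default_site_enabled')
end

SITE    = { 'apache' => { 'default_site_enabled' => true } }.freeze
NO_SITE = { 'apache' => { 'default_site_enabled' => false } }.freeze

# The three places slide 31 finds the attribute set (constructed from the slide).
SLIDE_31 = [
  Write.new(:default, :attribute_file, NO_SITE), # cookbooks/apache2/attributes/default.rb
  Write.new(:default, :role, SITE),              # roles/node.rb
  Write.new(:normal,  :node, SITE),              # knife node edit / Chef Server GUI
].freeze

# What the wrapper cookbook's attributes/default.rb adds on slide 33.
WRAPPER_OVERRIDE = Write.new(:override, :attribute_file, NO_SITE)

if __FILE__ == $PROGRAM_NAME
  puts "slide 31 as found:        #{default_site_enabled?(SLIDE_31)}"
  puts "plus node.default in recipe: #{default_site_enabled?(SLIDE_31 + [Write.new(:default, :recipe, NO_SITE)])}"
  puts "plus wrapper override:    #{default_site_enabled?(SLIDE_31 + [WRAPPER_OVERRIDE])}"
end
```

The second case is the one the deck's question mark points at: a `node.default` in the wrapper recipe cannot win, because role defaults rank above recipe defaults, while the role and the node edit both say true. Only an override-level write (slide 33) outranks all of them.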
  34. How to test
     curl -X TRACE http://yoursite.com
     You should receive HTTP 403, not HTTP 200 OK
  35. Verbose logging
     LogLevel warn is not enough for us
     We would like to have the log level as a parameter via attributes
  36. Verbose logging: plan
     ● Find what to change in the template
     ● Put a parameter in place of the string
     ● Create an attribute
     ● Check
  37. What to change?
     ../cookbooks/webserver/templates/default/cvepatch.erb
         # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
         LogLevel warn
  38. Template parameters
         # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
         LogLevel <%= node['apache']['log_level'] %>
  39. log_level attribute
     in ../cookbooks/webserver/attributes/default.rb:
         default['apache']['log_level'] = 'debug'
  40. Platform specificity
     We know that our Ubuntu server is reliable enough and does not need logging above the 'warn' level, while the rest of our servers need 'debug' level logging. What to do?
     We met something like this when we were disabling the default site with attributes...
  41. “Smart” templates
         <% if node['platform'] == 'ubuntu' %>
         # This is Ubuntu
         LogLevel warn
         <% else %>
         LogLevel debug
         <% end %>
  42. node['platform']
     in cookbooks/webserver/attributes/default.rb:
         case node['platform']
         when 'ubuntu'
           default['apache']['log_level'] = 'warn'
         else
           default['apache']['log_level'] = 'debug'
         end
  43. Platform-specific templates
         ../templates/
           default/
             cvepatch.erb
           ubuntu/
             cvepatch.erb
           centos-6.4/
             cvepatch.erb
     Works just for Ubuntu. Let's create an Ubuntu-specific template and set “LogLevel warn”
  44. Many server domains
     The problem now is that we would like to use different domains with only one vhost configuration. So you need ServerAlias included several times, and the list of additional domains set as an attribute.
     Expected changes:
     ● attributes/default.rb
     ● templates/ubuntu/cvepatch.erb
  45. Foreach
     ../cookbooks/webserver/templates/ubuntu/cvepatch.erb
         <% node['apache']['aliases'].each do |domain| %>
         ServerAlias <%= domain %>
         <% end %>
     ../cookbooks/webserver/attributes/default.rb
         default['apache']['aliases'] = ['url1.com', 'url2.com']
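Slides 24 and 38 to 45 build up cvepatch.erb piece by piece (the TRACE rewrite rules, the LogLevel parameter, the platform-specific template directory, the ServerAlias loop). The Ruby below is an added example, not the deck's cookbook: it renders a constructed cvepatch.erb with Ruby's standard ERB, the same engine Chef's template resource uses, from a plain Hash standing in for the node object, and models the template directory search order of slide 43 (assumed here as host-fqdn, platform-version, platform, default). It also validates the attributes before rendering, so a bad log_level fails in Chef rather than in Apache's configtest, the failure mode slide 29 shows.

```ruby
require 'erb'

# Constructed node attributes (not from the slides): a Hash with the keys the
# deck's attributes/default.rb sets, plus server_name and platform_version.
NODE = {
  'platform'         => 'ubuntu',
  'platform_version' => '12.04',
  'apache'           => {
    'server_name' => 'yoursite.com',
    'docroot_dir' => '/var/www',
    'log_level'   => 'warn',
    'aliases'     => ['url1.com', 'url2.com'],
  },
}.freeze

# The values Apache accepts, from the comment in the original default-site.erb.
LOG_LEVELS = %w[debug info notice warn error crit alert emerg].freeze

# Template directory search order, most specific first (assumption modelled on
# slide 43): host-<fqdn>, <platform>-<version>, <platform>, default.
def template_search_order(platform:, version:, fqdn: nil)
  order = fqdn ? ["host-#{fqdn}"] : []
  order + ["#{platform}-#{version}", platform, 'default']
end

# Pick the first directory in that order which the cookbook actually ships.
def select_template_dir(available_dirs, platform:, version:, fqdn: nil)
  template_search_order(platform: platform, version: version, fqdn: fqdn)
    .find { |dir| available_dirs.include?(dir) } || raise('no matching template directory')
end

# cvepatch.erb as the deck assembles it (constructed here from slides 24, 38 and 45).
CVEPATCH_ERB = <<~'ERB'
  <VirtualHost *:80>
    ServerName <%= node['apache']['server_name'] %>
  <% node['apache']['aliases'].each do |domain| -%>
    ServerAlias <%= domain %>
  <% end -%>
    DocumentRoot <%= node['apache']['docroot_dir'] %>
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel <%= node['apache']['log_level'] %>
    # Refuse the TRACE method (the patch lines from slide 24)
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
  </VirtualHost>
ERB

# Render like Chef's template resource, but check the attributes first so a
# typo in log_level fails during the Chef run instead of in Apache's configtest.
def render_vhost(node, template = CVEPATCH_ERB)
  level   = node.dig('apache', 'log_level')
  aliases = node.dig('apache', 'aliases')
  unless LOG_LEVELS.include?(level)
    raise ArgumentError, "LogLevel #{level.inspect} is not one of #{LOG_LEVELS.join(', ')}"
  end
  raise ArgumentError, "node['apache']['aliases'] must be an Array" unless aliases.is_a?(Array)
  # trim_mode '-' makes "-%>" swallow the newline, so loop lines leave no blank lines
  ERB.new(template, trim_mode: '-').result_with_hash(node: node)
end

if __FILE__ == $PROGRAM_NAME
  dir = select_template_dir(%w[default ubuntu centos-6.4],
                            platform: NODE['platform'], version: NODE['platform_version'])
  puts "using templates/#{dir}/cvepatch.erb"
  puts render_vhost(NODE)
end
```

Because the loop tags end in `-%>`, the rendered file contains one `ServerAlias` line per entry of `node['apache']['aliases']` and nothing else, which is what the deck's `<% ... %>` version produces apart from extra blank lines.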
  46. Password protection
     We need to close our site with login/password in order to keep it private: admin/password
  47. Password protection: HTTP Basic Authentication
         <Directory <%= node['apache']['docroot_dir'] %>/>
           Options Indexes FollowSymLinks MultiViews
           AllowOverride None
           AuthType Basic
           AuthName "Restricted Files"
           AuthBasicProvider file
           AuthUserFile <%= node['apache']['dir'] %>/htpasswd
           Require valid-user
         </Directory>
     Copy/paste from http://goo.gl/6sEYT5
  48. htpasswd
     We need these contents to be in node['apache']['dir']/htpasswd:
         admin:$apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0
     Copy/paste from http://goo.gl/6sEYT5
  49. Google it! 'chef resource file'
  50. Putting file to server #1
     ../cookbooks/webserver/recipes/default.rb
         file "#{node['apache']['dir']}/htpasswd" do
           owner 'root'
           group node['apache']['root_group']
           mode '0644'
           backup false
           content 'admin:$apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0'
         end
  51. Putting file to server #2
     ● the 'content' attribute is not really scalable – what if we need 2 KB of text inside?
     ● Let's first comment out the content attribute with #
     ● create the file ../cookbooks/webserver/files/default/htpasswd
     ● and put root (not admin!) and the password hash into it
     ● Change the resource from 'file' to 'cookbook_file'
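Slides 48, 50 and 51 paste a ready-made `$apr1$` hash into the htpasswd file. The Ruby below is an added example, not the deck's code: it produces such a line locally (so the hash never has to be copied from a web page), verifies a password against a stored entry, and enforces the `user:hash` shape with no space after the colon, which is what Apache's file provider parses. The `$apr1$` algorithm is ported here from the description of APR's apr_md5_encode(); the salt alphabet and the 1000-round loop are part of that format. Sample user and password are constructed.

```ruby
require 'digest/md5'
require 'securerandom'

ITOA64  = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'.freeze
APR1_ID = '$apr1$'.freeze

# APR's to64(): emit n six-bit groups of v, least significant group first.
def to64(v, n)
  Array.new(n) { |i| ITOA64[(v >> (6 * i)) & 0x3f] }.join
end

# Apache's "$apr1$" htpasswd hash, ported from the apr_md5_encode() algorithm.
# salt is up to 8 characters from ITOA64.
def apr1_crypt(password, salt)
  pw   = password.b
  salt = salt.b[0, 8]
  ctx  = Digest::MD5.new
  ctx << pw << APR1_ID << salt
  alt = Digest::MD5.digest(pw + salt + pw)
  pl = pw.bytesize
  while pl > 0                       # mix in MD5(pw+salt+pw), once per 16 bytes of pw
    ctx << alt[0, [pl, 16].min]
    pl -= 16
  end
  i = pw.bytesize
  while i != 0                       # one byte per bit of the password length
    ctx << (i.odd? ? "\0".b : pw[0])
    i >>= 1
  end
  final = ctx.digest
  1000.times do |round|              # stretching loop from the original algorithm
    c = Digest::MD5.new
    c << (round.odd? ? pw : final)
    c << salt unless (round % 3).zero?
    c << pw unless (round % 7).zero?
    c << (round.odd? ? final : pw)
    final = c.digest
  end
  b = final.bytes
  groups = [[0, 6, 12], [1, 7, 13], [2, 8, 14], [3, 9, 15], [4, 10, 5]]
  encoded = groups.map { |x, y, z| to64((b[x] << 16) | (b[y] << 8) | b[z], 4) }.join
  "#{APR1_ID}#{salt}$#{encoded}#{to64(b[11], 2)}"
end

# Compare without leaking where the first mismatching byte is.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# true when password matches a stored "$apr1$salt$hash" string; false for
# malformed input instead of raising.
def verify_apr1(password, stored)
  m = stored.match(%r{\A\$apr1\$([./0-9A-Za-z]{1,8})\$[./0-9A-Za-z]{22}\z}) or return false
  constant_time_equal?(apr1_crypt(password, m[1]), stored)
end

def random_salt
  SecureRandom.random_bytes(8).bytes.map { |byte| ITOA64[byte & 0x3f] }.join
end

# One htpasswd line, "user:hash" with no space after the colon (the space in
# slide 50's content string would make the login fail).
def htpasswd_line(user, password, salt: random_salt)
  raise ArgumentError, 'user must not contain ":"' if user.include?(':')
  "#{user}:#{apr1_crypt(password, salt)}"
end

if __FILE__ == $PROGRAM_NAME
  line = htpasswd_line('admin', 'example-password')   # constructed sample credentials
  puts line
  puts verify_apr1('example-password', line.split(':', 2).last)
end
```

The output line is what goes into the `content` attribute of the file resource on slide 50, or into files/default/htpasswd for the cookbook_file of slide 51. Two practical points: `$apr1$` is MD5-based and kept here because the deck uses it, but `htpasswd -B` writes bcrypt entries that Apache 2.4 also accepts; and the resource's `mode '0644'` leaves the hashes readable by every local user, whereas `0640` with the web server's group is enough for Apache to read the file.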
  52. What to do till the next meeting?
     http://dougireton.com/blog/2013/02/16/chef-cookbook-anti-patterns/
