Chef training - Day3

  • 388 views
Uploaded on

Presentation for Day3 training held by SmartMe …

Presentation for Day3 training held by SmartMe
http://www.smartme.com.ua/courses/nachala-devops-konfiguriruem-server-s-pomoshchyu-opscode-chef

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
388
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
23
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Начала DevOps: Opscode Chef Day 3 Andriy Samilyak samilyak@gmail.com skype: samilyaka
  • 2. Goals ● New resources: file, cookbook_file ● Berkshelf ● DataBags ● Deployment with Chef ● Environments
  • 3. Password protection We need to close our site by login/password in order to keep it private admin/password
  • 4. Password protection HTTP Basic Authentication <Directory <%= node['apache']['docroot_dir'] %>/> Options Indexes FollowSymLinks MultiViews AllowOverride None AuthType Basic AuthName "Restricted Files" AuthBasicProvider file AuthUserFile <%= node['apache']['dir'] %>/htpasswd Require valid-user </Directory> Copy/paste from http://goo.gl/6sEYT5
  • 5. htpasswd We need this contents to be in node['apache']['dir']/htpasswd admin:$apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0 Copy/paste from http://goo.gl/6sEYT5
  • 6. Google it! 'chef resource file'
  • 7. Putting file to server #1 ../cookbooks/webserver/recipes/default.rb file "#{node['apache']['dir']}/htpasswd" do owner 'root' group node['apache']['root_group'] mode '0644' backup false content "admin: $apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0" end
  • 8. Putting file to server #2 ● 'content' attribute is not really scalable – what if we need 2Kb of text inside? ● Lets first comment out with # content attribute ● create file ../cookbooks/webserver/files/default/htpasswd ● and put root (not admin!) and password hash to it ● Change resource from 'file' to 'cookbook_file'
  • 9. Putting file to server #2 ../cookbooks/webserver/recipes/default.rb cookbook_file "#{node['apache']['dir']}/htpasswd" do owner 'root' group node['apache']['root_group'] mode '0644' backup false end
  • 10. Welcome Berks-way! gem install berkshelf Test it with “berks -v” -------------------------------------------------------------On Windows you'll need to add to chefrepo/.berkshelf/config.json: "ssl": { "verify": false }
  • 11. Move out community cookbooks ● Add a line to Berksfile: cookbook “cookbook” path: cookbooks/webserver ● berks install ← download cookbook to local folder ● berks upload ← upload cookbooks to Chef Server ● remove 'apache2' folder from chef_repo Where is cookbook now anyway?
  • 12. Well done! Lets put it to git git commit -a -m “Initial commit” git push origin master
  • 13. Berks locations ● site: cookbook "artifact", site: "http://cookbooks.opscode.com/api/v1/cookbooks" cookbook "artifact", site: :opscode ● git: cookbook "mysql", git: "https://github.com/opscodecookbooks/mysql.git", branch: "foodcritic"
  • 14. Lets do it better now! https://github.com/Youscribe/htpasswdcookbook Goal: specify user/pass with cookbook attributes Copy/paste from http://goo.gl/6sEYT5
  • 15. New cookbook in Berksfile cookbook "htpasswd", git: https://github.com/Youscribe/htpasswdcookbook.git
  • 16. Example: htpasswd "/etc/apache2/htpasswd" do user node['webserver']['auth_user'] password node['webserver']['auth_pass'] end
  • 17. Htpasswd - review ● webserver/metadata.rb: add dependency ● recipes/default.rb: add resource httpasswd ● attributes/default.rb: add two attributes ● berks update & berks upload
  • 18. Managing users access Site User1/pass User2/pass User3/pass Site Backend User1/pass User3/pass Store Backend User3/pass
  • 19. DataBags ● Reusable data containers ● JSON ● Search API
  • 20. Managing user access - Plan ● Keep user/pass with granted nodes ● Find all users for current node ● Generate htpasswd by adding hash for each user
  • 21. DataBags as files chef_repo data_bags htpasswd user1.json user2.json user3.json
  • 22. user1.json { "id": "user1", "pass": "password", "nodes" : ["yournode1", "yournode2"] }
  • 23. Data bag CLI knife data bag create htpasswd knife data bag from file htpasswd user1.json knife data bag from file htpasswd data_bags/htpasswd/* knife search htpasswd "(id:user1)" knife search htpasswd "(nodes:yournode)"
  • 24. Search API search(:htpasswd, "nodes:#{node.name}") do |user| #add line to file user['pass'] end
  • 25. Just an example of solution... file "#{node['apache']['dir']}/htpasswd" do action :delete end search(:htpasswd, "nodes:#{node.name}") do |user| htpasswd "#{node['apache']['dir']}/htpasswd" do user user['id'] password user['pass'] notifies :reload, 'service[apache2]' end end