DevOps Fundamentals: Opscode Chef
Day 2

Andriy Samilyak
samilyak@gmail.com
skype: samilyaka
Goals
● in-depth understanding of attributes
● working with templates
● roles
● files and cookbook_files
Nothing like “too much practice”
● knife node list
● knife node delete yournode
● knife client delete yournode
● knife bootstrap 11.22.33.44 -x root -N freshnode
Changing attributes #1
Setting node['apache']['default_site_enabled'] to 'true'

We were changing:
cookbooks/apache2/attributes/default.rb ?
Where we can change attributes
● cookbook/attributes/*
● cookbook/recipes/*
● role
● environment
● node (Chef server)
Role: Webserver
● Drupal: CentOS6, LogLevel debug
● OnLineStore: Ubuntu, LogLevel warn
Changing attributes #2
Create role file: chef-repo/roles/node.rb

name "node"
run_list "recipe[apache2]"
default_attributes "apache" => { "default_site_enabled" => true }

> knife role from file roles/node.rb
> knife node edit yournodename
Set run_list to ["role[node]"]
Changing attributes #2
Setting node['apache']['default_site_enabled'] to 'true'

Let's set it to false and see what happens
Attributes Types
● default
default['apache']['default_site_enabled'] = false
or
node.default.apache.default_site_enabled = true

● normal
set[:apache]['default_site_enabled'] = false
or
node.normal['apache'][:default_site_enabled] = true

● override
node.override[:apache]['default_site_enabled'] = false
or
override_attributes "apache" => {"default_site_enabled" => true}
Attribute precedence

From: http://docs.opscode.com/essentials_cookbook_attribute_files.html
Changing attributes #3

Change it back to 'true', we will need it!
http://goo.gl/oqDYA
How to test
curl -X TRACE http://yoursite.com
You should receive HTTP 403, not HTTP 200 OK
Changing template – bad and ugly
Let's try changing ../templates/default/default-site.erb directly?
Wrapper cookbook
1) knife cookbook create webserver
2) roles/node.rb change: "recipe[apache2]" => "recipe[webserver]"
3) Upload cookbook
4) Upload role
5) Run chef-client

OMG! Apache is still installed!
Removing defaults
Including recipe
Add in
cookbooks/webserver/recipes/default.rb:
include_recipe "apache2"
Something went wrong
Chef::Exceptions::CookbookNotFound
---------------------------------
Cookbook apache2 not found
Cookbook dependencies
In cookbooks/webserver/metadata.rb
add:
depends 'apache2'

Upload cookbook and run chef-client again
CVE patch plan
● Create new vhost configuration
● Enable new vhost
● Disable default site
Create new vhost configuration
● Copy default-site.erb as cvepatch.erb in cookbooks/webserver/templates/default/
● Insert patch lines into template:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
● Upload cookbook and chef-client run
● Any results?
Welcome Chef resources
template "#{node['apache']['dir']}/sites-available/default" do
  source 'default-site.erb'
  owner 'root'
  group node['apache']['root_group']
  mode '0644'
  notifies :restart, 'service[apache2]'
end
New template resource
in ../cookbooks/webserver/recipes/default.rb

template "#{node['apache']['dir']}/sites-available/cvepatch" do
  owner 'root'
  group node['apache']['root_group']
  mode '0644'
  notifies :restart, 'service[apache2]'
end

(no source is given: the template resource defaults to the file's basename plus .erb, here cvepatch.erb)

Upload cookbook, run chef-client, check results
How is the default site enabled?
apache_site 'default' do
  enable node['apache']['default_site_enabled']
end

You can visualize it as a function call...

apache_site('default', true)
... and this is called a “definition”
Enable new vhost
in ../cookbooks/webserver/recipes/default.rb

apache_site 'cvepatch' do
  enable true
end

or simply:

apache_site 'cvepatch'

● Upload cookbook and chef-client run
Error? Again?
STDOUT: Action 'configtest' failed.
The Apache error log may have more information.
...fail!
STDERR: Syntax error on line 6 of /etc/apache2/sites-enabled/cvepatch:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration

It seems like we forgot about mod_rewrite...
Final recipe
include_recipe "apache2"
include_recipe "apache2::mod_rewrite"

template "#{node['apache']['dir']}/sites-available/cvepatch" do
  owner 'root'
  group node['apache']['root_group']
  mode '0644'
  notifies :restart, 'service[apache2]'
end

apache_site 'cvepatch'
Still have to disable default site
ls -la /etc/apache2/sites-enabled/

../cookbooks/attributes/default.rb → false
../roles/node.rb → true
Chef Server GUI → true
How to make it false, finally?
Attribute precedence

From: http://docs.opscode.com/essentials_cookbook_attribute_files.html
Override attribute
in ../cookbook/webserver/attributes/default.rb
override['apache']['default_site_enabled'] = false
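Added example, not from the slides: a small Ruby model of the Chef attribute precedence table the deck links to, replaying the default_site_enabled story (cookbook default false, role default true, node normal true, wrapper-cookbook override false). The level numbers follow that table; modelling the Chef Server GUI / knife node edit value as a normal attribute is an assumption.

```ruby
# Added example (not from the slides): a model of the Chef attribute
# precedence table, replaying node['apache']['default_site_enabled'].
# Only the sources the slides use are modelled; higher level wins.
Assignment = Struct.new(:type, :source, :value)

LEVELS = {
  [:default,  :attribute_file] => 1,   # cookbooks/<cb>/attributes/default.rb
  [:default,  :recipe]         => 2,   # node.default[...] in a recipe
  [:default,  :environment]    => 3,
  [:default,  :role]           => 4,   # default_attributes in roles/node.rb
  [:normal,   :attribute_file] => 7,
  [:normal,   :recipe]         => 8,   # node.normal / set[...] in a recipe
  [:normal,   :node]           => 8,   # assumption: knife node edit / Chef Server GUI edit normal attributes
  [:override, :attribute_file] => 9,   # override[...] in attributes/default.rb
  [:override, :recipe]         => 10,
  [:override, :role]           => 11,  # override_attributes in a role
  [:override, :environment]    => 12,
}.freeze

# Pick the winning value: the highest level wins; between equal levels the
# assignment merged later wins. Returns nil when nothing was assigned.
def resolve(assignments)
  winner = nil
  assignments.each do |a|
    level = LEVELS.fetch([a.type, a.source])
    winner = [level, a] if winner.nil? || level >= winner[0]
  end
  winner && winner[1].value
end

# The four states of node['apache']['default_site_enabled'] from the deck.
def deck_steps
  site = [Assignment.new(:default, :attribute_file, false)]  # apache2 cookbook
  s1 = resolve(site)
  site << Assignment.new(:default, :role, true)               # roles/node.rb
  s2 = resolve(site)
  site << Assignment.new(:normal, :node, true)                # knife node edit / GUI
  s3 = resolve(site)
  site << Assignment.new(:override, :attribute_file, false)   # webserver cookbook
  s4 = resolve(site)
  [s1, s2, s3, s4]
end

puts "default_site_enabled after each step: #{deck_steps.inspect}" if __FILE__ == $PROGRAM_NAME
```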
How to test
curl -X TRACE http://yoursite.com
You should receive HTTP 403, not HTTP 200 OK
Verbose logging
LogLevel warn is not enough for us.
We would like to have the log level as a parameter set via attributes.
Verbose logging: Plan
● Find what to change in template
● Put parameter instead of string
● Create attribute
● Check
What to change?
../cookbooks/webserver/templates/default/cvepatch.erb

# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel warn
Template parameters
# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel <%= node['apache']['log_level'] %>
Log_level attribute
in ../cookbook/webserver/attributes/default.rb
default['apache']['log_level'] = 'debug'
Platform specificity
We know that our Ubuntu server is reliable enough and doesn't need logging above the 'warn' level, while the rest of our servers need 'debug' level logging.
What to do?
We met something like that when we were disabling the default site with attributes...
“Smart” templates
<% if node['platform'] == 'ubuntu' %>
# This is Ubuntu
LogLevel warn
<% else %>
LogLevel debug
<% end %>
node['platform']
in cookbooks/webserver/attributes/default.rb

case node['platform']
when 'ubuntu'
  default['apache']['log_level'] = 'warn'
else
  default['apache']['log_level'] = 'debug'
end
Platform specific templates
../templates/
  default/
    cvepatch.erb
  ubuntu/
    cvepatch.erb
  centos-6.4/
    cvepatch.erb

Works just for Ubuntu

Let's create an Ubuntu-specific template and set “LogLevel warn”
Many server domains
The problem now is that we would like to serve several domains with only one vhost configuration.
So we need ServerAlias included several times, with the list of additional domains set as an attribute.
Expected changes:
● attributes/default.rb
● templates/default/ubuntu/cvepatch.erb
Foreach
../cookbooks/webserver/templates/ubuntu/cvepatch.erb

<% node['apache']['aliases'].each do |domain| %>
ServerAlias <%= domain %>
<% end %>

../cookbooks/webserver/attributes/default.rb

default['apache']['aliases'] = ['url1.com','url2.com']
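Added example, not from the slides: rendering the cvepatch.erb fragments above with plain Ruby ERB against a hand-built node hash, so the ServerAlias loop, the log_level attribute and the platform case from attributes/default.rb can be checked without a Chef run. The server_name 'yoursite.com', the two alias domains and the template excerpt are constructed values.

```ruby
require 'erb'

# Added example (not from the slides): render a constructed excerpt of
# cvepatch.erb the way Chef does, with a `node` object in scope.
TEMPLATE = <<~'ERB'
  <VirtualHost *:80>
    ServerName <%= node['apache']['server_name'] %>
  <% node['apache']['aliases'].each do |domain| -%>
    ServerAlias <%= domain %>
  <% end -%>
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel <%= node['apache']['log_level'] %>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
  </VirtualHost>
ERB

# Mirrors the `case node['platform']` block from
# cookbooks/webserver/attributes/default.rb; the rest of the hash is constructed.
def default_attributes_for(platform)
  log_level = platform == 'ubuntu' ? 'warn' : 'debug'
  { 'platform' => platform,
    'apache'   => { 'server_name' => 'yoursite.com',          # constructed
                    'aliases'     => ['url1.com', 'url2.com'], # from attributes/default.rb
                    'log_level'   => log_level } }
end

# Chef evaluates the template with `node` in scope; a binding taken inside a
# method whose parameter is called `node` gives ERB the same name to resolve.
def render(node)
  ERB.new(TEMPLATE, trim_mode: '-').result(binding)
end

def render_for(platform)
  render(default_attributes_for(platform))
end

puts render_for('ubuntu') if __FILE__ == $PROGRAM_NAME
```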
Password protection
We need to protect our site with a login/password in order to keep it private:
admin/password
Password protection
HTTP Basic Authentication
<Directory <%= node['apache']['docroot_dir'] %>/>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride None
  AuthType Basic
  AuthName "Restricted Files"
  AuthBasicProvider file
  AuthUserFile <%= node['apache']['dir'] %>/htpasswd
  Require valid-user
</Directory>

Copy/paste from http://goo.gl/6sEYT5
htpasswd
We need this contents to be in
node['apache']['dir']/htpasswd
admin:$apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0

Copy/paste from http://goo.gl/6sEYT5
Google it!
'chef resource file'
Putting file to server #1
../cookbooks/webserver/recipes/default.rb

file "#{node['apache']['dir']}/htpasswd" do
  owner 'root'
  group node['apache']['root_group']
  mode '0644'
  backup false
  content "admin:$apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0"
end
Putting file to server #2
● The 'content' attribute is not really scalable – what if we need 2Kb of text inside?
● Let's first comment out the content attribute with #
● Create file ../cookbooks/webserver/files/default/htpasswd
● and put root (not admin!) and the password hash into it
● Change resource from 'file' to 'cookbook_file'
What to do till the next meeting?
http://dougireton.com/blog/2013/02/16/chef-cookbook-anti-patterns/

Chef training - Day2