Chef training - Day3


Presentation for Day3 training held by SmartMe

Published in: Technology, Self Improvement

  1. DevOps Basics: Opscode Chef, Day 3
     Andriy Samilyak
     skype: samilyaka
  2. Goals
     ● New resources: file, cookbook_file
     ● Berkshelf
     ● DataBags
     ● Deployment with Chef
     ● Environments
  3. Password protection
     We need to protect our site with a login/password in order to keep it private: admin/password
  4. Password protection: HTTP Basic Authentication

         <Directory <%= node['apache']['docroot_dir'] %>/>
           Options Indexes FollowSymLinks MultiViews
           AllowOverride None
           AuthType Basic
           AuthName "Restricted Files"
           AuthBasicProvider file
           AuthUserFile <%= node['apache']['dir'] %>/htpasswd
           Require valid-user
         </Directory>

     Copy/paste from
  5. htpasswd
     We need these contents to be in node['apache']['dir']/htpasswd:

         admin:$apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0

     Copy/paste from
  6. Google it! 'chef resource file'
  7. Putting file to server #1
     ../cookbooks/webserver/recipes/default.rb

         file "#{node['apache']['dir']}/htpasswd" do
           owner 'root'
           group node['apache']['root_group']
           mode '0644'
           backup false
           # user:hash with no space after the colon, as on slide 5
           content "admin:$apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0"
         end
  8. Putting file to server #2
     ● The 'content' attribute is not really scalable: what if we need 2Kb of text inside?
     ● Let's first comment out the content attribute with #
     ● Create the file ../cookbooks/webserver/files/default/htpasswd
     ● and put root (not admin!) and the password hash in it
     ● Change the resource from 'file' to 'cookbook_file'
  9. Putting file to server #2
     ../cookbooks/webserver/recipes/default.rb

         cookbook_file "#{node['apache']['dir']}/htpasswd" do
           owner 'root'
           group node['apache']['root_group']
           mode '0644'
           backup false
         end
  10. Welcome Berks-way!

          gem install berkshelf

      Test it with "berks -v"

      On Windows you'll need to add to chefrepo/.berkshelf/config.json:

          "ssl": { "verify": false }
  11. Move out community cookbooks
      ● Add a line to Berksfile:

            cookbook "cookbook", path: "cookbooks/webserver"

      ● berks install ← download cookbook to local folder
      ● berks upload ← upload cookbooks to Chef Server
      ● Remove the 'apache2' folder from chef_repo
      Where is the cookbook now anyway?
  12. Well done! Let's put it in git

          git commit -a -m "Initial commit"
          git push origin master
  13. Berks locations
      ● site:

            cookbook "artifact", site: ""
            cookbook "artifact", site: :opscode

      ● git:

            cookbook "mysql", git: "", branch: "foodcritic"
  14. Let's do it better now!
      Goal: specify user/pass with cookbook attributes
      Copy/paste from
  15. New cookbook in Berksfile

          cookbook "htpasswd", git:
  16. Example:

          htpasswd "/etc/apache2/htpasswd" do
            user node['webserver']['auth_user']
            password node['webserver']['auth_pass']
          end
  17. Htpasswd - review
      ● webserver/metadata.rb: add dependency
      ● recipes/default.rb: add resource htpasswd
      ● attributes/default.rb: add two attributes
      ● berks update & berks upload
  18. Managing user access
      ● Site: User1/pass, User2/pass, User3/pass
      ● Site Backend: User1/pass, User3/pass
      ● Store Backend: User3/pass
  19. DataBags
      ● Reusable data containers
      ● JSON
      ● Search API
  20. Managing user access - Plan
      ● Keep user/pass with granted nodes
      ● Find all users for current node
      ● Generate htpasswd by adding hash for each user
  21. DataBags as files

          chef_repo
            data_bags
              htpasswd
                user1.json
                user2.json
                user3.json
  22. user1.json

          {
            "id": "user1",
            "pass": "password",
            "nodes": ["yournode1", "yournode2"]
          }
  23. Data bag CLI

          knife data bag create htpasswd
          knife data bag from file htpasswd user1.json
          knife data bag from file htpasswd data_bags/htpasswd/*
          knife search htpasswd "(id:user1)"
          knife search htpasswd "(nodes:yournode)"
  24. Search API

          search(:htpasswd, "nodes:#{}") do |user|
            # add line to file
            user['pass']
          end
  25. Just an example of solution...

          file "#{node['apache']['dir']}/htpasswd" do
            action :delete
          end

          search(:htpasswd, "nodes:#{}") do |user|
            htpasswd "#{node['apache']['dir']}/htpasswd" do
              user user['id']
              password user['pass']
              notifies :reload, 'service[apache2]'
            end
          end
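
The plan on slide 20 (find the users granted to the current node, then write one htpasswd line for each), as an added example in plain Ruby that is not from the slides: it builds the whole file body in one pass and rejects ids or hashes that could forge an entry. It assumes each data bag item carries a precomputed `hash` field instead of the plaintext `pass` on slide 22; `users_for_node`, `render_htpasswd` and the sample items are hypothetical.

```ruby
# Added example: plain Ruby, runs without Chef. The 'hash' field and all
# helper names are assumptions; the slides store a plaintext 'pass' instead.

# Only hash formats Apache's file provider reads: apr1 (MD5) or bcrypt.
HASH_RE = %r{\A(?:\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}|\$2y\$\d\d\$[./0-9A-Za-z]{53})\z}
# \A and \z anchor the whole string, so an id cannot smuggle in a newline
# or ':' and forge an extra htpasswd entry.
ID_RE = /\A[A-Za-z0-9._-]{1,64}\z/

# Constructed sample data bag items (user1's hash is the one on slide 5).
SAMPLE_ITEMS = [
  { 'id' => 'user1', 'hash' => '$apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0',
    'nodes' => %w[yournode1 yournode2] },
  { 'id' => 'user3', 'hash' => '$apr1$constrct$' + 'x' * 22,
    'nodes' => %w[yournode1] },
  { 'id' => 'user2', 'hash' => '$apr1$constrct$' + 'y' * 22,
    'nodes' => %w[yournode2] }
].freeze

# Items whose 'nodes' list names this node (slide 20: users for current node).
def users_for_node(items, node_name)
  items.select { |u| Array(u['nodes']).include?(node_name) }
end

# Build the complete file body for one node, or raise on any bad item.
def render_htpasswd(items, node_name)
  users = users_for_node(items, node_name)
  users.each do |u|
    raise ArgumentError, "bad user id #{u['id'].inspect}" unless ID_RE.match?(u['id'].to_s)
    raise ArgumentError, "bad hash for #{u['id']}" unless HASH_RE.match?(u['hash'].to_s)
  end
  ids = users.map { |u| u['id'] }
  raise ArgumentError, 'duplicate user id' unless ids.uniq.size == ids.size
  # Sorted output keeps the content stable between chef-client runs.
  users.sort_by { |u| u['id'] }.map { |u| "#{u['id']}:#{u['hash']}\n" }.join
end

puts render_htpasswd(SAMPLE_ITEMS, 'yournode1') if __FILE__ == $PROGRAM_NAME
```

The returned string can be given to the `file` resource's `content` attribute from slide 7, so the file is replaced in one step rather than deleted and rebuilt entry by entry.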