DevOps: Opscode Chef
Day 2
Andriy Samilyak
[email protected]: samilyaka
Goals
in-depth understanding of attributes
working with templates
roles
files and cookbook_files
Notes to copy/paste
http://goo.gl/6sEYT5
Nothing like too much practice
knife node list
knife node delete yournode
knife client delete yournode
knife bootstrap 11.22.33.44 -x root -N freshnode
Changing attributes #1
Setting node['apache']['default_site_enabled'] to 'true'
We were changing:
cookbooks/apache2/attributes/default.rb ?
Where we can change attributes
cookbook/attributes/*
cookbook/recipes/*
role
environment
node (Chef server)
Role
Webserver, Drupal, OnLineStore
CentOS6: LogLevel debug
Ubuntu: LogLevel warn
Changing attributes #2
name "node"
run_list "recipe[apache2]"
default_attributes "apache" => { "default_site_enabled" => true }
Create role file: chef-repo/roles/node.rb
> knife role from file roles/node.rb
> knife node edit yournodename
Set run_list to [role[node]]
Changing attributes #3
Setting node['apache']['default_site_enabled'] to 'true'
Changing attributes #2
Let's set it to false and see what happens
Attributes Types
default
  default['apache']['default_site_enabled'] = false
  or node.default.apache.default_site_enabled = true
normal
  set[:apache]['default_site_enabled'] = false
  or node.normal['apache'][:default_site_enabled] = true
override
  node.override[:apache]['default_site_enabled'] = false
  or override_attributes "apache" => { "default_site_enabled" => true }
Attribute precedence
From: http://docs.opscode.com/essentials_cookbook_attribute_files.html
Changing attributes #3
Change it back to 'true', we will need it!
http://goo.gl/oqDYA
How to test
curl -X TRACE http://yoursite.com
You should receive HTTP 403, not HTTP 200 OK
Changing the template: bad and ugly
Let's try changing ../templates/default/default-site.erb directly?
Wrapper cookbook
1) knife cookbook create webserver
2) In roles/node.rb change "recipe[apache2]" => "recipe[webserver]"
3) Upload cookbook
4) Upload role
5) Run chef-client
OMG! Apache is still installed!
Removing defaults
Including recipe
Add in cookbooks/webserver/recipes/default.rb:
include_recipe "apache2"
Something went wrong
Chef::Exceptions::CookbookNotFound
----------------------------------
Cookbook apache2 not found
Cookbook dependencies
In cookbooks/webserver/metadata.rb add:
depends 'apache2'
Upload cookbook and run chef-client again
CVE patch plan
Create new vhost configuration
Enable new vhost
Disable default site
Create new vhost configuration
Copy default-site.erb as cvepatch.erb in cookbooks/webserver/templates/default/
Insert patch lines into template:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
Upload cookbook and chef-client run
Any results?
Welcome Chef resources
template "#{node['apache']['dir']}/sites-available/default" do
  source 'default-site.erb'
  owner 'root'
  group node['apache']['root_group']
  mode '0644'
  notifies :restart, 'service[apache2]'
end
New template resource
in ../cookbooks/webserver/recipes/default.rb
template "#{node['apache']['dir']}/sites-available/cvepatch" do
  owner 'root'
  group node['apache']['root_group']
  mode '0644'
  notifies :restart, 'service[apache2]'
end
Upload cookbook, run chef-client, check results
How is the default site enabled?
apache_site 'default' do
  enable node['apache']['default_site_enabled']
end
You can visualize it as a function call...
apache_site('default',true)
and this is called a definition
Enable new vhost
in ../cookbooks/webserver/recipes/default.rb
apache_site 'cvepatch' do
  enable true
end
apache_site 'cvepatch'
Upload cookbook and chef-client run
Error? Again?
STDOUT: Action 'configtest' failed.
The Apache error log may have more information.
...fail!
STDERR: Syntax error on line 6 of /etc/apache2/sites-enabled/cvepatch:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration
It seems like we forgot about mod_rewrite...
Final recipe
include_recipe "apache2"
include_recipe "apache2::mod_rewrite"

template "#{node['apache']['dir']}/sites-available/cvepatch" do
  owner 'root'
  group node['apache']['root_group']
  mode '0644'
  notifies :restart, 'service[apache2]'
end
apache_site 'cvepatch'
Still have to disable default site
ls -la /etc/apache2/sites-enabled/
../cookbooks/attributes/default.rb  false
../roles/node.rb                    true
Chef Server GUI                     true
? how to make it false finally?
Attribute precedence
From: http://docs.opscode.com/essentials_cookbook_attribute_files.html
Override attribute
in ../cookbook/webserver/attributes/default.rb
override['apache']['default_site_enabled'] = false
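Added example (not code from the deck): a small Ruby model of the precedence behind the attribute types slide and the "how to make it false finally?" question above. It keeps only the rows of the precedence table the deck uses (cookbook < role < environment within a type, normal above every default, override above normal); the source names and values are constructed to match the slides.

```ruby
# Attribute types, lowest first, and where a setting can come from, lowest
# first. Chef's full precedence table has more rows; this model keeps the ones
# the deck uses: cookbook attribute file < role < environment within a type,
# normal (set on the node, e.g. in the Chef Server GUI) above every default,
# and override above normal.
PRECEDENCE = %w[default normal override].freeze
ORIGINS    = %w[cookbook role environment node].freeze

def rank(source)
  PRECEDENCE.index(source[:level]) * ORIGINS.size + ORIGINS.index(source[:origin])
end

# Merge nested attribute hashes; on a conflict the value from `other` wins.
def deep_merge(base, other)
  base.merge(other) do |_key, old, new|
    old.is_a?(Hash) && new.is_a?(Hash) ? deep_merge(old, new) : new
  end
end

# Apply lower-ranked sources first, so the highest-ranked setting wins.
def merge_attributes(sources)
  sources.sort_by { |s| rank(s) }.reduce({}) { |acc, s| deep_merge(acc, s[:attrs]) }
end

def default_site_enabled?(sources)
  merge_attributes(sources).dig('apache', 'default_site_enabled')
end

def apache_setting(value)
  { 'apache' => { 'default_site_enabled' => value } }
end

# Constructed sources, in the order the deck accumulates them.
ATTRIBUTE_SOURCES = [
  { name: 'cookbooks/apache2/attributes/default.rb',
    level: 'default', origin: 'cookbook', attrs: apache_setting(false) },
  { name: 'roles/node.rb default_attributes',
    level: 'default', origin: 'role', attrs: apache_setting(true) },
  { name: 'node edited in the Chef Server GUI',
    level: 'normal', origin: 'node', attrs: apache_setting(true) }
].freeze

# Two ways the wrapper cookbook could try to turn the default site off:
# a plain default loses to the role's default, an override beats everything.
WRAPPER_DEFAULT  = { name: 'webserver attributes (default)',
                     level: 'default', origin: 'cookbook', attrs: apache_setting(false) }.freeze
WRAPPER_OVERRIDE = { name: 'webserver attributes (override)',
                     level: 'override', origin: 'cookbook', attrs: apache_setting(false) }.freeze
```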
How to test
curl -X TRACE http://yoursite.com
You should receive HTTP 403, not HTTP 200 OK
Verbose logging
LogLevel warn is not enough for us.
We would like to have the log level as a parameter, set via attributes.
Verbose logging: Plan
Find what to change in template
Put parameter instead of string
Create attribute
Check
What to change?
../cookbooks/webserver/templates/default/cvepatch.erb
# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel warn
Template parameters
# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel <%= node['apache']['log_level'] %>
Log_level attribute
in ../cookbook/webserver/attributes/default.rb
default['apache']['log_level'] = 'debug'
Platform specificity
We know that our Ubuntu server is reliable enough and does not need logging above the 'warn' level, while the rest of our servers need 'debug' level logging. What to do? We met something like this when we were disabling the default site with attributes...
Smart templates
# This is Ubuntu
LogLevel warn
LogLevel debug
node['platform']
in cookbooks/webserver/attributes/default.rb
case node['platform']
when 'ubuntu'
  default['apache']['log_level'] = 'warn'
else
  default['apache']['log_level'] = 'debug'
end
Platform specific templates
../templates/
  default/cvepatch.erb
  ubuntu/cvepatch.erb
  centos-6.4/cvepatch.erb
Works just for Ubuntu
Let's create an Ubuntu-specific template and set LogLevel warn
Many server domains
The problem now is that we would like to use different domains with only one vhost configuration. So you need ServerAlias included several times, and the list of additional domains set as an attribute.
Expected changes:
attributes/default.rb
templates/default/ubuntu/cvepatch.erb
Foreach
../cookbooks/webserver/templates/ubuntu/cvepatch.erb
ServerAlias
default['apache']['aliases'] = ['url1.com','url2.com']
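Added example (not code from the deck): rendering a constructed cvepatch.erb with Ruby's standard ERB library, the way the template resource does, to show the ServerAlias loop over node['apache']['aliases'] together with the LogLevel attribute and the platform case from the earlier slides. The node hash, the fqdn and the template text are constructed for this illustration.

```ruby
require 'erb'

# Constructed node attributes: a plain Hash standing in for Chef's node object,
# with the keys the slides define.
NODE = {
  'platform' => 'ubuntu',
  'fqdn'     => 'www.example.com',
  'apache'   => { 'log_level' => 'warn', 'aliases' => ['url1.com', 'url2.com'] }
}.freeze

# Constructed stand-in for templates/ubuntu/cvepatch.erb: one ServerAlias per
# entry of node['apache']['aliases'], LogLevel taken from the attribute, and the
# TRACE-blocking rewrite rules from the CVE patch plan.
CVEPATCH_ERB = <<~'ERB'
  <VirtualHost *:80>
    ServerName <%= node['fqdn'] %>
  <% node['apache']['aliases'].each do |alias_name| -%>
    ServerAlias <%= alias_name %>
  <% end -%>
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel <%= node['apache']['log_level'] %>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
  </VirtualHost>
ERB

# Mirrors the case statement in cookbooks/webserver/attributes/default.rb.
def log_level_for(platform)
  platform == 'ubuntu' ? 'warn' : 'debug'
end

# Render the template the way Chef's template resource does: the ERB code sees
# a `node` variable. trim_mode '-' lets `-%>` swallow the newline after a tag,
# so the each/end lines leave no blank lines in the generated vhost file.
def render_vhost(node)
  ERB.new(CVEPATCH_ERB, trim_mode: '-').result_with_hash(node: node)
end

# Collect the ServerAlias values from a rendered vhost, for checking the result.
def server_aliases(rendered)
  rendered.scan(/^\s*ServerAlias\s+(\S+)/).flatten
end

puts render_vhost(NODE) if $PROGRAM_NAME == __FILE__
```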
Password protection
We need to close our site by login/password in order to keep it private
admin/password
Password protection
HTTP Basic Authentication
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile <%= node['apache']['dir'] %>/htpasswd
Require valid-user
Copy/paste from http://goo.gl/6sEYT5
htpasswd
We need these contents to be in node['apache']['dir']/htpasswd
admin:$apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0
Copy/paste from http://goo.gl/6sEYT5
Google it!
'chef resource file'
Putting file to server #1
../cookbooks/webserver/recipes/default.rb
file "#{node['apache']['dir']}/htpasswd" do
  owner 'root'
  group node['apache']['root_group']
  mode '0644'
  backup false
  content "admin:$apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0"
end
Putting file to server #2
The 'content' attribute is not really scalable: what if we need 2Kb of text inside?
Let's first comment out the content attribute with #
create file ../cookbooks/webserver/files/default/htpasswd
and put root (not admin!) and the password hash into it
Change resource from 'file' to 'cookbook_file'
What to do till the next meeting?
http://dougireton.com/blog/2013/02/16/chef-cookbook-anti-patterns/