configuration-management.md

Configuration Management

Ansible

Run a playbook

ansible-playbook -i ./inventory.yml playbook.yml

Chef

Handle EC2 instance

ec2 plugin installed with

knife ec2 server create "role[ubuntu]" -I ami_id -f instance_type -S knife -i ~/.ssh/knife.pem --ssh-user ubuntu --region eu-west-1 -Z eu-west-1a

Install chef on RHEL 6 using gems

Use the omnibus installer if you can!

sudo rpm -Uvh http://rbel.frameos.org/rbel6
yum install ruby ruby-devel ruby-ri ruby-rdoc ruby-shadow gcc gcc-c++ automake autoconf make curl dmidecode
gem install chef --no-ri --no-rdoc

Using chef-solo

/etc/chef/solo.rb

json_attribs "/etc/chef/node.json"

/etc/chef/node.json

{
 "resolver": {
       "nameservers": [ "10.0.0.1" ],
       "search": "int.example.com"
  },
  "run_list": [ "recipe[resolver]" ]
}

knife search

knife search -a ATTR

common node attributes

description	attribute
version of chef	chef_packages.chef.version
nodes's environment	chef.environment

Compile time notes

Use lazy so that the code block isn't evaluated until execution phase.

Chef shell

# list resources
help resource

Debug attributes

pp node.debug_value('system', 'repo')

Get the resources used

# in chef-shell
recipe_mode
resources

Foodcritic

Has been replaced by cookstyle

# Run rules that match the tags
foodcritic -t annoyances,deprecated,correctness

ChefSpec

• Chef docs
• Github repo

Chef Handlers

Handler types

exception

Loaded when run fails

exception handler runs when the failed? property for the run_status object returns true.

report

Reports details of run success

report handler runs when the success? property for the run_status object returns true.

start

Starts at chef client run

Resources

https://docs.chef.io/handlers.html

Knife

Bootstrap a node

knife bootstrap FQDN_OR_IP -E ENVIRONMENT -N NAME -x USER -r RUN_LIST [ --sudo | -G GATEWAY ]

Return chef versions

knife search node "name:*" -a chef_packages.chef.version

Remove recipe from all nodes

knife exec -E 'nodes.transform("chef_environment:dev") {|n| puts n.run_list.remove("recipe[chef-client::upgrade]"); n.save }'

Find non 64-bit nodes

knife search node "(NOT kernel_machine:x86_64)"

Generate new keypair for client

knife client reregister CLIENT

provisioning

CLI

chef provision --no-policy
# debug mode
chef provision --no-policy -D

Berkshelf

CLI

# Install cookbooks
berks install

Berksfile

## In case you're developing on a bunch of cookbooks
source chef_repo: ".."

# You'll need this if you're downloading upstream cookbooks
source "https://supermarket.chef.io"

metadata

# Use specific directory in git repo
cookbook "rightscale", git: "https://github.com/rightscale/rightscale_cookbooks.git", rel: "cookbooks/rightscale"

Test Kitchen

Setting RAM on Vagrant

driver:
  name: vagrant
  customize:
    memory: 2048

Setting environment in chef-zero

driver:
  name: vagrant

provisioner:
  name: chef_zero
  environments_path: path/to/environments
  client_rb:
    environment: production

kitchen-dokken

Pre-installed with ChefDK

---
driver:
  name: dokken
  chef_version: latest

transport:
  name: dokken

provisioner:
  name: dokken

verifier:
  name: inspec

platforms:
- name: centos-7
  driver:
    image: dokken/centos-7

suites:
  - name: default
    run_list:
    - recipe[hello_dokken::default]

Using chef-vault

suites:
  - name: default
      data_bags_path: 'test/data_bags'
      attributes:
      chef-vault:
        databags_fallback: true
      dev_mode: true # For very old chef-vault cookbooks
    run_list:
    - recipe[chef-vault]

Links

• Test Kitchen website
• https://github.com/someara/kitchen-dokken

Server

Users

# Create a user
chef-server-ctl user-create USER_NAME FIRST_NAME [MIDDLE_NAME] LAST_NAME EMAIL PASSWORD (options)
# Edit a user
chef-server-ctl user-edit USER_NAME
# Delete a user
chef-server-ctl user-delete USER_NAME

Organizations

# List orgs
chef-server-ctl org-list
# Create an org
chef-server-ctl org-create ORG_NAME ORG_FULL_NAME
# Add a user to an org
chef-server-ctl org-user-add ORG_NAME USER_NAME [--admin]

Groups

knife acl plugin

knife group create GROUP
knife group add MEMBERTYPE MEMBER GROUP

Links

• chef-server-ctl
• Air-gapped servers

Chef-Vault

Knife

# Create a vault
knife vault create passwords root '{"username": "root", "password": "mypassword"}' -S "role:webserver"

# Re-encrypt the vault with a fresh search of nodes
knife vault refresh passwords root

# Update the search for hosts on a vault
knife vault update passwords root -S "role:webserver"

# Create a vault from a file
knife vault create certs example.com --file example.crt

# Get the search query
knife data bag show VAULT ITEM_keys -Fjson | jq .search_query

Code

chef-vault cookbook

include_recipe "chef-vault"
vault = chef_vault_item(DATABAG, ITEM)

chef-vault gem

chef_gem 'chef-vault' do
  compile_time true if respond_to?(:compile_time)
end

require 'chef-vault'

item = ChefVault::Item.load("passwords", "root")
item["password"]

Links

• chef vault gem
• chef vault cookbook
• http://www.pburkholder.com/blog/2015/12/04/why-chef-vault-and-autoscaling-dont-mix/
• http://engineering.ooyala.com/blog/keeping-secrets-chef

Concepts - Idempotency

Something that should always have the same result, no matter how many times it runs.

# /tmp/thing should exist no matter how many times you run this:
mkdir -p /tmp/thing

Inspec

https://www.inspec.io/