robin posted on 2015-11-26 08:51:41

Chef Centralized Management Tool in Practice


Chef Centralized Management Tool in Practice, Part (0): What is Chef


  Series contents

Chef Centralized Management Tool in Practice, Part (0): What is Chef

Chef Centralized Management Tool in Practice, Part (1): Environment Deployment

Chef Centralized Management Tool in Practice, Part (2): Server Configuration

Chef Centralized Management Tool in Practice, Part (3): Custom Configuration
  This article

Chef Centralized Management Tool in Practice, Part (0): What is Chef
  References

http://my.oschina.net/williamherrychina/blog/63576

http://www.rubycc.com/bbs/topic_detail/91

http://gigix.thoughtworkers.org/2011/2/19/chef-1
  Chef community site

http://community.opscode.com/
  1.1 A first look at Chef

To get acquainted with Chef, it helps to first look at the DevOps movement
http://zh.wikipedia.org/wiki/DevOps. Put simply: traditional software organizations set up development, IT operations and quality assurance as separate departments, and the DevOps movement arose because the software industry came to see ever more clearly that, to deliver software products and services on time, development and operations must work closely together.

So, put simply, Chef is one of the important tools of the DevOps movement: a centralized management tool aimed at both developers and operations.
  Imagine we need to build a MySQL database slave server. We install it by hand, and not long after we need a second one. At that point we think: if we had written the commands we ran while installing the first one into a script, installing the second would just be a matter of running that script, saving time and leaving less room for error.
  Chef is in effect such a script management tool, but far more powerful and highly customizable. Chef turns the script commands into code; to customize, you only modify the code, and installation is simply the execution of that code.

By way of analogy, Chef is like a toy factory: it turns raw materials into nice toys. It has a set of templates; you put the raw materials in, pick a template (say, Shrek), and it produces that toy. Server configuration works the same way: you take an unconfigured server, assign it a template (a role or recipe), and Chef configures it into the production server you want.
  1.2 Chef compared with Puppet

Among centralized server management tools, the one whose fame rivals Chef's is "Puppet"; the two are the best-known OSS tools in the field.
  Let us compare their differences:

| Aspect                         | Puppet                                          | Chef                                                                          |
|--------------------------------|-------------------------------------------------|-------------------------------------------------------------------------------|
| History                        | Some                                            | Still young                                                                   |
| Users                          | Many, including well-known companies            | Still relatively few; some companies such as 37signals use it                 |
| Development activity           | Moderate                                        | Active (feels like it is in its prime)                                        |
| Documentation                  |                                                 | Adequate                                                                      |
| Configuration files            | Written in a dedicated grammar (external DSL)   | Written in Ruby (internal DSL)                                                |
| Structure of the configuration | Somewhat hard to follow                         | Relatively easy to understand; naming and so on are well chosen               |
| Handling of dependencies       | Execution order is decided by the system        | Like a Makefile: basically the order written; more script-like than Puppet    |
| Required middleware            | None                                            | The server needs CouchDB and RabbitMQ                                         |
| Installation                   | Simple, a gem install is enough                 | Server installation is more involved; the client is simple, just a gem        |
| Cooperation with other systems | Basically none                                  | Exposes a RESTful service API that returns JSON, so a great deal can be done  |
  1.3 Chef architecture

This is Chef's architecture diagram (the image is not reproduced here); a few notes on it:

  There is one central server (running chef-server)

Chef stores its data in a CouchDB database

RabbitMQ and chef-solr provide the search function

Chef also provides a graphical user interface (chef-server-webui)

The Workstation holds a pem file; knife (which configures Chef) uses it as its credential to talk to chef-server over the REST API

The Workstation uploads the configuration (Recipes and the like, describing how each Client should configure itself) to the server

Each Client holds a pem file; chef-client uses it as its credential to talk to chef-server over the REST API

When a new Client is added, validator.pem has to be copied from the central server to the new Client

It uses that pem to register and obtains its own client.pem, which it uses for all later authentication

A Client connects to the Chef server to look up how it should configure itself, then configures itself
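
The pem-based authentication between knife / chef-client and chef-server described above, as an added example that is not part of the original post: my reconstruction in Ruby of Chef's signed-header request authentication (X-Ops-* headers, sign version 1.0). A freshly generated RSA key stands in for the client's pem and its public half for what the server stored at registration; verify_request is a simplified server-side check, not Chef's own code.

```ruby
require 'openssl'
require 'time'

# Chef API authentication as reconstructed here (sign version 1.0): the client never
# sends its pem. It signs a canonical description of the request with the private
# key, and the server checks that signature against the public key it stored for
# the client at registration (the key `knife client show` prints later in this post).
module ChefAuth
  SIGN_VERSION = 'version=1.0'.freeze

  def self.hash_b64(data)
    [OpenSSL::Digest::SHA1.digest(data)].pack('m0')
  end

  # The canonical request string, one field per line, as signed by the client.
  def self.canonical_request(method:, path:, body:, timestamp:, user_id:)
    [
      "Method:#{method.upcase}",
      "Hashed Path:#{hash_b64(path)}",
      "X-Ops-Content-Hash:#{hash_b64(body)}",
      "X-Ops-Timestamp:#{timestamp}",
      "X-Ops-UserId:#{user_id}"
    ].join("\n")
  end

  # Client side: build the X-Ops-* headers for one request with the private key.
  def self.sign_request(private_key, method:, path:, user_id:, body: '',
                        timestamp: Time.now.utc.iso8601)
    canonical = canonical_request(method: method, path: path, body: body,
                                  timestamp: timestamp, user_id: user_id)
    # Version 1.0 signs by RSA-encrypting the canonical string with the private key
    # (PKCS#1 v1.5 padding); the server recovers the string with the public key.
    signature = [private_key.private_encrypt(canonical)].pack('m0')
    headers = {
      'X-Ops-Sign' => SIGN_VERSION,
      'X-Ops-UserId' => user_id,
      'X-Ops-Timestamp' => timestamp,
      'X-Ops-Content-Hash' => hash_b64(body)
    }
    # The base64 signature is split into 60-character X-Ops-Authorization-N headers.
    signature.scan(/.{1,60}/).each_with_index do |chunk, i|
      headers["X-Ops-Authorization-#{i + 1}"] = chunk
    end
    headers
  end

  # Server side: rebuild the canonical string from the request actually received,
  # recover the signed string with the stored public key and compare the two.
  def self.verify_request(public_key, headers, method:, path:, body: '', max_skew: 900)
    return false unless headers['X-Ops-Sign'] == SIGN_VERSION
    return false unless headers['X-Ops-Content-Hash'] == hash_b64(body)
    timestamp = headers['X-Ops-Timestamp']
    # Stale or replayed requests are rejected on the timestamp; this is one reason
    # the post insists on NTP on every machine.
    return false if (Time.now.utc - Time.iso8601(timestamp)).abs > max_skew
    joined = headers.keys.grep(/\AX-Ops-Authorization-\d+\z/)
                    .sort_by { |k| k.split('-').last.to_i }
                    .map { |k| headers[k] }.join
    expected = canonical_request(method: method, path: path, body: body,
                                 timestamp: timestamp, user_id: headers['X-Ops-UserId'])
    public_key.public_decrypt(joined.unpack1('m0')) == expected
  rescue OpenSSL::PKey::PKeyError, ArgumentError, TypeError
    false
  end
end

# Demo: a throwaway key pair stands in for chef-workstation.pem (private half) and
# for the public key chef-server stored for that client.
def chef_auth_demo
  key = OpenSSL::PKey::RSA.generate(2048)
  headers = ChefAuth.sign_request(key, method: 'GET', path: '/clients',
                                  user_id: 'chef-workstation')
  {
    ok: ChefAuth.verify_request(key.public_key, headers, method: 'GET', path: '/clients'),
    # A different path (or body) from the one signed must fail.
    tampered: ChefAuth.verify_request(key.public_key, headers, method: 'GET', path: '/nodes'),
    # A request signed with a key the server does not know must fail.
    wrong_key: ChefAuth.verify_request(OpenSSL::PKey::RSA.generate(2048).public_key,
                                       headers, method: 'GET', path: '/clients'),
    auth_headers: headers.count { |k, _| k.start_with?('X-Ops-Authorization-') }
  }
end
```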
  1.4 Chef's three management modes

Chef-Solo

An ordinary computer controls all the servers; no dedicated chef-server is needed
  Client-Server

All servers act as chef-clients and are managed centrally by chef-server; management covers installation, configuration and so on. chef-server can be self-hosted, but it pulls in a lot of software: because solr is used as the full-text search engine, Java has to be installed as well
  Opscode Platform

Like Client-Server, except that the Server side is not self-hosted; the chef-server service provided by http://www.opscode.com is used instead
  Of these three modes, Client-Server is without doubt the best, and also the most complex, because it lets you build a private centralized Chef management environment locally without depending on any third-party platform.



1.5 What Chef can do

What can Chef do? The answer is: anything. This is easy to understand: as long as you can run commands on a server, you can configure that server in any way you like (as the saying goes: "Where there is a SHELL, there is a way").

People may have a misconception about Chef here: because Chef configures services with something like templates, they may assume it only suits services whose configurations are fairly similar. That greatly underestimates Chef. Take the official mysql cookbook: it supports many OS platforms at once:

debian, ubuntu, centos, suse, fedora, redhat, scientific, amazon, freebsd, windows. Once you understand Chef more deeply, this will no longer surprise you.
  1.6 How Chef works

Ignoring all the details, Chef works like this:

On the Workstation, define how each Client should configure itself, then upload that information to the central server

Each Client connects to the central server to look up how it should configure itself, then configures itself

So once the Chef environment is set up, the vast majority of the work happens on the Workstation; only when that work is done and you decide to apply it to the Clients do you touch the Server and the Clients.
  1.7 A vivid explanation of the terms used in Chef

Chef: the cook

I am a novice cook, and I want to cook a server banquet, that is, a respectable server that can serve some purpose.
  Cookbook: the recipe book

A book someone else has written, full of ways to make related dishes (say, "Home-style Sichuan Cooking"). Some excellent server cooks have already written many cookbooks; these are what I will learn from and copy.
  Recipe: one dish in the cookbook (say, "mapo tofu")

How to make one particular part of the server banquet is written down in the recipe.
  So the whole story is:

As a novice cook (Chef), I want to pick a few suitable dishes (Recipes) from the many ready-made cookbooks (Cookbooks) and combine them into a banquet (a server) to entertain my guests.

Once my skills mature, I will write my own dishes and cookbooks to create banquets of my own.
  Chef's main goal is: turn server configuration into source code.

This has two benefits:

Automation

I can easily copy the way one server banquet was made straight onto another server, and so I get another banquet.
  Configuration management

Server configuration can be managed nicely through Git: it can be shared, worked on by several people, and its change history tracked.
  Chef uses a server-client model to manage all the machines that need configuring; using Chef involves at least three machines:

One development machine, the Workstation, on which the banquet's recipes are written;

One Chef server, which manages all the Chef clients to be configured and hands configuration down to them;

Several Chef clients (Nodes): the banquets I am going to cook.
  1.8 Next, we can begin the following process

We now have a basic understanding of Chef; next we can deepen it by working through the following steps ourselves.

Chef Centralized Management Tool in Practice, Part (1): Environment Deployment
  


  This article

Chef Centralized Configuration Management Tool in Practice, Part (1): Environment Deployment
  References

http://wiki.opscode.com/pages/viewpage.action?pageId=24773429

http://wiki.opscode.com/display/chef/Installing+Chef+Server+on+Debian+or+Ubuntu+using+Packages

http://wiki.opscode.com/display/chef/Workstation+Setup+for+Debian+and+Ubuntu

http://wiki.opscode.com/display/chef/Knife+Bootstrap
  Environment

OS: Ubuntu 10.10 Server 64-bit // verified to deploy successfully on 12.04.1 and 12.10 as well.

Servers:

chef-server: 10.6.1.170

chef-workstation: 10.6.1.171

chef-client-1: 10.6.1.172

chef-client-2: 10.6.1.173
  1. Installing and configuring the Chef Server

Edit hosts

ubuntu@chef-server:~$ sudo vim /etc/hosts

127.0.0.1   localhost

10.6.1.170 chef-server
10.6.1.171 chef-workstation
10.6.1.172 chef-client-1
10.6.1.173 chef-client-2
  Note:

Add an IP resolution record for the local hostname to /etc/hosts; this is very important.

During the chef-server installation later, rabbitmq-server is installed first; without that record rabbitmq-server fails to start, which in turn breaks the installation of all the other chef-server packages. If you are not aware of this, troubleshooting becomes very inconvenient.
  Create /etc/apt/sources.list.d/opscode.list

ubuntu@chef-server:~$ sudo echo "deb http://apt.opscode.com/ `lsb_release -cs`-0.10 main" | sudo tee /etc/apt/sources.list.d/opscode.list
  Add the GPG key

ubuntu@chef-server:~$ sudo mkdir -p /etc/apt/trusted.gpg.d

ubuntu@chef-server:~$ sudo gpg --keyserver keys.gnupg.net --recv-keys 83EF826A

ubuntu@chef-server:~$ sudo gpg --export packages@opscode.com | sudo tee /etc/apt/trusted.gpg.d/opscode-keyring.gpg > /dev/null
  ubuntu@chef-server:~$ sudo apt-get update

ubuntu@chef-server:~$ sudo apt-get install opscode-keyring
  Install the NTP time service; Chef requires the clocks of the workstation, all clients and the server to agree

ubuntu@chef-server:~$ sudo apt-get install ntp
  Upgrade the existing system

ubuntu@chef-server:~$ sudo apt-get upgrade
  Install the chef-server packages

ubuntu@chef-server:~$ sudo apt-get install chef chef-server
  When prompted, enter the URL: http://chef-server:4000


  When prompted, enter the password: chef-server


  This step does the following:

Installs Chef Server and the packages it depends on, such as Merb, CouchDB and RabbitMQ, more than 300 packages in total

Starts CouchDB and RabbitMQ

Starts chef-server-api on port 4000

Starts chef-server-webui on port 4040

Starts chef-solr-indexer, which connects automatically to rabbitmq-server

Starts chef-solr and chef-client

Creates the related configuration files in /etc/chef
  After installation, check and confirm the following ports:

Chef Server - 4000

Chef Server WebUI - 4040

CouchDB - 5984

RabbitMQ - 5672

Chef Solr - 8983


  ubuntu@chef-server:~$ sudo netstat -lntp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      11402/sshd
tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN      31998/merb : chef-s
tcp        0      0 0.0.0.0:4040            0.0.0.0:*               LISTEN      32168/merb : chef-s
tcp        0      0 0.0.0.0:5672            0.0.0.0:*               LISTEN      30470/beam
tcp        0      0 127.0.0.1:5984          0.0.0.0:*               LISTEN      30518/beam
tcp        0      0 0.0.0.0:41891           0.0.0.0:*               LISTEN      30128/beam
tcp6       0      0 :::22                   :::*                    LISTEN      11402/sshd
tcp6       0      0 127.0.0.1:8983          :::*                    LISTEN      31760/java
...
  Log in to the Web UI


  Address: http://chef-server:4040 (to reach it, add "10.6.1.170 chef-server" to the hosts file of your local computer)

Account: admin

Password: chef-server
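
A check for the ports listed above, added here as example code that is not part of the original post: it parses `netstat -lntp` output, confirms that each expected Chef port is listening, and reports which of them are bound to all interfaces rather than to loopback, since those are the ones reachable from the network. The sample text is constructed from the listing shown above.

```ruby
# Expected listeners on chef-server after installation, per the list in the post.
EXPECTED_CHEF_PORTS = {
  4000 => 'Chef Server API',
  4040 => 'Chef Server WebUI',
  5984 => 'CouchDB',
  5672 => 'RabbitMQ',
  8983 => 'Chef Solr'
}.freeze

# Parses `netstat -lntp` text into { port => { addr:, program:, exposed: } }.
# A socket bound to 0.0.0.0 or :: accepts connections from any interface, so it
# is marked exposed; 127.0.0.1 / ::1 listeners are reachable only locally.
def parse_listeners(netstat_text)
  listeners = {}
  netstat_text.each_line do |line|
    fields = line.split
    state = fields.index('LISTEN')
    next unless fields[0].to_s.start_with?('tcp') && state
    local = fields[state - 2]                       # e.g. 0.0.0.0:4000 or :::22
    addr, _sep, port = local.rpartition(':')
    program = fields[(state + 1)..-1].join(' ')     # "31998/merb : chef-s"
    listeners[port.to_i] = {
      addr: addr,
      program: program,
      exposed: %w[0.0.0.0 ::].include?(addr)
    }
  end
  listeners
end

# Returns the parsed listeners plus which expected ports are missing and which
# are exposed to the network.
def check_chef_ports(netstat_text, expected = EXPECTED_CHEF_PORTS)
  listeners = parse_listeners(netstat_text)
  {
    listeners: listeners,
    missing: expected.keys.reject { |p| listeners.key?(p) },
    exposed: expected.keys.select { |p| listeners.dig(p, :exposed) }
  }
end

# Constructed sample following the netstat output shown in the post.
SAMPLE_NETSTAT = <<~'NETSTAT'
  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      11402/sshd
  tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN      31998/merb : chef-s
  tcp        0      0 0.0.0.0:4040            0.0.0.0:*               LISTEN      32168/merb : chef-s
  tcp        0      0 0.0.0.0:5672            0.0.0.0:*               LISTEN      30470/beam
  tcp        0      0 127.0.0.1:5984          0.0.0.0:*               LISTEN      30518/beam
  tcp        0      0 0.0.0.0:41891           0.0.0.0:*               LISTEN      30128/beam
  tcp6       0      0 :::22                   :::*                    LISTEN      11402/sshd
  tcp6       0      0 127.0.0.1:8983          :::*                    LISTEN      31760/java
NETSTAT

if __FILE__ == $PROGRAM_NAME
  result = check_chef_ports(SAMPLE_NETSTAT)
  puts "missing: #{result[:missing].inspect}"
  result[:exposed].each { |p| puts "port #{p} (#{EXPECTED_CHEF_PORTS[p]}) listens on all interfaces" }
end
```

On the sample, the API, WebUI and RabbitMQ ports come out as exposed while CouchDB and Solr listen on loopback only.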
  Install and configure the knife command-line tool

ubuntu@chef-server:~$ mkdir -p ~/.chef

ubuntu@chef-server:~$ sudo cp /etc/chef/validation.pem /etc/chef/webui.pem ~/.chef

ubuntu@chef-server:~$ sudo chown -R $USER ~/.chef
  ubuntu@chef-server:~$ knife configure -i

WARNING: No knife configuration file found
Where should I put the config file?
Please enter the chef server URL: http://chef-server:4000
Please enter a clientname for the new client:
Please enter the existing admin clientname:
Please enter the location of the existing admin client's private key: .chef/webui.pem
Please enter the validation clientname:
Please enter the location of the validation key: .chef/validation.pem
Please enter the path to a chef repository (or leave blank):
Creating initial API user...
Created client
Configuration file written to /home/ubuntu/.chef/knife.rb
  Run a knife command to check that it can connect to the configured Chef Server

ubuntu@chef-server:~$ knife client list

chef-validator
chef-webui
ubuntu
  ubuntu@chef-server:~$ knife cookbook list
  ubuntu@chef-server:~$ sudo apt-get install ntp
  Create and configure a Knife client for the workstation

ubuntu@chef-server:~$ knife client create chef-workstation -d -a -f /home/ubuntu/.chef/chef-workstation.pem

Created client
  ubuntu@chef-server:~$ knife client show chef-workstation

_rev:        1-2a52b9416bad08b697e9c644a0aea4cc
admin:       true
chef_type:   client
json_class:  Chef::ApiClient
name:        chef-workstation
public_key:  -----BEGIN RSA PUBLIC KEY-----
             MIIBCgKCAQEA1RAa+jf733FtoTv64msykO3/SEe8G/YhPgA2S3NfWdgh+LbuhCdT
             9IjX3Hio3U/rj6VGeICJkCfWZy7NM9pTaPzH+gJdFbkLrLW1GSoEKMJ/f9IkxRcS
             7vdySU05IrPOF9PqcMvrME4xYzsFzIXDz1CbWBs08SuMfjP9qHfeStfBQaoQ8rLp
             mOGI0VMOU/CrlfNsAPLbUgVVylKfcmop1dCO6My53xW/qogfg/8Af0qtk7tyjVFi
             K+umCjmHmtW09qg5467p7xf4WSUYh076pb3ofbTi0o3VJi8Dz+qGISjvAVf3Y1As
             mwkam0IBM5sK41r/Suki9UQanKWsiDm0CQIDAQAB
             -----END RSA PUBLIC KEY-----
  2. Installing and configuring chef-workstation

Edit hosts

ubuntu@chef-workstation:~$ vim /etc/hosts

127.0.0.1   localhost

10.6.1.170 chef-server
10.6.1.171 chef-workstation
10.6.1.172 chef-client-1
10.6.1.173 chef-client-2
  Install Ruby and the other dependencies

ubuntu@chef-workstation:~$ sudo apt-get install ruby ruby-dev libopenssl-ruby rdoc ri irb build-essential wget ssl-cert curl
  Install RubyGems

ubuntu@chef-workstation:~$ cd /tmp

ubuntu@chef-workstation:~$ curl -O http://production.cf.rubygems.org/rubygems/rubygems-1.8.10.tgz

ubuntu@chef-workstation:~$ tar zxf rubygems-1.8.10.tgz

ubuntu@chef-workstation:~$ cd rubygems-1.8.10

ubuntu@chef-workstation:/tmp/rubygems-1.8.10$ sudo ruby setup.rb --no-format-executable
  Install the Chef gem

ubuntu@chef-workstation:/tmp/rubygems-1.8.10$ sudo gem install chef --no-ri --no-rdoc

Fetching: mixlib-config-1.1.2.gem (100%)
Fetching: mixlib-cli-1.2.2.gem (100%)
Fetching: mixlib-log-1.4.1.gem (100%)
Fetching: mixlib-authentication-1.3.0.gem (100%)
Fetching: mixlib-shellout-1.1.0.gem (100%)
Fetching: systemu-2.5.2.gem (100%)
Fetching: yajl-ruby-1.1.0.gem (100%)
Building native extensions.  This could take a while...
Fetching: ipaddress-0.8.0.gem (100%)
Fetching: ohai-6.14.0.gem (100%)
Fetching: mime-types-1.19.gem (100%)
Fetching: rest-client-1.6.7.gem (100%)
Fetching: bunny-0.7.9.gem (100%)
test suite cleanup (eliminated some race conditions related to queue.message_count)
Fetching: json-1.6.1.gem (100%)
Building native extensions.  This could take a while...
Fetching: polyglot-0.3.3.gem (100%)
Fetching: treetop-1.4.12.gem (100%)
Fetching: net-ssh-2.2.2.gem (100%)
Fetching: net-ssh-gateway-1.1.0.gem (100%)
Fetching: net-ssh-multi-1.1.gem (100%)
Fetching: highline-1.6.15.gem (100%)
Fetching: erubis-2.7.0.gem (100%)
Fetching: moneta-0.6.0.gem (100%)
Fetching: uuidtools-2.1.3.gem (100%)
Fetching: chef-10.16.2.gem (100%)
Successfully installed mixlib-config-1.1.2
Successfully installed mixlib-cli-1.2.2
Successfully installed mixlib-log-1.4.1
Successfully installed mixlib-authentication-1.3.0
Successfully installed mixlib-shellout-1.1.0
Successfully installed systemu-2.5.2
Successfully installed yajl-ruby-1.1.0
Successfully installed ipaddress-0.8.0
Successfully installed ohai-6.14.0
Successfully installed mime-types-1.19
Successfully installed rest-client-1.6.7
Successfully installed bunny-0.7.9
Successfully installed json-1.6.1
Successfully installed polyglot-0.3.3
Successfully installed treetop-1.4.12
Successfully installed net-ssh-2.2.2
Successfully installed net-ssh-gateway-1.1.0
Successfully installed net-ssh-multi-1.1
Successfully installed highline-1.6.15
Successfully installed erubis-2.7.0
Successfully installed moneta-0.6.0
Successfully installed uuidtools-2.1.3
Successfully installed chef-10.16.2
23 gems installed
  Install Git

ubuntu@chef-workstation:~$ sudo apt-get -y install git-core

ubuntu@chef-workstation:~$ git --version

git version 1.7.1
  Create the Chef Repository

Note: most of Chef's configuration work is done in the Chef Repository on the Workstation; different Chef Repositories can manage different Chef Servers.

ubuntu@chef-workstation:~$ sudo git clone git://github.com/opscode/chef-repo.git /opt/chef-local

Initialized empty Git repository in /opt/chef-local/.git/
remote: Counting objects: 199, done.
remote: Compressing objects: 100% (117/117), done.
remote: Total 199 (delta 72), reused 162 (delta 49)
Receiving objects: 100% (199/199), 30.34 KiB | 10 KiB/s, done.
Resolving deltas: 100% (72/72), done.
  ubuntu@chef-workstation:~$ cd /opt/chef-local/

ubuntu@chef-workstation:/opt/chef-local$ ls

README.md  Rakefile  certificates  chefignore  config  cookbooks  data_bags  environments  roles
  Create the configuration directory

ubuntu@chef-workstation:/opt/chef-local$ sudo mkdir -p .chef
  Transfer the pem credential files to the Workstation

ubuntu@chef-workstation:/opt/chef-local$ sudo scp ubuntu@chef-server:/home/ubuntu/.chef/chef-workstation.pem .chef/

ubuntu@chef-workstation:/opt/chef-local$ sudo scp ubuntu@chef-server:/home/ubuntu/.chef/validation.pem .chef/

  ubuntu@chef-workstation:/opt/chef-local$ ls .chef/

chef-workstation.pem validation.pem
  ubuntu@chef-workstation:/opt/chef-local$ sudo knife configure

WARNING: No knife configuration file found
Where should I put the config file? .chef/knife.rb
Please enter the chef server URL: http://chef-server:4000
Please enter an existing username or clientname for the API: chef-workstation
Please enter the validation clientname:
Please enter the location of the validation key: .chef/validation.pem
Please enter the path to a chef repository (or leave blank): /opt/chef-local
*****

You must place your client key in:
/opt/chef-local/.chef/chef-workstation.pem
Before running commands with Knife!

*****

You must place your validation key in:
/opt/chef-local/.chef/validation.pem
Before generating instance data with Knife!

*****
Configuration file written to /opt/chef-local/.chef/knife.rb
  Verify that the configuration is correct

ubuntu@chef-workstation:~$ sudo ntpdate chef-server
  Confirm that the Knife tool can connect to the Chef Server

ubuntu@chef-workstation:~$ knife client list

chef-server
chef-validator
chef-webui
chef-workstation
ubuntu
  ubuntu@chef-workstation:~$ knife client show chef-validator

_rev:        1-96959e21dfdb3f232a3ce8bae835475b
admin:       false
chef_type:   client
json_class:  Chef::ApiClient
name:        chef-validator
public_key:  -----BEGIN RSA PUBLIC KEY-----
             MIIBCgKCAQEA00/AWJL5mThj+pSXEB2gMKdTdHFm0pGi2hXAoBwm4/ZlnO4p2iwI
             /skfZMepVm8SAkSMIhz7ZC+jN/+Kqas7es0E+iv9ei0BF4Q41Y5kKMFctuElYbPH
             ImRCVTcQJ6m7BPS0Tczhy87jk6QlhsDsrnhNyUEgM5XRVNO+NzqeqZ+UMOWd9k2q
             KTJhbtHdx7ILdjZ5SBsiIMBhBNni2D0Y34BDtddsXCn1eyTWwGZxZTRZuDDXnls+
             aZaqogKoZ40d6h6ZVGh6nmmpdPDi9YdCIqFtWe5LF5bwIy7K6qBVgiOqU0x3Xek3
             d1eZG/8C+4FWjAm1h856npvmMOpVip9w8QIDAQAB
             -----END RSA PUBLIC KEY-----
  3. Installing and configuring chef-client

Edit hosts

ubuntu@chef-client-1:~$ vim /etc/hosts

127.0.0.1   localhost

10.6.1.170 chef-server
10.6.1.171 chef-workstation
10.6.1.172 chef-client-1
10.6.1.173 chef-client-2
  Synchronize time with chef-server

ubuntu@chef-client-1:~$ sudo ntpdate chef-server
  Bootstrap can be used to initialize a target node as a Client

ubuntu@chef-workstation:~$ knife bootstrap --help

knife bootstrap FQDN (options)
        --bootstrap-proxy PROXY_URL  The proxy server for the node being bootstrapped
        --bootstrap-version VERSION  The version of Chef to install
    -N, --node-name NAME             The Chef node name for your new node
    -s, --server-url URL             Chef Server URL
    -k, --key KEY                    API Client Key
        --color                      Use colored output, defaults to enabled
    -c, --config CONFIG              The configuration file to use
        --defaults                   Accept default values for all questions
        --disable-editing            Do not open EDITOR, just accept the data as is
    -d, --distro DISTRO              Bootstrap a distro using a template
    -e, --editor EDITOR              Set the editor to use for interactive commands
    -E, --environment ENVIRONMENT    Set the Chef environment
    -j JSON_ATTRIBS                  A JSON string to be added to the first run of chef-client
        --json-attributes
    -F, --format FORMAT              Which format to use for output
        --hint HINT_NAME[=HINT_FILE] Specify Ohai Hint to be set on the bootstrap target. Use multiple --hint options to specify multiple hints.
        --host-key-verify            Verify host key, enabled by default.
    -i IDENTITY_FILE                 The SSH identity file used for authentication
        --identity-file
    -u, --user USER                  API Client Username
        --prerelease                 Install the pre-release chef gems
        --print-after                Show the data after a destructive operation
    -r, --run-list RUN_LIST          Comma separated list of roles/recipes to apply
    -G, --ssh-gateway GATEWAY        The ssh gateway
    -P, --ssh-password PASSWORD      The ssh password
    -p, --ssh-port PORT              The ssh port
    -x, --ssh-user USERNAME          The ssh username
        --template-file TEMPLATE     Full path to location of template to use
        --sudo                       Execute the bootstrap via sudo
    -V, --verbose                    More verbose output. Use twice for max verbosity
    -v, --version                    Show chef version
    -y, --yes                        Say yes to all prompts for confirmation
    -h, --help                       Show this message
  Now let us initialize chef-client-1

ubuntu@chef-workstation:~$ sudo knife bootstrap 10.6.1.172 -x ubuntu -P password --sudo

Bootstrapping Chef on 10.6.1.172
10.6.1.172 --2012-11-09 03:34:40--  http://opscode.com/chef/install.sh
10.6.1.172 Resolving opscode.com...
10.6.1.172 184.106.28.83
10.6.1.172 Connecting to opscode.com|184.106.28.83|:80...
10.6.1.172 connected.
10.6.1.172 HTTP request sent, awaiting response...
10.6.1.172 301 Moved Permanently
10.6.1.172 Location: http://www.opscode.com/chef/install.sh
10.6.1.172 --2012-11-09 03:34:41--  http://www.opscode.com/chef/install.sh
10.6.1.172 Resolving www.opscode.com...
10.6.1.172 184.106.28.83
10.6.1.172 Reusing existing connection to opscode.com:80.
10.6.1.172 HTTP request sent, awaiting response...
10.6.1.172 200 OK
10.6.1.172 Length: 6396 (6.2K)
10.6.1.172 Saving to: `STDOUT'
10.6.1.172
 0% [                                       ] 0         --.-K/s
10.6.1.172 Downloading Chef 10.16.2 for ubuntu...
100%[======================================>] 6,396       18.7K/s   in 0.3s
10.6.1.172
10.6.1.172 2012-11-09 03:34:42 (18.7 KB/s) - written to stdout
10.6.1.172
10.6.1.172 Installing Chef 10.16.2
10.6.1.172 Selecting previously deselected package chef.
10.6.1.172 (Reading database ...
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 41378 files and directories currently installed.)
10.6.1.172 Unpacking chef (from .../chef_10.16.2_amd64.deb) ...
10.6.1.172 Setting up chef (10.16.2-1.ubuntu.10.04) ...
10.6.1.172 Thank you for installing Chef!
10.6.1.172 INFO: *** Chef 10.16.2 ***
10.6.1.172 INFO: Client key /etc/chef/client.pem is not present - registering
10.6.1.172 INFO: HTTP Request Returned 404 Not Found: Cannot load node chef-client-1
10.6.1.172 INFO: Setting the run_list to [] from JSON
10.6.1.172 INFO: Run List is []
10.6.1.172 INFO: Run List expands to []
10.6.1.172 INFO: HTTP Request Returned 404 Not Found: No routes match the request: /reports/nodes/chef-client-1/runs
10.6.1.172 INFO: Starting Chef Run for chef-client-1
10.6.1.172 INFO: Running start handlers
10.6.1.172 INFO: Start handlers complete.
10.6.1.172 INFO: Loading cookbooks []
10.6.1.172 WARN: Node chef-client-1 has an empty run list.
10.6.1.172 INFO: Chef Run complete in 0.438462677 seconds
10.6.1.172 INFO: Running report handlers
10.6.1.172 INFO: Report handlers complete
  Verify that chef-client-1 has registered

ubuntu@chef-workstation:~$ knife client list

chef-client-1
chef-server
chef-validator
chef-webui
chef-workstation
ubuntu
  As we can see, chef-client-1 has registered with chef-server successfully, and the whole environment chef-workstation => chef-server => chef-client-1 is now in place.
  4. Next, we can begin the following process



Chef Centralized Management Tool in Practice, Part (2): Server Configuration
  


  This article

Chef Centralized Configuration Management Tool in Practice, Part (2): Server Configuration
  References

http://wiki.opscode.com/display/ChefCN/Just+Enough+Ruby+for+Chef

http://wiki.opscode.com/display/chef/Fast+Start+Guide

http://gigix.thoughtworkers.org/2011/1/30/devops

http://gigix.thoughtworkers.org/2011/2/20/chef-2-rails-server

http://gigix.thoughtworkers.org/2011/3/2/chef-3-first-cookbook

http://gigix.thoughtworkers.org/2011/3/12/devops-readings
  Environment

OS: Ubuntu 10.10 Server 64-bit

Servers:

chef-server: 10.6.1.170

chef-workstation: 10.6.1.171

chef-client-1: 10.6.1.172
  1. Starting here

Through the previous two parts we learned what Chef is and successfully deployed the whole environment. But what Chef can concretely do, and which concrete functions it can deliver, is still rather a fog.

In this part we deepen our understanding by using Chef to manage user accounts and the SSH server centrally.
  Earlier, when we introduced the Cookbook (recipe book), we said: "Some excellent cooks have already written many cookbooks; these are what I will learn from and copy." What that really means is that the Chef community already has many official cookbooks, and cookbooks written by excellent community members, available for download; we only need to read their README files to use them quickly and conveniently. That is the subject of this part.
  And "Once my skills mature, I will write my own dishes and cookbooks to create banquets of my own." really means that, once I am familiar with using other people's cookbooks, I can try to borrow from them and write cookbooks that suit me, to do some custom, specific management of my own servers that may not apply in other environments. That is the subject of the next part.
  2. How to begin

First, let us be clear about the task at hand: "use Chef to configure user accounts and the SSH server".
  Next, we can log in to the official Chef community at http://community.opscode.com/cookbooks and search whether related cookbooks already exist.

After searching, we can confirm that the following cookbooks can help us complete the task:

1) User accounts: user

2) SSH server: openssh
  ubuntu@chef-workstation:~$ cd /opt/chef-local/

View the knife configuration

ubuntu@chef-workstation:/opt/chef-local$ cat .chef/knife.rb


log_level                :info
log_location             STDOUT
node_name                'chef-workstation'
client_key               '/opt/chef-local/.chef/chef-workstation.pem'
validation_client_name   'chef-validator'
validation_key           '/opt/chef-local/.chef/validation.pem'
chef_server_url          'http://chef-server:4000'
cache_type               'BasicFile'
cache_options( :path => '/opt/chef-local/.chef/checksums' )
cookbook_path [ '/opt/chef-local/cookbooks' ]

  2.1 First, let us deploy and use user to manage users

Download the cookbook

ubuntu@chef-workstation:/opt/chef-local$ sudo knife cookbook site install user


Installing user to /opt/chef-local/cookbooks
Checking out the master branch.
Creating pristine copy branch chef-vendor-user
Downloading user from the cookbooks site at version 0.3.0 to /opt/chef-local/cookbooks/user.tar.gz
Cookbook saved: /opt/chef-local/cookbooks/user.tar.gz
Removing pre-existing version.
Uncompressing user version 0.3.0.
removing downloaded tarball
1 files updated, committing changes
Creating tag cookbook-site-imported-user-0.3.0
Checking out the master branch.
Updating a3bec38..f06cc56
Fast-forward
cookbooks/user/.gitignore                        |    2 +
cookbooks/user/.travis.yml                         |    6 +
cookbooks/user/CHANGELOG.md                        |   95 +++++
cookbooks/user/README.md                           |391 ++++++++++++++++++++
cookbooks/user/Rakefile                            |   33 ++
cookbooks/user/attributes/default.rb               |   42 ++
cookbooks/user/metadata.json                     |   35 ++
cookbooks/user/metadata.rb                         |   14 +
cookbooks/user/providers/account.rb                |173 +++++++++
cookbooks/user/recipes/data_bag.rb               |   52 +++
cookbooks/user/recipes/default.rb                  |   18 +
cookbooks/user/resources/account.rb                |   40 ++
.../user/templates/default/authorized_keys.erb   |    7 +
13 files changed, 908 insertions(+), 0 deletions(-)
create mode 100644 cookbooks/user/.gitignore
create mode 100644 cookbooks/user/.travis.yml
create mode 100644 cookbooks/user/CHANGELOG.md
create mode 100644 cookbooks/user/README.md
create mode 100644 cookbooks/user/Rakefile
create mode 100644 cookbooks/user/attributes/default.rb
create mode 100644 cookbooks/user/metadata.json
create mode 100644 cookbooks/user/metadata.rb
create mode 100644 cookbooks/user/providers/account.rb
create mode 100644 cookbooks/user/recipes/data_bag.rb
create mode 100644 cookbooks/user/recipes/default.rb
create mode 100644 cookbooks/user/resources/account.rb
create mode 100644 cookbooks/user/templates/default/authorized_keys.erb
Cookbook user version 0.3.0 successfully installed

  ubuntu@chef-workstation:/opt/chef-local$ cd cookbooks/

ubuntu@chef-workstation:/opt/chef-local/cookbooks$ ls

README.md  user

  The README.md file under each cookbook is very useful: it explains how the cookbook is configured and how it communicates with chef-server.

For example, after reading user's README.md we know that we need to create a data bag named users, put each user's information into it as a json file, and then specify the users to configure through override_attributes in the role's configuration file.


  ubuntu@chef-workstation:/opt/chef-local/cookbooks$ cd user/

ubuntu@chef-workstation:/opt/chef-local/cookbooks/user$ ll

total 76
drwxr-xr-x 7 root root  4096 Nov 15 20:31 ./
drwxr-xr-x 3 root root  4096 Nov 15 20:31 ../
-rw-r--r-- 1 root root    18 Nov 15 20:31 .gitignore
-rw-r--r-- 1 root root   141 Nov 15 20:31 .travis.yml
-rw-r--r-- 1 root root  2705 Nov 15 20:31 CHANGELOG.md
-rw-r--r-- 1 root root 11753 Nov 15 20:31 README.md
-rw-r--r-- 1 root root   813 Nov 15 20:31 Rakefile
drwxr-xr-x 2 root root  4096 Nov 15 20:31 attributes/
-rw-r--r-- 1 root root 13048 Nov 15 20:31 metadata.json
-rw-r--r-- 1 root root   538 Nov 15 20:31 metadata.rb
drwxr-xr-x 2 root root  4096 Nov 15 20:31 providers/
drwxr-xr-x 2 root root  4096 Nov 15 20:31 recipes/
drwxr-xr-x 2 root root  4096 Nov 15 20:31 resources/
drwxr-xr-x 3 root root  4096 Nov 15 20:31 templates/

  ubuntu@chef-workstation:/opt/chef-local/cookbooks/user$ cd recipes/

ubuntu@chef-workstation:/opt/chef-local/cookbooks/user/recipes$ ls

data_bag.rb  default.rb

  dongguo@chef-workstation:/opt/chef-local/cookbooks/user/attributes$ ls

default.rb

  Upload the cookbook to chef-server

ubuntu@chef-workstation:/opt/chef-local$ sudo knife cookbook upload user

Uploading user
Uploaded 1 cookbook.

  Create a role

ubuntu@chef-workstation:/opt/chef-local$ cd roles/

ubuntu@chef-workstation:/opt/chef-local/roles$ sudo vim ubuntu_servers.rb

name "ubuntu_servers"
description "The base role applied to all nodes."
# The bracketed recipe names were lost when this page was extracted. The second
# entry is recovered from the chef-client run shown later (user::data_bag); the
# first is assumed to be the user cookbook's default recipe.
run_list(
  "recipe[user]",
  "recipe[user::data_bag]"
)
override_attributes(
  "users" => [ "ubuntu" ]
)

  Upload the role to chef-server

ubuntu@chef-workstation:/opt/chef-local$ sudo knife role from file roles/ubuntu_servers.rb


Updated Role ubuntu_servers!

  Create the data_bag for the user cookbook

ubuntu@chef-workstation:/opt/chef-local$ cd data_bags/

ubuntu@chef-workstation:/opt/chef-local/data_bags$ sudo mkdir users

ubuntu@chef-workstation:/opt/chef-local/data_bags$ sudo vim users/ubuntu.json


{
  "id"                : "ubuntu",
  "gid"               : "admin",
  "comment"           : "ubuntu",
  "home"              : "/home/ubuntu",
  "create_user_group" : "false",
  "ssh_keygen"        : "false",
  "ssh_keys"          : "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+upV++0vIM2PuD2XvH+zOUF6JsfofPCvCdqZ/Wg0GaRvcuPpKs7Ua2APSsvtvEz9ohQvexS1DO4G1ZjIO20dsc82BHTFxd3DmZyQ8g/CLoIKIdkDImSffQxBYM//8URvtk16HTmuYVY9poalbVhlErhg0xSbyx/DQfOChfc34T8481iWPZ0pnJLj7z5AUvYR8fcWGtbMhveoyKuB4VocsQvKfgVUauS1jIGGac7kC8XGVc6fEVzzTycS7dTypzHDJp3I9wHWoiMF4SD5MRb0sEhlvaOtryHGVdcfFj4Mrdiu8NepL7yyCb9qGdB7QbT1+hNCnZukWP4Iz6yzATLzS"
}
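
Before uploading a data bag item like the one above, a practitioner would check it. The following is added example code, not part of the original post or the user cookbook: it verifies that the item id matches the file name knife will load it from, and that every ssh_keys entry is a structurally valid public key and not private key material (a data bag item is readable by every registered client). sample_user_item mirrors ubuntu.json above with a freshly generated key, and the accepted key types are an assumption.

```ruby
require 'json'
require 'openssl'

# Key types accepted in ssh_keys (assumed set; extend for your environment).
KEY_TYPES = %w[ssh-rsa ssh-ed25519 ecdsa-sha2-nistp256].freeze

# True when the line is a structurally valid OpenSSH public key: a known type,
# strict base64, and a blob whose first length-prefixed string repeats the type.
def ssh_public_key?(line)
  type, blob = line.to_s.strip.split(' ', 3)
  return false unless KEY_TYPES.include?(type) && blob
  raw = blob.unpack1('m0')                 # strict base64; raises on bad input
  len = raw[0, 4].to_s.unpack1('N')
  !len.nil? && raw[4, len] == type
rescue ArgumentError
  false
end

# Validates one item of the "users" data bag before `knife data bag from file`.
# Returns a list of problems (empty when the item is fine).
def validate_user_item(json_text, file_name)
  item = JSON.parse(json_text)
  errors = []
  expected_id = File.basename(file_name, '.json')
  unless item['id'] == expected_id
    errors << "id #{item['id'].inspect} does not match file name #{expected_id}.json"
  end
  # ssh_keys may be one string (as in the post) or an array of strings.
  Array(item['ssh_keys']).each do |key|
    if key.include?('PRIVATE KEY')
      errors << 'ssh_keys contains private key material'
    elsif !ssh_public_key?(key)
      errors << "ssh_keys entry is not a well-formed public key: #{key[0, 20]}..."
    end
  end
  errors
rescue JSON::ParserError => e
  ["not valid JSON: #{e.message}"]
end

# Encodes an RSA public key as an authorized_keys line (OpenSSH wire format), so
# the sample item carries a real, decodable key instead of the one in the post.
def ssh_rsa_public_line(rsa, comment)
  mpint = lambda do |bn|
    bytes = bn.to_s(2)
    bytes = "\x00".b + bytes if bytes.getbyte(0) >= 0x80   # keep it positive
    [bytes.bytesize].pack('N') + bytes
  end
  blob = [7].pack('N') + 'ssh-rsa'.b + mpint.call(rsa.e) + mpint.call(rsa.n)
  "ssh-rsa #{[blob].pack('m0')} #{comment}"
end

# Constructed item in the shape of data_bags/users/ubuntu.json from the post.
def sample_user_item(ssh_key)
  JSON.generate(
    'id' => 'ubuntu', 'gid' => 'admin', 'comment' => 'ubuntu',
    'home' => '/home/ubuntu', 'create_user_group' => 'false',
    'ssh_keygen' => 'false', 'ssh_keys' => ssh_key
  )
end

# Runs the validator over a good item and three broken ones.
def demo_validation
  key_line = ssh_rsa_public_line(OpenSSL::PKey::RSA.generate(2048), 'ubuntu@chef-workstation')
  {
    good: validate_user_item(sample_user_item(key_line), 'users/ubuntu.json'),
    wrong_file: validate_user_item(sample_user_item(key_line), 'users/deploy.json'),
    bad_key: validate_user_item(sample_user_item('ssh-rsa not*base64'), 'users/ubuntu.json'),
    private_key: validate_user_item(
      sample_user_item("-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----"),
      'users/ubuntu.json'
    )
  }
end
```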

  Upload the data_bag to chef-server

ubuntu@chef-workstation:/opt/chef-local/data_bags$ sudo knife data bag create users

Created data_bag

  ubuntu@chef-workstation:/opt/chef-local/data_bags$ sudo knife data bag from file users users/ubuntu.json


Updated data_bag_item

  Add a run_list to the node, i.e. assign the ubuntu_servers role to chef-client-1

ubuntu@chef-workstation:/opt/chef-local$ sudo knife node run_list add chef-client-1 "role[ubuntu_servers]"

run_list: role[ubuntu_servers]

  Run chef-client on chef-client-1 to pull the configuration

ubuntu@chef-client-1:~$ sudo chef-client

INFO: *** Chef 10.16.2 ***
INFO: Run List is ]
INFO: Run List expands to
INFO: HTTP Request Returned 404 Not Found: No routes match the request: /reports/nodes/chef-client-1/runs
INFO: Starting Chef Run for chef-client-1
INFO: Running start handlers
INFO: Start handlers complete.
INFO: Loading cookbooks
INFO: Processing user_account action create (user::data_bag line 36)
INFO: Processing user action create (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
INFO: user altered
INFO: Processing directory action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: directory created directory /home/ubuntu/.ssh
INFO: directory owner changed to 1000
INFO: directory group changed to 109
INFO: directory mode changed to 700
INFO: Processing directory action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: directory group changed to 109
INFO: directory mode changed to 2755
INFO: Processing template action create (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
INFO: template updated content
INFO: template owner changed to 1000
INFO: template group changed to 109
INFO: template mode changed to 600
INFO: Processing user action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
INFO: Processing directory action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: Processing directory action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: Processing template action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
INFO: Processing execute action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 148)
INFO: Chef Run complete in 0.766601698 seconds
INFO: Running report handlers
INFO: Report handlers complete

  We can see that chef-client has successfully pulled the information for the ubuntu user and automatically carried out a series of configuration steps.

With that, we have used Chef's user cookbook to complete one automated server deployment.
  2.2 Next, let us configure OpenSSH through Chef

Commit the series of changes we just made locally, since we use git to manage the Chef configuration.

ubuntu@chef-workstation:/opt/chef-local$ sudo git commit -a -m "update"
  Install the openssh cookbook

ubuntu@chef-workstation:/opt/chef-local$ sudo knife cookbook site install openssh

Installing openssh to /opt/chef-local/cookbooks
Checking out the master branch.
Creating pristine copy branch chef-vendor-openssh
Downloading openssh from the cookbooks site at version 1.1.2 to /opt/chef-local/cookbooks/openssh.tar.gz
Cookbook saved: /opt/chef-local/cookbooks/openssh.tar.gz
Removing pre-existing version.
Uncompressing openssh version 1.1.2.
removing downloaded tarball
1 files updated, committing changes
Creating tag cookbook-site-imported-openssh-1.1.2
Checking out the master branch.
Updating 8945cc6..ea9f570
Fast-forward
cookbooks/openssh/.gitignore                     |    4 +
cookbooks/openssh/CHANGELOG.md                     |   19 ++
cookbooks/openssh/CONTRIBUTING                     |   29 +++
cookbooks/openssh/Gemfile                        |    3 +
cookbooks/openssh/LICENSE                        |201 ++++++++++++++++++++
cookbooks/openssh/README.md                        |122 ++++++++++++
cookbooks/openssh/attributes/default.rb            |125 ++++++++++++
.../files/default/tests/minitest/config_test.rb    |   38 ++++
.../files/default/tests/minitest/default_test.rb   |   13 ++
.../default/tests/minitest/support/helpers.rb      |   13 ++
cookbooks/openssh/metadata.json                  |   37 ++++
cookbooks/openssh/metadata.rb                      |   12 ++
cookbooks/openssh/recipes/default.rb               |   73 +++++++
cookbooks/openssh/templates/default/port_ssh.erb   |    2 +
cookbooks/openssh/templates/default/ssh_config.erb |   11 +
.../openssh/templates/default/sshd_config.erb      |   11 +
16 files changed, 713 insertions(+), 0 deletions(-)
create mode 100644 cookbooks/openssh/.gitignore
create mode 100644 cookbooks/openssh/CHANGELOG.md
create mode 100644 cookbooks/openssh/CONTRIBUTING
create mode 100644 cookbooks/openssh/Gemfile
create mode 100644 cookbooks/openssh/LICENSE
create mode 100644 cookbooks/openssh/README.md
create mode 100644 cookbooks/openssh/attributes/default.rb
create mode 100644 cookbooks/openssh/files/default/tests/minitest/config_test.rb
create mode 100644 cookbooks/openssh/files/default/tests/minitest/default_test.rb
create mode 100644 cookbooks/openssh/files/default/tests/minitest/support/helpers.rb
create mode 100644 cookbooks/openssh/metadata.json
create mode 100644 cookbooks/openssh/metadata.rb
create mode 100644 cookbooks/openssh/recipes/default.rb
create mode 100644 cookbooks/openssh/templates/default/port_ssh.erb
create mode 100644 cookbooks/openssh/templates/default/ssh_config.erb
create mode 100644 cookbooks/openssh/templates/default/sshd_config.erb
Cookbook openssh version 1.1.2 successfully installed

We can see that the openssh cookbook has been installed

ubuntu@chef-workstation:/opt/chef-local/cookbooks$ ls

README.md  openssh  user

Likewise, by reading README.md carefully we can learn how this cookbook is used: modify the corresponding parameters in attributes, then add the recipe to the role's configuration file.

ubuntu@chef-workstation:/opt/chef-local/cookbooks$ cd openssh/

ubuntu@chef-workstation:/opt/chef-local/cookbooks/openssh$ ls

CHANGELOG.md  CONTRIBUTING  Gemfile  LICENSE  README.md  attributes  files  metadata.json  metadata.rb  recipes  templates

  ubuntu@chef-workstation:/opt/chef-local/cookbooks/openssh/attributes$ ls

default.rb

Opening the default attributes file, we can see that many options have already been defined.

ubuntu@chef-workstation:/opt/chef-local/cookbooks/openssh/attributes$ sudo vim default.rb


#
# Cookbook Name:: openssh
# Attributes:: default
#
# Author:: Ernie Brodeur
# Copyright 2008-2012, Opscode, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Attributes are commented out using the default config file values.
# Uncomment the ones you need, or set attributes in a role.
#
default['openssh']['package_name'] = case node['platform_family']
when "rhel", "fedora"
%w{openssh-clients openssh}
when "arch"
%w{openssh}
else
%w{openssh-client openssh-server}
end
default['openssh']['service_name'] = case node['platform_family']
when "rhel", "fedora"
"sshd"
else
"ssh"
end
# ssh config group
default['openssh']['client']['host'] = "*"
# default['openssh']['client']['forward_agent'] = "no"
# default['openssh']['client']['forward_x11'] = "no"
# default['openssh']['client']['rhosts_rsa_authentication'] = "no"
# default['openssh']['client']['rsa_authentication'] = "yes"
# default['openssh']['client']['password_authentication'] = "yes"
# default['openssh']['client']['host_based_authentication'] = "no"
# default['openssh']['client']['gssapi_authentication'] = "no"
# default['openssh']['client']['gssapi_delegate_credentials'] = "no"
# default['openssh']['client']['batch_mode'] = "no"
# default['openssh']['client']['check_host_ip'] = "yes"
# default['openssh']['client']['address_family'] = "any"
# default['openssh']['client']['connect_timeout'] = "0"
# default['openssh']['client']['strict_host_key_checking'] = "ask"
# default['openssh']['client']['identity_file'] = "~/.ssh/identity"
# default['openssh']['client']['identity_file_rsa'] = "~/.ssh/id_rsa"
# default['openssh']['client']['identity_file_dsa'] = "~/.ssh/id_dsa"
# default['openssh']['client']['port'] = "22"
# default['openssh']['client']['protocol'] = [ "2 1" ]
# default['openssh']['client']['cipher'] = "3des"
# default['openssh']['client']['ciphers'] = [ "aes128-ctr aes192-ctr aes256-ctr arcfour256 arcfour128 aes128-cbc 3des-cbc" ]
# default['openssh']['client']['macs'] = [ "hmac-md5 hmac-sha1 umac-64@openssh.com hmac-ripemd160" ]
# default['openssh']['client']['escape_char'] = "~"
# default['openssh']['client']['tunnel'] = "no"
# default['openssh']['client']['tunnel_device'] = "any:any"
# default['openssh']['client']['permit_local_command'] = "no"
# default['openssh']['client']['visual_host_key'] = "no"
# default['openssh']['client']['proxy_command'] = "ssh -q -W %h:%p gateway.example.com"
# sshd config group
# default['openssh']['server']['port'] = "22"
# default['openssh']['server']['address_family'] = "any"
# default['openssh']['server']['listen_address'] = [ "0.0.0.0 ::" ]
# default['openssh']['server']['protocol'] = "2"
# default['openssh']['server']['host_key_v1'] = "/etc/ssh/ssh_host_key"
# default['openssh']['server']['host_key_rsa'] = "/etc/ssh/ssh_host_rsa_key"
# default['openssh']['server']['host_key_dsa'] = "/etc/ssh/ssh_host_dsa_key"
# default['openssh']['server']['host_key_ecdsa'] = "/etc/ssh/ssh_host_ecdsa_key"
# default['openssh']['server']['key_regeneration_interval'] = "1h"
# default['openssh']['server']['server_key_bits'] = "1024"
# default['openssh']['server']['syslog_facility'] = "AUTH"
# default['openssh']['server']['log_level'] = "INFO"
# default['openssh']['server']['login_grace_time'] = "2m"
# default['openssh']['server']['permit_root_login'] = "yes"
# default['openssh']['server']['strict_modes'] = "yes"
# default['openssh']['server']['max_auth_tries'] = "6"
# default['openssh']['server']['max_sessions'] = "10"
# default['openssh']['server']['rsa_authentication'] = "yes"
# default['openssh']['server']['pub_key_authentication'] = "yes"
default['openssh']['server']['authorized_keys_file'] = "%h/.ssh/authorized_keys"
# default['openssh']['server']['rhosts_rsa_authentication'] = "no"
# default['openssh']['server']['host_based_authentication'] = "no"
# default['openssh']['server']['ignore_user_known_hosts'] = "no"
# default['openssh']['server']['ignore_rhosts'] = "yes"
# default['openssh']['server']['password_authentication'] = "yes"
# default['openssh']['server']['permit_empty_passwords'] = "no"
default['openssh']['server']['challenge_response_authentication'] = "no"
# default['openssh']['server']['kerberos_authentication'] = "no"
# default['openssh']['server']['kerberos_or_localpasswd'] = "yes"
# default['openssh']['server']['kerberos_ticket_cleanup'] = "yes"
# default['openssh']['server']['kerberos_get_afs_token'] = "no"
# default['openssh']['server']['gssapi_authentication'] = "no"
# default['openssh']['server']['gssapi_clean_up_credentials'] = "yes"
default['openssh']['server']['use_p_a_m'] = "yes"
# default['openssh']['server']['allow_agent_forwarding'] = "yes"
# default['openssh']['server']['allow_tcp_forwarding'] = "yes"
# default['openssh']['server']['gateway_ports'] = "no"
# default['openssh']['server']['x11_forwarding'] = "no"
# default['openssh']['server']['x11_display_offset'] = "10"
# default['openssh']['server']['x11_use_localhost'] = "yes"
# default['openssh']['server']['print_motd'] = "yes"
# default['openssh']['server']['print_lastlog'] = "yes"
# default['openssh']['server']['t_c_p_keep_alive'] = "yes"
# default['openssh']['server']['use_login'] = "no"
# default['openssh']['server']['use_privilege_separation'] = "yes"
# default['openssh']['server']['permit_user_environment'] = "no"
# default['openssh']['server']['compression'] = "delayed"
# default['openssh']['server']['client_alive_interval'] = "0"
# default['openssh']['server']['client_alive_count_max'] = "3"
# default['openssh']['server']['use_dns'] = "yes"
# default['openssh']['server']['pid_file'] = "/var/run/sshd.pid"
# default['openssh']['server']['max_startups'] = "10"
# default['openssh']['server']['permit_tunnel'] = "no"
# default['openssh']['server']['chroot_directory'] = "none"
# default['openssh']['server']['banner'] = "none"
# default['openssh']['server']['subsystem'] =   "sftp   /usr/libexec/sftp-server"

Here we can change the following options so that OpenSSH accepts only key-based authentication and password login is disabled (the generated sshd_config further below shows the resulting PasswordAuthentication no).

default['openssh']['server']['password_authentication'] = "no"
default['openssh']['server']['use_dns'] = "yes"

After making the changes, upload the openssh cookbook

ubuntu@chef-workstation:/opt/chef-local/cookbooks/openssh/attributes$ sudo knife cookbook upload openssh

Uploading openssh      
Uploaded 1 cookbook.

Add openssh to the role

ubuntu@chef-workstation:/opt/chef-local/cookbooks/openssh/attributes$ cd /opt/chef-local/roles/

ubuntu@chef-workstation:/opt/chef-local/roles$ sudo vim ubuntu_servers.rb

name "ubuntu_servers"
description "The base role applied to all nodes."
run_list(
"recipe",
"recipe",
"recipe"
)
override_attributes(
"users" => [ "ubuntu" ]
)

Update the role

ubuntu@chef-workstation:/opt/chef-local/roles$ sudo knife role from file ubuntu_servers.rb


Updated Role ubuntu_servers!

Pull the configuration on the chef-client

ubuntu@chef-client-1:~$ sudo chef-client

INFO: *** Chef 10.16.2 ***
INFO: Run List is ]
INFO: Run List expands to
INFO: HTTP Request Returned 404 Not Found: No routes match the request: /reports/nodes/chef-client-1/runs
INFO: Starting Chef Run for chef-client-1
INFO: Running start handlers
INFO: Start handlers complete.
INFO: Loading cookbooks
INFO: Processing user_account action create (user::data_bag line 36)
INFO: Processing user action create (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
INFO: Processing directory action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: Processing directory action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: Processing template action create (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
INFO: Processing user action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
INFO: Processing directory action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: Processing directory action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: Processing template action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
INFO: Processing execute action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 148)
INFO: Processing package action install (openssh::default line 27)
INFO: Processing package action install (openssh::default line 27)
INFO: Processing service action enable (openssh::default line 30)
INFO: service enabled
INFO: Processing service action start (openssh::default line 30)
INFO: Processing template action create (openssh::default line 48)
INFO: template backed up to /var/chef/backup/etc/ssh/ssh_config.chef-20121217205128
INFO: template updated content
INFO: template owner changed to 0
INFO: template group changed to 0
INFO: template mode changed to 644
INFO: Processing template action create (openssh::default line 66)
INFO: template backed up to /var/chef/backup/etc/ssh/sshd_config.chef-20121217205129
INFO: template updated content
INFO: template owner changed to 0
INFO: template group changed to 0
INFO: template mode changed to 644
INFO: template sending restart action to service (delayed)
INFO: Processing service action restart (openssh::default line 30)
INFO: service restarted
INFO: Chef Run complete in 1.742643517 seconds
INFO: Running report handlers
INFO: Report handlers complete

We can see that chef-client-1 has automatically fetched the corresponding attributes, updated the OpenSSH configuration file and restarted the service.
Looking at the OpenSSH configuration file by hand, it contains only the few parameters we configured. Don't worry about that: every other parameter has a default value, so the OpenSSH configuration as a whole is fine.

ubuntu@chef-client-1:~$ cat /etc/ssh/sshd_config

# Generated by Chef for chef-client-1
AuthorizedKeysFile %h/.ssh/authorized_keys
ChallengeResponseAuthentication no
PasswordAuthentication no
UseDns yes
UsePAM yes

With that, we have completed the management of user accounts and the OpenSSH configuration through Chef, and should now have a concrete understanding of what Chef does.

But this is only a beginning. If all we could do was change parameters in cookbooks written by others, that would be rather limiting.

So next, we will create our own cookbook and configure servers exactly as we like!

3. Next, we can move on to the following part



Chef Centralized Management Tool in Practice (3): Custom Configuration
  


Contents of this article

Chef Centralized Management Tool in Practice (3): Custom Configuration
References

http://wiki.opscode.com/display/chef/Resources#Resources-Service
Environment

OS: Ubuntu 10.10 Server 64-bit

Servers:

chef-server:10.6.1.170

chef-workstation:10.6.1.171

chef-client-1:10.6.1.172
1. Start cooking your own feast

"Once my skills are good enough, I will also write my own dishes and recipes to create a feast of my own." I mentioned this sentence earlier, and in the previous chapter we completed the account and openssh configuration using cookbooks provided by the official community.

In this chapter we will write a cookbook, turn the different custom configuration tasks into separate recipes, and finally use it to configure the server.
2. How to start

How do we start? Using the official community cookbooks is simple: just modify the parameters in attributes. But if we want to write our own, how do we write it, and in what format?

You probably have exactly this question. Rest assured, the official Chef community has very complete online documentation to refer to.
The URL listed under "References" above is the corresponding documentation address: http://wiki.opscode.com/display/chef/Resources#Resources-Service

There is a lot of material, and the table of contents on the right of that page helps to keep it organised.
There are roughly 30 modules in total, each with its own examples.

The most commonly used are:

Account management: Group, User

Configuration files: Template, File

Scripts and commands: Script, Execute

System services: Cron, Service, Mount, Package
The details of each of these can be found on the page above, so I won't describe them here; we will get to know them through practice next.
3. Plan what to do next

Taking a situation from my own production environment as an example: the OS is Ubuntu, and there are the following tasks to complete:

1. Create a group named project and add the previously created user ubuntu to it

2. Change the system's default APT mirror to http://old-releases.ubuntu.com

3. Install build-essential with apt-get

4. Build and install pcre 8.10 from source
This time, instead of searching the official community for a third-party cookbook, we will write one ourselves.
3.1 First, design the cookbook

Name the cookbook mycookbook.

Then create 4 recipes, named

conf_group, conf_sources.list, install_build-essential, build_pcre

to carry out the 4 tasks above.
3.2 Start writing the cookbook

3.2.1 Create the cookbook

ubuntu@chef-workstation:/opt/chef-local$ sudo knife cookbook create mycookbook


** Creating cookbook mycookbook
** Creating README for cookbook: mycookbook
** Creating CHANGELOG for cookbook: mycookbook
** Creating metadata for cookbook: mycookbook

  
  ubuntu@chef-workstation:/opt/chef-local$ cd cookbooks/mycookbook/

ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook$ ls


CHANGELOG.md  README.md  attributes  definitions  files  libraries  metadata.rb  providers  recipes  resources  templates

  ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook$ cd recipes/

ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ ls


default.rb

3.2.2 Create the recipe conf_group

ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ sudo vim conf_group.rb


# Create the project group with a fixed gid and put ubuntu in it
group "project" do
  gid 999
  members [ 'ubuntu' ]
end

3.2.3 Create the recipe conf_sources.list

ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ sudo vim conf_sources.list.rb


# Refresh the package index; action :nothing means it runs only when notified
execute "update" do
  command "sudo apt-get update"
  action :nothing
end
# Render the mirror list and, when the file content changes, run the
# execute resource named "update" above right away
template "/etc/apt/sources.list" do
  source "sources.list.erb"
  mode 0644
  owner "root"
  group "root"
  notifies :run, "execute[update]", :immediately
end

  ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ cd ../templates/default/

ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/templates/default$ sudo vim sources.list.erb



# Generated by Chef for <%= node['fqdn'] %>
deb http://old-releases.ubuntu.com/ubuntu/ maverick main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ maverick-security main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ maverick-updates main restricted universe multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ maverick main restricted universe multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ maverick-security main restricted universe multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ maverick-updates main restricted universe multiverse

3.2.4 Create the recipe install_build-essential

ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/templates/default$ cd ../../recipes/

ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ sudo vim install_build-essential.rb


package "build-essential" do
  action :install
end

3.2.5 Create the recipe build_pcre

ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ sudo vim build_pcre.rb


# Download, build and install pcre 8.10 as root; the not_if guard makes the
# resource idempotent by skipping the build once pcregrep is installed.
# Note that the tarball is fetched over plain HTTP and is not verified.
script "build_pcre" do
  interpreter "bash"
  user "root"
  cwd "/tmp"
  not_if "test -f /usr/local/bin/pcregrep"
  code <<-EOH
  wget http://nchc.dl.sourceforge.net/project/pcre/pcre/8.10/pcre-8.10.tar.gz
  tar zxvf pcre-8.10.tar.gz
  cd pcre-8.10
  ./configure
  make
  make install
  EOH
end

3.3 Upload and apply the cookbook

ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ ll


total 28
drwxr-xr-x  2 root root 4096 Jan  6 18:30 ./
drwxr-xr-x 10 root root 4096 Jan  6 18:11 ../
-rw-r--r--  1 root root  305 Jan  6 18:30 build_pcre.rb
-rw-r--r--  1 root root   56 Jan  6 18:17 conf_group.rb
-rw-r--r--  1 root root  234 Jan  6 18:19 conf_sources.list.rb
-rw-r--r--  1 root root  136 Jan  6 18:11 default.rb
-rw-r--r--  1 root root   51 Jan  6 18:24 install_build-essential.rb

Upload the cookbook

ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ sudo knife cookbook upload mycookbook


Uploading mycookbook   
Uploaded 1 cookbook.

View the current role configuration file

ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ cd ../../../roles/

ubuntu@chef-workstation:/opt/chef-local/roles$ ls


README.md  ubuntu_servers.rb

  ubuntu@chef-workstation:/opt/chef-local/roles$ cat ubuntu_servers.rb


name "ubuntu_servers"
description "The base role applied to all nodes."
run_list(
  "recipe",
  "recipe",
  "recipe"
)
override_attributes(
  "users" => [ "ubuntu" ]
)

Update the role configuration file

ubuntu@chef-workstation:/opt/chef-local/roles$ sudo vim ubuntu_servers.rb


name "ubuntu_servers"
description "The base role applied to all nodes."
run_list(
  "recipe",
  "recipe",
  "recipe",
  "recipe",
  "recipe",
  "recipe",
  "recipe"
)
override_attributes(
  "users" => [ "ubuntu" ]
)

Upload the role configuration file

ubuntu@chef-workstation:/opt/chef-local/roles$ sudo knife role from file ubuntu_servers.rb



Updated Role ubuntu_servers!

List the nodes

ubuntu@chef-workstation:/opt/chef-local/roles$ sudo knife node list


chef-client-1
chef-server

Update the node's run_list

ubuntu@chef-workstation:/opt/chef-local/roles$ sudo knife node run_list add chef-client-1 "role"


run_list:role

3.4 Apply the new cookbook on the node

ubuntu@chef-client-1:~$ sudo chef-client


INFO: *** Chef 10.16.2 ***
INFO: Run List is ]
INFO: Run List expands to
INFO: HTTP Request Returned 404 Not Found: No routes match the request: /reports/nodes/chef-client-1/runs
INFO: Starting Chef Run for chef-client-1
INFO: Running start handlers
INFO: Start handlers complete.
INFO: Loading cookbooks
INFO: Storing updated cookbooks/openssh/recipes/default.rb in the cache.
INFO: Storing updated cookbooks/openssh/attributes/default.rb in the cache.
INFO: Storing updated cookbooks/openssh/.gitignore in the cache.
INFO: Storing updated cookbooks/openssh/metadata.rb in the cache.
INFO: Storing updated cookbooks/openssh/README.md in the cache.
INFO: Storing updated cookbooks/openssh/LICENSE in the cache.
INFO: Storing updated cookbooks/openssh/CHANGELOG.md in the cache.
INFO: Storing updated cookbooks/openssh/metadata.json in the cache.
INFO: Storing updated cookbooks/openssh/Gemfile in the cache.
INFO: Storing updated cookbooks/openssh/CONTRIBUTING in the cache.
INFO: Storing updated cookbooks/user/resources/account.rb in the cache.
INFO: Storing updated cookbooks/user/providers/account.rb in the cache.
INFO: Storing updated cookbooks/user/recipes/data_bag.rb in the cache.
INFO: Storing updated cookbooks/user/recipes/default.rb in the cache.
INFO: Storing updated cookbooks/user/attributes/default.rb in the cache.
INFO: Storing updated cookbooks/user/Rakefile in the cache.
INFO: Storing updated cookbooks/user/CHANGELOG.md in the cache.
INFO: Storing updated cookbooks/user/README.md in the cache.
INFO: Storing updated cookbooks/user/metadata.rb in the cache.
INFO: Storing updated cookbooks/user/metadata.json in the cache.
INFO: Storing updated cookbooks/mycookbook/recipes/build_nginx.rb in the cache.
INFO: Storing updated cookbooks/mycookbook/recipes/conf_group.rb in the cache.
INFO: Storing updated cookbooks/mycookbook/recipes/conf_sources.list.rb in the cache.
INFO: Storing updated cookbooks/mycookbook/recipes/default.rb in the cache.
INFO: Storing updated cookbooks/mycookbook/recipes/install_build-essential.rb in the cache.
INFO: Storing updated cookbooks/mycookbook/recipes/build_pcre.rb in the cache.
INFO: Storing updated cookbooks/mycookbook/README.md in the cache.
INFO: Storing updated cookbooks/mycookbook/metadata.rb in the cache.
INFO: Storing updated cookbooks/mycookbook/CHANGELOG.md in the cache.
INFO: Processing user_account action create (user::data_bag line 36)
INFO: Processing user action create (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
INFO: user created
INFO: Processing directory action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: directory created directory /home/ubuntu/.ssh
INFO: directory owner changed to 1001
INFO: directory group changed to 109
INFO: directory mode changed to 700
INFO: Processing directory action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: directory mode changed to 2755
INFO: Processing template action create (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
INFO: template updated content
INFO: template owner changed to 1001
INFO: template group changed to 109
INFO: template mode changed to 600
INFO: Processing user action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
INFO: Processing directory action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: Processing directory action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: Processing template action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
INFO: Processing execute action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 148)
INFO: Processing package action install (openssh::default line 27)
INFO: Processing package action install (openssh::default line 27)
INFO: Processing service action enable (openssh::default line 30)
INFO: service enabled
INFO: Processing service action start (openssh::default line 30)
INFO: Processing template action create (openssh::default line 48)
INFO: template backed up to /var/chef/backup/etc/ssh/ssh_config.chef-20130106190629
INFO: template updated content
INFO: template owner changed to 0
INFO: template group changed to 0
INFO: template mode changed to 644
INFO: Processing template action create (openssh::default line 66)
INFO: template backed up to /var/chef/backup/etc/ssh/sshd_config.chef-20130106190629
INFO: template updated content
INFO: template owner changed to 0
INFO: template group changed to 0
INFO: template mode changed to 644
INFO: Processing group action create (mycookbook::conf_group line 1)
INFO: group created
INFO: Processing execute action nothing (mycookbook::conf_sources.list line 1)
INFO: Processing template action create (mycookbook::conf_sources.list line 6)
INFO: template backed up to /var/chef/backup/etc/apt/sources.list.chef-20130106190629
INFO: template updated content
INFO: template owner changed to 0
INFO: template group changed to 0
INFO: template mode changed to 644
INFO: template sending run action to execute (immediate)
INFO: Processing execute action run (mycookbook::conf_sources.list line 1)
INFO: execute ran successfully
INFO: Processing package action install (mycookbook::install_build-essential line 1)
INFO: Processing script action run (mycookbook::build_pcre line 1)
INFO: script ran successfully
INFO: template sending restart action to service (delayed)
INFO: Processing service action restart (openssh::default line 30)
INFO: service restarted
INFO: Chef Run complete in 448.775004685 seconds
INFO: Running report handlers
INFO: Report handlers complete

From the output above we can clearly follow the execution of each recipe, and all of them ran successfully.
We verify each of them as follows:

ubuntu@chef-client-1:~$ id ubuntu


uid=1001(ubuntu) gid=109(admin) groups=109(admin),999(project)

  ubuntu@chef-client-1:~$ cat /etc/apt/sources.list


# Generated by Chef for chef-client-1
deb http://old-releases.ubuntu.com/ubuntu/ maverick main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ maverick-security main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ maverick-updates main restricted universe multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ maverick main restricted universe multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ maverick-security main restricted universe multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ maverick-updates main restricted universe multiverse

  ubuntu@chef-client-1:~$ dpkg -l | grep build-essential


ii  build-essential                11.5                              Informational list of build-essential packages

  ubuntu@chef-client-1:~$ which pcregrep


/usr/local/bin/pcregrep

The checks above confirm once more that every task has been executed.

We have successfully completed the custom cookbook configuration.
4. More advanced features

By now we have gained some ability to write cookbooks.

Below I share some experience I found valuable:
4.1 Install the official community cookbook chef-client to have clients pull the server configuration automatically on a schedule, every 30 minutes by default; the interval is configurable

Tips:

---

$ sudo knife cookbook site install chef-client
Reference it as follows:


"recipe",
"recipe",
"recipe",

4.2 Adapting the openssh cookbook

Tips:

---

Copy the system's /etc/ssh/sshd_config directly to use as the template file sshd_config.erb

Then change only the parameters you need to customise so that they are read from attributes, for example:


PasswordAuthentication <%= node['openssh']['server']['password_authentication'] %>
UseDNS <%= node['openssh']['server']['use_dns'] %>

Similarly, we can write our own attributes file to provide these parameters.
4.3 Overriding attribute values in the role file

Tips:

---

With override_attributes you can set attribute values directly, so that different roles use different values.

For example, for the official community sudo cookbook, the attribute values can be overridden as follows:
Default attribute values:


default['authorization']['sudo']['groups'] = Array.new
default['authorization']['sudo']['users'] = Array.new
default['authorization']['sudo']['passwordless'] = false
default['authorization']['sudo']['include_sudoers_d'] = false
default['authorization']['sudo']['agent_forwarding'] = false

Values overridden in the role file:


override_attributes(
  "authorization" => {
    "sudo" => {
      "groups" => ["admin"],
      "passwordless" => true,
      "users" => ["zabbix"]
    }
  }
)

5. This wraps up the series

To put it bluntly, that is as far as I can take you. From here, by referring to the official documentation and applying Chef more widely in practice, we will become more proficient with this powerful centralized management tool, and no matter how many servers we have, we will be able to keep them in good order.
  


Original article: http://heylinux.com/archives/2175.html