Chef Centralized Management Tool in Practice (0): What Is Chef
Series index
Chef Centralized Management Tool in Practice (0): What Is Chef
Chef Centralized Management Tool in Practice (1): Environment Deployment
Chef Centralized Management Tool in Practice (2): Server Configuration
Chef Centralized Management Tool in Practice (3): Custom Configuration
Contents of this article
Chef Centralized Management Tool in Practice (0): What Is Chef
References
http://my.oschina.net/williamherrychina/blog/63576
http://www.rubycc.com/bbs/topic_detail/91
http://gigix.thoughtworkers.org/2011/2/19/chef-1
Chef community site
http://community.opscode.com/
1.1 A First Look at Chef
To get acquainted with Chef, it helps to first look at the DevOps movement (http://zh.wikipedia.org/wiki/DevOps). Put simply, traditional software organizations set up development, IT operations and quality assurance as separate departments; the DevOps movement arose because the software industry increasingly recognized that, to deliver software products and services on time, development and operations must work closely together.
So Chef, put simply, is one of the important tools of the DevOps movement: a centralized management tool aimed at both developers and operations.
Imagine we need to set up a MySQL database slave server. We install it by hand, and not long after we need a second one. At that point we think: had we written the commands run during the first install into a script, installing the second would just be a matter of running the script, saving time and leaving less room for error.
Chef is essentially such a script management tool, but far more powerful and highly customizable: Chef turns the scripted commands into code, customizing means editing that code, and installing is the process of executing it.
By analogy, Chef is like a toy factory that turns raw materials into nice toys. It has templates: you put the raw materials in, pick a template (say, Shrek), and it produces that toy. Server configuration works the same way: take an unconfigured server, assign it a template (a role or recipe), and Chef configures it into the production server you want.
1.2 Chef Compared with Puppet
Among centralized server management tools, the one whose reputation rivals Chef's is "Puppet"; they are the two best-known OSS tools in this space.
Let us compare their differences:

| Comparison | Puppet | Chef |
|---|---|---|
| History | Some | Still young |
| Users | Many, including well-known companies | Still relatively few; some companies such as 37signals use it |
| Development activity | Moderate | Active (feels like it is in its prime) |
| Documentation | Plenty | Sufficient |
| Configuration files | Written in a dedicated syntax (external DSL) | Written in Ruby (internal DSL) |
| Configuration structure | Somewhat hard to follow | Relatively easy to understand; naming is well chosen |
| Dependency handling | Execution order is decided by the system | Like a Makefile: essentially the order written; more script-like than Puppet |
| Required middleware | None | The server side needs CouchDB and RabbitMQ |
| Installation | Simple, a gem install suffices | Server-side installation is more involved; the client side is simple, just a gem |
| Integration with other systems | Essentially none | Uses a RESTful service API and returns JSON, so a lot can be done |
1.3 Chef Architecture
Here is Chef's architecture diagram (the image is not reproduced in this text); a few notes on it:
There is a central server running chef-server
Chef stores its data in a CouchDB database
RabbitMQ and chef-solr provide the search function
Chef also provides a graphical user interface (chef-server-webui)
The Workstation holds a pem file; knife (the tool used to configure Chef) uses it to authenticate and talks to chef-server over the REST API
The Workstation uploads configuration (recipes and so on describing how each Client should configure itself) to the server
Each Client holds a pem file; chef-client uses it to authenticate and talks to chef-server over the REST API
When a new Client is added, validator.pem must be copied from the central server to the new Client
The Client uses this pem to register and obtains its own client.pem for all later authentication
The Client connects to the Chef server to find out how it should be configured, then configures itself
1.4 Chef's Three Management Modes
Chef-Solo
An ordinary computer controls all the servers; no dedicated chef-server is needed
Client-Server
All servers act as chef-clients and are managed centrally by a chef-server, covering installation, configuration and so on. The chef-server can be self-hosted, but there is a lot to install; since it uses Solr as its full-text search engine, Java is also required
Opscode Platform
Like Client-Server, except the server side is not self-hosted; instead the chef-server service provided by http://www.opscode.com is used
Of these three modes, Client-Server is clearly the best and also the most complex, since it lets you build a private centralized Chef management environment locally without depending on any third-party platform.
1.5 What Chef Can Do
What can Chef do? The answer is: anything. This is easy to understand: as long as you can run commands on a server, you can apply any configuration to it (as the saying goes: where there is a SHELL, there is a way).
People may have a misconception about Chef here: because Chef configures services with something like templates, they may think it only suits services whose configurations are fairly similar. That seriously underestimates Chef. Take the official mysql cookbook: it supports many OS platforms at once:
debian, ubuntu, centos, suse, fedora, redhat, scientific, amazon, freebsd, windows. Once you understand Chef more deeply, this will no longer surprise you.
1.6 How Chef Works
Ignoring all the details, Chef works like this:
On the Workstation, define how each Client should configure itself, then upload this information to the central server
Each Client connects to the central server to find out how to configure itself, then does so
So once the Chef environment is set up, the vast majority of the work happens on the Workstation; only when that work is done and you decide to apply it to the Clients do you touch the Server and the Clients.
1.7 An Intuitive Explanation of Chef's Terms
Chef: the cook
I am a novice cook who wants to prepare a server banquet, that is, a respectable server that can serve some purpose.
Cookbook
A book someone else has written, containing the methods for a set of related dishes (say, "Home-style Sichuan Cooking"). Some excellent server cooks have already written many cookbooks; these are what I will learn from and copy.
Recipe: one dish in a cookbook (say, "Mapo Tofu")
How to make one part of the server banquet is all written down in the recipe.
So the whole story is:
As a novice cook (Chef), I want to pick a few suitable dishes (Recipes) from the many existing cookbooks (Cookbooks) and combine them into a banquet (a server) to entertain my guests.
Once my skills mature I will also write my own dishes and cookbooks to create banquets of my own.
Chef's main goal is: turn server configuration into source code.
This has two benefits:
Automation
I can easily copy the preparation of one server banquet straight onto another server, and so I get another banquet.
Configuration management
Server configuration information can be managed well with Git: it can be shared, worked on by several people, and its change history tracked.
Chef manages all the machines to be configured in a server-client model; using Chef involves at least three machines:
A development machine, the Workstation, on which the banquet recipes are written;
A Chef server, which manages all the Chef clients to be configured and pushes configuration information to them;
Several Chef clients (Nodes), which are the banquets I am going to cook.
1.8 Next, we can proceed with the following
We now have a basic understanding of Chef; next we can deepen it through hands-on practice in the following steps.
Chef Centralized Management Tool in Practice (1): Environment Deployment
Contents of this article
Chef Centralized Configuration Management Tool in Practice (1): Environment Deployment
References
http://wiki.opscode.com/pages/viewpage.action?pageId=24773429
http://wiki.opscode.com/display/chef/Installing+Chef+Server+on+Debian+or+Ubuntu+using+Packages
http://wiki.opscode.com/display/chef/Workstation+Setup+for+Debian+and+Ubuntu
http://wiki.opscode.com/display/chef/Knife+Bootstrap
Environment
OS: Ubuntu 10.10 Server 64-bit (deployment has also been verified to succeed on 12.04.1 and 12.10)
Servers:
chef-server:10.6.1.170
chef-workstation:10.6.1.171
chef-client-1:10.6.1.172
chef-client-2:10.6.1.173
1. Install and Configure Chef Server
Edit hosts
ubuntu@chef-server:~$ sudo vim /etc/hosts
127.0.0.1 localhost

10.6.1.170 chef-server
10.6.1.171 chef-workstation
10.6.1.172 chef-client-1
10.6.1.173 chef-client-2
Note:
Add an IP resolution record for this machine's own hostname to /etc/hosts; this is very important.
Installing chef-server first installs rabbitmq-server, and without that record rabbitmq-server fails to start, which in turn breaks the installation of all the other chef-server packages. If you are not aware of this, troubleshooting becomes very inconvenient.
Create /etc/apt/sources.list.d/opscode.list
ubuntu@chef-server:~$ sudo echo "deb http://apt.opscode.com/ `lsb_release -cs`-0.10 main" | sudo tee /etc/apt/sources.list.d/opscode.list
Add the GPG key
ubuntu@chef-server:~$ sudo mkdir -p /etc/apt/trusted.gpg.d
ubuntu@chef-server:~$ sudo gpg --keyserver keys.gnupg.net --recv-keys 83EF826A
ubuntu@chef-server:~$ sudo gpg --export packages@opscode.com | sudo tee /etc/apt/trusted.gpg.d/opscode-keyring.gpg > /dev/null
ubuntu@chef-server:~$ sudo apt-get update
ubuntu@chef-server:~$ sudo apt-get install opscode-keyring
Install the NTP time service; Chef needs the clocks of the workstation, all clients and the server to agree
ubuntu@chef-server:~$ sudo apt-get install ntp
Update the existing system
ubuntu@chef-server:~$ sudo apt-get upgrade
Install the chef-server packages
ubuntu@chef-server:~$ sudo apt-get install chef chef-server
Enter the URL: http://chef-server:4000
Enter the password: chef-server
This step does the following:
Installs Chef Server and its dependencies, such as Merb, CouchDB and RabbitMQ, more than 300 packages in all
Starts CouchDB and RabbitMQ
Starts chef-server-api on port 4000
Starts chef-server-webui on port 4040
Starts chef-solr-indexer, which connects automatically to rabbitmq-server
Starts chef-solr and chef-client
Creates the related configuration files in /etc/chef
After installation, check and confirm the following ports:
Chef Server - 4000
Chef Server WebUI - 4040
CouchDB - 5984
RabbitMQ - 5672
Chef Solr - 8983
ubuntu@chef-server:~$ sudo netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      11402/sshd
tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN      31998/merb : chef-s
tcp        0      0 0.0.0.0:4040            0.0.0.0:*               LISTEN      32168/merb : chef-s
tcp        0      0 0.0.0.0:5672            0.0.0.0:*               LISTEN      30470/beam
tcp        0      0 127.0.0.1:5984          0.0.0.0:*               LISTEN      30518/beam
tcp        0      0 0.0.0.0:41891           0.0.0.0:*               LISTEN      30128/beam
tcp6       0      0 :::22                   :::*                    LISTEN      11402/sshd
tcp6       0      0 127.0.0.1:8983          :::*                    LISTEN      31760/java
...
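As an added example (not code from the original post), here is a Ruby check that turns the port list above into something a script can verify: it parses `netstat -lntp` output, confirms each Chef port is listening, and distinguishes services bound to loopback from those bound to a wildcard address, which is the part worth reviewing before the server is reachable by other hosts. The port-to-service mapping and the sample listing are taken from this post; everything else is an assumption of this example.

```ruby
# Added example, not from the original post: audit `netstat -lntp` output for the
# ports Chef Server needs and report which of them accept connections from other hosts.

# Port -> service mapping as listed in the post (assumed complete for this install).
CHEF_PORTS = {
  4000 => 'chef-server-api',
  4040 => 'chef-server-webui',
  5984 => 'couchdb',
  5672 => 'rabbitmq',
  8983 => 'chef-solr',
}.freeze

# Local addresses that mean "every interface".
WILDCARD_ADDRS = %w[0.0.0.0 ::].freeze

Listener = Struct.new(:proto, :addr, :port, :program)

# Turn the text of `netstat -lntp` into Listener records; headers and non-LISTEN rows are skipped.
def parse_netstat(text)
  text.each_line.map do |line|
    cols = line.split
    next unless cols[0] =~ /\Atcp6?\z/ && cols[5] == 'LISTEN'
    addr, _sep, port = cols[3].rpartition(':') # "127.0.0.1:5984" or ":::22"
    Listener.new(cols[0], addr, port.to_i, cols[6..-1].join(' '))
  end.compact
end

# For each expected Chef service: :missing (nothing listening), :local (loopback only)
# or :exposed (bound to a wildcard address, reachable from any host that can route here).
def audit_chef_ports(listeners)
  by_port = listeners.group_by(&:port)
  CHEF_PORTS.each_with_object({}) do |(port, name), report|
    ls = by_port[port]
    report[name] = if ls.nil?
                     :missing
                   elsif ls.any? { |l| WILDCARD_ADDRS.include?(l.addr) }
                     :exposed
                   else
                     :local
                   end
  end
end

# Wildcard-bound ports that are neither expected Chef ports nor SSH; each one should be
# explainable (in the sample it is an extra Erlang/beam listener next to RabbitMQ).
def unexpected_exposed(listeners, allowed = CHEF_PORTS.keys + [22])
  listeners.select { |l| WILDCARD_ADDRS.include?(l.addr) && !allowed.include?(l.port) }
           .map { |l| [l.port, l.program] }
           .uniq
end

# Sample input: the listing captured on chef-server in this post.
NETSTAT_SAMPLE = <<~OUT
  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      11402/sshd
  tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN      31998/merb : chef-s
  tcp        0      0 0.0.0.0:4040            0.0.0.0:*               LISTEN      32168/merb : chef-s
  tcp        0      0 0.0.0.0:5672            0.0.0.0:*               LISTEN      30470/beam
  tcp        0      0 127.0.0.1:5984          0.0.0.0:*               LISTEN      30518/beam
  tcp        0      0 0.0.0.0:41891           0.0.0.0:*               LISTEN      30128/beam
  tcp6       0      0 :::22                   :::*                    LISTEN      11402/sshd
  tcp6       0      0 127.0.0.1:8983          :::*                    LISTEN      31760/java
OUT

if __FILE__ == $PROGRAM_NAME
  listeners = parse_netstat(NETSTAT_SAMPLE)
  audit_chef_ports(listeners).each { |name, status| puts format('%-18s %s', name, status) }
  unexpected_exposed(listeners).each { |port, prog| puts "unexpected wildcard listener: #{port} (#{prog})" }
end
```

On a live server, feed it `netstat -lntp` output (`parse_netstat(`netstat -lntp`)`) instead of the sample; the API, WebUI and RabbitMQ ports show up as :exposed in this install, while CouchDB and Solr stay on loopback.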
Log in to the Web UI
Address: http://chef-server:4040 (to reach it, add "10.6.1.170 chef-server" to the hosts file of your local computer)
Account: admin
Password: chef-server
Install and configure the knife command-line tool
ubuntu@chef-server:~$ mkdir -p ~/.chef
ubuntu@chef-server:~$ sudo cp /etc/chef/validation.pem /etc/chef/webui.pem ~/.chef
ubuntu@chef-server:~$ sudo chown -R $USER ~/.chef
ubuntu@chef-server:~$ knife configure -i
WARNING: No knife configuration file found
Where should I put the config file ? [/home/ubuntu/.chef/knife.rb]
Please enter the chef server URL: [http://chef-server:4000] http://chef-server:4000
Please enter a clientname for the new client: [ubuntu]
Please enter the existing admin clientname: [chef-webui]
Please enter the location of the existing admin client's private key: [/etc/chef/webui.pem] .chef/webui.pem
Please enter the validation clientname: [chef-validator]
Please enter the location of the validation key: [/etc/chef/validation.pem] .chef/validation.pem
Please enter the path to a chef repository (or leave blank):
Creating initial API user...
Created client[ubuntu]
Configuration file written to /home/ubuntu/.chef/knife.rb
Run a knife command to check that it can connect to the specified Chef Server
ubuntu@chef-server:~$ knife client list
chef-validator
chef-webui
ubuntu
ubuntu@chef-server:~$ knife cookbook list
ubuntu@chef-server:~$ sudo apt-get install ntp
Create and configure a knife client for the workstation
ubuntu@chef-server:~$ knife client create chef-workstation -d -a -f /home/ubuntu/.chef/chef-workstation.pem
Created client[chef-workstation]
ubuntu@chef-server:~$ knife client show chef-workstation
_rev: 1-2a52b9416bad08b697e9c644a0aea4cc
admin: true
chef_type: client
json_class: Chef::ApiClient
name: chef-workstation
public_key: -----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
2. Install and Configure chef-workstation
Edit hosts
ubuntu@chef-workstation:~$ vim /etc/hosts
127.0.0.1 localhost

10.6.1.170 chef-server
10.6.1.171 chef-workstation
10.6.1.172 chef-client-1
10.6.1.173 chef-client-2
Install Ruby and the other dependencies
ubuntu@chef-workstation:~$ sudo apt-get install ruby ruby-dev libopenssl-ruby rdoc ri irb build-essential wget ssl-cert curl
Install RubyGems
ubuntu@chef-workstation:~$ cd /tmp
ubuntu@chef-workstation:~$ curl -O http://production.cf.rubygems.org/rubygems/rubygems-1.8.10.tgz
ubuntu@chef-workstation:~$ tar zxf rubygems-1.8.10.tgz
ubuntu@chef-workstation:~$ cd rubygems-1.8.10
ubuntu@chef-workstation:/tmp/rubygems-1.8.10$ sudo ruby setup.rb --no-format-executable
Install the Chef gem
ubuntu@chef-workstation:/tmp/rubygems-1.8.10$ sudo gem install chef --no-ri --no-rdoc
Fetching: mixlib-config-1.1.2.gem (100%)
Fetching: mixlib-cli-1.2.2.gem (100%)
Fetching: mixlib-log-1.4.1.gem (100%)
Fetching: mixlib-authentication-1.3.0.gem (100%)
Fetching: mixlib-shellout-1.1.0.gem (100%)
Fetching: systemu-2.5.2.gem (100%)
Fetching: yajl-ruby-1.1.0.gem (100%)
Building native extensions. This could take a while ...
Fetching: ipaddress-0.8.0.gem (100%)
Fetching: ohai-6.14.0.gem (100%)
Fetching: mime-types-1.19.gem (100%)
Fetching: rest-client-1.6.7.gem (100%)
Fetching: bunny-0.7.9.gem (100%)
[Version 0.7.8] test suite cleanup (eliminated some race conditions related to queue.message_count)
Fetching: json-1.6.1.gem (100%)
Building native extensions. This could take a while ...
Fetching: polyglot-0.3.3.gem (100%)
Fetching: treetop-1.4.12.gem (100%)
Fetching: net-ssh-2.2.2.gem (100%)
Fetching: net-ssh-gateway-1.1.0.gem (100%)
Fetching: net-ssh-multi-1.1.gem (100%)
Fetching: highline-1.6.15.gem (100%)
Fetching: erubis-2.7.0.gem (100%)
Fetching: moneta-0.6.0.gem (100%)
Fetching: uuidtools-2.1.3.gem (100%)
Fetching: chef-10.16.2.gem (100%)
Successfully installed mixlib-config-1.1.2
Successfully installed mixlib-cli-1.2.2
Successfully installed mixlib-log-1.4.1
Successfully installed mixlib-authentication-1.3.0
Successfully installed mixlib-shellout-1.1.0
Successfully installed systemu-2.5.2
Successfully installed yajl-ruby-1.1.0
Successfully installed ipaddress-0.8.0
Successfully installed ohai-6.14.0
Successfully installed mime-types-1.19
Successfully installed rest-client-1.6.7
Successfully installed bunny-0.7.9
Successfully installed json-1.6.1
Successfully installed polyglot-0.3.3
Successfully installed treetop-1.4.12
Successfully installed net-ssh-2.2.2
Successfully installed net-ssh-gateway-1.1.0
Successfully installed net-ssh-multi-1.1
Successfully installed highline-1.6.15
Successfully installed erubis-2.7.0
Successfully installed moneta-0.6.0
Successfully installed uuidtools-2.1.3
Successfully installed chef-10.16.2
23 gems installed
Install Git
ubuntu@chef-workstation:~$ sudo apt-get -y install git-core
ubuntu@chef-workstation:~$ git --version
git version 1.7.1
Create the Chef Repository
Note: most Chef configuration work is done in the Chef Repository on the Workstation; different Chef Repositories can manage different Chef Servers.
ubuntu@chef-workstation:~$ sudo git clone git://github.com/opscode/chef-repo.git /opt/chef-local
Initialized empty Git repository in /opt/chef-local/.git/
remote: Counting objects: 199, done.
remote: Compressing objects: 100% (117/117), done.
remote: Total 199 (delta 72), reused 162 (delta 49)
Receiving objects: 100% (199/199), 30.34 KiB | 10 KiB/s, done.
Resolving deltas: 100% (72/72), done.
ubuntu@chef-workstation:~$ cd /opt/chef-local/
ubuntu@chef-workstation:/opt/chef-local$ ls
README.md Rakefile certificates chefignore config cookbooks data_bags environments roles
Create the configuration directory
ubuntu@chef-workstation:/opt/chef-local$ sudo mkdir -p .chef
Copy the pem credential files to the Workstation
ubuntu@chef-workstation:/opt/chef-local$ sudo scp ubuntu@chef-server:/home/ubuntu/.chef/chef-workstation.pem .chef/
ubuntu@chef-workstation:/opt/chef-local$ sudo scp ubuntu@chef-server:/home/ubuntu/.chef/validation.pem .chef/
ubuntu@chef-workstation:/opt/chef-local$ ls .chef/
chef-workstation.pem validation.pem
ubuntu@chef-workstation:/opt/chef-local$ sudo knife configure
WARNING: No knife configuration file found
Where should I put the config file ? [/home/ubuntu/.chef/knife.rb] .chef/knife.rb
Please enter the chef server URL: [http://chef-workstation:4000] http://chef-server:4000
Please enter an existing username or clientname for the API: [ubuntu] chef-workstation
Please enter the validation clientname: [chef-validator]
Please enter the location of the validation key: [/etc/chef/validation.pem] .chef/validation.pem
Please enter the path to a chef repository (or leave blank): /opt/chef-local
*****

You must place your client key in:
  /opt/chef-local/.chef/chef-workstation.pem
Before running commands with Knife!

*****

You must place your validation key in:
  /opt/chef-local/.chef/validation.pem
Before generating instance data with Knife!

*****
Configuration file written to /opt/chef-local/.chef/knife.rb
Verify that the configuration is correct
ubuntu@chef-workstation:~$ sudo ntpdate chef-server
Confirm that knife can connect to the Chef Server
ubuntu@chef-workstation:~$ knife client list
chef-server
chef-validator
chef-webui
chef-workstation
ubuntu
ubuntu@chef-workstation:~$ knife client show chef-validator
_rev: 1-96959e21dfdb3f232a3ce8bae835475b
admin: false
chef_type: client
json_class: Chef::ApiClient
name: chef-validator
public_key: -----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
3. Install and Configure chef-client
Edit hosts
ubuntu@chef-client-1:~$ vim /etc/hosts
127.0.0.1 localhost

10.6.1.170 chef-server
10.6.1.171 chef-workstation
10.6.1.172 chef-client-1
10.6.1.173 chef-client-2
Synchronize time with chef-server
ubuntu@chef-client-1:~$ sudo ntpdate chef-server
Bootstrap can be used to initialize a target node as a Client
ubuntu@chef-workstation:~$ knife bootstrap --help
knife bootstrap FQDN (options)
    --bootstrap-proxy PROXY_URL  The proxy server for the node being bootstrapped
    --bootstrap-version VERSION  The version of Chef to install
-N, --node-name NAME             The Chef node name for your new node
-s, --server-url URL             Chef Server URL
-k, --key KEY                    API Client Key
    --[no-]color                 Use colored output, defaults to enabled
-c, --config CONFIG              The configuration file to use
    --defaults                   Accept default values for all questions
    --disable-editing            Do not open EDITOR, just accept the data as is
-d, --distro DISTRO              Bootstrap a distro using a template
-e, --editor EDITOR              Set the editor to use for interactive commands
-E, --environment ENVIRONMENT    Set the Chef environment
-j JSON_ATTRIBS                  A JSON string to be added to the first run of chef-client
    --json-attributes
-F, --format FORMAT              Which format to use for output
    --hint HINT_NAME[=HINT_FILE] Specify Ohai Hint to be set on the bootstrap target. Use multiple --hint options to specify multiple hints.
    --[no-]host-key-verify       Verify host key, enabled by default.
-i IDENTITY_FILE                 The SSH identity file used for authentication
    --identity-file
-u, --user USER                  API Client Username
    --prerelease                 Install the pre-release chef gems
    --print-after                Show the data after a destructive operation
-r, --run-list RUN_LIST          Comma separated list of roles/recipes to apply
-G, --ssh-gateway GATEWAY        The ssh gateway
-P, --ssh-password PASSWORD      The ssh password
-p, --ssh-port PORT              The ssh port
-x, --ssh-user USERNAME          The ssh username
    --template-file TEMPLATE     Full path to location of template to use
    --sudo                       Execute the bootstrap via sudo
-V, --verbose                    More verbose output. Use twice for max verbosity
-v, --version                    Show chef version
-y, --yes                        Say yes to all prompts for confirmation
-h, --help                       Show this message
Now let us initialize chef-client-1
ubuntu@chef-workstation:~$ sudo knife bootstrap 10.6.1.172 -x ubuntu -P password --sudo
Bootstrapping Chef on 10.6.1.172
10.6.1.172 --2012-11-09 03:34:40--  http://opscode.com/chef/install.sh
10.6.1.172 Resolving opscode.com...
10.6.1.172 184.106.28.83
10.6.1.172 Connecting to opscode.com|184.106.28.83|:80...
10.6.1.172 connected.
10.6.1.172 HTTP request sent, awaiting response...
10.6.1.172 301 Moved Permanently
10.6.1.172 Location: http://www.opscode.com/chef/install.sh [following]
10.6.1.172 --2012-11-09 03:34:41--  http://www.opscode.com/chef/install.sh
10.6.1.172 Resolving www.opscode.com...
10.6.1.172 184.106.28.83
10.6.1.172 Reusing existing connection to opscode.com:80.
10.6.1.172 HTTP request sent, awaiting response...
10.6.1.172 200 OK
10.6.1.172 Length: 6396 (6.2K) [application/x-sh]
10.6.1.172 Saving to: `STDOUT'
10.6.1.172
 0% [                                      ] 0           --.-K/s
10.6.1.172 Downloading Chef 10.16.2 for ubuntu...
100%[======================================>] 6,396       18.7K/s   in 0.3s
10.6.1.172
10.6.1.172 2012-11-09 03:34:42 (18.7 KB/s) - written to stdout [6396/6396]
10.6.1.172
10.6.1.172 Installing Chef 10.16.2
10.6.1.172 Selecting previously deselected package chef.
10.6.1.172 (Reading database ...
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 41378 files and directories currently installed.)
10.6.1.172 Unpacking chef (from .../chef_10.16.2_amd64.deb) ...
10.6.1.172 Setting up chef (10.16.2-1.ubuntu.10.04) ...
10.6.1.172 Thank you for installing Chef!
10.6.1.172 [2012-11-09T03:57:46+08:00] INFO: *** Chef 10.16.2 ***
10.6.1.172 [2012-11-09T03:57:47+08:00] INFO: Client key /etc/chef/client.pem is not present - registering
10.6.1.172 [2012-11-09T03:57:47+08:00] INFO: HTTP Request Returned 404 Not Found: Cannot load node chef-client-1
10.6.1.172 [2012-11-09T03:57:47+08:00] INFO: Setting the run_list to [] from JSON
10.6.1.172 [2012-11-09T03:57:47+08:00] INFO: Run List is []
10.6.1.172 [2012-11-09T03:57:47+08:00] INFO: Run List expands to []
10.6.1.172 [2012-11-09T03:57:47+08:00] INFO: HTTP Request Returned 404 Not Found: No routes match the request: /reports/nodes/chef-client-1/runs
10.6.1.172 [2012-11-09T03:57:47+08:00] INFO: Starting Chef Run for chef-client-1
10.6.1.172 [2012-11-09T03:57:47+08:00] INFO: Running start handlers
10.6.1.172 [2012-11-09T03:57:47+08:00] INFO: Start handlers complete.
10.6.1.172 [2012-11-09T03:57:48+08:00] INFO: Loading cookbooks []
10.6.1.172 [2012-11-09T03:57:48+08:00] WARN: Node chef-client-1 has an empty run list.
10.6.1.172 [2012-11-09T03:57:48+08:00] INFO: Chef Run complete in 0.438462677 seconds
10.6.1.172 [2012-11-09T03:57:48+08:00] INFO: Running report handlers
10.6.1.172 [2012-11-09T03:57:48+08:00] INFO: Report handlers complete
Verify that chef-client-1 has registered
ubuntu@chef-workstation:~$ knife client list
chef-client-1
chef-server
chef-validator
chef-webui
chef-workstation
ubuntu
As shown above, chef-client-1 has registered successfully with chef-server; the whole environment, chef-workstation => chef-server => chef-client-1, is now set up.
4. Next, we can proceed with the following
Chef Centralized Management Tool in Practice (2): Server Configuration
Contents of this article
Chef Centralized Configuration Management Tool in Practice (2): Server Configuration
References
http://wiki.opscode.com/display/ChefCN/Just+Enough+Ruby+for+Chef
http://wiki.opscode.com/display/chef/Fast+Start+Guide
http://gigix.thoughtworkers.org/2011/1/30/devops
http://gigix.thoughtworkers.org/2011/2/20/chef-2-rails-server
http://gigix.thoughtworkers.org/2011/3/2/chef-3-first-cookbook
http://gigix.thoughtworkers.org/2011/3/12/devops-readings
Environment
OS: Ubuntu 10.10 Server 64-bit
Servers:
chef-server:10.6.1.170
chef-workstation:10.6.1.171
chef-client-1:10.6.1.172
1. Starting Here
In the previous two parts we learned what Chef is and successfully deployed the whole environment. But what Chef can concretely do, and which concrete functions it can deliver, is still rather hazy at this point.
In this part we deepen our understanding by using Chef to centrally manage user accounts and the SSH server.
Earlier, when discussing Cookbooks, we said "some excellent cooks have already written many cookbooks; these are what I will learn from and copy." What this really means is that the Chef community already offers many official cookbooks, and cookbooks written by excellent community members, for download; we only need to read their README files to use them quickly and easily. That is what this part covers.
And "once my skills mature I will also write my own dishes and cookbooks to create banquets of my own" really means that, once I am familiar with using other people's cookbooks, I can try to draw on them and write cookbooks suited to my own needs, for custom, site-specific management of my servers that may not apply in other environments. That is what the next part covers.
2. How to Start
First, let us state the task at hand precisely: "use Chef to configure user accounts and the SSH server".
Next, we can go to the official Chef community site http://community.opscode.com/cookbooks and search for existing cookbooks that could be used.
After searching, we can confirm that the following cookbooks will help us complete the task:
1) User accounts: user
2) SSH Server: openssh
ubuntu@chef-workstation:~$ cd /opt/chef-local/
View the knife configuration
ubuntu@chef-workstation:/opt/chef-local$ cat .chef/knife.rb
log_level                :info
log_location             STDOUT
node_name                'chef-workstation'
client_key               '/opt/chef-local/.chef/chef-workstation.pem'
validation_client_name   'chef-validator'
validation_key           '/opt/chef-local/chef/validation.pem'
chef_server_url          'http://chef-server:4000'
cache_type               'BasicFile'
cache_options( :path => '/opt/chef-local/.chef/checksums' )
cookbook_path [ '/opt/chef-local/cookbooks' ]
2.1 First, deploy the user cookbook and use it to manage users
Download the cookbook
ubuntu@chef-workstation:/opt/chef-local$ sudo knife cookbook site install user
Installing user to /opt/chef-local/cookbooks
Checking out the master branch.
Creating pristine copy branch chef-vendor-user
Downloading user from the cookbooks site at version 0.3.0 to /opt/chef-local/cookbooks/user.tar.gz
Cookbook saved: /opt/chef-local/cookbooks/user.tar.gz
Removing pre-existing version.
Uncompressing user version 0.3.0.
removing downloaded tarball
1 files updated, committing changes
Creating tag cookbook-site-imported-user-0.3.0
Checking out the master branch.
Updating a3bec38..f06cc56
Fast-forward
 cookbooks/user/.gitignore                      |    2 +
 cookbooks/user/.travis.yml                     |    6 +
 cookbooks/user/CHANGELOG.md                    |   95 +++++
 cookbooks/user/README.md                       |  391 ++++++++++++++++++++
 cookbooks/user/Rakefile                        |   33 ++
 cookbooks/user/attributes/default.rb           |   42 ++
 cookbooks/user/metadata.json                   |   35 ++
 cookbooks/user/metadata.rb                     |   14 +
 cookbooks/user/providers/account.rb            |  173 +++++++++
 cookbooks/user/recipes/data_bag.rb             |   52 +++
 cookbooks/user/recipes/default.rb              |   18 +
 cookbooks/user/resources/account.rb            |   40 ++
 .../user/templates/default/authorized_keys.erb |    7 +
 13 files changed, 908 insertions(+), 0 deletions(-)
 create mode 100644 cookbooks/user/.gitignore
 create mode 100644 cookbooks/user/.travis.yml
 create mode 100644 cookbooks/user/CHANGELOG.md
 create mode 100644 cookbooks/user/README.md
 create mode 100644 cookbooks/user/Rakefile
 create mode 100644 cookbooks/user/attributes/default.rb
 create mode 100644 cookbooks/user/metadata.json
 create mode 100644 cookbooks/user/metadata.rb
 create mode 100644 cookbooks/user/providers/account.rb
 create mode 100644 cookbooks/user/recipes/data_bag.rb
 create mode 100644 cookbooks/user/recipes/default.rb
 create mode 100644 cookbooks/user/resources/account.rb
 create mode 100644 cookbooks/user/templates/default/authorized_keys.erb
Cookbook user version 0.3.0 successfully installed
ubuntu@chef-workstation:/opt/chef-local$ cd cookbooks/
ubuntu@chef-workstation:/opt/chef-local/cookbooks$ ls
README.md user
The README.md file under each cookbook is very useful; it explains how to configure the cookbook and how it communicates with chef-server.
For example, after reading the user cookbook's README.md we know we need to create a data bag named users, put each user's information into it as a separate json file, and then specify the users to configure through override_attributes in the role's configuration file.
ubuntu@chef-workstation:/opt/chef-local/cookbooks$ cd user/
ubuntu@chef-workstation:/opt/chef-local/cookbooks/user$ ll
total 76
drwxr-xr-x 7 root root  4096 Nov 15 20:31 ./
drwxr-xr-x 3 root root  4096 Nov 15 20:31 ../
-rw-r--r-- 1 root root    18 Nov 15 20:31 .gitignore
-rw-r--r-- 1 root root   141 Nov 15 20:31 .travis.yml
-rw-r--r-- 1 root root  2705 Nov 15 20:31 CHANGELOG.md
-rw-r--r-- 1 root root 11753 Nov 15 20:31 README.md
-rw-r--r-- 1 root root   813 Nov 15 20:31 Rakefile
drwxr-xr-x 2 root root  4096 Nov 15 20:31 attributes/
-rw-r--r-- 1 root root 13048 Nov 15 20:31 metadata.json
-rw-r--r-- 1 root root   538 Nov 15 20:31 metadata.rb
drwxr-xr-x 2 root root  4096 Nov 15 20:31 providers/
drwxr-xr-x 2 root root  4096 Nov 15 20:31 recipes/
drwxr-xr-x 2 root root  4096 Nov 15 20:31 resources/
drwxr-xr-x 3 root root  4096 Nov 15 20:31 templates/
ubuntu@chef-workstation:/opt/chef-local/cookbooks/user$ cd recipes/
ubuntu@chef-workstation:/opt/chef-local/cookbooks/user/recipes$ ls
data_bag.rb default.rb
dongguo@chef-workstation:/opt/chef-local/cookbooks/user/attributes$ ls
default.rb
Upload the cookbook to chef-server
ubuntu@chef-workstation:/opt/chef-local$ sudo knife cookbook upload user
Uploading user                [0.3.0]
Uploaded 1 cookbook.
Create a role
ubuntu@chef-workstation:/opt/chef-local$ cd roles/
ubuntu@chef-workstation:/opt/chef-local/roles$ sudo vim ubuntu_servers.rb
name "ubuntu_servers"
description "The base role applied to all nodes."
run_list(
  "recipe[user]",
  "recipe[user::data_bag]"
)
override_attributes(
  "users" => [ "ubuntu" ]
)
Upload the role to chef-server
ubuntu@chef-workstation:/opt/chef-local$ sudo knife role from file roles/ubuntu_servers.rb
Updated Role ubuntu_servers!
Create the data_bag for the user cookbook
ubuntu@chef-workstation:/opt/chef-local$ cd data_bags/
ubuntu@chef-workstation:/opt/chef-local/data_bags$ sudo mkdir users
ubuntu@chef-workstation:/opt/chef-local/data_bags$ sudo vim users/ubuntu.json
{
  "id" : "ubuntu",
  "gid": "admin",
  "comment" : "ubuntu",
  "home" : "/home/ubuntu",
  "create_user_group":"false",
  "ssh_keygen": "false",
  "ssh_keys" : "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+upV++0vIM2PuD2XvH+zOUF6JsfofPCvCdqZ/Wg0GaRvcuPpKs7Ua2APSsvtvEz9ohQvexS1DO4G1ZjIO20dsc82BHTFxd3DmZyQ8g/CLoIKIdkDImSffQxBYM//8URvtk16HTmuYVY9poalbVhlErhg0xSbyx/DQfOChfc34T8481iWPZ0pnJLj7z5AUvYR8fcWGtbMhveoyKuB4VocsQvKfgVUauS1jIGGac7kC8XGVc6fEVzzTycS7dTypzHDJp3I9wHWoiMF4SD5MRb0sEhlvaOtryHGVdcfFj4Mrdiu8NepL7yyCb9qGdB7QbT1+hNCnZukWP4Iz6yzATLzS"
}
Upload the data_bag to chef-server
ubuntu@chef-workstation:/opt/chef-local/data_bags$ sudo knife data bag create users
Created data_bag[users]
ubuntu@chef-workstation:/opt/chef-local/data_bags$ sudo knife data bag from file users users/ubuntu.json
Updated data_bag_item[users::ubuntu]
Add a run_list to the node, i.e. assign the ubuntu_servers role to chef-client-1
ubuntu@chef-workstation:/opt/chef-local$ sudo knife node run_list add chef-client-1 "role[ubuntu_servers]"
run_list: role[ubuntu_servers]
Run chef-client on chef-client-1 to pull the configuration
ubuntu@chef-client-1:~$ sudo chef-client
INFO: *** Chef 10.16.2 ***
INFO: Run List is [role[ubuntu_servers]]
INFO: Run List expands to [user, user::data_bag]
INFO: HTTP Request Returned 404 Not Found: No routes match the request: /reports/nodes/chef-client-1/runs
INFO: Starting Chef Run for chef-client-1
INFO: Running start handlers
INFO: Start handlers complete.
INFO: Loading cookbooks [user]
INFO: Processing user_account[ubuntu] action create (user::data_bag line 36)
INFO: Processing user[ubuntu] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
INFO: user[ubuntu] altered
INFO: Processing directory[/home/ubuntu/.ssh] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: directory[/home/ubuntu/.ssh] created directory /home/ubuntu/.ssh
INFO: directory[/home/ubuntu/.ssh] owner changed to 1000
INFO: directory[/home/ubuntu/.ssh] group changed to 109
INFO: directory[/home/ubuntu/.ssh] mode changed to 700
INFO: Processing directory[/home/ubuntu] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: directory[/home/ubuntu] group changed to 109
INFO: directory[/home/ubuntu] mode changed to 2755
INFO: Processing template[/home/ubuntu/.ssh/authorized_keys] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
INFO: template[/home/ubuntu/.ssh/authorized_keys] updated content
INFO: template[/home/ubuntu/.ssh/authorized_keys] owner changed to 1000
INFO: template[/home/ubuntu/.ssh/authorized_keys] group changed to 109
INFO: template[/home/ubuntu/.ssh/authorized_keys] mode changed to 600
INFO: Processing user[ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
INFO: Processing directory[/home/ubuntu/.ssh] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: Processing directory[/home/ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: Processing template[/home/ubuntu/.ssh/authorized_keys] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
INFO: Processing execute[create ssh keypair for ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 148)
INFO: Chef Run complete in 0.766601698 seconds
INFO: Running report handlers
INFO: Report handlers complete
We can see that chef-client successfully pulled the ubuntu user's information and automatically carried out a series of configuration steps.
With that, we have used Chef's user cookbook to complete an automated server deployment.
2.2 Next, configure OpenSSH with Chef
Commit the changes just made locally, since we use git to manage the Chef configuration.
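As an added example (not code from the original post or from the user cookbook), here is a Ruby pre-flight check for the role and data bag created in the steps above: it evaluates the role .rb file as plain Ruby (the same way Chef's internal DSL does), confirms that every user named in the role's `users` override attribute has a matching item under data_bags/users, and that each item carries something that looks like an OpenSSH public key before `knife data bag from file` uploads it. Assumptions: the tiny DSL shim understands only the four role calls used in this post; the username and key regexes, the second user "ops", and the sample key text are all constructed for the example.

```ruby
require 'json'

# Added example, not from the original post: cross-check a Chef role file against
# the users data bag directory before uploading either of them with knife.

# Minimal stand-in for Chef's role DSL (assumption: only these four calls are used).
class RoleFile
  attr_reader :data

  def initialize
    @data = { 'run_list' => [], 'override_attributes' => {} }
  end

  def name(v);                @data['name'] = v;                end
  def description(v);         @data['description'] = v;         end
  def run_list(*items);       @data['run_list'] = items;        end
  def override_attributes(h); @data['override_attributes'] = h; end

  # A role .rb file is ordinary Ruby, so evaluating it against the shim records what it declared.
  def self.parse(src)
    role = new
    role.instance_eval(src)
    role.data
  end
end

USERNAME_RE = /\A[a-z_][a-z0-9_-]{0,31}\z/
# "<type> <base64> [comment]" as written in authorized_keys (constructed for this example).
SSH_PUBKEY_RE = %r{\A(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( \S+)?\z}

# Validate one data_bags/users/<id>.json item; returns a list of problems (empty means ok).
def check_user_item(filename, json_text)
  problems = []
  item = JSON.parse(json_text)
  base = File.basename(filename, '.json')
  problems << "id #{item['id'].inspect} does not match file name #{base.inspect}" unless item['id'] == base
  problems << "id #{item['id'].inspect} is not a valid unix user name" unless item['id'].to_s =~ USERNAME_RE
  if item.key?('home') && !item['home'].to_s.start_with?('/')
    problems << "home #{item['home'].inspect} is not an absolute path"
  end
  # The cookbook accepts a single key string or an array of them.
  Array(item['ssh_keys']).each_with_index do |key, i|
    problems << "ssh_keys[#{i}] is not an OpenSSH public key" unless key.to_s =~ SSH_PUBKEY_RE
  end
  problems
end

# bag_files maps file name => json text, i.e. the contents of data_bags/users/.
def check_role_against_bag(role_src, bag_files)
  role = RoleFile.parse(role_src)
  wanted = Array(role['override_attributes']['users'])
  have = bag_files.keys.map { |f| File.basename(f, '.json') }
  item_problems = bag_files.map { |f, txt| [f, check_user_item(f, txt)] }
                           .reject { |_, p| p.empty? }
                           .to_h
  {
    missing_items: wanted - have,            # role names a user with no data bag item
    unreferenced_items: have - wanted,       # item exists but no role would ever apply it
    data_bag_recipe_present: role['run_list'].include?('recipe[user::data_bag]'),
    item_problems: item_problems,
  }
end

# Constructed samples: the role from this post extended with a second user, plus two items.
# The key in UBUNTU_JSON is a made-up placeholder, not a real public key.
ROLE_SRC = <<~RUBY
  name "ubuntu_servers"
  description "The base role applied to all nodes."
  run_list(
    "recipe[user]",
    "recipe[user::data_bag]"
  )
  override_attributes(
    "users" => [ "ubuntu", "ops" ]
  )
RUBY

UBUNTU_JSON = <<~JSON
  { "id": "ubuntu", "gid": "admin", "comment": "ubuntu", "home": "/home/ubuntu",
    "create_user_group": "false", "ssh_keygen": "false",
    "ssh_keys": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleplaceholder ubuntu@chef-workstation" }
JSON

DEPLOY_JSON = <<~JSON
  { "id": "deploy", "home": "/home/deploy", "ssh_keys": ["password123"] }
JSON

BAG_FILES = { 'ubuntu.json' => UBUNTU_JSON, 'deploy.json' => DEPLOY_JSON }.freeze

if __FILE__ == $PROGRAM_NAME
  check_role_against_bag(ROLE_SRC, BAG_FILES).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

In a real repository the inputs come from `File.read('roles/ubuntu_servers.rb')` and `Dir['data_bags/users/*.json']`; a non-empty `missing_items` or `item_problems` is the signal to stop before running knife.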
ubuntu@chef-workstation:/opt/chef-local$ sudo git commit -a -m "update"
Install the openssh cookbook
ubuntu@chef-workstation:/opt/chef-local$ sudo knife cookbook site install openssh
Installing openssh to /opt/chef-local/cookbooks
Checking out the master branch.
Creating pristine copy branch chef-vendor-openssh
Downloading openssh from the cookbooks site at version 1.1.2 to /opt/chef-local/cookbooks/openssh.tar.gz
Cookbook saved: /opt/chef-local/cookbooks/openssh.tar.gz
Removing pre-existing version.
Uncompressing openssh version 1.1.2.
removing downloaded tarball
1 files updated, committing changes
Creating tag cookbook-site-imported-openssh-1.1.2
Checking out the master branch.
Updating 8945cc6..ea9f570
Fast-forward
 cookbooks/openssh/.gitignore                        |    4 +
 cookbooks/openssh/CHANGELOG.md                      |   19 ++
 cookbooks/openssh/CONTRIBUTING                      |   29 +++
 cookbooks/openssh/Gemfile                           |    3 +
 cookbooks/openssh/LICENSE                           |  201 ++++++++++++++++++++
 cookbooks/openssh/README.md                         |  122 ++++++++++++
 cookbooks/openssh/attributes/default.rb             |  125 ++++++++++++
 .../files/default/tests/minitest/config_test.rb     |   38 ++++
 .../files/default/tests/minitest/default_test.rb    |   13 ++
 .../default/tests/minitest/support/helpers.rb       |   13 ++
 cookbooks/openssh/metadata.json                     |   37 ++++
 cookbooks/openssh/metadata.rb                       |   12 ++
 cookbooks/openssh/recipes/default.rb                |   73 +++++++
 cookbooks/openssh/templates/default/port_ssh.erb    |    2 +
 cookbooks/openssh/templates/default/ssh_config.erb  |   11 +
 .../openssh/templates/default/sshd_config.erb       |   11 +
 16 files changed, 713 insertions(+), 0 deletions(-)
 create mode 100644 cookbooks/openssh/.gitignore
 create mode 100644 cookbooks/openssh/CHANGELOG.md
 create mode 100644 cookbooks/openssh/CONTRIBUTING
 create mode 100644 cookbooks/openssh/Gemfile
 create mode 100644 cookbooks/openssh/LICENSE
 create mode 100644 cookbooks/openssh/README.md
 create mode 100644 cookbooks/openssh/attributes/default.rb
 create mode 100644 cookbooks/openssh/files/default/tests/minitest/config_test.rb
 create mode 100644 cookbooks/openssh/files/default/tests/minitest/default_test.rb
 create mode 100644 cookbooks/openssh/files/default/tests/minitest/support/helpers.rb
 create mode 100644 cookbooks/openssh/metadata.json
 create mode 100644 cookbooks/openssh/metadata.rb
 create mode 100644 cookbooks/openssh/recipes/default.rb
 create mode 100644 cookbooks/openssh/templates/default/port_ssh.erb
 create mode 100644 cookbooks/openssh/templates/default/ssh_config.erb
 create mode 100644 cookbooks/openssh/templates/default/sshd_config.erb
Cookbook openssh version 1.1.2 successfully installed
We can see that the openssh cookbook has been installed.
ubuntu@chef-workstation:/opt/chef-local/cookbooks$ ls
README.md openssh user
Likewise, a careful read of README.md tells us how this cookbook is used: change the relevant parameters in attributes, then add the recipe to the role's configuration file.
ubuntu@chef-workstation:/opt/chef-local/cookbooks$ cd openssh/
ubuntu@chef-workstation:/opt/chef-local/cookbooks/openssh$ ls
CHANGELOG.md CONTRIBUTING Gemfile LICENSE README.md attributes files metadata.json metadata.rb recipes templates
ubuntu@chef-workstation:/opt/chef-local/cookbooks/openssh/attributes$ ls
default.rb
Opening the default attributes file under attributes, we can see that a great many options are already defined.
ubuntu@chef-workstation:/opt/chef-local/cookbooks/openssh/attributes$ sudo vim default.rb
#
# Cookbook Name:: openssh
# Attributes:: default
#
# Author:: Ernie Brodeur
# Copyright 2008-2012, Opscode, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Attributes are commented out using the default config file values.
# Uncomment the ones you need, or set attributes in a role.
#

default['openssh']['package_name'] = case node['platform_family']
                                     when "rhel", "fedora"
                                       %w{openssh-clients openssh}
                                     when "arch"
                                       %w{openssh}
                                     else
                                       %w{openssh-client openssh-server}
                                     end

default['openssh']['service_name'] = case node['platform_family']
                                     when "rhel", "fedora"
                                       "sshd"
                                     else
                                       "ssh"
                                     end

# ssh config group
default['openssh']['client']['host'] = "*"
# default['openssh']['client']['forward_agent'] = "no"
# default['openssh']['client']['forward_x11'] = "no"
# default['openssh']['client']['rhosts_rsa_authentication'] = "no"
# default['openssh']['client']['rsa_authentication'] = "yes"
# default['openssh']['client']['password_authentication'] = "yes"
# default['openssh']['client']['host_based_authentication'] = "no"
# default['openssh']['client']['gssapi_authentication'] = "no"
# default['openssh']['client']['gssapi_delegate_credentials'] = "no"
# default['openssh']['client']['batch_mode'] = "no"
# default['openssh']['client']['check_host_ip'] = "yes"
# default['openssh']['client']['address_family'] = "any"
# default['openssh']['client']['connect_timeout'] = "0"
# default['openssh']['client']['strict_host_key_checking'] = "ask"
# default['openssh']['client']['identity_file'] = "~/.ssh/identity"
# default['openssh']['client']['identity_file_rsa'] = "~/.ssh/id_rsa"
# default['openssh']['client']['identity_file_dsa'] = "~/.ssh/id_dsa"
# default['openssh']['client']['port'] = "22"
# default['openssh']['client']['protocol'] = [ "2 1" ]
# default['openssh']['client']['cipher'] = "3des"
# default['openssh']['client']['ciphers'] = [ "aes128-ctr aes192-ctr aes256-ctr arcfour256 arcfour128 aes128-cbc 3des-cbc" ]
# default['openssh']['client']['macs'] = [ "hmac-md5 hmac-sha1 umac-64@openssh.com hmac-ripemd160" ]
# default['openssh']['client']['escape_char'] = "~"
# default['openssh']['client']['tunnel'] = "no"
# default['openssh']['client']['tunnel_device'] = "any:any"
# default['openssh']['client']['permit_local_command'] = "no"
# default['openssh']['client']['visual_host_key'] = "no"
# default['openssh']['client']['proxy_command'] = "ssh -q -W %h:%p gateway.example.com"

# sshd config group
# default['openssh']['server']['port'] = "22"
# default['openssh']['server']['address_family'] = "any"
# default['openssh']['server']['listen_address'] = [ "0.0.0.0 ::" ]
# default['openssh']['server']['protocol'] = "2"
# default['openssh']['server']['host_key_v1'] = "/etc/ssh/ssh_host_key"
# default['openssh']['server']['host_key_rsa'] = "/etc/ssh/ssh_host_rsa_key"
# default['openssh']['server']['host_key_dsa'] = "/etc/ssh/ssh_host_dsa_key"
# default['openssh']['server']['host_key_ecdsa'] = "/etc/ssh/ssh_host_ecdsa_key"
# default['openssh']['server']['key_regeneration_interval'] = "1h"
# default['openssh']['server']['server_key_bits'] = "1024"
# default['openssh']['server']['syslog_facility'] = "AUTH"
# default['openssh']['server']['log_level'] = "INFO"
# default['openssh']['server']['login_grace_time'] = "2m"
# default['openssh']['server']['permit_root_login'] = "yes"
# default['openssh']['server']['strict_modes'] = "yes"
# default['openssh']['server']['max_auth_tries'] = "6"
# default['openssh']['server']['max_sessions'] = "10"
# default['openssh']['server']['rsa_authentication'] = "yes"
# default['openssh']['server']['pub_key_authentication'] = "yes"
default['openssh']['server']['authorized_keys_file'] = "%h/.ssh/authorized_keys"
# default['openssh']['server']['rhosts_rsa_authentication'] = "no"
# default['openssh']['server']['host_based_authentication'] = "no"
# default['openssh']['server']['ignore_user_known_hosts'] = "no"
# default['openssh']['server']['ignore_rhosts'] = "yes"
# default['openssh']['server']['password_authentication'] = "yes"
# default['openssh']['server']['permit_empty_passwords'] = "no"
default['openssh']['server']['challenge_response_authentication'] = "no"
# default['openssh']['server']['kerberos_authentication'] = "no"
# default['openssh']['server']['kerberos_or_localpasswd'] = "yes"
# default['openssh']['server']['kerberos_ticket_cleanup'] = "yes"
# default['openssh']['server']['kerberos_get_afs_token'] = "no"
# default['openssh']['server']['gssapi_authentication'] = "no"
# default['openssh']['server']['gssapi_clean_up_credentials'] = "yes"
default['openssh']['server']['use_p_a_m'] = "yes"
# default['openssh']['server']['allow_agent_forwarding'] = "yes"
# default['openssh']['server']['allow_tcp_forwarding'] = "yes"
# default['openssh']['server']['gateway_ports'] = "no"
# default['openssh']['server']['x11_forwarding'] = "no"
# default['openssh']['server']['x11_display_offset'] = "10"
# default['openssh']['server']['x11_use_localhost'] = "yes"
# default['openssh']['server']['print_motd'] = "yes"
# default['openssh']['server']['print_lastlog'] = "yes"
# default['openssh']['server']['t_c_p_keep_alive'] = "yes"
# default['openssh']['server']['use_login'] = "no"
# default['openssh']['server']['use_privilege_separation'] = "yes"
# default['openssh']['server']['permit_user_environment'] = "no"
# default['openssh']['server']['compression'] = "delayed"
# default['openssh']['server']['client_alive_interval'] = "0"
# default['openssh']['server']['client_alive_count_max'] = "3"
# default['openssh']['server']['use_dns'] = "yes"
# default['openssh']['server']['pid_file'] = "/var/run/sshd.pid"
# default['openssh']['server']['max_startups'] = "10"
# default['openssh']['server']['permit_tunnel'] = "no"
# default['openssh']['server']['chroot_directory'] = "none"
# default['openssh']['server']['banner'] = "none"
# default['openssh']['server']['subsystem'] = "sftp /usr/libexec/sftp-server"
Here we can change the following options so that OpenSSH accepts only key-based authentication and password login is disabled. Both lines are uncommented and their values set as shown (the file's commented-out default for password_authentication is "yes", which is what we are turning off):
default['openssh']['server']['password_authentication'] = "no"   # disable password login; keys only
default['openssh']['server']['use_dns'] = "yes"
After making the changes, upload the updated openssh cookbook:
ubuntu@chef-workstation:/opt/chef-local/cookbooks/openssh/attributes$ sudo knife cookbook upload openssh
Uploading openssh [1.1.2]
Uploaded 1 cookbook.
Add openssh to the role:
ubuntu@chef-workstation:/opt/chef-local/cookbooks/openssh/attributes$ cd /opt/chef-local/roles/
ubuntu@chef-workstation:/opt/chef-local/roles$ sudo vim ubuntu_servers.rb
name "ubuntu_servers"
description "The base role applied to all nodes."
run_list(
  "recipe[user]",
  "recipe[user::data_bag]",
  "recipe[openssh]"
)
override_attributes(
  "users" => [ "ubuntu" ]
)
Update the role:
ubuntu@chef-workstation:/opt/chef-local/roles$ sudo knife role from file ubuntu_servers.rb
Updated Role ubuntu_servers!
Pull the configuration on the chef-client:
ubuntu@chef-client-1:~$ sudo chef-client
[2012-12-17T20:51:40+08:00] INFO: *** Chef 10.16.2 ***
[2012-12-17T20:51:41+08:00] INFO: Run List is [role[ubuntu_servers]]
[2012-12-17T20:51:41+08:00] INFO: Run List expands to [user, user::data_bag, openssh]
[2012-12-17T20:51:41+08:00] INFO: HTTP Request Returned 404 Not Found: No routes match the request: /reports/nodes/chef-client-1/runs
[2012-12-17T20:51:41+08:00] INFO: Starting Chef Run for chef-client-1
[2012-12-17T20:51:41+08:00] INFO: Running start handlers
[2012-12-17T20:51:41+08:00] INFO: Start handlers complete.
[2012-12-17T20:51:41+08:00] INFO: Loading cookbooks [openssh, user]
[2012-12-17T20:51:41+08:00] INFO: Processing user_account[ubuntu] action create (user::data_bag line 36)
[2012-12-17T20:51:41+08:00] INFO: Processing user[ubuntu] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
[2012-12-17T20:51:41+08:00] INFO: Processing directory[/home/ubuntu/.ssh] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
[2012-12-17T20:51:41+08:00] INFO: Processing directory[/home/ubuntu] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
[2012-12-17T20:51:41+08:00] INFO: Processing template[/home/ubuntu/.ssh/authorized_keys] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
[2012-12-17T20:51:41+08:00] INFO: Processing user[ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
[2012-12-17T20:51:41+08:00] INFO: Processing directory[/home/ubuntu/.ssh] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
[2012-12-17T20:51:41+08:00] INFO: Processing directory[/home/ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
[2012-12-17T20:51:41+08:00] INFO: Processing template[/home/ubuntu/.ssh/authorized_keys] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
[2012-12-17T20:51:41+08:00] INFO: Processing execute[create ssh keypair for ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 148)
[2012-12-17T20:51:28+08:00] INFO: Processing package[openssh-client] action install (openssh::default line 27)
[2012-12-17T20:51:28+08:00] INFO: Processing package[openssh-server] action install (openssh::default line 27)
[2012-12-17T20:51:28+08:00] INFO: Processing service[ssh] action enable (openssh::default line 30)
[2012-12-17T20:51:28+08:00] INFO: service[ssh] enabled
[2012-12-17T20:51:28+08:00] INFO: Processing service[ssh] action start (openssh::default line 30)
[2012-12-17T20:51:28+08:00] INFO: Processing template[/etc/ssh/ssh_config] action create (openssh::default line 48)
[2012-12-17T20:51:28+08:00] INFO: template[/etc/ssh/ssh_config] backed up to /var/chef/backup/etc/ssh/ssh_config.chef-20121217205128
[2012-12-17T20:51:28+08:00] INFO: template[/etc/ssh/ssh_config] updated content
[2012-12-17T20:51:28+08:00] INFO: template[/etc/ssh/ssh_config] owner changed to 0
[2012-12-17T20:51:28+08:00] INFO: template[/etc/ssh/ssh_config] group changed to 0
[2012-12-17T20:51:28+08:00] INFO: template[/etc/ssh/ssh_config] mode changed to 644
[2012-12-17T20:51:28+08:00] INFO: Processing template[/etc/ssh/sshd_config] action create (openssh::default line 66)
[2012-12-17T20:51:29+08:00] INFO: template[/etc/ssh/sshd_config] backed up to /var/chef/backup/etc/ssh/sshd_config.chef-20121217205129
[2012-12-17T20:51:29+08:00] INFO: template[/etc/ssh/sshd_config] updated content
[2012-12-17T20:51:29+08:00] INFO: template[/etc/ssh/sshd_config] owner changed to 0
[2012-12-17T20:51:29+08:00] INFO: template[/etc/ssh/sshd_config] group changed to 0
[2012-12-17T20:51:29+08:00] INFO: template[/etc/ssh/sshd_config] mode changed to 644
[2012-12-17T20:51:29+08:00] INFO: template[/etc/ssh/sshd_config] sending restart action to service[ssh] (delayed)
[2012-12-17T20:51:29+08:00] INFO: Processing service[ssh] action restart (openssh::default line 30)
[2012-12-17T20:51:29+08:00] INFO: service[ssh] restarted
[2012-12-17T20:51:29+08:00] INFO: Chef Run complete in 1.742643517 seconds
[2012-12-17T20:51:29+08:00] INFO: Running report handlers
[2012-12-17T20:51:29+08:00] INFO: Report handlers complete
As we can see, chef-client-1 automatically fetched the new attribute values, updated the OpenSSH configuration files and restarted the service.
Inspecting the OpenSSH configuration file by hand, we see only the few parameters we configured. That is fine: every other parameter falls back to sshd's built-in default, so the OpenSSH configuration as a whole is valid.
ubuntu@chef-client-1:~$ cat /etc/ssh/sshd_config
# Generated by Chef for chef-client-1
AuthorizedKeysFile %h/.ssh/authorized_keys
ChallengeResponseAuthentication no
PasswordAuthentication no
UseDns yes
UsePAM yes
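A reviewer would want something stronger than a glance at the file to confirm that key-only login is really enforced. The Ruby script below is an added example (it is not from the original post or from the openssh cookbook): it parses an sshd_config the way sshd reads it (the first occurrence of a keyword wins, and only the global section before any Match block is considered) and reports every setting that would let a password login back in. SAMPLE_SSHD_CONFIG is a constructed copy of the file shown above, and the DEFAULTS table is an assumption about the daemon's built-in values for keywords that are absent from the file.

```ruby
# Added example: audit a generated sshd_config for key-only authentication.
# Not part of the original post or of the openssh cookbook.

# Constructed copy of the file Chef generated on chef-client-1.
SAMPLE_SSHD_CONFIG = <<~CONF
  # Generated by Chef for chef-client-1
  AuthorizedKeysFile %h/.ssh/authorized_keys
  ChallengeResponseAuthentication no
  PasswordAuthentication no
  UseDns yes
  UsePAM yes
CONF

# Parse "Keyword value" lines into a Hash of downcased keyword => value.
# sshd keywords are case-insensitive, '#' starts a comment, and sshd uses
# the FIRST value it sees for a keyword, so later duplicates are ignored.
# Lines after a "Match" block are conditional and are left out of the audit.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    key = key.downcase
    break if key == 'match'             # only audit the global section
    settings[key] ||= value.to_s.strip  # first occurrence wins, as in sshd
  end
  settings
end

# Assumed built-in defaults for keywords the file does not mention; sshd
# fills these in itself, so an absent keyword is not the same as "off".
DEFAULTS = {
  'passwordauthentication'          => 'yes',
  'challengeresponseauthentication' => 'yes',
  'permitemptypasswords'            => 'no',
  'pubkeyauthentication'            => 'yes',
}.freeze

# Returns an Array of findings; an empty Array means key-only login holds.
def audit_key_only_login(text)
  cfg = DEFAULTS.merge(parse_sshd_config(text))
  findings = []
  unless cfg['passwordauthentication'] == 'no'
    findings << 'PasswordAuthentication is not "no"'
  end
  # With UsePAM yes, keyboard-interactive prompts are driven by PAM, so
  # ChallengeResponseAuthentication must be off as well or passwords still work.
  unless cfg['challengeresponseauthentication'] == 'no'
    findings << 'ChallengeResponseAuthentication is not "no"'
  end
  findings << 'PermitEmptyPasswords is enabled' if cfg['permitemptypasswords'] == 'yes'
  # If public keys are disabled too, nobody can log in at all: flag it.
  unless cfg['pubkeyauthentication'] == 'yes'
    findings << 'PubkeyAuthentication is disabled'
  end
  findings << 'PermitRootLogin is "yes"' if cfg['permitrootlogin'] == 'yes'
  findings
end

if __FILE__ == $PROGRAM_NAME
  findings = audit_key_only_login(SAMPLE_SSHD_CONFIG)
  puts(findings.empty? ? 'OK: key-only login enforced' : findings.join("\n"))
end
```

Run it against /etc/ssh/sshd_config on a node after a chef-client run, or feed it the rendered template in a cookbook test; the first-wins rule matters because an attribute appended at the end of a template cannot override a keyword that already appeared earlier in the file.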
With that, we have completed the management of user accounts and OpenSSH configuration through Chef, and should now have a concrete understanding of what Chef does.
But this is only a beginning: if we could only configure servers by changing parameters in cookbooks other people have written, that would be rather limiting.
So next we will create our own cookbook and configure servers however we like!
3. Next, we can begin the following process:
Chef Centralized Management in Practice (3): Custom Configuration
Series contents
Chef Centralized Management in Practice (0): What Is Chef
Chef Centralized Management in Practice (1): Environment Deployment
Chef Centralized Management in Practice (2): Server Configuration
Chef Centralized Management in Practice (3): Custom Configuration
This article
Chef Centralized Management in Practice (3): Custom Configuration
References
http://wiki.opscode.com/display/chef/Resources#Resources-Service
Environment
OS: Ubuntu 10.10 Server 64-bit
Servers:
chef-server:10.6.1.170
chef-workstation:10.6.1.171
chef-client-1:10.6.1.172
1. Start cooking your own feast
"Once my skills are good enough, I will write my own dishes and recipes and create a feast of my own." I quoted this sentence earlier, and in the previous chapter we completed the account and openssh configuration using cookbooks provided by the official community.
In this chapter we will write a cookbook of our own, turn each custom configuration task into its own recipe, and finally apply the configuration to a server.
2. How to start
How do we start? Using a cookbook from the official community is simple: you only change the parameters in attributes. But if you write your own, how is it written and in what format?
You are bound to have this question. Rest assured: the official Chef community has thorough online documentation to consult.
The URL listed under "References" above is the address of that documentation: http://wiki.opscode.com/display/chef/Resources#Resources-Service
There is a lot of content; the table of contents on the right helps keep things straight.
There are roughly 30 resource types in total, each with a corresponding example.
The most commonly used are:
Account management: Group, User
Configuration files: Template, File
Scripts and commands: Script, Execute
System services: Cron, Service, Mount, Package
The detailed usage of these resources can all be found on that page, so I will not describe it here; next we will get to know them through practice.
3. Planning what to do next
Taking a situation from my actual production environment as the example, the OS is Ubuntu and there are the following tasks to complete:
1. Create a group named project and add the previously created user ubuntu to it
2. Change the system's default APT mirror to http://old-releases.ubuntu.com
3. Install build-essential with apt-get
4. Build and install pcre 8.10 from source
This time we will not search the official community for a third-party cookbook, but write one ourselves.
3.1 First, design the cookbook
Name the cookbook mycookbook.
Then create four separate recipes, named
conf_group, conf_sources.list, install_build-essential, build_pcre
to carry out the four tasks above.
3.2 Writing the cookbook
3.2.1 Create the cookbook
ubuntu@chef-workstation:/opt/chef-local$ sudo knife cookbook create mycookbook
** Creating cookbook mycookbook
** Creating README for cookbook: mycookbook
** Creating CHANGELOG for cookbook: mycookbook
** Creating metadata for cookbook: mycookbook
ubuntu@chef-workstation:/opt/chef-local$ cd cookbooks/mycookbook/
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook$ ls
CHANGELOG.md README.md attributes definitions files libraries metadata.rb providers recipes resources templates
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook$ cd recipes/
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ ls
default.rb
3.2.2 Create the recipe conf_group
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ sudo vim conf_group.rb
group "project" do
  gid 999
  members [ 'ubuntu' ]
end
3.2.3 Create the recipe conf_sources.list
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ sudo vim conf_sources.list.rb
execute "update" do
  command "sudo apt-get update"
  action :nothing
end

template "/etc/apt/sources.list" do
  source "sources.list.erb"
  mode 0644
  owner "root"
  group "root"
  notifies :run, "execute[update]", :immediately
end
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ cd ../templates/default/
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/templates/default$ sudo vim sources.list.erb
# Generated by Chef for <%= node['fqdn'] %>
deb http://old-releases.ubuntu.com/ubuntu/ maverick main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ maverick-security main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ maverick-updates main restricted universe multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ maverick main restricted universe multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ maverick-security main restricted universe multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ maverick-updates main restricted universe multiverse
3.2.4 Create the recipe install_build-essential
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/templates/default$ cd ../../recipes/
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ sudo vim install_build-essential.rb
package "build-essential" do
  action :install
end
3.2.5 Create the recipe build_pcre
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ sudo vim build_pcre.rb
script "build_pcre" do
  interpreter "bash"
  user "root"
  cwd "/tmp"
  not_if "test -f /usr/local/bin/pcregrep"
  code <<-EOH
    wget http://nchc.dl.sourceforge.net/project/pcre/pcre/8.10/pcre-8.10.tar.gz
    tar zxvf pcre-8.10.tar.gz
    cd pcre-8.10
    ./configure
    make
    make install
  EOH
end
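The build_pcre recipe fetches a tarball over plain HTTP from a mirror and compiles it as root, with nothing in between that checks the bytes are the ones the author expected. The Ruby below is an added example, not part of mycookbook or of Chef itself; it shows the gate a practitioner would put between download and build: pin a SHA-256 digest next to the URL and refuse to stage the archive when the digest does not match. The fetch lambda, the sample bytes and the pinned digest are all constructed for the example (the digest is not that of any real pcre release). In a Chef recipe the same effect is available through the remote_file resource's checksum property, which takes a SHA-256 hex digest.

```ruby
# Added example: verify a downloaded source archive against a pinned
# SHA-256 before it reaches ./configure && make. Not from the original post.
require 'digest'
require 'tmpdir'

class ArtifactVerificationError < StandardError; end

# Refuse unexpectedly large downloads before hashing them (assumed limit).
MAX_ARTIFACT_BYTES = 50 * 1024 * 1024

# fetch: any callable returning the raw archive bytes (an HTTP client in
# practice; a lambda over constructed bytes in the tests).
# expected_sha256: the hex digest pinned in the recipe next to the URL.
# Returns the verified bytes, or raises ArtifactVerificationError.
def fetch_verified(fetch, expected_sha256)
  data = fetch.call
  if data.bytesize > MAX_ARTIFACT_BYTES
    raise ArtifactVerificationError, "artifact too large (#{data.bytesize} bytes)"
  end
  actual = Digest::SHA256.hexdigest(data)
  unless actual.casecmp?(expected_sha256)
    raise ArtifactVerificationError,
          "checksum mismatch: expected #{expected_sha256}, got #{actual}"
  end
  data
end

# Write the verified archive into the build directory and return its path.
# Nothing is written when verification fails, so an unverified tarball can
# never be picked up by a later "tar zxvf" step.
def stage_artifact(fetch, expected_sha256, dir, name)
  data = fetch_verified(fetch, expected_sha256)
  path = File.join(dir, name)
  File.binwrite(path, data)
  path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed stand-in for the real download; NOT a real pcre archive.
  sample = "constructed tarball bytes".b
  pinned = Digest::SHA256.hexdigest(sample)   # in a recipe this is a literal
  Dir.mktmpdir do |dir|
    puts "staged: #{stage_artifact(-> { sample }, pinned, dir, 'pcre-8.10.tar.gz')}"
    begin
      stage_artifact(-> { sample + "tampered".b }, pinned, dir, 'bad.tar.gz')
    rescue ArtifactVerificationError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The pinned digest belongs in version control beside the URL, so a change of mirror or a modified archive shows up as a failed chef-client run rather than as a silently different binary under /usr/local.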
3.3 Upload and apply the cookbook
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ ll
total 28
drwxr-xr-x  2 root root 4096 Jan  6 18:30 ./
drwxr-xr-x 10 root root 4096 Jan  6 18:11 ../
-rw-r--r--  1 root root  305 Jan  6 18:30 build_pcre.rb
-rw-r--r--  1 root root   56 Jan  6 18:17 conf_group.rb
-rw-r--r--  1 root root  234 Jan  6 18:19 conf_sources.list.rb
-rw-r--r--  1 root root  136 Jan  6 18:11 default.rb
-rw-r--r--  1 root root   51 Jan  6 18:24 install_build-essential.rb
Upload the cookbook:
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ sudo knife cookbook upload mycookbook
Uploading mycookbook [0.1.0]
Uploaded 1 cookbook.
Look at the current role configuration file:
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ cd ../../../roles/
ubuntu@chef-workstation:/opt/chef-local/roles$ ls
README.md ubuntu_servers.rb
ubuntu@chef-workstation:/opt/chef-local/roles$ cat ubuntu_servers.rb
name "ubuntu_servers"
description "The base role applied to all nodes."
run_list(
  "recipe[user]",
  "recipe[user::data_bag]",
  "recipe[openssh]"
)
override_attributes(
  "users" => [ "ubuntu" ]
)
Update the role configuration file:
ubuntu@chef-workstation:/opt/chef-local/roles$ sudo vim ubuntu_servers.rb
name "ubuntu_servers"
description "The base role applied to all nodes."
run_list(
  "recipe[user]",
  "recipe[user::data_bag]",
  "recipe[openssh]",
  "recipe[mycookbook::conf_group]",
  "recipe[mycookbook::conf_sources.list]",
  "recipe[mycookbook::install_build-essential]",
  "recipe[mycookbook::build_pcre]"
)
override_attributes(
  "users" => [ "ubuntu" ]
)
Upload the role configuration file:
ubuntu@chef-workstation:/opt/chef-local/roles$ sudo knife role from file ubuntu_servers.rb
Updated Role ubuntu_servers!
List the nodes:
ubuntu@chef-workstation:/opt/chef-local/roles$ sudo knife node list
chef-client-1
chef-server
Update the node's run_list:
ubuntu@chef-workstation:/opt/chef-local/roles$ sudo knife node run_list add chef-client-1 "role[ubuntu_servers]"
run_list: role[ubuntu_servers]
3.4 Apply the new cookbook on the node
ubuntu@chef-client-1:~$ sudo chef-client
INFO: *** Chef 10.16.2 ***
INFO: Run List is [role[ubuntu_servers]]
INFO: Run List expands to [user, user::data_bag, openssh, mycookbook::conf_group, mycookbook::conf_sources.list, mycookbook::install_build-essential, mycookbook::build_pcre]
INFO: HTTP Request Returned 404 Not Found: No routes match the request: /reports/nodes/chef-client-1/runs
INFO: Starting Chef Run for chef-client-1
INFO: Running start handlers
INFO: Start handlers complete.
INFO: Loading cookbooks [mycookbook, openssh, user]
INFO: Storing updated cookbooks/openssh/recipes/default.rb in the cache.
INFO: Storing updated cookbooks/openssh/attributes/default.rb in the cache.
INFO: Storing updated cookbooks/openssh/.gitignore in the cache.
INFO: Storing updated cookbooks/openssh/metadata.rb in the cache.
INFO: Storing updated cookbooks/openssh/README.md in the cache.
INFO: Storing updated cookbooks/openssh/LICENSE in the cache.
INFO: Storing updated cookbooks/openssh/CHANGELOG.md in the cache.
INFO: Storing updated cookbooks/openssh/metadata.json in the cache.
INFO: Storing updated cookbooks/openssh/Gemfile in the cache.
INFO: Storing updated cookbooks/openssh/CONTRIBUTING in the cache.
INFO: Storing updated cookbooks/user/resources/account.rb in the cache.
INFO: Storing updated cookbooks/user/providers/account.rb in the cache.
INFO: Storing updated cookbooks/user/recipes/data_bag.rb in the cache.
INFO: Storing updated cookbooks/user/recipes/default.rb in the cache.
INFO: Storing updated cookbooks/user/attributes/default.rb in the cache.
INFO: Storing updated cookbooks/user/Rakefile in the cache.
INFO: Storing updated cookbooks/user/CHANGELOG.md in the cache.
INFO: Storing updated cookbooks/user/README.md in the cache.
INFO: Storing updated cookbooks/user/metadata.rb in the cache.
INFO: Storing updated cookbooks/user/metadata.json in the cache.
INFO: Storing updated cookbooks/mycookbook/recipes/build_nginx.rb in the cache.
INFO: Storing updated cookbooks/mycookbook/recipes/conf_group.rb in the cache.
INFO: Storing updated cookbooks/mycookbook/recipes/conf_sources.list.rb in the cache.
INFO: Storing updated cookbooks/mycookbook/recipes/default.rb in the cache.
INFO: Storing updated cookbooks/mycookbook/recipes/install_build-essential.rb in the cache.
INFO: Storing updated cookbooks/mycookbook/recipes/build_pcre.rb in the cache.
INFO: Storing updated cookbooks/mycookbook/README.md in the cache.
INFO: Storing updated cookbooks/mycookbook/metadata.rb in the cache.
INFO: Storing updated cookbooks/mycookbook/CHANGELOG.md in the cache.
INFO: Processing user_account[ubuntu] action create (user::data_bag line 36)
INFO: Processing user[ubuntu] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
INFO: user[ubuntu] created
INFO: Processing directory[/home/ubuntu/.ssh] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: directory[/home/ubuntu/.ssh] created directory /home/ubuntu/.ssh
INFO: directory[/home/ubuntu/.ssh] owner changed to 1001
INFO: directory[/home/ubuntu/.ssh] group changed to 109
INFO: directory[/home/ubuntu/.ssh] mode changed to 700
INFO: Processing directory[/home/ubuntu] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: directory[/home/ubuntu] mode changed to 2755
INFO: Processing template[/home/ubuntu/.ssh/authorized_keys] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
INFO: template[/home/ubuntu/.ssh/authorized_keys] updated content
INFO: template[/home/ubuntu/.ssh/authorized_keys] owner changed to 1001
INFO: template[/home/ubuntu/.ssh/authorized_keys] group changed to 109
INFO: template[/home/ubuntu/.ssh/authorized_keys] mode changed to 600
INFO: Processing user[ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
INFO: Processing directory[/home/ubuntu/.ssh] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: Processing directory[/home/ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: Processing template[/home/ubuntu/.ssh/authorized_keys] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
INFO: Processing execute[create ssh keypair for ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 148)
INFO: Processing package[openssh-client] action install (openssh::default line 27)
INFO: Processing package[openssh-server] action install (openssh::default line 27)
INFO: Processing service[ssh] action enable (openssh::default line 30)
INFO: service[ssh] enabled
INFO: Processing service[ssh] action start (openssh::default line 30)
INFO: Processing template[/etc/ssh/ssh_config] action create (openssh::default line 48)
INFO: template[/etc/ssh/ssh_config] backed up to /var/chef/backup/etc/ssh/ssh_config.chef-20130106190629
INFO: template[/etc/ssh/ssh_config] updated content
INFO: template[/etc/ssh/ssh_config] owner changed to 0
INFO: template[/etc/ssh/ssh_config] group changed to 0
INFO: template[/etc/ssh/ssh_config] mode changed to 644
INFO: Processing template[/etc/ssh/sshd_config] action create (openssh::default line 66)
INFO: template[/etc/ssh/sshd_config] backed up to /var/chef/backup/etc/ssh/sshd_config.chef-20130106190629
INFO: template[/etc/ssh/sshd_config] updated content
INFO: template[/etc/ssh/sshd_config] owner changed to 0
INFO: template[/etc/ssh/sshd_config] group changed to 0
INFO: template[/etc/ssh/sshd_config] mode changed to 644
INFO: Processing group[project] action create (mycookbook::conf_group line 1)
INFO: group[project] created
INFO: Processing execute[update] action nothing (mycookbook::conf_sources.list line 1)
INFO: Processing template[/etc/apt/sources.list] action create (mycookbook::conf_sources.list line 6)
INFO: template[/etc/apt/sources.list] backed up to /var/chef/backup/etc/apt/sources.list.chef-20130106190629
INFO: template[/etc/apt/sources.list] updated content
INFO: template[/etc/apt/sources.list] owner changed to 0
INFO: template[/etc/apt/sources.list] group changed to 0
INFO: template[/etc/apt/sources.list] mode changed to 644
INFO: template[/etc/apt/sources.list] sending run action to execute[update] (immediate)
INFO: Processing execute[update] action run (mycookbook::conf_sources.list line 1)
INFO: execute[update] ran successfully
INFO: Processing package[build-essential] action install (mycookbook::install_build-essential line 1)
INFO: Processing script[build_pcre] action run (mycookbook::build_pcre line 1)
INFO: script[build_pcre] ran successfully
INFO: template[/etc/ssh/sshd_config] sending restart action to service[ssh] (delayed)
INFO: Processing service[ssh] action restart (openssh::default line 30)
INFO: service[ssh] restarted
INFO: Chef Run complete in 448.775004685 seconds
INFO: Running report handlers
INFO: Report handlers complete
From the output above we can clearly see each recipe being executed, and all of them succeeded.
We verify them one by one:
ubuntu@chef-client-1:~$ id ubuntu
uid=1001(ubuntu) gid=109(admin) groups=109(admin),999(project)
ubuntu@chef-client-1:~$ cat /etc/apt/sources.list
# Generated by Chef for chef-client-1
deb http://old-releases.ubuntu.com/ubuntu/ maverick main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ maverick-security main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ maverick-updates main restricted universe multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ maverick main restricted universe multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ maverick-security main restricted universe multiverse
deb-src http://old-releases.ubuntu.com/ubuntu/ maverick-updates main restricted universe multiverse
ubuntu@chef-client-1:~$ dpkg -l | grep build-essential
ii build-essential 11.5 Informational list of build-essential packages
ubuntu@chef-client-1:~$ which pcregrep
/usr/local/bin/pcregrep
These checks confirm once more that every task was carried out.
We have successfully completed a custom cookbook configuration.
4. More advanced features
By now we have a reasonable ability to write cookbooks.
Below I share some experience I have found valuable:
4.1 Install the official community cookbook chef-client. It makes the client pull configuration from the server automatically on a schedule, every 30 minutes by default; the interval is configurable.
Tips:
---
$ sudo knife cookbook site install chef-client
Reference it in the run_list in the following way:
"recipe[chef-client::delete_validation]",
"recipe[chef-client::config]",
"recipe[chef-client::service]",
4.2 Adapting the openssh cookbook
Tips:
---
Copy the system's /etc/ssh/sshd_config directly to use as the template file sshd_config.erb,
then change only the parameters you want to customize so that they are read from attributes, for example:
PasswordAuthentication <%= node['openssh']['server']['password_authentication'] %>
UseDNS <%= node['openssh']['server']['use_dns'] %>
Likewise, we can write our own attributes file to supply those parameters.
4.3 Redefining attribute values in a role file
Tips:
---
With override_attributes you can set attribute values directly, so that different roles use different parameters.
For example, for the official community sudo cookbook, the attribute values can be redefined as follows.
The default values:
default['authorization']['sudo']['groups'] = Array.new
default['authorization']['sudo']['users'] = Array.new
default['authorization']['sudo']['passwordless'] = false
default['authorization']['sudo']['include_sudoers_d'] = false
default['authorization']['sudo']['agent_forwarding'] = false
The values redefined in the role file:
override_attributes(
  "authorization" => {
    "sudo" => {
      "groups" => ["admin"],
      "passwordless" => true,
      "users" => ["zabbix"]
    }
  }
)
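Sections 4.2 and 4.3 together describe one mechanism: a cookbook's attributes file supplies defaults, a role's override_attributes are merged on top of them, and an ERB template line such as PasswordAuthentication <%= node['openssh']['server']['password_authentication'] %> reads the merged result. The Ruby below is an added example (not code from the openssh or sudo cookbooks and not Chef's own attribute implementation) that reproduces that flow outside Chef with a plain deep merge and Ruby's ERB: the attribute hashes, the template text and the node name are constructed for the example, and the merge models only the default-versus-override layering the sections discuss, not Chef's full precedence order.

```ruby
# Added example: how override_attributes from a role win over a cookbook's
# default attributes, and how an ERB template reads the merged values.
# Not from the original post, the openssh/sudo cookbooks, or Chef itself.
require 'erb'

# Constructed stand-in for cookbooks/openssh/attributes/default.rb.
COOKBOOK_DEFAULTS = {
  'openssh' => { 'server' => {
    'password_authentication'           => 'yes',  # the cookbook's (unsafe) default
    'challenge_response_authentication' => 'no',
    'use_dns'                           => 'yes',
  } },
}.freeze

# Constructed equivalent of a role's override_attributes(...) block.
ROLE_OVERRIDES = {
  'openssh' => { 'server' => { 'password_authentication' => 'no' } },
}.freeze

# Merge `over` into `base` without mutating either. Nested Hashes merge key
# by key; anything else (strings, arrays, booleans) is replaced outright,
# which is why "groups" => ["admin"] in a role replaces the default [] rather
# than appending to it.
def deep_merge(base, over)
  base.merge(over) do |_key, b, o|
    b.is_a?(Hash) && o.is_a?(Hash) ? deep_merge(b, o) : o
  end
end

# Constructed sshd_config.erb fragment in the style of section 4.2.
SSHD_TEMPLATE = <<~TEMPLATE
  # Generated by Chef for <%= node['fqdn'] %>
  PasswordAuthentication <%= node['openssh']['server']['password_authentication'] %>
  ChallengeResponseAuthentication <%= node['openssh']['server']['challenge_response_authentication'] %>
  UseDNS <%= node['openssh']['server']['use_dns'] %>
TEMPLATE

# Render the template against the merged attribute tree, the way chef-client
# evaluates an ERB with `node` in scope.
def render_sshd_config(fqdn, defaults = COOKBOOK_DEFAULTS, overrides = ROLE_OVERRIDES)
  node = deep_merge(defaults, overrides).merge('fqdn' => fqdn)
  ERB.new(SSHD_TEMPLATE).result_with_hash(node: node)
end

if __FILE__ == $PROGRAM_NAME
  puts render_sshd_config('chef-client-1')
end
```

The same deep_merge applied to the sudo attributes from section 4.3 shows the role's ["admin"] and true replacing the cookbook's empty array and false, while keys the role does not mention (include_sudoers_d, agent_forwarding) keep their defaults.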
5. This concludes the series
To put it bluntly, this is as far as I can take you. From here, by consulting the official documentation and applying Chef more widely in practice, we can master this powerful centralized management tool and keep any number of servers neatly under control.