- Chef Server: manages the clients (Vagrant machine name: chef_server, hostname chef-server)
- Chef Node: the machine that Chef builds and manages (Vagrant machine name: chef_client, hostname chef-client)
- Chef Workstation: the machine on which cookbooks are written and updated (here, the host that runs Vagrant and knife)
Starting with Chef 12, the client verifies the server's SSL certificate by default (ssl_verify_mode is :verify_peer), so requests from the client to the server fail unless the server's certificate is trusted. The knife ssl fetch / trusted_certs steps below exist for that reason.
Define two VMs, chef-server and chef-client.
vagrant init
Add the provisioning code to the Vagrantfile. For now it just installs Chef Server on one box and Chef on the other, and syncs the clocks with ntp. The clock sync is not cosmetic: every Chef API request carries a signed timestamp, and the server rejects requests whose clock is too far off (15 minutes by default), which shows up as a 401.
# -*- mode: ruby -*-
# vi: set ft=ruby :
# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
VAGRANTFILE_API_VERSION = "2"

# Provisioning for the Chef Server box: sync the clock, then install a pinned chef-server-core RPM.
$script = <<EOF
sudo yum update -y
sudo yum install -y wget ntp openssl-devel
sudo ntpdate ntp.nict.jp
(cd /tmp && wget https://web-dl.packagecloud.io/chef/stable/packages/el/5/chef-server-core-12.0.1-1.x86_64.rpm)
sudo rpm -Uvh /tmp/chef-server-core-12.0.1-1.x86_64.rpm
EOF

# Provisioning for the node: sync the clock, install chef-client with the omnibus installer,
# and add a hosts entry so the node can resolve the name the server's certificate is issued for.
# `curl | sudo bash` executes an unverified remote script as root; acceptable for a throwaway
# VM, but for anything longer-lived download install.sh first and check it before running it.
$client_script = <<EOF
sudo yum update -y
sudo yum install -y ntp openssl-devel
sudo ntpdate ntp.nict.jp
curl -L https://www.chef.io/chef/install.sh | sudo bash
sudo bash -c "echo '192.168.33.12 chef-server' >> /etc/hosts"
EOF

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vbguest.auto_update = false     # requires the vagrant-vbguest plugin
  config.omnibus.chef_version = :latest  # requires the vagrant-omnibus plugin

  config.vm.define :chef_server do |host|
    host.vm.box = 'centos64'
    host.vm.box_url = 'https://github.com/2creatives/vagrant-centos/releases/download/v6.4.2/centos64-x86_64-20140116.box'
    host.vm.hostname = 'chef-server'   # the self-signed server certificate is issued for this name
    host.vm.network :private_network, ip: '192.168.33.12'
    host.vm.provision :shell, :inline => $script
  end

  config.vm.define :chef_client do |host|
    host.vm.box = 'centos65'           # same box image as the server, registered under another name
    host.vm.box_url = 'https://github.com/2creatives/vagrant-centos/releases/download/v6.4.2/centos64-x86_64-20140116.box'
    host.vm.hostname = 'chef-client'
    host.vm.network :private_network, ip: '192.168.33.13'
    host.vm.provision :shell, :inline => $client_script
  end
end
vagrant up chef_server
vagrant ssh chef_server
sudo chef-server-ctl reconfigure
# If you want the Web UI
sudo chef-server-ctl install opscode-manage
sudo opscode-manage-ctl reconfigure
sudo chef-server-ctl reconfigure
# Run the built-in test suite
sudo chef-server-ctl test
the ffi-yajl and yajl-ruby gems have incompatible C libyajl libs and should not be loaded in the same Ruby VM
falling back to ffi which might work (or might not, no promises)
ffi-yajl/json_gem is deprecated, these monkeypatches will be dropped shortly
Configuring logging...
Creating platform...
Configured URL: https://chef-server
Creating org pedant_testorg_chef-server_13561
Validating Org Creation
Associating user pedant_testorg_chef-server_13561_owner with org pedant_testorg_chef-server_13561 ...
Run options: include {:focus=>true, :smoke=>true}
All examples were filtered out; ignoring {:focus=>true, :smoke=>true}
..............................
Finished in 2.03 seconds
30 examples, 0 failures
Starting Pedant Run: 2015-01-20 13:26:33 UTC
setting up rspec config for #<Pedant::MultiTenantPlatform:0x000000022cb760>
Configuring RSpec for Multi-Tenant Tests
(ASCII-art banner: OPSCODE PEDANT)
"Accuracy Over Tact"
=== Testing Environment ===
Config File: /var/opt/opscode/oc-chef-pedant/etc/pedant_config.rb
HTTP Traffic Log File: /var/log/opscode/oc-chef-pedant/http-traffic.log
If the Web UI is installed, https://192.168.33.12/signup is now reachable (or https://chef-server/ if you have added the hosts entry on the workstation).
# Create a user
sudo chef-server-ctl user-create admin firstname lastname your@mail.address password --filename admin.pem
# Create an organization
# The validator client is named ORGANIZATION-validator; its key is written to the file given by --filename
sudo chef-server-ctl org-create chef "Chef" --association admin --filename chef-validator.pem
# Confirm that both keys exist (they are private keys: treat them as secrets)
ls
admin.pem install.sh chef-validator.pem
exit
On the workstation, add the following line to /etc/hosts as well:
192.168.33.12 chef-server
bundle exec knife configure
WARNING: No knife configuration file found
Where should I put the config file? [/Users/.chef/knife.rb] .chef/knife.rb
Please enter the chef server URL: [https://local:443] https://chef-server/organizations/chef/
Please enter an existing username or clientname for the API: [USER] admin
Please enter the validation clientname: [chef-validator] chef-validator
Please enter the location of the validation key: [/etc/chef-server/chef-validator.pem] .chef/chef-validator.pem
Please enter the path to a chef repository (or leave blank):
cat .chef/knife.rb
log_level :info
log_location STDOUT
node_name 'admin'
client_key '/Users/USERNAME/.chef/admin.pem'
validation_client_name 'chef-validator'
validation_key '/Users/USERNAME/.chef/chef-validator.pem'
chef_server_url 'https://chef-server/organizations/chef/'
syntax_check_cache_path '/Users/USERNAME/.chef/syntax_check_cache'
# Copy the two private keys to the workstation. Disabling host-key checking and using the
# default "vagrant" password is acceptable only for this throwaway local VM.
scp -o stricthostkeychecking=no vagrant@192.168.33.12:/home/vagrant/admin.pem .chef/admin.pem
Warning: Permanently added '192.168.33.12' (RSA) to the list of known hosts.
vagrant@192.168.33.12's password: vagrant
scp -o stricthostkeychecking=no vagrant@192.168.33.12:/home/vagrant/chef-validator.pem .chef/chef-validator.pem
vagrant@192.168.33.12's password: vagrant
chef-validator.pem
# Fetch the server certificate
bundle exec knife ssl fetch -s https://chef-server/organizations/chef/
WARNING: Certificates from chef-server will be fetched and placed in your trusted_cert
directory (/Users/.chef/trusted_certs).
Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.
Adding certificate for chef-server in /Users/.chef/trusted_certs/chef-server.crt
# Check that SSL communication works
bundle exec knife ssl check
Connecting to host chef-server:443
Successfully verified certificates from `chef-server'
ls .chef
admin.pem chef-validator.pem trusted_certs
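knife itself warns above that it has no way to verify the certificate it just fetched; `knife ssl check` only confirms that the server presents the certificate now sitting in trusted_certs, not that it is the right one. Verifying it means comparing its fingerprint with one obtained out of band. The following Ruby script is an added example, not from the original post and not part of Chef or knife: it fingerprints the trusted_certs copy, a copy of the server's own certificate file (assumed to have been copied with scp from /var/opt/opscode/nginx/ca/chef-server.crt, the default location of the Chef Server 12 self-signed certificate) and the certificate the server actually presents on port 443, and reports whether all three match. The file paths, the host name and the `verify` argument are this example's assumptions.

```ruby
require 'openssl'
require 'socket'

# Added example, not from the original post and not part of Chef/knife.
# Paths are assumptions for the Vagrant setup above:
#   TRUSTED_COPY - what `knife ssl fetch` wrote into .chef/trusted_certs
#   SERVER_COPY  - the server's own certificate, copied out of band, e.g.
#                  scp vagrant@192.168.33.12:/var/opt/opscode/nginx/ca/chef-server.crt .
TRUSTED_COPY = File.expand_path('.chef/trusted_certs/chef-server.crt')
SERVER_COPY  = File.expand_path('chef-server.crt')
SERVER_HOST  = 'chef-server'

# SHA-256 fingerprint of a PEM/DER certificate, in the colon-separated upper-case
# form that `openssl x509 -noout -fingerprint -sha256` prints.
def cert_fingerprint(pem_or_der)
  cert = OpenSSL::X509::Certificate.new(pem_or_der)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Normalize a fingerprint pasted from any tool: drop a "SHA256 Fingerprint=" prefix,
# colons and whitespace, and fold case.
def normalize_fingerprint(str)
  str.to_s.sub(/\A.*=/, '').gsub(/[^0-9a-fA-F]/, '').downcase
end

# True only for two complete SHA-256 fingerprints (64 hex digits) that are equal.
def fingerprints_match?(a, b)
  na = normalize_fingerprint(a)
  na.length == 64 && na == normalize_fingerprint(b)
end

# Leaf certificate a TLS endpoint presents. Chain verification is deliberately off:
# the point is to verify by fingerprint afterwards, not to trust whatever is served.
def live_server_cert(host, port = 443)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = host   # SNI, in case the server fronts several names
  ssl.connect
  ssl.peer_cert.to_pem
ensure
  ssl.close if ssl
  tcp.close if tcp
end

# Compare the trusted copy against an out-of-band copy and, when host is given,
# against the live endpoint. Returns the fingerprints and the match flags.
def verify_trusted_cert(trusted_pem, reference_pem, host: nil)
  trusted   = cert_fingerprint(trusted_pem)
  reference = cert_fingerprint(reference_pem)
  result = { trusted: trusted, reference: reference,
             reference_ok: fingerprints_match?(trusted, reference) }
  if host
    live = cert_fingerprint(live_server_cert(host))
    result.merge!(live: live, live_ok: fingerprints_match?(trusted, live))
  end
  result
end

# Usage: ruby verify_chef_cert.rb verify  (the argument keeps the check from running on load)
if ARGV.first == 'verify'
  r = verify_trusted_cert(File.read(TRUSTED_COPY), File.read(SERVER_COPY), host: SERVER_HOST)
  puts "trusted_certs copy: #{r[:trusted]}"
  puts "server's own copy : #{r[:reference]} #{r[:reference_ok] ? '(match)' : '(MISMATCH)'}"
  puts "live on :443      : #{r[:live]} #{r[:live_ok] ? '(match)' : '(MISMATCH)'}"
  exit(r[:reference_ok] && r[:live_ok] ? 0 : 1)
end
```

A mismatch between the trusted_certs copy and the server's own file means the fetch went through something other than the server (a proxy, a wrong hosts entry, a stale file), and knife should not be trusted until that is resolved. Comparing fingerprints over the scp channel that was already used for the keys adds nothing on its own, so check the server-side fingerprint through `vagrant ssh` or another channel you trust independently of the TLS connection being verified.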
# List clients
bundle exec knife client list
chef-validator
# List users
bundle exec knife user list
admin
Authentication against the Chef Server is key-based: every API request is signed with an RSA private key, and the server checks the signature against the public key it holds for that client.
The Chef Server issues one key pair per client, stores the public half itself and hands the private half to the client.
Creating a key pair by hand for every node is tedious, so bootstrapping uses the validator key that was created together with the organization above (chef-validator.pem).
When a node contacts the Chef Server with the validator key, the server registers it as a new client and issues the key the node will use for all later requests.
The validator key is therefore only used for the very first run. Anyone holding chef-validator.pem can register arbitrary clients in the organization, so treat it as a bootstrap secret: keep it on the workstation and remove it from nodes once they hold their own client key.
vagrant ssh chef_client
# Configure hosts (the Vagrantfile's provisioning script already appends this entry, so this is just a check)
vi /etc/hosts
# add: 192.168.33.12 chef-server
exit
bundle exec knife bootstrap chef-client -x vagrant -P vagrant --sudo
Connecting to chef-client
chef-client Starting first Chef Client run...
chef-client Starting Chef Client, version 12.0.3
chef-client Creating a new client identity for chef-client using the validator key.
chef-client resolving cookbooks for run list: []
chef-client Synchronizing Cookbooks:
chef-client Compiling Cookbooks...
chef-client [2015-01-21T13:57:45+00:00] WARN: Node chef-client has an empty run list.
chef-client Converging 0 resources
chef-client
chef-client Running handlers:
chef-client Running handlers complete
chef-client Chef Client finished, 0/0 resources updated in 18.701279698 second
# List nodes
bundle exec knife node list
chef-client
If at this point you get a 401 such as
INFO: HTTP Request Returned 401 Unauthorized: Failed to authenticate as NODENAME. Ensure that your node_name and client key are correct.
it is almost always a problem with the signing key rather than with TLS: node_name and client_key in knife.rb do not belong together, the key on the node is not the one the server has registered under that name, or the clock on the workstation or node is more than 15 minutes off from the server's. https://docs.chef.io/errors.html is a good first stop for these errors.
bundle exec knife client show chef-client
admin: false
chef_type: client
json_class: Chef::ApiClient
name: chef-client
public_key: -----BEGIN PUBLIC KEY-----
...
...
-----END PUBLIC KEY-----
validator: false
# Fetch a simple cookbook
git clone https://github.com/opscode-cookbooks/getting-started
# Upload the cookbook
bundle exec knife cookbook upload getting-started -o .
Uploading getting-started [0.4.0]
Uploaded 1 cookbook.
# List cookbooks
bundle exec knife cookbook list
getting-started 0.4.0
# Add the recipe to the run list of the node (chef-client)
bundle exec knife node run_list add chef-client "recipe[getting-started]"
chef-client:
run_list: recipe[getting-started]
# Show the node
bundle exec knife node show chef-client
Node Name: chef-client
Environment: _default
FQDN: chef-client
IP: 10.0.2.15
Run List: recipe[getting-started]
Roles:
Recipes: getting-started, getting-started::default
Platform: centos 6.6
Tags:
For a node to apply a cookbook, all of the following must hold:
- the cookbook has been uploaded to the Chef Server
- the node is registered on the Chef Server and the recipe to apply is on its run list
- the node has a client key (or, for the first run only, the validator key) with which it can talk to the Chef Server
bundle exec knife ssh 'hostname:chef-client' 'sudo chef-client' -x vagrant -P vagrant
Starting Chef Client, version 12.0.3
[2015-01-17T13:31:24+00:00] INFO: *** Chef 12.0.3 ***
[2015-01-17T13:31:24+00:00] INFO: Chef-client pid: 14855
[2015-01-17T13:31:32+00:00] ERROR: Server returned error 500 for https://chef-server/organizations/chef/nodes/chef-client, retrying 1/5 in 4s
[2015-01-17T13:31:37+00:00] INFO: Run List is [recipe[getting-started]]
[2015-01-17T13:31:37+00:00] INFO: Run List expands to [getting-started]
[2015-01-17T13:31:37+00:00] INFO: Starting Chef Run for chef-client
[2015-01-17T13:31:37+00:00] INFO: Running start handlers
[2015-01-17T13:31:37+00:00] INFO: Start handlers complete.
[2015-01-17T13:31:37+00:00] INFO: HTTP Request Returned 404 Not Found:
resolving cookbooks for run list: ["getting-started"]
[2015-01-17T13:31:45+00:00] INFO: Loading cookbooks [getting-started@0.4.0]
Synchronizing Cookbooks:
[2015-01-17T13:31:58+00:00] INFO: Storing updated cookbooks/getting-started/templates/default/chef-getting-started.txt.erb in the cache.
[2015-01-17T13:31:58+00:00] INFO: Storing updated cookbooks/getting-started/attributes/default.rb in the cache.
[2015-01-17T13:31:58+00:00] INFO: Storing updated cookbooks/getting-started/README.md in the cache.
[2015-01-17T13:31:58+00:00] INFO: Storing updated cookbooks/getting-started/recipes/default.rb in the cache.
[2015-01-17T13:31:58+00:00] INFO: Storing updated cookbooks/getting-started/metadata.rb in the cache.
- getting-started
Compiling Cookbooks...
Converging 1 resources
Recipe: getting-started::default
* template[/root/chef-getting-started.txt] action create[2015-01-17T13:31:58+00:00] INFO: Processing template[/root/chef-getting-started.txt] action create (getting-started::default line 20)
[2015-01-17T13:31:58+00:00] INFO: template[/root/chef-getting-started.txt] created file /root/chef-getting-started.txt
- create new file /root/chef-getting-started.txt[2015-01-17T13:31:58+00:00] INFO: template[/root/chef-getting-started.txt] updated file contents /root/chef-getting-started.txt
- update content in file /root/chef-getting-started.txt from none to 353e9a
--- /root/chef-getting-started.txt 2015-01-17 13:31:58.646409944 +0000
+++ /tmp/chef-rendered-template20150117-14855-1ekyrkz 2015-01-17 13:31:58.645409453 +0000
@@ -1 +1,6 @@
+Welcome to Chef!
+
+This is Chef version 12.0.3.
+Running on centos.
+Version 6.6.[2015-01-17T13:31:58+00:00] INFO: template[/root/chef-getting-started.txt] mode changed to 644
- change mode from '' to '0644'
- restore selinux security context
[2015-01-17T13:32:07+00:00] INFO: Chef Run complete in 29.66676515 seconds
Running handlers:
[2015-01-17T13:32:07+00:00] INFO: Running report handlers
Running handlers complete
[2015-01-17T13:32:07+00:00] INFO: Report handlers complete
Chef Client finished, 1/1 resources updated in 42.665644665 seconds
As the number of servers grows, applying configuration to many of them at once becomes a chore. The usual options all have the client side do the work:
- run chef-client as a daemon that contacts the server periodically
- run the command on selected servers with knife ssh
- run chef-client on many nodes with a tool such as capistrano
# Start chef-client as a daemon that converges every 30 minutes (-i 1800) with up to 5 minutes of random splay (-s 300).
# -L is added here so the daemon writes a log file that can be tailed below; the directory is created first.
bundle exec knife ssh 'hostname:chef-client' 'sudo mkdir -p /var/log/chef && sudo chef-client -d -i 1800 -s 300 -L /var/log/chef/client.log' -x vagrant -P vagrant
# Check the log. chef-server-ctl only exists on the server, so on the node tail the client log instead.
bundle exec knife ssh 'hostname:chef-client' 'sudo tail /var/log/chef/client.log' -x vagrant -P vagrant