DevOps Classroom Series – 13/Sept/2020

Installing Chef Server

Unattended chef client installations

  • We would like to avoid manual bootstraps, so let's write a simple shell script and run it when the node starts up.
  • Let's quickly put together a script that can be used as a startup script:
#!/bin/bash
# Startup script: installs chef-client and registers the node with the Chef server on first boot.

# Abort the startup script with a message on stderr (was called but never defined).
error_exit() {
    echo "$1" >&2
    exit 1
}

sudo mkdir -p /etc/chef
sudo mkdir -p /var/lib/chef
sudo mkdir -p /var/log/chef

cd /etc/chef/ || error_exit 'could not change into /etc/chef'

# Install chef-client using the omnitruck installer
curl -L https://omnitruck.chef.io/install.sh | bash || error_exit 'could not install chef'

# Create first-boot.json: the run_list applied on the very first chef-client run
cat > "/etc/chef/first-boot.json" << EOF
{
   "run_list" :[ "role[dynamicserver]"   ]
}
EOF

# The organization's validation key, used once to register the node
cat > "/etc/chef/validation.pem" << EOF
-----BEGIN RSA PRIVATE KEY-----
<validation key body removed from the page; paste your organization's validation key here>
-----END RSA PRIVATE KEY-----
EOF

# Generate a unique node name, e.g. node-Ab3x
NODE_NAME=node-$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 4 | head -n 1)

# Create client.rb (ssl_verify_mode takes a Ruby symbol, not a quoted string)
cat > '/etc/chef/client.rb' << EOF
log_location            STDOUT
chef_server_url         'https://18.237.202.132/organizations/qualitythought'
validation_client_name  'qualitythought-validator'
validation_key          '/etc/chef/validation.pem'
node_name               "${NODE_NAME}"
# :verify_none skips TLS verification of the Chef server certificate; once the
# server's certificate is in /etc/chef/trusted_certs this can be :verify_peer
ssl_verify_mode         :verify_none
EOF

# First run: register the node and apply the first-boot run_list
chef-client -j /etc/chef/first-boot.json --chef-license 'accept' --environment 'development'

Databags

  • In many cases we need to deal with sensitive information like passwords; keeping passwords in plain text and then committing the changes to a VCS (Git) will expose them.
  • Chef has data bags, which can help you with encryption & decryption of sensitive data.
  • A data bag is a collection of data bag items.
  • Each item is a JSON file with a key called "id":
{
    "id": "<filename>"
}
  • Data bags operate at the Chef server level.
  • Refer Here for the official docs
  • Navigate to the chef repo root folder and create a directory called data_bags
  • Let's create a folder to represent the data bag 'application_secrets':
knife data bag create application_secrets
mkdir application_secrets


  • Navigate to the Chef management UI and verify the data bags
  • Create a file named 'tomcat_qms_secrets.json' with the content below:
{
    "id": "tomcat_qms_secrets",
    "common_password": "motherindia@123",
    "common_username": "qtdevops"
}
  • Let's use knife to upload this data to the Chef server:
knife data bag from file application_secrets ./application_secrets/tomcat_qms_secrets.json


  • Now let's encrypt the data bag. A data bag item can be encrypted with either:
    • secret text
    • a key file
  • In this series I will be using the secret text version:
knife data bag from file application_secrets ./application_secrets/tomcat_qms_secrets.json --secret "<your secret text>"


  • The local file is still unencrypted; to encrypt the local copy as well, add --local-mode to the knife data bag from file command.
  • To use a data bag item in a recipe:
data_bag_item('bag_name', 'item', 'secret')
  • Now change the recipe code as shown below (the third argument is the secret text used when uploading the item):
password = data_bag_item(
    'application_secrets', 
    'tomcat_qms_secrets', 
    'qualitythought')['common_password']
file '/tmp/password.txt' do
    content password
    action :create
end
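To see what knife actually writes when --secret is given, here is an added example (not from the page and not Chef's own code) that re-implements the layout of a "version 1" encrypted data bag item as I understand it from the Chef Infra source: every field except "id" is encrypted separately with AES-256-CBC, the key is the SHA-256 of the secret text, and ciphertext and IV are base64-encoded. The secret and item values are constructed samples; verify the layout against the chef-client version you run.

```ruby
# Added example: minimal re-implementation of Chef's version 1 encrypted data bag
# item layout, to show why the secret text must be long and random. Assumptions:
# key = SHA-256(secret), AES-256-CBC, random IV, plaintext wrapped as
# {"json_wrapper": value}, base64 output, "id" left in clear. Version 1 carries no
# integrity check; Chef later added an HMAC (version 2) and AES-256-GCM (version 3).
require "openssl"
require "json"

SECRET = "example-shared-secret-from-knife--secret" # constructed sample, not a real secret

def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.encrypt
  # The key is a plain hash of the secret: no salt, no stretching, so a guessable
  # secret text means a guessable key.
  cipher.key = OpenSSL::Digest.digest("SHA256", secret)
  iv = cipher.random_iv
  ciphertext = cipher.update({ "json_wrapper" => value }.to_json) + cipher.final
  { "encrypted_data" => [ciphertext].pack("m"), # base64 with line breaks, as knife writes it
    "iv" => [iv].pack("m"),
    "version" => 1,
    "cipher" => "aes-256-cbc" }
end

def decrypt_field(blob, secret)
  raise "unsupported version #{blob['version']}" unless blob["version"] == 1
  cipher = OpenSSL::Cipher.new(blob["cipher"])
  cipher.decrypt
  cipher.key = OpenSSL::Digest.digest("SHA256", secret)
  cipher.iv = blob["iv"].unpack1("m")
  plain = cipher.update(blob["encrypted_data"].unpack1("m")) + cipher.final
  JSON.parse(plain)["json_wrapper"]
end

# Encrypt every field except "id", mirroring `knife data bag from file --secret`
def encrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : encrypt_field(v, secret) }
end

# Inverse of encrypt_item, what data_bag_item('bag', 'item', secret) does on the node
def decrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : decrypt_field(v, secret) }
end

# Constructed sample item, same shape as tomcat_qms_secrets.json above
SAMPLE_ITEM = { "id" => "tomcat_qms_secrets",
                "common_password" => "motherindia@123",
                "common_username" => "qtdevops" }.freeze

puts JSON.pretty_generate(encrypt_item(SAMPLE_ITEM, SECRET)) if $PROGRAM_NAME == __FILE__
```

Running it prints the per-field structure you will find in the uploaded item, with "id" readable and every other field reduced to encrypted_data/iv/version/cipher.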

Chef support on AWS and Azure

  • Azure:
    • Azure supports Chef Infra, with bootstrap support through VM extensions
    • Azure provides a knife plugin: Refer Here and also here
  • AWS:
    • AWS has OpsWorks, from which you can bring up Chef Automate & Chef Infra Server for managing infrastructure: Refer Here
