DevOps Classroom Series – 13/Sept/2020

Installing Chef Server

Unattended chef client installations

  • We would like to avoid manual bootstraps, so let's write a simple shell script and run it at startup of the node
  • Let's quickly come up with a script that can be used as a startup script
#!/bin/bash
# Startup script: installs chef-client on first boot and registers the node
# with the Chef server using the organization's validator key.

error_exit() {
    echo "$1" >&2
    exit 1
}

sudo mkdir -p /etc/chef
sudo mkdir -p /var/lib/chef
sudo mkdir -p /var/log/chef

cd /etc/chef/ || error_exit 'could not enter /etc/chef'

# Install chef-client with the omnitruck installer
curl -L https://omnitruck.chef.io/install.sh | bash || error_exit 'could not install chef'

# Create first-boot.json: the run_list applied on the first chef-client run
cat > "/etc/chef/first-boot.json" << EOF
{
   "run_list" :[ "role[dynamicserver]"   ]
}
EOF

# Write the organization's validator private key (replace with your own).
# Anyone holding this key can register nodes with the org, so treat it like a password.
cat > "/etc/chef/validation.pem" << EOF
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
EOF

# Random node name so every auto-started instance registers under a unique name
NODE_NAME=node-$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 4)

# Create client.rb (unquoted heredoc so ${NODE_NAME} is expanded)
cat > '/etc/chef/client.rb' << EOF
log_location            STDOUT
chef_server_url         'https://18.237.202.132/organizations/qualitythought'
validation_client_name  'qualitythought-validator'
validation_key          '/etc/chef/validation.pem'
node_name               "${NODE_NAME}"
# :verify_none skips certificate checks against the Chef server (self-signed
# certificate in this lab); use :verify_peer with a trusted certificate in production
ssl_verify_mode         :verify_none
EOF

# First run: registers the node and applies the run_list from first-boot.json.
# Once the node has registered, /etc/chef/validation.pem is no longer needed on it.
chef-client -j /etc/chef/first-boot.json --chef-license 'accept' --environment 'development' || error_exit 'first chef-client run failed'

Databags

  • In many cases we need to deal with sensitive information like passwords; keeping passwords in plain text and committing the changes to VCS (Git) will expose them.
  • Chef has data bags, which can help with encryption & decryption of sensitive data.
  • A data bag is a collection of data bag items.
  • Each item is a JSON file with one mandatory key called "id"
{
    "id": "<filename>"
}
  • Data bags operate at the Chef server level.
  • Refer Here for official docs
  • Navigate to the chef repo root folder and create a directory called data_bags
  • Let's create the data bag 'application_secrets' on the server and a matching local folder
knife data bag create application_secrets
mkdir application_secrets


  • Navigate to the chef management UI and verify the data bag has been created
  • Create a file named 'tomcat_qms_secrets.json' with the content below
{
    "id": "tomcat_qms_secrets",
    "common_password": "motherindia@123",
    "common_username": "qtdevops"
}
  • Let's use knife to upload this item to the chef server
knife data bag from file application_secrets ./application_secrets/tomcat_qms_secrets.json


  • Now let's encrypt the data bag item. A data bag item can be encrypted with
    • a secret text (--secret)
    • a secret key file (--secret-file)
  • In this series I will be using the secret text version
knife data bag from file application_secrets ./application_secrets/tomcat_qms_secrets.json --secret "<your secret text>"


  • The local file is still unencrypted; to encrypt the local copy as well, add --local-mode to the knife data bag from file command
  • To use a data bag item in a recipe
data_bag_item('bag_name', 'item', 'secret')
  • Now change the recipe code as shown below
# The third argument is the secret used for decryption. Hard-coding it in the
# recipe puts the secret into VCS next to the cookbook; the usual alternative is
# to omit it so chef-client reads /etc/chef/encrypted_data_bag_secret on the node.
password = data_bag_item(
    'application_secrets',
    'tomcat_qms_secrets',
    'qualitythought')['common_password']
file '/tmp/password.txt' do
    content password
    sensitive true   # keep the password out of chef-client's log output
    action :create
end
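As an added example (not Chef's or the course's own code), the Ruby below re-implements what knife does to the item with --secret and what data_bag_item undoes on the node: Chef's encrypted data bag item format, version 3 (aes-256-gcm; the key is the SHA-256 digest of the secret text; every field except "id" is wrapped as {"json_wrapper": value} and encrypted on its own). It uses Ruby's standard openssl and json libraries instead of Chef's FFI_Yajl, works on in-memory hashes rather than files, and the item and secret are the ones used on this page.

```ruby
require "openssl"
require "base64"
require "json"

# Chef encrypted data bag item format, version 3 (aes-256-gcm), re-implemented
# with the Ruby standard library. Added example, not Chef's own code.
CIPHER = "aes-256-gcm".freeze

# Chef derives the AES key from the secret text with a single SHA-256.
def data_bag_key(secret)
  OpenSSL::Digest.digest("SHA256", secret)
end

# Encrypt one field value; returns the per-field hash knife writes to the item.
def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = data_bag_key(secret)     # key must be set before the IV
  iv = cipher.random_iv                 # 12 random bytes for GCM
  cipher.iv = iv
  cipher.auth_data = ""                 # Chef authenticates no extra data
  plaintext = JSON.generate({ "json_wrapper" => value })
  ciphertext = cipher.update(plaintext) + cipher.final
  {
    "encrypted_data" => Base64.encode64(ciphertext),
    "iv" => Base64.encode64(iv),
    "auth_tag" => Base64.encode64(cipher.auth_tag),
    "version" => 3,
    "cipher" => CIPHER,
  }
end

# Decrypt one field; a wrong secret or tampered data raises
# OpenSSL::Cipher::CipherError because the GCM tag does not verify.
def decrypt_field(enc, secret)
  cipher = OpenSSL::Cipher.new(enc["cipher"]).decrypt
  cipher.key = data_bag_key(secret)
  cipher.iv = Base64.decode64(enc["iv"])
  cipher.auth_tag = Base64.decode64(enc["auth_tag"])
  cipher.auth_data = ""
  plaintext = cipher.update(Base64.decode64(enc["encrypted_data"])) + cipher.final
  JSON.parse(plaintext)["json_wrapper"]
end

# Whole item: "id" stays in clear (knife needs it to address the item),
# every other field is encrypted separately.
def encrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : encrypt_field(v, secret) }
end

def decrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : decrypt_field(v, secret) }
end
```

Uploading the output of encrypt_item is what makes the server-side copy safe to store; the secret itself still has to reach each node by another path.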

Support of Chef on AWS and Azure

  • Azure:
    • Azure supports Chef Infra and bootstrapping of VMs through VM extensions
    • Azure provides a plugin for knife. Refer Here and also here
  • AWS:
    • AWS has OpsWorks, from which you can bring up Chef Automate & Chef Infra Server for managing infrastructure. Refer Here

About learningthoughtsadmin