chef training - day2


Upload: andriy-samilyak

Post on 16-Apr-2017


DevOps: Opscode Chef

Day 2

Andriy Samilyak

[email protected]: samilyaka

Goals

in-depth understanding of attributes

working with templates

roles

files and cookbook_files

Notes to copy/paste

http://goo.gl/6sEYT5

Nothing like too much practice

knife node list

knife node delete yournode

knife client delete yournode

knife bootstrap 11.22.33.44 -x root -N freshnode

Changing attributes #1

Setting node['apache']['default_site_enabled'] to 'true'

We were changing:

cookbooks/apache2/attributes/default.rb ?


Where we can change attributes

cookbook/attributes/*

cookbook/recipes/*

role

environment

node (Chef server)

Role

Webserver, Drupal, OnLineStore

CentOS6: LogLevel debug

Ubuntu: LogLevel warn

Changing attributes #2

name "node"
run_list "recipe[apache2]"
default_attributes "apache" => { "default_site_enabled" => true }

Create role file: chef-repo/roles/node.rb

> knife role from file roles/node.rb
> knife node edit yournodename

Set run_list to [role[node]]

Changing attributes #3

Setting node['apache']['default_site_enabled'] to 'true'

Changing attributes #2

Let's set it to false and see what happens

Attributes Types

default

normal

override

default['apache']['default_site_enabled'] = false
or
node.default.apache.default_site_enabled = true

set[:apache]['default_site_enabled'] = false
or
node.normal['apache'][:default_site_enabled] = true

node.override[:apache]['default_site_enabled'] = false
or
override_attributes "apache" => { "default_site_enabled" => true }

Attribute precedence

From: http://docs.opscode.com/essentials_cookbook_attribute_files.html

Changing attributes #3

Change it back to 'true', we will need it!

http://goo.gl/oqDYA

How to test

curl -X TRACE http://yoursite.com

You should receive HTTP 403, not HTTP 200 OK

Changing the template: bad and ugly

Let's try changing ../templates/default/default-site.erb directly?

Wrapper cookbook

1) knife cookbook create webserver
2) In roles/node.rb change "recipe[apache2]" => "recipe[webserver]"
3) Upload cookbook
4) Upload role
5) Run chef-client

OMG! Apache is still installed!

Removing defaults

Including recipe

Add in cookbooks/webserver/recipes/default.rb:

include_recipe "apache2"

Something went wrong

Chef::Exceptions::CookbookNotFound
----------------------------------
Cookbook apache2 not found

Cookbook dependencies

In cookbooks/webserver/metadata.rb add:

depends 'apache2'

Upload cookbook and run chef-client again

CVE patch plan

Create new vhost configuration

Enable new vhost

Disable default site

Create new vhost configuration

Copy default-site.erb as cvepatch.erb in cookbooks/webserver/templates/default/

Insert patch lines into the template:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

Upload cookbook and chef-client run

Any results?

Welcome Chef resources

template "#{node['apache']['dir']}/sites-available/default" do
  source 'default-site.erb'
  owner 'root'
  group node['apache']['root_group']
  mode '0644'
  notifies :restart, 'service[apache2]'
end

New template resource
in ../cookbooks/webserver/recipes/default.rb

template "#{node['apache']['dir']}/sites-available/cvepatch" do
  owner 'root'
  group node['apache']['root_group']
  mode '0644'
  notifies :restart, 'service[apache2]'
end

Upload cookbook, run chef-client, check results

How default site is enabled?

apache_site 'default' do
  enable node['apache']['default_site_enabled']
end

You can visualize it as a function call...

apache_site('default',true)

and this is called a definition

Enable new vhost
in ../cookbooks/webserver/recipes/default.rb

apache_site 'cvepatch' do
  enable true
end

or, since enable defaults to true, simply:

apache_site 'cvepatch'

Upload cookbook and chef-client run

Error? Again?

STDOUT: Action 'configtest' failed.
The Apache error log may have more information.
...fail!
STDERR: Syntax error on line 6 of /etc/apache2/sites-enabled/cvepatch:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration

It seems like we forgot about mod_rewrite...

Final recipe

include_recipe "apache2"
include_recipe "apache2::mod_rewrite"

template "#{node['apache']['dir']}/sites-available/cvepatch" do
  owner 'root'
  group node['apache']['root_group']
  mode '0644'
  notifies :restart, 'service[apache2]'
end

apache_site 'cvepatch'

Still have to disable default site
ls -la /etc/apache2/sites-enabled/

../cookbooks/attributes/default.rb: false
../roles/node.rb: true
Chef Server GUI: true
How to make it false finally?

Attribute precedence

From: http://docs.opscode.com/essentials_cookbook_attribute_files.html

Override attribute
in ../cookbook/webserver/attributes/default.rb

override['apache']['default_site_enabled'] = false
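Why the wrapper cookbook's override beats the role's default_attributes: the small resolver below is an added model of the precedence table linked above, not Chef's own code. It ranks settings by level (default, normal, override) and, within a level, by the source order Chef applies; the three settings are a constructed sample of the deck's situation, and the source names are my labels.

```ruby
# Levels low to high; within a level, later sources win (order taken from the
# Opscode precedence table the deck links to). This is a model, not Chef code.
LEVELS = %w[default normal override].freeze
SOURCE_ORDER = {
  'default'  => %w[attribute_file recipe environment role],
  'normal'   => %w[attribute_file recipe],
  'override' => %w[attribute_file recipe role environment]
}.freeze

# Each setting: { level:, source:, path: [...], value: }.
# Returns the winning value for path, or nil when nothing sets it.
def resolve(settings, path)
  ranked = settings.select { |s| s[:path] == path }.map do |s|
    level_rank  = LEVELS.index(s[:level])
    source_rank = level_rank && SOURCE_ORDER[s[:level]].index(s[:source])
    raise ArgumentError, "unknown level/source in #{s.inspect}" if level_rank.nil? || source_rank.nil?
    [[level_rank, source_rank], s[:value]]
  end
  return nil if ranked.empty?
  ranked.max_by(&:first).last
end

PATH = %w[apache default_site_enabled].freeze

# The three places the deck ends up setting the flag (constructed sample).
def deck_settings(with_override: true)
  s = [
    # cookbooks/apache2/attributes/default.rb
    { level: 'default', source: 'attribute_file', path: PATH, value: false },
    # roles/node.rb default_attributes
    { level: 'default', source: 'role', path: PATH, value: true }
  ]
  # cookbooks/webserver/attributes/default.rb: override[...] = false
  s << { level: 'override', source: 'attribute_file', path: PATH, value: false } if with_override
  s
end
```

Without the override entry the role wins (true); with it the wrapper cookbook wins (false), which is the result the curl test above expects.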

How to test

curl -X TRACE http://yoursite.com

You should receive HTTP 403, not HTTP 200 OK

Verbose logging

LogLevel warn is not enough for us. We would like to have the log level as a parameter set via attributes.

Verbose logging: Plan

Find what to change in template

Put parameter instead of string

Create attribute

Check

What to change?
../cookbooks/webserver/templates/default/cvepatch.erb

# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel warn

Template parameters

# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel <%= node['apache']['log_level'] %>

Log_level attribute
in ../cookbook/webserver/attributes/default.rb

default['apache']['log_level'] = 'debug'

Platform specificity

We know that our Ubuntu server is reliable enough and doesn't need logging above the 'warn' level, while the rest of our servers need 'debug' level logging. What to do? We met something like this when we were disabling the default site with attributes...

Smart templates

# This is Ubuntu
LogLevel warn

LogLevel debug

node['platform']
in cookbooks/webserver/attributes/default.rb

case node['platform']
when 'ubuntu'
  default['apache']['log_level'] = 'warn'
else
  default['apache']['log_level'] = 'debug'
end

Platform specific templates

../templates/
  default/cvepatch.erb
  ubuntu/cvepatch.erb
  centos-6.4/cvepatch.erb

Works just for Ubuntu

Let's create an Ubuntu-specific template and set LogLevel warn

Many server domains

The problem now is that we would like to use different domains with only one vhost configuration. So you need ServerAlias included several times and the list of additional domains set as an attribute.

Expected changes:

attributes/default.rb

templates/default/ubuntu/cvepatch.erb

Foreach
../cookbooks/webserver/templates/ubuntu/cvepatch.erb

ServerAlias

default['apache']['aliases'] = ['url1.com','url2.com']

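The template-parameter, platform and ServerAlias loop slides above lost their ERB tags in extraction, so here is an added, stand-alone rendering of what a cvepatch.erb along those lines looks like (my reconstruction, not the deck's file). The node is a plain hash standing in for Chef's node object, with the attributes this deck defines; the file path, ServerName and alias list are constructed sample values.

```ruby
require 'erb'

# Stand-in for the Chef node object (constructed): the log level follows the
# case statement from attributes/default.rb, the aliases the attribute above.
def sample_node(platform)
  log_level = platform == 'ubuntu' ? 'warn' : 'debug'
  { 'platform' => platform,
    'apache'   => { 'log_level' => log_level,
                    'aliases'   => ['url1.com', 'url2.com'] } }
end

# Reconstructed template text (stands in for templates/ubuntu/cvepatch.erb).
# `-%>` trims the newline after a control tag so the output stays tidy.
CVEPATCH_ERB = <<~'ERB'
  <VirtualHost *:80>
    ServerName yoursite.com
  <% node['apache']['aliases'].each do |a| -%>
    ServerAlias <%= a %>
  <% end -%>
  <% if node['platform'] == 'ubuntu' -%>
    # This is Ubuntu
  <% end -%>
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel <%= node['apache']['log_level'] %>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
  </VirtualHost>
ERB

# Render the way the template resource does: `node` is visible inside the ERB.
def render_vhost(node)
  ERB.new(CVEPATCH_ERB, trim_mode: '-').result_with_hash(node: node)
end

puts render_vhost(sample_node('ubuntu')) if $PROGRAM_NAME == __FILE__
```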

Password protection

We need to protect our site with a login/password in order to keep it private

admin/password

Password protection
HTTP Basic Authentication

Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /htpasswd
Require valid-user

Copy/paste from http://goo.gl/6sEYT5

htpasswd

We need these contents to be in node['apache']['dir']/htpasswd

admin:$apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0

Copy/paste from http://goo.gl/6sEYT5

Google it!

'chef resource file'

Putting file to server #1
../cookbooks/webserver/recipes/default.rb

file "#{node['apache']['dir']}/htpasswd" do
  owner 'root'
  group node['apache']['root_group']
  mode '0644'
  backup false
  content "admin:$apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0"
end

Putting file to server #2

The 'content' attribute is not really scalable: what if we need 2Kb of text inside?

Let's first comment out the content attribute with #

create file ../cookbooks/webserver/files/default/htpasswd

and put root (not admin!) and password hash to it

Change resource from 'file' to 'cookbook_file'

What to do till the next meeting?

http://dougireton.com/blog/2013/02/16/chef-cookbook-anti-patterns/