Configuration Management in Chef

Materials for training on Opscode Chef delivered with smartme.com.au
by Andriy Samilyak on 30 May 2013

Transcript of Configuration Management in Chef

Chef infrastructure overview
From http://docs.opscode.com/chef_overview.html

CHEF SERVER

Hosted Chef
> Zero-installation
> Unbeatable uptime and support
> Fantastic permission management
> More entities to manage: users/organizations
> More complex
> Expensive

* Behind your firewall

Private Chef
Open source Chef server
Open source chef-solo
Hosted Chef & Private Chef

Open source Chef server
> Free
> Open source
> You will have to maintain it yourself
> Limited permission management

Chef-solo
> one node only
> no API
> perfect for Vagrant or other quick provisioning

How to create free account on Hosted Chef
> Form on http://www.opscode.com/hosted-chef/
> Select current organization
https://manage.opscode.com/organizations
> mkdir ~/.chef
> Save/re-create validation.pem & knife.rb to ~/.chef
> Create client and download API key to ~/.chef
https://manage.opscode.com/clients
> modify knife.rb

log_level :info
log_location STDOUT
node_name 'user'
client_key '/home/${USER}/.chef/user.pem'
validation_client_name 'chef-validator'
validation_key '/etc/chef/validation.pem'
chef_server_url 'http://${SERVER}:4000'
knife.rb OR client.rb

Chef authentication (simplified)
knife / chef-client
Chef server
Auth using PEM-key & Client name
Check against Client public key
Response
client.pem OR validation.pem

# knife configure

Add a node (server)
# knife bootstrap IP/FQDN -x ubuntu -N mynode --sudo
parameters

knife ssh
# knife ssh name:my* "tail /var/log/syslog" -x ubuntu -a ec2.public_hostname

Our goal
Server configuration
github: html source
Apache webserver
/var/www
:80
Simple one this time...

# sudo chef-client

Chef run
From: http://docs.opscode.com/essentials_nodes_chef_run.html

Run list
Role
Recipe

name "magento_autoscale_node"

run_list "role[magento_front_apache]",
"recipe[apache2::capistrano_docroot]",
"recipe[php::module_memcache]",
"recipe[glusterfs::client]",
"recipe[rsync::glusterclient]",
"recipe[monit]"

package "php5-gd" do
  action :install
end

Chef repository
# cd ~
# git clone git://github.com/opscode/chef-repo.git

Cookbook
1. Where to find?
> http://community.opscode.com/cookbooks
> http://github.com
> write one!
2. How to install
# knife cookbook site install apache2

Recipes in run-list
# knife node show mynode
Run List:
Roles:
Recipes: apache2

apache2 == apache2::default

apache2::mod_autoindex

Changing attributes #1
How to set node['apache']['default_site_enabled'] to 'true'?
Let's try changing cookbooks/apache2/attributes.rb
WHY IS IT A BAD IDEA?

Changing attributes #2
Let's do it in GUI?
WHY IS IT A BAD IDEA?

Changing attributes #3
name "mynode"
description "My node"

run_list(
"recipe[apache2::default]"
)

default_attributes "apache" => {
"default_site_enabled" => true
}

# touch roles/mynode.rb
# knife role from file roles/mynode.rb

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

Changing template
1. Change templates/default/default-site.erb directly? Why is it a bad idea?
# knife cookbook create webserver

metadata.rb
depends 'apache2'

roles/mynode.rb
"recipe[apache2::default]" => "recipe[webserver]"

Changing template #2
webserver/recipes/default.rb
include_recipe "apache2"
# sudo chef-client
vhosts are still in place!
1.
2. How to disable default site now?
3. Adding vhost with CVE patch
> apache_site
> template
> rewrite:

Deployment with Chef
# knife cookbook site install application
> add dependency

webserver/recipes/default.rb
application "my_app" do
  path "/var/www"
  repository "git://github.com/werdan/hpmor.git"
end
> resource package for git
> change DocRoot in template

Fun time - second server!
Call me mynode2

Cookbook inheritance
NTP
webserver
base_server
db_server
* ntp daemon
* cron
* chef-client
* apache
* application
* mysql
* etc

chef-client daemon

Further reading
http://dougireton.com/blog/2013/02/16/chef-cookbook-anti-patterns/

New management task!
1. New release is ready for production: We will follow git-flow: master branch -> production, develop -> development server
2. Leave everything as it is on development

Environments - 1
environments/production.rb
name "production"

default_attributes :application => {
:repo_revision => "master"
}

environments/dev.rb
name "dev"

default_attributes :application => {
:repo_revision => "develop"
}

Case: failed PCI DSS audit
Go to http://YOUR_NODE_ADDRESS/icons/
<Directory /usr/share/apache2/icons>
Options -Indexes
</Directory>
Add to webserver/templates/default/protected.erb

Pinning cookbook version
environments/production.rb
cookbook "webserver", "= 0.1.0"
# knife environment from file environments/dev.rb

Berkshelf way
> curl -L https://get.rvm.io | bash -s stable --ruby=1.9.3
> echo "source $HOME/.rvm/scripts/rvm" >> ~/.bash_profile
> source ~/.bash_profile
> sudo gem install chef --no-ri --no-rdoc --version "=10.24.0"
> gem install berkshelf

> cd CHEF_REPO
> berks configure
> echo "site :opscode" > Berksfile

Delete cookbooks apache2/application/ntp from server
Add cookbooks to Berksfile:
cookbook 'application'
> berks update
> berks upload

Subscribe
http://devopsweekly.com/
http://foodfightshow.org/

Debugging with chef
# sudo chef-client -ldebug -Fdoc
# sudo chef-client --why-run
# sudo chef-client -o 'recipe[apache2::mod_dav]'
Chef::Log.info("Your message")
log("Your message to put it simple")

Debugging with Shef
# sudo shef -z -c /etc/chef/client.rb

chef> recipe
chef:recipe> include_recipe "webserver"
chef:recipe> exit
chef> run_chef
chef> chef_run.skip_back 40
chef> chef_run.step
chef> node[:application][:repo_revision]

Foodcritic lint
> sudo apt-get install libxslt-dev libxml2-dev
> gem install foodcritic --no-ri --no-rdoc
> cd CHEF_REPO
> foodcritic cookbooks/webserver

Being even more serious
> git clone git://github.com/customink-webops/foodcritic-rules.git foodcritic/customink
> git clone git://github.com/etsy/foodcritic-rules.git foodcritic/etsy
> foodcritic -I foodcritic/* cookbooks/webserver

Knife plugins
Easy SSH login https://github.com/werdan/knife-sshx
Amazon EC2 https://github.com/opscode/knife-ec2

Configuration Management in Chef
Andriy Samilyak

samilyak@gmail.com
skype: samilyaka

and knife status
http://docs.opscode.com/just_enough_ruby_for_chef.html

Why chef?
"Our primary competitor is the in-house, home-grown tooling that every systems engineer has had to cobble together to deal with their legacy environments. That’s our principal competitor."
Jesse Robbins, Opscode co-founder

Why Chef?
* Less documentation
* Bash doesn't scale
* Technically cool
* Stop reinventing the wheel
http://devopsanywhere.blogspot.com/2011/10/why-chef.html

Why not?
* Don't automate your first step. Try and only then automate
* You are short of time
* Is not really suited for creating (NOT configuring) new servers and orchestration

Node run list
Recipe customization
Magic
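
The "Chef authentication (simplified)" slide has the client authenticate with its PEM key and client name, and the server check the request against that client's public key. The Ruby below is an added example, not part of the original slides and not Chef's actual wire format; the SimplifiedServer class, the canonical string layout, the 900-second window and the /nodes/mynode path are assumptions made for illustration.

```ruby
require "openssl"
require "digest"

# String both sides sign/verify: method, path, body hash, timestamp, client name.
def canonical(req)
  [req[:method], req[:path], Digest::SHA256.hexdigest(req[:body]),
   req[:timestamp], req[:client]].join("\n")
end

# Client side (knife / chef-client role): sign with the private PEM key.
def sign_request(client, private_key, method, path, body, timestamp: Time.now.to_i)
  req = { client: client, method: method, path: path, body: body, timestamp: timestamp }
  sig = private_key.sign(OpenSSL::Digest.new("SHA256"), canonical(req))
  req.merge(signature: [sig].pack("m0")) # base64, as it would travel in a header
end

# Server side: stores only public keys, looked up by client name.
class SimplifiedServer
  MAX_SKEW = 900 # seconds; assumed window that limits replay of old requests

  def initialize
    @clients = {}
  end

  def register(name, public_pem)
    @clients[name] = OpenSSL::PKey::RSA.new(public_pem)
  end

  # Returns :ok, or the reason the request was rejected.
  def verify(req, now: Time.now.to_i)
    key = @clients[req[:client]]
    return :unknown_client if key.nil?
    return :stale_timestamp if (now - req[:timestamp]).abs > MAX_SKEW
    sig = req[:signature].unpack1("m0")
    key.verify(OpenSSL::Digest.new("SHA256"), sig, canonical(req)) ? :ok : :bad_signature
  rescue OpenSSL::PKey::PKeyError, ArgumentError
    :bad_signature
  end
end

def demo
  key = OpenSSL::PKey::RSA.new(2048) # constructed key; stands in for user.pem
  other = OpenSSL::PKey::RSA.new(2048) # a key the server never registered
  server = SimplifiedServer.new
  server.register("user", key.public_key.to_pem)
  good = sign_request("user", key, "GET", "/nodes/mynode", "")
  { good: server.verify(good),
    tampered: server.verify(good.merge(path: "/nodes/mynode2")),
    wrong_key: server.verify(sign_request("user", other, "GET", "/nodes/mynode", "")),
    stale: server.verify(sign_request("user", key, "GET", "/nodes/mynode", "", timestamp: Time.now.to_i - 3600)),
    unknown: server.verify(sign_request("nobody", key, "GET", "/nodes/mynode", "")) }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Because the server keeps only public keys, the private PEM files under ~/.chef and /etc/chef are the credentials to protect: anyone who can read them can sign requests as that client.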