Chef training - Day3
Download as ODP, PDF2 likes1,551 views
The document outlines key concepts related to deploying applications using Chef, focusing on resources like file, cookbook_file, and managing user access through htpasswd and data bags. It includes steps for setting up password protection on a web server, using Berkshelf for cookbook management, and implementing user authentication with private data stored in JSON format. The document also emphasizes the importance of scalable configurations and user management through Chef's search API.
![Password protection
HTTP Basic Authentication
<Directory <%= node['apache']['docroot_dir'] %>/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile <%= node['apache']['dir'] %>/htpasswd
Require valid-user
</Directory>
Copy/paste from http://goo.gl/6sEYT5](https://image.slidesharecdn.com/chefday3-131219094333-phpapp02/85/Chef-training-Day3-4-320.jpg)
![htpasswd
We need this contents to be in
node['apache']['dir']/htpasswd
admin:$apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0
Copy/paste from http://goo.gl/6sEYT5](https://image.slidesharecdn.com/chefday3-131219094333-phpapp02/85/Chef-training-Day3-5-320.jpg)
![Putting file to server #1
../cookbooks/webserver/recipes/default.rb
file "#{node['apache']['dir']}/htpasswd" do
owner 'root'
group node['apache']['root_group']
mode '0644'
backup false
content "admin:
$apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0"
end](https://image.slidesharecdn.com/chefday3-131219094333-phpapp02/85/Chef-training-Day3-7-320.jpg)
![Putting file to server #2
../cookbooks/webserver/recipes/default.rb
cookbook_file "#{node['apache']['dir']}/htpasswd" do
owner 'root'
group node['apache']['root_group']
mode '0644'
backup false
end](https://image.slidesharecdn.com/chefday3-131219094333-phpapp02/85/Chef-training-Day3-9-320.jpg)
![Example:
htpasswd "/etc/apache2/htpasswd" do
user node['webserver']['auth_user']
password node['webserver']['auth_pass']
end](https://image.slidesharecdn.com/chefday3-131219094333-phpapp02/85/Chef-training-Day3-16-320.jpg)
![user1.json
{
"id": "user1",
"pass": "password",
"nodes" : ["yournode1", "yournode2"]
}](https://image.slidesharecdn.com/chefday3-131219094333-phpapp02/85/Chef-training-Day3-22-320.jpg)
![Search API
search(:htpasswd, "nodes:#{node.name}") do |user|
#add line to file user['pass']
end](https://image.slidesharecdn.com/chefday3-131219094333-phpapp02/85/Chef-training-Day3-24-320.jpg)
![Just an example of solution...
file "#{node['apache']['dir']}/htpasswd" do
action :delete
end
search(:htpasswd, "nodes:#{node.name}") do |user|
htpasswd "#{node['apache']['dir']}/htpasswd" do
user user['id']
password user['pass']
notifies :reload, 'service[apache2]'
end
end](https://image.slidesharecdn.com/chefday3-131219094333-phpapp02/85/Chef-training-Day3-25-320.jpg)
Chef training - Day3
- 1. Начала DevOps: Opscode Chef Day 3 Andriy Samilyak [email protected] skype: samilyaka
- 2. Goals ● New resources: file, cookbook_file ● Berkshelf ● DataBags ● Deployment with Chef ● Environments
- 3. Password protection We need to close our site by login/password in order to keep it private admin/password
- 4. Password protection HTTP Basic Authentication <Directory <%= node['apache']['docroot_dir'] %>/> Options Indexes FollowSymLinks MultiViews AllowOverride None AuthType Basic AuthName "Restricted Files" AuthBasicProvider file AuthUserFile <%= node['apache']['dir'] %>/htpasswd Require valid-user </Directory> Copy/paste from http://goo.gl/6sEYT5
- 5. htpasswd We need this contents to be in node['apache']['dir']/htpasswd admin:$apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0 Copy/paste from http://goo.gl/6sEYT5
- 6. Google it! 'chef resource file'
- 7. Putting file to server #1 ../cookbooks/webserver/recipes/default.rb file "#{node['apache']['dir']}/htpasswd" do owner 'root' group node['apache']['root_group'] mode '0644' backup false content "admin: $apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0" end
- 8. Putting file to server #2 ● 'content' attribute is not really scalable – what if we need 2Kb of text inside? ● Lets first comment out with # content attribute ● create file ../cookbooks/webserver/files/default/htpasswd ● and put root (not admin!) and password hash to it ● Change resource from 'file' to 'cookbook_file'
- 9. Putting file to server #2 ../cookbooks/webserver/recipes/default.rb cookbook_file "#{node['apache']['dir']}/htpasswd" do owner 'root' group node['apache']['root_group'] mode '0644' backup false end
- 10. Welcome Berks-way! gem install berkshelf Test it with “berks -v” -------------------------------------------------------------On Windows you'll need to add to chefrepo/.berkshelf/config.json: "ssl": { "verify": false }
- 11. Move out community cookbooks ● Add a line to Berksfile: cookbook “cookbook” path: cookbooks/webserver ● berks install ← download cookbook to local folder ● berks upload ← upload cookbooks to Chef Server ● remove 'apache2' folder from chef_repo Where is cookbook now anyway?
- 12. Well done! Lets put it to git git commit -a -m “Initial commit” git push origin master
- 13. Berks locations ● site: cookbook "artifact", site: "http://cookbooks.opscode.com/api/v1/cookbooks" cookbook "artifact", site: :opscode ● git: cookbook "mysql", git: "https://github.com/opscodecookbooks/mysql.git", branch: "foodcritic"
- 14. Lets do it better now! https://github.com/Youscribe/htpasswdcookbook Goal: specify user/pass with cookbook attributes Copy/paste from http://goo.gl/6sEYT5
- 15. New cookbook in Berksfile cookbook "htpasswd", git: https://github.com/Youscribe/htpasswdcookbook.git
- 16. Example: htpasswd "/etc/apache2/htpasswd" do user node['webserver']['auth_user'] password node['webserver']['auth_pass'] end
- 17. Htpasswd - review ● webserver/metadata.rb: add dependency ● recipes/default.rb: add resource httpasswd ● attributes/default.rb: add two attributes ● berks update & berks upload
- 18. Managing users access Site User1/pass User2/pass User3/pass Site Backend User1/pass User3/pass Store Backend User3/pass
- 20. Managing user access - Plan ● Keep user/pass with granted nodes ● Find all users for current node ● Generate htpasswd by adding hash for each user
- 22. user1.json { "id": "user1", "pass": "password", "nodes" : ["yournode1", "yournode2"] }
- 23. Data bag CLI knife data bag create htpasswd knife data bag from file htpasswd user1.json knife data bag from file htpasswd data_bags/htpasswd/* knife search htpasswd "(id:user1)" knife search htpasswd "(nodes:yournode)"
- 24. Search API search(:htpasswd, "nodes:#{node.name}") do |user| #add line to file user['pass'] end
- 25. Just an example of solution... file "#{node['apache']['dir']}/htpasswd" do action :delete end search(:htpasswd, "nodes:#{node.name}") do |user| htpasswd "#{node['apache']['dir']}/htpasswd" do user user['id'] password user['pass'] notifies :reload, 'service[apache2]' end end