Orchestration with Chef
Download as PPT, PDF0 likes810 views
This document outlines a presentation on DevOps orchestration with Chef. The agenda includes discussing Chef provisioning, secret management with data bags and Chef Vault, cookbook versioning, dependency management, and test driven infrastructure. Chef provisioning allows managing infrastructure repeatably across environments. Secret management techniques like data bags and Chef Vault are presented. Test driven development for infrastructure configuration includes unit testing, integration testing, and auditing cookbooks.
![04/06/16 Mayank Gaikwad
• with_chef_server "https://console.chef.io/organizations/mgdevstack",
:client_name => Chef::Config[:node_name],
:signing_key_filename => Chef::Config[:client_key]
• with_machine_options({
convergence_options: {
:ssl_verify_mode => :verify_none
},
bootstrap_options: {
image_id: "ami-08173648",
instance_type: "m1.small",
key_name: “mg-keypair", # If not specified, this will be used and generated
key_path: "/root/.ssh/mg-keypair.pem",
user_data: “~/chef/chef_user_data"
},
ssh_username: 'ec2-user',
security_groups: ["default"],
:transport_address_location => :private_ip,
:sudo => true
})](https://image.slidesharecdn.com/chefmeetupjune16-160604091823/85/Orchestration-with-Chef-4-320.jpg)
![Chef-Vault continued..
knife vault show credentials database
if user is admin.. Databag content will be shown else it will show
encrypted databag
Using vault within recipe
include_recipe ‘chef-vault’
vault = chef_vault_item(:credentials, ‘database’)
node.set[‘database’][‘password’] = vault[‘password’]
Edit Vault
knife vault edit credentials database
Delete item within vault
knife vault delete credentials database
04/06/16 Mayank Gaikwad](https://image.slidesharecdn.com/chefmeetupjune16-160604091823/85/Orchestration-with-Chef-11-320.jpg)
![Foodcritic rules
FC001 : accesses node attributes with
symbols
# Don't do this
package node[:cookbook][:package] do
action :install
End
package node['cookbook']['package'] do
action :install
end
FC004: Use a service resource to start and
stop services
# Don't do this
execute 'start-tomcat' do
command '/etc/init.d/tomcat6 start'
action :run
End
service 'tomcat' do
action :start
end
04/06/16 Mayank Gaikwad](https://image.slidesharecdn.com/chefmeetupjune16-160604091823/85/Orchestration-with-Chef-18-320.jpg)
Orchestration with Chef
- 1. DevOps Orchestration with Chef Presented By: Mayank Gaikwad 04/06/16 Mayank Gaikwad
- 2. Agenda 04/06/16 Mayank Gaikwad • Chef Provisioner • Secret Management • Cookbook Versioning • Dependency Management • Test Driven Infrastructure
- 3. Chef Provisioning “ Allows to manage infrastructure with repeatable resource creation/deletion on different environment from dev, QA to production in very abstract and easy way” This is next step forward , Chef as configuration management tool What can be achieved- Idempotency Cluster Management Parallel Provisioning 04/06/16 Mayank Gaikwad
- 4. 04/06/16 Mayank Gaikwad • with_chef_server "https://console.chef.io/organizations/mgdevstack", :client_name => Chef::Config[:node_name], :signing_key_filename => Chef::Config[:client_key] • with_machine_options({ convergence_options: { :ssl_verify_mode => :verify_none }, bootstrap_options: { image_id: "ami-08173648", instance_type: "m1.small", key_name: “mg-keypair", # If not specified, this will be used and generated key_path: "/root/.ssh/mg-keypair.pem", user_data: “~/chef/chef_user_data" }, ssh_username: 'ec2-user', security_groups: ["default"], :transport_address_location => :private_ip, :sudo => true })
- 5. Secret Management 04/06/16 Mayank Gaikwad • Data bags ( Bags to share data/secret across nodes ) • Encrypted Data bags ( Requires key management across nodes ) • Chef-Vault ( Provides 2 layer encryption decryption mechanism with no hassle to manage keys across nodes )
- 6. Data Bags Data Bag Creation: Knife data bag create bag_name item_name knife data bag from file bag_name path_to/item_name.json Encrypting Data Bag openssl rand -base64 512 | tr -d 'rn' > encrypted_data_bag_secret knife data bag create bag_name item_name --secret encrypted_data_bag_secret { /* This is a supported comment style */ // This style is also supported "id": "ITEM_NAME", "key": "value" } 04/06/16 Mayank Gaikwad
- 7. Uses shared secret key to encrypt data. Overhead of distributing keys and maintaining security during key share 04/06/16 Mayank Gaikwad
- 8. Client and Node’s public and private key store 04/06/16 Mayank Gaikwad
- 9. Chef-vault When encrypted data created with chef-vault, it encrypts data-bag with random shared secret key. Generated Secret key then encrypted with user’s and nodes public key on chef server. So provides 2 layers of encryption. With out managing secret key. 04/06/16 Mayank Gaikwad
- 10. Chef-Vault continued.. Installation gem install chef-vault Vault Creation knife vault create credentials database -A mayank, meet -M client -S ‘name:poc-meetup*’ -J ./database.json -A Users/ Nodes names -M Mode for chef-vault client -- if Chef-Server solo -- if Chef-Solo -S Node search parameter where vault can be decrypted Vault Deletion: knife data bag delete credentials 04/06/16 Mayank Gaikwad
- 11. Chef-Vault continued.. knife vault show credentials database if user is admin.. Databag content will be shown else it will show encrypted databag Using vault within recipe include_recipe ‘chef-vault’ vault = chef_vault_item(:credentials, ‘database’) node.set[‘database’][‘password’] = vault[‘password’] Edit Vault knife vault edit credentials database Delete item within vault knife vault delete credentials database 04/06/16 Mayank Gaikwad
- 12. Vault Commands Add Admin user knife vault update credentials database -A “new-username” Add new Node knife vault update credentials database -S “search-query-for-nodes” Updating users key knife vault refresh credentials database Removing user knife vault remove credentials database -A “role:base” 04/06/16 Mayank Gaikwad
- 13. Test Driven Infrastructure Convergence phases: pre-convergence: syntax checking unit testing, lint checking convergence: post-convergence: verifies if node is in desired state(auditing) Testing workflow •Code Correctness - Foodcritic and Rubocop •Unit Tests and testing - ChefSpec •Integration Tests - Test Kitchen and ServerSpec 04/06/16 Mayank Gaikwad
- 14. Unit Testing package "httpd" do action :install end it "installs the httpd package" do expect(chef_run).to install_package("httpd") end 04/06/16 Mayank Gaikwad
- 15. Rubocop Does Linting and convention check Discover code style violation Rubocop.yml 04/06/16 Mayank Gaikwad
- 16. Foodcritic Checks cookbook for common problems •Style •Correctness •Syntax •Best practices •Common mistakes •Deprecations Typically run against cookbook Currently 61 rules to check linting, style guide and best practices To exclude rule FC003: foodcritic cookbooks/ --tags ~FC003 04/06/16 Mayank Gaikwad
- 17. 04/06/16 Mayank Gaikwad Foodcritic Rules
- 18. Foodcritic rules FC001 : accesses node attributes with symbols # Don't do this package node[:cookbook][:package] do action :install End package node['cookbook']['package'] do action :install end FC004: Use a service resource to start and stop services # Don't do this execute 'start-tomcat' do command '/etc/init.d/tomcat6 start' action :run End service 'tomcat' do action :start end 04/06/16 Mayank Gaikwad
- 19. Auditing cookbook Cookbook/meetup/recipes/audit.rb control_group 'Server Auditing:: ' do control 'service' do it 'should be stopped' do expect(service('crond')).to_not be_running end end end 04/06/16 Mayank Gaikwad
- 20. Questions & Answers 04/06/16 Mayank Gaikwad
- 21. Thanks You 04/06/16 Mayank Gaikwad
Editor's Notes
- #14: Stretegy: Use of Linting tools to adhere conventions provides uniformity, portability Use of Testing tools to verify cookbook is accomplishing intended goals