Chef 101: Breaking Down the Jargon

Slides from my GlueCon 2015 presentation

Joshua Timberman

May 20, 2015
Transcript

  1. Think about your application...
     • It has a code repository
     • That has to be deployed on a filesystem
     • It has a configuration file
     • It runs as a non-privileged user
     • It runs a service
  2. (Diagram) Round Robin DNS → App Servers → App DB, Cache, App DBs
     Floating IP? Yours is a snowflake.
  3. (Diagram) App LBs → App Servers → DB slaves, Cache DB, Cache DBs
     Shiny! Complexity increases quickly. Are we monitoring?? These are all microservices, of course.
  4. (Image slide)
  5. Cure Technical Debt Wounds for 1d8 Lines of Code
     • Help improve internal process, use of Chef at Chef
     • System Administrator, Software Developer
     • Based in Westminster, CO
     • Contact: jtimberman pretty much everywhere, and [email protected]
  6. Major Topics (in talk abstract order)
     • Configuration Management, system integration
     • Complete infrastructure automation
     • Resources, providers, recipes, cookbooks
     • Chef Server
     • Test Driven Infrastructure
     • Chef Provisioning
     • Walls of text and funny weird interesting images
  7. My goal today is to help you:
     • Have context about Chef
     • Know what Chef does
     • Know how to get started with Chef
     • Understand how Chef can help solve business problems
  8. Chef Software, Inc. (1/3)
     • Chef, the company
     • Based in Seattle, with widely distributed workforce
     • Raised $60 million; +192% YoY growth
     • Hiring! (chef.io/careers)
  9. Chef, the binary (3/3)
     • Comes with ChefDK
     • Plugin-based workflow tool
     • We were missing a program named `chef` for years
     • I'll talk about this later
  10. Chef Client is written in Ruby
     • Chef recipes you write are also Ruby!
     • https://docs.chef.io/chef/dsl_recipe.html
     • https://www.ruby-lang.org/en/
  11. Chef is distributed as native packages
     • curl -L https://www.chef.io/chef/install.sh | less
     • https://speakerdeck.com/jtimberman/stop-demonizing-curl-bash
     • https://packagecloud.io/chef/stable
  12. chef-client
     • Runs on the nodes that should be configured
     • Nodes are the things managed by Chef
     • Nodes authenticate as API Clients to the Server
     • The Server stores the public key for the Clients
  13. % sudo chef-client
     Starting Chef Client, version 12.3.0
     resolving cookbooks for run list: ["build-essential"]
     Synchronizing Cookbooks:
       - build-essential
     Compiling Cookbooks...
     Converging 1 resource
     Recipe: build-essential::_mac_os_x
       * xcode_command_line_tools[install] action install (up to date)
     Running handlers:
     Running handlers complete
     Chef Client finished, 0/1 resources updated in 5.131888 seconds
  14. Chef Server
     • Formerly Open Source Chef, Private Chef, Enterprise Chef
     • Run your own Chef Server
     • Entirely Open Source as of Chef Server 12
     "There is One Chef Server, and it is Open Source" - Adam Jacob
     https://www.chef.io/blog/2014/09/08/there-is-one-chef-server-and-it-is-open-source/
  15. chef-zero
     % chef-zero
     >> Starting Chef Zero (v4.2.1)...
     >> WEBrick (v1.3.1) on Rack (v1.5) is listening at http://127.0.0.1:8889
     >> Press CTRL+C to stop
     % knife client create demo -d -z
     Created client[demo]
     % knife client list -z
     demo
  16. chef-solo
     • Most functionality is the same
     • No server to manage
     • No server to publish cookbooks, search, etc.
     • Server features can be emulated, but aren't completely the same
  17. The Chef Software Platform (diagram)
     • Chef Development Kit: Cookbook and Policy Authoring, Test-Driven Infrastructure
     • Chef Server: Management Console, Analytics Platform, High Availability and Replication
     • Chef Client: Nodes, in the Data Center and in The Cloud
  18. Building Blocks: What is a Resource?
     • A Resource is system state you define
     • You declare resource state using the recipe DSL

       package "httpd" do
         action :install
       end

       windows_feature "IIS-WebServerRole" do
         action :install
       end
  19. Many Resources are included in Chef
     • package • template • service • user • group • directory • remote_file • git • chef_gem • gem_package • windows_package • windows_service • dsc_resource • powershell_script • deploy • mdadm • mount • many more!
  20. Example Resources

       package 'example'

       user 'example' do
         home '/opt/example'
         shell '/bin/false'
         system true
       end

       template '/opt/example/example.conf' do
         notifies :restart, 'service[example]'
       end

       service 'example' do
         supports :restart
         action [:enable, :start]
       end
  21. Resources have a type (same example as slide 20: package, user, template, service)
  22. Resources have a name (same example: 'example', '/opt/example/example.conf')
  23. Resources have properties (same example: home, shell, system, supports)
  24. Resources have actions (same example: action [:enable, :start]). Chef has a default action for all resources.
  25. Resources can notify other resources (same example: notifies :restart, 'service[example]')
  26. Building Blocks: What is a Recipe?
     • An abstraction of a service that consists of a collection of resources to deliver that service
     • Resources are converged in the order they are listed

     On Linux based OSes:

       package "httpd" do
         action :install
       end

       template "/var/www/index.html" do
         source "index.html.erb"
         mode "0644"
       end

       service "httpd" do
         action [ :enable, :start ]
       end

     On Windows:

       windows_feature "IIS-WebServerRole" do
         action :install
       end

       template 'c:\inetpub\wwwroot\Default.htm' do
         source "Default.htm.erb"
         rights :read, "Everyone"
       end

       service "w3svc" do
         action [ :enable, :start ]
       end
  27. Wait, converge?
     By converge, we mean to bring the state of the system in line with what we've declared in the policy (recipe). Chef resources are configured by providers that take action to put resources in the desired state. That is, Chef performs "test and repair" operations. Actions are not taken if the resource is already in the desired state. Providers can be platform specific, e.g. "yum" or "apt" for the "package" resource.
  28. Building Blocks: What is a Cookbook?
     • A cookbook is a set of recipes and supporting assets (templates, etc.)
     • A cookbook is a defined set of items and different outcomes that you expect to address

       ./attributes
       ./attributes/default.rb
       ./CHANGELOG.md
       ./metadata.rb
       ./README.md
       ./recipes
       ./recipes/application.rb
       ./recipes/balancer.rb
       ./recipes/database.rb
       ./recipes/default.rb
       ./recipes/webserver.rb
       ./templates
       ./templates/default
       ./templates/default/mysite.conf.erb
  29. Building Blocks: What is a Role?
     • Roles apply specific attributes and run lists to nodes

       chef_type:           role
       default_attributes:
         my-app:
           application:
             version: 1.5.6
       description:         Role for my application
       json_class:          Chef::Role
       name:                my_application_role
       run_list:
         role[base]
         recipe[my-app::application]
  30. Building Blocks: What is an Environment?
     • Environments define version constraints for cookbooks... uh, per environment

       chef_type:           environment
       cookbook_versions:
         database: 2.2.0
       default_attributes:
         myapp:
           application:
             version: 1.2.3
       description:         Our production environment
       json_class:          Chef::Environment
       name:                production
  31. Building Blocks: What is a Data Bag?
     • Define global data in JSON
     • Accessible "everywhere"

       {
         "id": "myapp",
         "repository": "[email protected]/myapp.git",
         "revision": "master",
         "database": {
           "user": "superuser",
           "password": "just kidding we'd encrypt this"
         },
         "api_fqdn": "myapp.example.com"
       }
  32. Data bags can be encrypted
     • Encrypted data bags are built into Chef
     • Chef Vault* is a library by Nordstrom for shared secret management/distribution

       deploy_key:
         cipher:         aes-256-cbc
         encrypted_data: lIpW3sqd69wXt7+MB+uGXr0GfcrEf6rOnHLMA7H00ZCbTxMcEypguGD22w23
         qzEZSzCf2ahv67CtcfrDGvUoWS57Gp5/QoR4WBYKQQUplY0LPtXMZFDISCLU
         a0aNhrzrXhT9eDKNpru7hpuEkOZPRNstx1121bdMZ9lm1/6BPBeIWUYrxAeS
         ...
         iv:             tpz6zFz9xkscoi36kRw4JQ==
         version:        1
       id: jenkins_ssh_key

     *Not to be confused with Hashicorp's Vault
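An added example, not from the deck and not Chef's own code, of producing and reading the version-1 layout shown on slide 32 with Ruby's OpenSSL. The secret and the item are constructed, and the key derivation (SHA-256 of the secret) and the {"json_wrapper": value} envelope are assumptions about Chef's v1 format rather than something the slide states.

```ruby
require 'openssl'
require 'json'

# Constructed secret for this demo only; in practice it is the contents of
# the node's encrypted_data_bag_secret file.
DEMO_SECRET = 'constructed-demo-secret-not-for-real-use'

# Encrypt one field in the version-1 layout the slide shows: aes-256-cbc,
# base64 ciphertext and iv, "version" => 1. Deriving the key as SHA-256 of
# the secret and wrapping the value in {"json_wrapper" => value} are
# assumptions about Chef's v1 format, not Chef's own code.
def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = OpenSSL::Digest::SHA256.digest(secret)
  iv = cipher.random_iv                      # fresh IV per field
  plaintext = JSON.generate('json_wrapper' => value)
  ciphertext = cipher.update(plaintext) + cipher.final
  { 'encrypted_data' => [ciphertext].pack('m'),   # base64, line-wrapped as on the slide
    'iv' => [iv].pack('m'),
    'version' => 1,
    'cipher' => 'aes-256-cbc' }
end

# Reverse of the above. CBC carries no authentication tag, so a wrong secret
# surfaces as a padding error (CipherError) or a JSON parse error rather than
# a clean "bad key" result; later Chef format versions add authentication.
def decrypt_field(field, secret)
  raise ArgumentError, "unsupported version #{field['version']}" unless field['version'] == 1
  cipher = OpenSSL::Cipher.new(field['cipher'])
  cipher.decrypt
  cipher.key = OpenSSL::Digest::SHA256.digest(secret)
  cipher.iv = field['iv'].unpack1('m')
  plaintext = cipher.update(field['encrypted_data'].unpack1('m')) + cipher.final
  JSON.parse(plaintext).fetch('json_wrapper')
end

# Every field except "id" is encrypted, so the item can still be addressed.
def encrypt_item(item, secret)
  item.to_h { |k, v| [k, k == 'id' ? v : encrypt_field(v, secret)] }
end

def decrypt_item(item, secret)
  item.to_h { |k, v| [k, k == 'id' ? v : decrypt_field(v, secret)] }
end

# Constructed item shaped like the slide's jenkins_ssh_key entry.
SAMPLE_ITEM = { 'id' => 'jenkins_ssh_key',
                'deploy_key' => "-----BEGIN DEMO KEY-----\nnot a real key\n" }

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(encrypt_item(SAMPLE_ITEM, DEMO_SECRET))
end
```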
  33. Chef knows about the node it runs on

       {
         "cpu": {
           "real": 4,
           "total": 8
         },
         "platform": "mac_os_x",
         "platform_version": "10.10.3",
         "platform_family": "mac_os_x",
         "current_user": "jtimberman",
         "root_group": "wheel"
       }
  34. Data from ohai is saved on the server
     % knife node show champagne
     Node Name:   champagne
     Environment: _default
     FQDN:
     IP:          10.13.37.102
     ...
     Platform:    mac_os_x 10.10
     Tags:
  35. Other node data is stored on the server
     % knife node show champagne -m
     Node Name:   champagne
     Attributes:
       rbenv:
         install_pkgs: git
       ruby_build:
         install_git_pkgs:
           git-core
  36. TL;DR: our advice
     • Use default where you need to set attributes
     • The others are there if/when you need them
  37. % knife --help | grep COMMANDS
     ** BOOTSTRAP COMMANDS **
     ** CLIENT COMMANDS **
     ** COOKBOOK COMMANDS **
     ** COOKBOOK SITE COMMANDS **
     ** DATA BAG COMMANDS **
     ** ENVIRONMENT COMMANDS **
     ** EXEC COMMANDS **
     ** NODE COMMANDS **
     ** PATH-BASED COMMANDS **
     ** RAW COMMANDS **
     ** RECIPE COMMANDS **
     ** ROLE COMMANDS **
     ** SEARCH COMMANDS **
     ** SSH COMMANDS **
     ** STATUS COMMANDS **
     ** TAG COMMANDS **
     ** USER COMMANDS **
     And more! 26 sub-commands installed by default
  38. % knife user show jtimberman
     admin:      false
     name:       jtimberman
     public_key: -----BEGIN PUBLIC KEY-----
     MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvhYooPZJIE6Dr0g2g8f1
     VUFu6JydX6Wugzs44uYGcLUpg6uZ9aE0t9C8/zMAjBt7mZy8O/ZenWfsRsnrlBnR
     Qen7w9BgWkCX+5VqFm91S8J5FlyQGSS5co7t8FglZrn692upLRDo+ycUZVLvg+KF
     snd20FRT9s3VMko0SVx5eTY9Qq3TIi9A4sDYGUeaczf4X/zSHgd1WM5g3okswP16
     hevCc1LGiv5SfCviBqfFXL2CSzy0SSY0/B2x/s3cCE25l0A7HbmbqjhL+F0iNlAU
     whXM1yZlyFO4cRRyApaF9JNBR8wYkmC4yiRaDbztBo7kNaEAdAmxAEebqw5Of5PH
     MQIDAQAB
     -----END PUBLIC KEY-----
  39. % chef gem list knife
     *** LOCAL GEMS ***
     knife-acl (0.0.12)
     knife-cloud (1.0.1)
     knife-config (1.1.0)
     knife-ec2 (0.10.0)
     knife-openstack (1.0.0)
     knife-report-resource (1.0.0)
     knife-reporting (0.4.1)
     knife-solve (1.0.1)
     knife-spork (1.5.0)
     knife-supermarket (0.2.1)
     knife-windows (0.8.4, 0.8.2)
     Get more from rubygems.org, or publish your own!
  40. % chef --version
     Chef Development Kit Version: 0.6.0
     chef-client version: 12.3.0
     berks version: 3.2.4
     kitchen version: 1.4.0
  41. The old way: knife bootstrap, cloud plugins
     % knife ec2 server create --ssh-user ubuntu -f m1.small -I ami-57516467 --region us-west-2 -S jtimberman -i ~/.ssh/chef-aws-jtimberman.pem -g default --hint=ec2.json -r 'role[appserver]'
  42. The old way: knife bootstrap, cloud plugins
     % knife ec2 server create --help | wc -l
     90
     What is this, tar or rsync?!
  43. The new way: Chef Provisioning

       require 'chef/provisioning/aws_driver'
       with_driver 'aws'

       machine 'appserver1' do
         machine_options(
           bootstrap_options: {
             key_name: 'provisioner',
             image_id: 'ami-b99ed989',
             instance_type: 'm3.medium'
           }
         )
         recipe 'myapp::frontend'
         action :converge
       end
  44. Multiple Machines

       machine 'appserver1' do
         ...
       machine 'appserver2' do
         ...
       machine 'database1' do
         ...
       machine 'shiny1' do
         ...
       etc.
  45. Chef Provisioning
     • Write recipes with machine resources
     • Optionally drive them with data
     • Track it in source control
     • Convergent, idempotent
  46. Chef Provisioning Examples
     • Chef Provisioning a Chef Server Cluster
     • https://www.youtube.com/watch?v=HUQA1Ikm5Iw
  47. Configuration Management:
     • Test and repair nodes to bring them in line with policy
     • Prevent configuration drift over time
  48. Test and Repair
     $ getent passwd example
     < no results! >
     $ sudo chef-apply -e "user 'example' do
       home '/opt/example'
       shell '/bin/false'
       system true
     end
     "
  49. Create the user
     Recipe: (chef-apply cookbook)::(chef-apply recipe)
       * user[example] action create
     DEBUG: user[example] user does not exist
     DEBUG: user[example] setting shell to /bin/false
     DEBUG: user[example] setting home to /opt/example
     INFO: user[example] created
       - create user example
     $ getent passwd example
     example:x:999:999::/opt/example:/bin/false
  50. What if we wanted to change the UID?
     % sudo chef-apply -l debug -e "
     user 'example' do
       home '/opt/example'
       shell '/bin/false'
       uid '333'
       system true
     end
     "
  51. Chef only changes what it needs to change
     Recipe: (chef-apply cookbook)::(chef-apply recipe)
       * user[example] action create
     DEBUG: user[example] setting uid to 333
     INFO: user[example] altered
       - alter user example
     $ getent passwd example
     example:x:333:999::/opt/example:/bin/false
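An added illustration, not Chef's code, of the test-and-repair loop that slides 27 and 48 to 51 describe and the resource/notification model of slides 20 to 25: toy resources, providers that report only the changes they made, and notifications fired at the end of the run only by resources that actually changed. The passwd table, the service table and the file path are constructed stand-ins for the real system.

```ruby
require 'tmpdir'

# Constructed stand-ins for system state (a passwd table and service status).
PASSWD = {}
SERVICES = Hash.new { |h, k| h[k] = { running: false, restarts: 0 } }

# A resource declares desired state only; it takes no action itself.
class Resource
  attr_reader :type, :name, :action, :props, :notifications
  def initialize(type, name, action: :create, **props)
    @type, @name, @action, @props = type, name, action, props
    @notifications = []            # [action, target resource] pairs
  end

  def notifies(action, target)
    @notifications << [action, target]
  end
end

# Providers: test the current state and repair only the properties that
# differ. Each returns the list of changes it made; [] means "up to date".
PROVIDERS = {
  user: lambda do |r, _action|
    current = PASSWD[r.name]
    if current.nil?
      PASSWD[r.name] = r.props.dup
      return ["create user #{r.name}"]
    end
    diff = r.props.reject { |k, v| current[k] == v }
    current.merge!(diff)
    diff.map { |k, v| "alter user #{r.name}: set #{k} to #{v}" }
  end,
  file: lambda do |r, _action|
    path = r.props[:path]
    return [] if File.exist?(path) && File.read(path) == r.props[:content]
    File.write(path, r.props[:content])
    ["update content in file #{path}"]
  end,
  service: lambda do |r, action|
    svc = SERVICES[r.name]
    return [] if action == :start && svc[:running]   # already running
    svc[:running] = true
    svc[:restarts] += 1 if action == :restart
    ["#{action} service #{r.name}"]
  end
}

# Converge a recipe: resources run in declared order; notifications are
# queued and fired at the end, and only by resources that actually changed.
def converge(recipe)
  log, delayed = [], []
  recipe.each do |r|
    changes = PROVIDERS[r.type].call(r, r.action)
    log.concat(changes)
    delayed.concat(r.notifications) unless changes.empty?
  end
  delayed.uniq.each { |action, t| log.concat(PROVIDERS[t.type].call(t, action)) }
  log
end

# The deck's recipe: a user, its config file (notifies the service) and the service.
def example_recipe(dir, uid: nil)
  props = { home: '/opt/example', shell: '/bin/false', system: true }
  props[:uid] = uid if uid
  svc = Resource.new(:service, 'example', action: :start)
  conf = Resource.new(:file, 'example.conf', path: File.join(dir, 'example.conf'), content: "port=8080\n")
  conf.notifies(:restart, svc)
  [Resource.new(:user, 'example', **props), conf, svc]
end
```

Running converge(example_recipe(dir)) three times, the third with uid: 333, gives a full create on the first run, an empty change list on the second, and only the uid alteration on the third, mirroring the getent output on slides 49 and 51.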
  52. haproxy example recipe

       members = search('node', 'role:webserver AND chef_environment:production')

       package 'haproxy'

       template '/etc/haproxy/haproxy.cfg' do
         source 'haproxy.cfg.erb'
         owner 'root'
         group 'root'
         mode '0644'
         variables(:pool_members => members)
         notifies :reload, 'service[haproxy]'
       end

       service 'haproxy' do
         supports :reload
         action [:enable, :start]
       end
  53. haproxy.cfg.erb template

       backend servers-http
       <% @pool_members.each do |member| -%>
         server <%= member['hostname'] %> <%= member['ipaddress'] %>:<%= member['myapp']['port'] %> weight 1 maxconn <%= member['myapp']['max_connections'] %> check
       <% end -%>
  54. Ask questions about the infrastructure
     % knife search node 'role:webserver AND chef_environment:production'
     3 items found
     Node Name:   web1
     ...
     Node Name:   web2
     ...
     Node Name:   web3
     ...etc
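An added example, not from the deck, that renders the haproxy.cfg.erb template of slide 53 with plain Ruby ERB over constructed search results standing in for the recipe's search() call on slide 52. The usable_members guard is an addition as well: a node can match the search before it carries the myapp attributes the template reads.

```ruby
require 'erb'

# The deck's haproxy.cfg.erb, embedded as a string (a single-quoted heredoc
# does no interpolation, so the <%= %> tags survive intact).
HAPROXY_TEMPLATE = <<~'ERB'
  backend servers-http
  <% @pool_members.each do |member| -%>
    server <%= member['hostname'] %> <%= member['ipaddress'] %>:<%= member['myapp']['port'] %> weight 1 maxconn <%= member['myapp']['max_connections'] %> check
  <% end -%>
ERB

# Constructed stand-in for the recipe's
# search('node', 'role:webserver AND chef_environment:production'):
# three hashes shaped like the node attributes the template reads.
def constructed_pool_members
  (1..3).map do |i|
    { 'hostname' => "web#{i}", 'ipaddress' => "10.13.37.#{10 + i}",
      'myapp' => { 'port' => 8080, 'max_connections' => 100 } }
  end
end

# Added guard, not in the deck: a node matches the search as soon as it has
# the role, possibly before it has converged the recipe that sets
# node['myapp']; the template would then fail on nil, so skip such members.
def usable_members(members)
  members.select do |m|
    m['ipaddress'] && m.dig('myapp', 'port') && m.dig('myapp', 'max_connections')
  end
end

# Chef hands template variables(:pool_members => ...) to ERB as instance
# variables; this small context object does the same.
class TemplateContext
  def initialize(vars)
    vars.each { |k, v| instance_variable_set("@#{k}", v) }
  end

  # trim_mode '-' gives the "-%>" tags their newline-eating behaviour.
  def render(template)
    ERB.new(template, trim_mode: '-').result(binding)
  end
end

def render_haproxy_cfg(members)
  TemplateContext.new(pool_members: usable_members(members)).render(HAPROXY_TEMPLATE)
end

if __FILE__ == $PROGRAM_NAME
  puts render_haproxy_cfg(constructed_pool_members)
end
```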
  55. Why not a service discovery system instead? Sure, why not?
     Chef Search is not a service discovery system. Nor does it do leader election. Service discovery is not infrastructure management. Service discovery tools aren't publishing platforms.
  56. What is the Chef Server?
     • Publishing system for infrastructure as code:
       • cookbooks
       • nodes/API clients
       • roles
       • environments
       • data
     • Four Main Components*
     *Built as "microservices", aka SOA (without the XML)
  57. % chef-server-ctl status
     run: bookshelf: (pid 5376) 60983s;
     run: nginx: (pid 5578) 60970s;
     run: oc_bifrost: (pid 5145) 60997s;
     run: oc_id: (pid 5194) 60995s;
     run: opscode-erchef: (pid 5460) 60980s;
     run: opscode-expander: (pid 5270) 60989s;
     run: opscode-expander-reindexer: (pid 5330) 60987s;
     run: opscode-solr4: (pid 5220) 60992s;
     run: postgresql: (pid 5123) 60998s;
     run: rabbitmq: (pid 6228) 60913s;
     run: redis_lb: (pid 14062) 49602s;
  58. Sounds complicated...
     The Chef server stores policy and configuration data about all your machines. With an API. And a search engine. Without a server you have to create your own way to manage all of that.
  59. Installing Chef Server
     # add packagecloud repository, then:
     % sudo apt-get install chef-server-core
     % sudo chef-server-ctl reconfigure
     % echo "There's no step three^Wfour!"
  60. Push Jobs
     • Open Source Add-on
     • Orchestration Primitives
     • https://docs.chef.io/push_jobs.html
     • https://www.chef.io/blog/chefconf-talks/push-jobs-an-orchestration-building-block-for-private-chef-mark-anderson/
  61. Chef Analytics Rules

       rules 'org notifier'
         rule on action
         when
           true
         then
           notify('hipchat-org')
         end
       end
  62. What is "Test Driven Infrastructure"?
     When you build your infrastructure as code, you need to test your infrastructure like code. In other words, bring software testing practices to your infrastructure.
  63. Kitchen installs Chef
     Downloading https://www.chef.io/chef/install.sh to file /tmp/install.sh
     Trying wget...
     Download complete.
     Downloading Chef for ubuntu...
     downloading https://www.chef.io/chef/metadata?v=&prerelease=false&nightlies=false&p=ubuntu&pv=14.04&m=x86_64
       to file /tmp/install.sh.12411/metadata.txt
     trying wget...
     url https://opscode-omnibus-packages.s3.amazonaws.com/ubuntu/10.04/x86_64/chef_12.3.0-1_amd64.deb
     md5 d8421c9b3010deb03e713ada00387e8a
     sha256 e06eb748e44d0a323f4334aececdf3c2c74d2f97323678ad3a43c33ac32b4f81
     downloaded metadata file looks valid...
     downloading https://opscode-omnibus-packages.s3.amazonaws.com/ubuntu/10.04/x86_64/chef_12.3.0-1_amd64.deb
       to file /tmp/install.sh.12411/chef_12.3.0-1_amd64.deb
     trying wget...
     Comparing checksum with sha256sum...
     Installing Chef
     installing with dpkg...
     Selecting previously unselected package chef.
     (Reading database ... 32352 files and directories currently installed.)
     Preparing to unpack .../chef_12.3.0-1_amd64.deb ...
     Unpacking chef (12.3.0-1) ...
     Setting up chef (12.3.0-1) ...
     Thank you for installing Chef!
  64. Kitchen runs Chef
     [2015-05-05T16:57:11-06:00] INFO: Forking chef instance to converge...
     [2015-05-05T16:57:11-06:00] INFO: *** Chef 12.3.0 ***
     [2015-05-05T16:57:11-06:00] INFO: Chef-client pid: 12879
     [2015-05-05T16:57:14-06:00] INFO: Run List is [recipe[pantry]]
     [2015-05-05T16:57:14-06:00] INFO: Run List expands to [pantry]
     [2015-05-05T16:57:14-06:00] INFO: Starting Chef Run for champagne.local
     [2015-05-05T16:57:14-06:00] INFO: Running start handlers
     [2015-05-05T16:57:14-06:00] INFO: Start handlers complete.
     [2015-05-05T16:57:15-06:00] INFO: Loading cookbooks [[email protected], [email protected], [email protected], [email protected], [email protected], [email protected]]
     [2015-05-05T16:57:49-06:00] INFO: execute[update homebrew from github] ran successfully
     [2015-05-05T16:57:49-06:00] INFO: Processing homebrew_tap[caskroom/cask] action tap (homebrew::cask line 21)
     [2015-05-05T16:57:49-06:00] INFO: Processing homebrew_package[brew-cask] action install (homebrew::cask line 23)
     [2015-05-05T16:57:50-06:00] INFO: Processing execute[update homebrew cask from github] action run (homebrew::cask line 25)
     Error: brew-cask 0.53.3 already installed
     [2015-05-05T16:57:50-06:00] INFO: execute[update homebrew cask from github] ran successfully
     [2015-05-05T16:57:50-06:00] INFO: Processing directory[/opt/homebrew-cask] action create (homebrew::cask line 31)
     [2015-05-05T16:57:50-06:00] INFO: Processing directory[/opt/homebrew-cask/Caskroom] action create (homebrew::cask line 36)
     [2015-05-05T16:57:51-06:00] INFO: Chef Run complete in 36.945477 seconds
     [2015-05-05T16:57:51-06:00] INFO: Running report handlers
     [2015-05-05T16:57:51-06:00] INFO: Report handlers complete
     [2015-05-05T16:57:51-06:00] INFO: Sending resource update report (run-id: e8251771-c6fa-4d0f-8858-cc8a85af46f8)
  65. chef generate cookbook gluecon
     % chef generate cookbook gluecon
     Compiling Cookbooks...
     Recipe: code_generator::cookbook
       * directory[/Users/jtimberman/Development/sandbox/gluecon] action create
         - create new directory /Users/jtimberman/Development/sandbox/gluecon
       * template[/Users/jtimberman/Development/sandbox/gluecon/metadata.rb] action create_if_missing
         - create new file /Users/jtimberman/Development/sandbox/gluecon/metadata.rb
         - update content in file /Users/jtimberman/Development/sandbox/gluecon/metadata.rb from none to 2048b8
         (diff output suppressed by config)
     ....
  66. foodcritic: Lint check Chef Cookbooks
     % foodcritic .
     FC023: Prefer conditional attributes: ./recipes/default.rb:20
     FC045: Consider setting cookbook name in metadata: ./metadata.rb:1
  67. ChefSpec: Unit Test Chef recipes
     % rspec spec
     chef-client::config
       contains the default chef_server_url setting
       contains the default validation_client_name setting
       contains /var/run directory
       contains /var/chef/cache directory
       contains /var/chef/backup directory
       contains /var/log/chef directory
       contains /etc/chef directory
     ...snip
     Finished in 2 minutes 13.6 seconds (files took 7.79 seconds to load)
     41 examples, 0 failures
  68. Audit Mode: Test for Policy Compliance
     % sudo chef-client --audit-mode enabled
     Starting audit phase
     1 Patching and Software Updates
       1.1 Install Updates, Patches, and Additional Security Software
         does not have packages to upgrade (FAILED - 1)
     ...
     Finished in 32.97 seconds (files took 1.27 seconds to load)
     113 examples, 28 failures, 5 pending
     Audit phase exception:
       Audit phase found failures - 28/113 controls failed
  69. Overview of Test Driven Infrastructure with Chef
     Read more, with more links: https://www.chef.io/blog/2015/04/21/overview-of-test-driven-infrastructure-with-chef/
  70. Pick a simple task
     • Update sudoers
     • Manage SSH keys for your user
     • Check out your editor configuration from a repository
     • Set up NTP
     • Etc.
  71. Takeaways
     • Chef is a complete automation platform
     • It grows as you grow
     • Start small, the rest is available when you get there
     • learn.chef.io
     • Come visit our booth!