Skynet Infrastructure - Opscode Chef

Transcript

Server Friday, January 25, 13

Disclaimer The chef system deployment and configuration tool from OpsCode

is a powerful, flexible tool. While OpsCode ... tries to focus on its ease of use, they provide little guidance on patterns of real-world use. ... While it’s still a bit early for best practices to emerge, collecting experiences across a variety of business types can help to discover what works and what doesn’t. - Clinton Wolfe We, OmniTI.com, 1/09/2013 Friday, January 25, 13

Disclaimer The chef system deployment and configuration tool from OpsCode

is a powerful, flexible tool. While OpsCode ... tries to focus on its ease of use, they provide little guidance on patterns of real-world use. ... While it’s still a bit early for best practices to emerge, collecting experiences across a variety of business types can help to discover what works and what doesn’t. - Clinton Wolfe We, OmniTI.com, 1/09/2013 Friday, January 25, 13

What is Chef? According to www.opscode.com, “Chef is an open-source

system integration framework built specifically for automating the cloud.” Friday, January 25, 13

Wait, what? Friday, January 25, 13

What is Chef? Chef is a tool that allows you

to define the state your servers should be in and then enforces that state on your servers. Friday, January 25, 13

What are the benefits? Less time to setup new servers

Less errors setting up new servers Easier management Consistency Cross platform ( *nix, OS X, even Windows ) Friday, January 25, 13

What are the benefits? At CustomInk, we transformed our infrastructure

from one that was primarily hand-crafted, static, and managed by a few people to one that is flexible, automatically provisioned, and managed by many. - Nathen Harvey, engineyard.com, 1/07/2013 Friday, January 25, 13

OK, I’m sold. Now what? Friday, January 25, 13

Idempotent #1 Chef rule: Recipes should be idempotent. The number

of chef runs should not affect the state of the server. The server should converge on the first run. And unless something changes, additional runs should not change anything. Friday, January 25, 13

Provision Often If your recipes are not idempotent, refer to

rule #1. If they are, you should consider provisioning your servers often. Possibly ever 5 minutes. Seriously. Friday, January 25, 13

1,000' View Nodes = Servers Attributes ≈ Variables Roles can

define a Node’s attributes, and what Recipes are applied to that Node. Clients = anything that uses the API Friday, January 25, 13

1,000' View Resources are the basic building blocks to define

state Related Resources are grouped into Recipes Related Recipes are grouped into Cookbooks Friday, January 25, 13

A Simple Package Resource package ‘mysql-server’ Friday, January 25, 13

A Simple File Resource file ‘/home/vader/todo.txt’ Friday, January 25, 13

Slightly Less Simple file ‘/home/vader/todo.txt’ do owner ‘vader’ group ‘dark-side’

mode ‘0740’ content ‘TODO: Build a death star’ end Friday, January 25, 13

How hard is it to write a file? Friday, January

25, 13

Advanced Chef Concepts Friday, January 25, 13

Providers Think of resources as an abstraction. A resource on

one platform could be vastly different from the same resource on another platform. Providers actually implement the resource based on the platform. Friday, January 25, 13

Providers For example, a ‘package’ resource on Ubuntu or Debian

uses Chef::Provider::Package::Apt provider, where Red Hat, Fedora, CentOS uses Chef::Provider::Package::Yum. Friday, January 25, 13

Data Bags Data bags give you a neat way to

store data. Each data bag can have multiple items inside it. Each item is based on a JSON file, and can store multiple key, value pairs. Friday, January 25, 13

Encrypted Data Bags Encrypted data bags allow you to store

sensitive information like passwords, private ssh keys, and third-party credentials in source control, in an encrypted format. The encryption key is stored locally to encrypt the data bag when pushing it to the server. The key is automatically copied to new nodes so they can decrypt the data on their end. Friday, January 25, 13

How Chef Server is Structured Chef uses CouchDB to primarily

store configurations RabbitMQ provides a buffer between the Chef and the Solr-Indexer which ... Just stores search data in Solr Friday, January 25, 13

talk_to crowd begin if crowd.have_questions? crowd.questions.each do |question| answer question

end end rescue nil start chef_examples Friday, January 25, 13

Skynet Friday, January 25, 13

Types of Resources *docs.opscode.com/chef/resources.html cookbook_file cron deploy deploy_branch deploy_revision timestamped_deploy

directory env erlang_call execute file group http_request ifconfig link log mdadm mount ohai package powershell_script remote_directory remote_file route ruby_block** scm script service template user yum Friday, January 25, 13

Types of Lightweight Resources *docs.opscode.com/chef/resources.html application application_java_webapp application_java_tomcat application_nginx_load_balancer application_php_mod_php_apache2

application_php_php application_python_celery application_python_django application_python_gunicorn application_ruby_memcached application_ruby_passenger_apache2 application_ruby_rails application_ruby_unicorn apt_preference apt_repository aws_ebs_volume aws_elastic_ip aws_elastic_lb aws_resource_tag bluepill_service chef_handler daemontools_service djbdns_rr dmg_package dynect_rr firewall firewall_rule freebsd_port_options gunicorn_config gunicorn_install homebrew iis_app iis_config iis_pool iis_site maven mysql_database nagios_nrpecheck pacman_aur pacman_group php_pear php_pear_channel powershell python_pip python_virtualenv rabbitmq_plugin rabbitmq_user rabbitmq_vhost riak_cluster samba_user sudo supervisor_fcgi supervisor_group supervisor_service transmission_torrent_file users_manage webpi_product windows_auto_run windows_batch windows_feature windows_package windows_path windows_path windows_reboot windows_registry windows_shortcut windows_zipfile yum_key yum_repository zenoss_zenbatchload zenoss_zenmd zenoss_zenpack zenoss_zenpatch Friday, January 25, 13

Common Resources cookbook_file cron directory execute file package service template

user Friday, January 25, 13

Resources in Use Friday, January 25, 13

# cookbooks/nginx/recipes/ppa_install.rb execute "Add nginx ppa" do command "add-apt-repository ppa:nginx/stable"

creates "/etc/apt/sources.list.d/nginx-stable-precise.list" notifies :run, "execute[fetch_new_nginx_source]", :immediately end execute "fetch_new_nginx_source" do command "apt-get update" action :nothing end package 'nginx' service 'nginx' do supports :status => true, :start => true, :restart => true, :reload => true action [:enable, :start] end Friday, January 25, 13

# cookbooks/nginx/recipes/ppa_install.rb execute "Add nginx ppa" do command "add-apt-repository ppa:nginx/stable"

Attributes Friday, January 25, 13

# cookbooks/load_balancer/attributes/ssl.rb default['load_balancer']['ssl_cert']['mymuzak']['production'] = "star_mymuzak" default['load_balancer']['ssl_cert']['mymuzak']['staging'] = "star_mymuzak" default['load_balancer']['ssl_cert']['klikt']['production'] =

"star_klikt" default['load_balancer']['ssl_cert']['klikt']['staging'] = "star_klikt" default['load_balancer']['ssl_cert']['onlinedj']['production'] = "onlinedj" default['load_balancer']['ssl_cert']['onlinedj']['staging'] = "onlinedjqa" Friday, January 25, 13

# cookbooks/load_balancer/attributes/ssl.rb default['load_balancer']['ssl_cert']['mymuzak']['production'] = "star_mymuzak" default['load_balancer']['ssl_cert']['mymuzak']['staging'] = "star_mymuzak" default['load_balancer']['ssl_cert']['klikt']['production'] =

Attribute Precedence default < normal < override < automatic Default

attributes applied in an attributes file Default attributes applied in an environment Default attributes applied in a role Default attributes applied on a node directly in a recipe Normal attributes applied in an attributes file Normal attributes applied on a node directly in a recipe Override attributes applied in an attributes file Override attributes applied in a role Override attributes applied in an environment Override attributes applied on a node directly in a recipe Automatic attributes, re-generated by Ohai during each Chef run *docs.opscode.com/essentials_cookbook_attribute_files_attribute_precedence.html Friday, January 25, 13

Roles Friday, January 25, 13

// roles/mymuzak_staging_lb.json { "name": "mymuzak_staging_lb", "default_attributes": { "load_balancer": { "app":

"mymuzak" }, "chef_env": "staging" }, "json_class": "Chef::Role", "run_list": [ "recipe[main::chef_env]", "recipe[load_balancer]", "recipe[main::ssh]" ], "description": "", "chef_type": "role", "override_attributes": { "ssh_users": [ "ubuntu" ] } } Friday, January 25, 13

// roles/mymuzak_staging_lb.json { "name": "mymuzak_staging_lb", "default_attributes": { "load_balancer": { "app":

"mymuzak", "ssl_cert": { "mymuzak": { "staging": { "star_mymuzak" } } } }, "chef_env": "staging" }, "json_class": "Chef::Role", "run_list": [ "recipe[main::chef_env]", "recipe[load_balancer]", "recipe[main::ssh]" ], "description": "", "chef_type": "role", "override_attributes": { "ssh_users": [ "ubuntu" ] } } Friday, January 25, 13

Back to Resources Friday, January 25, 13

# cookbooks/nginx/recipes/ppa_install.rb execute "Add nginx ppa" do command "add-apt-repository ppa:nginx/stable"

# cookbooks/load_balancer/recipes/nginx.rb cookbook_file "/etc/nginx/nginx.conf" do source "nginx.conf" owner "root" group

"root" mode "644" notifies :reload, "service[nginx]" end app = node['load_balancer']['app'] env = node.chef_environment backend_servers = search(:node, "role:#{app}_#{env}_app") server_name = node['load_balancer']['server_name']["#{app}"]["#{env}"] ssl_cert = node['load_balancer']['ssl_cert']["#{app}"]["#{env}"] protect_docs = node['load_balancer']['protect_docs'] template "/etc/nginx/conf.d/lb.conf" do source 'nginx_lb.conf.erb' owner 'root' group 'root' mode '644' variables({ :env => env, :app => app, :backend_servers => backend_servers, :server_name => server_name, :ssl_cert => ssl_cert, :protect_docs => protect_docs }) notifies :reload, "service[nginx]" end Friday, January 25, 13

# cookbooks/load_balancer/recipes/nginx.rb cookbook_file "/etc/nginx/nginx.conf" do source "nginx.conf" owner "root" group

Templates Friday, January 25, 13

# cookbooks/load_balancer/templates/default/nginx_lb.conf.erb upstream backend { <% @backend_servers.each do |server| %>

server <%= server.ec2.local_ipv4 %> max_fails=3 fail_timeout=1m; <% end %> } server { listen 80; listen 443 default ssl; server_name <%= @server_name %>; if ($ssl_protocol = "") { rewrite ^ https://$host$request_uri? permanent; } ssl_certificate /etc/nginx/ssl/<%= @ssl_cert %>_chain.crt; ssl_certificate_key /etc/nginx/ssl/<%= @ssl_cert %>_com.key; location / { proxy_pass http://backend; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto "https"; proxy_set_header Host $host; proxy_set_header X-Real_IP $remote_addr; proxy_redirect off; proxy_next_upstream error timeout http_500 http_502; proxy_connect_timeout 20s; } } Friday, January 25, 13

# cookbooks/load_balancer/templates/default/nginx_lb.conf.erb upstream backend { <% @backend_servers.each do |server| %>

Sensitive Files in Source Control Friday, January 25, 13

# data_bags/database/yamls.json { "id": "yamls", "mymuzak_yaml": "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrKm...", "klikt_yaml": "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrKm4a...", "onlinedj_yaml":

"Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrK..." } # Use in a recipe repo = node['rails_app']['git']['repo_name'] db_yamls = Chef::EncryptedDataBagItem.load("database", "yamls") file "/var/rails/#{repo}/shared/config/database.yml" do content db_yamls["#{repo}_yaml"] owner 'deploy' group 'www-data' mode '0740' end Friday, January 25, 13

# data_bags/database/yamls.json { "id": "yamls", "mymuzak_yaml": "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrKm...", "klikt_yaml": "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrKm4a...", "onlinedj_yaml":

# First create a new data bag $ knife data

bag create database # Encrypt and upload a data bag item $ knife data bag from file database database/yamls.json \ --secret-file ~/.chef/encryption_key # Download an encrypted data bag item $ knife data bag show database yamls -Fj > data_bags/database/yamls.json # Download and decrypt a data bag item $ knife data bag show database yamls --secret-file ~/.chef/encryption_key -Fj > \ data_bags/database/yamls.json Friday, January 25, 13

# First create a new data bag $ knife data

One Last Resource Friday, January 25, 13

deploy "/my/apps/dir/deploy" do # Use a local repo if you

prefer repo "/path/to/gitrepo/typo/" environment "RAILS_ENV" => "production" revision "HEAD" action :deploy migration_command "rake db:migrate --trace" migrate true restart_command "touch tmp/restart.txt" create_dirs_before_symlink %w{tmp public config deploy} # You can use this to customize if your app has extra configuration files # such as amqp.yml or app_config.yml symlink_before_migrate "config/database.yml" => "config/database.yml" # If your app has extra files in the shared folder, specify them here symlinks "system" => "public/system", "pids" => "tmp/pids", "log" => "log", "deploy/before_migrate.rb" => "deploy/before_migrate.rb", "deploy/before_symlink.rb" => "deploy/before_symlink.rb", "deploy/before_restart.rb" => "deploy/before_restart.rb", "deploy/after_restart.rb" => "deploy/after_restart.rb" end Friday, January 25, 13

Miscellaneous Friday, January 25, 13

Home Work Chef Environments Cookbook Versioning README.md and metadata.rb Knife

Lightwieght Resources and Providers Libraries Friday, January 25, 13

Skynet Infrastructure - Opscode Chef

Skynet Infrastructure - Opscode Chef

Other Decks in Programming

Featured

Transcript