Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Skynet Infrastructure - Opscode Chef

Brandon Dennis
January 16, 2013
Programming
1
330

Skynet Infrastructure - Opscode Chef

How to use Chef to help make your cloud self aware. I gave this presentation for the Charlotte Ruby Meetup group and the Charlotte Cloud Compute Meetup group on 1/16/2013 at Lending Tree. It doesn't make a ton of sense without the speaker notes though. The keynote is available at http://bit.ly/VyPexS

Brandon Dennis

January 16, 2013
Tweet

Other Decks in Programming

See All in Programming
弊社の「意識チョット低いアーキテクチャ」10選
texmeijin
5
24k
WebフロントエンドにおけるGraphQL(あるいはバックエンドのAPI)との向き合い方 / #241106_plk_frontend
izumin5210
4
1.4k
受け取る人から提供する人になるということ
little_rubyist
0
230
【Kaigi on Rails 2024】YOUTRUST スポンサーLT
krpk1900
1
330
Jakarta Concurrencyによる並行処理プログラミングの始め方 (JJUG CCC 2024 Fall)
tnagao7
1
290
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
520
Jakarta EE meets AI
ivargrimstad
0
580
2024/11/8 関西Kaggler会 2024 #3 / Kaggle Kernel で Gemma 2 × vLLM を動かす。
kohecchi
5
910
Contemporary Test Cases
maaretp
0
130
Laravel や Symfony で手っ取り早く
OpenAPI のドキュメントを作成する
azuki
1
110
Flutterを言い訳にしない!アプリの使い心地改善テクニック5選🔥
kno3a87
1
150
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110

Featured

See All Featured
The Pragmatic Product Professional
lauravandoore
31
6.3k
Bash Introduction
62gerente
608
210k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
Fireside Chat
paigeccino
34
3k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
410
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.3k
How GitHub (no longer) Works
holman
310
140k
Become a Pro
speakerdeck
PRO
25
5k
Fashionably flexible responsive web design (full day workshop)
malarkey
405
65k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k

Transcript

  1. [email protected] @_toady00 Friday, January 25, 13

  2. Where We Were Friday, January 25, 13

  3. What Changed Friday, January 25, 13

  4. Where We're at Now Friday, January 25, 13

  5. My Goal for Tonight Friday, January 25, 13

  6. Skynet Infrastructure Help Your Cloud Servers Become Self-Aware with Chef

    Server Friday, January 25, 13

  7. Disclaimer The chef system deployment and configuration tool from OpsCode

    is a powerful, flexible tool. While OpsCode ... tries to focus on its ease of use, they provide little guidance on patterns of real-world use. ... While it’s still a bit early for best practices to emerge, collecting experiences across a variety of business types can help to discover what works and what doesn’t. - Clinton Wolfe We, OmniTI.com, 1/09/2013 Friday, January 25, 13

  8. Disclaimer The chef system deployment and configuration tool from OpsCode

    is a powerful, flexible tool. While OpsCode ... tries to focus on its ease of use, they provide little guidance on patterns of real-world use. ... While it’s still a bit early for best practices to emerge, collecting experiences across a variety of business types can help to discover what works and what doesn’t. - Clinton Wolfe We, OmniTI.com, 1/09/2013 Friday, January 25, 13

  9. What is Chef? According to www.opscode.com, “Chef is an open-source

    system integration framework built specifically for automating the cloud.” Friday, January 25, 13

  10. Wait, what? Friday, January 25, 13

  11. What is Chef? Chef is a tool that allows you

    to define the state your servers should be in and then enforces that state on your servers. Friday, January 25, 13

  12. What are the benefits? Less time to setup new servers

    Less errors setting up new servers Easier management Consistency Cross platform ( *nix, OS X, even Windows ) Friday, January 25, 13

  13. What are the benefits? At CustomInk, we transformed our infrastructure

    from one that was primarily hand-crafted, static, and managed by a few people to one that is flexible, automatically provisioned, and managed by many. - Nathen Harvey, engineyard.com, 1/07/2013 Friday, January 25, 13

  14. OK, I’m sold. Now what? Friday, January 25, 13

  15. Idempotent #1 Chef rule: Recipes should be idempotent. The number

    of chef runs should not affect the state of the server. The server should converge on the first run. And unless something changes, additional runs should not change anything. Friday, January 25, 13

  16. Provision Often If your recipes are not idempotent, refer to

    rule #1. If they are, you should consider provisioning your servers often. Possibly ever 5 minutes. Seriously. Friday, January 25, 13

  17. 1,000' View Nodes = Servers Attributes ≈ Variables Roles can

    define a Node’s attributes, and what Recipes are applied to that Node. Clients = anything that uses the API Friday, January 25, 13

  18. 1,000' View Resources are the basic building blocks to define

    state Related Resources are grouped into Recipes Related Recipes are grouped into Cookbooks Friday, January 25, 13

  19. A Simple Package Resource package ‘mysql-server’ Friday, January 25, 13

  20. A Simple File Resource file ‘/home/vader/todo.txt’ Friday, January 25, 13

  21. Slightly Less Simple file ‘/home/vader/todo.txt’ do owner ‘vader’ group ‘dark-side’

    mode ‘0740’ content ‘TODO: Build a death star’ end Friday, January 25, 13

  22. How hard is it to write a file? Friday, January

    25, 13

  23. Advanced Chef Concepts Friday, January 25, 13

  24. Providers Think of resources as an abstraction. A resource on

    one platform could be vastly different from the same resource on another platform. Providers actually implement the resource based on the platform. Friday, January 25, 13

  25. Providers For example, a ‘package’ resource on Ubuntu or Debian

    uses Chef::Provider::Package::Apt provider, where Red Hat, Fedora, CentOS uses Chef::Provider::Package::Yum. Friday, January 25, 13

  26. Data Bags Data bags give you a neat way to

    store data. Each data bag can have multiple items inside it. Each item is based on a JSON file, and can store multiple key, value pairs. Friday, January 25, 13

  27. Encrypted Data Bags Encrypted data bags allow you to store

    sensitive information like passwords, private ssh keys, and third-party credentials in source control, in an encrypted format. The encryption key is stored locally to encrypt the data bag when pushing it to the server. The key is automatically copied to new nodes so they can decrypt the data on their end. Friday, January 25, 13

  28. How Chef Server is Structured Chef uses CouchDB to primarily

    store configurations RabbitMQ provides a buffer between the Chef and the Solr-Indexer which ... Just stores search data in Solr Friday, January 25, 13

  29. talk_to crowd begin if crowd.have_questions? crowd.questions.each do |question| answer question

    end end rescue nil start chef_examples Friday, January 25, 13

  30. Skynet Friday, January 25, 13

  31. Types of Resources *docs.opscode.com/chef/resources.html cookbook_file cron deploy deploy_branch deploy_revision timestamped_deploy

    directory env erlang_call execute file group http_request ifconfig link log mdadm mount ohai package powershell_script remote_directory remote_file route ruby_block** scm script service template user yum Friday, January 25, 13

  32. Types of Lightweight Resources *docs.opscode.com/chef/resources.html application application_java_webapp application_java_tomcat application_nginx_load_balancer application_php_mod_php_apache2

    application_php_php application_python_celery application_python_django application_python_gunicorn application_ruby_memcached application_ruby_passenger_apache2 application_ruby_rails application_ruby_unicorn apt_preference apt_repository aws_ebs_volume aws_elastic_ip aws_elastic_lb aws_resource_tag bluepill_service chef_handler daemontools_service djbdns_rr dmg_package dynect_rr firewall firewall_rule freebsd_port_options gunicorn_config gunicorn_install homebrew iis_app iis_config iis_pool iis_site maven mysql_database nagios_nrpecheck pacman_aur pacman_group php_pear php_pear_channel powershell python_pip python_virtualenv rabbitmq_plugin rabbitmq_user rabbitmq_vhost riak_cluster samba_user sudo supervisor_fcgi supervisor_group supervisor_service transmission_torrent_file users_manage webpi_product windows_auto_run windows_batch windows_feature windows_package windows_path windows_path windows_reboot windows_registry windows_shortcut windows_zipfile yum_key yum_repository zenoss_zenbatchload zenoss_zenmd zenoss_zenpack zenoss_zenpatch Friday, January 25, 13

  33. Common Resources cookbook_file cron directory execute file package service template

    user Friday, January 25, 13

  34. Resources in Use Friday, January 25, 13

  35. # cookbooks/nginx/recipes/ppa_install.rb execute "Add nginx ppa" do command "add-apt-repository ppa:nginx/stable"

    creates "/etc/apt/sources.list.d/nginx-stable-precise.list" notifies :run, "execute[fetch_new_nginx_source]", :immediately end execute "fetch_new_nginx_source" do command "apt-get update" action :nothing end package 'nginx' service 'nginx' do supports :status => true, :start => true, :restart => true, :reload => true action [:enable, :start] end Friday, January 25, 13

  36. # cookbooks/nginx/recipes/ppa_install.rb execute "Add nginx ppa" do command "add-apt-repository ppa:nginx/stable"

    creates "/etc/apt/sources.list.d/nginx-stable-precise.list" notifies :run, "execute[fetch_new_nginx_source]", :immediately end execute "fetch_new_nginx_source" do command "apt-get update" action :nothing end package 'nginx' service 'nginx' do supports :status => true, :start => true, :restart => true, :reload => true action [:enable, :start] end Friday, January 25, 13

  37. # cookbooks/nginx/recipes/ppa_install.rb execute "Add nginx ppa" do command "add-apt-repository ppa:nginx/stable"

    creates "/etc/apt/sources.list.d/nginx-stable-precise.list" notifies :run, "execute[fetch_new_nginx_source]", :immediately end execute "fetch_new_nginx_source" do command "apt-get update" action :nothing end package 'nginx' service 'nginx' do supports :status => true, :start => true, :restart => true, :reload => true action [:enable, :start] end Friday, January 25, 13

  38. # cookbooks/nginx/recipes/ppa_install.rb execute "Add nginx ppa" do command "add-apt-repository ppa:nginx/stable"

    creates "/etc/apt/sources.list.d/nginx-stable-precise.list" notifies :run, "execute[fetch_new_nginx_source]", :immediately end execute "fetch_new_nginx_source" do command "apt-get update" action :nothing end package 'nginx' service 'nginx' do supports :status => true, :start => true, :restart => true, :reload => true action [:enable, :start] end Friday, January 25, 13

  39. Attributes Friday, January 25, 13

  40. # cookbooks/load_balancer/attributes/ssl.rb default['load_balancer']['ssl_cert']['mymuzak']['production'] = "star_mymuzak" default['load_balancer']['ssl_cert']['mymuzak']['staging'] = "star_mymuzak" default['load_balancer']['ssl_cert']['klikt']['production'] =

    "star_klikt" default['load_balancer']['ssl_cert']['klikt']['staging'] = "star_klikt" default['load_balancer']['ssl_cert']['onlinedj']['production'] = "onlinedj" default['load_balancer']['ssl_cert']['onlinedj']['staging'] = "onlinedjqa" Friday, January 25, 13

  41. # cookbooks/load_balancer/attributes/ssl.rb default['load_balancer']['ssl_cert']['mymuzak']['production'] = "star_mymuzak" default['load_balancer']['ssl_cert']['mymuzak']['staging'] = "star_mymuzak" default['load_balancer']['ssl_cert']['klikt']['production'] =

    "star_klikt" default['load_balancer']['ssl_cert']['klikt']['staging'] = "star_klikt" default['load_balancer']['ssl_cert']['onlinedj']['production'] = "onlinedj" default['load_balancer']['ssl_cert']['onlinedj']['staging'] = "onlinedjqa" Friday, January 25, 13

  42. # cookbooks/load_balancer/attributes/ssl.rb default['load_balancer']['ssl_cert']['mymuzak']['production'] = "star_mymuzak" default['load_balancer']['ssl_cert']['mymuzak']['staging'] = "star_mymuzak" default['load_balancer']['ssl_cert']['klikt']['production'] =

    "star_klikt" default['load_balancer']['ssl_cert']['klikt']['staging'] = "star_klikt" default['load_balancer']['ssl_cert']['onlinedj']['production'] = "onlinedj" default['load_balancer']['ssl_cert']['onlinedj']['staging'] = "onlinedjqa" Friday, January 25, 13

  43. Attribute Precedence default < normal < override < automatic Default

    attributes applied in an attributes file Default attributes applied in an environment Default attributes applied in a role Default attributes applied on a node directly in a recipe Normal attributes applied in an attributes file Normal attributes applied on a node directly in a recipe Override attributes applied in an attributes file Override attributes applied in a role Override attributes applied in an environment Override attributes applied on a node directly in a recipe Automatic attributes, re-generated by Ohai during each Chef run *docs.opscode.com/essentials_cookbook_attribute_files_attribute_precedence.html Friday, January 25, 13

  44. Roles Friday, January 25, 13

  45. // roles/mymuzak_staging_lb.json { "name": "mymuzak_staging_lb", "default_attributes": { "load_balancer": { "app":

    "mymuzak" }, "chef_env": "staging" }, "json_class": "Chef::Role", "run_list": [ "recipe[main::chef_env]", "recipe[load_balancer]", "recipe[main::ssh]" ], "description": "", "chef_type": "role", "override_attributes": { "ssh_users": [ "ubuntu" ] } } Friday, January 25, 13

  46. // roles/mymuzak_staging_lb.json { "name": "mymuzak_staging_lb", "default_attributes": { "load_balancer": { "app":

    "mymuzak" }, "chef_env": "staging" }, "json_class": "Chef::Role", "run_list": [ "recipe[main::chef_env]", "recipe[load_balancer]", "recipe[main::ssh]" ], "description": "", "chef_type": "role", "override_attributes": { "ssh_users": [ "ubuntu" ] } } Friday, January 25, 13

  47. // roles/mymuzak_staging_lb.json { "name": "mymuzak_staging_lb", "default_attributes": { "load_balancer": { "app":

    "mymuzak" }, "chef_env": "staging" }, "json_class": "Chef::Role", "run_list": [ "recipe[main::chef_env]", "recipe[load_balancer]", "recipe[main::ssh]" ], "description": "", "chef_type": "role", "override_attributes": { "ssh_users": [ "ubuntu" ] } } Friday, January 25, 13

  48. // roles/mymuzak_staging_lb.json { "name": "mymuzak_staging_lb", "default_attributes": { "load_balancer": { "app":

    "mymuzak" }, "chef_env": "staging" }, "json_class": "Chef::Role", "run_list": [ "recipe[main::chef_env]", "recipe[load_balancer]", "recipe[main::ssh]" ], "description": "", "chef_type": "role", "override_attributes": { "ssh_users": [ "ubuntu" ] } } Friday, January 25, 13

  49. // roles/mymuzak_staging_lb.json { "name": "mymuzak_staging_lb", "default_attributes": { "load_balancer": { "app":

    "mymuzak" }, "chef_env": "staging" }, "json_class": "Chef::Role", "run_list": [ "recipe[main::chef_env]", "recipe[load_balancer]", "recipe[main::ssh]" ], "description": "", "chef_type": "role", "override_attributes": { "ssh_users": [ "ubuntu" ] } } Friday, January 25, 13

  50. // roles/mymuzak_staging_lb.json { "name": "mymuzak_staging_lb", "default_attributes": { "load_balancer": { "app":

    "mymuzak", "ssl_cert": { "mymuzak": { "staging": { "star_mymuzak" } } } }, "chef_env": "staging" }, "json_class": "Chef::Role", "run_list": [ "recipe[main::chef_env]", "recipe[load_balancer]", "recipe[main::ssh]" ], "description": "", "chef_type": "role", "override_attributes": { "ssh_users": [ "ubuntu" ] } } Friday, January 25, 13

  51. Back to Resources Friday, January 25, 13

  52. # cookbooks/nginx/recipes/ppa_install.rb execute "Add nginx ppa" do command "add-apt-repository ppa:nginx/stable"

    creates "/etc/apt/sources.list.d/nginx-stable-precise.list" notifies :run, "execute[fetch_new_nginx_source]", :immediately end execute "fetch_new_nginx_source" do command "apt-get update" action :nothing end package 'nginx' service 'nginx' do supports :status => true, :start => true, :restart => true, :reload => true action [:enable, :start] end Friday, January 25, 13

  53. # cookbooks/load_balancer/recipes/nginx.rb cookbook_file "/etc/nginx/nginx.conf" do source "nginx.conf" owner "root" group

    "root" mode "644" notifies :reload, "service[nginx]" end app = node['load_balancer']['app'] env = node.chef_environment backend_servers = search(:node, "role:#{app}_#{env}_app") server_name = node['load_balancer']['server_name']["#{app}"]["#{env}"] ssl_cert = node['load_balancer']['ssl_cert']["#{app}"]["#{env}"] protect_docs = node['load_balancer']['protect_docs'] template "/etc/nginx/conf.d/lb.conf" do source 'nginx_lb.conf.erb' owner 'root' group 'root' mode '644' variables({ :env => env, :app => app, :backend_servers => backend_servers, :server_name => server_name, :ssl_cert => ssl_cert, :protect_docs => protect_docs }) notifies :reload, "service[nginx]" end Friday, January 25, 13

  54. # cookbooks/load_balancer/recipes/nginx.rb cookbook_file "/etc/nginx/nginx.conf" do source "nginx.conf" owner "root" group

    "root" mode "644" notifies :reload, "service[nginx]" end app = node['load_balancer']['app'] env = node.chef_environment backend_servers = search(:node, "role:#{app}_#{env}_app") server_name = node['load_balancer']['server_name']["#{app}"]["#{env}"] ssl_cert = node['load_balancer']['ssl_cert']["#{app}"]["#{env}"] protect_docs = node['load_balancer']['protect_docs'] template "/etc/nginx/conf.d/lb.conf" do source 'nginx_lb.conf.erb' owner 'root' group 'root' mode '644' variables({ :env => env, :app => app, :backend_servers => backend_servers, :server_name => server_name, :ssl_cert => ssl_cert, :protect_docs => protect_docs }) notifies :reload, "service[nginx]" end Friday, January 25, 13

  55. # cookbooks/load_balancer/recipes/nginx.rb cookbook_file "/etc/nginx/nginx.conf" do source "nginx.conf" owner "root" group

    "root" mode "644" notifies :reload, "service[nginx]" end app = node['load_balancer']['app'] env = node.chef_environment backend_servers = search(:node, "role:#{app}_#{env}_app") server_name = node['load_balancer']['server_name']["#{app}"]["#{env}"] ssl_cert = node['load_balancer']['ssl_cert']["#{app}"]["#{env}"] protect_docs = node['load_balancer']['protect_docs'] template "/etc/nginx/conf.d/lb.conf" do source 'nginx_lb.conf.erb' owner 'root' group 'root' mode '644' variables({ :env => env, :app => app, :backend_servers => backend_servers, :server_name => server_name, :ssl_cert => ssl_cert, :protect_docs => protect_docs }) notifies :reload, "service[nginx]" end Friday, January 25, 13

  56. # cookbooks/load_balancer/recipes/nginx.rb cookbook_file "/etc/nginx/nginx.conf" do source "nginx.conf" owner "root" group

    "root" mode "644" notifies :reload, "service[nginx]" end app = node['load_balancer']['app'] env = node.chef_environment backend_servers = search(:node, "role:#{app}_#{env}_app") server_name = node['load_balancer']['server_name']["#{app}"]["#{env}"] ssl_cert = node['load_balancer']['ssl_cert']["#{app}"]["#{env}"] protect_docs = node['load_balancer']['protect_docs'] template "/etc/nginx/conf.d/lb.conf" do source 'nginx_lb.conf.erb' owner 'root' group 'root' mode '644' variables({ :env => env, :app => app, :backend_servers => backend_servers, :server_name => server_name, :ssl_cert => ssl_cert, :protect_docs => protect_docs }) notifies :reload, "service[nginx]" end Friday, January 25, 13

  57. # cookbooks/load_balancer/recipes/nginx.rb cookbook_file "/etc/nginx/nginx.conf" do source "nginx.conf" owner "root" group

    "root" mode "644" notifies :reload, "service[nginx]" end app = node['load_balancer']['app'] env = node.chef_environment backend_servers = search(:node, "role:#{app}_#{env}_app") server_name = node['load_balancer']['server_name']["#{app}"]["#{env}"] ssl_cert = node['load_balancer']['ssl_cert']["#{app}"]["#{env}"] protect_docs = node['load_balancer']['protect_docs'] template "/etc/nginx/conf.d/lb.conf" do source 'nginx_lb.conf.erb' owner 'root' group 'root' mode '644' variables({ :env => env, :app => app, :backend_servers => backend_servers, :server_name => server_name, :ssl_cert => ssl_cert, :protect_docs => protect_docs }) notifies :reload, "service[nginx]" end Friday, January 25, 13

  58. Templates Friday, January 25, 13

  59. # cookbooks/load_balancer/templates/default/nginx_lb.conf.erb upstream backend { <% @backend_servers.each do |server| %>

    server <%= server.ec2.local_ipv4 %> max_fails=3 fail_timeout=1m; <% end %> } server { listen 80; listen 443 default ssl; server_name <%= @server_name %>; if ($ssl_protocol = "") { rewrite ^ https://$host$request_uri? permanent; } ssl_certificate /etc/nginx/ssl/<%= @ssl_cert %>_chain.crt; ssl_certificate_key /etc/nginx/ssl/<%= @ssl_cert %>_com.key; location / { proxy_pass http://backend; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto "https"; proxy_set_header Host $host; proxy_set_header X-Real_IP $remote_addr; proxy_redirect off; proxy_next_upstream error timeout http_500 http_502; proxy_connect_timeout 20s; } } Friday, January 25, 13

  60. # cookbooks/load_balancer/templates/default/nginx_lb.conf.erb upstream backend { <% @backend_servers.each do |server| %>

    server <%= server.ec2.local_ipv4 %> max_fails=3 fail_timeout=1m; <% end %> } server { listen 80; listen 443 default ssl; server_name <%= @server_name %>; if ($ssl_protocol = "") { rewrite ^ https://$host$request_uri? permanent; } ssl_certificate /etc/nginx/ssl/<%= @ssl_cert %>_chain.crt; ssl_certificate_key /etc/nginx/ssl/<%= @ssl_cert %>_com.key; location / { proxy_pass http://backend; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto "https"; proxy_set_header Host $host; proxy_set_header X-Real_IP $remote_addr; proxy_redirect off; proxy_next_upstream error timeout http_500 http_502; proxy_connect_timeout 20s; } } Friday, January 25, 13

  61. # cookbooks/load_balancer/templates/default/nginx_lb.conf.erb upstream backend { <% @backend_servers.each do |server| %>

    server <%= server.ec2.local_ipv4 %> max_fails=3 fail_timeout=1m; <% end %> } server { listen 80; listen 443 default ssl; server_name <%= @server_name %>; if ($ssl_protocol = "") { rewrite ^ https://$host$request_uri? permanent; } ssl_certificate /etc/nginx/ssl/<%= @ssl_cert %>_chain.crt; ssl_certificate_key /etc/nginx/ssl/<%= @ssl_cert %>_com.key; location / { proxy_pass http://backend; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto "https"; proxy_set_header Host $host; proxy_set_header X-Real_IP $remote_addr; proxy_redirect off; proxy_next_upstream error timeout http_500 http_502; proxy_connect_timeout 20s; } } Friday, January 25, 13

  62. # cookbooks/load_balancer/templates/default/nginx_lb.conf.erb upstream backend { <% @backend_servers.each do |server| %>

    server <%= server.ec2.local_ipv4 %> max_fails=3 fail_timeout=1m; <% end %> } server { listen 80; listen 443 default ssl; server_name <%= @server_name %>; if ($ssl_protocol = "") { rewrite ^ https://$host$request_uri? permanent; } ssl_certificate /etc/nginx/ssl/<%= @ssl_cert %>_chain.crt; ssl_certificate_key /etc/nginx/ssl/<%= @ssl_cert %>_com.key; location / { proxy_pass http://backend; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto "https"; proxy_set_header Host $host; proxy_set_header X-Real_IP $remote_addr; proxy_redirect off; proxy_next_upstream error timeout http_500 http_502; proxy_connect_timeout 20s; } } Friday, January 25, 13

  63. Sensitive Files in Source Control Friday, January 25, 13

  64. # data_bags/database/yamls.json { "id": "yamls", "mymuzak_yaml": "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrKm...", "klikt_yaml": "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrKm4a...", "onlinedj_yaml":

    "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrK..." } # Use in a recipe repo = node['rails_app']['git']['repo_name'] db_yamls = Chef::EncryptedDataBagItem.load("database", "yamls") file "/var/rails/#{repo}/shared/config/database.yml" do content db_yamls["#{repo}_yaml"] owner 'deploy' group 'www-data' mode '0740' end Friday, January 25, 13

  65. # data_bags/database/yamls.json { "id": "yamls", "mymuzak_yaml": "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrKm...", "klikt_yaml": "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrKm4a...", "onlinedj_yaml":

    "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrK..." } # Use in a recipe repo = node['rails_app']['git']['repo_name'] db_yamls = Chef::EncryptedDataBagItem.load("database", "yamls") file "/var/rails/#{repo}/shared/config/database.yml" do content db_yamls["#{repo}_yaml"] owner 'deploy' group 'www-data' mode '0740' end Friday, January 25, 13

  66. # data_bags/database/yamls.json { "id": "yamls", "mymuzak_yaml": "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrKm...", "klikt_yaml": "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrKm4a...", "onlinedj_yaml":

    "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrK..." } # Use in a recipe repo = node['rails_app']['git']['repo_name'] db_yamls = Chef::EncryptedDataBagItem.load("database", "yamls") file "/var/rails/#{repo}/shared/config/database.yml" do content db_yamls["#{repo}_yaml"] owner 'deploy' group 'www-data' mode '0740' end Friday, January 25, 13

  67. # data_bags/database/yamls.json { "id": "yamls", "mymuzak_yaml": "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrKm...", "klikt_yaml": "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrKm4a...", "onlinedj_yaml":

    "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrK..." } # Use in a recipe repo = node['rails_app']['git']['repo_name'] db_yamls = Chef::EncryptedDataBagItem.load("database", "yamls") file "/var/rails/#{repo}/shared/config/database.yml" do content db_yamls["#{repo}_yaml"] owner 'deploy' group 'www-data' mode '0740' end Friday, January 25, 13

  68. # data_bags/database/yamls.json { "id": "yamls", "mymuzak_yaml": "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrKm...", "klikt_yaml": "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrKm4a...", "onlinedj_yaml":

    "Xu+W4juAf1Ln2FP+w+2118TR8i6eGX+xbI9d+4mwWrK..." } # Use in a recipe repo = node['rails_app']['git']['repo_name'] db_yamls = Chef::EncryptedDataBagItem.load("database", "yamls") file "/var/rails/#{repo}/shared/config/database.yml" do content db_yamls["#{repo}_yaml"] owner 'deploy' group 'www-data' mode '0740' end Friday, January 25, 13

  69. # First create a new data bag $ knife data

    bag create database # Encrypt and upload a data bag item $ knife data bag from file database database/yamls.json \ --secret-file ~/.chef/encryption_key # Download an encrypted data bag item $ knife data bag show database yamls -Fj > data_bags/database/yamls.json # Download and decrypt a data bag item $ knife data bag show database yamls --secret-file ~/.chef/encryption_key -Fj > \ data_bags/database/yamls.json Friday, January 25, 13

  70. # First create a new data bag $ knife data

    bag create database # Encrypt and upload a data bag item $ knife data bag from file database database/yamls.json \ --secret-file ~/.chef/encryption_key # Download an encrypted data bag item $ knife data bag show database yamls -Fj > data_bags/database/yamls.json # Download and decrypt a data bag item $ knife data bag show database yamls --secret-file ~/.chef/encryption_key -Fj > \ data_bags/database/yamls.json Friday, January 25, 13

  71. # First create a new data bag $ knife data

    bag create database # Encrypt and upload a data bag item $ knife data bag from file database database/yamls.json \ --secret-file ~/.chef/encryption_key # Download an encrypted data bag item $ knife data bag show database yamls -Fj > data_bags/database/yamls.json # Download and decrypt a data bag item $ knife data bag show database yamls --secret-file ~/.chef/encryption_key -Fj > \ data_bags/database/yamls.json Friday, January 25, 13

  72. # First create a new data bag $ knife data

    bag create database # Encrypt and upload a data bag item $ knife data bag from file database database/yamls.json \ --secret-file ~/.chef/encryption_key # Download an encrypted data bag item $ knife data bag show database yamls -Fj > data_bags/database/yamls.json # Download and decrypt a data bag item $ knife data bag show database yamls --secret-file ~/.chef/encryption_key -Fj > \ data_bags/database/yamls.json Friday, January 25, 13

  73. # First create a new data bag $ knife data

    bag create database # Encrypt and upload a data bag item $ knife data bag from file database database/yamls.json \ --secret-file ~/.chef/encryption_key # Download an encrypted data bag item $ knife data bag show database yamls -Fj > data_bags/database/yamls.json # Download and decrypt a data bag item $ knife data bag show database yamls --secret-file ~/.chef/encryption_key -Fj > \ data_bags/database/yamls.json Friday, January 25, 13

  74. One Last Resource Friday, January 25, 13

  75. deploy "/my/apps/dir/deploy" do # Use a local repo if you

    prefer repo "/path/to/gitrepo/typo/" environment "RAILS_ENV" => "production" revision "HEAD" action :deploy migration_command "rake db:migrate --trace" migrate true restart_command "touch tmp/restart.txt" create_dirs_before_symlink %w{tmp public config deploy} # You can use this to customize if your app has extra configuration files # such as amqp.yml or app_config.yml symlink_before_migrate "config/database.yml" => "config/database.yml" # If your app has extra files in the shared folder, specify them here symlinks "system" => "public/system", "pids" => "tmp/pids", "log" => "log", "deploy/before_migrate.rb" => "deploy/before_migrate.rb", "deploy/before_symlink.rb" => "deploy/before_symlink.rb", "deploy/before_restart.rb" => "deploy/before_restart.rb", "deploy/after_restart.rb" => "deploy/after_restart.rb" end Friday, January 25, 13

  76. Miscellaneous Friday, January 25, 13

  77. Home Work Chef Environments Cookbook Versioning README.md and metadata.rb Knife

    Lightwieght Resources and Providers Libraries Friday, January 25, 13