This article skips the architecture talk and gets straight to commands and code. It is an introductory walkthrough: every basic component is stacked on a single machine. Leave a comment if you run into problems.
Four components installed on one machine
chef server
chef manage
chef workstation
chef client
The system is Ubuntu 16.04 with root privileges; note that at least 3GB of memory is required.
The downloaded packages are placed in the /root folder and are, in order:
https://downloads.chef.io/products/infra-client?os=ubuntu
chef_16.6.14-1_amd64.deb
https://downloads.chef.io/products/infra-server
chef-server-core_14.0.65-1_amd64.deb
https://downloads.chef.io/products/manage
chef-manage_3.0.11-1_amd64.deb
https://downloads.chef.io/products/workstation?os=ubuntu
chef-workstation_20.11.180-1_amd64.deb
/etc/hosts is configured as follows:
192.168.64.130 chefserver chef.test.com
192.168.64.130 chefworkstation
192.168.64.130 chefnode
chef server installation and configuration
Set the hostname
hostnamectl set-hostname chef.test.com
Install
dpkg -i chef-server-core_14.0.65-1_amd64.deb
chef-server-ctl reconfigure
chef-server-ctl install chef-manage --path /root/chef-manage_3.0.11-1_amd64.deb
chef-server-ctl reconfigure
chef-manage-ctl reconfigure
Create an administrator. In this example the administrator is named what thehell, the username is hell, the e-mail is whatthehell@whatever.com, the password is usaygej8, and the user's key file is saved as /root/hell.pem
chef-server-ctl user-create hell what thehell whatthehell@whatever.com 'usaygej8' --filename /root/hell.pem
Create an organization. In this example the organization is called test with the full name test com, it is associated with the user hell, and the validator key is saved as /root/test-validator.pem (this step can also be done from the management page at https://192.168.64.130)
chef-server-ctl org-create test 'test com' --association_user hell --filename test-validator.pem
Log in to the management page at https://192.168.64.130 and download config.rb and the Starter Kit
chef workstation installation and configuration
Install
dpkg -i chef-workstation_20.11.180-1_amd64.deb
Verify
chef -v
Output:
Chef Workstation version: 20.11.180
Chef Infra Client version: 16.6.14
Chef InSpec version: 4.23.15
Chef CLI version: 3.0.33
Chef Habitat version: 1.6.56
Test Kitchen version: 2.7.2
Cookstyle version: 7.2.1
Configure ruby so that the ruby bundled with chef is used
echo 'eval "$(chef shell-init bash)"' >> ~/.bash_profile
source ~/.bash_profile
which ruby
Create chef-repo
chef generate repo chef-repo
Directory structure after creation
chef-repo/
├── chefignore
├── cookbooks
│   ├── example
│   │   ├── attributes
│   │   │   └── default.rb
│   │   ├── metadata.rb
│   │   ├── README.md
│   │   └── recipes
│   │       └── default.rb
│   └── README.md
├── data_bags
│   ├── example
│   │   └── example_item.json
│   └── README.md
├── LICENSE
├── policyfiles
│   └── README.md
└── README.md
Create the .chef folder, which holds the following files
config.rb
test-validator.pem
hell.pem
Generate the .chef folder; after generation it is located at /root/.chef
root@chef:~# knife configure
WARNING: No knife configuration file found. See https://docs.chef.io/config_rb/ for details.
Please enter the chef server URL: [https://chefserver/organizations/myorg] https://chefserver/organizations/test
Please enter an existing username or clientname for the API: [root] hell
*****
You must place your client key in:
/root/.chef/hell.pem
Before running commands with Knife
*****
Knife configuration file written to /root/.chef/credentials
Upload the downloaded config.rb to ~/.chef; cookbook_path needs to be modified.
After the change the content is as follows:
# See https://docs.getchef.com/config_rb.html for more information on knife configuration options
current_dir = File.dirname(__FILE__)
log_level :info
log_location STDOUT
node_name "hell"
client_key "#{current_dir}/hell.pem"
chef_server_url "https://chefserver/organizations/test"
cookbook_path ["#{current_dir}/../chef-repo/cookbooks"]
The official reference version is a bit more complete:
current_dir = File.dirname(__FILE__)
log_level :info
log_location STDOUT
node_name 'node_name'
client_key "#{current_dir}/USER.pem"
validation_client_name 'ORG_NAME-validator'
validation_key "#{current_dir}/ORGANIZATION-validator.pem"
chef_server_url 'https://api.chef.io/organizations/ORG_NAME'
cache_type 'BasicFile'
cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
cookbook_path ["#{current_dir}/../cookbooks"]
Copy the key files
cp /root/hell.pem ~/.chef
cp /root/test-validator.pem ~/.chef
Run
knife ssl fetch
knife ssl check
knife node list
The results are as follows:
root@chef:~# knife ssl fetch
WARNING: Certificates from chefserver will be fetched and placed in your trusted_cert
directory (/root/.chef/trusted_certs).
Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.
Adding certificate for chefserver in /root/.chef/trusted_certs/chefserver.crt
root@chef:~# knife ssl check
Connecting to host chefserver:443
Successfully verified certificates from `chefserver'
root@chef:~# knife node list
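The knife ssl fetch output above says that knife cannot verify the certificate it stored under trusted_certs and that you should check it yourself. On this all-in-one box that check is a fingerprint comparison between the fetched copy and the server's own certificate file. The following is an added example, not part of the original article or of Chef itself; it assumes the fetched copy at /root/.chef/trusted_certs/chefserver.crt (as shown in the output) and the server certificate at /var/opt/opscode/nginx/ca/chef.test.com.crt (assumed location), and it builds a throwaway self-signed certificate so it can run without a live server, using the ruby that chef shell-init puts on the PATH.

```ruby
require "openssl"

# SHA-256 fingerprint of a PEM certificate, colon separated like
# "openssl x509 -fingerprint -sha256" prints it.
def cert_fingerprint(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  OpenSSL::Digest.new("SHA256").hexdigest(cert.to_der).upcase.scan(/../).join(":")
end

# True only when both PEMs are byte-for-byte the same certificate.
def fingerprints_match?(fetched_pem, reference_pem)
  cert_fingerprint(fetched_pem) == cert_fingerprint(reference_pem)
end

# Compare the copy knife wrote into trusted_certs with the server's own
# certificate. Both paths are assumptions for this single-machine setup.
def check_trusted_cert(fetched_path = "/root/.chef/trusted_certs/chefserver.crt",
                       reference_path = "/var/opt/opscode/nginx/ca/chef.test.com.crt")
  fingerprints_match?(File.read(fetched_path), File.read(reference_path))
end

# Constructed sample: a throwaway self-signed certificate standing in for
# the chef server's certificate, so the check can be exercised offline.
def make_self_signed_pem(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  genuine = make_self_signed_pem("chef.test.com")
  # Same CN but a different key: what a substituted certificate would look like.
  substituted = make_self_signed_pem("chef.test.com")
  puts "fetched == server:      #{fingerprints_match?(genuine, genuine)}"
  puts "fetched == substituted: #{fingerprints_match?(genuine, substituted)}"
  puts "server fingerprint:     #{cert_fingerprint(genuine)}"
end
```

Against the real files, run check_trusted_cert with no arguments on the chef server host; a false result means the copy under trusted_certs is not the certificate the server is actually serving.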
chef client
chef server and chef workstation already bundle the client, so no separate installation is needed. For a standalone client, install as follows:
dpkg -i chef_16.6.14-1_amd64.deb
chef-client -v
Next, add a node. This should be run on the workstation; in this article it is run locally:
Assume the root password is 111111 and the node name matches the one in /etc/hosts
knife bootstrap 192.168.64.130 --ssh-user root --ssh-password 111111 --node-name chefnode
Output:
root@chef:~# knife bootstrap 192.168.64.130 --ssh-user root --ssh-password 111111 --node-name chefnode
--ssh-user: This flag is deprecated. Use -U/--connection-user instead.
--ssh-password: This flag is deprecated. Use -P/--connection-password instead.
Connecting to 192.168.64.130 using ssh
The authenticity of host '192.168.64.130 ()' can't be established.
fingerprint is SHA256:0aYC/Q38o7GpyBSNnpbMRgC0iRcclksBcvIf58tH4EA.
Are you sure you want to continue connecting
? (Y/N) y
Connecting to 192.168.64.130 using ssh
WARNING: Performing legacy client registration with the validation key at /root/.chef/test-validator.pem...
WARNING: Remove the key file or remove the 'validation_key' configuration option from your config.rb (knife.rb) to use more secure user credentials for client registration.
Bootstrapping 192.168.64.130
[192.168.64.130] -----> Existing Chef Infra Client installation detected
[192.168.64.130] Starting the first Chef Infra Client Client run...
[192.168.64.130] Starting Chef Infra Client, version 16.6.14
Patents: https://www.chef.io/patents
[192.168.64.130] Creating a new client identity for chefnode using the validator key.
[192.168.64.130] resolving cookbooks for run list: []
[192.168.64.130] Synchronizing Cookbooks:
[192.168.64.130] Installing Cookbook Gems:
[192.168.64.130]
[192.168.64.130] Compiling Cookbooks...
[192.168.64.130]
[192.168.64.130] [2020-11-23T22:17:42-08:00] WARN: Node chefnode has an empty run list.
[192.168.64.130] Converging 0 resources
[192.168.64.130]
Running handlers:
Running handlers complete
[192.168.64.130] Chef Infra Client finished, 0/0 resources updated in 08 seconds
[192.168.64.130]
The node is now visible in the console at https://192.168.64.130; log in with the username and password of the hell user created earlier.
Writing and using the first cookbook
Instead of using the Starter Kit, we directly modify the example cookbook that chef-repo generated by default.
vim /root/chef-repo/cookbooks/example/recipes/default.rb
execute 'repo_test' do
  command 'netstat -nltp>> /tmp/netstat.txt'
  ignore_failure true
end
Upload it to the chef server
knife cookbook upload example
root@chef:~# knife cookbook upload example
Uploading example [1.0.0]
Uploaded 1 cookbook.
List cookbooks
knife cookbook list
root@chef:~# knife cookbook list
example 1.0.0
Add the cookbook to the target node's run list
knife node run_list add chefnode example
root@chef:~# knife node run_list add chefnode example
chefnode:
run_list: recipe[example]
All cookbook operations are done on the workstation; in this article that is the local machine.
Run chef client to apply the cookbook; in this article this is also done locally.
chef-client
root@chef:~# chef-client
Starting Chef Infra Client, version 16.6.14
Patents: https://www.chef.io/patents
resolving cookbooks for run list: ["example"]
Synchronizing Cookbooks:
- example (1.0.0)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 1 resources
Recipe: example::default
* execute[repo_test] action run
- execute netstat -nltp>> /tmp/netstat.txt
Running handlers:
Running handlers complete
Chef Infra Client finished, 1/1 resources updated in 06 seconds
Verify the /tmp/netstat.txt file
root@chef:~# cat /tmp/netstat.txt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:9999 0.0.0.0:* LISTEN 46379/nginx.conf
tcp 0 0 0.0.0.0:9680 0.0.0.0:* LISTEN 46379/nginx.conf
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 46379/nginx.conf
tcp 0 0 127.0.0.1:4369 0.0.0.0:* LISTEN 23885/epmd
tcp 0 0 0.0.0.0:9683 0.0.0.0:* LISTEN 46379/nginx.conf
tcp 0 0 127.0.0.1:9462 0.0.0.0:* LISTEN 46366/config.ru
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 813/sshd
tcp 0 0 127.0.0.1:9463 0.0.0.0:* LISTEN 24509/oc_bifrost
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 24505/postgres
tcp 0 0 127.0.0.1:11002 0.0.0.0:* LISTEN 46334/redis-server
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 46379/nginx.conf
tcp 0 0 127.0.0.1:16379 0.0.0.0:* LISTEN 45836/redis-server
tcp 0 0 127.0.0.1:33533 0.0.0.0:* LISTEN 24509/oc_bifrost
tcp 0 0 127.0.0.1:43870 0.0.0.0:* LISTEN 24599/bookshelf
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN 24676/oc_erchef
tcp 0 0 127.0.0.1:4321 0.0.0.0:* LISTEN 24599/bookshelf
tcp 0 0 127.0.0.1:9090 0.0.0.0:* LISTEN 24519/rails master
tcp 0 0 127.0.0.1:37673 0.0.0.0:* LISTEN 24676/oc_erchef
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 24586/java
tcp6 0 0 127.0.0.1:9300 :::* LISTEN 24586/java
tcp6 0 0 :::22 :::* LISTEN 813/sshd
tcp6 0 0 ::1:5432 :::* LISTEN 24505/postgres
Cookbook marketplace
https://supermarket.chef.io/cookbooks
Common commands
Generate a repo
chef generate repo chef-repo
Generate a cookbook
chef generate cookbook COOKBOOK_NAME
Download a cookbook from the Supermarket
knife supermarket download COOKBOOK_NAME
Install a cookbook from the Supermarket
knife supermarket install COOKBOOK_NAME
The knife download command is for downloading files from the chef server; see https://docs.chef.io/workstation/knife_download/
chef-server-ctl [start, stop, status]