Chef is a Ruby-based configuration management tool used to define infrastructure as code. It lets you automate the management of many nodes and keep them consistent with one another. Recipes declare the desired state of the managed nodes and are written on your workstation with the Chef Workstation package. Your recipes are distributed to the nodes through a Chef server, and a Chef client installed on each node is responsible for applying the recipes to that node. This guide shows you how to install and configure Chef Server and Chef Workstation. We will also bootstrap a node so that Chef can manage it.
In this tutorial you will learn:
- How to install and configure Chef Server
- How to create a Chef user and organization
- How to install and configure Chef Workstation
- How to configure Knife and bootstrap a client node
Software requirements and conventions used
Category | Requirements, conventions or software version used
---|---
System | Ubuntu Linux 18.04
Software | Chef Server Core, Chef Workstation, Chef Client, Chef Development Kit
Other | Privileged access to your Linux system as root or via the sudo command.
Conventions | # - requires the given Linux command to be executed with root privileges, either directly as the root user or by use of the sudo command; $ - requires the given Linux command to be executed as a regular non-privileged user
Install and configure Chef Server
The Chef server is the hub for all interaction between the workstations and nodes under Chef management. Changes made to the configuration code on a workstation are pushed to the Chef server and then pulled down by each node's chef-client, which applies the configuration.
Download the latest Chef server by running the following command:
# wget https://packages.chef.io/files/stable/chef-server/12.18.14/ubuntu/18.04/chef-server-core_12.18.14-1_amd64.deb
Now install the server package with the following command:
# dpkg -i chef-server-core_*.deb
Chef Server includes a command-line utility named chef-server-ctl. Run chef-server-ctl to start the Chef Server services:
# chef-server-ctl reconfigure
Once the Chef server has been configured successfully you will see the following message; then check that the Chef server services are running:
Chef Client finished, 493/1100 resources updated in 12 minutes 02 seconds
Chef Server Reconfigured!
root@ubuntubox1:~# chef-server-ctl status
run: bookshelf: (pid 1435) 6644s; run: log: (pid 1440) 6644s
run: nginx: (pid 1235) 6653s; run: log: (pid 1744) 6631s
run: oc_bifrost: (pid 1196) 6657s; run: log: (pid 1203) 6657s
run: oc_id: (pid 1220) 6655s; run: log: (pid 1227) 6655s
run: opscode-erchef: (pid 4376) 6432s; run: log: (pid 1508) 6644s
run: opscode-expander: (pid 1335) 6648s; run: log: (pid 1431) 6646s
run: opscode-solr4: (pid 1244) 6650s; run: log: (pid 1285) 6649s
run: postgresql: (pid 1176) 6659s; run: log: (pid 1180) 6659s
run: rabbitmq: (pid 4188) 6443s; run: log: (pid 1748) 6631s
run: redis_lb: (pid 27397) 6931s; run: log: (pid 1735) 6632s
root@ubuntubox1:~#
Create a Chef user and organization
To link workstations and nodes to the Chef server, create an administrator and an organization, each with an associated RSA private key. In the home directory, create a .chef directory to store the keys:
# mkdir .chef
Create a user with chef-server-ctl. In this example, change the following to suit your needs: USER_NAME, FIRST_NAME, LAST_NAME, EMAIL and PASSWORD. Adjust USER_NAME.pem as well, keeping the .pem extension.
chef-server-ctl user-create USER_NAME FIRST_NAME LAST_NAME EMAIL 'PASSWORD' --filename ~/.chef/USER_NAME.pem
root@ubuntubox1:~# chef-server-ctl user-create chefadmin Chef Administrator chefadmin@ubuntubox1.com '*******' --filename ~/.chef/chefadmin.pem
To see a list of all users on the Chef server, issue the following command:
root@ubuntubox1:~# chef-server-ctl user-list
chefadmin
pivotal
Create an organization and add the user created in the previous step. Replace ORG_NAME with a short identifier for the organization, ORG_FULL_NAME with the organization's full name, USER_NAME with the user name created in the step above, and ORG_NAME.pem with the organization's short identifier followed by .pem.
chef-server-ctl org-create ORG_NAME "ORG_FULL_NAME" --association_user USER_NAME --filename ~/.chef/ORG_NAME.pem
root@ubuntubox1:~# chef-server-ctl org-create chef-on-ubuntu "Chef Infrastructure on Ubuntu 18.04" --association_user chefadmin --filename ~/.chef/chef-on-ubuntu.pem
To see a list of all organizations on the Chef server, use the following command:
root@ubuntubox1:~# chef-server-ctl org-list
chef-on-ubuntu
With Chef Server installed and the RSA keys generated, we will move on to configuring the Chef workstation. All of the main configuration for your nodes is created on the workstation.
Install and configure Chef Workstation
The Chef workstation is where you create and configure the recipes, cookbooks, attributes and any other changes needed to manage your nodes. Although this can be a local machine running any OS, there are advantages to keeping a remote server as your workstation so that you can reach it from anywhere.
In this section you will download and install the Chef Workstation package, which provides all of the tools also included in the Chef Development Kit (ChefDK).
Download the latest Chef Workstation:
root@ubuntubox2:~# wget https://packages.chef.io/files/stable/chef-workstation/0.2.43/ubuntu/18.04/chef-workstation_0.2.43-1_amd64.deb
--2019-06-03 13:35:51-- https://packages.chef.io/files/stable/chef-workstation/0.2.43/ubuntu/18.04/chef-workstation_0.2.43-1_amd64.deb
Resolving packages.chef.io (packages.chef.io)... 151.101.142.110
Connecting to packages.chef.io (packages.chef.io)|151.101.142.110|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 129713682 (124M) [application/x-debian-package]
Saving to: ‘chef-workstation_0.2.43-1_amd64.deb’
chef-workstation_0.2.43-1_amd64.deb 100%[=====================================================================================>] 123.70M 1.51MB/s in 80s
2019-06-03 13:37:17 (1.55 MB/s) - ‘chef-workstation_0.2.43-1_amd64.deb’ saved [129713682/129713682]
Install Chef Workstation:
root@ubuntubox2:~# dpkg -i chef-workstation_*.deb
Selecting previously unselected package chef-workstation.
(Reading database ... 117468 files and directories currently installed.)
Preparing to unpack chef-workstation_0.2.43-1_amd64.deb ...
Unpacking chef-workstation (0.2.43-1) ...
Setting up chef-workstation (0.2.43-1) ...
To run the experimental Chef Workstation App, use your
platform's package manager to install these dependencies:
libgconf-2.so.4 => not found
You can then launch the App by running 'chef-workstation-app'.
The App will then be available in the system tray.
Thank you for installing Chef Workstation!
You can find some tips on getting started at https://chef.sh/
Now we need to create the Chef repository. The chef-repo directory will store your Chef cookbooks and other related files:
# chef generate repo chef-repo
Create a .chef subdirectory. It will hold the Knife configuration file and the .pem files used for RSA key-pair authentication with the Chef server. Then move into the chef-repo directory:
root@ubuntubox2:~# mkdir ~/chef-repo/.chef
root@ubuntubox2:~# cd chef-repo
root@ubuntubox2:~/chef-repo#
Authentication between the Chef server and workstations and/or nodes is done with public key cryptography. This ensures that the Chef server communicates only with trusted machines. In this section, the RSA private keys generated while setting up the Chef server are copied to the workstation to allow communication between the Chef server and the workstation.
We will generate an SSH RSA key pair on the workstation server. This key pair will be used to log in to the Chef server and then transfer its .pem files:
root@ubuntubox2:~# ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:sR+Nloq6vsc7rX4ZmMInP3SKdk4fYEJH1iLoKNm1YMg root@ubuntubox2.com
The key's randomart image is:
+---[RSA 4096]----+
|.. . o. |
|.E+ oo. . |
| * o.o... |
|+ o... o + |
|. .. ooS = . |
| +o=oo+ . |
| Oo+oo. |
| ooO.+. |
| o=B=*. |
+----[SHA256]-----+
root@ubuntubox2:~#
Upload the workstation's public key to the Chef server node:
root@ubuntubox2:~# ssh-copy-id root@ubuntubox1.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@ubuntubox1.com's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@ubuntubox1.com'"
and check to make sure that only the key(s) you wanted were added.
root@ubuntubox2:~#
Use the scp command to copy the .pem files from the Chef server to the workstation:
root@ubuntubox2:~# scp root@ubuntubox1.com:~/.chef/*.pem ~/chef-repo/.chef/
chefadmin.pem 100% 1674 27.9KB/s 00:00
chef-on-ubuntu.pem 100% 1674 496.8KB/s 00:00
Confirm that the files were copied successfully by listing the contents of the .chef directory. The .pem files should be listed:
root@ubuntubox2:~# ls ~/chef-repo/.chef
chefadmin.pem chef-on-ubuntu.pem
Generate a new Chef cookbook:
root@ubuntubox2:~# chef generate cookbook chef-first-cookbook
Hyphens are discouraged in cookbook names as they may cause problems with custom resources. See https://docs.chef.io/ctl_chef.html#chef-generate-cookbook for more information.
Generating cookbook chef-first-cookbook
- Ensuring correct cookbook file content
- Ensuring delivery configuration
- Ensuring correct delivery build cookbook content
Your cookbook is ready. Type `cd chef-first-cookbook` to enter it.
There are several commands you can run to get started locally developing and testing your cookbook.
Type `delivery local --help` to see a full list.
Why not start by writing a test? Tests for the default recipe are stored at:
test/integration/default/default_test.rb
If you'd prefer to dive right in, the default recipe can be found at:
recipes/default.rb
Generate the chef-repo and move into the newly created directory:
# chef generate app chef-repo
# cd chef-repo
Configure Knife and bootstrap a client node
Create the Knife configuration file by navigating to the ~/chef-repo/.chef directory and creating a file named config.rb with your preferred text editor. Copy the following configuration into config.rb:
current_dir = File.dirname(__FILE__)
log_level :info
log_location STDOUT
node_name 'node_name'
client_key "USER.pem"
validation_client_name 'ORG_NAME-validator'
validation_key "ORGANIZATION-validator.pem"
chef_server_url 'https://ubuntubox1.com/organizations/ORG_NAME'
cache_type 'BasicFile'
cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
cookbook_path ["#{current_dir}/../cookbooks"]
The value of node_name should be the user name created on the Chef server. Change USER.pem under client_key to the Chef user's .pem file. validation_client_name should be the organization's ORG_NAME followed by -validator. ORGANIZATION-validator.pem in the validation_key path should be set to ORG_NAME followed by -validator.pem. Finally, chef_server_url should be the domain of the Chef server with /organizations/ORG_NAME appended. Be sure to replace ORG_NAME with your organization's name.
Move into the chef-repo directory and fetch the required SSL certificate from the server:
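As an added example (not part of the original article), the following Ruby script evaluates a config.rb the way knife does and checks the substitutions described above against the user, organization and server name used in this tutorial; the KnifeConfig class, check_knife_config and the filled-in sample config are constructed for this example.

```ruby
# config.rb is plain Ruby: each setting is a method call with one argument.
# This collector records the calls without loading knife; it still runs the
# file as Ruby, exactly as knife does, so point it only at your own config.
class KnifeConfig
  attr_reader :settings
  def initialize; @settings = {}; end
  def method_missing(name, *args); @settings[name] = args.first; end
  # filename is what __FILE__ resolves to inside the evaluated config
  def self.parse(source, filename = 'config.rb')
    cfg = new
    cfg.instance_eval(source, filename)
    cfg.settings
  end
end

# Applies the article's substitution rules and returns a list of problems;
# an empty list means config.rb matches the Chef user, organization and
# server it is meant for.
def check_knife_config(source, user:, org:, server:)
  s = KnifeConfig.parse(source)
  expected = {
    node_name: user,
    client_key: "#{user}.pem",
    validation_client_name: "#{org}-validator",
    validation_key: "#{org}-validator.pem",
    chef_server_url: "https://#{server}/organizations/#{org}"
  }
  expected.map do |key, want|
    got = s[key].to_s
    # .pem settings may be relative or absolute paths; compare the file name
    got = File.basename(got) if key.to_s.end_with?('_key')
    "#{key} should be #{want} (found #{got.inspect})" unless got == want
  end.compact
end

# Constructed sample: the article's config.rb with this tutorial's values filled in.
FILLED_CONFIG = <<~'RUBY'
  current_dir = File.dirname(__FILE__)
  log_location STDOUT
  node_name 'chefadmin'
  client_key "chefadmin.pem"
  validation_client_name 'chef-on-ubuntu-validator'
  validation_key "chef-on-ubuntu-validator.pem"
  chef_server_url 'https://ubuntubox1.com/organizations/chef-on-ubuntu'
  cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
  cookbook_path ["#{current_dir}/../cookbooks"]
RUBY

p check_knife_config(FILLED_CONFIG, user: 'chefadmin', org: 'chef-on-ubuntu', server: 'ubuntubox1.com')
```

Run it against your real file with check_knife_config(File.read('config.rb'), ...) from inside ~/chef-repo/.chef; any leftover placeholder from the template is reported by name.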
root@ubuntubox2:~/chef-repo/.chef# cd ..
root@ubuntubox2:~/chef-repo# knife ssl fetch
WARNING: Certificates from ubuntubox1.com will be fetched and placed in your trusted_cert
directory (/root/chef-repo/.chef/trusted_certs).
Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.
Adding certificate for ubuntubox1_com in /root/chef-repo/.chef/trusted_certs/ubuntubox1_com.crt
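knife ssl fetch itself warns that it cannot verify what it downloaded. Added example, not from the original article: a Ruby check for the certificate knife just stored, which compares its SHA-256 fingerprint with one you read out of band on the Chef server (assumed to be the self-signed certificate chef-server-ctl reconfigure generated; on the server it is typically under /var/opt/opscode/nginx/ca/, so confirm the path on your install), and also confirms that the certificate names the chef_server_url host and is currently valid. The helper names and the sample self-signed certificate are constructed here so the check runs offline.

```ruby
require 'openssl'

# Colon-separated SHA-256 fingerprint, the form `openssl x509 -noout
# -fingerprint -sha256` prints, so the value read on the server can be
# compared by eye with the one computed on the workstation.
def cert_fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Checks a certificate stored by knife ssl fetch against the fingerprint
# obtained out of band on the Chef server, the FQDN used in chef_server_url
# (the certificate must name that host) and the validity period. Returns a
# list of problems; empty means the certificate can be trusted.
def verify_trusted_cert(pem, expected_fingerprint, host, now = Time.now)
  cert = OpenSSL::X509::Certificate.new(pem)
  want = expected_fingerprint.delete(':').upcase
  got = cert_fingerprint(cert).delete(':')
  problems = []
  problems << "fingerprint #{got} does not match the server's #{want}" unless got == want
  unless OpenSSL::SSL.verify_certificate_identity(cert, host)
    problems << "certificate is not issued for #{host} (subject #{cert.subject})"
  end
  if now < cert.not_before || now > cert.not_after
    problems << "certificate not valid at #{now} (#{cert.not_before} to #{cert.not_after})"
  end
  problems
end

# Workstation helper: check the file knife wrote, e.g.
# ~/chef-repo/.chef/trusted_certs/ubuntubox1_com.crt
def verify_trusted_cert_file(path, expected_fingerprint, host)
  verify_trusted_cert(File.read(path), expected_fingerprint, host)
end

# Constructed sample: a self-signed certificate like the one Chef Server
# creates for its nginx front end, so the check can be exercised offline.
def make_self_signed(cn, days = 365)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + days * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end
```

On the server, cert_fingerprint on its own certificate file gives the expected value; on the workstation, verify_trusted_cert_file with that value and 'ubuntubox1.com' should return an empty list before you rely on the fetched certificate.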
Confirm that config.rb is set up correctly by listing the clients. This command should output the validator name:
root@ubuntubox2:~/chef-repo# knife client list
chef-on-ubuntu-validator
Bootstrapping a node installs the Chef client on that node and validates it with the Chef server. This allows the node to read from the Chef server, and to pull down and apply any configuration updates that chef-client detects. From the workstation, navigate to the ~/chef-repo/.chef directory:
# cd ~/chef-repo/.chef
Bootstrap the client node using the client node's root user or another user with elevated privileges:
root@ubuntubox2:~/chef-repo/.chef# knife bootstrap ubuntubox3.com -x root -P ******* --node-name chef-client-node
Creating new client for chef-client-node
Creating new node for chef-client-node
Connecting to ubuntubox3.com
ubuntubox3.com -----> Installing Chef Omnibus (-v 14)
ubuntubox3.com downloading https://omnitruck-direct.chef.io/chef/install.sh
ubuntubox3.com to file /tmp/install.sh.2019/install.sh
ubuntubox3.com trying wget...
ubuntubox3.com ubuntu 18.04 x86_64
ubuntubox3.com Getting information for chef stable 14 for ubuntu...
ubuntubox3.com downloading https://omnitruck-direct.chef.io/stable/chef/metadata?v=14&p=ubuntu&pv=18.04&m=x86_64
ubuntubox3.com to file /tmp/install.sh.2023/metadata.txt
ubuntubox3.com trying wget...
ubuntubox3.com sha1 ed9b1fcdaf947d9a3d60e6d196308183a082bcff
ubuntubox3.com sha256 9ddcd5ceef19c95ecc1f34bef080c23d9cb42ae8ebc69fd41dcf1c768a6a708f
ubuntubox3.com url https://packages.chef.io/files/stable/chef/14.13.11/ubuntu/18.04/chef_14.13.11-1_amd64.deb
ubuntubox3.com version 14.13.11
ubuntubox3.com downloaded metadata file looks valid...
ubuntubox3.com downloading https://packages.chef.io/files/stable/chef/14.13.11/ubuntu/18.04/chef_14.13.11-1_amd64.deb
ubuntubox3.com to file /tmp/install.sh.2023/chef_14.13.11-1_amd64.deb
ubuntubox3.com trying wget...
ubuntubox3.com Comparing checksum with sha256sum...
ubuntubox3.com Installing chef 14
ubuntubox3.com installing with dpkg...
ubuntubox3.com Selecting previously unselected package chef.
(Reading database ... 117468 files and directories currently installed.)
ubuntubox3.com Preparing to unpack .../chef_14.13.11-1_amd64.deb ...
ubuntubox3.com Unpacking chef (14.13.11-1) ...
ubuntubox3.com Setting up chef (14.13.11-1) ...
ubuntubox3.com Thank you for installing Chef Infra Client! For help getting started visit https://learn.chef.io
ubuntubox3.com Starting the first Chef Client run...
ubuntubox3.com Starting Chef Client, version 14.13.11
ubuntubox3.com resolving cookbooks for run list: []
ubuntubox3.com Synchronizing Cookbooks:
ubuntubox3.com Installing Cookbook Gems:
ubuntubox3.com Compiling Cookbooks...
ubuntubox3.com [2019-06-03T14:01:44+04:00] WARN: Node chef-client-node has an empty run list.
ubuntubox3.com Converging 0 resources
ubuntubox3.com
ubuntubox3.com Running handlers:
ubuntubox3.com Running handlers complete
ubuntubox3.com Chef Client finished, 0/0 resources updated in 05 seconds
root@ubuntubox2:~/chef-repo/.chef#
Confirm that the node has been bootstrapped successfully by listing the nodes:
root@ubuntubox2:~/chef-repo/.chef# knife node list
chef-client-node
root@ubuntubox2:~/chef-repo/.chef# knife node show chef-client-node
Node Name: chef-client-node
Environment: _default
FQDN: ubuntubox3.com
IP: 192.168.1.107
Run List:
Roles:
Recipes:
Platform: ubuntu 18.04
Tags:
Conclusion
In this article we looked at the Chef configuration management tool, covering its basics and its components along with their installation and configuration. You can learn more about Chef by visiting the Chef website (https://www.chef.io/).