[Original] Chef Server, Chef Workstation and Chef Client Install Guide [by haibo]

    1. Prerequisites

    OS  :  CentOS-7.0-1406-x86_64-DVD.iso

    Time Server :   NTP Server

    Server name         IP plan
    chef_server         192.168.100.10
    chef_workstation    192.168.100.11
    chefnode-1          192.168.100.12

    rpm packages (chef_server):
        autogen-libopts-5.18-5.el7.x86_64.rpm
        ntp-4.2.6p5-25.el7.centos.x86_64.rpm
        chef-server-core-12.15.7-1.el7.x86_64.rpm

    rpm packages (chef_workstation):
        chefdk-1.4.3-1.el7.x86_64.rpm
        git-1.8.3.1-6.el7_2.1.x86_64.rpm

    rpm package (chefnode-1):
        chef-13.1.31-1.el7.x86_64.rpm

    2. Configure the OS Environment

    2.1 Configure /etc/hosts

    Add the following entries to /etc/hosts on every node. The Chef server URL and its TLS certificate both use the name chef_server, so all three machines must resolve that name to the same address:

    192.168.100.10    chef_server
    192.168.100.11    chef_workstation
    192.168.100.12    chefnode-1

    2.2 Set up the NTP server on the chef_server node

    2.2.1 Install the NTP packages

    The NOKEY warnings below mean rpm could not check the package signatures because the CentOS 7 signing key (key ID f4a80eb5) has not been imported. Import it first with `rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7` and confirm each file with `rpm -K <package>.rpm` before installing, rather than installing unverified packages.

    [root@chef_server ~]# rpm -Uvh autogen-libopts-5.18-5.el7.x86_64.rpm

    warning: autogen-libopts-5.18-5.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY

    Preparing...                          ################################# [100%]

    Updating / installing...

       1:autogen-libopts-5.18-5.el7       ################################# [100%]

    [root@chef_server ~]# rpm -Uvh ntp-4.2.6p5-25.el7.centos.x86_64.rpm --nodeps

    warning: ntp-4.2.6p5-25.el7.centos.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY

    Preparing...                          ################################# [100%]

    Updating / installing...

       1:ntp-4.2.6p5-25.el7.centos        ################################# [100%]

    [root@chef_server ~]# systemctl start ntpd

    [root@chef_server ~]# systemctl status ntpd

    ntpd.service - Network Time Service

       Loaded: loaded (/usr/lib/systemd/system/ntpd.service; disabled)

       Active: active (running) since Thu 2017-06-15 23:40:59 CST; 11s ago

      Process: 2681 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)

     Main PID: 2682 (ntpd)

       CGroup: /system.slice/ntpd.service

               ├─2682 /usr/sbin/ntpd -u ntp:ntp -g

               └─2683 /usr/sbin/ntpd -u ntp:ntp -g

    2.2.2 Configure the NTP server

    Edit /etc/ntp.conf: remove the four public pool servers and add the local clock as the time source, so that the other nodes can synchronise against chef_server. The restrict lines are the CentOS defaults: clients may request time, but cannot modify the server or run ntpq/ntpdc queries against it. Note that `stratum 1` declares the undisciplined local clock to be as good as a reference clock. That is fine for an isolated lab, but on a network with real upstream servers the usual value is `stratum 10`, so the local clock is only used as a fallback.

    [root@chef_server ~]# vim /etc/ntp.conf

    driftfile /var/lib/ntp/drift

    restrict default nomodify notrap nopeer noquery
    restrict 127.0.0.1
    restrict ::1

    # delete these four lines
    server 0.centos.pool.ntp.org iburst
    server 1.centos.pool.ntp.org iburst
    server 2.centos.pool.ntp.org iburst
    server 3.centos.pool.ntp.org iburst

    # add these two lines
    server 127.127.1.0
    fudge  127.127.1.0 stratum 1

    includefile /etc/ntp/crypto/pw
    keys /etc/ntp/keys
    disable monitor

    Restart ntpd and check that the local clock is selected (the `*` marker in ntpq). The unit is still `disabled`, so also run `systemctl enable ntpd` if it has to survive a reboot.

    [root@chef_server ~]# systemctl restart ntpd

    [root@chef_server ~]# ntpq -p

         remote           refid      st t when poll reach   delay   offset  jitter

    ==============================================================================

    *LOCAL(0)        .LOCL.           1 l    6   64    1    0.000    0.000   0.000

    2.2.3 Stop firewalld (or open the required ports instead)

     [root@chef_server ~]# systemctl status firewalld

    firewalld.service - firewalld - dynamic firewall daemon

       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)

       Active: active (running) since Thu 2017-06-15 23:17:24 CST; 37min ago

     Main PID: 782 (firewalld)

       CGroup: /system.slice/firewalld.service

               └─782 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

    Jun 15 23:17:24 chef_server systemd[1]: Started firewalld - dynamic firewall daemon.

    [root@chef_server ~]# systemctl stop firewalld

    [root@chef_server ~]# systemctl status firewalld

    firewalld.service - firewalld - dynamic firewall daemon

       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)

       Active: inactive (dead) since Thu 2017-06-15 23:55:50 CST; 2s ago

     Main PID: 782 (code=exited, status=0/SUCCESS)

    Jun 15 23:17:24 chef_server systemd[1]: Started firewalld - dynamic firewall daemon.

    Jun 15 23:55:48 chef_server systemd[1]: Stopping firewalld - dynamic firewall daemon...

    Jun 15 23:55:50 chef_server systemd[1]: Stopped firewalld - dynamic firewall daemon.

    NOTE: `systemctl stop` only stops the running daemon; the unit is still enabled and firewalld will be back after a reboot. Turning the host firewall off is acceptable for this lab, but if you prefer to keep it running, the Chef server needs TCP 80 and 443 open, and because this host also serves NTP to the other nodes, UDP 123 as well (the firewalld `ntp` service). Run the following on chef_server to allow them through the firewall:

    firewall-cmd --permanent --zone public --add-service http
    firewall-cmd --permanent --zone public --add-service https
    firewall-cmd --permanent --zone public --add-service ntp
    firewall-cmd --reload

    2.2.4 Verify the configuration and synchronize the other nodes

    Clock agreement matters for more than log timestamps: every request a node or knife sends to the Chef server carries a signed timestamp, and the server rejects requests whose clock differs from its own by more than 15 minutes. The chefnode-1 output below (an offset of roughly 14 hours) is exactly the case that would fail authentication. `ntpdate` is a one-time correction; to keep the nodes in sync, also run ntpd on them with `server chef_server` in their /etc/ntp.conf.

    On chef_workstation

        [root@chef_workstation ~]# ntpdate chef_server

    16 Jun 00:21:55 ntpdate[3239]: adjust time server 192.168.100.10 offset 0.006277 sec

    On chefnode-1

       [root@chefnode-1 ~]# ntpdate chef_server

    16 Jun 00:22:02 ntpdate[3629]: step time server 192.168.100.10 offset 51936.191786 sec

    3. Configure the Chef Server

    3.1 Install the Chef server package on the server node

    Download the package from https://downloads.chef.io/ and install it. The same NOKEY warning appears here: Chef's package signing key (key ID 83ef826a) is not imported, so import it from packages.chef.io and verify the rpm with `rpm -K` before installing.

             [root@chef_server ~]# rpm -Uvh chef-server-core-12.15.7-1.el7.x86_64.rpm

    warning: chef-server-core-12.15.7-1.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY

    Preparing...                          ################################# [100%]

    Updating / installing...

       1:chef-server-core-12.15.7-1.el7   ################################# [100%]

    [root@chef_server ~]# chef-server-ctl reconfigure

    ……

    Chef Client finished, 493/1080 resources updated in 03 minutes 39 seconds

    Chef Server Reconfigured!

             [root@chef_server ~]# chef-server-ctl status

    run: bookshelf: (pid 12149) 193s; run: log: (pid 12187) 193s

    run: nginx: (pid 11960) 197s; run: log: (pid 12564) 188s

    run: oc_bifrost: (pid 11858) 199s; run: log: (pid 11901) 198s

    run: oc_id: (pid 11950) 198s; run: log: (pid 11956) 197s

    run: opscode-erchef: (pid 12387) 190s; run: log: (pid 12311) 192s

    run: opscode-expander: (pid 12034) 194s; run: log: (pid 12105) 194s

    run: opscode-solr4: (pid 12000) 195s; run: log: (pid 12020) 195s

    run: postgresql: (pid 11816) 199s; run: log: (pid 11841) 199s

    run: rabbitmq: (pid 11304) 211s; run: log: (pid 11163) 216s

    run: redis_lb: (pid 10796) 248s; run: log: (pid 12555) 188s

    3.2 Create an admin user and an organization

        User name: admin
        First name: admin
        Last name: admin
        Email: admin@chef.io
        Password: password
        Private key file: /root/admin.pem

    The password is a throwaway lab value. Passed as an argument it is visible in the shell history and the process list, so on a real server pick a strong one and use `chef-server-ctl user-create --prompt-for-password` instead. `-f` writes the user's RSA private key; `org-create -f` writes the organization's validator key, whose client name is the org short name plus `-validator` (here `chef-validator`). Both files are secrets.

    [root@chef_server ~]# chef-server-ctl user-create admin admin admin admin@chef.io password -f /root/admin.pem

    [root@chef_server ~]# chef-server-ctl org-create chef "CHEF, Inc" --association_user admin -f /root/chef-validator.pem

    4. Configure the Chef Workstation

    4.1 Install the ChefDK package on the workstation node

    Download the package from https://downloads.chef.io/ and install it:

        [root@chef_workstation ~]# rpm -Uvh chefdk-1.4.3-1.el7.x86_64.rpm

    warning: chefdk-1.4.3-1.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY

    Preparing...                          ################################# [100%]

    Updating / installing...

       1:chefdk-1.4.3-1.el7               ################################# [100%]

    Thank you for installing Chef Development Kit!

    4.2 Configure the PATH

    `export` only changes the current shell. Add the line to ~/.bash_profile, or use `eval "$(chef shell-init bash)"`, which ChefDK provides for this purpose, to make it permanent.

    [root@chef_workstation bin]# export PATH="/opt/chefdk/embedded/bin:${HOME}/.chefdk/gem/ruby/2.1.0/bin:$PATH"

    Verify that the ChefDK Ruby is found first:

    [root@chef_workstation bin]# which ruby

    /opt/chefdk/embedded/bin/ruby

         4.3 Install Git

               [root@chef_workstation ~]# rpm -Uvh git-1.8.3.1-6.el7_2.1.x86_64.rpm --nodeps

    warning: git-1.8.3.1-6.el7_2.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY

    Preparing...                          ################################# [100%]

    Updating / installing...

       1:git-1.8.3.1-6.el7_2.1            ################################# [100%]

    [root@chef_workstation ~]# git --version

    git version 1.8.3.1

    4.4 Create the chef-repo directory

               [root@chef_workstation ~]# chef generate repo chef-repo

             [root@chef_workstation ~]# cd chef-repo/

             [root@chef_workstation chef-repo]# ls -al

    total 32

    drwxr-xr-x. 7 root root 4096 Jun 16 01:20 .

    dr-xr-x---. 6 root root 4096 Jun 16 01:20 ..

    -rw-r--r--. 1 root root 1133 Jun 16 01:20 chefignore

    -rw-r--r--. 1 root root  255 Jun 16 01:20 .chef-repo.txt

    drwxr-xr-x. 3 root root   36 Jun 16 01:20 cookbooks

    drwxr-xr-x. 3 root root   36 Jun 16 01:20 data_bags

    drwxr-xr-x. 2 root root   41 Jun 16 01:20 environments

    drwxr-xr-x. 7 root root 4096 Jun 16 01:20 .git

    -rw-r--r--. 1 root root 2121 Jun 16 01:20 .gitignore

    -rw-r--r--. 1 root root   70 Jun 16 01:20 LICENSE

    -rw-r--r--. 1 root root 1499 Jun 16 01:20 README.md

    drwxr-xr-x. 2 root root   41 Jun 16 01:20 roles

    4.5 Set the git user name and email

              [root@chef_workstation ~]# git config --global user.name "admin"

    [root@chef_workstation ~]# git config --global user.email "admin@chef.io"

    4.6 Initialize the git repository

    `chef generate repo` already created a repository, hence the "Reinitialized" message; the command is harmless.

               [root@chef_workstation ~]# cd chef-repo/

    [root@chef_workstation chef-repo]# git init

       Reinitialized existing Git repository in /root/chef-repo/.git/

    4.7 Create the hidden .chef directory under /root/chef-repo

    The .chef directory holds the RSA private keys and the knife configuration.

    [root@chef_workstation chef-repo]# mkdir -p ~/chef-repo/.chef

    NOTE: because this directory stores private keys it must never be pushed to GitHub or any other remote. Add it to .gitignore before the first commit. The directory is empty at this point, which is why nothing from it appears in the commit below, but the ignore rule protects the keys that are copied in later.

    [root@chef_workstation chef-repo]# echo '.chef' >> ~/chef-repo/.gitignore

    [root@chef_workstation chef-repo]# git add .

    [root@chef_workstation chef-repo]# git commit -m "initial commit"

    [master (root-commit) 26d359d] initial commit

     16 files changed, 471 insertions(+)

     create mode 100644 .chef-repo.txt

     create mode 100644 .gitignore

     create mode 100644 LICENSE

     create mode 100644 README.md

     create mode 100644 chefignore

     create mode 100644 cookbooks/README.md

     create mode 100644 cookbooks/example/README.md

     create mode 100644 cookbooks/example/attributes/default.rb

     create mode 100644 cookbooks/example/metadata.rb

     create mode 100644 cookbooks/example/recipes/default.rb

     create mode 100644 data_bags/README.md

     create mode 100644 data_bags/example/example_item.json

     create mode 100644 environments/README.md

     create mode 100644 environments/example.json

     create mode 100644 roles/README.md

     create mode 100644 roles/example.json

          [root@chef_workstation chef-repo]# git status

    # On branch master

    nothing to commit, working directory clean

    4.8 Copy the RSA keys to the workstation

    Copy the two private keys from chef_server into the workstation's .chef directory over scp (never by e-mail or a shared drive). admin.pem is the credential knife authenticates with, and chef-validator.pem can register any new node with the organization, so treat both like SSH private keys and make sure they end up mode 600 (`chmod 600 /root/chef-repo/.chef/*.pem`).

          [root@chef_workstation chef-repo]# scp -pr root@chef_server:/root/admin.pem /root/chef-repo/.chef/

          [root@chef_workstation chef-repo]# scp -pr root@chef_server:/root/chef-validator.pem /root/chef-repo/.chef/
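    As an added check that is not part of the original guide: a small Ruby script (ChefDK ships Ruby, so it runs on the workstation as `ruby check_keys.rb`) that inspects every .pem in a .chef directory for the two things that most often go wrong after copying keys around, loose file permissions and a file that is not actually an RSA private key. The 2048-bit minimum and the sample files it creates in a temporary directory are assumptions for the demonstration, not values from the page.

```ruby
require 'openssl'
require 'tmpdir'

# Minimum RSA size accepted for a Chef user/client key (assumed policy value;
# chef-server-ctl generates 2048-bit keys).
MIN_RSA_BITS = 2048

# Inspect one private key file as it landed in .chef.
# Returns an array of problems; an empty array means the file is OK.
def check_private_key(path)
  return ["#{path}: missing"] unless File.file?(path)

  problems = []
  mode = File.stat(path).mode & 0o777
  # Anything readable by group or others leaks the credential to local users.
  if (mode & 0o077) != 0
    problems << "#{path}: mode #{format('%o', mode)} is readable by group/others, expected 600"
  end

  begin
    key = OpenSSL::PKey::RSA.new(File.read(path))
    problems << "#{path}: is a public key, not a private key" unless key.private?
    bits = key.n.num_bits
    problems << "#{path}: only #{bits}-bit RSA, expected >= #{MIN_RSA_BITS}" if bits < MIN_RSA_BITS
  rescue OpenSSL::PKey::PKeyError => e
    # A truncated scp, a certificate or a stray text file ends up here.
    problems << "#{path}: does not parse as an RSA key (#{e.message})"
  end
  problems
end

# Check every .pem in a .chef directory (e.g. /root/chef-repo/.chef).
def check_chef_dir(dir)
  Dir.glob(File.join(dir, '*.pem')).sort.flat_map { |path| check_private_key(path) }
end

# Stand-alone demonstration with constructed sample files in a temporary directory.
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir('chef-keys') do |chef_dir|
    good = File.join(chef_dir, 'admin.pem')            # copied correctly
    File.write(good, OpenSSL::PKey::RSA.new(2048).to_pem)
    File.chmod(0o600, good)

    loose = File.join(chef_dir, 'chef-validator.pem')  # copied with a world-readable mode
    File.write(loose, OpenSSL::PKey::RSA.new(2048).to_pem)
    File.chmod(0o644, loose)

    problems = check_chef_dir(chef_dir)
    puts(problems.empty? ? 'all keys OK' : problems)
  end
end
```

    On the workstation, point check_chef_dir at /root/chef-repo/.chef; fix every line it prints before the keys are used with knife.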

    4.9 Create the knife.rb file

    Create and edit ~/chef-repo/.chef/knife.rb with the content below. node_name and client_key identify the admin user created in 3.2, validation_client_name is the organization short name plus `-validator`, and the host in chef_server_url must match the name in the server's TLS certificate (CN=chef_server here), otherwise the SSL checks in 4.11 fail even after the certificate has been trusted.

    [root@chef_workstation chef-repo]# vim ~/chef-repo/.chef/knife.rb

    current_dir = File.dirname(__FILE__)

    log_level                :info

    log_location             STDOUT

    node_name                "admin"

    client_key               "#{current_dir}/admin.pem"

    validation_client_name   "chef-validator"

    validation_key           "#{current_dir}/chef-validator.pem"

    chef_server_url          "https://chef_server/organizations/chef"

    syntax_check_cache_path  "#{ENV['HOME']}/.chef/syntaxcache"

    cookbook_path            ["#{current_dir}/../cookbooks"]

    4.10 Test knife

    The first knife call fails: `chef-server-ctl reconfigure` generated a self-signed certificate for nginx, and the workstation has no reason to trust it yet. knife refuses to continue rather than silently accepting an unverified certificate, which is the correct behaviour.

    [root@chef_workstation ~]# cd /root/chef-repo

    [root@chef_workstation chef-repo]# knife client list

    ERROR: SSL Validation failure connecting to host: chef_server - SSL_connect returned=1 errno=0 state=error: certificate verify failed

    ERROR: Could not establish a secure connection to the server.

    Use `knife ssl check` to troubleshoot your SSL configuration.

    If your Chef Server uses a self-signed certificate, you can use

    `knife ssl fetch` to make knife trust the server's certificates.

    Original Exception: OpenSSL::SSL::SSLError: SSL Error connecting to https://chef_server/organizations/chef/clients - SSL_connect returned=1 errno=0 state=error: certificate verify failed

    4.11 Check the SSL configuration and trust the server certificate

    [root@chef_workstation chef-repo]# knife ssl check

    Connecting to host chef_server:443

    ERROR: The SSL certificate of chef_server could not be verified

    Certificate issuer data: /C=US/O=YouCorp/OU=Operations/CN=chef_server

    Configuration Info:

    OpenSSL Configuration:

    * Version: OpenSSL 1.0.2j  26 Sep 2016

    * Certificate file: /opt/chefdk/embedded/ssl/cert.pem

    * Certificate directory: /opt/chefdk/embedded/ssl/certs

    Chef SSL Configuration:

    * ssl_ca_path: nil

    * ssl_ca_file: nil

    * trusted_certs_dir: "/root/chef-repo/.chef/trusted_certs"

    TO FIX THIS ERROR:

    If the server you are connecting to uses a self-signed certificate, you must

    configure chef to trust that server's certificate.

    By default, the certificate is stored in the following location on the host

    where your chef-server runs:

      /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt

    Copy that file to your trusted_certs_dir (currently: /root/chef-repo/.chef/trusted_certs)

    using SSH/SCP or some other secure method, then re-run this command to confirm

    that the server's certificate is now trusted.

          [root@chef_workstation chef-repo]# knife ssl fetch

    WARNING: Certificates from chef_server will be fetched and placed in your trusted_cert

    directory (/root/chef-repo/.chef/trusted_certs).

    Knife has no means to verify these are the correct certificates. You should

    verify the authenticity of these certificates after downloading.

    Adding certificate for chef_server in /root/chef-repo/.chef/trusted_certs/chef_server.crt

    [root@chef_workstation chef-repo]# knife ssl check

    Connecting to host chef_server:443

    Successfully verified certificates from `chef_server'
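    `knife ssl fetch` is trust-on-first-use: it stores whatever certificate answers on chef_server:443 and cannot tell whether that was the real server or something in between, which is exactly what its warning says. The check a practitioner should do before relying on the fetched file is to compare its fingerprint with one taken on the server itself (`openssl x509 -noout -fingerprint -sha256 -in /var/opt/opscode/nginx/ca/chef_server.crt`, run on chef_server) and to confirm the certificate is valid for the host named in chef_server_url. The Ruby below is an added example written for this page, not code from knife or Chef: it performs those checks on a PEM file, and generates a self-signed certificate at run time as a stand-in for the server's (the subject fields copy the issuer data knife printed above; the 365-day lifetime and the hypothetical intercepting certificate are assumptions).

```ruby
require 'openssl'

# Host part of chef_server_url in knife.rb (value from the guide).
CHEF_SERVER_HOST = 'chef_server'

# SHA-256 fingerprint of a PEM certificate in the colon-separated form that
# `openssl x509 -noout -fingerprint -sha256` prints, so both can be compared by eye.
def cert_fingerprint(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  OpenSSL::Digest.new('SHA256', cert.to_der).hexdigest.upcase.scan(/../).join(':')
end

# Verify a certificate that `knife ssl fetch` dropped into trusted_certs/.
#   fetched_pem          - contents of .chef/trusted_certs/chef_server.crt
#   expected_fingerprint - fingerprint read off the server itself, out of band
#   host                 - hostname used in chef_server_url
# Returns an array of problems; an empty array means the file can be trusted.
def verify_fetched_cert(fetched_pem, expected_fingerprint, host, now = Time.now)
  cert = OpenSSL::X509::Certificate.new(fetched_pem)
  problems = []

  actual = cert_fingerprint(fetched_pem)
  unless actual == expected_fingerprint.upcase
    problems << "fingerprint mismatch: fetched #{actual}, server has #{expected_fingerprint}"
  end

  # Same hostname matching OpenSSL applies at connect time (SAN first, then CN).
  unless OpenSSL::SSL.verify_certificate_identity(cert, host)
    problems << "certificate subject #{cert.subject} is not valid for host #{host}"
  end

  problems << "certificate not valid before #{cert.not_before}" if now < cert.not_before
  problems << "certificate expired on #{cert.not_after}" if now > cert.not_after
  problems
end

# Constructed stand-in for the certificate chef-server-ctl reconfigure generates
# (self-signed, subject copied from the issuer data `knife ssl check` printed).
def make_self_signed(cn, days = 365)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/C=US/O=YouCorp/OU=Operations/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + days * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  server_pem = make_self_signed(CHEF_SERVER_HOST)   # what chef_server really serves
  reference  = cert_fingerprint(server_pem)         # fingerprint taken on the server
  puts "server fingerprint: #{reference}"

  # Honest fetch: the same certificate arrives on the workstation.
  genuine = verify_fetched_cert(server_pem, reference, CHEF_SERVER_HOST)
  puts "fetched genuine cert: #{genuine.empty? ? 'trusted' : 'REJECTED'}"

  # Hypothetical interception: a different self-signed cert answered on port 443.
  mitm_pem = make_self_signed('attacker.example')
  verify_fetched_cert(mitm_pem, reference, CHEF_SERVER_HOST).each { |p| puts "fetched intercepted cert: #{p}" }
end
```

    In use, read fetched_pem from /root/chef-repo/.chef/trusted_certs/chef_server.crt and type the expected fingerprint in from the server console; a mismatch means the file knife stored must be deleted, not used.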

    4.12 Verify the client connection

    [root@chef_workstation chef-repo]# knife client list

    chef-validator

    The only client so far is the organization's validator, chef-validator; knife can now authenticate to the server as admin over the verified TLS connection.

    5. Configure the Chef client node

    Bootstrapping a node installs chef-client on the target machine, registers it with the Chef server and performs the first chef-client run. From the workstation, you bootstrap over SSH either as the node's root user or as a user with sudo privileges:

    [root@chef_workstation .chef]# knife bootstrap chefnode-1 -x root -P password --sudo

    Important options:

    -x: the SSH user name
    -P: the SSH password (it ends up in the shell history and the process list; prefer -i)
    -i: the SSH identity file (private key) to authenticate with instead of a password
    -p: the SSH port
    -N: the chef-client node name; if omitted, the node's hostname is used

    Because chef-validator.pem is present in .chef, knife registers the node with the shared validator key (the "old-style registration" in the output below). If you delete the validator key from the workstation, knife instead creates the node's client identity with your own admin credentials, which is the mode Chef recommends and means the organization-wide validator key never has to leave the server.

    [root@chef_workstation .chef]# knife bootstrap chefnode-1 -x root -P password --sudo

    Doing old-style registration with the validation key at /root/chef-repo/.chef/chef-validator.pem...

    Delete your validation key in order to use your user credentials instead

    Connecting to chefnode-1

    chefnode-1 -----> Existing Chef installation detected

    chefnode-1 Starting the first Chef Client run...

    chefnode-1 Starting Chef Client, version 13.1.31

    chefnode-1 Creating a new client identity for chefnode-1 using the validator key.

    chefnode-1 resolving cookbooks for run list: []

    chefnode-1 Synchronizing Cookbooks:

    chefnode-1 Installing Cookbook Gems:

    chefnode-1 Compiling Cookbooks...

    chefnode-1 [2017-06-16T03:07:47+08:00] WARN: Node chefnode-1 has an empty run list.

    chefnode-1 Converging 0 resources

    chefnode-1

    chefnode-1 Running handlers:

    chefnode-1 Running handlers complete

    chefnode-1 Chef Client finished, 0/0 resources updated in 02 seconds

    [root@chef_workstation .chef]# knife node list

    chefnode-1

    [root@chef_workstation .chef]# knife client show chefnode-1

    admin:     false

    chef_type: client

    name:      chefnode-1

    validator: false

    6. Create a simple Chef cookbook

    Create a cookbook named test_cookbook:

    [root@chef_workstation ~]# cd ~/chef-repo/cookbooks/

    [root@chef_workstation cookbooks]# chef generate cookbook test_cookbook

    Generating cookbook test_cookbook

    - Ensuring correct cookbook file content

    - Ensuring delivery configuration

    - Ensuring correct delivery build cookbook content

    Your cookbook is ready. Type `cd test_cookbook` to enter it.

    There are several commands you can run to get started locally developing and testing your cookbook.

    Type `delivery local --help` to see a full list.

    Why not start by writing a test? Tests for the default recipe are stored at:

    test/smoke/default/default_test.rb

    If you'd prefer to dive right in, the default recipe can be found at:

    recipes/default.rb

                               

    Edit the default recipe, recipes/default.rb, inside the new cookbook (the prompt below is in test_cookbook/recipes):

    [root@chef_workstation recipes]# vim default.rb

    #
    # Cookbook:: test_cookbook
    # Recipe:: default
    #
    # Copyright:: 2017, The Authors, All Rights Reserved.
    #

    # Copy /etc/hosts into /root. An execute resource is not idempotent by itself
    # and would rerun the command on every chef-client run, so `creates` guards it:
    # once /root/hosts exists the resource is skipped as up to date.
    execute 'cp_file' do
      command 'cp /etc/hosts /root'
      creates '/root/hosts'
      ignore_failure true
    end

    Upload the cookbook:

    Once the cookbook is ready, upload it to the Chef server:

    [root@chef_workstation cookbooks]# knife cookbook upload test_cookbook

    Uploading test_cookbook [0.1.0]

    Uploaded 1 cookbook.

    Check that the cookbook and its version are on the server:

    [root@chef_workstation cookbooks]# knife cookbook list

    test_cookbook   0.1.0

    Add the cookbook to your node:

    Add the cookbook's default recipe to the run_list of a particular node with the following command:

    [root@chef_workstation cookbooks]# knife node run_list add chefnode-1 test_cookbook

    chefnode-1:

      run_list: recipe[test_cookbook]

    Run chef-client on the node to converge it against its run list:

    [root@chefnode-1 ~]# chef-client

    Starting Chef Client, version 13.1.31

    resolving cookbooks for run list: ["test_cookbook"]

    Synchronizing Cookbooks:

      - test_cookbook (0.1.0)

    Installing Cookbook Gems:

    Compiling Cookbooks...

    Converging 1 resources

    Recipe: test_cookbook::default

      * execute[cp_file] action run

        - execute cp /etc/hosts /root

    Running handlers:

    Running handlers complete

    Chef Client finished, 1/1 resources updated in 02 seconds

    Verify the result:

    [root@chefnode-1 ~]# ls

    anaconda-ks.cfg    hosts

    Resources reference: https://docs.chef.io/resources.html

    Original article: https://www.cnblogs.com/horizonli/p/7462708.html