I. Introduction:
To get acquainted with Chef, first take a look at the DevOps movement (http://zh.wikipedia.org/wiki/DevOps). In short: traditional software organizations keep development, IT operations and quality assurance as separate departments, whereas the DevOps movement grew out of the industry's increasingly clear realization that, to deliver software products and services on time, development and operations have to work closely together.
So, simply put, Chef is one of the important tools of the DevOps movement: a centralized management tool aimed at both developers and operators.
Among tools for centralized server management, the one whose reputation rivals Chef's is called "Puppet"; they are the two best-known open-source projects in this space.
Imagine we need to set up a MySQL database slave server and do the installation by hand. Not long afterwards a second one is needed, and we think: if we had written the commands from the first installation into a script, installing the second would just mean running it, saving time and making mistakes less likely.
Chef is essentially such a script-management tool, only far more powerful and customizable: Chef turns those commands into code, customizing means editing that code, and installing means executing it. By analogy, Chef is like a toy factory that turns raw materials into finished toys: it has templates, you feed in the materials, pick a template (say, Shrek) and out comes that toy. Server configuration works the same way: you give an unconfigured server a template (a role or a recipe) and Chef turns it into the production server you want.
Chef manages all the machines to be configured in a server/client model, and using it involves at least three machines:
a development machine (the workstation), where the recipes for the meal are written;
a Chef server, which manages every Chef client to be configured and hands out their configuration;
one or more Chef clients (nodes), the meals that get cooked.
OS: CentOS-6.3-x86-64
CHEF: chef-server-11.0.12-1.el6.x86_64
Server: 10.107.91.251 (chef.example.com)
Workstation: 10.107.91.251 (chef.example.com) (the same host as the server in this example)
Node: 10.107.91.252 (node1.example.com)
II. Preparation (on both chef.example.com and node1.example.com):
1. Stop iptables
# service iptables stop
2. Disable SELinux
# setenforce 0
# vi /etc/sysconfig/selinux
---------------
SELINUX=disabled
---------------
Note: steps 1 and 2 are lab shortcuts. On a production server keep iptables running and open only the port the Chef server needs (443, see the firewall note in section III) plus SSH, and prefer SELinux permissive mode over disabling it outright, so that denials are still logged.
3. Synchronize the clocks (important)
# ntpdate asia.pool.ntp.org
# hwclock -w
Note: every chef-client and knife request to the server is signed together with a timestamp, and the server rejects requests whose timestamp is more than about 15 minutes off its own clock (an authentication failure, HTTP 401). Clock skew between workstation, server and nodes therefore shows up as puzzling authentication errors.
4. Install a Ruby environment:
See: https://www.jb51.net/article/54981.htm
(The Chef packages bundle their own Ruby under /opt/chef/embedded, so this step is optional; see V.5.)
III. Installing chef-server (chef.example.com):
1. Download the chef-server package
Open http://www.opscode.com/chef/install, click the Chef Server tab and pick the version to download,
or fetch version 11.0.12 from the terminal:
# wget -c --no-check-certificate https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-server-11.0.12-1.el6.x86_64.rpm
Note: --no-check-certificate turns off TLS certificate verification for the download. Drop it unless wget fails because the CA bundle on CentOS 6.3 cannot verify the S3 certificate, and in that case update the ca-certificates package rather than skip verification; an unverified download is exactly how a tampered package gets onto the server.
2. Install chef-server
In a terminal, cd to the directory holding the package and run:
# rpm -ivh chef-server-11.0.12-1.el6.x86_64.rpm
Note: substitute the name of the package you actually downloaded.
3. Set the local FQDN:
1) First set the host's hostname
# vi /etc/sysconfig/network
———————-———————-———————-———————-
HOSTNAME=chef.example.com
———————-———————-———————-———————-
2) Edit the local hosts file and add the FQDNs of the server and the node
# echo "10.107.91.251 chef.example.com" >> /etc/hosts
# echo "10.107.91.252 node1.example.com" >> /etc/hosts
Reboot, log in and verify:
# hostname -f
———————-———————-———————-———————-
chef.example.com
———————-———————-———————-———————-
4. Configure chef-server
Run the following command to configure chef-server:
# chef-server-ctl reconfigure
Note: chef-server 10.x listens on port 4000 by default; chef-server 11.x listens on 443.
So if the firewall is enabled on a production box, open port 443:
# iptables -I INPUT -p tcp --dport 443 -j ACCEPT
# service iptables save
Now open https://10.107.91.251 in a browser and log in with:
username: admin
password: p@ssw0rd1
to reach the chef-server web UI.
Note: p@ssw0rd1 is the well-known default password shipped with every Chef Server 11 install; change it at first login, because otherwise anyone who can reach port 443 can administer the server. The browser will also warn about the certificate, because the installer generates a self-signed one.
IV. Installing the chef-workstation (chef.example.com):
1. Install chef-client
Open http://www.opscode.com/chef/install, click the Chef Client tab and pick the version to download.
This example uses 11.12.4-1:
# wget -c --no-check-certificate https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-11.12.4-1.el6.x86_64.rpm
# rpm -ivh chef-11.12.4-1.el6.x86_64.rpm
2. Install and configure git
1) Install git with yum:
# yum -y install git
2) Go to root's home directory and clone the chef repository (the git:// protocol has no transport authentication, so nothing verifies who you are cloning from; GitHub also serves the repository over https)
# su -
# cd ~
# git clone git://github.com/opscode/chef-repo.git
————————————————————————————————————————————————————————————
Initialized empty Git repository in /root/chef-repo/.git/
remote: Reusing existing pack: 223, done.
remote: Total 223 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (223/223), 45.77 KiB | 37 KiB/s, done.
Resolving deltas: 100% (57/57), done.
————————————————————————————————————————————————————————————
3. Configure the chef-workstation
Run knife configure -i; the dialogue is shown below (only the chef repository path, /root/chef-repo, needs typing; accept the defaults for everything else):
# knife configure --initial
————————————————————————————————————————————————————————————
WARNING: No knife configuration file found
Where should I put the config file? [/root/.chef/knife.rb]
Please enter the chef server URL: [https://chef.example.com:443]
Please enter a name for the new user: [root]
Please enter the existing admin name: [admin]
Please enter the location of the existing admin's private key: [/etc/chef-server/admin.pem]
Please enter the validation clientname: [chef-validator]
Please enter the location of the validation key: [/etc/chef-server/chef-validator.pem]
Please enter the path to a chef repository (or leave blank): /root/chef-repo
Creating initial API user...
Please enter a password for the new user: 123456
注:這里輸入API user密碼(后面要使用)
Created user[root]
Configuration file written to /root/.chef/knife.rb
————————————————————————————————————————————————————————————
Note: if the prompt "Please enter a name for the new user: [root]" never appears, check that port 443 on the chef-server is reachable.
V. Configuring a chef-workstation that is not on the same server as chef-server
(In this example the server and workstation share one host; skip this part unless you need it.)
1. Add the chef-server's name to the workstation's hosts file
# echo "10.107.91.251 chef.example.com" >>/etc/hosts
2. On the workstation create /root/.chef and copy /etc/chef-server/admin.pem and /etc/chef-server/chef-validator.pem from the chef server into it
# mkdir ~/.chef
# scp chef.example.com:/etc/chef-server/admin.pem ~/.chef
# scp chef.example.com:/etc/chef-server/chef-validator.pem ~/.chef
3. Run knife configure -i to initialize, then delete ~/.chef/admin.pem
# knife configure --initial
# rm ~/.chef/admin.pem
Note: admin.pem is the server's admin private key and grants full control of the Chef server. It is needed only to create the workstation's own API user, which is why it is deleted right afterwards; copy it over an authenticated channel (scp, as above) and leave no stray copies.
4. The knife configure dialogue:
1) change the server URL to the chef server's address, https://chef.example.com:443,
2) change the admin's private key path to /root/.chef/admin.pem,
3) change the validation key path to /root/.chef/chef-validator.pem,
4) enter /root/chef-repo as the chef repository and keep the defaults for the rest.
# knife configure --initial
————————————————————————————————————————————————————————————
Overwrite /root/.chef/knife.rb? (Y/N) Y
Please enter the chef server URL: [https://workstation:443] https://chef.example.com:443
Please enter a name for the new user: [root]
Please enter the existing admin name: [admin]
Please enter the location of the existing admin's private key: [/etc/chef-server/admin.pem] /root/.chef/admin.pem
Please enter the validation clientname: [chef-validator]
Please enter the location of the validation key: [/etc/chef-server/chef-validator.pem] /root/.chef/chef-validator.pem
Please enter the path to a chef repository (or leave blank): /root/chef-repo
Creating initial API user...
Please enter a password for the new user: 123456
注:這里輸入API user密碼(后面要使用)
Created user[root]
Configuration file written to /root/.chef/knife.rb
————————————————————————————————————————————————————————————
5. Set the Ruby path (Ruby was already installed earlier, so this can be skipped)
Chef bundles a stable Ruby of its own; adjust PATH so that the bundled Ruby is found first.
# echo 'export PATH="/opt/chef/embedded/bin:$PATH"' >> ~/.bash_profile
# source ~/.bash_profile
VI. Verifying the chef-workstation
If knife client list returns the list of clients, the configuration works.
# knife client list
——————————————————
chef-validator
chef-webui
——————————————————
VII. Configuring the chef-node (node1.example.com)
The node is the server that chef-server configures and manages.
1. Install chef-client
Open http://www.opscode.com/chef/install, click the Chef Client tab and pick the version to download.
This example uses 11.12.4-1:
# wget -c --no-check-certificate https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-11.12.4-1.el6.x86_64.rpm
# rpm -ivh chef-11.12.4-1.el6.x86_64.rpm
2. Set the local FQDN:
1) First set the host's hostname
# vi /etc/sysconfig/network
———————-———————-———————-———————-
HOSTNAME=node1.example.com
———————-———————-———————-———————-
2) Edit the local hosts file and add the FQDNs of this host and of the server
# echo "10.107.91.251 chef.example.com" >> /etc/hosts
# echo "10.107.91.252 node1.example.com" >> /etc/hosts
Reboot, log in and verify:
# hostname -f
———————-———————-———————-———————-
node1.example.com
———————-———————-———————-———————-
3. On the chef-workstation, run the following command to add and configure the node
# knife bootstrap node1.example.com -x root -P 123456
Note: the password here is the root password of node1's operating system. Passing it with -P leaves it in the shell history and, while knife runs, in the process list; outside a lab use SSH key authentication instead (knife bootstrap accepts -i IDENTITY_FILE) and a non-root user with sudo (--sudo).
The chef-workstation connects to node1 (10.107.91.252) over ssh and runs the bootstrap script (on the workstation: /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.4/lib/chef/knife/bootstrap/chef-full.erb for the 11.12.4 package installed above); a custom bootstrap template can be used to give the node its initial configuration. Bootstrapping also copies the validation key (chef-validator.pem) to the node as /etc/chef/validation.pem, which chef-client uses once to register itself and obtain its own client.pem.
node1 then downloads https://www.opscode.com/chef/install.sh. The script detects the OS type and downloads and installs the matching Chef version over the network (slow). Pre-installing chef on the node (see the workstation chef install section) skips that script, and also avoids running a freshly downloaded script as root on the node.
———————-———————-———————-———————-—-———————-—-———————-
Connecting to node1.example.com
node1.example.com Starting first Chef Client run...
node1.example.com [2014-05-08T15:53:22+08:00] WARN:
node1.example.com * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
node1.example.com SSL validation of HTTPS requests is disabled. HTTPS connections are still
node1.example.com encrypted, but chef is not able to detect forged replies or man in the middle
node1.example.com attacks.
node1.example.com
node1.example.com To fix this issue add an entry like this to your configuration file:
node1.example.com
node1.example.com ```
node1.example.com # Verify all HTTPS connections (recommended)
node1.example.com ssl_verify_mode :verify_peer
node1.example.com
node1.example.com # OR, Verify only connections to chef-server
node1.example.com verify_api_cert true
node1.example.com ```
node1.example.com
node1.example.com To check your SSL configuration, or troubleshoot errors, you can use the
node1.example.com `knife ssl check` command like so:
node1.example.com
node1.example.com ```
node1.example.com knife ssl check -c /etc/chef/client.rb
node1.example.com ```
node1.example.com
node1.example.com * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
node1.example.com
node1.example.com Starting Chef Client, version 11.12.4
node1.example.com Creating a new client identity for node1.example.com using the validator key.
node1.example.com resolving cookbooks for run list: []
node1.example.com Synchronizing Cookbooks:
node1.example.com Compiling Cookbooks...
node1.example.com [2014-05-08T15:53:25+08:00] WARN: Node node1.example.com has an empty run list.
node1.example.com Converging 0 resources
node1.example.com
node1.example.com Running handlers:
node1.example.com Running handlers complete
node1.example.com
node1.example.com Chef Client finished, 0/0 resources updated in 2.393659851 seconds
———————-———————-———————-———————-—-———————-—-———————-
Check that node1 connected successfully:
# knife node list
———————-———————-———————
node1
———————-———————-———————
This shows that node1 has registered with the chef-server; the whole chain chef-workstation => chef-server => chef-client-1 is now in place.
VIII. Logging in to the server web UI
1. Edit the hosts file on the machine running the browser (the author uses a Mac here)
# vi /etc/hosts
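How the registration just observed works, as an added example (not Chef's own code, and not wire-compatible with a real chef-server): chef-client authenticates every API request by signing it with its RSA private key, validation.pem on the very first run and client.pem afterwards, and the server checks the signature against the public key it stores for that client name, the hash of the request body, and the timestamp, which is why II.3 insisted on synchronized clocks. The keys, client names and request path below are constructed; the canonical-string layout follows Chef's 1.0 signing protocol, but the signature is RSA-SHA256 via OpenSSL::PKey#sign rather than the raw RSA operation the real protocol uses.

```ruby
require 'openssl'
require 'base64'
require 'time'

# Constructed keys: NODE1_KEY stands in for node1's /etc/chef/client.pem,
# ATTACKER_KEY is a key the server has never seen.
NODE1_KEY = OpenSSL::PKey::RSA.new(2048)
ATTACKER_KEY = OpenSSL::PKey::RSA.new(2048)
# What chef-server keeps after registration: client name -> public key only.
SERVER_REGISTRY = { 'node1.example.com' => NODE1_KEY.public_key }

def b64(bytes) Base64.strict_encode64(bytes) end
def sha1_b64(str) b64(OpenSSL::Digest.digest('SHA1', str)) end

# The string both sides sign/verify; binds method, path, body, time and client name.
def canonical_request(method, path, body, timestamp, user_id)
  ["Method:#{method.upcase}",
   "Hashed Path:#{sha1_b64(path)}",
   "X-Ops-Content-Hash:#{sha1_b64(body)}",
   "X-Ops-Timestamp:#{timestamp}",
   "X-Ops-UserId:#{user_id}"].join("\n")
end

# Client side (chef-client / knife): sign with the private key from client.pem.
def sign_request(private_key, user_id, method, path, body, now = Time.now.utc)
  timestamp = now.utc.iso8601
  canon = canonical_request(method, path, body, timestamp, user_id)
  signature = b64(private_key.sign(OpenSSL::Digest.new('SHA256'), canon))
  headers = {
    'X-Ops-Sign' => 'version=1.0',
    'X-Ops-UserId' => user_id,
    'X-Ops-Timestamp' => timestamp,
    'X-Ops-Content-Hash' => sha1_b64(body),
  }
  # The base64 signature is carried in 60-character X-Ops-Authorization-N headers.
  signature.scan(/.{1,60}/).each_with_index { |chunk, i| headers["X-Ops-Authorization-#{i + 1}"] = chunk }
  headers
end

# Server side: known client?  fresh timestamp?  body untouched?  signature valid?
def verify_request(registry, headers, method, path, body, now = Time.now.utc, max_skew = 900)
  user = headers['X-Ops-UserId']
  pub = registry[user]
  return [false, 'unknown client'] unless pub
  ts = Time.iso8601(headers['X-Ops-Timestamp'])
  return [false, 'clock skew'] if (now - ts).abs > max_skew      # the 15-minute window
  return [false, 'content hash mismatch'] unless headers['X-Ops-Content-Hash'] == sha1_b64(body)
  sig_b64 = headers.select { |k, _| k.start_with?('X-Ops-Authorization-') }
                   .sort_by { |k, _| k.split('-').last.to_i }
                   .map { |_, v| v }.join
  canon = canonical_request(method, path, body, headers['X-Ops-Timestamp'], user)
  ok = pub.verify(OpenSSL::Digest.new('SHA256'), Base64.strict_decode64(sig_b64), canon)
  [ok, ok ? 'ok' : 'bad signature']
end

# Constructed scenarios: a legitimate run, a node with a clock an hour off,
# an attacker impersonating node1 without its key, an unregistered name, and
# a captured request replayed against a different path.
def scenarios
  path, body = '/nodes/node1.example.com', ''
  good = sign_request(NODE1_KEY, 'node1.example.com', 'GET', path, body)
  stale = sign_request(NODE1_KEY, 'node1.example.com', 'GET', path, body, Time.now.utc - 3600)
  forged = sign_request(ATTACKER_KEY, 'node1.example.com', 'GET', path, body)
  unknown = sign_request(ATTACKER_KEY, 'evil.example.com', 'GET', path, body)
  {
    good: verify_request(SERVER_REGISTRY, good, 'GET', path, body),
    stale: verify_request(SERVER_REGISTRY, stale, 'GET', path, body),
    forged: verify_request(SERVER_REGISTRY, forged, 'GET', path, body),
    unknown: verify_request(SERVER_REGISTRY, unknown, 'GET', path, body),
    replayed: verify_request(SERVER_REGISTRY, good, 'GET', '/nodes/node2.example.com', body),
  }
end
```

The takeaway for the key files on this page: whoever holds client.pem can act as that node, whoever holds validation.pem can register any number of new clients, and whoever holds admin.pem can do anything; none of them is protected by a password, only by file permissions and by not copying them around.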
———————-———————-———————
10.107.91.251 chef.example.com
10.107.91.252 node1.example.com
———————-———————-———————
2. Browse to https://chef.example.com
As shown in the screenshot:
IX. Creating an example cookbook
1. The chef repository (chef.example.com)
Note: the chef repository is the directory structure that holds cookbooks and other files. It was already cloned from GitHub into /root/chef-repo in IV.2; if that step was skipped, run the same git clone now.
The cloned directory looks like this:
# ls
——————————————————————————————————
Desktop Downloads Pictures Templates anaconda-ks.cfg install.log src
Documents Music Public Videos chef-repo install.log.syslog
——————————————————————————————————
# cd chef-repo/
# ls
——————————————————————————————————
LICENSE Rakefile chefignore cookbooks environments
README.md certificates config data_bags roles
——————————————————————————————————
2.創(chuàng)建一個(gè)cookbook,取名quick_start (chef.example.com)
注:需要切換到之前clone獲取到的目錄的cookbooks目錄下
# cd ~/chef-repo/cookbooks
# knife cookbook create quick_start -o ./
——————————————————————————————————
** Creating cookbook quick_start
** Creating README for cookbook: quick_start
** Creating CHANGELOG for cookbook: quick_start
** Creating metadata for cookbook: quick_start
——————————————————————————————————
創(chuàng)建的cookbooks目錄如下
# # ls -1p quick_start
—————————————
CHANGELOG.md
README.md
attributes/
definitions/
files/
libraries/
metadata.rb
providers/
recipes/
resources/
templates/
—————————————
Note: cookbooks are Chef's unit of distribution and sharing; most basic examples you build will need one.
This cookbook example is a simple recipe that delivers to node1 a small text file containing some predefined attribute values.
3. Create an attribute file named "quick_start.rb" (chef.example.com)
# vi ~/chef-repo/cookbooks/quick_start/attributes/quick_start.rb
——————————————————————————
# read by recipes/default.rb as node[:deep_thought]
normal[:deep_thought] = "If a tree falls in the forest ..."
——————————————————————————
Note: an attribute file in a cookbook defines configuration values on the node, which the recipes can then read (here as node[:deep_thought]). Chef has several attribute precedence levels: normal, used above, is saved on the node and persists between runs, whereas default, the usual choice in a cookbook attribute file, is recomputed on every run.
4. Create the default recipe, which renders a source template (chef.example.com)
# vi ~/chef-repo/cookbooks/quick_start/recipes/default.rb
——————————————————————————
# Render templates/default/deep_thought.txt.erb to /tmp/deep_thought.txt on the node
template "/tmp/deep_thought.txt" do
  source "deep_thought.txt.erb"
  # each key becomes an instance variable in the template (@deep_thought)
  variables :deep_thought => node[:deep_thought]
  action :create
end
——————————————————————————
Note: recipes let you manage specific resources. In this example the default recipe of the quick_start cookbook (quick_start::default) contains a single resource, the template "/tmp/deep_thought.txt". As written it sets neither owner nor mode, so the file is created with root's umask; the template resource also accepts owner, group and mode attributes, which matter as soon as a rendered file holds anything sensitive.
5. Create the template file (chef.example.com)
Note: this file receives the attribute passed by the recipe and is rendered by chef-client on the target node
# vi ~/chef-repo/cookbooks/quick_start/templates/default/deep_thought.txt.erb
——————————————————————————
Today's deep thought: <%= @deep_thought %>
——————————————————————————
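What chef-client will do with these three files, as an added example in plain Ruby (not Chef's code): it renders the ERB with the recipe's variables exposed as instance variables, compares the SHA-256 of the result with the file already on disk, and writes only when they differ, which is what makes a second run leave the file alone. The short checksums it returns are the same first-six-hex-digit form chef-client logs ("from none to feb62f"). The attribute value and template text are copied from the cookbook above; the mode parameter is an assumption of this example, since the recipe on this page sets no mode and so gets root's umask default.

```ruby
require 'erb'
require 'digest'
require 'tmpdir'

# Constructed stand-ins for attributes/quick_start.rb and deep_thought.txt.erb
NODE_ATTRIBUTES = { deep_thought: 'If a tree falls in the forest ...' }
DEEP_THOUGHT_ERB = "Today's deep thought: <%= @deep_thought %>\n"

# Minimal model of Chef's template resource: render, compare checksums, write if changed.
class TemplateResource
  attr_reader :path, :updated

  # variables: the hash the recipe passes; mode: explicit file mode (assumed 0644 here)
  def initialize(path, source, variables, mode: 0644)
    @path, @source, @variables, @mode = path, source, variables, mode
    @updated = false
  end

  # Each variable becomes an instance variable of the render scope, so the
  # template can say <%= @deep_thought %>. The template itself is Ruby code
  # executed with chef-client's privileges; only the values are data.
  def render
    scope = Object.new
    @variables.each { |name, value| scope.instance_variable_set("@#{name}", value) }
    ERB.new(@source).result(scope.instance_eval { binding })
  end

  # action :create. Returns [old_short_checksum, new_short_checksum], with
  # 'none' when the file did not exist, as chef-client's log line does.
  def action_create
    content = render
    new_sum = Digest::SHA256.hexdigest(content)
    old_sum = File.exist?(@path) ? Digest::SHA256.file(@path).hexdigest : nil
    if old_sum == new_sum
      @updated = false                                  # already converged
    else
      tmp = "#{@path}.chef-rendered-#{Process.pid}"     # render aside, then rename into place
      File.write(tmp, content)
      File.chmod(@mode, tmp)
      File.rename(tmp, @path)
      @updated = true
    end
    [old_sum ? old_sum[0, 6] : 'none', new_sum[0, 6]]
  end
end

# Two consecutive runs, like two chef-client runs: the first creates the file,
# the second finds it converged and reports nothing updated.
def converge_twice(dir = Dir.mktmpdir('quick_start'))
  path = File.join(dir, 'deep_thought.txt')
  resource = TemplateResource.new(path, DEEP_THOUGHT_ERB,
                                  { deep_thought: NODE_ATTRIBUTES[:deep_thought] })
  first = resource.action_create
  first_updated = resource.updated
  second = resource.action_create
  {
    content: File.read(path),
    mode: File.stat(path).mode & 0777,
    first_run: first, first_updated: first_updated,
    second_run: second, second_updated: resource.updated
  }
end
```

The checksum comparison is what gives Chef its idempotence: editing the attribute, the template or the recipe changes the rendered bytes and triggers a rewrite on the next run, while an unchanged cookbook converges with no write at all.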
6. Upload the cookbook to the server (chef.example.com)
# cd ~/chef-repo/cookbooks/
# ls
——————————————————————————
README.md quick_start
——————————————————————————
# knife cookbook upload -a -o ./
——————————————————————————
Uploading quick_start [0.1.0]
Uploaded all cookbooks.
——————————————————————————
確認(rèn)你剛上傳的cookbook
# knife cookbook list
——————————————————————————
quick_start 0.1.0
——————————————————————————
7. Add the quick_start recipe to the node's run list (chef.example.com)
# knife node run_list add node1.example.com 'recipe[quick_start]'
——————————————————————————
node1.example.com:
run_list: recipe[quick_start]
——————————————————————————
Check the recipe that was added:
# knife node show node1.example.com -r
——————————————————————————
node1.example.com:
run_list: recipe[quick_start]
——————————————————————————
8. Run chef-client on the node to fetch and apply the recipe from the server (node1.example.com)
Note: make sure /etc/chef contains the key files client.pem and validation.pem; if not, recheck the earlier steps. Both are private keys: client.pem is this node's own identity, while validation.pem is the shared validator key that lets any holder register new clients with the server. Once client.pem exists (it was created during the bootstrap in VII.3), validation.pem is no longer needed on the node and should be deleted from it.
# chef-client
————————————————————————————————————
[2014-05-08T23:55:33+08:00] WARN:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
SSL validation of HTTPS requests is disabled. HTTPS connections are still
encrypted, but chef is not able to detect forged replies or man in the middle
attacks.
To fix this issue add an entry like this to your configuration file:
```
# Verify all HTTPS connections (recommended)
ssl_verify_mode :verify_peer
# OR, Verify only connections to chef-server
verify_api_cert true
```
To check your SSL configuration, or troubleshoot errors, you can use the
`knife ssl check` command like so:
```
knife ssl check -c /etc/chef/client.rb
```
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Starting Chef Client, version 11.12.4
resolving cookbooks for run list: ["quick_start"]
Synchronizing Cookbooks:
- quick_start
Compiling Cookbooks...
Converging 1 resources
Recipe: quick_start::default
* template[/tmp/deep_thought.txt] action create
- create new file /tmp/deep_thought.txt
- update content in file /tmp/deep_thought.txt from none to feb62f
--- /tmp/deep_thought.txt 2014-05-08 23:55:43.098408727 +0800
+++ /tmp/chef-rendered-template20140508-8171-11cxwpb 2014-05-08 23:55:43.099454345 +0800
@@ -1 +1,2 @@
+Today's deep thought: If a tree falls in the forest ...
Running handlers:
Running handlers complete
Chef Client finished, 1/1 resources updated in 9.915108372 seconds
————————————————————————————————————
After the run, /tmp/deep_thought.txt has been created on the node: the server has distributed a file to the node.
# vi /tmp/deep_thought.txt
————————————————————————————————————
Today's deep thought: If a tree falls in the forest ...
————————————————————————————————————
Note on the warning: the SSL warning in both runs above means chef-client encrypts its connection to chef-server but does not verify the server's certificate (ssl_verify_mode defaults to :verify_none in this version), so anyone who can intercept traffic between node and server could feed the node forged cookbooks, which chef-client then runs as root. The fix is the one the warning spells out: on the node, fetch the server's self-signed certificate into the trusted certificates directory with knife ssl fetch, set ssl_verify_mode :verify_peer in /etc/chef/client.rb, and confirm with knife ssl check -c /etc/chef/client.rb; do the same in knife.rb on the workstation.
All done....
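What the repeated SSL warning is about, as an added example that is not part of the original page or of Chef: with ssl_verify_mode :verify_none the TLS session is encrypted but any certificate is accepted, so whoever answers on port 443 can impersonate chef.example.com; with :verify_peer chef-client accepts only a certificate that chains to one in its trusted_certs directory (where knife ssl fetch stores the server's self-signed certificate) and whose name matches the host it connected to. All certificates below are generated in memory, and the trusted_certs directory is modelled as an array of PEM strings.

```ruby
require 'openssl'

# Build a self-signed certificate for `cn`, as the chef-server installer does
# for its own host (constructed here; 1-hour validity is enough for the demo).
def self_signed_cert(cn, key, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The genuine chef-server certificate, and the copy of it that `knife ssl fetch`
# would have saved under trusted_certs (modelled as PEM strings).
CHEF_SERVER_CERT = self_signed_cert('chef.example.com', OpenSSL::PKey::RSA.new(2048), 1)
TRUSTED_CERTS = [CHEF_SERVER_CERT.to_pem]
# A forged certificate for the same name that a man-in-the-middle could present.
FORGED_CERT = self_signed_cert('chef.example.com', OpenSSL::PKey::RSA.new(2048), 2)

# :verify_peer -- the presented certificate must chain to a trusted one AND
# carry the name we connected to (SAN/CN check).
def verify_peer(trusted_pems, presented_cert, hostname)
  store = OpenSSL::X509::Store.new
  trusted_pems.each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  store.verify(presented_cert) && OpenSSL::SSL.verify_certificate_identity(presented_cert, hostname)
end

# :verify_none -- what the warning describes: encrypted, but trusts whoever answers.
def verify_none(_trusted_pems, _presented_cert, _hostname)
  true
end
```

The third assertion below is the reason knife.rb on this page points at https://chef.example.com:443 rather than the IP address: once verification is on, the name in the URL has to match the certificate, and the certificate the installer generated carries the FQDN, not 10.107.91.251.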