Chef Centralized Management Tool in Practice (2): Server Configuration


Series contents
Chef Centralized Management Tool in Practice (0): What is Chef
Chef Centralized Management Tool in Practice (1): Environment Deployment
Chef Centralized Management Tool in Practice (2): Server Configuration
Chef Centralized Management Tool in Practice (3): Custom Configuration

This article
Chef Centralized Configuration Management Tool in Practice (2): Server Configuration

References
http://wiki.opscode.com/display/ChefCN/Just+Enough+Ruby+for+Chef
http://wiki.opscode.com/display/chef/Fast+Start+Guide
http://gigix.thoughtworkers.org/2011/1/30/devops
http://gigix.thoughtworkers.org/2011/2/20/chef-2-rails-server
http://gigix.thoughtworkers.org/2011/3/2/chef-3-first-cookbook
http://gigix.thoughtworkers.org/2011/3/12/devops-readings

Environment
OS: Ubuntu 10.10 Server 64-bit
Servers:
chef-server:10.6.1.170
chef-workstation:10.6.1.171
chef-client-1:10.6.1.172

1. Where we start
In the previous two parts we learned what Chef is and successfully deployed the whole environment. But what Chef can concretely do, and which concrete functions it can deliver, is still rather foggy.
In this part we deepen that understanding by using Chef to centrally manage user accounts and the SSH server.

Earlier, when we introduced cookbooks, we said "some excellent chefs have already written many recipes, and these are what I want to learn from and copy." What that really means is that the Chef community already offers many official cookbooks, plus cookbooks written by excellent community members, for download; we only need to read their README files to start using them quickly and conveniently. That is what this part covers.

And "once my skills are practised, I will write my own dishes and recipes to create my own feast" really means that, once I am familiar with using other people's cookbooks, I can borrow from them and write cookbooks that suit me, to apply custom, site-specific management to my own servers that may not apply in other environments. That is what the next part covers.

2. How to begin
First, let us be clear about the task at hand: "use Chef to configure user accounts and the SSH server".

Next, we can log in to the official Chef community site http://community.opscode.com/cookbooks and search whether a relevant cookbook already exists.
After searching, we can confirm that the following cookbooks will help us complete the task:
1) User accounts: user
2) SSH Server: openssh

ubuntu@chef-workstation:~$ cd /opt/chef-local/
View the knife configuration
ubuntu@chef-workstation:/opt/chef-local$ cat .chef/knife.rb

log_level                :info
log_location             STDOUT
node_name                'chef-workstation'
client_key               '/opt/chef-local/.chef/chef-workstation.pem'
validation_client_name   'chef-validator'
validation_key           '/opt/chef-local/chef/validation.pem'
chef_server_url          'http://chef-server:4000'
cache_type               'BasicFile'
cache_options( :path => '/opt/chef-local/.chef/checksums' )
cookbook_path [ '/opt/chef-local/cookbooks' ]

2.1 First, deploy the user cookbook and use it to manage accounts
Download the cookbook
ubuntu@chef-workstation:/opt/chef-local$ sudo knife cookbook site install user

Installing user to /opt/chef-local/cookbooks
Checking out the master branch.
Creating pristine copy branch chef-vendor-user
Downloading user from the cookbooks site at version 0.3.0 to /opt/chef-local/cookbooks/user.tar.gz
Cookbook saved: /opt/chef-local/cookbooks/user.tar.gz
Removing pre-existing version.
Uncompressing user version 0.3.0.
removing downloaded tarball
1 files updated, committing changes
Creating tag cookbook-site-imported-user-0.3.0
Checking out the master branch.
Updating a3bec38..f06cc56
Fast-forward
 cookbooks/user/.gitignore                          |    2 +
 cookbooks/user/.travis.yml                         |    6 +
 cookbooks/user/CHANGELOG.md                        |   95 +++++
 cookbooks/user/README.md                           |  391 ++++++++++++++++++++
 cookbooks/user/Rakefile                            |   33 ++
 cookbooks/user/attributes/default.rb               |   42 ++
 cookbooks/user/metadata.json                       |   35 ++
 cookbooks/user/metadata.rb                         |   14 +
 cookbooks/user/providers/account.rb                |  173 +++++++++
 cookbooks/user/recipes/data_bag.rb                 |   52 +++
 cookbooks/user/recipes/default.rb                  |   18 +
 cookbooks/user/resources/account.rb                |   40 ++
 .../user/templates/default/authorized_keys.erb     |    7 +
 13 files changed, 908 insertions(+), 0 deletions(-)
 create mode 100644 cookbooks/user/.gitignore
 create mode 100644 cookbooks/user/.travis.yml
 create mode 100644 cookbooks/user/CHANGELOG.md
 create mode 100644 cookbooks/user/README.md
 create mode 100644 cookbooks/user/Rakefile
 create mode 100644 cookbooks/user/attributes/default.rb
 create mode 100644 cookbooks/user/metadata.json
 create mode 100644 cookbooks/user/metadata.rb
 create mode 100644 cookbooks/user/providers/account.rb
 create mode 100644 cookbooks/user/recipes/data_bag.rb
 create mode 100644 cookbooks/user/recipes/default.rb
 create mode 100644 cookbooks/user/resources/account.rb
 create mode 100644 cookbooks/user/templates/default/authorized_keys.erb
Cookbook user version 0.3.0 successfully installed

ubuntu@chef-workstation:/opt/chef-local$ cd cookbooks/
ubuntu@chef-workstation:/opt/chef-local/cookbooks$ ls

README.md  user

The README.md under each cookbook is very useful: it explains how to configure the cookbook and how it communicates with chef-server.
For example, after reading the user README.md we know that we need to create a data bag named users, put each user's information in it as a JSON file, and then specify the users to configure through override_attributes in the role file.

ubuntu@chef-workstation:/opt/chef-local/cookbooks$ cd user/
ubuntu@chef-workstation:/opt/chef-local/cookbooks/user$ ll

total 76
drwxr-xr-x 7 root root  4096 Nov 15 20:31 ./
drwxr-xr-x 3 root root  4096 Nov 15 20:31 ../
-rw-r--r-- 1 root root    18 Nov 15 20:31 .gitignore
-rw-r--r-- 1 root root   141 Nov 15 20:31 .travis.yml
-rw-r--r-- 1 root root  2705 Nov 15 20:31 CHANGELOG.md
-rw-r--r-- 1 root root 11753 Nov 15 20:31 README.md
-rw-r--r-- 1 root root   813 Nov 15 20:31 Rakefile
drwxr-xr-x 2 root root  4096 Nov 15 20:31 attributes/
-rw-r--r-- 1 root root 13048 Nov 15 20:31 metadata.json
-rw-r--r-- 1 root root   538 Nov 15 20:31 metadata.rb
drwxr-xr-x 2 root root  4096 Nov 15 20:31 providers/
drwxr-xr-x 2 root root  4096 Nov 15 20:31 recipes/
drwxr-xr-x 2 root root  4096 Nov 15 20:31 resources/
drwxr-xr-x 3 root root  4096 Nov 15 20:31 templates/

ubuntu@chef-workstation:/opt/chef-local/cookbooks/user$ cd recipes/
ubuntu@chef-workstation:/opt/chef-local/cookbooks/user/recipes$ ls

data_bag.rb  default.rb

dongguo@chef-workstation:/opt/chef-local/cookbooks/user/attributes$ ls

default.rb

Upload the cookbook to chef-server
ubuntu@chef-workstation:/opt/chef-local$ sudo knife cookbook upload user

Uploading user         [0.3.0]
Uploaded 1 cookbook.

Create a role
ubuntu@chef-workstation:/opt/chef-local$ cd roles/
ubuntu@chef-workstation:/opt/chef-local/roles$ sudo vim ubuntu_servers.rb

name "ubuntu_servers"
description "The base role applied to all nodes."
run_list(
    "recipe[user]",
    "recipe[user::data_bag]"
)
override_attributes(
    "users" => [ "ubuntu" ]
)

Upload the role to chef-server
ubuntu@chef-workstation:/opt/chef-local$ sudo knife role from file roles/ubuntu_servers.rb

Updated Role ubuntu_servers!

Create the data bag for the user cookbook
ubuntu@chef-workstation:/opt/chef-local$ cd data_bags/
ubuntu@chef-workstation:/opt/chef-local/data_bags$ sudo mkdir users
ubuntu@chef-workstation:/opt/chef-local/data_bags$ sudo vim users/ubuntu.json

{
    "id"       : "ubuntu",
    "gid"      : "admin",
    "comment"  : "ubuntu",
    "home"     : "/home/ubuntu",
    "create_user_group" : "false",
    "ssh_keygen" : "false",
    "ssh_keys" : "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+upV++0vIM2PuD2XvH+zOUF6JsfofPCvCdqZ/Wg0GaRvcuPpKs7Ua2APSsvtvEz9ohQvexS1DO4G1ZjIO20dsc82BHTFxd3DmZyQ8g/CLoIKIdkDImSffQxBYM//8URvtk16HTmuYVY9poalbVhlErhg0xSbyx/DQfOChfc34T8481iWPZ0pnJLj7z5AUvYR8fcWGtbMhveoyKuB4VocsQvKfgVUauS1jIGGac7kC8XGVc6fEVzzTycS7dTypzHDJp3I9wHWoiMF4SD5MRb0sEhlvaOtryHGVdcfFj4Mrdiu8NepL7yyCb9qGdB7QbT1+hNCnZukWP4Iz6yzATLzS"
}

Upload the data bag to chef-server
ubuntu@chef-workstation:/opt/chef-local/data_bags$ sudo knife data bag create users

Created data_bag[users]

ubuntu@chef-workstation:/opt/chef-local/data_bags$ sudo knife data bag from file users users/ubuntu.json

Updated data_bag_item[users::ubuntu]
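Before uploading a users data bag item it is worth checking it, because once the SSH server later accepts only keys, an item with a missing, malformed or line-wrapped public key leaves that account unable to log in at all. The following is an added example, not code from the original post or from the user cookbook: it parses an item in the shape of users/ubuntu.json and verifies that each ssh_keys entry is a well-formed OpenSSH public key (the base64 blob must start with the length-prefixed key type it claims). The sample key and item below are constructed, and the function names are this example's own.

```ruby
# Added example, not code from the original post or from the user cookbook: check a
# data bag item such as users/ubuntu.json before `knife data bag from file` uploads it.
# Once sshd only accepts keys, a malformed or line-wrapped public key in this file
# means the account can no longer log in at all.
require 'json'
require 'base64'

KNOWN_KEY_TYPES = %w[ssh-rsa ssh-ed25519 ssh-dss].freeze

# True when `line` is "<type> <base64> [comment]" and the base64 blob really starts
# with the length-prefixed type string it claims (the OpenSSH wire format).
def valid_ssh_public_key?(line)
  return false unless line.is_a?(String)
  return false if line.include?("\n")          # a key wrapped across lines is broken
  type, b64, _comment = line.strip.split(' ', 3)
  return false if type.nil? || b64.nil?
  return false unless KNOWN_KEY_TYPES.include?(type) || type.start_with?('ecdsa-sha2-')
  blob = Base64.strict_decode64(b64)           # strict: rejects whitespace and junk
  return false if blob.bytesize < 4
  len = blob.byteslice(0, 4).unpack1('N')
  blob.byteslice(4, len) == type
rescue ArgumentError                            # raised by strict_decode64 on bad input
  false
end

# Findings for one item of the users data bag; an empty array means it looks fine.
def check_user_item(item)
  findings = []
  findings << 'missing "id"' unless item['id'].is_a?(String) && !item['id'].empty?
  keys = item['ssh_keys']
  keys = [keys] if keys.is_a?(String)          # accept one key or a list of keys
  if keys.nil? || keys.empty?
    findings << 'no ssh_keys: with PasswordAuthentication no this account cannot log in'
  else
    keys.each_with_index do |k, i|
      findings << "ssh_keys[#{i}] is not a well-formed OpenSSH public key" unless valid_ssh_public_key?(k)
    end
  end
  findings
end

def check_user_item_json(text)
  check_user_item(JSON.parse(text))
end

# Constructed sample: a minimal ssh-rsa blob (type, e=3, n=5); not a usable key,
# only the right shape for the check above.
SAMPLE_BLOB = [7].pack('N') + 'ssh-rsa' + [1].pack('N') + "\x03" + [1].pack('N') + "\x05"
SAMPLE_KEY  = "ssh-rsa #{Base64.strict_encode64(SAMPLE_BLOB)} ubuntu@chef-workstation"
SAMPLE_ITEM = <<~JSON
  {
      "id"       : "ubuntu",
      "gid"      : "admin",
      "comment"  : "ubuntu",
      "home"     : "/home/ubuntu",
      "create_user_group" : "false",
      "ssh_keygen" : "false",
      "ssh_keys" : "#{SAMPLE_KEY}"
  }
JSON

if __FILE__ == $PROGRAM_NAME
  findings = check_user_item_json(SAMPLE_ITEM)
  puts(findings.empty? ? 'users/ubuntu.json: OK' : findings.map { |f| "PROBLEM: #{f}" })
end
```

Run it against the real file with `ruby check_users.rb` after replacing SAMPLE_ITEM with `File.read('users/ubuntu.json')`; a raw newline inside the key string is exactly what a copy-and-paste of a wrapped key produces, and strict base64 decoding catches it.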

Add the run_list to the node, i.e. assign the ubuntu_servers role to chef-client-1
ubuntu@chef-workstation:/opt/chef-local$ sudo knife node run_list add chef-client-1 "role[ubuntu_servers]"

run_list:  role[ubuntu_servers]

Run chef-client on chef-client-1 to pull the configuration
ubuntu@chef-client-1:~$ sudo chef-client

INFO: *** Chef 10.16.2 ***
INFO: Run List is [role[ubuntu_servers]]
INFO: Run List expands to [user, user::data_bag]
INFO: HTTP Request Returned 404 Not Found: No routes match the request: /reports/nodes/chef-client-1/runs
INFO: Starting Chef Run for chef-client-1
INFO: Running start handlers
INFO: Start handlers complete.
INFO: Loading cookbooks [user]
INFO: Processing user_account[ubuntu] action create (user::data_bag line 36)
INFO: Processing user[ubuntu] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
INFO: user[ubuntu] altered
INFO: Processing directory[/home/ubuntu/.ssh] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: directory[/home/ubuntu/.ssh] created directory /home/ubuntu/.ssh
INFO: directory[/home/ubuntu/.ssh] owner changed to 1000
INFO: directory[/home/ubuntu/.ssh] group changed to 109
INFO: directory[/home/ubuntu/.ssh] mode changed to 700
INFO: Processing directory[/home/ubuntu] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: directory[/home/ubuntu] group changed to 109
INFO: directory[/home/ubuntu] mode changed to 2755
INFO: Processing template[/home/ubuntu/.ssh/authorized_keys] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
INFO: template[/home/ubuntu/.ssh/authorized_keys] updated content
INFO: template[/home/ubuntu/.ssh/authorized_keys] owner changed to 1000
INFO: template[/home/ubuntu/.ssh/authorized_keys] group changed to 109
INFO: template[/home/ubuntu/.ssh/authorized_keys] mode changed to 600
INFO: Processing user[ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
INFO: Processing directory[/home/ubuntu/.ssh] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: Processing directory[/home/ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
INFO: Processing template[/home/ubuntu/.ssh/authorized_keys] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
INFO: Processing execute[create ssh keypair for ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 148)
INFO: Chef Run complete in 0.766601698 seconds
INFO: Running report handlers
INFO: Report handlers complete

We can see that chef-client successfully pulled the information for the ubuntu user and carried out a series of configuration steps automatically.
With that, we have used Chef's user cookbook to complete one automated server deployment.
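The run output above prints a "Processing ..." line for every resource whether or not it changed anything, so the real changes are easy to miss. As an added example (not code from the post or from Chef itself), the script below extracts the resources a run actually changed from the INFO lines and flags any change outside the locations the run is expected to touch, which is a cheap way to notice a cookbook doing more than intended. The log lines embedded in it are constructed in the shape of the page's two runs, with and without the timestamp prefix; the function names are this example's own.

```ruby
# Added example, not code from the original post or from Chef itself: summarise
# which resources a chef-client run actually changed, using only the INFO lines
# the run prints, and flag changes outside the locations the run is expected to touch.

# Constructed sample in the shape of the page's two run logs (the second run on the
# page carries a timestamp prefix, the first does not).
SAMPLE_RUN_LOG = <<~LOG
  INFO: *** Chef 10.16.2 ***
  INFO: Run List expands to [user, user::data_bag, openssh]
  INFO: Processing user[ubuntu] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
  INFO: user[ubuntu] altered
  INFO: Processing directory[/home/ubuntu/.ssh] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
  INFO: directory[/home/ubuntu/.ssh] created directory /home/ubuntu/.ssh
  INFO: directory[/home/ubuntu/.ssh] mode changed to 700
  [2012-12-17T20:51:29+08:00] INFO: template[/etc/ssh/sshd_config] updated content
  [2012-12-17T20:51:29+08:00] INFO: template[/etc/ssh/sshd_config] sending restart action to service[ssh] (delayed)
  [2012-12-17T20:51:29+08:00] INFO: service[ssh] restarted
  [2012-12-17T20:51:29+08:00] INFO: Chef Run complete in 1.742643517 seconds
LOG

# Matches "INFO: <type>[<name>] <what happened>" but not the "Processing ..." lines,
# which are printed for every resource whether or not it changed anything.
CHANGE_LINE = /INFO: (?!Processing )([a-z_]+\[[^\]]+\]) (.+)\z/

# Returns { "user[ubuntu]" => ["altered"], ... } in the order resources first changed.
def changed_resources(log_text)
  changes = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    m = CHANGE_LINE.match(line.strip)
    changes[m[1]] << m[2] if m
  end
  changes
end

# Changed resources whose name lies outside every allowed path prefix. Service
# restarts and user changes are expected side effects of the listed paths, so those
# resource types are allowed as a whole rather than by path.
def unexpected_changes(changes, allowed_path_prefixes, allowed_types = %w[service user])
  changes.keys.reject do |resource|
    type, name = resource.match(/\A([a-z_]+)\[(.*)\]\z/).captures
    allowed_types.include?(type) || allowed_path_prefixes.any? { |p| name.start_with?(p) }
  end
end

if __FILE__ == $PROGRAM_NAME
  changes = changed_resources(SAMPLE_RUN_LOG)
  changes.each { |res, events| puts "#{res}: #{events.join('; ')}" }
  unexpected_changes(changes, ['/home/ubuntu', '/etc/ssh']).each { |r| puts "UNEXPECTED: #{r}" }
end
```

Feed it the real output with `sudo chef-client | tee run.log` followed by `ruby run_summary.rb < run.log` (after swapping SAMPLE_RUN_LOG for `$stdin.read`); the allowed prefixes are the directories the role is supposed to manage, here the user's home and /etc/ssh.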

2.2 Next, configure OpenSSH through Chef
Commit the changes made so far locally, since we manage the Chef configuration with git.
ubuntu@chef-workstation:/opt/chef-local$ sudo git commit -a -m "update"

Install the openssh cookbook
ubuntu@chef-workstation:/opt/chef-local$ sudo knife cookbook site install openssh

Installing openssh to /opt/chef-local/cookbooks
Checking out the master branch.
Creating pristine copy branch chef-vendor-openssh
Downloading openssh from the cookbooks site at version 1.1.2 to /opt/chef-local/cookbooks/openssh.tar.gz
Cookbook saved: /opt/chef-local/cookbooks/openssh.tar.gz
Removing pre-existing version.
Uncompressing openssh version 1.1.2.
removing downloaded tarball
1 files updated, committing changes
Creating tag cookbook-site-imported-openssh-1.1.2
Checking out the master branch.
Updating 8945cc6..ea9f570
Fast-forward
 cookbooks/openssh/.gitignore                       |    4 +
 cookbooks/openssh/CHANGELOG.md                     |   19 ++
 cookbooks/openssh/CONTRIBUTING                     |   29 +++
 cookbooks/openssh/Gemfile                          |    3 +
 cookbooks/openssh/LICENSE                          |  201 ++++++++++++++++++++
 cookbooks/openssh/README.md                        |  122 ++++++++++++
 cookbooks/openssh/attributes/default.rb            |  125 ++++++++++++
 .../files/default/tests/minitest/config_test.rb    |   38 ++++
 .../files/default/tests/minitest/default_test.rb   |   13 ++
 .../default/tests/minitest/support/helpers.rb      |   13 ++
 cookbooks/openssh/metadata.json                    |   37 ++++
 cookbooks/openssh/metadata.rb                      |   12 ++
 cookbooks/openssh/recipes/default.rb               |   73 +++++++
 cookbooks/openssh/templates/default/port_ssh.erb   |    2 +
 cookbooks/openssh/templates/default/ssh_config.erb |   11 +
 .../openssh/templates/default/sshd_config.erb      |   11 +
 16 files changed, 713 insertions(+), 0 deletions(-)
 create mode 100644 cookbooks/openssh/.gitignore
 create mode 100644 cookbooks/openssh/CHANGELOG.md
 create mode 100644 cookbooks/openssh/CONTRIBUTING
 create mode 100644 cookbooks/openssh/Gemfile
 create mode 100644 cookbooks/openssh/LICENSE
 create mode 100644 cookbooks/openssh/README.md
 create mode 100644 cookbooks/openssh/attributes/default.rb
 create mode 100644 cookbooks/openssh/files/default/tests/minitest/config_test.rb
 create mode 100644 cookbooks/openssh/files/default/tests/minitest/default_test.rb
 create mode 100644 cookbooks/openssh/files/default/tests/minitest/support/helpers.rb
 create mode 100644 cookbooks/openssh/metadata.json
 create mode 100644 cookbooks/openssh/metadata.rb
 create mode 100644 cookbooks/openssh/recipes/default.rb
 create mode 100644 cookbooks/openssh/templates/default/port_ssh.erb
 create mode 100644 cookbooks/openssh/templates/default/ssh_config.erb
 create mode 100644 cookbooks/openssh/templates/default/sshd_config.erb
Cookbook openssh version 1.1.2 successfully installed

We can see that the openssh cookbook has been installed
ubuntu@chef-workstation:/opt/chef-local/cookbooks$ ls

README.md  openssh  user

Likewise, by reading README.md carefully we learn how this cookbook is used: change the corresponding parameters in attributes, then add the recipe to the role file.
ubuntu@chef-workstation:/opt/chef-local/cookbooks$ cd openssh/
ubuntu@chef-workstation:/opt/chef-local/cookbooks/openssh$ ls

CHANGELOG.md  CONTRIBUTING  Gemfile  LICENSE  README.md  attributes  files  metadata.json  metadata.rb  recipes  templates

ubuntu@chef-workstation:/opt/chef-local/cookbooks/openssh/attributes$ ls

default.rb

Opening the default attributes file under attributes, we can see that many options are already defined.
ubuntu@chef-workstation:/opt/chef-local/cookbooks/openssh/attributes$ sudo vim default.rb

#
# Cookbook Name:: openssh
# Attributes:: default
#
# Author:: Ernie Brodeur 
# Copyright 2008-2012, Opscode, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Attributes are commented out using the default config file values.
# Uncomment the ones you need, or set attributes in a role.
#

default['openssh']['package_name'] = case node['platform_family']
                                     when "rhel", "fedora"
                                       %w{openssh-clients openssh}
                                     when "arch"
                                       %w{openssh}
                                     else
                                       %w{openssh-client openssh-server}
                                     end

default['openssh']['service_name'] = case node['platform_family']
                                     when "rhel", "fedora"
                                       "sshd"
                                     else
                                       "ssh"
                                     end

# ssh config group
default['openssh']['client']['host'] = "*"
# default['openssh']['client']['forward_agent'] = "no"
# default['openssh']['client']['forward_x11'] = "no"
# default['openssh']['client']['rhosts_rsa_authentication'] = "no"
# default['openssh']['client']['rsa_authentication'] = "yes"
# default['openssh']['client']['password_authentication'] = "yes"
# default['openssh']['client']['host_based_authentication'] = "no"
# default['openssh']['client']['gssapi_authentication'] = "no"
# default['openssh']['client']['gssapi_delegate_credentials'] = "no"
# default['openssh']['client']['batch_mode'] = "no"
# default['openssh']['client']['check_host_ip'] = "yes"
# default['openssh']['client']['address_family'] = "any"
# default['openssh']['client']['connect_timeout'] = "0"
# default['openssh']['client']['strict_host_key_checking'] = "ask"
# default['openssh']['client']['identity_file'] = "~/.ssh/identity"
# default['openssh']['client']['identity_file_rsa'] = "~/.ssh/id_rsa"
# default['openssh']['client']['identity_file_dsa'] = "~/.ssh/id_dsa"
# default['openssh']['client']['port'] = "22"
# default['openssh']['client']['protocol'] = [ "2 1" ]
# default['openssh']['client']['cipher'] = "3des"
# default['openssh']['client']['ciphers'] = [ "aes128-ctr aes192-ctr aes256-ctr arcfour256 arcfour128 aes128-cbc 3des-cbc" ]
# default['openssh']['client']['macs'] = [ "hmac-md5 hmac-sha1 umac-64@openssh.com hmac-ripemd160" ]
# default['openssh']['client']['escape_char'] = "~"
# default['openssh']['client']['tunnel'] = "no"
# default['openssh']['client']['tunnel_device'] = "any:any"
# default['openssh']['client']['permit_local_command'] = "no"
# default['openssh']['client']['visual_host_key'] = "no"
# default['openssh']['client']['proxy_command'] = "ssh -q -W %h:%p gateway.example.com"
# sshd config group
# default['openssh']['server']['port'] = "22"
# default['openssh']['server']['address_family'] = "any"
# default['openssh']['server']['listen_address'] = [ "0.0.0.0 ::" ]
# default['openssh']['server']['protocol'] = "2"
# default['openssh']['server']['host_key_v1'] = "/etc/ssh/ssh_host_key"
# default['openssh']['server']['host_key_rsa'] = "/etc/ssh/ssh_host_rsa_key"
# default['openssh']['server']['host_key_dsa'] = "/etc/ssh/ssh_host_dsa_key"
# default['openssh']['server']['host_key_ecdsa'] = "/etc/ssh/ssh_host_ecdsa_key"
# default['openssh']['server']['key_regeneration_interval'] = "1h"
# default['openssh']['server']['server_key_bits'] = "1024"
# default['openssh']['server']['syslog_facility'] = "AUTH"
# default['openssh']['server']['log_level'] = "INFO"
# default['openssh']['server']['login_grace_time'] = "2m"
# default['openssh']['server']['permit_root_login'] = "yes"
# default['openssh']['server']['strict_modes'] = "yes"
# default['openssh']['server']['max_auth_tries'] = "6"
# default['openssh']['server']['max_sessions'] = "10"
# default['openssh']['server']['rsa_authentication'] = "yes"
# default['openssh']['server']['pub_key_authentication'] = "yes"
default['openssh']['server']['authorized_keys_file'] = "%h/.ssh/authorized_keys"
# default['openssh']['server']['rhosts_rsa_authentication'] = "no"
# default['openssh']['server']['host_based_authentication'] = "no"
# default['openssh']['server']['ignore_user_known_hosts'] = "no"
# default['openssh']['server']['ignore_rhosts'] = "yes"
# default['openssh']['server']['password_authentication'] = "yes"
# default['openssh']['server']['permit_empty_passwords'] = "no"
default['openssh']['server']['challenge_response_authentication'] = "no"
# default['openssh']['server']['kerberos_authentication'] = "no"
# default['openssh']['server']['kerberos_or_localpasswd'] = "yes"
# default['openssh']['server']['kerberos_ticket_cleanup'] = "yes"
# default['openssh']['server']['kerberos_get_afs_token'] = "no"
# default['openssh']['server']['gssapi_authentication'] = "no"
# default['openssh']['server']['gssapi_clean_up_credentials'] = "yes"
default['openssh']['server']['use_p_a_m'] = "yes"
# default['openssh']['server']['allow_agent_forwarding'] = "yes"
# default['openssh']['server']['allow_tcp_forwarding'] = "yes"
# default['openssh']['server']['gateway_ports'] = "no"
# default['openssh']['server']['x11_forwarding'] = "no"
# default['openssh']['server']['x11_display_offset'] = "10"
# default['openssh']['server']['x11_use_localhost'] = "yes"
# default['openssh']['server']['print_motd'] = "yes"
# default['openssh']['server']['print_lastlog'] = "yes"
# default['openssh']['server']['t_c_p_keep_alive'] = "yes"
# default['openssh']['server']['use_login'] = "no"
# default['openssh']['server']['use_privilege_separation'] = "yes"
# default['openssh']['server']['permit_user_environment'] = "no"
# default['openssh']['server']['compression'] = "delayed"
# default['openssh']['server']['client_alive_interval'] = "0"
# default['openssh']['server']['client_alive_count_max'] = "3"
# default['openssh']['server']['use_dns'] = "yes"
# default['openssh']['server']['pid_file'] = "/var/run/sshd.pid"
# default['openssh']['server']['max_startups'] = "10"
# default['openssh']['server']['permit_tunnel'] = "no"
# default['openssh']['server']['chroot_directory'] = "none"
# default['openssh']['server']['banner'] = "none"
# default['openssh']['server']['subsystem'] =   "sftp   /usr/libexec/sftp-server"

Here we can change the following options so that OpenSSH accepts only key-based authentication and password logins are disabled.

default['openssh']['server']['password_authentication'] = "no"
default['openssh']['server']['use_dns'] = "yes"

After making the change, upload the updated openssh cookbook
ubuntu@chef-workstation:/opt/chef-local/cookbooks/openssh/attributes$ sudo knife cookbook upload openssh

Uploading openssh        [1.1.2]
Uploaded 1 cookbook.

Add openssh to the role
ubuntu@chef-workstation:/opt/chef-local/cookbooks/openssh/attributes$ cd /opt/chef-local/roles/
ubuntu@chef-workstation:/opt/chef-local/roles$ sudo vim ubuntu_servers.rb

name "ubuntu_servers"
description "The base role applied to all nodes."
run_list(
    "recipe[user]",
    "recipe[user::data_bag]",
    "recipe[openssh]"
)
override_attributes(
    "users" => [ "ubuntu" ]
)

Update the role
ubuntu@chef-workstation:/opt/chef-local/roles$ sudo knife role from file ubuntu_servers.rb

Updated Role ubuntu_servers!

Pull the configuration on the chef-client
ubuntu@chef-client-1:~$ sudo chef-client

[2012-12-17T20:51:40+08:00] INFO: *** Chef 10.16.2 ***
[2012-12-17T20:51:41+08:00] INFO: Run List is [role[ubuntu_servers]]
[2012-12-17T20:51:41+08:00] INFO: Run List expands to [user, user::data_bag, openssh]
[2012-12-17T20:51:41+08:00] INFO: HTTP Request Returned 404 Not Found: No routes match the request: /reports/nodes/chef-client-1/runs
[2012-12-17T20:51:41+08:00] INFO: Starting Chef Run for chef-client-1
[2012-12-17T20:51:41+08:00] INFO: Running start handlers
[2012-12-17T20:51:41+08:00] INFO: Start handlers complete.
[2012-12-17T20:51:41+08:00] INFO: Loading cookbooks [openssh, user]
[2012-12-17T20:51:41+08:00] INFO: Processing user_account[ubuntu] action create (user::data_bag line 36)
[2012-12-17T20:51:41+08:00] INFO: Processing user[ubuntu] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
[2012-12-17T20:51:41+08:00] INFO: Processing directory[/home/ubuntu/.ssh] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
[2012-12-17T20:51:41+08:00] INFO: Processing directory[/home/ubuntu] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
[2012-12-17T20:51:41+08:00] INFO: Processing template[/home/ubuntu/.ssh/authorized_keys] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
[2012-12-17T20:51:41+08:00] INFO: Processing user[ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
[2012-12-17T20:51:41+08:00] INFO: Processing directory[/home/ubuntu/.ssh] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
[2012-12-17T20:51:41+08:00] INFO: Processing directory[/home/ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
[2012-12-17T20:51:41+08:00] INFO: Processing template[/home/ubuntu/.ssh/authorized_keys] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
[2012-12-17T20:51:41+08:00] INFO: Processing execute[create ssh keypair for ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 148)
[2012-12-17T20:51:28+08:00] INFO: Processing package[openssh-client] action install (openssh::default line 27)
[2012-12-17T20:51:28+08:00] INFO: Processing package[openssh-server] action install (openssh::default line 27)
[2012-12-17T20:51:28+08:00] INFO: Processing service[ssh] action enable (openssh::default line 30)
[2012-12-17T20:51:28+08:00] INFO: service[ssh] enabled
[2012-12-17T20:51:28+08:00] INFO: Processing service[ssh] action start (openssh::default line 30)
[2012-12-17T20:51:28+08:00] INFO: Processing template[/etc/ssh/ssh_config] action create (openssh::default line 48)
[2012-12-17T20:51:28+08:00] INFO: template[/etc/ssh/ssh_config] backed up to /var/chef/backup/etc/ssh/ssh_config.chef-20121217205128
[2012-12-17T20:51:28+08:00] INFO: template[/etc/ssh/ssh_config] updated content
[2012-12-17T20:51:28+08:00] INFO: template[/etc/ssh/ssh_config] owner changed to 0
[2012-12-17T20:51:28+08:00] INFO: template[/etc/ssh/ssh_config] group changed to 0
[2012-12-17T20:51:28+08:00] INFO: template[/etc/ssh/ssh_config] mode changed to 644
[2012-12-17T20:51:28+08:00] INFO: Processing template[/etc/ssh/sshd_config] action create (openssh::default line 66)
[2012-12-17T20:51:29+08:00] INFO: template[/etc/ssh/sshd_config] backed up to /var/chef/backup/etc/ssh/sshd_config.chef-20121217205129
[2012-12-17T20:51:29+08:00] INFO: template[/etc/ssh/sshd_config] updated content
[2012-12-17T20:51:29+08:00] INFO: template[/etc/ssh/sshd_config] owner changed to 0
[2012-12-17T20:51:29+08:00] INFO: template[/etc/ssh/sshd_config] group changed to 0
[2012-12-17T20:51:29+08:00] INFO: template[/etc/ssh/sshd_config] mode changed to 644
[2012-12-17T20:51:29+08:00] INFO: template[/etc/ssh/sshd_config] sending restart action to service[ssh] (delayed)
[2012-12-17T20:51:29+08:00] INFO: Processing service[ssh] action restart (openssh::default line 30)
[2012-12-17T20:51:29+08:00] INFO: service[ssh] restarted
[2012-12-17T20:51:29+08:00] INFO: Chef Run complete in 1.742643517 seconds
[2012-12-17T20:51:29+08:00] INFO: Running report handlers
[2012-12-17T20:51:29+08:00] INFO: Report handlers complete

We can see that chef-client-1 automatically obtained the corresponding parameters, updated the OpenSSH configuration file and restarted the service.

Looking at the OpenSSH configuration file by hand, we see that it contains only the few parameters we configured. There is no need to worry: every other parameter has a default value, so the OpenSSH configuration as a whole is fine.
ubuntu@chef-client-1:~$ cat /etc/ssh/sshd_config

# Generated by Chef for chef-client-1

AuthorizedKeysFile %h/.ssh/authorized_keys
ChallengeResponseAuthentication no
PasswordAuthentication no
UseDns yes
UsePAM yes
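The attribute edit in 2.2 and the generated sshd_config shown above can be tied together in one added example, which is not the openssh cookbook's own code. It applies Chef's precedence rule, under which a role's override_attributes beat the cookbook's default attributes (so the PasswordAuthentication change also belongs in the role rather than in the vendored attributes/default.rb, as that file's own header suggests); renders the server attributes into sshd directives with the snake_case to CamelCase rule the page's output implies (use_p_a_m becomes UsePAM, use_dns becomes UseDns, keys sorted); and then audits the result for a key-only-auth policy, including directives the generated file leaves to sshd's compiled-in defaults. COOKBOOK_DEFAULTS, ROLE_OVERRIDES and the function names are this example's own.

```ruby
# Added example, not code from the original post or the openssh cookbook: model how
# the attributes end up in /etc/ssh/sshd_config and audit the rendered result.

# The server attributes the page leaves uncommented in attributes/default.rb.
COOKBOOK_DEFAULTS = {
  'authorized_keys_file'              => '%h/.ssh/authorized_keys',
  'challenge_response_authentication' => 'no',
  'use_p_a_m'                         => 'yes'
}.freeze

# What belongs in the role's override_attributes (wins over cookbook defaults)
# instead of editing the vendored cookbook file as the post does.
ROLE_OVERRIDES = {
  'password_authentication' => 'no',
  'use_dns'                 => 'yes'
}.freeze

# Chef precedence reduced to the two levels used here: override beats default.
def effective_server_attrs(defaults, overrides)
  defaults.merge(overrides)
end

# snake_case attribute -> sshd keyword, the rule the page's output implies
# (use_p_a_m -> UsePAM, use_dns -> UseDns); keys are emitted in sorted order.
def render_sshd_config(attrs, node_name)
  lines = ["# Generated by Chef for #{node_name}", '']
  attrs.sort.each do |key, value|
    keyword = key.split('_').map(&:capitalize).join
    Array(value).each { |v| lines << "#{keyword} #{v}" }
  end
  lines.join("\n") + "\n"
end

# Parse sshd_config the way sshd does: keywords are case-insensitive, the first
# occurrence of a keyword wins, lines starting with '#' are comments.
def parse_sshd_config(text)
  conf = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/[\s=]+/, 2)
    conf[key.downcase] ||= value.to_s.strip
  end
  conf
end

# Findings for a key-only-auth policy; an empty array means the file passes.
def audit_sshd_config(text)
  conf = parse_sshd_config(text)
  findings = []
  findings << 'PasswordAuthentication is not "no"' unless conf['passwordauthentication'] == 'no'
  findings << 'ChallengeResponseAuthentication is not "no"' unless conf['challengeresponseauthentication'] == 'no'
  findings << 'PubkeyAuthentication explicitly disabled' if conf['pubkeyauthentication'] == 'no'
  findings << 'PermitEmptyPasswords is "yes"' if conf['permitemptypasswords'] == 'yes'
  # Directives absent from the file fall back to sshd's compiled-in defaults; for
  # PermitRootLogin that default was "yes" before OpenSSH 7.0, so set it explicitly.
  findings << 'PermitRootLogin not set explicitly' unless conf.key?('permitrootlogin')
  findings << 'PermitRootLogin is "yes"' if conf['permitrootlogin'] == 'yes'
  findings
end

if __FILE__ == $PROGRAM_NAME
  text = render_sshd_config(effective_server_attrs(COOKBOOK_DEFAULTS, ROLE_OVERRIDES), 'chef-client-1')
  puts text
  audit_sshd_config(text).each { |f| puts "WARN: #{f}" }
end
```

Run as-is it reproduces the sshd_config shown above and reports one warning, that PermitRootLogin is left to the compiled-in default; adding `'permit_root_login' => 'no'` to ROLE_OVERRIDES (or to the role's override_attributes under openssh/server) clears it. The audit can also be pointed at the live file with `audit_sshd_config(File.read('/etc/ssh/sshd_config'))`.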

At this point we have completed configuration management of user accounts and OpenSSH through Chef, and should have a more concrete understanding of Chef.
But this is only a beginning; it would be rather awkward if we could only configure servers by changing parameters in cookbooks written by others.
So next we will create our own cookbook and configure servers however we like!

3. Next, we can continue with the following
Chef Centralized Management Tool in Practice (3): Custom Configuration


  1. #1 by jack zhang on 2013/01/06 - 19:40

    Hello teacher, do you know how to have chef-workstation notify chef-client to fetch its own configuration automatically?

  2. #3 by Peter on 2014/11/01 - 16:34

    Hi,
    You did not explain where the content after "ssh_keys" : "ssh-rsa comes from?

    sudo vim users/ubuntu.json
    ...
    "ssh_keys" : "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+upV++0vIM2PuD2XvH+zOUF6JsfofPCvCdqZ/Wg0GaRvcuPpKs7Ua2APSs
    ...

    • #4 by mcsrainbow on 2014/11/03 - 11:06

      That is the content of your own SSH public key; anyone familiar with SSH key authentication should be fairly clear on that, so I did not explain it further.
