Chef 自动化运维:Chef 的安装

安装准备

准备三台服务器,分别用作 Chef Server、Chef DK、Chef Client 的安装使用。

在三台服务器中,添加以下 hosts:

1
2
3
4
5
vim /etc/hosts

192.168.221.89 chef-server.geekrainy.local chef-server
192.168.221.90 chef-dk.geekrainy.local chef-dk
192.168.221.91 chef-client.geekrainy.local chef-client

安装 Chef Server

访问 Chef 下载页面,选择合适的发行版和系统架构,进行下载安装:

1
wget https://packages.chef.io/files/stable/chef-server/12.17.15/el/7/chef-server-core-12.17.15-1.el7.x86_64.rpm

执行安装:

1
rpm -ivh chef-server*.rpm

执行配置(此过程会将需要的附属套件一并安装):

1
chef-server-ctl reconfigure

检查组件状态:

1
chef-server-ctl status

输出:

1
2
3
4
5
6
7
8
9
10
run: bookshelf: (pid 1246) 5195s; run: log: (pid 1243) 5195s
run: nginx: (pid 8394) 2240s; run: log: (pid 1262) 5195s
run: oc_bifrost: (pid 1253) 5195s; run: log: (pid 1252) 5195s
run: oc_id: (pid 1264) 5195s; run: log: (pid 8281) 2241s
run: opscode-erchef: (pid 8285) 2240s; run: log: (pid 1244) 5195s
run: opscode-expander: (pid 1251) 5195s; run: log: (pid 1247) 5195s
run: opscode-solr4: (pid 1259) 5195s; run: log: (pid 1258) 5195s
run: postgresql: (pid 1275) 5195s; run: log: (pid 1269) 5195s
run: rabbitmq: (pid 1257) 5195s; run: log: (pid 1256) 5195s
run: redis_lb: (pid 5711) 2271s; run: log: (pid 1250) 5195s

创建管理员用户和组织

以下命令创建过程中,会默认创建私钥,需要保存至安全的地方:

User Name: admin

First Name: admin

Last Name: admin

Email: admin@geekrainy.local

Password: password

File Name: admin.pem

Path: /etc/chef

1
chef-server-ctl user-create admin admin admin admin@geekrainy.local password -f /etc/chef/admin.pem

原始命令参考:

1
chef-server-ctl user-create USER_NAME FIRST_NAME LAST_NAME EMAIL 'PASSWORD' -f PATH_FILE_NAME

开始创建组织:

Short Name: geekrainy

Full Organization Name: GeekRainy, Inc

Association User: admin (设置 admin 用户为安全组用户)

Filename: geekrainy-validator.pem

Path: /etc/chef

1
chef-server-ctl org-create geekrainy "GeekRainy, Inc" --association_user admin -f /etc/chef/geekrainy-validator.pem

原始命令参考:

1
chef-server-ctl org-create short_name 'full_organization_name' --association_user user_name --filename ORGANIZATION-validator.pem

端口配置

Chef Server 要求开放下列端口通过防火墙,但是在此处我们只需要开放 80 和 443 端口。

1
2
3
firewall-cmd --permanent --zone public --add-service http
firewall-cmd --permanent --zone public --add-service https
firewall-cmd --reload

安装 Chef Workstation

下载安装:

1
2
wget https://packages.chef.io/files/stable/chefdk/2.4.17/el/7/chefdk-2.4.17-1.el7.x86_64.rpm
rpm -ivh chefdk-*.rpm

验证安装:

1
chef verify

确保 ruby 环境安装完毕:

1
which ruby

配置环境变量:

1
2
echo 'eval "$(chef shell-init bash)"' >> ~/.bash_profile
source ~/.bash_profile

配置 Chef 仓库

确保安装了 git,之后使用 chef 命令初始化一个仓库:

1
chef generate repo chef-repo

配置 git 提交用户和邮箱:

1
2
git config --global user.name "admin"
git config --global user.email "admin@geekrainy.local"

初始化仓库:

1
2
cd chef-repo
git init

创建 .chef 目录,它将用来保存 Chef Server 创建的私钥,因此忽略该目录的版本跟踪:

1
echo '.chef' >> ~/chef-repo/.gitignore

初始化提交:

1
2
3
cd chef-repo
git add .
git commit -m "initial commit"

将服务器生成的 key 保存至 .chef 文件夹:

1
2
scp -pr root@chef-server:/etc/chef/admin.pem ~/chef-repo/.chef/
scp -pr root@chef-server:/etc/chef/geekrainy-validator.pem ~/chef-repo/.chef/

关于 Knife

Knife 是一个在 Chef 仓库和 Chef Server 之间进行交互的命令,在使用这个命令之前,需要新建一个 knife.rb 配置文件新建一个 config.rb 配置文件(在版本 12 中,用 config.rb 替换了 knife.rb,参见 https://docs.chef.io/config_rb.html)。

1
vim ~/chef-repo/.chef/knife.rb

在文件中添加如下信息:

1
2
3
4
5
6
7
8
9
10
current_dir = File.dirname(__FILE__)
log_level :info
log_location STDOUT
node_name "admin"
client_key "#{current_dir}/admin.pem"
validation_client_name "geekrainy-validator"
validation_key "#{current_dir}/geekrainy-validator.pem"
chef_server_url "https://chef-server.geekrainy.local/organizations/geekrainy"
syntax_check_cache_path "#{ENV['HOME']}/.chef/syntaxcache"
cookbook_path ["#{current_dir}/../cookbooks"]

node_name: 用户名应该与 Chef Server 创建的管理员用户名相匹配

client_key: 保存 Chef Server 创建的用户私钥的路径

validation_client_name: 组织的短用户名加 -validator

validation_key: Chef Server 创建的组织验证私钥路径

chef_server_url: 同 hostname 配置的一致

测试 Knife 命令:

1
2
cd ~/chef-repo
knife client list

得到如下错误:

1
2
3
4
5
6
7
ERROR: SSL Validation failure connecting to host: chef-server.geekrainy.local - SSL_connect returned=1 errno=0 state=error: certificate verify failed
ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use
`knife ssl fetch` to make knife trust the server's certificates.

Original Exception: OpenSSL::SSL::SSLError: SSL Error connecting to https://chef-server.geekrainy.local/organizations/geekrainy/clients - SSL_connect returned=1 errno=0 state=error: certificate verify failed

从 Chef Server 获取证书:

1
2
3
4
5
6
7
8
9
knife ssl fetch

WARNING: Certificates from chef-server.geekrainy.local will be fetched and placed in your trusted_cert
directory (/root/chef-repo/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for chef-server_geekrainy_local in /root/chef-repo/.chef/trusted_certs/chef-server_geekrainy_local.crt

该证书将被保存至 .chef/trusted_certs 文件夹下。

此时再次执行命令验证:

1
2
knife client list
geekrainy-validator

可以得到结果,至此已经完成了搭建。

修改 hostname 的注意事项

若在安装 Chef Server 后,重新修改了 Chef Server 的 hostname,在获取 Chef Server 证书的时候是基于之前的主机名和域名配置的,因而需要重新执行配置:

1
vim /etc/opscode/chef-server.rb

添加如下配置:

1
2
server_name = "chef-server.geekrainy.local"
api_fqdn server_name

这里的 chef-server.geekrainy.local 为更改后的主机名配置,当然,同 knife.rb 中的地址也是一致的。执行 Chef Server 的重新配置命令:

1
server-ctl reconfigure

随后,重新执行上述步骤即可获得正确的 crt 证书。

关于 chef-server.rb 的配置,可以参考说明:https://docs.chef.io/config_rb_server.html

配置 Chef Client

用 knife 命令来创建一个新的节点,即在目标主机安装 Chef Client 与 Chef Server 相关联:

1
knife bootstrap chef-client.geekriany.local -x root -P password --sudo

如果需要使用 sudo 命令来获得管理员权限,则需要添加 --sudo 参数,在此处使用 CentOS 7,不需要此参数。

以上参数的解释:

-x ssh 用户名

-P ssh 密码

-p ssh 端口

执行后可以看到如下输出:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
Connecting to chef-client.geekrainy.local
chef-client.geekrainy.local -----> Installing Chef Omnibus (-v 13)
chef-client.geekrainy.local downloading https://omnitruck-direct.chef.io/chef/install.sh
chef-client.geekrainy.local to file /tmp/install.sh.3511/install.sh
chef-client.geekrainy.local trying wget...
chef-client.geekrainy.local el 7 x86_64
chef-client.geekrainy.local Getting information for chef stable 13 for el...
chef-client.geekrainy.local downloading https://omnitruck-direct.chef.io/stable/chef/metadata?v=13&p=el&pv=7&m=x86_64
chef-client.geekrainy.local to file /tmp/install.sh.3528/metadata.txt
chef-client.geekrainy.local trying wget...
chef-client.geekrainy.local sha1 037a61a5d9c89d9b71d4c4f6256f45ed422a73ee
chef-client.geekrainy.local sha256 18826690ac2c7e5f16a21d898ed77be7d78fd2d84bc2a71b4506ee480876bc4b
chef-client.geekrainy.local url https://packages.chef.io/files/stable/chef/13.6.4/el/7/chef-13.6.4-1.el7.x86_64.rpm
chef-client.geekrainy.local version 13.6.4
chef-client.geekrainy.local downloaded metadata file looks valid...
chef-client.geekrainy.local downloading https://packages.chef.io/files/stable/chef/13.6.4/el/7/chef-13.6.4-1.el7.x86_64.rpm
chef-client.geekrainy.local to file /tmp/install.sh.3528/chef-13.6.4-1.el7.x86_64.rpm
chef-client.geekrainy.local trying wget...
chef-client.geekrainy.local Comparing checksum with sha256sum...
chef-client.geekrainy.local Installing chef 13
chef-client.geekrainy.local installing with rpm...
chef-client.geekrainy.local warning: /tmp/install.sh.3528/chef-13.6.4-1.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY
chef-client.geekrainy.local Preparing... ################################# [100%]
chef-client.geekrainy.local Updating / installing...
chef-client.geekrainy.local 1:chef-13.6.4-1.el7 ################################# [100%]
chef-client.geekrainy.local Thank you for installing Chef!
chef-client.geekrainy.local Starting the first Chef Client run...
chef-client.geekrainy.local Starting Chef Client, version 13.6.4
chef-client.geekrainy.local Creating a new client identity for chef-client.geekrainy.local using the validator key.
chef-client.geekrainy.local resolving cookbooks for run list: []
chef-client.geekrainy.local Synchronizing Cookbooks:
chef-client.geekrainy.local Installing Cookbook Gems:
chef-client.geekrainy.local Compiling Cookbooks...
chef-client.geekrainy.local [2017-12-26T10:13:45+08:00] WARN: Node chef-client.geekrainy.local has an empty run list.
chef-client.geekrainy.local Converging 0 resources
chef-client.geekrainy.local
chef-client.geekrainy.local Running handlers:
chef-client.geekrainy.local Running handlers complete
chef-client.geekrainy.local Chef Client finished, 0/0 resources updated in 20 seconds

上述输出证明节点已经配置完毕,验证:

1
knife node list

返回如下结果:

1
chef-client.geekrainy.local

查看该节点的详情:

1
2
3
4
5
[root@chef-dk chef-repo]# knife client show chef-client.geekrainy.local
admin: false
chef_type: client
name: chef-client.geekrainy.local
validator: false

参考

-EOF-

本博客所有文章除特别声明外,均采用 CC BY-NC-ND 4.0 许可协议。转载请注明出处! © 雨落
  1. 1. 安装准备
  2. 2. 安装 Chef Server
    1. 2.1. 创建管理员用户和组织
    2. 2.2. 端口配置
  3. 3. 安装 Chef Workstation
    1. 3.1. 配置 Chef 仓库
    2. 3.2. 关于 Knife
    3. 3.3. 修改 hostname 的注意事项
  4. 4. 配置 Chef Client
  5. 5. 参考