-
Notifications
You must be signed in to change notification settings - Fork 49
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- The container won't reconfigure Chef after a reboot - Better logging - Removed unused commands
- Loading branch information
Showing
5 changed files
with
111 additions
and
170 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,22 +1,17 @@ | ||
| FROM ubuntu:14.04 | ||
| MAINTAINER Clement Buisson <[email protected]> | ||
| #This is a fork of base/chef-server | ||
|
|
||
| ENV DEBIAN_FRONTEND noninteractive | ||
| RUN apt-get update && \ | ||
| apt-get install -yq --no-install-recommends wget curl && \ | ||
| wget --no-check-certificate --content-disposition "http://www.opscode.com/chef/download-server?p=ubuntu&pv=14.04&m=x86_64&v=11&prerelease=false&nightlies=false" && \ | ||
| wget --no-check-certificate --content-disposition "http://www.opscode.com/chef/download-server?p=ubuntu&pv=14.04&m=x86_64&v=12&prerelease=false&nightlies=false" && \ | ||
| dpkg -i chef-server*.deb && \ | ||
| rm chef-server*.deb && \ | ||
| apt-get remove -y wget && \ | ||
| rm -rf /var/lib/apt/lists/* | ||
|
|
||
| RUN dpkg-divert --local --rename --add /sbin/initctl | ||
| RUN ln -sf /bin/true /sbin/initctl | ||
|
|
||
| ADD reconfigure_chef.sh /usr/local/bin/ | ||
| ADD configure_chef.sh /usr/local/bin/ | ||
| ADD run.sh /usr/local/bin/ | ||
| CMD rsyslogd -n | ||
| VOLUME /root/ | ||
| VOLUME /var/log | ||
| CMD ["run.sh"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,50 +1,74 @@ | ||
| # chef-server | ||
|
|
||
| chef-server is running Chef Server 11 in a Ubuntu Trusty 14.04 LTS container. | ||
| Image Size: 1.025 GB | ||
| chef-server will run Chef Server 12 in an Ubuntu Trusty 14.04 LTS container. | ||
| Image Size: 1.124 GB | ||
|
|
||
| This is a fork of: [base/chef-server](https://registry.hub.docker.com/u/base/chef-server/). | ||
|
|
||
| ## Environment | ||
| Chef is running over HTTPS/443 by default. You can however change that to another port by updating the `CHEF_PORT` variable and the expose port `-p`. | ||
|
|
||
| You will need to use Chef 11.X in order to be able to use Knife. | ||
| Check Knife's version: | ||
| ```bash | ||
| cbuisson@t530:~# knife -v | ||
| Chef: 11.16.4 | ||
| ``` | ||
| *If you have Chef 12 installed on your Docker server, you will need to use* `knife ssl fetch` *in order to get the SSL certificates from the container. Don't forget to update `chef_server_url` with the container ID in knife.rb!* | ||
|
|
||
| ## Usage | ||
| *With log output:* | ||
| *Launch the container:* | ||
|
|
||
| ``` | ||
| $ docker run --privileged -e CHEF_PORT=443 --name chef-server -d -v ~/chef-logs:/var/log -v ~/install-chef-out:/root -p 443:443 cbuisson/chef-server | ||
| $ docker run --privileged -e CHEF_PORT=443 --name chef-server -d -p 443:443 cbuisson/chef-server | ||
| ``` | ||
|
|
||
| *Just the container:* | ||
| *Launch the container with logs volumes:* | ||
|
|
||
| ``` | ||
| $ docker run --privileged -e CHEF_PORT=443 --name chef-server -d -p 443:443 cbuisson/chef-server | ||
| $ docker run --privileged -e CHEF_PORT=443 --name chef-server -d -v ~/chef-logs:/var/log -v ~/install-chef-out:/root -p 443:443 cbuisson/chef-server | ||
| ``` | ||
|
|
||
| Once the Chef server is configured, you can download the Knife admin keys here: | ||
| Once Chef Server 12 is configured, you can download the Knife admin keys here: | ||
|
|
||
| ``` | ||
| $ curl -Ok https://IP_HOST:CHEF_PORT/knife_admin_key.tar.gz | ||
| $ curl -Ok https://CONTAINER_ID:CHEF_PORT/knife_admin_key.tar.gz | ||
| ``` | ||
|
|
||
| Then un-tar that archive and point your knife.rb to the `admin.pem` and `chef-validator.pem` files. | ||
| Then un-tar that archive and point your config.rb to the `admin.pem` and `admin-validator.pem` files. | ||
|
|
||
| *knife.rb* example: | ||
| ```bash | ||
| *config.rb* example: | ||
|
|
||
| ```ruby | ||
| log_level :info | ||
| log_location STDOUT | ||
| cache_type 'BasicFile' | ||
| node_name 'admin' | ||
| client_key '/home/cbuisson/.chef/admin.pem' | ||
| validation_client_name 'chef-validator' | ||
| validation_key '/home/cbuisson/.chef/chef-validator.pem' | ||
| chef_server_url 'https://IP_HOST:CHEF_PORT' | ||
| validation_client_name 'admin-validator' | ||
| validation_key '/home/cbuisson/.chef/admin-validator.pem' | ||
| chef_server_url 'https://CONTAINER_ID:CHEF_PORT/organizations/my_org' | ||
| ``` | ||
| Note: CONTAINER_ID **needs** to be resolvable by hostname! | ||
|
|
||
| When the config.rb file is ready, you will need to get the SSL certificate files from the container to access Chef Server: | ||
|
|
||
| ```bash | ||
| cbuisson@t530:~/.chef# knife ssl fetch | ||
| WARNING: Certificates from 512ab20b1e0d will be fetched and placed in your trusted_cert | ||
| directory (/home/cbuisson/.chef/trusted_certs). | ||
|
|
||
| Knife has no means to verify these are the correct certificates. You should | ||
| verify the authenticity of these certificates after downloading. | ||
|
|
||
| Adding certificate for 512ab20b1e0d in /home/cbuisson/.chef/trusted_certs/512ab20b1e0d.crt | ||
| ``` | ||
| You should now be able to use the knife command! | ||
| ```bash | ||
| cbuisson@t530:~# knife user list | ||
| admin | ||
| ``` | ||
| ##### Known issue | ||
| `chef-manage-ctl reconfigure` needs to run in order to access the Chef webui. When this command is executed within the container, it blocks here: | ||
| ```bash | ||
| * ruby_block[wait for redis service socket] action run | ||
| ``` | ||
| Therefore the Chef Server 12 webui isn't available at the moment, however this isn't required to use Chef since Knife is working. | ||
| ##### Tags | ||
| v1.0: Chef Server 11 | ||
| v2.0: Chef Server 12 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| #/bin/bash -x | ||
|
|
||
| chef-server-ctl reconfigure |tee /root/out.txt | ||
|
|
||
| URL="http://127.0.0.1:8000/_status" | ||
| CODE=1 | ||
| SECONDS=0 | ||
| TIMEOUT=60 | ||
|
|
||
| return=`curl -sf ${URL}` | ||
| echo "${URL} returns: ${return}" |tee -a /root/out.txt | ||
|
|
||
| if [[ -z "$return" ]]; then | ||
| echo "Error while running chef-server-ctl reconfigure" |tee -a /root/out.txt | ||
| echo -e "Blocking until <${URL}> responds...\n" |tee -a /root/out.txt | ||
|
|
||
| while [ $CODE -ne 0 ]; do | ||
|
|
||
| curl -sf \ | ||
| --connect-timeout 3 \ | ||
| --max-time 5 \ | ||
| --fail \ | ||
| --silent \ | ||
| ${URL} | ||
|
|
||
| CODE=$? | ||
|
|
||
| sleep 2 | ||
| echo -n "." |tee -a /root/out.txt | ||
|
|
||
| if [ $SECONDS -ge $TIMEOUT ]; then | ||
| echo "$URL is not available after $SECONDS seconds...stopping the script!" |tee -a /root/out.txt | ||
| exit 1 | ||
| fi | ||
|
|
||
| done; | ||
| echo -e "\n\n$URL is available!\n" |tee -a /root/out.txt | ||
| echo -e "\nSetting up admin user and default organization" |tee -a /root/out.txt | ||
| chef-server-ctl user-create admin Admin User [email protected] "passwd" --filename /etc/chef/admin.pem |tee -a /root/out.txt | ||
| chef-server-ctl org-create my_org "Default organization" --association_user admin --filename /etc/chef/admin-validator.pem |tee -a /root/out.txt | ||
| echo -e "\nRunning: chef-server-ctl install chef-manage" |tee -a /root/out.txt | ||
| chef-server-ctl install chef-manage |tee -a /root/out.txt | ||
| echo -e "\nRunning: chef-server-ctl reconfigure" |tee -a /root/out.txt | ||
| chef-server-ctl reconfigure |tee -a /root/out.txt | ||
| fi |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,103 +1,20 @@ | ||
| #!/bin/bash -xe | ||
| sysctl -w kernel.shmmax=17179869184 | ||
| /opt/chef-server/embedded/bin/runsvdir-start & | ||
| /usr/local/bin/reconfigure_chef.sh | ||
| hostname=`hostname` | ||
| cat > /var/opt/chef-server/nginx/etc/chef_https_lb.conf << EOL | ||
| server { | ||
| listen $CHEF_PORT; | ||
| server_name $hostname; | ||
| access_log /var/log/chef-server/nginx/access.log opscode; | ||
| ssl on; | ||
| ssl_certificate /var/opt/chef-server/nginx/ca/${hostname}.crt; | ||
| ssl_certificate_key /var/opt/chef-server/nginx/ca/${hostname}.key; | ||
| ssl_session_timeout 5m; | ||
| ssl_protocols SSLv3 TLSv1; | ||
| ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; | ||
| ssl_prefer_server_ciphers on; | ||
| root /var/opt/chef-server/nginx/html; | ||
| client_max_body_size 250m; | ||
| proxy_set_header Host \$host:\$server_port; | ||
| proxy_set_header X-Real-IP \$remote_addr; | ||
| proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; | ||
| proxy_set_header X-Forwarded-Proto https; | ||
| proxy_pass_request_headers on; | ||
| proxy_connect_timeout 1; | ||
| proxy_send_timeout 300; | ||
| proxy_read_timeout 300; | ||
| error_page 404 =404 /404.html; | ||
| error_page 503 =503 /503.json; | ||
| location /nginx_status { | ||
| stub_status on; | ||
| access_log off; | ||
| allow 127.0.0.1; | ||
| deny all; | ||
| } | ||
| location /knife_admin_key.tar.gz { | ||
| default_type application/zip; | ||
| alias /etc/chef-server/knife_admin_key.tar.gz; | ||
| } | ||
| location /version { | ||
| types { } | ||
| default_type text/plain; | ||
| alias /opt/chef-server/version-manifest.txt; | ||
| } | ||
| location /docs { | ||
| index index.html ; | ||
| alias /opt/chef-server/docs; | ||
| } | ||
| # bookshelf | ||
| location ~ "/bookshelf/{0,1}.*$" { | ||
| proxy_pass http://bookshelf; | ||
| } | ||
| location ~ "^/(?:stylesheets|javascripts|images|facebox|css|favicon|robots|humans)/{0,1}.*$" { | ||
| if (\$http_x_chef_version ~* "^(\d+\.\d+?)\..+$") { | ||
| error_page 400 =400 /400-chef_client_manage.json; | ||
| return 400; | ||
| } | ||
| proxy_pass http://chef_server_webui; | ||
| proxy_pass_request_headers off; | ||
| proxy_cache webui-cache; | ||
| proxy_cache_valid 200 302 300m; | ||
| proxy_cache_valid 404 1m; | ||
| } | ||
| location = /_status { | ||
| proxy_pass http://erchef/_status; | ||
| } | ||
| location = /_status/ { | ||
| proxy_pass http://erchef/_status; | ||
| } | ||
| location / { | ||
| set \$my_upstream erchef; | ||
| if (\$http_x_ops_userid = "") { | ||
| set \$my_upstream chef_server_webui; | ||
| } | ||
| proxy_redirect http://\$my_upstream /; | ||
| proxy_pass http://\$my_upstream; | ||
| } | ||
| } | ||
| EOL | ||
| cd /etc/chef-server/ && tar -cvzf knife_admin_key.tar.gz admin.pem chef-validator.pem | ||
| cat > /etc/chef-server/chef-server.rb << EOL | ||
| nginx['ssl_port'] = $CHEF_PORT | ||
| EOL | ||
| chef-server-ctl restart nginx | ||
| chef-server-ctl status >> /root/out.txt | ||
| echo "Done!" >> /root/out.txt | ||
| tail -F /opt/chef-server/embedded/service/*/log/current | ||
| /opt/opscode/embedded/bin/runsvdir-start & | ||
| if [ -f "/root/chef_configured" ] | ||
| then | ||
| echo -e "\nChef Server already configured!\n" |tee -a /root/out.txt | ||
| chef-server-ctl status |tee -a /root/out.txt | ||
| else | ||
| /usr/local/bin/configure_chef.sh | ||
| sed -i "s, listen 443;, listen $CHEF_PORT;,g" /var/opt/opscode/nginx/etc/chef_https_lb.conf | ||
| sed -i '$i\ location /knife_admin_key.tar.gz {\n default_type application/zip;\n alias /etc/chef/knife_admin_key.tar.gz;\n }' /var/opt/opscode/nginx/etc/chef_https_lb.conf | ||
| echo -e "\nCreating tar file with the Knife keys" |tee -a /root/out.txt | ||
| cd /etc/chef/ && tar -cvzf knife_admin_key.tar.gz admin.pem admin-validator.pem | ||
| echo -e "\nRestart Nginx..." |tee -a /root/out.txt | ||
| chef-server-ctl restart nginx | ||
| chef-server-ctl status |tee -a /root/out.txt | ||
| touch /root/chef_configured | ||
| echo -e "\n\nDone!\n" |tee -a /root/out.txt | ||
| fi | ||
| tail -F /opt/opscode/embedded/service/*/log/current |