共计 7496 个字符,预计需要花费 19 分钟才能阅读完成。
| 导读 | Chef 是一个 IT 基础设施自动化软件,它可以管理你组织中所有的服务器和网络设备。当我们想与 Chef 服务器、任何物理节点(服务器、网络设备等)的基础设施进行交互时,我们需要一个 Chef 工作站。本教程解释如何安装和配置 Linux 服务器上 Chef 工作站。 |
下载 ChefDK
ChefDK 是 Chef Development Kit 的缩写,它几乎用于所有的平台,包括基于 Debian 发行版、Ubuntu、RedHat、CentOS、Mac OS X 和 Windows。当前 ChefDK 的稳定版本是 0.11.2,对于基于 RHEL 的系统,它可用于版本 6 和 7(如:CentOS 6 和 CentOS 7),RPM 版本只有 64 位版本。
使用以下命令下载 ChefDK
在 CentOS 7 上
cd ~
wget https://packages.chef.io/stable/el/7/chefdk-0.11.2-1.el7.x86_64.rpm在 CentOS 6 上
cd ~
wget https://packages.chef.io/stable/el/6/chefdk-0.11.2-1.el6.x86_64.rpm 安装 ChefDK
使用 RPM 安装刚刚下载的 ChefDK
# rpm -ivh chefdk-0.11.2-1.el7.x86_64.rpm
Preparing... ################################# [100%]
Updating / installing...
1:chefdk-0.11.2-1.el7 ################################# [100%]
Thank you for installing Chef Development Kit!ChefDK 默认安装到 /opt/chefdk 目录下,如下所示
# ls -l /opt/chefdk/
drwxr-xr-x. 2 root root 4096 Mar 3 13:50 bin
drwxr-xr-x. 7 root root 62 Mar 3 13:50 embedded
-rw-r--r--. 1 root root 13249 Feb 22 14:26 version-manifest.json
-rw-r--r--. 1 root root 8233 Feb 22 14:26 version-manifest.txt 验证 ChefDK 的安装
执行 chef verify,验证所有来自 ChefDK 的不同组件,确保他们都工作正常,没有任何问题
# chef verify
Running verification for component 'berkshelf'
Running verification for component 'test-kitchen'
Running verification for component 'tk-policyfile-provisioner'
Running verification for component 'chef-client'
Running verification for component 'chef-dk'
Running verification for component 'chef-provisioning'
Running verification for component 'chefspec'
Running verification for component 'generated-cookbooks-pass-chefspec'
Running verification for component 'rubocop'
Running verification for component 'fauxhai'
Running verification for component 'knife-spork'
Running verification for component 'kitchen-vagrant'
Running verification for component 'package installation'
Running verification for component 'openssl'
Running verification for component 'inspec'
.......
---------------------------------------------
Verification of component 'test-kitchen' succeeded.
Verification of component 'chef-dk' succeeded.
Verification of component 'chefspec' succeeded.
Verification of component 'rubocop' succeeded.
Verification of component 'knife-spork' succeeded.
Verification of component 'openssl' succeeded.
Verification of component 'berkshelf' succeeded.
Verification of component 'chef-client' succeeded.
Verification of component 'fauxhai' succeeded.
Verification of component 'inspec' succeeded.
Verification of component 'tk-policyfile-provisioner' succeeded.
Verification of component 'kitchen-vagrant' succeeded.
Verification of component 'chef-provisioning' succeeded.
Verification of component 'package installation' succeeded.
Verification of component 'generated-cookbooks-pass-chefspec' succeeded.下面是 chef verify 失败的案例。注意:Ruby 在 Chef 中是必须的,它被嵌入在了 ChefDK 中。
# chef verify
..
/opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/mixlib-shellout-2.2.6/lib/mixlib/shellout.rb:289:in `invalid!': Expected process to exit with [0], but received'1' (Mixlib::ShellOut::ShellCommandFailed)
---- Begin output of /usr/bin/ohai -v ----
STDOUT:
STDERR: /opt/chefdk/embedded/lib/ruby/site_ruby/2.1.0/rubygems/dependency.rb:319:in `to_specs': Could not find'chef-config' (= 12.8.0) - did find: [chef-config-12.7.2] (Gem::LoadError)以上错误信息显示:“Could not find‘chef-config’(= 12.8.0) – did find: [chef-config-12.7.2] (Gem::LoadError)”,在安装的 ChefDK 中 chef-config 的版本是 12.7.2 的旧版本,在手动安装 chef-confg 12.8.0 版本后再执行 chef verify,显示验证成功。
验证 ChefDK 版本
执行 chef -version 命令,显示 ChefDK 的版本号以及所有附带组件
# chef --version
Chef Development Kit Version: 0.11.2
chef-client version: 12.7.2
berks version: 4.2.0
kitchen version: 1.5.0 设置 Chef 环境变量
设置 Chef 相关的环境变量,如:GEM_ROOT GEM_HOME GEM_PATH。
export GEM_ROOT="/opt/chefdk/embedded/lib/ruby/gems/2.1.0"
export GEM_HOME="/root/.chefdk/gem/ruby/2.1.0"
export GEM_PATH="/root/.chefdk/gem/ruby/2.1.0:/opt/chefdk/embedded/lib/ruby/gems/2.1.0"此外,如果你的系统上已经安装了 ruby,你需要更新与 ruby 相关的 PATH 变量,如下所示
export PATH="/opt/chefdk/bin:/root/.chefdk/gem/ruby/2.1.0/bin:/opt/chefdk/embedded/bin:/opt/chefdk/bin:/root/.chefdk/gem/ruby/2.1.0/bin:/opt/chefdk/embedded/bin:/opt/chefdk/bin:/root/.chefdk/gem/ruby/2.1.0/bin:/opt/chefdk/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin"显示所有 Chef 设置的环境变量。
chef shell-init bash想要快速设置这些环境变量,可以将其添加到 bash_profile 文件中,如下所示。
echo 'eval"$(chef shell-init bash)"' >> ~/.bash_profile 访问 Chef 的 Firewalld 规则
为了访问 Chef 服务器上的 Chef Manage GUI,添加以下 firewalld 规则,开放 Chef 服务器上的相应端口。
firewall-cmd --direct --add-rule ipv4 \
filter INPUT_direct 0 -i eth0 -p tcp \
--dport 443 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 \
filter INPUT_direct 0 -i eth0 -p tcp \
--dport 80 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 \
filter INPUT_direct 0 -i eth0 -p tcp \
--dport 9683 -j ACCEPT
firewall-cmd --reload 从 Chef Manage GUI 下载 Starter Kit
登录到 Chef Manage GUI,单击“Administration”选项,从列表中选择“organization”。此例中,“organization”为“example”,选中 organization 之后,点击左侧菜单中的“Starter Kit”。
按下“Download(下载)”按钮之后,会跳出一个警告信息,按下“Proceed”,它会将 chef-starter.zip 文件下载到本地机器。
解压缩 Starter Kit
将 chef-starter.zip 文件传输到 Chef 工作站并解压到 root 的 home 目录下
# cd ~
# unzip chef-starter.zip
Archive: chef-starter.zip
creating: chef-repo/cookbooks/
creating: chef-repo/cookbooks/starter/
creating: chef-repo/cookbooks/starter/templates/
creating: chef-repo/cookbooks/starter/templates/default/
inflating: chef-repo/cookbooks/starter/templates/default/sample.erb
creating: chef-repo/cookbooks/starter/files/
creating: chef-repo/cookbooks/starter/files/default/
inflating: chef-repo/cookbooks/starter/files/default/sample.txt
creating: chef-repo/cookbooks/starter/recipes/
inflating: chef-repo/cookbooks/starter/recipes/default.rb
creating: chef-repo/cookbooks/starter/attributes/
inflating: chef-repo/cookbooks/starter/attributes/default.rb
inflating: chef-repo/cookbooks/starter/metadata.rb
inflating: chef-repo/cookbooks/chefignore
inflating: chef-repo/README.md
inflating: chef-repo/.gitignore
creating: chef-repo/.chef/
creating: chef-repo/roles/
inflating: chef-repo/.chef/knife.rb
inflating: chef-repo/roles/starter.rb
inflating: chef-repo/.chef/ramesh.pem
inflating: chef-repo/.chef/example-validator.pem如果你手动创建了 chef-repo 文件夹,那你就需要手动创建上述的子目录,复制 knife.rb 文件、organization-validator.pem 文件(如:example-validator.pem)、username.pem 文件(如:ramesh.pem)到上面显示的目录中。
Chef 服务器的 SSL 证书
在这个阶段如果执行 knife client list 会得到以下错误信息
# cd ~/chef-repo
# knife client list
ERROR: SSL Validation failure connecting to host: centos.example.com - SSL_connect returned=1 errno=0 state=error: certificate verify failed
ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use
`knife ssl fetch` to make knife trust the server's certificates.
Original Exception: OpenSSL::SSL::SSLError: SSL Error connecting to https://centos.example.com/organizations/example/clients - SSL_connect returned=1 errno=0 state=error: certificate verify failed证书验证失败,因为我们没有从 Chef 服务器下载 SSL 证书,此时可以执行以下“knife ssl fetch”。
# cd ~/chef-repo
# knife ssl fetch
WARNING: Certificates from centos.example.com will be fetched and placed in your trusted_cert
directory (/root/chef-repo/.chef/trusted_certs).
Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.证书将会下载到以下 truster_certs 目录中
# ls -l /root/chef-repo/.chef/trusted_certs
-rw-r--r--. 1 root root 1379 Mar 20 20:17 centos_example_com.crt
# cat /root/chef-repo/.chef/trusted_certs/centos_example_com.crt
-----BEGIN CERTIFICATE-----
MIIDzDCCArSgAwIBAgIBADANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJVUzEQ
MA4GA1UECgwHWW91Q29ycDETMBEGA1UECwwKT3BlcmF0aW9uczEbMBkGA1UEAwwS
ZXJhdGlvbnMxGzAZBgNVBAMMEmNlbnRvcy5leGFtcGxlLmNvbTCCASIwDQYJKoZI
..
..
WLyr2ORLMcck/OGsubabO/koMNTqhl2JJPECNiDJh06MeZ/2+BOwGZSpXDbw+vFE
NJAsLfsTzihGWZ58einMFA==
-----END CERTIFICATE-----Chef 工作站的最终确认
如果 Chef 工作站工作正常,当你执行“knife client list”时,它会显示所有连接工作站的客户端。由于我们刚刚安装它,因此只能看到刚刚我们创建的组织(organization)
# cd ~/chef-repo
# knife client list
example-validator如果你现有的 Chef 工作站机器上已经有 5 个服务器连接到它了,你会看到以下信息
# knife client list
example-validator
node1
node2
node3
node4
node5
正文完
星哥玩云-微信公众号
