
Chef Centralized Management Tool in Practice (3): Custom Configuration

Author: 北京IT服务外包公司 (Beijing IT Service Outsourcing Company)  Published: 2016-04-11

Environment
OS: Ubuntu 10.10 Server 64-bit
Servers:
chef-server: 10.6.1.170
chef-workstation: 10.6.1.171
chef-client-1: 10.6.1.172

1. Start cooking your own meal
"Once my skills are good enough, I will write my own dishes and recipes and create a feast of my own." I said this earlier, and in the previous chapter we completed the account and openssh configuration using cookbooks provided by the official community.
In this chapter we write a cookbook of our own, turn each custom configuration task into its own recipe, and finally use it to configure a server.

2. How to get started
How do we start? Using a community cookbook is easy: you only change the parameters in its attributes. But if you want to write your own, how do you write it, and in what format?
You probably have this question. Don't worry: the official Chef community has thorough online documentation to refer to.

The URL in the "References" mentioned above is the address of that documentation: http://wiki.opscode.com/display/chef/Resources#Resources-Service
There is a lot of content; the table of contents on the right helps to navigate it.

There are roughly 30 resource types in total, each with its own examples.
The most commonly used are:
Account management: Group, User
Configuration files: Template, File
Scripts and commands: Script, Execute
System services: Cron, Service, Mount, Package

The exact usage of each of these resources can be found on the page above, so I will not describe them here; instead we will come to understand them through practice.

3. Plan what to do next
Taking a case from my own production environment as an example, the operating system is Ubuntu and the following tasks need to be done:
1. Create a group named project and add the previously created user ubuntu to it
2. Change the system's default APT mirror to http://old-releases.ubuntu.com
3. Install build-essential via apt-get
4. Compile and install pcre 8.10

This time, instead of searching the official community for a third-party cookbook, we write a cookbook ourselves.

3.1 First, design the cookbook
Name the cookbook mycookbook,
then create 4 separate recipes, named
conf_group, conf_sources.list, install_build-essential, build_pcre
to accomplish the 4 tasks above.

3.2 Writing the cookbook
3.2.1 Create the cookbook
ubuntu@chef-workstation:/opt/chef-local$ sudo knife cookbook create mycookbook
    ** Creating cookbook mycookbook
    ** Creating README for cookbook: mycookbook
    ** Creating CHANGELOG for cookbook: mycookbook
    ** Creating metadata for cookbook: mycookbook

ubuntu@chef-workstation:/opt/chef-local$ cd cookbooks/mycookbook/
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook$ ls
    CHANGELOG.md  README.md  attributes  definitions  files  libraries  metadata.rb  providers  recipes  resources  templates

ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook$ cd recipes/
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ ls
    default.rb

3.2.2 Create the recipe conf_group
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ sudo vim conf_group.rb
    group "project" do
      gid 999
      members [ 'ubuntu' ]
    end

3.2.3 Create the recipe conf_sources.list
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ sudo vim conf_sources.list.rb
    execute "update" do
      command "sudo apt-get update"
      action :nothing
    end

    template "/etc/apt/sources.list" do
      source "sources.list.erb"
      mode 0644
      owner "root"
      group "root"
      notifies :run, "execute[update]", :immediately
    end

ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ cd ../templates/default/
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/templates/default$ sudo vim sources.list.erb
    # Generated by Chef for <%= node['fqdn'] %>
    deb http://old-releases.ubuntu.com/ubuntu/ maverick main restricted universe multiverse
    deb http://old-releases.ubuntu.com/ubuntu/ maverick-security main restricted universe multiverse
    deb http://old-releases.ubuntu.com/ubuntu/ maverick-updates main restricted universe multiverse
    deb-src http://old-releases.ubuntu.com/ubuntu/ maverick main restricted universe multiverse
    deb-src http://old-releases.ubuntu.com/ubuntu/ maverick-security main restricted universe multiverse
    deb-src http://old-releases.ubuntu.com/ubuntu/ maverick-updates main restricted universe multiverse

3.2.4 Create the recipe install_build-essential
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/templates/default$ cd ../../recipes/
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ sudo vim install_build-essential.rb
    package "build-essential" do
      action :install
    end

3.2.5 Create the recipe build_pcre
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ sudo vim build_pcre.rb
    script "build_pcre" do
      interpreter "bash"
      user "root"
      cwd "/tmp"
      not_if "test -f /usr/local/bin/pcregrep"
      code <<-EOH
      wget http://nchc.dl.sourceforge.net/project/pcre/pcre/8.10/pcre-8.10.tar.gz
      tar zxvf pcre-8.10.tar.gz
      cd pcre-8.10
      ./configure
      make
      make install
      EOH
    end

3.3 Upload and apply the cookbook
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ ll
    total 28
    drwxr-xr-x  2 root root 4096 Jan  6 18:30 ./
    drwxr-xr-x 10 root root 4096 Jan  6 18:11 ../
    -rw-r--r--  1 root root  305 Jan  6 18:30 build_pcre.rb
    -rw-r--r--  1 root root   56 Jan  6 18:17 conf_group.rb
    -rw-r--r--  1 root root  234 Jan  6 18:19 conf_sources.list.rb
    -rw-r--r--  1 root root  136 Jan  6 18:11 default.rb
    -rw-r--r--  1 root root   51 Jan  6 18:24 install_build-essential.rb

Upload the cookbook
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ sudo knife cookbook upload mycookbook
    Uploading mycookbook     [0.1.0]
    Uploaded 1 cookbook.

View the current role file
ubuntu@chef-workstation:/opt/chef-local/cookbooks/mycookbook/recipes$ cd ../../../roles/
ubuntu@chef-workstation:/opt/chef-local/roles$ ls
    README.md  ubuntu_servers.rb

ubuntu@chef-workstation:/opt/chef-local/roles$ cat ubuntu_servers.rb
    name "ubuntu_servers"
    description "The base role applied to all nodes."
    run_list(
        "recipe[user]",
        "recipe[user::data_bag]",
        "recipe[openssh]"
    )
    override_attributes(
        "users" => [ "ubuntu" ]
    )

Update the role file
ubuntu@chef-workstation:/opt/chef-local/roles$ sudo vim ubuntu_servers.rb
    name "ubuntu_servers"
    description "The base role applied to all nodes."
    run_list(
        "recipe[user]",
        "recipe[user::data_bag]",
        "recipe[openssh]",
        "recipe[mycookbook::conf_group]",
        "recipe[mycookbook::conf_sources.list]",
        "recipe[mycookbook::install_build-essential]",
        "recipe[mycookbook::build_pcre]"
    )
    override_attributes(
        "users" => [ "ubuntu" ]
    )

Upload the role file
ubuntu@chef-workstation:/opt/chef-local/roles$ sudo knife role from file ubuntu_servers.rb
    Updated Role ubuntu_servers!

List the nodes
ubuntu@chef-workstation:/opt/chef-local/roles$ sudo knife node list
    chef-client-1
    chef-server

Update the node's run_list
ubuntu@chef-workstation:/opt/chef-local/roles$ sudo knife node run_list add chef-client-1 "role[ubuntu_servers]"
    run_list:  role[ubuntu_servers]

3.4 Apply the new cookbook on the node
ubuntu@chef-client-1:~$ sudo chef-client
    INFO: *** Chef 10.16.2 ***
    INFO: Run List is [role[ubuntu_servers]]
    INFO: Run List expands to [user, user::data_bag, openssh, mycookbook::conf_group, mycookbook::conf_sources.list, mycookbook::install_build-essential, mycookbook::build_pcre]
    INFO: HTTP Request Returned 404 Not Found: No routes match the request: /reports/nodes/chef-client-1/runs
    INFO: Starting Chef Run for chef-client-1
    INFO: Running start handlers
    INFO: Start handlers complete.
    INFO: Loading cookbooks [mycookbook, openssh, user]
    INFO: Storing updated cookbooks/openssh/recipes/default.rb in the cache.
    INFO: Storing updated cookbooks/openssh/attributes/default.rb in the cache.
    INFO: Storing updated cookbooks/openssh/.gitignore in the cache.
    INFO: Storing updated cookbooks/openssh/metadata.rb in the cache.
    INFO: Storing updated cookbooks/openssh/README.md in the cache.
    INFO: Storing updated cookbooks/openssh/LICENSE in the cache.
    INFO: Storing updated cookbooks/openssh/CHANGELOG.md in the cache.
    INFO: Storing updated cookbooks/openssh/metadata.json in the cache.
    INFO: Storing updated cookbooks/openssh/Gemfile in the cache.
    INFO: Storing updated cookbooks/openssh/CONTRIBUTING in the cache.
    INFO: Storing updated cookbooks/user/resources/account.rb in the cache.
    INFO: Storing updated cookbooks/user/providers/account.rb in the cache.
    INFO: Storing updated cookbooks/user/recipes/data_bag.rb in the cache.
    INFO: Storing updated cookbooks/user/recipes/default.rb in the cache.
    INFO: Storing updated cookbooks/user/attributes/default.rb in the cache.
    INFO: Storing updated cookbooks/user/Rakefile in the cache.
    INFO: Storing updated cookbooks/user/CHANGELOG.md in the cache.
    INFO: Storing updated cookbooks/user/README.md in the cache.
    INFO: Storing updated cookbooks/user/metadata.rb in the cache.
    INFO: Storing updated cookbooks/user/metadata.json in the cache.
    INFO: Storing updated cookbooks/mycookbook/recipes/build_nginx.rb in the cache.
    INFO: Storing updated cookbooks/mycookbook/recipes/conf_group.rb in the cache.
    INFO: Storing updated cookbooks/mycookbook/recipes/conf_sources.list.rb in the cache.
    INFO: Storing updated cookbooks/mycookbook/recipes/default.rb in the cache.
    INFO: Storing updated cookbooks/mycookbook/recipes/install_build-essential.rb in the cache.
    INFO: Storing updated cookbooks/mycookbook/recipes/build_pcre.rb in the cache.
    INFO: Storing updated cookbooks/mycookbook/README.md in the cache.
    INFO: Storing updated cookbooks/mycookbook/metadata.rb in the cache.
    INFO: Storing updated cookbooks/mycookbook/CHANGELOG.md in the cache.
    INFO: Processing user_account[ubuntu] action create (user::data_bag line 36)
    INFO: Processing user[ubuntu] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
    INFO: user[ubuntu] created
    INFO: Processing directory[/home/ubuntu/.ssh] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
    INFO: directory[/home/ubuntu/.ssh] created directory /home/ubuntu/.ssh
    INFO: directory[/home/ubuntu/.ssh] owner changed to 1001
    INFO: directory[/home/ubuntu/.ssh] group changed to 109
    INFO: directory[/home/ubuntu/.ssh] mode changed to 700
    INFO: Processing directory[/home/ubuntu] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
    INFO: directory[/home/ubuntu] mode changed to 2755
    INFO: Processing template[/home/ubuntu/.ssh/authorized_keys] action create (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
    INFO: template[/home/ubuntu/.ssh/authorized_keys] updated content
    INFO: template[/home/ubuntu/.ssh/authorized_keys] owner changed to 1001
    INFO: template[/home/ubuntu/.ssh/authorized_keys] group changed to 109
    INFO: template[/home/ubuntu/.ssh/authorized_keys] mode changed to 600
    INFO: Processing user[ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 94)
    INFO: Processing directory[/home/ubuntu/.ssh] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
    INFO: Processing directory[/home/ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 114)
    INFO: Processing template[/home/ubuntu/.ssh/authorized_keys] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 130)
    INFO: Processing execute[create ssh keypair for ubuntu] action nothing (/var/chef/cache/cookbooks/user/providers/account.rb line 148)
    INFO: Processing package[openssh-client] action install (openssh::default line 27)
    INFO: Processing package[openssh-server] action install (openssh::default line 27)
    INFO: Processing service[ssh] action enable (openssh::default line 30)
    INFO: service[ssh] enabled
    INFO: Processing service[ssh] action start (openssh::default line 30)
    INFO: Processing template[/etc/ssh/ssh_config] action create (openssh::default line 48)
    INFO: template[/etc/ssh/ssh_config] backed up to /var/chef/backup/etc/ssh/ssh_config.chef-20130106190629
    INFO: template[/etc/ssh/ssh_config] updated content
    INFO: template[/etc/ssh/ssh_config] owner changed to 0
    INFO: template[/etc/ssh/ssh_config] group changed to 0
    INFO: template[/etc/ssh/ssh_config] mode changed to 644
    INFO: Processing template[/etc/ssh/sshd_config] action create (openssh::default line 66)
    INFO: template[/etc/ssh/sshd_config] backed up to /var/chef/backup/etc/ssh/sshd_config.chef-20130106190629
    INFO: template[/etc/ssh/sshd_config] updated content
    INFO: template[/etc/ssh/sshd_config] owner changed to 0
    INFO: template[/etc/ssh/sshd_config] group changed to 0
    INFO: template[/etc/ssh/sshd_config] mode changed to 644
    INFO: Processing group[project] action create (mycookbook::conf_group line 1)
    INFO: group[project] created
    INFO: Processing execute[update] action nothing (mycookbook::conf_sources.list line 1)
    INFO: Processing template[/etc/apt/sources.list] action create (mycookbook::conf_sources.list line 6)
    INFO: template[/etc/apt/sources.list] backed up to /var/chef/backup/etc/apt/sources.list.chef-20130106190629
    INFO: template[/etc/apt/sources.list] updated content
    INFO: template[/etc/apt/sources.list] owner changed to 0
    INFO: template[/etc/apt/sources.list] group changed to 0
    INFO: template[/etc/apt/sources.list] mode changed to 644
    INFO: template[/etc/apt/sources.list] sending run action to execute[update] (immediate)
    INFO: Processing execute[update] action run (mycookbook::conf_sources.list line 1)
    INFO: execute[update] ran successfully
    INFO: Processing package[build-essential] action install (mycookbook::install_build-essential line 1)
    INFO: Processing script[build_pcre] action run (mycookbook::build_pcre line 1)
    INFO: script[build_pcre] ran successfully
    INFO: template[/etc/ssh/sshd_config] sending restart action to service[ssh] (delayed)
    INFO: Processing service[ssh] action restart (openssh::default line 30)
    INFO: service[ssh] restarted
    INFO: Chef Run complete in 448.775004685 seconds
    INFO: Running report handlers
    INFO: Report handlers complete


From the output above we can clearly see how each recipe was executed, and all of them ran successfully.

We verify them one by one as follows:
ubuntu@chef-client-1:~$ id ubuntu
    uid=1001(ubuntu) gid=109(admin) groups=109(admin),999(project)

ubuntu@chef-client-1:~$ cat /etc/apt/sources.list
    # Generated by Chef for chef-client-1
    deb http://old-releases.ubuntu.com/ubuntu/ maverick main restricted universe multiverse
    deb http://old-releases.ubuntu.com/ubuntu/ maverick-security main restricted universe multiverse
    deb http://old-releases.ubuntu.com/ubuntu/ maverick-updates main restricted universe multiverse
    deb-src http://old-releases.ubuntu.com/ubuntu/ maverick main restricted universe multiverse
    deb-src http://old-releases.ubuntu.com/ubuntu/ maverick-security main restricted universe multiverse
    deb-src http://old-releases.ubuntu.com/ubuntu/ maverick-updates main restricted universe multiverse

ubuntu@chef-client-1:~$ dpkg -l | grep build-essential
    ii  build-essential                 11.5                              Informational list of build-essential packages

ubuntu@chef-client-1:~$ which pcregrep
    /usr/local/bin/pcregrep

The checks above confirm once more that every task was carried out.
We have successfully completed the custom configuration with our own cookbook.

4. More advanced features
By now we have gained some ability to write cookbooks.
Below I share some experience that I found valuable:

4.1 Install the community cookbook chef-client, which makes the client pull its configuration from the server automatically on a schedule, every 30 minutes by default; the interval is configurable
Tips:
---
$ sudo knife cookbook site install chef-client

Reference it as follows:
    "recipe[chef-client::delete_validation]",
    "recipe[chef-client::config]",
    "recipe[chef-client::service]",

4.2 Adapting the openssh cookbook
Tips:
---
Copy the system's /etc/ssh/sshd_config directly as the template file sshd_config.erb,
then change only the parameters you need to customize so that they are read from attributes, e.g.:
    PasswordAuthentication <%= node['openssh']['server']['password_authentication'] %>
    UseDNS <%= node['openssh']['server']['use_dns'] %>

Likewise, we can write our own attributes file to supply these parameters.
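The following is an added example, not code from the original post or from the openssh cookbook: it renders the two template lines above with plain Ruby ERB from a node-style attribute hash, the way Chef's template resource binds `node`, and then checks the rendered file before it is uploaded. The attribute values used are constructed sample data; `render_sshd_config`, `parse_sshd_config` and `weak_settings` are names chosen here.

```ruby
require 'erb'

# The two template lines from section 4.2 (rest of sshd_config omitted).
SSHD_TEMPLATE = <<~TEMPLATE
  PasswordAuthentication <%= node['openssh']['server']['password_authentication'] %>
  UseDNS <%= node['openssh']['server']['use_dns'] %>
TEMPLATE

# Render with `node` bound, as the Chef template resource does for sshd_config.erb.
def render_sshd_config(node)
  ERB.new(SSHD_TEMPLATE).result(binding)
end

# Parse "Key value" lines of a rendered sshd_config into a Hash.
def parse_sshd_config(text)
  text.lines.map(&:strip).reject(&:empty?).each_with_object({}) do |line, cfg|
    key, value = line.split(/\s+/, 2)
    cfg[key] = value
  end
end

# Settings a reviewer should reject before the template goes to the server:
# password logins enabled, or an attribute that was unset and rendered empty.
def weak_settings(rendered)
  cfg = parse_sshd_config(rendered)
  problems = []
  problems << 'PasswordAuthentication' if cfg['PasswordAuthentication'].to_s.downcase == 'yes'
  cfg.each { |key, value| problems << key if value.nil? || value.empty? }
  problems
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample attributes, not the openssh cookbook's real defaults.
  node = { 'openssh' => { 'server' => { 'password_authentication' => 'no', 'use_dns' => 'no' } } }
  puts render_sshd_config(node)
  p weak_settings(render_sshd_config(node))
end
```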

4.3 Redefining attribute values in a role file
Tips:
---
With override_attributes you can set attribute values directly, so that different roles use different values.
For example, for the community sudo cookbook's configuration, the values can be redefined as follows:

Default values:
    default['authorization']['sudo']['groups'] = Array.new
    default['authorization']['sudo']['users'] = Array.new
    default['authorization']['sudo']['passwordless'] = false
    default['authorization']['sudo']['include_sudoers_d'] = false
    default['authorization']['sudo']['agent_forwarding'] = false

Values redefined in the role file:
    override_attributes(
        "authorization" => {
          "sudo" => {
            "groups" => ["admin"],
            "passwordless" => true,
            "users" => ["zabbix"]
          }
        }
    )

5. That wraps up this series
To put it in a rather cheesy way: this is as far as I can take you. From here, with the official documentation and more hands-on use, we can become truly proficient with Chef, this powerful centralized management tool, and keep any number of servers well in order.

Keywords: Chef
