From 99990762616bd34a5fc75a752afaadd320819b46 Mon Sep 17 00:00:00 2001
From: Dieterich Lawson
Date: Fri, 29 Jun 2012 17:45:04 -0500
Subject: [PATCH] Updated chef-server to make local installs easier
- Changed default install directory for osx to /usr/local/etc/cher
- Added configuration options for chef-server user and group
- Added a script that properly sets up rabbitmq to be run before standing up chef-server for the first time
- other small changes
---
 chef-server/attributes/default.rb | 30 ++++++--
 chef-server/recipes/apache-proxy.rb | 14 ++--
 chef-server/recipes/nginx-proxy.rb | 8 +--
 chef-server/recipes/rabbitmq.rb | 16 +++--
 chef-server/recipes/rubygems-install.rb | 68 ++++++++++---------
 .../default/Procfile-chef-server.erb | 9 +--
 .../templates/default/chef_server.conf.erb | 8 +--
 .../default/chef_server.nginx.conf.erb | 8 +--
 chef-server/templates/default/server.rb.erb | 15 ++--
 .../default/setup-chef-server.sh.erb | 44 ++++++++++++
 10 files changed, 149 insertions(+), 71 deletions(-)
 create mode 100644 chef-server/templates/default/setup-chef-server.sh.erb
diff --git a/chef-server/attributes/default.rb b/chef-server/attributes/default.rb
index fb4f2d9e8..85a981406 100644
--- a/chef-server/attributes/default.rb
+++ b/chef-server/attributes/default.rb
@@ -24,35 +24,52 @@
 default["chef_server"]["run_path"] = "/var/run/chef"
 default["chef_server"]["cache_path"] = "/var/cache/chef"
 default["chef_server"]["backup_path"] = "/var/lib/chef/backup"
+ default["chef_server"]["conf_dir"] = "/etc/chef"
+ default['chef_server']['log_dir'] = "/var/log/chef"
+ default['chef_server']['group'] = 'wheel'
 when "debian","ubuntu","redhat","centos","fedora"
 default["chef_server"]["init_style"] = "init"
 default["chef_server"]["path"] = "/var/lib/chef"
 default["chef_server"]["run_path"] = "/var/run/chef"
 default["chef_server"]["cache_path"] = "/var/cache/chef"
 default["chef_server"]["backup_path"] = "/var/lib/chef/backup"
+ default["chef_server"]["conf_dir"] = "/etc/chef"
+ default['chef_server']['log_dir'] = "/var/log/chef"
+ default['chef_server']['group'] = 'wheel'
 when "openbsd","freebsd"
 default["chef_server"]["init_style"] = "bsd"
 default["chef_server"]["path"] = "/var/chef"
 default["chef_server"]["run_path"] = "/var/run"
 default["chef_server"]["cache_path"] = "/var/chef/cache"
 default["chef_server"]["backup_path"] = "/var/chef/backup"
+ default["chef_server"]["conf_dir"] = "/etc/chef"
+ default['chef_server']['log_dir'] = "/var/log/chef"
+ default['chef_server']['group'] = 'wheel'
 when "mac_os_x"
+ #NOTE: these defaults assume that if you are deploying chef-server on OS X
+ # then you want it to be a dev environment.
+ default["chef_server"]["manage_user_action"] = "nothing"
 default["chef_server"]["init_style"] = "procfile"
- default["chef_server"]["path"] = "/var/chef"
- default["chef_server"]["run_path"] = "/var/chef/pid"
- default["chef_server"]["cache_path"] = "/var/chef/cache"
- default["chef_server"]["backup_path"] = "/var/chef/backup"
+ default["chef_server"]["path"] = "/usr/local/var/chef"
+ default["chef_server"]["run_path"] = "/usr/local/var/chef/pid"
+ default["chef_server"]["cache_path"] = "/usr/local/var/chef/cache"
+ default["chef_server"]["backup_path"] = "/usr/local/var/chef/backup"
+ default["chef_server"]["conf_dir"] = "/usr/local/etc/chef"
+ default["chef_server"]["log_dir"] = "/usr/local/var/log/chef"
+ default['chef_server']['group'] = 'wheel'
 else
 default["chef_server"]["init_style"] = "none"
 default["chef_server"]["path"] = "/var/chef"
 default["chef_server"]["run_path"] = "/var/run"
 default["chef_server"]["cache_path"] = "/var/chef/cache"
 default["chef_server"]["backup_path"] = "/var/chef/backup"
+ default["chef_server"]["conf_dir"] = "/etc/chef"
+ default['chef_server']['log_dir'] = "/var/log/chef"
+ default['chef_server']['group'] = 'root'
 end
 default['chef_server']['umask'] = "0022"
 default['chef_server']['url'] = "http://localhost:4000"
-default['chef_server']['log_dir'] = "/var/log/chef"
 default['chef_server']['api_port'] = "4000"
 default['chef_server']['webui_port'] = "4040"
 default['chef_server']['webui_enabled'] = false
@@ -60,3 +77,6 @@
 default['chef_server']['validation_client_name'] = "chef-validator"
 default['chef_server']['expander_nodes'] = 1
 default['chef_server']['amqp_pass'] = 'testing'
+default['chef_server']['user'] = 'chef'
+default['chef_server']['user_manage_action'] = 'create'
+default['chef_server']['user_shell'] = '/bin/sh'
diff --git a/chef-server/recipes/apache-proxy.rb b/chef-server/recipes/apache-proxy.rb
index 63bb97c79..d31d472bf 100644
--- a/chef-server/recipes/apache-proxy.rb
+++ b/chef-server/recipes/apache-proxy.rb
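Review bot: `default['chef_server']['group'] = 'wheel'` in the `"debian","ubuntu","redhat","centos","fedora"` arm is a regression for Debian and Ubuntu, which ship no `wheel` group: the `directory` and `template` resources in rubygems-install.rb that now use `group node['chef_server']['group']` will fail to chown there, whereas the removed `root_group` lookup gave those platforms `root`. Either set `default['chef_server']['group'] = 'root'` for that arm (what all five got before) or split Debian/Ubuntu into their own arm. Separately, the OS X arm sets `manage_user_action` to `"nothing"` while `user` still defaults to `chef`, so every resource will chown to a user nothing creates; extend the NOTE with `# No chef user is created here: override node['chef_server']['user'] and ['group'] with your own account.`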
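Review bot: `default['chef_server']['user_manage_action'] = 'create'` is never read: rubygems-install.rb and the OS X arm above both spell the key `manage_user_action`, so on every platform except OS X the recipe sees nil, and an operator overriding `user_manage_action` gets no effect. Rename this line to `default['chef_server']['manage_user_action'] = 'create'` so the attribute and its consumer agree. It is also worth a comment on `user_shell` that the `sudo -u … foreman start` instructions the recipe logs do not need an interactive shell, so a nologin shell is the safer default for anything other than a dev box.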
@@ -16,12 +16,13 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
+=begin
 root_group = value_for_platform(
 "openbsd" => { "default" => "wheel" },
 "freebsd" => { "default" => "wheel" },
 "default" => "root"
 )
+=end
 node['apache']['listen_ports'] << "443" unless node['apache']['listen_ports'].include?("443")
 if node['chef_server']['webui_enabled']
@@ -38,21 +39,22 @@
 include_recipe "apache2::mod_expires"
 include_recipe "apache2::mod_deflate"
-directory "/etc/chef/certificates" do
- owner "chef"
- group root_group
+directory "#{node['chef_server']['conf_dir']}/certificates" do
+ owner node['chef_server']['user']
+# group root_group
+ group node['chef_server']['group']
 mode "700"
 end
 bash "Create SSL Certificates" do
- cwd "/etc/chef/certificates"
+ cwd "#{node['chef_server']['conf_dir']}/certificates"
 code <<-EOH
 umask 077
 openssl genrsa 2048 > chef-server-proxy.key
 openssl req -subj "#{node['chef_server']['ssl_req']}" -new -x509 -nodes -sha1 -days 3650 -key chef-server-proxy.key > chef-server-proxy.crt
 cat chef-server-proxy.key chef-server-proxy.crt > chef-server-proxy.pem
 EOH
- not_if { ::File.exists?("/etc/chef/certificates/chef-server-proxy.pem") }
+ not_if { ::File.exists?("#{node['chef_server']['conf_dir']}/certificates/chef-server-proxy.pem") }
 end
 web_app "chef-server-proxy" do
diff --git a/chef-server/recipes/nginx-proxy.rb b/chef-server/recipes/nginx-proxy.rb
index d428266d1..bed54b7dd 100644
--- a/chef-server/recipes/nginx-proxy.rb
+++ b/chef-server/recipes/nginx-proxy.rb
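Review bot: Wrapping the `root_group` lookup in `=begin`/`=end` leaves five lines of dead code at the top of the recipe; nothing reads `root_group` after this change (the next hunk switches the certificates directory to `group node['chef_server']['group']`), so delete the block rather than commenting it out and let git keep the history. The same applies to the `# group root_group` line left inside the `directory` resource in the following hunk.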
@@ -25,21 +25,21 @@
 "default" => "root"
 )
-directory "/etc/chef/certificates" do
- owner "chef"
+directory "#{node['chef_server']['conf_dir']}/certificates" do
+ owner node['chef_server']['user']
 group root_group
 mode "700"
 end
 bash "Create SSL Certificates" do
- cwd "/etc/chef/certificates"
+ cwd "#{node['chef_server']['conf_dir']}/certificates"
 code <<-EOH
 umask 077
 openssl genrsa 2048 > chef-server-proxy.key
 openssl req -subj "#{node['chef_server']['ssl_req']}" -new -x509 -nodes -sha1 -days 3650 -key chef-server-proxy.key > chef-server-proxy.crt
 cat chef-server-proxy.key chef-server-proxy.crt > chef-server-proxy.pem
 EOH
- not_if { ::File.exists?("/etc/chef/certificates/chef-server-proxy.pem") }
+ not_if { ::File.exists?("#{node['chef_server']['conf_dir']}/certificates/chef-server-proxy.pem") }
 end
 template "#{node[:nginx][:dir]}/sites-available/chef_server_proxy.conf" do
diff --git a/chef-server/recipes/rabbitmq.rb b/chef-server/recipes/rabbitmq.rb
index 372e84f7c..6e1da00b7 100644
--- a/chef-server/recipes/rabbitmq.rb
+++ b/chef-server/recipes/rabbitmq.rb
@@ -39,17 +39,21 @@ def debian_before_squeeze?
 version '1.7.2-1'
 action :install
 end
+elsif platform?("mac_os_x")
+ package "rabbitmq"
 else
 package "rabbitmq-server"
 end
-service "rabbitmq-server" do
- if platform?("centos","redhat","fedora")
- start_command "/sbin/service rabbitmq-server start &> /dev/null"
- stop_command "/sbin/service rabbitmq-server stop &> /dev/null"
+if not platform?("mac_os_x")
+ service "rabbitmq-server" do
+ if platform?("centos","redhat","fedora")
+ start_command "/sbin/service rabbitmq-server start &> /dev/null"
+ stop_command "/sbin/service rabbitmq-server stop &> /dev/null"
+ end
+ supports [ :restart, :status ]
+ action [ :enable, :start ]
 end
- supports [ :restart, :status ]
- action [ :enable, :start ]
 end
 # add a chef vhost to the queue
diff --git a/chef-server/recipes/rubygems-install.rb b/chef-server/recipes/rubygems-install.rb
index dd62ead99..1323d91ce 100644
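Review bot: This hunk keeps `group root_group` on `#{conf_dir}/certificates` while apache-proxy.rb and rubygems-install.rb in the same patch switch that very directory to `group node['chef_server']['group']`; two resources managing one path with different groups means the last one to converge wins and the group flips with recipe order, and the two proxy recipes no longer agree with each other. Use `group node['chef_server']['group']` here as well and drop the now-unused `root_group` lookup above the hunk, or keep the attribute out of both proxies, but not one of each.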
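Review bot: `if not platform?("mac_os_x")` is the Python spelling; Ruby's form is `unless platform?("mac_os_x")` with the same `end`. More importantly, on OS X this now installs the `rabbitmq` package but never starts the broker, while the `# add a chef vhost to the queue` section that follows (outside this hunk) presumably still runs `rabbitmqctl` during the converge; if so it will fail on OS X until the new setup-chef-server.sh has been run, so those steps want the same platform guard or a `not_if`. The rest of the recipe is outside the hunk, so this is inferred from the comment line only.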
--- a/chef-server/recipes/rubygems-install.rb
+++ b/chef-server/recipes/rubygems-install.rb
@@ -21,16 +21,10 @@
 # limitations under the License.
 #
-root_group = value_for_platform(
- "openbsd" => { "default" => "wheel" },
- "freebsd" => { "default" => "wheel" },
- "mac_os_x" => { "default" => "wheel" },
- "default" => "root"
-)
-
-user "chef" do
+user node['chef_server']['user'] do
+ action node['chef_server']['manage_user_action']
 system true
- shell "/bin/sh"
+ shell node['chef_server']['user_shell']
 home node['chef_server']['path']
 end
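Review bot: `action node['chef_server']['manage_user_action']` receives nil on every platform except OS X, because the attributes file in this patch defines the default under the key `user_manage_action`. Chef's `action` accessor presumably treats a nil argument as a read and leaves the resource on its default `:create`, so this works by accident rather than failing loudly — worth confirming on the Chef version in use — and the typo only surfaces when someone tries to override it. Make the recipe and the attributes file use the same key; `action node['chef_server']['user_manage_action']` here is the one-line fix if the attribute name is the one to keep.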
@@ -105,63 +99,68 @@
 node['chef_server']['cache_path'],
 node['chef_server']['backup_path'],
 node['chef_server']['run_path'],
- "/etc/chef"
+ node['chef_server']['conf_dir'],
 ]
+Chef::Log.info chef_dirs.inspect
+
 chef_dirs.each do |dir|
 directory dir do
- owner "chef"
- group root_group
+ owner node['chef_server']['user']
+ group node['chef_server']['group']
 mode 0755
 end
 end
 %w{ server solr }.each do |cfg|
- template "/etc/chef/#{cfg}.rb" do
+ template "#{node['chef_server']['conf_dir']}/#{cfg}.rb" do
 source "#{cfg}.rb.erb"
- owner "chef"
- group root_group
+ owner node['chef_server']['user']
+ group node['chef_server']['group']
 mode 0600
 end
- link "/etc/chef/webui.rb" do
- to "/etc/chef/server.rb"
+ link "#{node['chef_server']['conf_dir']}/webui.rb" do
+ to "#{node['chef_server']['conf_dir']}/server.rb"
 end
- link "/etc/chef/expander.rb" do
- to "/etc/chef/solr.rb"
+ link "#{node['chef_server']['conf_dir']}/expander.rb" do
+ to "#{node['chef_server']['conf_dir']}/solr.rb"
 end
 end
 directory node['chef_server']['path'] do
- owner "chef"
- group root_group
+ owner node['chef_server']['user']
+ group node['chef_server']['group']
+ #group root_group
 mode 0755
 end
 %w{ cache search_index }.each do |dir|
 directory "#{node['chef_server']['path']}/#{dir}" do
- owner "chef"
- group root_group
+ owner node['chef_server']['user']
+ group node['chef_server']['group']
+ # group root_group
 mode 0755
 end
 end
-directory "/etc/chef/certificates" do
- owner "chef"
- group root_group
+directory "#{node['chef_server']['conf_dir']}/certificates" do
+ owner node['chef_server']['user']
+ group node['chef_server']['group']
+ #group root_group
 mode 0700
 end
 directory node['chef_server']['run_path'] do
- owner "chef"
- group root_group
+ owner node['chef_server']['user']
+ group node['chef_server']['group']
 mode 0755
 end
 # install solr
 execute "chef-solr-installer" do
- command "chef-solr-installer -c /etc/chef/solr.rb -u chef -g #{root_group}"
+ command "chef-solr-installer -c #{node['chef_server']['conf_dir']}/solr.rb -u #{node['chef_server']['user']} -g #{node['chef_server']['group']}"
 path %w{ /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin }
 not_if { ::File.exists?("#{node['chef_server']['path']}/solr/home") }
 end
@@ -189,8 +188,8 @@
 directory node['chef_server']['run_path'] do
 action :create
- owner "chef"
- group root_group
+ owner node['chef_server']['user']
+ group node['chef_server']['group']
 mode 0755
 end
@@ -266,7 +265,9 @@
 gem_package "foreman"
- procfiles = [ "/etc/chef/Procfile-chef-backend", "/etc/chef/Procfile-chef-server" ]
+ procfiles = [ "#{node['chef_server']['conf_dir']}/Procfile-chef-backend",
+ "#{node['chef_server']['conf_dir']}/Procfile-chef-server",
+ "#{node['chef_server']['conf_dir']}/setup-chef-server.sh" ]
 procfiles.each do |procfile_path|
 template procfile_path do
 source "#{File.basename(procfile_path)}.erb"
@@ -276,7 +277,8 @@
 end
 msg = "\nLaunch chef server with\n\n"
- msg << procfiles.map{|pf| "sudo -u chef foreman start -f #{pf}" }.join(" & sleep 2\n")
+ msg << procfiles.map{|pf| "sudo -u #{node['chef_server']['user']} foreman start -f #{pf}" }.join(" & sleep 2\n")
+ msg << "\n(sudo unnecessary if you are #{node['chef_server']['user']})"
 msg << "\n"
 log(msg)
diff --git a/chef-server/templates/default/Procfile-chef-server.erb b/chef-server/templates/default/Procfile-chef-server.erb
index 166dd169e..a88b6d3ee 100644
--- a/chef-server/templates/default/Procfile-chef-server.erb
+++ b/chef-server/templates/default/Procfile-chef-server.erb
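Review bot: `Chef::Log.info chef_dirs.inspect` is a debugging leftover that prints the directory array on every converge; drop it or demote it to `Chef::Log.debug`. The commented `#group root_group` and `# group root_group` lines inside the `directory` resources are dead text now that the `root_group` lookup has been removed from this recipe and should go as well. Note too that `chef-solr-installer … -g #{node['chef_server']['group']}` and every `group node['chef_server']['group']` here inherit the attributes file's `wheel` default, which Debian and Ubuntu do not have, so those resources will fail there unless the attribute default is corrected.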
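Review bot: `setup-chef-server.sh` is rendered by the same `template` loop as the two Procfiles, but unlike them it carries the RabbitMQ password (`amqp_pass`), so whatever `owner`/`mode` this loop sets — those attributes follow `source` and are outside the hunk — now governs a credential sitting in a directory this recipe creates 0755. Unless the loop already sets `mode 0600` and `owner node['chef_server']['user']`, give the script its own `template` resource with those, or at minimum confirm the mode before merging.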
@@ -1,4 +1,5 @@
-chef_solr: chef-solr -c /etc/chef/solr.rb -l info
-chef_expander: chef-expander -c /etc/chef/solr.rb -l info -n <%= @chef_server['expander_nodes'] %>
-chef_server: chef-server -N -p <%= @chef_server['api_port'] %> -e production -P <%= @chef_server['run_path'] %>/chef-server.%s.pid
-chef_webui: chef-server-webui -N -p <%= @chef_server['webui_port'] %> -e production -P <%= @chef_server['run_path'] %>/chef-server-webui.%s.pid
+chef_solr: chef-solr -c <%= @chef_server['conf_dir'] %>/solr.rb -l info
+chef_expander: chef-expander -c <%= @chef_server['conf_dir'] %>/expander.rb -l info -n <%= @chef_server['expander_nodes'] %>
+chef_server: chef-server -N -p <%= @chef_server['api_port'] %> -e production -P <%= @chef_server['run_path'] %>/chef-server.%s.pid -C <%= @chef_server['conf_dir'] %>/server.rb
+chef_webui: chef-server-webui -N -p <%= @chef_server['webui_port'] %> -e production -P <%= @chef_server['run_path'] %>/chef-server-webui.%s.pid -C <%= @chef_server['conf_dir'] %>/webui.rb
+
diff --git a/chef-server/templates/default/chef_server.conf.erb b/chef-server/templates/default/chef_server.conf.erb
index 6d4efda97..59a8897cd 100644
--- a/chef-server/templates/default/chef_server.conf.erb
+++ b/chef-server/templates/default/chef_server.conf.erb
@@ -23,8 +23,8 @@
 CustomLog <%= @params[:log_dir] %>/<%= @params[:name] %>-access.log combined
 SSLEngine On
- SSLCertificateFile /etc/chef/certificates/chef-server-proxy.pem
- SSLCertificateKeyFile /etc/chef/certificates/chef-server-proxy.pem
+ SSLCertificateFile <%= node['chef_server']['conf_dir'] %>/certificates/chef-server-proxy.pem
+ SSLCertificateKeyFile <%= node['chef_server']['conf_dir'] %>/certificates/chef-server-proxy.pem
 RequestHeader set X_FORWARDED_PROTO 'https'
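Review bot: The new `SSLCertificateFile`/`SSLCertificateKeyFile` lines read `node['chef_server']['conf_dir']` directly, while every other value in this template arrives through `@params` (`@params[:log_dir]`, `@params[:name]` on the `CustomLog` line two lines up); that gives the template two input surfaces and makes the `web_app` call in apache-proxy.rb an incomplete description of what it renders. Pass the path in with the other params, e.g. `SSLCertificateFile <%= @params[:ssl_pem] %>`, and add `ssl_pem "#{node['chef_server']['conf_dir']}/certificates/chef-server-proxy.pem"` to the `web_app` resource (which is outside this hunk).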
@@ -59,8 +59,8 @@
 Custom# bad
ubuntu = 1
Log <%= @params[:log_dir] %>/<%= @params[:name] %>-access.log combined
 SSLEngine On
- SSLCertificateFile /etc/chef/certificates/chef-server-proxy.pem
- SSLCertificateKeyFile /etc/chef/certificates/chef-server-proxy.pem
+ SSLCertificateFile <%= node['chef_server']['conf_dir'] %>/certificates/chef-server-proxy.pem
+ SSLCertificateKeyFile <%= node['chef_server']['conf_dir'] %>/certificates/chef-server-proxy.pem
 RequestHeader set X_FORWARDED_PROTO 'https'
diff --git a/chef-server/templates/default/chef_server.nginx.conf.erb b/chef-server/templates/default/chef_server.nginx.conf.erb
index 1e47a9edf..7dfeefc10 100644
--- a/chef-server/templates/default/chef_server.nginx.conf.erb
+++ b/chef-server/templates/default/chef_server.nginx.conf.erb
@@ -8,8 +8,8 @@ upstream chef_server_webui {
 server {
 listen <%= @api_port %> ssl;
- ssl_certificate /etc/chef/certificates/chef-server-proxy.pem;
- ssl_certificate_key /etc/chef/certificates/chef-server-proxy.pem;
+ ssl_certificate <%= node['chef_server']['conf_dir'] %>/certificates/chef-server-proxy.pem;
+ ssl_certificate_key <%= node['chef_server']['conf_dir'] %>/certificates/chef-server-proxy.pem;
 server_name <%= @api_server_name %>;
 access_log <%= node[:nginx][:log_dir] %>/chef-server.access.log;
 error_log <%= node[:nginx][:log_dir] %>/chef-server.error.log warn;
@@ -41,8 +41,8 @@ server {
 <% if node['chef_server']['webui_enabled'] -%>
 server {
 listen <%= @webui_port %> ssl;
- ssl_certificate /etc/chef/certificates/chef-server-proxy.pem;
- ssl_certificate_key /etc/chef/certificates/chef-server-proxy.pem;
+ ssl_certificate <%= node['chef_server']['conf_dir'] %>/certificates/chef-server-proxy.pem;
+ ssl_certificate_key <%= node['chef_server']['conf_dir'] %>/certificates/chef-server-proxy.pem;
 server_name <%= @webui_server_name %>;
 access_log <%= node[:nginx][:log_dir] %>/chef-server.access.log;
 error_log <%= node[:nginx][:log_dir] %>/chef-server.error.log warn;
diff --git a/chef-server/templates/default/server.rb.erb b/chef-server/templates/default/server.rb.erb
index ab14a600a..0afcec00f 100644
--- a/chef-server/templates/default/server.rb.erb
+++ b/chef-server/templates/default/server.rb.erb
@@ -8,16 +8,21 @@ log_location STDOUT
 chef_server_url "<%= node['chef_server']['url'] %>"
 file_cache_path "<%= node['chef_server']['cache_path'] %>"
+file_backup_path "<%= node['chef_server']['backup_path'] %>"
 sandbox_path "<%= node['chef_server']['cache_path'] %>/sandboxes"
 checksum_path "<%= node['chef_server']['path'] %>/cookbook_index"
 node_path "<%= node['chef_server']['path'] %>/node"
 cookbook_tarball_path "<%= node['chef_server']['path']%>/cookbook-tarballs"
 validation_client_name "<%= node['chef_server']['validation_client_name'] %>"
+validation_key "<%= node['chef_server']['conf_dir'] %>/validation.pem"
+
 <% if node['chef_server']['webui_enabled'] -%>
-web_ui_admin_user_name "admin"
+ web_ui_key "<%= node['chef_server']['conf_dir'] %>/webui.pem"
+ web_ui_admin_user_name "admin"
 <% end -%>
+
 supportdir = "<%= node['chef_server']['path'] %>"
 solr_jetty_path File.join(supportdir, "solr", "jetty")
 solr_data_path File.join(supportdir, "solr", "data")
@@ -30,7 +35,7 @@ amqp_pass "testing"
 umask <%= node['chef_server']['umask'] %>
 ssl_verify_mode :verify_none
-signing_ca_cert "/etc/chef/certificates/cert.pem"
-signing_ca_key "/etc/chef/certificates/key.pem"
-signing_ca_user "chef"
-signing_ca_group "chef"
+signing_ca_cert "<%= node['chef_server']['conf_dir'] %>/certificates/cert.pem"
+signing_ca_key "<%= node['chef_server']['conf_dir'] %>/certificates/key.pem"
+signing_ca_user "<%= node['chef_server']['user'] %>"
+signing_ca_group "<%= node['chef_server']['group'] %>"
diff --git a/chef-server/templates/default/setup-chef-server.sh.erb b/chef-server/templates/default/setup-chef-server.sh.erb
new file mode 100644
index 000000000..feb4ae09b
--- /dev/null
+++ b/chef-server/templates/default/setup-chef-server.sh.erb
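Review bot: `signing_ca_group` moves from the literal `"chef"` to `node['chef_server']['group']`, which this patch defaults to `wheel` on most platforms — the administrative group on RHEL, the BSDs and OS X — so the CA private key at `#{conf_dir}/certificates/key.pem` becomes group-owned by the admin group instead of the service's own group. Whether that exposes the key depends on the mode chef-server writes it with, which is not visible here; if it is group-readable, every wheel member can sign client certificates for this server. Keep the CA key's group tied to the service account rather than the directory-ownership group, e.g. `signing_ca_group "<%= node['chef_server']['user'] %>"` where the user's primary group carries its name, or introduce a separate attribute for it.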
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+rabbitmq_user=chef
+rabbitmq_password=<%= @chef_server['amqp_pass'] %>
+rabbitmq_vhost='/chef'
+
+#bring up the backend
+echo "Starting up chef backend..."
+foreman start -f <%= @chef_server['conf_dir'] %>/Procfile-chef-backend & sleep 10
+
+#add the vhost if not exists
+if rabbitmqctl list_vhosts| grep -q "$rabbitmq_vhost" ; then
+ echo "Rabbitmq vhost $rabbitmq_vhost exists. Skipping..."
+else
+ echo "Adding $rabbimq_vhost vhost..."
+ rabbitmqctl add_vhost "$rabbitmq_vhost"
+fi
+
+#add the user if not exists
+if rabbitmqctl list_users| grep -q "$rabbitmq_user" ; then
+ echo "Rabbitmq user $rabbitmq_user exists. Skipping..."
+else
+ echo "Adding rabbitmq user ${rabbimq_user}..."
+ rabbitmqctl add_user "$rabbitmq_user" "$rabbitmq_password"
+fi
+
+#set the user's permissions
+if rabbitmqctl list_user_permissions "$rabbitmq_user" | grep -q "$rabbitmq_vhost" ; then
+ echo "Rabbitmq user $rabbitmq_user permissions good. Skipping..."
+else
+ echo "Setting rabbitmq user ${rabbimq_user} permissions..."
+ rabbitmqctl set_permissions -p "$rabbitmq_vhost" "$rabbitmq_user" ".*" ".*" ".*"
+fi
+
+#start chef_server to generate the keys
+echo "Starting up chef server to generate keys..."
+foreman start chef_server -f <%= @chef_server['conf_dir'] %>/Procfile-chef-server & sleep 10
+
+#bring everything down
+echo "Bringing everything down..."
+kill %`jobs | grep chef-backend | awk '{print $1}'| tr -dC "[:digit:]"`
+#kill the epm daemon
+kill `ps aux | grep epmd | grep -v grep | awk '{print $2}'`
+kill %`jobs | grep chef-server | awk '{print $1}'| tr -dC "[:digit:]"`
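Review bot: `rabbitmq_password=<%= @chef_server['amqp_pass'] %>` provisions the broker account from the attribute, but server.rb.erb in this same patch still carries the literal `amqp_pass "testing"`, so anyone who overrides the attribute — the only sensible thing to do with a shipped default of `testing` — ends up with a broker password chef-server does not know; change that template line to `amqp_pass "<%= node['chef_server']['amqp_pass'] %>"`. The progress messages reference `$rabbimq_vhost` and `${rabbimq_user}`, which are never set (typo), and a `set -u` near the top would have flagged them. ``kill `ps aux | grep epmd …` `` terminates every epmd on the host, including one owned by an unrelated Erlang service; `rabbitmqctl stop` brings the broker and its epmd down cleanly. The `grep -q "$rabbitmq_user"` and `grep -q "$rabbitmq_vhost"` guards are substring matches (`chef` also matches `chef2`, `/chef` matches `/chef-test`), so use `grep -qx` on the relevant column to keep the idempotence checks exact.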