From 7bbfade233cdf46890ccba45678a58da57af4bf3 Mon Sep 17 00:00:00 2001 From: franklines Date: Mon, 18 Jun 2018 19:26:19 -0500 Subject: [PATCH 1/3] Added new parameters to the configure_chef.sh script. Updated README with description of said parameters and how to use them. --- README.md | 72 +++++++++++++++++++++++++++++++---------------- configure_chef.sh | 42 +++++++++++++++++++++++---- 2 files changed, 85 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index 145f8fc..6f86763 100644 --- a/README.md +++ b/README.md 
@@ -1,27 +1,42 @@ -# chef-server - -chef-server will run Chef Server 12 in an Ubuntu Trusty 14.04 LTS container. +# Chef Server Docker Container Image +![N|Solid](https://i.imgur.com/xPY9jpK.png) +chef-server will run Chef Server 12 in an Ubuntu Trusty 14.04 LTS container. Image Size: Approximately 1GB This is a fork of: [base/chef-server](https://registry.hub.docker.com/u/base/chef-server/). -## Environment -##### Protocol / Port -Chef is running over HTTPS/443 by default. +# Environment +#### Protocol / Port +Chef is running over HTTPS/443 by default. You can however change that to another port by adding `-e SSL_PORT=new_port` to the `docker run` command below and update the expose port `-p` accordingly. -##### SSL certificate -When Chef Server gets configured it creates an SSL certificate based on the container's FQDN (i.e "103d6875c1c5" which is the "CONTAINER ID"). This default behiavior has been changed to always produce an SSL certificate file named "chef-server.crt". +# SSL certificate +When Chef Server gets configured it creates an SSL certificate based on the container's FQDN (i.e "103d6875c1c5" which is the "CONTAINER ID"). This default behavior has been changed to always produce an SSL certificate file named "chef-server.crt". You can change the certificate name by adding `-e CONTAINER_NAME=new_name` to the `docker run` command. Remember to reflect that change in config.rb! -##### Logs +# Logs `/var/log/` is accessible via a volume directory. Feel free to optionally to use it with the `docker run` command above by adding: `-v ~/chef-logs:/var/log` -##### DNS -The container needs to be **DNS resolvable!** -Be sure **'chef-server'** or **$CONTAINER_NAME** is pointing to the container's IP! +# DNS +The container needs to be **DNS resolvable!** +Be sure **'chef-server'** or **$CONTAINER_NAME** is pointing to the container's IP! This needs to be done to match the SSL certificate name with the `chef_server_url ` from knife's `config.rb` file. 
+# Setup Chef User & Organization +The following parameters have been added to assist you in defining a default chef user and organization. +| Parameter | Description | +| ------------- |:-------------:| +| CHEF_USER | Define your chef username. If not set, username defaults to admin. | +| CHEF_PASS | Define your chef user's password. Default generates a random password. | +| CHEF_MAIL | Sets your chef user's email address. Default is admin@. | +| CHEF_ORG | Defines the name of the organization that is created during setup. Default is set to 'my_org'.| +| CHEF_ORGDESC | Sets your chef organization's description. If not set, default is 'Default organization'. | + +Set these parameters after the `-e` switch. Example below. +```bash +$ sudo docker run --privileged -t -e CONTAINER_NAME='' CHEF_USER='' CHEF_PASS='' CHEF_MAIL='' CHEF_ORG='' CHEF_ORGDESC='' --name chef-server -d -p 443:443 cbuisson/chef-server +``` + ## Start the container Docker command: @@ -37,13 +52,22 @@ $ docker logs -f chef-server ## Setup knife -Once Chef Server 12 is configured, you can download the Knife admin keys here: +Once Chef Server 12 is configured, you can download the Knife admin keys with these steps: + +#### Login to a shell session on your container. ```bash -curl -Ok https://chef-server:$SSL_PORT/knife_admin_key.tar.gz +sudo docker exec -it /bin/bash +``` +#### Copy your user & organization pem keys. +```bash +cat /etc/chef/.pem +cat /etc/chef/-validator.pem +``` +Save the above keys to your local workstation (where you have knife installed). Then create a config.rb file with the contents. +```bash +vim ~/.chef/config.rb ``` - -Then un-tar that archive and point your config.rb to the `admin.pem` and `my_org-validator.pem` files. *config.rb* example: 
@@ -52,10 +76,10 @@ log_level :info log_location STDOUT cache_type 'BasicFile' node_name 'admin' -client_key '/home/cbuisson/.chef/admin.pem' +client_key '/home//.chef/.pem' validation_client_name 'my_org-validator' -validation_key '/home/cbuisson/.chef/my_org-validator.pem' -chef_server_url 'https://chef-server:$SSL_PORT/organizations/my_org' +validation_key '/home//.chef/-validator.pem' +chef_server_url 'https://:$SSL_PORT/organizations/' ``` When the config.rb file is ready, you will need to get the SSL certificate file from the container to access Chef Server: @@ -63,25 +87,25 @@ When the config.rb file is ready, you will need to get the SSL certificate file ```bash cbuisson@server:~/.chef# knife ssl fetch WARNING: Certificates from chef-server will be fetched and placed in your trusted_cert -directory (/home/cbuisson/.chef/trusted_certs). +directory (/home//.chef/trusted_certs). Knife has no means to verify these are the correct certificates. You should verify the authenticity of these certificates after downloading. -Adding certificate for chef-server in /home/cbuisson/.chef/trusted_certs/chef-server.crt +Adding certificate for chef-server in /home//.chef/trusted_certs/chef-server.crt ``` You should now be able to use the knife command! ```bash -cbuisson@server:~# knife user list +@server:~# knife user list admin ``` **Done!** ##### Note -Chef-Server running inside a container isn't officially supported by [Chef](https://www.chef.io/about/) and as a result the webui isn't available. +Chef-Server running inside a container isn't officially supported by [Chef](https://www.chef.io/about/) and as a result the webui isn't available. However the webui is not required since you can interact with Chef-Server via the `knife` and `chef-server-ctl` commands. ##### Tags -v1.0: Chef Server 11 +v1.0: Chef Server 11 v2.x: Chef Server 12 diff --git a/configure_chef.sh b/configure_chef.sh index 77fc998..b3d42b5 100755 --- a/configure_chef.sh +++ b/configure_chef.sh 
@@ -10,8 +10,10 @@ else fi if [[ -z $CONTAINER_NAME ]]; then + chefFQDN=$(uname -n) echo "nginx['server_name']=\"chef-server\"" >> /etc/opscode/chef-server.rb else + chefFQDN="$CONTAINER_NAME" echo "nginx['server_name']=\"$CONTAINER_NAME\"" >> /etc/opscode/chef-server.rb fi 
@@ -52,17 +54,47 @@ fi echo -e "\n\n$URL is available!\n" echo -e "\nSetting up admin user and default organization" -chef-server-ctl user-create admin Admin User admin@myorg.com "passwd" --filename /etc/chef/admin.pem -chef-server-ctl org-create my_org "Default organization" --association_user admin --filename /etc/chef/my_org-validator.pem + +if [[ -z $CHEF_MAIL ]]; then + chefMail="admin@$chefFDQN"; +else + chefMail="$CHEF_MAIL" +fi + + +if [[ -z $CHEF_USER ]]; then + chefUser="admin"; +else + chefUser="$CHEF_USER" +fi + +if [[ -z $CHEF_PASS ]]; then + chefPass=$(strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 32 | tr -d '\n'; echo) +else + chefPass="$CHEF_PASS"; +fi + +chef-server-ctl user-create "$chefUser" "$chefUser" "User" "$chefMail" "$chefPass" --filename "/etc/chef/$chefUser.pem" + +if [[ -z $CHEF_ORG ]]; then + chefOrg="my_org"; +else + chefOrg="$CHEF_ORG" +fi + +if [[ -z $CHEF_ORGDESC ]]; then + chefOrgDesc="Default organization" +else + chefOrgDesc="$CHEF_ORGDESC"; +fi + +chef-server-ctl org-create "$chefOrg" "$chefOrgDesc" --association_user "$chefUser" --filename "/etc/chef/$chefOrg-validator.pem" echo -e "\nRunning: 'chef-server-ctl install chef-manage'"... chef-server-ctl install chef-manage echo -e "\nRunning: 'chef-server-ctl reconfigure'"... chef-server-ctl reconfigure echo "{ \"error\": \"Please use https:// instead of http:// !\" }" > /var/opt/opscode/nginx/html/500.json sed -i "s,/503.json;,/503.json;\n error_page 497 =503 /500.json;,g" /var/opt/opscode/nginx/etc/chef_https_lb.conf -sed -i '$i\ location /knife_admin_key.tar.gz {\n default_type application/zip;\n alias /etc/chef/knife_admin_key.tar.gz;\n }' /var/opt/opscode/nginx/etc/chef_https_lb.conf -echo -e "\nCreating tar file with the Knife keys" -cd /etc/chef/ && tar -cvzf knife_admin_key.tar.gz admin.pem my_org-validator.pem echo -e "\nRestart Nginx..." chef-server-ctl restart nginx chef-server-ctl status From 664462ef057f987f5f6316207dc6d5a31fdd44d5 Mon Sep 17 00:00:00 2001 
From: franklines Date: Mon, 18 Jun 2018 19:30:35 -0500 Subject: [PATCH 2/3] Fixed README.md parameters table. --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 6f86763..4c56900 100644 --- a/README.md +++ b/README.md @@ -24,12 +24,13 @@ This needs to be done to match the SSL certificate name with the `chef_server_ur # Setup Chef User & Organization The following parameters have been added to assist you in defining a default chef user and organization. + | Parameter | Description | | ------------- |:-------------:| | CHEF_USER | Define your chef username. If not set, username defaults to admin. | | CHEF_PASS | Define your chef user's password. Default generates a random password. | | CHEF_MAIL | Sets your chef user's email address. Default is admin@. | -| CHEF_ORG | Defines the name of the organization that is created during setup. Default is set to 'my_org'.| +| CHEF_ORG | Defines the name of the organization that is created during setup. Default is set to 'my_org'. | | CHEF_ORGDESC | Sets your chef organization's description. If not set, default is 'Default organization'. | Set these parameters after the `-e` switch. Example below. From 72981388fcd6386f2a6d1e66bcd48ab3df0dd504 Mon Sep 17 00:00:00 2001 From: franklines Date: Tue, 19 Jun 2018 14:05:51 -0500 Subject: [PATCH 3/3] Corrected command typo in README.md file. Updated configure_chef.sh to save random generated password. --- README.md | 4 ++-- configure_chef.sh | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 4c56900..ea81aeb 100644 --- a/README.md +++ b/README.md 
@@ -35,7 +35,7 @@ The following parameters have been added to assist you in defining a default che Set these parameters after the `-e` switch. Example below. ```bash -$ sudo docker run --privileged -t -e CONTAINER_NAME='' CHEF_USER='' CHEF_PASS='' CHEF_MAIL='' CHEF_ORG='' CHEF_ORGDESC='' --name chef-server -d -p 443:443 cbuisson/chef-server +$ sudo docker run --privileged -t -e CONTAINER_NAME='' -e CHEF_USER='' -e CHEF_PASS='' -e CHEF_MAIL='' -e CHEF_ORG='' -e CHEF_ORGDESC='' --name chef-server -d -p 443:443 cbuisson/chef-server ``` ## Start the container @@ -86,7 +86,7 @@ chef_server_url 'https://:$SSL_PORT/organizations/@server:~/.chef# knife ssl fetch WARNING: Certificates from chef-server will be fetched and placed in your trusted_cert directory (/home//.chef/trusted_certs). diff --git a/configure_chef.sh b/configure_chef.sh index b3d42b5..b0b1250 100755 --- a/configure_chef.sh +++ b/configure_chef.sh @@ -69,7 +69,8 @@ else fi if [[ -z $CHEF_PASS ]]; then - chefPass=$(strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 32 | tr -d '\n'; echo) + chefPass=$(strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 32 | tr -d '\n'; echo) + echo "$chefPass" >> /etc/chef/chefUserPass.txt else chefPass="$CHEF_PASS"; fi
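Review bot: In the README hunk `@@ -1,27 +1,42 @@` (patch 1/3), the `docker run` example passes `-e` only before `CONTAINER_NAME=''`, so docker parses `CHEF_USER='' CHEF_PASS='' ...` as the image name and command rather than as environment variables; every variable needs its own `-e` (patch 3/3 makes that fix, so squashing the series would avoid publishing the broken command). In the same hunk the table's "Default is admin@." and "Sets your chef user's email address" lines appear to have lost a placeholder, and the table also needs a blank line before it to render (patch 2/3 adds one): if the intended placeholders were written as `<container_name>`, rendered markdown swallows them as HTML tags, so wrap them in backticks, e.g. `admin@CONTAINER_NAME`.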
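Review bot: In the README hunk `@@ -37,13 +52,22 @@` (patch 1/3), `sudo docker exec -it /bin/bash` and `cat /etc/chef/.pem` / `cat /etc/chef/-validator.pem` are missing the container name, user name and org name; as written the commands fail or read a nonexistent file, so put backticked placeholders (`CONTAINER_NAME`, `CHEF_USER`, `CHEF_ORG`) in the text, matching the parameter names the new table introduces. Dropping the `curl -Ok https://chef-server:$SSL_PORT/knife_admin_key.tar.gz` step is the right call and deserves a sentence in the commit message: it fetched the admin private key and the validator key from an unauthenticated URL and `-k` disabled certificate verification, so this hunk is a security fix as much as a documentation change.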
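Review bot: In the README hunk `@@ -52,10 +76,10 @@` (patch 1/3), `client_key '/home//.chef/.pem'`, `validation_key '/home//.chef/-validator.pem'` and `chef_server_url 'https://:$SSL_PORT/organizations/'` now contain empty path segments and an empty host where the placeholders should be; the resulting config.rb example cannot work as shown. While the lines are being rewritten, also note that `$SSL_PORT` inside a single-quoted Ruby string is a literal, not an expansion (this was already true of the removed line): either write the concrete URL, e.g. `'https://chef-server:443/organizations/my_org'`, or interpolate with `"https://chef-server:#{ENV['SSL_PORT']}/organizations/my_org"`. The host must stay the name on the container's certificate, as the DNS section already says.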
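Review bot: In the README hunk `@@ -63,25 +87,25 @@` (patch 1/3), the quoted `knife ssl fetch` output itself warns "Knife has no means to verify these are the correct certificates", but the README still stops at "You should now be able to use the knife command!"; add a step telling the reader to compare the fetched `trusted_certs/chef-server.crt` with the `chef-server.crt` the container generated (the SSL certificate section says the container always produces that file), for example by comparing `openssl x509 -noout -fingerprint` output on both copies, before trusting it. Also `@server:~# knife user list` has lost its username the same way the other placeholders did.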
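Review bot: In the configure_chef.sh hunk `@@ -10,8 +10,10 @@` (patch 1/3), `chefFQDN=$(uname -n)` / `chefFQDN="$CONTAINER_NAME"` is assigned here but the only reader of it in this series, the `chefMail="admin@$chefFDQN"` default in the next hunk, spells the variable `chefFDQN`, so the default address is always `admin@` with an empty domain. Fix the spelling in the consumer, and consider `set -u` near the top of the script so an undefined variable like this aborts the run instead of silently expanding to nothing.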
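Review bot: In the configure_chef.sh hunk `@@ -52,17 +54,47 @@` (patch 1/3), the generated password in the `CHEF_PASS` branch (`chefPass=$(strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 32 | tr -d '\n'; echo)`) is handed to `chef-server-ctl user-create` but never surfaced to the operator, so with the default parameters nobody can learn the admin password (patch 3/3 in this series addresses that). The pipeline can be simplified to `tr -dc '[:alnum:]' </dev/urandom | head -c 32`. Style: the stray `;` after `chefMail="admin@$chefFDQN"`, `chefUser="admin"`, `chefPass="$CHEF_PASS"`, `chefOrg="my_org"` and `chefOrgDesc="$CHEF_ORGDESC"` are inconsistent with the neighbouring assignments. The removal of the `sed -i '$i\ location /knife_admin_key.tar.gz ...` nginx alias and the `tar -cvzf knife_admin_key.tar.gz admin.pem my_org-validator.pem` step is the most important change in the patch, since it stops serving the private keys from the web server; say so in the commit message.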
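Review bot: In the README hunk `@@ -35,7 +35,7 @@` (patch 3/3), the corrected command now gives each variable its own `-e`, but the README should say two things the table does not: a password passed as `-e CHEF_PASS='...'` ends up in the shell history and is readable afterwards with `docker inspect` (it is stored in the container's `Config.Env`), so the random-password path is the safer default; and since the script now records the generated password (patch 3/3 writes it to `/etc/chef/chefUserPass.txt` inside the container), the README needs a step telling the reader where to retrieve it, as nothing in the documentation mentions that file.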
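Review bot: In the configure_chef.sh hunk `@@ -69,7 +69,8 @@` (patch 3/3), `echo "$chefPass" >> /etc/chef/chefUserPass.txt` writes the admin password in plaintext with whatever mode the default umask yields (commonly 0644) and appends on every run, so repeated runs leave several passwords in a world-readable file. Create it with restricted permissions and overwrite instead, e.g. `(umask 077; echo "$chefPass" > /etc/chef/chefUserPass.txt)`, and have the README instruct the reader to read and then delete the file once the password has been recorded elsewhere. The `-`/`+` pair for the `chefPass=$(...)` line looks identical apart from whitespace; check for an accidental trailing-space change so the diff stays minimal.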