
Chef Evaluation (1): Chef Server Setup

Posted at 2017-03-02

Creating a user

  • Create the directory where the pem files will be stored ahead of time.
inohana@ino-ubuntu:~/repo/chef/Packages$ sudo mkdir /etc/opscode/ise
  • Create the user.
sudo chef-server-ctl user-create [firstname] [lastname] xxxxx@jp.ibm.com [password] --filename /etc/opscode/test/inohana.pem
  • An error was output.
ERROR: Error connecting to https://127.0.0.1/users/, retry 1/5
ERROR: Error connecting to https://127.0.0.1/users/, retry 2/5
ERROR: Error connecting to https://127.0.0.1/users/, retry 3/5
ERROR: Error connecting to https://127.0.0.1/users/, retry 4/5
ERROR: Error connecting to https://127.0.0.1/users/, retry 5/5
ERROR: Errno::ECONNRESET: Error connecting to https://127.0.0.1/users/ - Connection reset by peer - SSL_connect

  • Check the logs with the tail command.
==> /var/log/opscode/nginx/current <==
2017-03-01_19:37:40.90458 nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
2017-03-01_19:37:41.40734 nginx: [emerg] still could not bind()
2017-03-01_19:37:41.41950 nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
2017-03-01_19:37:41.91978 nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
2017-03-01_19:37:42.42006 nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
2017-03-01_19:37:42.92038 nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
2017-03-01_19:37:43.42054 nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
2017-03-01_19:37:43.92310 nginx: [emerg] still could not bind()
2017-03-01_19:37:43.94111 nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
2017-03-01_19:37:44.44136 nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
inohana@ino-ubuntu:~$ sudo chef-server-ctl tail -f /var/log/message
  • It is complaining about port 80, so let's look at the processes.
inohana@ino-ubuntu:~/repo/chef/Packages$ netstat -an|grep :443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:44367         0.0.0.0:*               LISTEN
inohana@ino-ubuntu:~/repo/chef/Packages$ ss -tnsa
State      Recv-Q Send-Q        Local Address:Port          Peer Address:Port 
LISTEN     0      10          192.168.100.191:53                       *:*     
(omitted)                :::*     
LISTEN     0      128                      :::80                      :::*     
  • The routing table is fine as well.
inohana@ino-ubuntu:~/repo/chef/Packages$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination     
  • Apache was running (port 80).
inohana@ino-ubuntu:~/repo/chef/Packages$ sudo lsof -i:80
COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apache2 1328     root    4u  IPv6   9696      0t0  TCP *:http (LISTEN)
apache2 1334 www-data    4u  IPv6   9696      0t0  TCP *:http (LISTEN)
apache2 1335 www-data    4u  IPv6   9696      0t0  TCP *:http (LISTEN)
apache2 1336 www-data    4u  IPv6   9696      0t0  TCP *:http (LISTEN)
apache2 1337 www-data    4u  IPv6   9696      0t0  TCP *:http (LISTEN)
apache2 1338 www-data    4u  IPv6   9696      0t0  TCP *:http (LISTEN)
  • Stop Apache.
inohana@ino-ubuntu:~/repo/chef/Packages$ sudo service apache2 stop
inohana@ino-ubuntu:~/repo/chef/Packages$ sudo lsof -i:80
COMMAND   PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   12663    root   16u  IPv4  80594      0t0  TCP *:http (LISTEN)
nginx   12665 opscode   16u  IPv4  80594      0t0  TCP *:http (LISTEN)
  • Check chef-server-ctl status.
    • Everything appears to be up without problems, but just to be safe, stop it once and run a cleanup.
inohana@ino-ubuntu:~/repo/chef/Packages$ sudo chef-server-ctl status
run: bookshelf: (pid 11050) 967s; run: log: (pid 11085) 967s
run: nginx: (pid 12263) 1s; run: log: (pid 11265) 958s
run: oc_bifrost: (pid 10810) 1001s; run: log: (pid 10856) 1001s
run: oc_id: (pid 10928) 978s; run: log: (pid 10933) 978s
run: opscode-erchef: (pid 11157) 964s; run: log: (pid 11134) 966s
run: opscode-expander: (pid 11009) 968s; run: log: (pid 11039) 968s
run: opscode-solr4: (pid 10955) 972s; run: log: (pid 10973) 972s
run: postgresql: (pid 10793) 1002s; run: log: (pid 10797) 1002s
run: rabbitmq: (pid 10694) 1005s; run: log: (pid 10687) 1006s
run: redis_lb: (pid 10635) 1041s; run: log: (pid 11258) 958s
inohana@ino-ubuntu:~/repo/chef/Packages$ sudo chef-server-ctl stop
inohana@ino-ubuntu:~/repo/chef/Packages$ sudo chef-server-ctl status
ok: down: bookshelf: 1s, normally up
ok: down: oc_bifrost: 0s, normally up
ok: down: oc_id: 1s, normally up
ok: down: opscode-erchef: 0s, normally up
ok: down: opscode-expander: 0s, normally up
ok: down: opscode-solr4: 0s, normally up
ok: down: postgresql: 0s, normally up
ok: down: rabbitmq: 1s, normally up
inohana@ino-ubuntu:~/repo/chef/Packages$ sudo chef-server-ctl stop
down: bookshelf: 16s, normally up; run: log: (pid 5227) 283s
down: oc_bifrost: 15s, normally up; run: log: (pid 4918) 332s
down: oc_id: 8s, normally up; run: log: (pid 4946) 330s
down: opscode-erchef: 7s, normally up; run: log: (pid 5312) 281s
down: opscode-expander: 6s, normally up; run: log: (pid 5196) 284s
down: opscode-solr4: 4s, normally up; run: log: (pid 5134) 285s
down: postgresql: 4s, normally up; run: log: (pid 4864) 333s
down: rabbitmq: 4s, normally up; run: log: (pid 2779) 888s
inohana@ino-ubuntu:~/repo/chef/Packages$ sudo chef-server-ctl cleanup
Starting Chef Client, version 12.17.44
resolving cookbooks for run list: ["private-chef::post_11_upgrade_cleanup", "private-chef::post_12_upgrade_cleanup", "private-chef::solr4_gclog_cleanup"]
Synchronizing Cookbooks:
  - private-chef (0.1.0)
  - enterprise (0.10.1)
  - apt (2.9.2)
  - yum (3.13.0)
  - openssl (6.1.1)
  - runit (1.6.0)
  - packagecloud (0.2.5)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 18 resources
Recipe: private-chef::post_11_upgrade_cleanup
  * private_chef_package_cleaner[opscode-authz] action clean
  • The user was created successfully.
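
The port conflict diagnosed above, turned into a pre-flight check (an added example, not part of the original article): the function reads `ss -ltnp` style lines and reports listeners on the given ports that are not owned by the expected process. `port_conflicts` is a hypothetical name and the sample lines are constructed.

```shell
# port_conflicts EXPECTED_OWNER PORT...
# Reads `ss -ltnp` output on stdin and prints "port owner pid" for every
# listener on one of the PORTs whose process name is not EXPECTED_OWNER.
# Without root, ss omits the process column and the owner shows as "unknown".
port_conflicts() {
    expected=$1; shift
    awk -v expected="$expected" -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)      # drop the address, keep the port
            if (!(port in want)) next
            owner = "unknown"; pid = "-"
            if (match($0, /\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART + 3, RLENGTH - 3)   # e.g. apache2",pid=1328
                owner = s; sub(/".*/, "", owner)
                pid = s;   sub(/.*pid=/, "", pid)
            }
            if (owner != expected) print port, owner, pid
        }'
}

# Constructed sample input modelled on the situation in this article:
# nginx holds 443, but apache2 already holds 80.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=12663,fd=17))
LISTEN 0 128 *:80 *:* users:(("apache2",pid=1328,fd=4),("apache2",pid=1334,fd=4))
LISTEN 0 10 192.168.100.191:53 0.0.0.0:* users:(("named",pid=900,fd=21))'

printf '%s\n' "$SAMPLE_SS" | port_conflicts nginx 80 443

# On a live host: sudo ss -ltnp | port_conflicts nginx 80 443
```

Any line printed means the Chef Server nginx will fail to bind until that process is stopped or moved to another port.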

Creating a chef org

chef-server-ctl org-create test 'Test Company' --association_user kentarok --filename /etc/opscode/test/test-validator.pem

Verification

inohana@ino-ubuntu:~$ sudo chef-server-ctl user-list
[sudo] password for inohana:
inohana
pivotal
inohana@ino-ubuntu:~$ sudo chef-server-ctl org-list
ise
user01@ino-ubuntu:/etc/opscode/ise$ pwd
/etc/opscode/ise
user01@ino-ubuntu:/etc/opscode/ise$ ls -la
total 20
drwxrwxrwx 2 root root 4096 Mar 16 14:27 .
drwxr-xr-x 4 root root 4096 Mar 10 07:55 ..
-rw-r--r-- 1 root root 1678 Mar  2 04:38 inohana.pem
-rw-r--r-- 1 root root 1678 Mar  2 04:41 ise-validator.pem
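
The listing above shows the key directory as `drwxrwxrwx` and both private keys as `-rw-r--r--`, so any local account can read the user and validator keys or replace them. The following audit-and-tighten check is an added example, not part of the original article; `audit_key_dir` and `harden_key_dir` are hypothetical names, the demo directory is constructed, and it assumes only the owner needs access to the keys on the server.

```shell
mode_of() { ls -ld "$1" | cut -c1-10; }   # e.g. drwxrwxrwx or -rw-r--r--

# audit_key_dir DIR: prints one finding per line, returns 1 if any were found.
audit_key_dir() {
    dir=$1; rc=0
    # Group- or world-writable directory: keys can be swapped or deleted.
    case $(mode_of "$dir") in
        d????w????|d???????w?) echo "DIR_WRITABLE $dir"; rc=1 ;;
    esac
    # Any group/other permission bit on a private key exposes it.
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        case $(mode_of "$f") in
            ????------) ;;
            *) echo "KEY_EXPOSED $f"; rc=1 ;;
        esac
    done
    return $rc
}

# harden_key_dir DIR: owner-only access to the directory and its keys.
harden_key_dir() {
    chmod 700 "$1"
    for f in "$1"/*.pem; do [ -f "$f" ] && chmod 600 "$f"; done
    return 0
}

# Constructed demo directory reproducing the permissions in the listing above.
demo=$(mktemp -d)
: > "$demo/inohana.pem"; : > "$demo/ise-validator.pem"
chmod 777 "$demo"; chmod 644 "$demo"/*.pem
audit_key_dir "$demo" || echo "findings above; tightening"
harden_key_dir "$demo"
audit_key_dir "$demo" && echo "clean"
rm -rf "$demo"
```

On the server itself the files are owned by root, so both functions would be run with sudo against `/etc/opscode/ise`.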

Reference: Chef Server environment setup procedure

Reference: Chef Server setup procedure for Chef 12

Supplement: Deleting the created user / organization

user01@ino-ubuntu:/etc/opscode/ibm$ sudo chef-server-ctl org-delete ibm
Do you want to delete the organization ibm? (Y/N) Y
full_name: IBM Japan
guid:      f96ebc5ec69f17139cf7f0cbe087cbbd
name:      ibm
user01@ino-ubuntu:/etc/opscode/ibm$
user01@ino-ubuntu:/etc/opscode/ibm$ sudo chef-server-ctl user-delete user01
Do you want to delete the user user01? (Y/N) Y
Checking organization memberships...
Deleting user user01.
user01@ino-ubuntu:/etc/opscode/ibm$

(Reference) chef-server-ctl menu

inohana@ino-ubuntu:~$ sudo chef-server-ctl
[sudo] password for inohana:
I don't know that command.
chef-server-ctl: command (subcommand)
General Commands:
  backup
    Backup the Chef Server
  cleanse
    Delete *all* Chef Server data, and start from scratch.
  cleanup
    Perform post-upgrade removal of now-obsolete data, configuration files, logs, etc.  Add the '--no-op' flag to see what *would* be removed.
  gather-logs
    Create a tarball of recent logs and system information for Chef Support
  help
    Print this help message.
  install
    Install addon package by name, with optional --path parameter indicating directory containing packages
  reconfigure
    Reconfigure the application.
  reindex
    Reindex all server data for a given organization
  restore
    Restore the Chef Server from backup
  show-config
    Show the configuration that would be generated by reconfigure.
  test
    Run the API test suite against localhost.
  uninstall
    Kill all processes and uninstall the process supervisor (data will be preserved).
  upgrade
    Upgrade your private chef installation.
Service Management Commands:
  graceful-kill
    Attempt a graceful stop, then SIGKILL the entire process group.
  hup
    Send the services a HUP.
  int
    Send the services an INT.
  kill
    Send the services a KILL.
  once
    Start the services if they are down. Do not restart them if they stop.
  restart
    Stop the services if they are running, then start them again.
  service-list
    List all the services (enabled services appear with a *.)
  start
    Start services if they are down, and restart them if they stop.
  status
    Show the status of all the services.
  stop
    Stop the services, and do not restart them.
  tail
    Watch the service logs of all enabled services.
  term
    Send the services a TERM.
  usr1
    Send the services a USR1.
  usr2
    Send the services a USR2.
Credential Rotation Commands:
  require-credential-rotation
    Disable the Chef Server and require credential rotation
  rotate-all-credentials
    Rotate all Chef Server service credentials
  rotate-credentials
    Rotate Chef Server credentials for a given service
  rotate-shared-secrets
    Rotate the Chef Server shared secrets and all service credentials
  show-service-credentials
    Show the service credentials
Debug Tools Commands:
  filtered-dump
    Generate a filtered dump of indexable Chef Objects for all organizations.  Top-level data is captured; only object name is captured from object json
Key Rotation Commands:
  add-client-key
    Create a new client key
  add-user-key
    Create a new user key
  delete-client-key
    Delete a key
  delete-user-key
    Delete a key
  list-client-keys
    List keys for a client
  list-user-keys
    List keys for a user
Open Source Upgrade Commands:
  chef12-upgrade-data-transform
    Transfrom data from an open source Chef 11 server for upload to an Chef 12 server.
  chef12-upgrade-download
    Download data from a open source Chef 11 server.
  chef12-upgrade-upload
    Upload transformed open source Chef 11 data to a Chef 12 server.
High Availability Commands:
  backup-recover
    Set this server to HA backup state, ignoring VRRP
  ha-status
    Show the status of high availability services.
  master-recover
    Set this server to HA master state, ignoring VRRP.
Organization And User Management Commands:
  org-create
    Create an organization in the chef server.
  org-delete
    Delete an organization in the chef server.
  org-list
    List all organizations in the chef server.
  org-show
    Show an organization in the chef server.
  org-user-add
    Associate a user with an organization.
  org-user-remove
    Dissociate a user with an organization.
  password
    Set a user's password or System Recovery Password.
  user-create
    Create a user in the chef server.
  user-delete
    Delete a user in the chef server.
  user-edit
    Edit a user in the chef server.
  user-list
    List all users in the chef server.
  user-show
    Show a user in the chef server.
Database Commands:
  psql
    Launches an interactive psql session with the service database you name. Add '--write' for write access and '--options <OPTIONS>' to specify psql options.
Server Admins Commands:
  grant-server-admin-permissions
    Grant a user the ability to create other users by added the user to the server-admins group.
  list-server-admins
    List users that have server-admins permissions.
  remove-server-admin-permissions
    Remove all special permission granted to a user from being a server-admin.
inohana@ino-ubuntu:~$