Help us understand the problem. What is going on with this article?

Knife-Zeroで管理するnodeオブジェクトを任意のattributesに限定する

More than 5 years have passed since last update.

Chef-ClientにはWhitelist Attributesという機能があって、Ohaiが収集した(Automatic)Attributesから、任意のAttributeのみ保存対象することができます。

使い方はclient.rbに書けばOK。

Knife Zero Bootstrap で普通にnodeオブジェクトを作成するとでかい

適当なAmazon EC2インスタンスにbootstrapを仕掛けてみます。

$ knife zero bootstrap 52.69.40.215 -x ec2-user -i ~/.ssh/privatekey --hint ec2 -N test-server
Doing old-style registration with the validation key at ...
Delete your validation key in order to use your user credentials instead

Connecting to 52.69.40.215
52.69.40.215 -----> Installing Chef Omnibus (-v 12)
52.69.40.215 downloading https://www.opscode.com/chef/install.sh
52.69.40.215   to file /tmp/install.sh.2281/install.sh
52.69.40.215 trying wget...
52.69.40.215 Downloading Chef 12 for el...
52.69.40.215 downloading https://www.opscode.com/chef/metadata?v=12&prerelease=false&nightlies=false&p=el&pv=6&m=x86_64
52.69.40.215   to file /tmp/install.sh.2286/metadata.txt
52.69.40.215 trying wget...
52.69.40.215 url    https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-12.3.0-1.el6.x86_64.rpm
52.69.40.215 md5    c19fefcb3d033107e9fbdb3839312584
52.69.40.215 sha256 4b7c846a9ad93564cc203a5ac99890431f7d6ad159c424aa89827fd772c9881d
52.69.40.215 downloaded metadata file looks valid...
52.69.40.215 downloading https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-12.3.0-1.el6.x86_64.rpm
52.69.40.215   to file /tmp/install.sh.2286/chef-12.3.0-1.el6.x86_64.rpm
52.69.40.215 trying wget...
52.69.40.215 Comparing checksum with sha256sum...
52.69.40.215 Installing Chef 12
52.69.40.215 installing with rpm...
52.69.40.215 warning: /tmp/install.sh.2286/chef-12.3.0-1.el6.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY
52.69.40.215 Preparing...                          ################################# [100%]
52.69.40.215 Updating / installing...
52.69.40.215    1:chef-12.3.0-1.el6                ################################# [100%]
52.69.40.215 Thank you for installing Chef!
52.69.40.215 Starting first Chef Client run...
52.69.40.215 Starting Chef Client, version 12.3.0
52.69.40.215 Creating a new client identity for test-server using the validator key.
52.69.40.215 resolving cookbooks for run list: []
52.69.40.215 Synchronizing Cookbooks:
52.69.40.215 Compiling Cookbooks...
52.69.40.215 [2015-06-15T08:00:47+00:00] WARN: Node test-server has an empty run list.
52.69.40.215 Converging 0 resources
52.69.40.215 
52.69.40.215 Running handlers:
52.69.40.215 Running handlers complete
52.69.40.215 Chef Client finished, 0/0 resources updated in 2.739626435 seconds

Whitelistなしで採集したNodeオブジェクトのキーを確認

無策でやるとタップリとれました。固定的な値と状況による値が混在しているので、例えばnodeオブジェクトもgitの管理対象にしたいなーというケースで特に面倒です。

$ knife exec -E "puts nodes.all.first.keys"
tags
filesystem
network
counters
ipaddress
macaddress
ip6address
memory
kernel
lsb
os
os_version
platform
platform_version
platform_family
uptime_seconds
uptime
idletime_seconds
idletime
cpu
virtualization
root_group
block_device
ec2
cloud
ohai_time
languages
command
chef_packages
etc
current_user
init_package
keys
cloud_v2
dmi
hostname
machinename
domain
recipes
roles

Knife Zero Bootstrap でWhitelistを指定する。

Chefに元々ある機能ということで、knife-zeroのv1.7でBootstrap時にWhitelistも使うように機能を追加しました。

たとえばknife.rbにこの様に書いて、あらためてBootstrapしてみます。

knife.rb
knife[:automatic_attribute_whitelist] = [
  "fqdn/",
  "os/",
  "os_version/",
  "hostname",
  "ipaddress/",
  "roles/",
  "recipes/",
  "ipaddress/",
  "platform/",
  "platform_version/",
  "platform_version/",
  "cloud/",
  "cloud_v2/",
  "ec2/ami_id/",
  "ec2/instance_id/",
  "ec2/instance_type/",
  "ec2/placement_availability_zone/",
  "chef_packages/"
]

Bootstrapされたインスタンスの/etc/chef/client.rbには、automatic_attribute_whitelistが追加されました。

/etc/chef/client.rb
log_location     STDOUT
chef_server_url  "chefzero://localhost:8889"
validation_client_name "chef-validator"
node_name "test-server"
ssl_verify_mode :none
automatic_attribute_whitelist ["fqdn/", "os/", "os_version/", "hostname", "ipaddress/", "roles/", "recipes/", "ipaddress/", "platform/", "platform_version/", "platform_version/", "cloud/", "cloud_v2/", "ec2/ami_id/", "ec2/instance_id/", "ec2/instance_type/", "ec2/placement_availability_zone/", "chef_packages/"]

Whitelistを指定したNodeオブジェクトの様子

ローカルのnode.json(nodes/test-server.json)にあるキーはこれだけになりました。

$ knife exec -E "puts nodes.all.first.keys"
tags
os
os_version
hostname
ipaddress
roles
recipes
platform
platform_version
cloud
cloud_v2
ec2
chef_packages

Vimで直接開いても画面に収まるくらいですね。

nodes/test-server.json
{
  "name": "test-server",
  "normal": {
    "tags": [

    ]
  },
  "automatic": {
    "os": "linux",
    "os_version": "3.14.35-28.38.amzn1.x86_64",
    "hostname": "test-server",
    "ipaddress": "10.0.1.122",
    "roles": [

    ],
    "recipes": [

    ],
    "platform": "amazon",
    "platform_version": "2015.03",
    "cloud": {
      "public_ips": [
        "52.69.40.215"
      ],
      "private_ips": [
        "10.0.1.122"
      ],
      "public_ipv4": "52.69.40.215",
      "public_hostname": "",
      "local_ipv4": "10.0.1.122",
      "local_hostname": "test-server.ap-northeast-1.compute.internal",
      "provider": "ec2"
    },
    "cloud_v2": {
      "public_ipv4_addrs": [
        "52.69.40.215"
      ],
      "local_ipv4_addrs": [
        "10.0.1.122"
      ],
      "provider": "ec2",
      "public_hostname": "",
      "local_hostname": "test-server.ap-northeast-1.compute.internal",
      "public_ipv4": "52.69.40.215",
      "local_ipv4": "10.0.1.122"
    },
    "ec2": {
      "ami_id": "ami-cbf90ecb",
      "instance_id": "i-0ef561fb",
      "instance_type": "t2.micro",
      "placement_availability_zone": "ap-northeast-1c"
    },
    "chef_packages": {
      "chef": {
        "version": "12.3.0",
        "chef_root": "/opt/chef/embedded/apps/chef/lib"
      },
      "ohai": {
        "version": "8.3.0",
        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/ohai-8.3.0/lib/ohai"
      }
    }
  }
}

これならあまりじゃんじゃんと変更はされません。

もうBootstrapしちゃったホストのclient.rbだけを更新して、Whitelist対応したい?

あら古いknife-zeroでBootstrapしちゃったわよ。という環境は、--no-convergeでbootstrapするやり方が用意されています。

--[no-]converge              Bootstrap without Chef-Client Run.(for only update client.rb)

通常のBootstrapは一度Chef-Clientが走るため、再度実行する際には気を使いましたが、--no-convergeオプションで実行しないという選択肢を追加。

$ knife zero bootstrap 52.69.40.215 -x ec2-user -i ~/.ssh/private_key --hint ec2 -N test-server --no-converge
Doing old-style registration with the validation key at ...
Delete your validation key in order to use your user credentials instead

Connecting to 52.69.40.215
52.69.40.215 -----> Existing Chef installation detected
52.69.40.215 Starting first Chef Client run...
52.69.40.215 Execution of Chef-Client has been canceled due to bootstrap_converge is false. <= Chef-Client実行をとりやめて終了

client.rbが書き換わったので、zero converge(chef_client)を実行すればスッキリNodeになります。

$ knife zero converge name:test-server -x ec2-user -i ~/.ssh/private_key -a cloud_v2.public_ipv4 
52.69.40.215 Starting Chef Client, version 12.3.0
52.69.40.215 resolving cookbooks for run list: []
52.69.40.215 Synchronizing Cookbooks:
52.69.40.215 Compiling Cookbooks...
52.69.40.215 [2015-06-15T08:27:08+00:00] WARN: Node test-server has an empty run list.
52.69.40.215 Converging 0 resources
52.69.40.215 [2015-06-15T08:27:08+00:00] WARN: Could not find whitelist attribute fqdn/.
52.69.40.215 
52.69.40.215 Running handlers:
52.69.40.215 Running handlers complete
52.69.40.215 Chef Client finished, 0/0 resources updated in 1.669752105 seconds

--[no-]convergeのフラグはknife[:bootstrap_converge]としてknife.rbでも指定OK、CLIオプション優先です。

knife[:bootstrap_converge] = true/false

ちなみに初回のBootstrapで--no-convergeしちゃうと、そもそもnodeオブジェクトができないため、その後convergeができません。やり直しです。


Twitterで拾った意見と、Github Issueに突貫してきたどこか異国の兄さん達のフィードバックが反映されました。

Why not register and get more from Qiita?
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away
Comments
No comments
Sign up for free and join this conversation.
If you already have a Qiita account
Why do not you register as a user and use Qiita more conveniently?
You need to log in to use this function. Qiita can be used more conveniently after logging in.
You seem to be reading articles frequently this month. Qiita can be used more conveniently after logging in.
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away
ユーザーは見つかりませんでした