Edited at

Knife-Zeroで管理するnodeオブジェクトを任意のattributesに限定する

More than 3 years have passed since last update.

Chef-ClientにはWhitelist Attributesという機能があって、Ohaiが収集した(Automatic)Attributesから、任意のAttributeのみ保存対象することができます。

使い方はclient.rbに書けばOK。


Knife Zero Bootstrap で普通にnodeオブジェクトを作成するとでかい

適当なAmazon EC2インスタンスにbootstrapを仕掛けてみます。

$ knife zero bootstrap 52.69.40.215 -x ec2-user -i ~/.ssh/privatekey --hint ec2 -N test-server

Doing old-style registration with the validation key at ...
Delete your validation key in order to use your user credentials instead

Connecting to 52.69.40.215
52.69.40.215 -----> Installing Chef Omnibus (-v 12)
52.69.40.215 downloading https://www.opscode.com/chef/install.sh
52.69.40.215 to file /tmp/install.sh.2281/install.sh
52.69.40.215 trying wget...
52.69.40.215 Downloading Chef 12 for el...
52.69.40.215 downloading https://www.opscode.com/chef/metadata?v=12&prerelease=false&nightlies=false&p=el&pv=6&m=x86_64
52.69.40.215 to file /tmp/install.sh.2286/metadata.txt
52.69.40.215 trying wget...
52.69.40.215 url https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-12.3.0-1.el6.x86_64.rpm
52.69.40.215 md5 c19fefcb3d033107e9fbdb3839312584
52.69.40.215 sha256 4b7c846a9ad93564cc203a5ac99890431f7d6ad159c424aa89827fd772c9881d
52.69.40.215 downloaded metadata file looks valid...
52.69.40.215 downloading https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-12.3.0-1.el6.x86_64.rpm
52.69.40.215 to file /tmp/install.sh.2286/chef-12.3.0-1.el6.x86_64.rpm
52.69.40.215 trying wget...
52.69.40.215 Comparing checksum with sha256sum...
52.69.40.215 Installing Chef 12
52.69.40.215 installing with rpm...
52.69.40.215 warning: /tmp/install.sh.2286/chef-12.3.0-1.el6.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY
52.69.40.215 Preparing... ################################# [100%]
52.69.40.215 Updating / installing...
52.69.40.215 1:chef-12.3.0-1.el6 ################################# [100%]
52.69.40.215 Thank you for installing Chef!
52.69.40.215 Starting first Chef Client run...
52.69.40.215 Starting Chef Client, version 12.3.0
52.69.40.215 Creating a new client identity for test-server using the validator key.
52.69.40.215 resolving cookbooks for run list: []
52.69.40.215 Synchronizing Cookbooks:
52.69.40.215 Compiling Cookbooks...
52.69.40.215 [2015-06-15T08:00:47+00:00] WARN: Node test-server has an empty run list.
52.69.40.215 Converging 0 resources
52.69.40.215
52.69.40.215 Running handlers:
52.69.40.215 Running handlers complete
52.69.40.215 Chef Client finished, 0/0 resources updated in 2.739626435 seconds


Whitelistなしで採集したNodeオブジェクトのキーを確認

無策でやるとタップリとれました。固定的な値と状況による値が混在しているので、例えばnodeオブジェクトもgitの管理対象にしたいなーというケースで特に面倒です。

$ knife exec -E "puts nodes.all.first.keys"

tags
filesystem
network
counters
ipaddress
macaddress
ip6address
memory
kernel
lsb
os
os_version
platform
platform_version
platform_family
uptime_seconds
uptime
idletime_seconds
idletime
cpu
virtualization
root_group
block_device
ec2
cloud
ohai_time
languages
command
chef_packages
etc
current_user
init_package
keys
cloud_v2
dmi
hostname
machinename
domain
recipes
roles


Knife Zero Bootstrap でWhitelistを指定する。

Chefに元々ある機能ということで、knife-zeroのv1.7でBootstrap時にWhitelistも使うように機能を追加しました。

たとえばknife.rbにこの様に書いて、あらためてBootstrapしてみます。


knife.rb

knife[:automatic_attribute_whitelist] = [

"fqdn/",
"os/",
"os_version/",
"hostname",
"ipaddress/",
"roles/",
"recipes/",
"ipaddress/",
"platform/",
"platform_version/",
"platform_version/",
"cloud/",
"cloud_v2/",
"ec2/ami_id/",
"ec2/instance_id/",
"ec2/instance_type/",
"ec2/placement_availability_zone/",
"chef_packages/"
]

Bootstrapされたインスタンスの/etc/chef/client.rbには、automatic_attribute_whitelistが追加されました。


/etc/chef/client.rb

log_location     STDOUT

chef_server_url "chefzero://localhost:8889"
validation_client_name "chef-validator"
node_name "test-server"
ssl_verify_mode :none
automatic_attribute_whitelist ["fqdn/", "os/", "os_version/", "hostname", "ipaddress/", "roles/", "recipes/", "ipaddress/", "platform/", "platform_version/", "platform_version/", "cloud/", "cloud_v2/", "ec2/ami_id/", "ec2/instance_id/", "ec2/instance_type/", "ec2/placement_availability_zone/", "chef_packages/"]


Whitelistを指定したNodeオブジェクトの様子

ローカルのnode.json(nodes/test-server.json)にあるキーはこれだけになりました。

$ knife exec -E "puts nodes.all.first.keys"

tags
os
os_version
hostname
ipaddress
roles
recipes
platform
platform_version
cloud
cloud_v2
ec2
chef_packages

Vimで直接開いても画面に収まるくらいですね。


nodes/test-server.json

{

"name": "test-server",
"normal": {
"tags": [

]
},
"automatic": {
"os": "linux",
"os_version": "3.14.35-28.38.amzn1.x86_64",
"hostname": "test-server",
"ipaddress": "10.0.1.122",
"roles": [

],
"recipes": [

],
"platform": "amazon",
"platform_version": "2015.03",
"cloud": {
"public_ips": [
"52.69.40.215"
],
"private_ips": [
"10.0.1.122"
],
"public_ipv4": "52.69.40.215",
"public_hostname": "",
"local_ipv4": "10.0.1.122",
"local_hostname": "test-server.ap-northeast-1.compute.internal",
"provider": "ec2"
},
"cloud_v2": {
"public_ipv4_addrs": [
"52.69.40.215"
],
"local_ipv4_addrs": [
"10.0.1.122"
],
"provider": "ec2",
"public_hostname": "",
"local_hostname": "test-server.ap-northeast-1.compute.internal",
"public_ipv4": "52.69.40.215",
"local_ipv4": "10.0.1.122"
},
"ec2": {
"ami_id": "ami-cbf90ecb",
"instance_id": "i-0ef561fb",
"instance_type": "t2.micro",
"placement_availability_zone": "ap-northeast-1c"
},
"chef_packages": {
"chef": {
"version": "12.3.0",
"chef_root": "/opt/chef/embedded/apps/chef/lib"
},
"ohai": {
"version": "8.3.0",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/ohai-8.3.0/lib/ohai"
}
}
}
}


これならあまりじゃんじゃんと変更はされません。


もうBootstrapしちゃったホストのclient.rbだけを更新して、Whitelist対応したい?

あら古いknife-zeroでBootstrapしちゃったわよ。という環境は、--no-convergeでbootstrapするやり方が用意されています。

--[no-]converge              Bootstrap without Chef-Client Run.(for only update client.rb)

通常のBootstrapは一度Chef-Clientが走るため、再度実行する際には気を使いましたが、--no-convergeオプションで実行しないという選択肢を追加。

$ knife zero bootstrap 52.69.40.215 -x ec2-user -i ~/.ssh/private_key --hint ec2 -N test-server --no-converge

Doing old-style registration with the validation key at ...
Delete your validation key in order to use your user credentials instead

Connecting to 52.69.40.215
52.69.40.215 -----> Existing Chef installation detected
52.69.40.215 Starting first Chef Client run...
52.69.40.215 Execution of Chef-Client has been canceled due to bootstrap_converge is false. <= Chef-Client実行をとりやめて終了

client.rbが書き換わったので、zero converge(chef_client)を実行すればスッキリNodeになります。

$ knife zero converge name:test-server -x ec2-user -i ~/.ssh/private_key -a cloud_v2.public_ipv4 

52.69.40.215 Starting Chef Client, version 12.3.0
52.69.40.215 resolving cookbooks for run list: []
52.69.40.215 Synchronizing Cookbooks:
52.69.40.215 Compiling Cookbooks...
52.69.40.215 [2015-06-15T08:27:08+00:00] WARN: Node test-server has an empty run list.
52.69.40.215 Converging 0 resources
52.69.40.215 [2015-06-15T08:27:08+00:00] WARN: Could not find whitelist attribute fqdn/.
52.69.40.215
52.69.40.215 Running handlers:
52.69.40.215 Running handlers complete
52.69.40.215 Chef Client finished, 0/0 resources updated in 1.669752105 seconds

--[no-]convergeのフラグはknife[:bootstrap_converge]としてknife.rbでも指定OK、CLIオプション優先です。

knife[:bootstrap_converge] = true/false

ちなみに初回のBootstrapで--no-convergeしちゃうと、そもそもnodeオブジェクトができないため、その後convergeができません。やり直しです。


Twitterで拾った意見と、Github Issueに突貫してきたどこか異国の兄さん達のフィードバックが反映されました。