This repository contains all infrastructure automation code that we use to set
up and configure servers, virtual machines, and applications for Kosmos hosted
services.

Chef cookbooks are written in Ruby, and based on [Chef Infra
resources](https://docs.chef.io/resources/). Some cookbooks contain integration
test suites based on [Test Kitchen](https://docs.chef.io/workstation/kitchen/).

Note: Manual configuration of servers and applications is highly discouraged,
and can be overwritten or lost without notice!

## Setup

### Install Chef Workstation

* macOS, Windows, RHEL, Ubuntu: https://docs.chef.io/workstation/install_workstation/
* Arch Linux: https://aur.archlinux.org/packages/chef-workstation

#### rbenv

If you use rbenv to manage Ruby versions on your system, install the
[rbenv-chef-workstation](https://github.com/docwhat/rbenv-chef-workstation)
plugin.

### Install gem dependencies

Clone this repository, `cd` into it, and run:

```sh
bundle install
```

## Common tasks

### Bootstrap a new host server

```sh
knife zero bootstrap root@server-name.kosmos.org --run-list "role[base],role[kvm_host]" --secret-file .chef/encrypted_data_bag_secret
```

### Bootstrap a new VM

```sh
knife zero bootstrap ubuntu@zerotier-ip-address -x ubuntu --sudo --run-list "role[base],role[kvm_guest]" --secret-file .chef/encrypted_data_bag_secret
```

### Bootstrap a new VM with environment and role/app (postgres replica as example)

```sh
knife zero bootstrap ubuntu@10.1.1.134 -x ubuntu --sudo --environment production --run-list "role[base],role[kvm_guest],role[postgresql_replica]" --secret-file .chef/encrypted_data_bag_secret
```

### Run Chef Zero on a host server

```sh
knife zero converge -p2222 name:server-name.kosmos.org
```

### Run Chef Zero on a VM

```sh
knife zero converge -a knife_zero.host name:vm-name-23
```

### Update Chef Client on a server

```sh
knife zero converge name:dev.kosmos.org --client-version 15.3.14
```

## Managing cookbooks

Cookbooks are managed via Berkshelf. Run `berks --help` for command help.

Install cookbooks listed in Berksfile:

```sh
berks install
```

Vendor installed cookbooks to the `cookbooks/` dir:

```sh
berks vendor cookbooks/ --delete
```

## "Expired" TLS certificates

If you encounter expired TLS certificates during a Chef run (e.g. for remote
files), the issue is likely that the certificate has been issued by Let's
Encrypt and Chef is still using its own, outdated CA cert store (see
[here](https://github.com/chef/chef/issues/12126#issuecomment-932067530) for
an example).

As a hotfix, you can manually remove the "DST Root CA X3" cert from
`/opt/chef/embedded/ssl/cert.pem` on the machine you're trying to converge.
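The hotfix above, automated as an added example (Ruby, which Chef already ships; this script is not part of this repository): it splits the CA bundle into PEM blocks, parses each with OpenSSL, keeps a backup, and rewrites the file without the certificate whose subject CN is "DST Root CA X3". The bundle path is passed as the first argument; the Mozilla-style comment lines between certificates in `cert.pem` are not preserved.

```ruby
# Remove a CA certificate (matched by subject CN) from a PEM bundle such as
# /opt/chef/embedded/ssl/cert.pem.  Usage: ruby remove_ca.rb /opt/chef/embedded/ssl/cert.pem
require "openssl"

PEM_BLOCK = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# Subject CN of a single PEM certificate, or nil if the block does not parse.
def subject_cn(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  entry = cert.subject.to_a.find { |name, _value, _type| name == "CN" }
  entry && entry[1]
rescue OpenSSL::X509::CertificateError
  nil
end

# New bundle text without the certificates whose subject CN equals `cn`.
# Blocks that fail to parse are kept, so trust anchors are never dropped silently.
def remove_cert_by_cn(bundle, cn)
  bundle.scan(PEM_BLOCK).reject { |pem| subject_cn(pem) == cn }.join("\n") + "\n"
end

# Self-signed certificate with the given CN; constructed test data only,
# not a real root (the DST Root CA X3 name here is used only as a label).
def make_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  path = ARGV[0]
  original = File.read(path)
  File.write("#{path}.bak", original)              # keep a copy of the old bundle
  cleaned = remove_cert_by_cn(original, "DST Root CA X3")
  File.write(path, cleaned)
  removed = original.scan(PEM_BLOCK).size - cleaned.scan(PEM_BLOCK).size
  puts "#{removed} certificate(s) removed; backup at #{path}.bak"
end
```

Updating Chef Client (see `--client-version` above) replaces the bundled cert store and is the durable fix; the script only unblocks a converge on a machine that cannot be updated right away.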