diff --git a/README.md b/README.md index 145f8fc..ea81aeb 100644 --- a/README.md +++ b/README.md 
@@ -1,27 +1,43 @@ -# chef-server - -chef-server will run Chef Server 12 in an Ubuntu Trusty 14.04 LTS container. +# Chef Server Docker Container Image +![N|Solid](https://i.imgur.com/xPY9jpK.png) +chef-server will run Chef Server 12 in an Ubuntu Trusty 14.04 LTS container. Image Size: Approximately 1GB This is a fork of: [base/chef-server](https://registry.hub.docker.com/u/base/chef-server/). -## Environment -##### Protocol / Port -Chef is running over HTTPS/443 by default. +# Environment +#### Protocol / Port +Chef is running over HTTPS/443 by default. You can however change that to another port by adding `-e SSL_PORT=new_port` to the `docker run` command below and update the expose port `-p` accordingly. -##### SSL certificate -When Chef Server gets configured it creates an SSL certificate based on the container's FQDN (i.e "103d6875c1c5" which is the "CONTAINER ID"). This default behiavior has been changed to always produce an SSL certificate file named "chef-server.crt". +# SSL certificate +When Chef Server gets configured it creates an SSL certificate based on the container's FQDN (i.e "103d6875c1c5" which is the "CONTAINER ID"). This default behavior has been changed to always produce an SSL certificate file named "chef-server.crt". You can change the certificate name by adding `-e CONTAINER_NAME=new_name` to the `docker run` command. Remember to reflect that change in config.rb! -##### Logs +# Logs `/var/log/` is accessible via a volume directory. Feel free to optionally to use it with the `docker run` command above by adding: `-v ~/chef-logs:/var/log` -##### DNS -The container needs to be **DNS resolvable!** -Be sure **'chef-server'** or **$CONTAINER_NAME** is pointing to the container's IP! +# DNS +The container needs to be **DNS resolvable!** +Be sure **'chef-server'** or **$CONTAINER_NAME** is pointing to the container's IP! This needs to be done to match the SSL certificate name with the `chef_server_url ` from knife's `config.rb` file. 
+# Setup Chef User & Organization +The following parameters have been added to assist you in defining a default chef user and organization. + +| Parameter | Description | +| ------------- |:-------------:| +| CHEF_USER | Define your chef username. If not set, username defaults to admin. | +| CHEF_PASS | Define your chef user's password. Default generates a random password. | +| CHEF_MAIL | Sets your chef user's email address. Default is admin@. | +| CHEF_ORG | Defines the name of the organization that is created during setup. Default is set to 'my_org'. | +| CHEF_ORGDESC | Sets your chef organization's description. If not set, default is 'Default organization'. | + +Set these parameters after the `-e` switch. Example below. +```bash +$ sudo docker run --privileged -t -e CONTAINER_NAME='' -e CHEF_USER='' -e CHEF_PASS='' -e CHEF_MAIL='' -e CHEF_ORG='' -e CHEF_ORGDESC='' --name chef-server -d -p 443:443 cbuisson/chef-server +``` + ## Start the container Docker command: @@ -37,13 +53,22 @@ $ docker logs -f chef-server ## Setup knife -Once Chef Server 12 is configured, you can download the Knife admin keys here: +Once Chef Server 12 is configured, you can download the Knife admin keys with these steps: + +#### Login to a shell session on your container. ```bash -curl -Ok https://chef-server:$SSL_PORT/knife_admin_key.tar.gz +sudo docker exec -it /bin/bash +``` +#### Copy your user & organization pem keys. +```bash +cat /etc/chef/.pem +cat /etc/chef/-validator.pem +``` +Save the above keys to your local workstation (where you have knife installed). Then create a config.rb file with the contents. +```bash +vim ~/.chef/config.rb ``` - -Then un-tar that archive and point your config.rb to the `admin.pem` and `my_org-validator.pem` files. *config.rb* example: 
@@ -52,36 +77,36 @@ log_level :info log_location STDOUT cache_type 'BasicFile' node_name 'admin' -client_key '/home/cbuisson/.chef/admin.pem' +client_key '/home//.chef/.pem' validation_client_name 'my_org-validator' -validation_key '/home/cbuisson/.chef/my_org-validator.pem' -chef_server_url 'https://chef-server:$SSL_PORT/organizations/my_org' +validation_key '/home//.chef/-validator.pem' +chef_server_url 'https://:$SSL_PORT/organizations/' ``` When the config.rb file is ready, you will need to get the SSL certificate file from the container to access Chef Server: ```bash -cbuisson@server:~/.chef# knife ssl fetch +@server:~/.chef# knife ssl fetch WARNING: Certificates from chef-server will be fetched and placed in your trusted_cert -directory (/home/cbuisson/.chef/trusted_certs). +directory (/home//.chef/trusted_certs). Knife has no means to verify these are the correct certificates. You should verify the authenticity of these certificates after downloading. -Adding certificate for chef-server in /home/cbuisson/.chef/trusted_certs/chef-server.crt +Adding certificate for chef-server in /home//.chef/trusted_certs/chef-server.crt ``` You should now be able to use the knife command! ```bash -cbuisson@server:~# knife user list +@server:~# knife user list admin ``` **Done!** ##### Note -Chef-Server running inside a container isn't officially supported by [Chef](https://www.chef.io/about/) and as a result the webui isn't available. +Chef-Server running inside a container isn't officially supported by [Chef](https://www.chef.io/about/) and as a result the webui isn't available. However the webui is not required since you can interact with Chef-Server via the `knife` and `chef-server-ctl` commands. ##### Tags -v1.0: Chef Server 11 +v1.0: Chef Server 11 v2.x: Chef Server 12 diff --git a/configure_chef.sh b/configure_chef.sh index 77fc998..b0b1250 100755 --- a/configure_chef.sh +++ b/configure_chef.sh 
@@ -10,8 +10,10 @@ else fi if [[ -z $CONTAINER_NAME ]]; then + chefFQDN=$(uname -n) echo "nginx['server_name']=\"chef-server\"" >> /etc/opscode/chef-server.rb else + chefFQDN="$CONTAINER_NAME" echo "nginx['server_name']=\"$CONTAINER_NAME\"" >> /etc/opscode/chef-server.rb fi 
@@ -52,17 +54,48 @@ fi echo -e "\n\n$URL is available!\n" echo -e "\nSetting up admin user and default organization" -chef-server-ctl user-create admin Admin User admin@myorg.com "passwd" --filename /etc/chef/admin.pem -chef-server-ctl org-create my_org "Default organization" --association_user admin --filename /etc/chef/my_org-validator.pem + +if [[ -z $CHEF_MAIL ]]; then + chefMail="admin@$chefFDQN"; +else + chefMail="$CHEF_MAIL" +fi + + +if [[ -z $CHEF_USER ]]; then + chefUser="admin"; +else + chefUser="$CHEF_USER" +fi + +if [[ -z $CHEF_PASS ]]; then + chefPass=$(strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 32 | tr -d '\n'; echo) + echo "$chefPass" >> /etc/chef/chefUserPass.txt +else + chefPass="$CHEF_PASS"; +fi + +chef-server-ctl user-create "$chefUser" "$chefUser" "User" "$chefMail" "$chefPass" --filename "/etc/chef/$chefUser.pem" + +if [[ -z $CHEF_ORG ]]; then + chefOrg="my_org"; +else + chefOrg="$CHEF_ORG" +fi + +if [[ -z $CHEF_ORGDESC ]]; then + chefOrgDesc="Default organization" +else + chefOrgDesc="$CHEF_ORGDESC"; +fi + +chef-server-ctl org-create "$chefOrg" "$chefOrgDesc" --association_user "$chefUser" --filename "/etc/chef/$chefOrg-validator.pem" echo -e "\nRunning: 'chef-server-ctl install chef-manage'"... chef-server-ctl install chef-manage echo -e "\nRunning: 'chef-server-ctl reconfigure'"... chef-server-ctl reconfigure echo "{ \"error\": \"Please use https:// instead of http:// !\" }" > /var/opt/opscode/nginx/html/500.json sed -i "s,/503.json;,/503.json;\n error_page 497 =503 /500.json;,g" /var/opt/opscode/nginx/etc/chef_https_lb.conf -sed -i '$i\ location /knife_admin_key.tar.gz {\n default_type application/zip;\n alias /etc/chef/knife_admin_key.tar.gz;\n }' /var/opt/opscode/nginx/etc/chef_https_lb.conf -echo -e "\nCreating tar file with the Knife keys" -cd /etc/chef/ && tar -cvzf knife_admin_key.tar.gz admin.pem my_org-validator.pem echo -e "\nRestart Nginx..." chef-server-ctl restart nginx chef-server-ctl status
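Review bot: in the README hunk `@@ -1,27 +1,43 @@`, the parameter table leaves two gaps a user hits immediately: the CHEF_PASS row says a random password is generated but not where it is written (configure_chef.sh appends it to `/etc/chef/chefUserPass.txt`; say so here and add a `docker exec ... cat` step), and the CHEF_MAIL row reads "Default is admin@." with nothing after the `@`. Worth adding that values passed with `-e CHEF_PASS=...` stay readable on the host via `docker inspect` and in shell history, so users who care about that should rely on the generated password or supply the variables with `--env-file`. Minor: promoting the section headings from `##`/`#####` to `#`/`####` puts them at the same level as the document title; keep the title as the only `#`.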
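Review bot: in the README hunk `@@ -37,13 +53,22 @@`, the new commands are missing their arguments as rendered: `sudo docker exec -it /bin/bash` has no container name, and `cat /etc/chef/.pem` / `cat /etc/chef/-validator.pem` have no user or org. Placeholders written in angle brackets are swallowed as HTML by Markdown renderers; write them as `$CHEF_USER` / `$CHEF_ORG` or escape the brackets so the intended names survive. Dropping the `curl -Ok https://chef-server:$SSL_PORT/knife_admin_key.tar.gz` step is the right call, since the removed nginx `alias` served both private keys to anyone who could reach port 443 with no authentication; a line under "Tags" noting that the endpoint is gone would tell existing users why their download now fails.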
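Review bot: in the config.rb hunk `@@ -52,36 +77,36 @@`, `validation_client_name 'my_org-validator'` is still hard-coded while `validation_key` and `chef_server_url` now use the org placeholder; if CHEF_ORG is set to anything other than `my_org`, knife will present the wrong validator name, so make it the same placeholder. Also, `$SSL_PORT` inside a single-quoted Ruby string is a literal, not a substituted port (config.rb is Ruby, not shell), so the example should show a concrete port such as 443 or tell the reader to substitute the value used in `-p`. The paths render as `/home//.chef/.pem` for the same angle-bracket reason as in the knife section.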
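Review bot: in the `configure_chef.sh` hunk `@@ -10,8 +10,10 @@`, when CONTAINER_NAME is unset `chefFQDN` is taken from `uname -n` (the container ID hostname) while `nginx['server_name']` on the next line is set to the literal `chef-server`; the two should agree, so set `chefFQDN="chef-server"` in that branch. As written, the default e-mail domain derived from it later is the container ID rather than the name the README tells users to put in DNS.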
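Review bot: in the `configure_chef.sh` hunk `@@ -52,17 +54,48 @@`, `chefMail="admin@$chefFDQN"` misspells the variable defined earlier as `chefFQDN`, so the default e-mail is `admin@` with an empty domain (which is what the README table ends up documenting); fix the spelling and consider `set -u` so an unset variable aborts the bootstrap instead of silently expanding to nothing. The generated password is appended (`>>`) to `/etc/chef/chefUserPass.txt` under whatever umask the script inherits (typically 022, i.e. world-readable inside the container) and accumulates across re-runs; write it with `>`, `chmod 600` it or set `umask 077` before the redirect, and document the path in the README. The generator itself can be `tr -dc '[:alnum:]' </dev/urandom | head -c 32`, which drops the `strings`/`grep` pipeline and the stray `; echo`. Passing `$chefPass` on the `chef-server-ctl user-create` command line exposes it in the process list while the command runs; that was already true of the old hard-coded `"passwd"` and is tolerable for a one-shot bootstrap, but it is worth a comment. Removing the nginx `location /knife_admin_key.tar.gz` alias and the `tar` step closes the unauthenticated key download; good.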