Chef Server 12 is now supported

c-buisson · c-buisson · commit 3f52f78fc873 · 2017-03-02T16:53:07.000-08:00
- The container won't reconfigure Chef after a reboot
- Better logging
- Removed unused commands
diff --git a/Dockerfile b/Dockerfile
@@ -1,22 +1,17 @@
 FROM ubuntu:14.04
 MAINTAINER Clement Buisson <clement.buisson@gmail.com>
-#This is a fork of base/chef-server
 
 ENV DEBIAN_FRONTEND noninteractive
 RUN apt-get update && \
     apt-get install -yq --no-install-recommends wget curl && \
-    wget --no-check-certificate --content-disposition "http://www.opscode.com/chef/download-server?p=ubuntu&pv=14.04&m=x86_64&v=11&prerelease=false&nightlies=false" && \
+    wget --no-check-certificate --content-disposition "http://www.opscode.com/chef/download-server?p=ubuntu&pv=14.04&m=x86_64&v=12&prerelease=false&nightlies=false" && \
     dpkg -i chef-server*.deb && \
     rm chef-server*.deb && \
     apt-get remove -y wget && \
     rm -rf /var/lib/apt/lists/*
 
-RUN dpkg-divert --local --rename --add /sbin/initctl
-RUN ln -sf /bin/true /sbin/initctl
-
-ADD reconfigure_chef.sh /usr/local/bin/
+ADD configure_chef.sh /usr/local/bin/
 ADD run.sh /usr/local/bin/
-CMD rsyslogd -n
 VOLUME /root/
 VOLUME /var/log
 CMD ["run.sh"]
diff --git a/README.md b/README.md
@@ -1,50 +1,74 @@
 # chef-server
 
-chef-server is running Chef Server 11 in a Ubuntu Trusty 14.04 LTS container.
-Image Size: 1.025 GB
+chef-server will run Chef Server 12 in an Ubuntu Trusty 14.04 LTS container.
+Image Size: 1.124 GB
 
 This is a fork of: [base/chef-server](https://registry.hub.docker.com/u/base/chef-server/).
 
 ## Environment
 Chef is running over HTTPS/443 by default. You can however change that to another port by updating the `CHEF_PORT` variable and the expose port `-p`.
 
-You will need to use Chef 11.X in order to be able to use Knife.
-Check Knife's version:
-```bash
-cbuisson@t530:~# knife -v
-Chef: 11.16.4
-```
-*If you have Chef 12 installed on your Docker server, you will need to use* `knife ssl fetch` *in order to get the SSL certificates from the container. Don't forget to update `chef_server_url` with the container ID in knife.rb!*
-
 ## Usage
-*With log output:*
+*Launch the container:*
 
 ```
-$ docker run --privileged -e CHEF_PORT=443 --name chef-server -d -v ~/chef-logs:/var/log -v ~/install-chef-out:/root -p 443:443 cbuisson/chef-server
+$ docker run --privileged -e CHEF_PORT=443 --name chef-server -d -p 443:443 cbuisson/chef-server
 ```
 
-*Just the container:*
+*Launch the container with logs volumes:*
 
 ```
-$ docker run --privileged -e CHEF_PORT=443 --name chef-server -d -p 443:443 cbuisson/chef-server
+$ docker run --privileged -e CHEF_PORT=443 --name chef-server -d -v ~/chef-logs:/var/log -v ~/install-chef-out:/root -p 443:443 cbuisson/chef-server
 ```
 
-Once the Chef server is configured, you can download the Knife admin keys here:
+Once Chef Server 12 is configured, you can download the Knife admin keys here:
 
 ```
-$ curl -Ok https://IP_HOST:CHEF_PORT/knife_admin_key.tar.gz
+$ curl -Ok https://CONTAINER_ID:CHEF_PORT/knife_admin_key.tar.gz
 ```
 
-Then un-tar that archive and point your knife.rb to the `admin.pem` and `chef-validator.pem` files.
+Then un-tar that archive and point your config.rb to the `admin.pem` and `admin-validator.pem` files.
 
-*knife.rb* example:
-```bash
+*config.rb* example:
+
+```ruby
 log_level                :info
 log_location             STDOUT
 cache_type               'BasicFile'
 node_name                'admin'
 client_key               '/home/cbuisson/.chef/admin.pem'
-validation_client_name   'chef-validator'
-validation_key           '/home/cbuisson/.chef/chef-validator.pem'
-chef_server_url          'https://IP_HOST:CHEF_PORT'
+validation_client_name   'admin-validator'
+validation_key           '/home/cbuisson/.chef/admin-validator.pem'
+chef_server_url          'https://CONTAINER_ID:CHEF_PORT/organizations/my_org'
+```
+Note: CONTAINER_ID **needs** to be resolvable by hostname!
+
+When the config.rb file is ready, you will need to get the SSL certificate files from the container to access Chef Server:
+
+```bash
+cbuisson@t530:~/.chef# knife ssl fetch
+WARNING: Certificates from 512ab20b1e0d will be fetched and placed in your trusted_cert
+directory (/home/cbuisson/.chef/trusted_certs).
+
+Knife has no means to verify these are the correct certificates. You should
+verify the authenticity of these certificates after downloading.
+
+Adding certificate for 512ab20b1e0d in /home/cbuisson/.chef/trusted_certs/512ab20b1e0d.crt
 ```
+
+You should now be able to use the knife command!
+```bash
+cbuisson@t530:~# knife user list
+admin
+```
+
+##### Known issue
+`chef-manage-ctl reconfigure` needs to run in order to access the Chef webui. When this command is executed within the container, it blocks here:
+```bash
+* ruby_block[wait for redis service socket] action run
+```
+Therefore the Chef Server 12 webui isn't available at the moment, however this isn't required to use Chef since Knife is working.
+
+##### Tags
+v1.0: Chef Server 11
+v2.0: Chef Server 12
diff --git a/configure_chef.sh b/configure_chef.sh
@@ -0,0 +1,45 @@
+#/bin/bash -x
+
+chef-server-ctl reconfigure |tee /root/out.txt
+
+URL="http://127.0.0.1:8000/_status"
+CODE=1
+SECONDS=0
+TIMEOUT=60
+
+return=`curl -sf ${URL}`
+echo "${URL} returns: ${return}" |tee -a /root/out.txt
+
+if [[ -z "$return" ]]; then
+  echo "Error while running chef-server-ctl reconfigure" |tee -a /root/out.txt
+  echo -e "Blocking until <${URL}> responds...\n" |tee -a /root/out.txt
+
+  while [ $CODE -ne 0 ]; do
+
+    curl -sf \
+         --connect-timeout 3 \
+         --max-time 5 \
+         --fail \
+         --silent \
+         ${URL}
+
+    CODE=$?
+
+    sleep 2
+    echo -n "." |tee -a /root/out.txt
+
+    if [ $SECONDS -ge $TIMEOUT ]; then
+      echo "$URL is not available after $SECONDS seconds...stopping the script!" |tee -a /root/out.txt
+      exit 1
+    fi
+
+  done;
+  echo -e "\n\n$URL is available!\n" |tee -a /root/out.txt
+  echo -e "\nSetting up admin user and default organization" |tee -a /root/out.txt
+  chef-server-ctl user-create admin Admin User admin@myorg.com "passwd"  --filename /etc/chef/admin.pem |tee -a /root/out.txt
+  chef-server-ctl org-create my_org "Default organization" --association_user admin --filename /etc/chef/admin-validator.pem |tee -a /root/out.txt
+  echo -e "\nRunning: chef-server-ctl install chef-manage" |tee -a /root/out.txt
+  chef-server-ctl install chef-manage |tee -a /root/out.txt
+  echo -e "\nRunning: chef-server-ctl reconfigure" |tee -a /root/out.txt
+  chef-server-ctl reconfigure |tee -a /root/out.txt
+fi
diff --git a/reconfigure_chef.sh b/reconfigure_chef.sh
diff --git a/run.sh b/run.sh
@@ -1,103 +1,20 @@
 #!/bin/bash -xe
 sysctl -w kernel.shmmax=17179869184
-/opt/chef-server/embedded/bin/runsvdir-start &
-/usr/local/bin/reconfigure_chef.sh
-hostname=`hostname`
-cat > /var/opt/chef-server/nginx/etc/chef_https_lb.conf << EOL
-server {
-  listen $CHEF_PORT;
-  server_name $hostname;
-  access_log /var/log/chef-server/nginx/access.log opscode;
-
-  ssl on;
-  ssl_certificate /var/opt/chef-server/nginx/ca/${hostname}.crt;
-  ssl_certificate_key /var/opt/chef-server/nginx/ca/${hostname}.key;
-
-  ssl_session_timeout 5m;
-
-  ssl_protocols SSLv3 TLSv1;
-  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
-  ssl_prefer_server_ciphers on;
-
-  root /var/opt/chef-server/nginx/html;
-
-  client_max_body_size 250m;
-
-  proxy_set_header Host \$host:\$server_port;
-  proxy_set_header X-Real-IP \$remote_addr;
-  proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-  proxy_set_header X-Forwarded-Proto https;
-  proxy_pass_request_headers on;
-  proxy_connect_timeout   1;
-  proxy_send_timeout      300;
-  proxy_read_timeout      300;
-
-  error_page 404 =404 /404.html;
-  error_page 503 =503 /503.json;
-
-  location /nginx_status {
-    stub_status on;
-    access_log   off;
-    allow 127.0.0.1;
-    deny all;
-    }
-
-  location /knife_admin_key.tar.gz {
-    default_type application/zip;
-    alias /etc/chef-server/knife_admin_key.tar.gz;
-  }
-
-  location /version {
-    types { }
-    default_type text/plain;
-    alias /opt/chef-server/version-manifest.txt;
-  }
-
-  location /docs {
-    index index.html ;
-    alias /opt/chef-server/docs;
-  }
-
-  # bookshelf
-  location ~ "/bookshelf/{0,1}.*$" {
-    proxy_pass http://bookshelf;
-  }
-
-  location ~ "^/(?:stylesheets|javascripts|images|facebox|css|favicon|robots|humans)/{0,1}.*$" {
-    if (\$http_x_chef_version ~* "^(\d+\.\d+?)\..+$") {
-      error_page 400 =400 /400-chef_client_manage.json;
-      return 400;
-    }
-    proxy_pass http://chef_server_webui;
-    proxy_pass_request_headers off;
-    proxy_cache webui-cache;
-    proxy_cache_valid 200 302 300m;
-    proxy_cache_valid 404 1m;
-  }
-
- location = /_status {
-    proxy_pass http://erchef/_status;
-  }
-
- location = /_status/ {
-    proxy_pass http://erchef/_status;
-  }
-
-  location / {
-    set \$my_upstream erchef;
-    if (\$http_x_ops_userid = "") {
-      set \$my_upstream chef_server_webui;
-    }
-    proxy_redirect http://\$my_upstream /;
-    proxy_pass http://\$my_upstream;
-  }
-}
-EOL
-cd /etc/chef-server/ && tar -cvzf knife_admin_key.tar.gz admin.pem chef-validator.pem
-cat > /etc/chef-server/chef-server.rb << EOL
-nginx['ssl_port'] = $CHEF_PORT
-EOL
-chef-server-ctl restart nginx
-chef-server-ctl status >> /root/out.txt
-echo "Done!" >> /root/out.txt
-tail -F /opt/chef-server/embedded/service/*/log/current
+/opt/opscode/embedded/bin/runsvdir-start &
+if [ -f "/root/chef_configured" ]
+  then
+    echo -e "\nChef Server already configured!\n" |tee -a /root/out.txt
+    chef-server-ctl status |tee -a /root/out.txt
+  else
+    /usr/local/bin/configure_chef.sh
+    sed -i "s,    listen 443;,    listen $CHEF_PORT;,g" /var/opt/opscode/nginx/etc/chef_https_lb.conf
+    sed -i '$i\    location /knife_admin_key.tar.gz {\n      default_type application/zip;\n      alias /etc/chef/knife_admin_key.tar.gz;\n    }' /var/opt/opscode/nginx/etc/chef_https_lb.conf
+    echo -e "\nCreating tar file with the Knife keys" |tee -a /root/out.txt
+    cd /etc/chef/ && tar -cvzf knife_admin_key.tar.gz admin.pem admin-validator.pem
+    echo -e "\nRestart Nginx..." |tee -a /root/out.txt
+    chef-server-ctl restart nginx
+    chef-server-ctl status |tee -a /root/out.txt
+    touch /root/chef_configured
+    echo -e "\n\nDone!\n" |tee -a /root/out.txt
+fi
+tail -F /opt/opscode/embedded/service/*/log/current
