Chef cookbook continuous deployment

chefcontinuous integrationJenkins

I'm trying to integrate my chef workflow to my usual continuous integration/deployment workflows.

I managed already to have a jenkins task which checks out the git repo and runs foodcritic but i can't figure out the last step: to push to cookbook to the chef server.

some ideas i thought of:

use knife: the problem is, that on the building nodes of my jenkins-server there is no knife installed and AFAIK knife needs a cookbook directory from which it would push the cookbook. On the other side i don't consider it a good practice to let the jenkins user execute all knife commands
use the knife ruby-gem and write some ruby-script to be used by jenkins: might work but i didn't want to experiment with that, because i don't think it is the best option anyway
make some REST-API calls with cURL or any similar library. After reading through the API-docs i don't think it's worth the hassle to implement that.

My the building node would be available as OSX and debian – if this is essential for my possible tool of choice.

So any experience would be appreciated!

Best Answer

If you want to push the cookbook to a chef server just for testing purposes, perhaps you will be better with chef-zero which is a "fast-start in-memory Chef server for testing and solo purposes".

Or, if you are just trying to test the cookbooks you can run the whole test without a chef server by using test-kitchen + minitest-chef-handler. I would suggest you don't use the "bats" but instead follow the minitest-chef-handler test cases examples

Serverfault Note: I still can't post more that 2 links for being a new member so try to follow them below:

minitest-chef-handler
  github: calavera/minitest-chef-handler

bats
  github: test-kitchen/test-kitchen/wiki/Getting-Started

test cases examples
  github: calavera/minitest-chef-handler#test-cases

Related Solutions

Chef best Practices/Questions

Edit This question and answer are years old. The definitive best practices are taught via the Learn Chef Rally self-paced training modules produced by Chef Software, Inc. The bulk of the original answer is below.

In this answer, "Chef" or "chef-client" usually refers to Chef Infra, the product. Opscode renamed to Chef Software, Inc in 2013. In April, 2019, Chef opened the source code for all its products, along with creating consistent brand naming.

Not clear if it's better to setup roles in ruby DSL, JSON, or from the management console? Why are there multiple ways to do the same thing?

2019 Update: Policyfiles are the best workflow to use. Roles are considered an inferior practice, and Chef Software, Inc. recommends migrating to Policyfiles.

There are multiple ways to do the same thing because people have different workflows. You pick the workflow that is best for your environment. Let me explain what the differences are so you can make an informed decision.

The Ruby DSL for Roles exists to make it easier to write roles without knowing the syntax of JSON. It is a simple way to get started with Roles. Once you have made changes, you upload them to the Chef Server with knife.

knife role from file myrole.rb

This converts the role to JSON and stores it on the server. If you have an environment that enforces the Chef Repository where your roles live as the source of truth, this works quite well.

JSON is what the Chef Server stores, so you also edit JSON directly in the management console. It does require more fields than the Ruby DSL in order for Knife to recognize it properly to upload. Those details are hidden to some degree via the web UI.

The disadvantage of using the webui/management console for editing roles is they aren't in your local version control system unless you download them from the server. You can do this with knife:

knife role show myrole -Fj

The -Fj tells knife to "display in JSON format." You can redirect the output to a .json file if you like.

Years ago update: There are additional knife commands for working with the files in the local chef repository. Currently these commands support only JSON format files. A community RFC is open which will address adding support for the Ruby DSL for these plugins. Here's a brief summary of the workflow.

Check content differences between the server and the local file.

knife diff roles/myrole.json

Upload a JSON formatted role file. The roles/ path is required. This gets mapped to the same API endpoint on the server.

knife upload roles/myrole.json

Download the content from the server overwriting the content of the file in the repository.

knife download roles/myrole.json

These commands come from knife-essentials, which is built into the chef client package.

Can you organize cookbooks into subdirectories? eg- we have custom software that I'd like to write a cookbook for and stick that into: chef-repo/cookbooks/ourcompanystuff/customsoftwarecookbook would this be a good practice?

No. Knife has an expectation of where cookbooks should live because it uses an API to upload cookbooks to the Server. This is set in the knife.rb with cookbook_path. In older versions of Chef Infra, you could specify an array of paths for cookbooks, but this is being deprecated because it required more maintenance and was confusing to users.

By convention we name customer specific or site specific cookbooks with the name prefixed in the cookbook diretory. For your example, it would be:

chef-repo/cookbooks/ourcompany_customsoftware

There might be multiple different cookbooks for "ourcompany" depending on what you're doing.

Further reference:

Do I create a cookbook for each type of role that specifies what it does? Do I have these cookbooks include other cookbooks (i.e.- the cookbook for my webserver role includes the apache cookbook). I'm not sure how cookbook inter-dependencies and inheritance are handled.

There is no direct relationship or dependency between roles and cookbooks.

Roles have a run list, which specifies the recipes and other roles that should be applied to any node that has that role. Nodes have a run list that can contain roles or recipes. When Chef runs on the node, it will expand the run list for all the roles and recipes it includes, and then download the cookbooks required. In a node run list:

recipe[apache2]

Chef will download the apache2 cookbook for the node so it can apply this recipe.

You might have a cookbook specific for a role in your infrastructure. More commonly you'll have cookbooks that are for setting up certain types of services like apache2, mysql, redis, haproxy, etc. Then you would put those into appropriate roles. If you have custom application specific things that need to happen to fulfill a role, then you could write this into a custom cookbook (like I referenced above).

Further reference:

Is there anything like puppets external node classifier so nodes automatically determine their roles?

"Yes." The Chef Infra Server does node data storage (in JSON) automatically, and the server also automatically indexes all the node data for search.

Further reference:

It seems like you can configure things with knife or within the management console, or editing JSON files? This is super confusing to me why there are so many ways to do things, it's paralyzing! Is there a reason to use one or the other?

The Chef Infra Server has a RESTful API that sends and receives JSON responses. Knife and the management console are user interfaces for interacting with the API from an administration point of view.

You can use the tool you like better, though the management console doesn't have as many features as Knife. Most people that use Chef Infra prefer the command-line interface for the power and flexibility it provides, even folks who are using Chef Infra on Windows. Further, knife is a plugin based tool that you can create new plugins to interact with the Chef Infra Server, or with other parts of your infrastruture.

Chef Infra is a set of libraries, primitives, and an API. It gives you the flexibility to build the configuration management system that works best for your infrastructure.

Debian – Optimal way to build and deploy a website as a .deb package

It seems that you create a binary debian package almost by hand using dpkg-deb command. While this approach is not that bad, you'll get better handling of a lot of things if you try to build packages by creating the source packages and then building binary packages out of those (even if it's architecture-independent files like PHP ones). This requires one-time configuration of several files in debian/ directory.

There is a special debian/rules file which decides what to run in order to build Debian packages of different flavors (i.e. source, binary, binary-independent) and to maintain build directory itself. You might consider running all your build tools from this file rather then invoking them one by one. To fix the problem with setting owners/permissions during the build from the unprivileged user you would need to run the whole process of building Debian packages under fakeroot wrapper. For official debian packages this can be achieved by running fakeroot debian/rules binary. However this is invoked from the dpkg-buildpackage so you just run fakeroot dpkg-buildpackage.

Debian is great by its developer tools (see packages debhelper, devscripts and related) and it appears you're not using them too(obviously because you build the packages under another operating system). They will save you a lot of time. For example, there are dh_fixperms which will fix permissions and ownership problems for you, dh_install to place files into the correct places, dh_link to create necessary symlinks and other dh_-like scripts. You might want to see how does it work in the real world, so here is a list of software implemented in PHP and packaged in Debian.

Another good tool for you will be git-buildpackage which is a wrapper for debian build tools designed to build packages maintained under Git DVCS.

You might want to look at general information for building with Git on Debian wiki page.

Unfortunately there is no phing in Debian, so you might want to ask someone to package it for Debian (so you would have your full build stack available in Debian) or just cook a Debian chroot with debootstrap and install phing manually in it.

If you're sticking to the Debian packages as a primary deployment mechanism together with some CI system here are some points:

Get the whole build stack into Debian, if possible. This will give you a possibility to build your software in a clean Debian chroot using tools like pbuilder or cowbuilder. Otherwise cook a Debian box for building. You might want to create a virtual machine and give it for other developers.
Organize a restricted Debian repository (creating GPG key for automatic signing for the repository is sufficient to reduce warnings coming from apt) and put the packages there. Add it to the target boxes' /etc/apt/sources.list.d/my-repository.list configuration file. Don't forget to import your key. This will give you information on dependencies you wouldn't have known if you installed the package with just dpkg -i *.deb until the installation phase itself.
You might want to install your sites from packages on some regular basis (like releases/nightly/etc) instead of installing them every build to save time and bandwith. I'm using mostly rsync and some Makefile to update database(idea borrowed from ruby database schema migration).
You might want to run some administrative commands from CI agent without password(for example, reloading webserver configuration when it's updated with sudo invoke-rc.d nginx reload. If so, restrict to run exact commands by modifying /etc/sudoers file respectively.

Best Answer

Related Solutions

Chef best Practices/Questions

Debian – Optimal way to build and deploy a website as a .deb package

Related Topic