Configuring Chef-Solo-different override_attributes in one role

chefchef-solo

First off, I'm using Chef Solo and I would like things to stay as automated as possible. So I have a problem that I'm not quite sure how to solve. I'm setting up the deployment of a lot of different Linux boxes, and all of them are going to require custom installation nodes/roles.
Example:

/nodes/app_server.json

{
"run_list": [ "role[app_server]" ]
}

/roles/app_server.rb

name 'app_server'
description 'App_Server'
override_attributes({ "apache" => {
                                      "proxypass" => [" /  http://localhost:8080/"]
                                  }
                   })
run_list 'recipe[app_server]'

My issue is that I'm going to be running a script to install chef on all these different boxes, but each one is going to have a different ip in-between http://[xxxxxx]:8080/

I need a way to be able to -via command line- specify those ip's without having to create like a hundred node or role files.

I've looked at an example on their website that shows:

The Web Server Role

description "The base role for systems that serve HTTP traffic"
run_list "recipe[apache2]", "recipe[apache2::mod_ssl]", "role[monitor]"
env_run_lists "prod" => ["recipe[apache2]"], "staging" => ["recipe[apache2::staging]"],"_default" => []
default_attributes "apache2" => { "listen_ports" => [ "80", "443" ] }
override_attributes "apache2" => { "max_children" => "50" }

which seems like it would be useful, but I would like to set different override set's for each env_run_list config and then when I run all the chef commands, be able to target each one that I want.

Am I going about this in the wrong fashion? I've scoured all of the docs for nodes/roles/environments etc and haven't found any solution that requires me to not have to make a dozen different files.

Best Answer

Without access to your app_server recipe, I infer that you are using the node['apache']['proxypass'] attribute to populate a line in an apache config file generated from a template.

My guess is that the relevant line in your template looks something like this:

ProxyPass <%= node['apache']['proxypass'] %>

I think you will have greater success if you use more granular elements to compose that line in your template. If the IP address you wish to proxy requests to will differ in every environment, you can make use of Chef's search facilities to determine the required IP address and pass that IP address to the template as a variable.

The code in your recipe might look something like this:

# this search assumes that the role 'myapp_backend' is in the run list of the backend server you need to discover.
# the search returns an array of node objects, for simplicity we'll just take the first result.
proxypass_backend = search(:node, "roles:myapp_backend AND chef_environment:#{node.chef_environment}").first

template ::File.join(node['apache']['dir'],'sites-available','myapp.conf') do
  variables({
    :proxypass_local_path => '/',
    :proxypass_remote_ip => proxypass_backend['ipaddress'],
    :proxypass_remote_port => '8080',
    :proxypass_remote_path => '/'
  })
  source 'myapp.conf.erb'
end

And the line in your template would look something like this:

ProxyPass <%= @proxypass_local_path %> http://<%= @proxypass_remote_ip %>:<%= proxypass_remote_port %><%= @proxypass_remote_path %>

For the sake of simplicity I've specified static values for the remote port and path, but those could also be set using attribute values that can be overridden at the role or environment level. Because search returns entire node objects, any attribute of a node returned by a search (e.g. the port a service is running on) can be used to populate template variables as well (e.g. proxypass_remote_port).

Related Solutions

Chef best Practices/Questions

Edit This question and answer are years old. The definitive best practices are taught via the Learn Chef Rally self-paced training modules produced by Chef Software, Inc. The bulk of the original answer is below.

In this answer, "Chef" or "chef-client" usually refers to Chef Infra, the product. Opscode renamed to Chef Software, Inc in 2013. In April, 2019, Chef opened the source code for all its products, along with creating consistent brand naming.

Not clear if it's better to setup roles in ruby DSL, JSON, or from the management console? Why are there multiple ways to do the same thing?

2019 Update: Policyfiles are the best workflow to use. Roles are considered an inferior practice, and Chef Software, Inc. recommends migrating to Policyfiles.

There are multiple ways to do the same thing because people have different workflows. You pick the workflow that is best for your environment. Let me explain what the differences are so you can make an informed decision.

The Ruby DSL for Roles exists to make it easier to write roles without knowing the syntax of JSON. It is a simple way to get started with Roles. Once you have made changes, you upload them to the Chef Server with knife.

knife role from file myrole.rb

This converts the role to JSON and stores it on the server. If you have an environment that enforces the Chef Repository where your roles live as the source of truth, this works quite well.

JSON is what the Chef Server stores, so you also edit JSON directly in the management console. It does require more fields than the Ruby DSL in order for Knife to recognize it properly to upload. Those details are hidden to some degree via the web UI.

The disadvantage of using the webui/management console for editing roles is they aren't in your local version control system unless you download them from the server. You can do this with knife:

knife role show myrole -Fj

The -Fj tells knife to "display in JSON format." You can redirect the output to a .json file if you like.

Years ago update: There are additional knife commands for working with the files in the local chef repository. Currently these commands support only JSON format files. A community RFC is open which will address adding support for the Ruby DSL for these plugins. Here's a brief summary of the workflow.

Check content differences between the server and the local file.

knife diff roles/myrole.json

Upload a JSON formatted role file. The roles/ path is required. This gets mapped to the same API endpoint on the server.

knife upload roles/myrole.json

Download the content from the server overwriting the content of the file in the repository.

knife download roles/myrole.json

These commands come from knife-essentials, which is built into the chef client package.

Can you organize cookbooks into subdirectories? eg- we have custom software that I'd like to write a cookbook for and stick that into: chef-repo/cookbooks/ourcompanystuff/customsoftwarecookbook would this be a good practice?

No. Knife has an expectation of where cookbooks should live because it uses an API to upload cookbooks to the Server. This is set in the knife.rb with cookbook_path. In older versions of Chef Infra, you could specify an array of paths for cookbooks, but this is being deprecated because it required more maintenance and was confusing to users.

By convention we name customer specific or site specific cookbooks with the name prefixed in the cookbook diretory. For your example, it would be:

chef-repo/cookbooks/ourcompany_customsoftware

There might be multiple different cookbooks for "ourcompany" depending on what you're doing.

Further reference:

Do I create a cookbook for each type of role that specifies what it does? Do I have these cookbooks include other cookbooks (i.e.- the cookbook for my webserver role includes the apache cookbook). I'm not sure how cookbook inter-dependencies and inheritance are handled.

There is no direct relationship or dependency between roles and cookbooks.

Roles have a run list, which specifies the recipes and other roles that should be applied to any node that has that role. Nodes have a run list that can contain roles or recipes. When Chef runs on the node, it will expand the run list for all the roles and recipes it includes, and then download the cookbooks required. In a node run list:

recipe[apache2]

Chef will download the apache2 cookbook for the node so it can apply this recipe.

You might have a cookbook specific for a role in your infrastructure. More commonly you'll have cookbooks that are for setting up certain types of services like apache2, mysql, redis, haproxy, etc. Then you would put those into appropriate roles. If you have custom application specific things that need to happen to fulfill a role, then you could write this into a custom cookbook (like I referenced above).

Further reference:

Is there anything like puppets external node classifier so nodes automatically determine their roles?

"Yes." The Chef Infra Server does node data storage (in JSON) automatically, and the server also automatically indexes all the node data for search.

Further reference:

It seems like you can configure things with knife or within the management console, or editing JSON files? This is super confusing to me why there are so many ways to do things, it's paralyzing! Is there a reason to use one or the other?

The Chef Infra Server has a RESTful API that sends and receives JSON responses. Knife and the management console are user interfaces for interacting with the API from an administration point of view.

You can use the tool you like better, though the management console doesn't have as many features as Knife. Most people that use Chef Infra prefer the command-line interface for the power and flexibility it provides, even folks who are using Chef Infra on Windows. Further, knife is a plugin based tool that you can create new plugins to interact with the Chef Infra Server, or with other parts of your infrastruture.

Chef Infra is a set of libraries, primitives, and an API. It gives you the flexibility to build the configuration management system that works best for your infrastructure.

Windows – Using Chef Solo to provision a Windows EC2 instance and bootstrap it

Most Windows bootstrap resources are focused on Hosted Chef and using the knife-windows plugin.

However this should be possible with Chef solo.

If you're not building an AMI with chef-client on it then your first step is to get the Full Chef Windows installer on there.

Fortunately, as I recall, winrm is enabled by default on the Windows Amazon AMIs. Take a look here for a potential bootstrap solution : https://stackoverflow.com/a/13284313/2205881

You could bootstrap other stuff at the same time; like Ruby Windows Installer etc. In the same process grab your cookbooks, roles etc and kick off your Chef provisioning.

UPDATE

I've started doing this in a slightly different way, using a --user-data-file when creating the instance. This can be used with the AWS API, command-line-tools or simply pasted into the web interface when Launching the Instance.

I'm using Chocolatey, a package manager, to install chef-client.

<script> @powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" && SET PATH=%PATH%;%systemdrive%\chocolatey\bin cinst chef-client </script>

Basically: <script> tells AWS's user data scripts we've got a batch file to process.
@powershell... (etc) is a command to install Chocolatey from it's docs.
cinst chef-client installs the chef-client package.

None of this requires any user input. User data is executed as a local administrator.

All Amazon AMIs run their user data on first boot (by default) and not on subsequent boots. So this is a very simple way to get chef-client in place without needing to connect to RDP or even obtain your Administrator password.

Best Answer

Related Solutions

Chef best Practices/Questions

Windows – Using Chef Solo to provision a Windows EC2 instance and bootstrap it

Related Topic