Chef
Chef is a configuration management system written predominantly in Ruby, previously Erlang. Chef is built on the idea that configuration should be declarative and describe the desired state of the system, and that the configuration management system should converge systems to this state idempotently.
Concepts
- Nodes are hosts running the Client.
- Environments group related Nodes.
- Resources declare types of things which can be managed and the logic to converge the actual and desired states.
- Recipes declare the desired state of individual Resources.
- Actions describe a declarative state of a Recipe. Recipes will set a default.
- Cookbooks contain sets of related Recipes for easier deployment.
- Roles package up Cookbooks for reuse across projects and organisations.
- Policies are expressed in Policyfiles.
- Attributes are details about Nodes, defined by their state, CLI arguments, Roles, Environments and Policies.
- Methods allow expressing conditionals and modelling changes to the run list.
- Data Bags are data declarations managed with Knife which can be reused in Cookbooks.
Components
- Chef Infra Client is the agent which obtains configuration from the Server and applies it to the host.
- Chef Infra Server is responsible for orchestration across the clients:
- Bookshelf stores Cookbooks.
- Message Queues (RabbitMQ) are used for search index interactions.
- Search Index, using Solr for storage.
- Data Store stores node data (in PostgreSQL).
- Chef Workstation contains tools and utilities to maintain Chef assets and infrastructure:
  - chef-client executes cookbooks.
  - ohai gathers system information.
  - chef manages cookbooks.
  - knife interacts with the server to manage nodes.
  - chef-run generates temporary run lists and executes cookbooks locally.
- Test Kitchen allows integration testing of Chef configuration.
- InSpec adds compliance and auditing capabilities.
- ChefDK (Chef Development Kit) is the legacy product that was replaced with Chef Workstation.
- Chef Manage is a web UI for administration and compliance auditing.
- Hosted Chef hosts Chef Infra Server.
- Habitat provides automation pipelines for use in DevOps environments.
- Automate extends Habitat with collaboration features, collecting audit results and making them visible to compliance.
Installation
On Linux systems, Chef is distributed in a number of packages:
- chef-workstation
Usage
Recipes
Recipes are declared using a Ruby DSL:
apt_repository 'nginx' do
  uri 'http://nginx.org/packages/ubuntu'
  components ['main']
  arch 'amd64'
  # signing key apt uses to verify packages fetched from this repository
  key 'https://nginx.org/keys/nginx_signing.key'
  action :add
end
Recipes are executed in the order in which they're declared.
Cookbooks
Cookbooks follow a conventional directory layout:
my-cookbook/
  attributes/
  recipes/
    default.rb
  files/
  templates/
  metadata.rb
  LICENSE
  README.md
Cookbooks can be found on the Chef Supermarket.
Resources
Custom resources allow extending the Infra Client with additional functionality, reusing existing resource definitions. They're declared in the resources directory of cookbooks.
resource_name :my_resource

# Properties take a Ruby type (String, Integer, Array, ...) and an optional default
property :my_property, String, default: 'my default'

action :do_something do
  # Chef DSL for recipes
end

action :other_thing do
  # More Chef DSL for recipes
end
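To make the converge and idempotency idea from the Concepts list and the resource/action DSL above concrete, here is an added example that is not Chef's own code and does not use the Chef DSL: a plain-Ruby model of a resource whose :create action converges a file's content and mode, runnable without the chef gem. FileResource, converge_twice, the file path and its content are invented for this illustration.

```ruby
# Added example, not Chef's own code: a minimal plain-Ruby model of a Chef
# resource with a :create action, runnable without the chef gem. The
# resource declares the desired state of a file; the action reads the
# actual state and changes only the fields that differ, so a second run
# is a no-op (idempotent convergence). Path and content are constructed.
require 'tmpdir'

class FileResource
  attr_reader :path, :content, :mode

  # Desired state: content plus mode 0600, so a secrets file is not
  # readable by other users on the node.
  def initialize(path, content:, mode: 0o600)
    @path, @content, @mode = path, content, mode
  end

  # Actual state on disk; nil fields when the file does not exist yet.
  def current_state
    return { content: nil, mode: nil } unless File.exist?(path)
    { content: File.read(path), mode: File.stat(path).mode & 0o777 }
  end

  # The :create action. Returns the list of properties it had to fix;
  # an empty list means the resource was already converged.
  def create
    actual = current_state
    changes = []
    if actual[:content] != content
      File.write(path, content)
      changes << :content
    end
    # Re-read the mode: File.write on a new file uses the umask, not 0600.
    if (File.stat(path).mode & 0o777) != mode
      File.chmod(mode, path)
      changes << :mode
    end
    changes
  end
end

# Run the action twice against a fresh directory and report both results.
def converge_twice(dir)
  r = FileResource.new(File.join(dir, 'db_password'), content: "s3cret\n")
  [r.create, r.create]
end
```

The first run returns the properties it changed; the second returns an empty list, which is the behaviour a Chef resource must have for repeated chef-client runs to be safe.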
Methods
- include_recipe(name) includes recipes declared elsewhere, useful for wrapping existing recipes.
- platform_family?(like_family) can be used in conditionals.
Nodes
Nodes are hosts running the Chef Infra Client. Data about them is gathered by ohai and stored in the Infra Server in a dictionary structure. You can inspect this data using Knife and Manage. There are two means of assigning roles to Nodes based on this collected data:
- Roles allow setting the run_list.
- Policies are a newer concept, consolidating Cookbook dependency management into the Chef Infra Server component.
From the above, Chef derives run_lists to execute. Environments allow grouping related nodes and attribute values.
Knife plugins allow communication with platforms directly, facilitating provisioning virtual machines.
knife node list
knife node show my-node
knife node run_list add my-node 'recipe[my-cookbook]'
knife search node 'attribute_glob:value_glob' [-a attribute_filter]
Supermarkets
Supermarkets are repositories of available cookbooks. A public one is hosted by Chef, and the source code is available for hosting privately. Note that hosting privately requires Chef Infra Server for OAuth.
Dependency managers like Berkshelf allow locking dependencies at specific versions.
Test Kitchen
Test Kitchen provides an environment for integration testing configurations, and a framework for performing assertions. It executes tests in a hypervisor or container runtime, using pre-built images assembled with tools like Bento or Packer.
- Drivers provide backends for controlling the compute environment.
- Provisioners describe how the configuration of the machine will be converged with the desired state (chef_zero in this context).
- Verifiers execute the suites against the machine, verifying it's in the expected state. Common verifiers:
  - InSpec (inspec)
  - ServerSpec (serverspec)
The structure of a test workspace is usually overlaid into the existing cookbook directory:
my-cookbook/
  spec/
  test/
    integration/
      default_test.rb
      my-cookbook_test.rb
  kitchen.yml
kitchen.yml provides the driver, provisioner and verifier details, along with a list of suites for execution.
Some common commands:
- kitchen converge executes the provisioner.
- kitchen login gives us SSH or WinRM access.
- kitchen verify audits the machine state.
InSpec profiles
Structure:
my-profile/
  README.md
  controls/
    app.rb
    other_app.rb
  libraries/
    resource.rb
  files/
    someconfig.yml
  inspec.yml