A single server Chef deployment for HPE OneView (Playground for testing)
Note: This is unlikely to ever be a supported deployment method and should only be used for training and educating around Chef and HPE OneView.
This is a low-level guide to deploying a server (in this example a virtual machine) that will use CentOS 7.x as its Linux distribution.
As this is a single server, it will combine not only the Chef Server but also the Chef Workstation tools and the HPE OneView Server deployment code.
- HPE OneView 1.2 - 2.x
- ICSP
- CentOS 7.x NetInstall or full DVD
This installation has been done by following the CentOS installation screens and selecting:
[x] Minimal Installation
Then just ensure that users and networking are configured accordingly; if networking requires further configuration, use the nmtui command to configure it. Also ensure that the /etc/hosts file is configured with the IP address, hostname and FQDN for the chef server.
/etc/resolv.conf
search lab.local
nameserver 1.0.0.1
/etc/hostname
chef
/etc/hosts
10.0.0.20 chef chef.lab.local
/etc/sysconfig/network-scripts/ifcfg-enXXXXXX
Be aware that leaving out the /24 after entering an IP address in nmtui can result in the netmask or PREFIX being set wrong.
...
DNS1=1.0.0.1
IPADDR=10.0.0.20
PREFIX=24
GATEWAY=10.0.0.1
...
Any networking changes can be committed with the command: systemctl restart network and then confirmed by examining the output of hostname -a
This will create a chef user that we've creatively called chef, specifying the home directory as /home/chef.
Create the user:
useradd -s /bin/bash -d /home/chef -m chef
Set the password:
passwd chef
Add to sudo file:
visudo
...
...
root ALL=(ALL) ALL
chef ALL=(ALL) ALL
...
This pretty much concludes the basics of having a server configured ready for chef to be deployed upon.
This is a slight deviation from the normal Chef installation, which typically would be to pull it and other packages from the official CentOS repositories or the EPEL repository (Extra Packages for Enterprise Linux). The reason for this is the requirement for a more modern version of Ruby, that is 2.1 or higher.
Install wget (optional, if you're happy with curl) and download chef-server
yum install wget -y
wget https://packagecloud.io/chef/stable/packages/el/7/chef-server-core-12.4.1-1.el7.x86_64.rpm/download
Install and configure Chef
The above command will download the latest release (as of 23/03/16) of the chef-server-core and save it locally in a file called download. This file can then be installed as follows:
rpm -ivh download
Edit the file /etc/opscode/chef-server.rb, with the server_name = line being the most important. It should look something like the following:
server_name = "chef.lab.local"
api_fqdn server_name
bookshelf['vip'] = server_name
nginx['url'] = "https://#{server_name}"
nginx['server_name'] = server_name
nginx['ssl_certificate'] = "/var/opt/opscode/nginx/ca/#{server_name}.crt"
nginx['ssl_certificate_key'] = "/var/opt/opscode/nginx/ca/#{server_name}.key"
Once the configuration has been saved the chef services can be reconfigured and brought up with the following line:
chef-server-ctl reconfigure
This will internally run the chef-solo command with some internal chef cookbooks to handle all of the configuration work for chef-server; this can take a couple of minutes.
Creating a User and Organisation for Chef
This uses the chef-server-ctl user-create command to create a user (modify as needed):
chef-server-ctl user-create user firstname surname user@email.com password
This uses the chef-server-ctl org-create command to create an organisation and add an admin user to it (modify as needed):
chef-server-ctl org-create org "My organisation" -a user
Install Chef Manage Web based UI (usually optional, used in this example)
These three lines will do the additional required steps to download the components, then configure and start the web based Chef management User Interface.
chef-server-ctl install opscode-manage
chef-server-ctl reconfigure
opscode-manage-ctl reconfigure
Apply firewall configuration changes to allow external HTTP/HTTPS access:
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --reload
Test all configuration work
chef-server-ctl test
Install Compilers and other dependencies
Due to a requirement for a version of Ruby that isn't provided by the CentOS repositories, we have to build our own. This unfortunately means that the development tools (compilers, libraries) need to be installed:
yum groupinstall -y 'development tools'
Installation of Ruby Interpreter Management tools
Once the compilers and other dependencies have been installed, the following steps will grab the Ruby interpreter management tools, set the ruby version to 2.2 and install it:
command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -
curl -L get.rvm.io | bash -s stable
source /etc/profile.d/rvm.sh
rvm reload
rvm install 2.2
This can be tested with ruby -v to ensure that ruby is both installed and set to the correct version.
Installation of Chef Workstation tools
Opscode (developer of Chef) provides a single line installer for chef, that will pull an installation script that will automate the installation of the rest of the Chef toolchain.
curl -L https://www.opscode.com/chef/install.sh | bash
Once completed, test the tools are installed correctly with chef-client -v or knife -v.
Installation of HPE OneView Provisioning code
This one line will automate the downloading of not only the HPE OneView Ruby code, but also all of the dependencies that it requires.
gem install 'chef-provisioning-oneview'
Chef workstation and knife tool configuration
Chef have simplified the configuration work required for an end user to have the workstation tools communicate correctly and securely with the server components. In order to grab this configuration a user needs to log into the Chef-Server web UI and download the "Starter Kit", which contains all of the configuration files and certificates to allow a workstation to speak to a chef-server. In our configuration:
- Open Web Browser to http://10.0.0.20
- Authenticate with the Username / Password we created with chef-server-ctl user-create earlier
- Navigate to Administration tab, select our organisation and then select the "Download Starter Kit" option.
This .zip archive needs moving to the server and unzipping. In our example we will be using chef as the chef user, so we will scp our starter kit to the chef user's home directory:
scp starter\ kit.zip chef@10.0.0.20:
Password:
If we unzip this archive in the home directory correctly we should find that a .chef/ directory has been created; in here we will find the file knife.rb and some .pem files. These all contain the configuration details that the knife tool will use to authenticate to the chef-server.
We can test this with the following:
knife ssl fetch
and ...
knife ssl check
...
Connecting to host chef.lab.local:443
Successfully verified certificates from `chef.lab.local'
Chef configuration for HPE OneView and ICSP
The final configuration step for Chef to communicate with HPE OneView and HPE Insight Control Server Provisioning is to modify the /home/chef/.chef/knife.rb file and add the configuration details for the relevant servers:
This should be added under the existing configuration (don't modify existing if possible)
knife[:oneview_url] = 'https://oneview.lab.local'
knife[:oneview_username] = 'Administrator'
knife[:oneview_password] = 'password'
knife[:oneview_ignore_ssl] = true # For self-signed certs
knife[:icsp_url] = 'https://icsp.lab.local'
knife[:icsp_username] = 'Administrator'
knife[:icsp_password] = 'password'
knife[:icsp_ignore_ssl] = true # For self-signed certs
knife[:node_root_password] = 'password123'
# If your Chef server has self-signed certs:
verify_api_cert false
ssl_verify_mode :verify_none
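An added example, not part of the original repository: a small Ruby audit that flags the lines in a knife.rb like the one above that disable TLS verification or assign a password as a quoted literal, and checks whether the file is accessible to other local users. The rule names, function names and sample config are constructed for illustration.

```ruby
# Added example: audit knife.rb text for the settings shown above.
# Rule names, function names and SAMPLE_KNIFE_RB are constructed for illustration.
Finding = Struct.new(:line, :rule, :setting)

# Patterns are anchored at line start, so commented-out settings are ignored.
RULES = {
  tls_verification_disabled: [
    /\A\s*knife\[:(\w+_ignore_ssl)\]\s*=\s*true\b/,
    /\A\s*(ssl_verify_mode)\s+:verify_none\b/,
    /\A\s*(verify_api_cert)\s+false\b/
  ],
  # A quoted literal assigned to any knife[:*password] key.
  plaintext_secret: [
    /\A\s*knife\[:(\w*password)\]\s*=\s*(['"]).+?\2/
  ]
}.freeze

# Returns one Finding per offending line, in file order.
def audit_knife_config(text)
  text.each_line.with_index(1).flat_map do |line, number|
    RULES.flat_map do |rule, patterns|
      patterns.map { |p| p.match(line) }.compact
              .map { |m| Finding.new(number, rule, m[1]) }
    end
  end
end

# True when group or others have any permission bit set on the file.
def exposed_to_other_users?(path)
  (File.stat(path).mode & 0o077) != 0
end

# Constructed sample, modelled on the knife.rb additions above.
SAMPLE_KNIFE_RB = <<~CONFIG
  knife[:oneview_url] = 'https://oneview.lab.local'
  knife[:oneview_password] = 'password'
  knife[:oneview_ignore_ssl] = true # For self-signed certs
  # knife[:icsp_ignore_ssl] = true
  knife[:icsp_password] = ENV['ICSP_PASSWORD']
  verify_api_cert false
  ssl_verify_mode :verify_none
CONFIG

if __FILE__ == $PROGRAM_NAME
  audit_knife_config(SAMPLE_KNIFE_RB).each do |f|
    puts "line #{f.line}: #{f.rule} (#{f.setting})"
  end
end
```

The `knife ssl check` output earlier on this page shows the Chef server certificate verifying after `knife ssl fetch`, so the `verify_api_cert` and `ssl_verify_mode` findings are avoidable for the Chef server connection. Because knife.rb is Ruby, a password can be read from `ENV` instead of being written as a literal, which the audit does not flag.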
TODO