24. Create new vhost configuration
● Copy default-site.erb as cvepatch.erb in cookbooks/webserver/templates/default/
● Insert patch lines into template
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
● Upload cookbook and chef-client run
● Any results?
25. Welcome Chef resources
template "#{node['apache']['dir']}/sites-available/default" do
  source 'default-site.erb'
  owner 'root'
  group node['apache']['root_group']
  mode '0644'
  notifies :restart, 'service[apache2]'
end
26. New template resource
in ../cookbooks/webserver/recipes/default.rb
template "#{node['apache']['dir']}/sites-available/cvepatch" do
  owner 'root'
  group node['apache']['root_group']
  mode '0644'
  notifies :restart, 'service[apache2]'
end
Upload cookbook, run chef-client, check results
27. How is the default site enabled?
apache_site 'default' do
  enable node['apache']['default_site_enabled']
end
You can visualize it as a function call...
apache_site('default',true)
… and this is called a “definition”
28. Enable new vhost
in ../cookbooks/webserver/recipes/default.rb
apache_site 'cvepatch' do
  enable true
end
apache_site 'cvepatch'
● Upload cookbook and chef-client run
29. Error? Again?
STDOUT: Action 'configtest' failed.
The Apache error log may have more information.
...fail!
STDERR: Syntax error on line 6 of
/etc/apache2/sites-enabled/cvepatch:
Invalid command 'RewriteEngine', perhaps
misspelled or defined by a module not included in
the server configuration
It seems like we forgot about mod_rewrite...
30. Final recipe
include_recipe "apache2"
include_recipe "apache2::mod_rewrite"
template "#{node['apache']['dir']}/sites-available/cvepatch" do
  owner 'root'
  group node['apache']['root_group']
  mode '0644'
  notifies :restart, 'service[apache2]'
end
apache_site 'cvepatch'
31. Still have to disable default site
ls -la /etc/apache2/sites-enabled/
../cookbooks/attributes/default.rb → false
../roles/node.rb → true
Chef Server GUI → true
How do we finally make it false?
40. Platform specificity
We know that our Ubuntu server is reliable enough and doesn't need logging more verbose than the 'warn' level, while the rest of our servers need 'debug' level logging.
What to do?
We met something similar when we were disabling the default site with attributes...
41. “Smart” templates
<% if node['platform']=='ubuntu' %>
#This is Ubuntu
LogLevel warn
<% else %>
LogLevel debug
<% end %>
44. Many server domains
The problem now is that we would like to use different domains with only one vhost configuration.
So ServerAlias needs to be included several times, with the list of additional domains set as an attribute.
Expected changes:
● attributes/default.rb
● templates/default/ubuntu/cvepatch.erb
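Added example (not from the original slides): one way the ServerAlias loop could look, rendered with Ruby's ERB outside Chef together with the TRACE patch lines and the platform-dependent LogLevel from the other slides. The `node` hash stands in for Chef's node object; the attribute name `node['webserver']['server_aliases']`, the example domains and the hostname check are assumptions.

```ruby
require 'erb'

# Stand-in for Chef's node object (assumption): a Hash holding the attributes
# the template reads. 'webserver' and 'server_aliases' are hypothetical
# names; in the cookbook, attributes/default.rb would carry e.g.
#   default['webserver']['server_aliases'] = %w(www.example.com example.org)
def sample_node(platform, aliases)
  { 'platform' => platform, 'webserver' => { 'server_aliases' => aliases } }
end

# Accept plain DNS names only, so an attribute value can never carry a space
# or newline that would begin another Apache directive in the rendered file.
LABEL = /[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/i
HOSTNAME = /\A(?=.{1,253}\z)#{LABEL}(?:\.#{LABEL})*\z/

# Returns the alias list unchanged, or raises on the first invalid entry.
def checked_aliases(node)
  node['webserver']['server_aliases'].each do |name|
    next if name.is_a?(String) && HOSTNAME.match?(name)
    raise ArgumentError, "not a hostname: #{name.inspect}"
  end
end

# What cvepatch.erb could contain (constructed for this example).
VHOST_TEMPLATE = <<~'ERB_SRC'
  <VirtualHost *:80>
    ServerName example.com
  <% checked_aliases(node).each do |name| -%>
    ServerAlias <%= name %>
  <% end -%>
  <% if node['platform'] == 'ubuntu' -%>
    LogLevel warn
  <% else -%>
    LogLevel debug
  <% end -%>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
  </VirtualHost>
ERB_SRC

# Render with `node` visible to the template, as it is in a Chef template.
def render_vhost(node)
  ERB.new(VHOST_TEMPLATE, trim_mode: '-').result(binding)
end

puts render_vhost(sample_node('ubuntu', %w(www.example.com example.org))) if $PROGRAM_NAME == __FILE__
```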
48. htpasswd
We need these contents to be in
node['apache']['dir']/htpasswd
admin:$apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0
Copy/paste from http://goo.gl/6sEYT5
50. Putting file to server #1
../cookbooks/webserver/recipes/default.rb
file "#{node['apache']['dir']}/htpasswd" do
  owner 'root'
  group node['apache']['root_group']
  mode '0644'
  backup false
  content "admin:$apr1$ejZO6aAi$9zUZFyNxkX7pHOfqnjs8/0"
end
51. Putting file to server #2
● The 'content' attribute is not really scalable – what if we need 2Kb of text inside?
● Let's first comment out the content attribute with #
● Create the file ../cookbooks/webserver/files/default/htpasswd
● and put root (not admin!) and the password hash into it
● Change the resource from 'file' to 'cookbook_file'
52. What to do till the next meeting?
http://dougireton.com/blog/2013/02/16/chef-cookbook-anti-patterns/