DevOps

Continuous infrastructure deployment

Chef

  • Chef is a configuration management tool written in Ruby. It uses a pure-Ruby domain-specific language (DSL) to describe operating-system configuration as "recipes" and "cookbooks".
  • It integrates with Bitbucket.

Automate

  • Chef Automate provides a full suite of enterprise features for managing the workflow from code (infrastructure as code) to deployment (on premises, Amazon, Azure, Google…), along with visibility and compliance.

Compliance

  • Chef Compliance is a solution for assessing the infrastructure's adherence to compliance requirements and monitoring that infrastructure continuously.

Private Supermarket

  • Chef Supermarket is the community cookbook site; it provides a cookbook repository. The private version described here helps formalise internal cookbook release processes (for example, "a cookbook is not released until it has been published on the private Chef Supermarket").

Installation

Specifications

Hosts : dolb01.devops.local        (172.16.71.253)
        dosi02.devops.local        (172.16.71.71)
        dosi03.devops.local        (172.16.71.72)
        dosi04.devops.local        (172.16.71.73)
        dosi05.devops.local        (172.16.71.74)
        dosi06.devops.local        (172.16.71.75)
        dosi07.devops.local        (172.16.71.76)
        dosi08.devops.local        (172.16.71.77)
        dosi09.devops.local        (172.16.71.78)
        dosi10.devops.local        (172.16.71.79)
Alias : chef.devops.local          (-> dosi02 & dosi03)
OS :    Ubuntu Server 16.04.3 LTS
CPU :   x2
RAM :   4GB
HD :    80 GB (thin provisioning)

Adding the servers to the domain

  • Add the account gregory.tabourin to the following groups

Domain local group: “DOLB01_Administrators” (load balancer for Chef Server FE1 and FE2)
Domain local group: “DOSI02_Administrators” (Chef Server frontend 1 / Push Jobs server)
Domain local group: “DOSI03_Administrators” (Chef Server frontend 2 / Push Jobs server)
Domain local group: “DOSI04_Administrators” (Chef Server backend 1)
Domain local group: “DOSI05_Administrators” (Chef Server backend 2)
Domain local group: “DOSI06_Administrators” (Chef Server backend 3)
Domain local group: “DOSI07_Administrators” (Chef Automate)
Domain local group: “DOSI08_Administrators” (Chef Compliance)
Domain local group: “DOSI09_Administrators” (Chef Supermarket)
Domain local group: “DOSI10_Administrators” (Chef Runner)
Domain local group: “Chef_Users”

  • The rest of the procedure is identical to adding server DOSI01 to the domain.

Installing the backend servers

DOSI04, DOSI05 and DOSI06

  • Install the packages

sudo curl -L https://omnitruck.chef.io/install.sh | sudo bash -s -- -P chef-backend

DOSI04 (Master)

  • Edit the configuration file

sudo nano /etc/chef-backend/chef-backend.rb


   publish_address '172.16.71.73'

  • Create the cluster

sudo chef-backend-ctl create-cluster

  • Copy the contents of the configuration file for servers DOSI05 and DOSI06

sudo cat /etc/chef-backend/chef-backend-secrets.json

DOSI05 and DOSI06

  • Paste the contents of the configuration file

sudo nano /home/administrator/chef-backend-secrets.json

  • Join the cluster

sudo chef-backend-ctl join-cluster 172.16.71.73 -s /home/administrator/chef-backend-secrets.json

  • Choose option 1 for the IP address

Choose the IP Address for this node : 1

  • Check the service status

sudo chef-backend-ctl status

Installing the frontend servers

DOSI02 and DOSI03

sudo curl -L https://omnitruck.chef.io/install.sh | sudo bash -s -- -P chef-server

DOSI04

  • Generate the configuration files for servers DOSI02 and DOSI03

sudo chef-backend-ctl gen-server-config dosi02.devops.local -f chef-server.rb.FE1
sudo chef-backend-ctl gen-server-config dosi03.devops.local -f chef-server.rb.FE2

DOSI02 and DOSI03

  • Copy the contents of the configuration files

sudo nano /etc/opscode/chef-server.rb

DOSI02

  • Add the following lines to the configuration file

sudo nano /etc/opscode/chef-server.rb

   nginx['ssl_certificate'] = "/etc/ssl/devops.local/dosi02.crt"
   nginx['ssl_certificate_key'] = "/etc/ssl/devops.local/dosi02.key"

  • Create the SSL certificate request file

sudo mkdir /etc/ssl/devops.local/
sudo nano /etc/ssl/devops.local/dosi02.cnf

   [ req ]
   default_bits = 2048
   default_md = sha256
   encrypt_key = no
   prompt = no
   distinguished_name = dn
   req_extensions = req_ext

   [ dn ]
   CN = dosi02.devops.local
   C = CH
   L = Geneva
   ST = Geneva
   O = DevOps
   OU = Ops

   [ req_ext ]
   subjectAltName = DNS:dosi02.devops.local

sudo openssl genrsa -out /etc/ssl/devops.local/dosi02.key 2048
sudo openssl req -new -config /etc/ssl/devops.local/dosi02.cnf -key /etc/ssl/devops.local/dosi02.key -out /etc/ssl/devops.local/dosi02.csr

  • Generate the certificate on DOCA01 (http://doca01.devops.local/Certsrv)

sudo cat /etc/ssl/devops.local/dosi02.csr

  • Paste the certificate contents and append the ca.devops.local certificate

sudo nano /etc/ssl/devops.local/dosi02.crt

  • Reconfigure the server

sudo chef-server-ctl reconfigure

  • Install the management interface

sudo chef-server-ctl install chef-manage
sudo chef-server-ctl reconfigure
sudo chef-manage-ctl reconfigure

  • Check the service status

sudo chef-backend-ctl status

DOSI03

  • Repeat the DOSI02 procedure above, adapting the server name.

Installing the load balancer

DOLB01

  • Install HAProxy

sudo apt-get -y install haproxy

  • Check the version

haproxy -v

  • Paste the root CA certificate

sudo nano /usr/local/share/ca-certificates/ca.devops.local.crt

  • Import the certificate

sudo update-ca-certificates

  • Generate a certificate, as for DOSI02

mkdir /etc/ssl/devops.local/

sudo nano /etc/ssl/devops.local/chef.cnf


[...]


sudo nano /etc/ssl/devops.local/chef.crt

sudo cat /etc/ssl/devops.local/chef.crt /etc/ssl/devops.local/chef.key \
| sudo tee /etc/ssl/devops.local/chef.pem
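The CSR generation shown for DOSI02 and the certificate/key bundling done here for DOLB01, as one reusable script. This is an added example, not part of the original runbook: the function names gen_csr, csr_san and bundle_pem are mine, the target directory is a parameter instead of the fixed /etc/ssl/devops.local/, and the openssl CLI is assumed to be installed. bundle_pem refuses to write the PEM when the pasted certificate does not belong to the local key, which is the mistake the copy-and-paste step most easily produces.

```shell
#!/bin/sh
# Added example (not from the original runbook). Reproduces the DOSI02
# request config, key and CSR for any FQDN, prints the SAN for a pre-flight
# check, and bundles cert+key for HAProxy only if they actually match.
# Assumes the openssl CLI is available.

# gen_csr FQDN DIR -> writes DIR/<host>.cnf, DIR/<host>.key, DIR/<host>.csr
gen_csr() {
  fqdn=$1
  dir=$2
  host=${fqdn%%.*}            # dosi02.devops.local -> dosi02
  mkdir -p "$dir"
  # Same request config as the DOSI02 step, with the FQDN substituted.
  cat > "$dir/$host.cnf" <<EOF
[ req ]
default_bits = 2048
default_md = sha256
encrypt_key = no
prompt = no
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = $fqdn
C = CH
L = Geneva
ST = Geneva
O = DevOps
OU = Ops

[ req_ext ]
subjectAltName = DNS:$fqdn
EOF
  # Restrictive umask so the private key never exists world-readable on disk.
  (umask 077 && openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null)
  openssl req -new -config "$dir/$host.cnf" -key "$dir/$host.key" -out "$dir/$host.csr"
}

# csr_san FILE -> prints the subjectAltName of a CSR (e.g. DNS:dosi02.devops.local),
# to be checked before the CSR text is pasted into the CA enrolment page.
csr_san() {
  openssl req -noout -text -in "$1" |
    awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}

# bundle_pem CRT KEY OUT -> writes the cert+key file HAProxy expects, but only
# after verifying that the certificate's public key matches the private key.
bundle_pem() {
  crt=$1
  key=$2
  out=$3
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ "$crt_pub" != "$key_pub" ]; then
    echo "bundle_pem: $crt does not match $key, refusing to write $out" >&2
    return 1
  fi
  # The bundle contains the private key, so keep it owner-only as well.
  (umask 077 && cat "$crt" "$key" > "$out")
}
```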

  • Add to the configuration file

sudo nano /etc/haproxy/haproxy.cfg

option forwardfor
option http-server-close
stats enable
stats uri /stats
stats realm Haproxy\ Statistics
stats auth user:password

frontend localhost_http
   bind 172.16.71.253:80
   mode http
   reqadd X-Forwarded-Proto:\ http
   default_backend nodes

frontend localhost_https
   bind 172.16.71.253:443 ssl crt /etc/ssl/devops.local/chef.pem
   mode http
   reqadd X-Forwarded-Proto:\ https
   default_backend nodes

backend nodes
   http-request redirect scheme https code 301 if !{ ssl_fc }
   balance leastconn
   stick-table type ip size 200k expire 30m
   stick on src
   default-server inter 10s fall 2
   server dosi02 172.16.71.71:443 check ssl verify none id 1
   server dosi03 172.16.71.72:443 check ssl verify none id 2

  • Restart the service

sudo service haproxy restart

Installing the Push Jobs service

DOSI02 and DOSI03

  • Install and configure

wget https://packages.chef.io/files/stable/opscode-push-jobs-server/2.2.6/ubuntu/16.04/opscode-push-jobs-server_2.2.6-1_amd64.deb

sudo chef-server-ctl install opscode-push-jobs-server --path /home/DEVOPS.LOCAL/gregory.tabourin/opscode-push-jobs-server_2.2.6-1_amd64.deb
sudo opscode-push-jobs-server-ctl reconfigure
sudo chef-server-ctl reconfigure

Installing the Compliance server

DOSI08

  • Download

wget https://packages.chef.io/files/stable/chef-compliance/1.11.6/ubuntu/16.04/chef-compliance_1.11.6-1_amd64.deb

  • Generate a certificate, as for DOSI02

mkdir /etc/ssl/devops.local/

sudo nano /etc/ssl/devops.local/dosi08.cnf


[...]


sudo nano /etc/ssl/devops.local/dosi08.crt

  • Install

sudo dpkg -i /home/DEVOPS.LOCAL/gregory.tabourin/chef-compliance_1.11.6-1_amd64.deb
sudo chef-compliance-ctl reconfigure --accept-license

  • Configure

sudo nano /etc/chef-compliance/chef-compliance.rb

   ssl['certificate'] = "/etc/ssl/devops.local/dosi08.crt"
   ssl['certificate_key'] = "/etc/ssl/devops.local/dosi08.key"

sudo chef-compliance-ctl reconfigure

  • Browse to https://dosi08.devops.local/#/setup, complete the tutorial, create an administrator account and finish.

  • Integrate Chef Compliance with Chef Server

sudo -i
chef-compliance-ctl connect chef-server

   Please confirm or provide values for:
   * Chef Server (OCID) APP-ID for Compliance [compliance_server]:
   * Name for Chef Server Authentication in Chef Compliance [Chef Server]:
   * Allow Self-signed SSL certificates [false]: true
   * Compliance Server URL [https://dosi08]: https://dosi08.devops.local

   Reusing existing shared secret for chef-gate...
   Please reconfigure Chef Compliance by running this command:
   chef-compliance-ctl reconfigure

   Please run the command delimited by --- on the Chef Server node as administrator:
---
   CHEF_APP_ID="compliance_server" AUTH_ID="Chef Server" COMPLIANCE_URL="https://dosi08.devops.local" INSECURE_SSL="true" CHEF_GATE_COMPLIANCE_SECRET="xxx" CHEF_GATE_OIDC_CLIENT_ID="xxx=@dosi08.devops.local" bash <( curl -k https://dosi08.devops.local/static/chef-gate.sh )
---

   chef-compliance-ctl reconfigure
   chef-compliance-ctl restart core

DOSI02 and DOSI03

  • Import the configuration

CHEF_APP_ID="compliance_server" AUTH_ID="Chef Server" COMPLIANCE_URL="https://dosi08.devops.local" INSECURE_SSL="true" CHEF_GATE_COMPLIANCE_SECRET="xxx" CHEF_GATE_OIDC_CLIENT_ID="xxx=@dosi08.devops.local" bash <( curl -k https://dosi08.devops.local/static/chef-gate.sh )

  • Copy the command line printed by the script

DOSI08

  • Paste the command line and reconfigure

chef-compliance-ctl auth add --client-id "xxx" --client-secret "xxx" --id "Chef Server" --type ocid --chef-url https://chef.devops.local --insecure true

chef-compliance-ctl reconfigure

Installing the Supermarket server

DOSI02 and DOSI03

  • Configure

sudo nano /etc/opscode/chef-server.rb

   oc_id['applications'] ||= {}
   oc_id['applications']['supermarket'] = {
     'redirect_uri' => 'https://dosi09.devops.local/auth/chef_oauth2/callback'
   }

sudo chef-server-ctl reconfigure

  • Retrieve the configuration for Chef Supermarket

sudo chef-server-ctl oc-id-show-app supermarket

   {
     "name": "supermarket",
     "uid": "xxx",
     "secret": "xxx",
     "redirect_uri": "https://dosi09.devops.local/auth/chef_oauth2/callback"
   }

DOSI09

  • Download

wget https://packages.chef.io/files/stable/supermarket/3.1.34/ubuntu/16.04/supermarket_3.1.34-1_amd64.deb

  • Generate a certificate, as for DOSI02

mkdir /etc/ssl/devops.local/

sudo nano /etc/ssl/devops.local/dosi09.cnf


[...]


sudo nano /etc/ssl/devops.local/dosi09.crt

  • Copy the certificate to dosi07

sudo nano /etc/delivery/supermarket.crt/

  • Install

sudo dpkg -i /home/DEVOPS.LOCAL/gregory.tabourin/supermarket_3.1.34-1_amd64.deb

  • Configure

sudo supermarket-ctl reconfigure
sudo nano /etc/supermarket/supermarket.rb

# Supermarket configuration
#
# Attributes here will be applied to configure the application and the services
# it uses.
#
# Most of the attributes in this file are things you will not need to ever
# touch, but they are here in case you need them.
#
# A `supermarket-ctl reconfigure` should pick up any changes made here.
#
# If /etc/supermarket/supermarket.json exists, its attributes will be loaded
# after these, so if you have that file with the contents:
#
# { "redis": { "enable": false } }
#
# for example, it will set the node['supermarket']['redis'] attribute to false.
#
# ## Common Use Cases
#
# These are examples of things you may want to do, depending on how you set up
# the application to run.
#
# ### Chef Identity
#
# You will have to set this up in order to log into Supermarket and upload
# cookbooks with your Chef server keys.
#
# See the "Chef OAuth2 Settings" section below
#
# ### Using an external Postgres database
#
# Disable the provided Postgres instance and connect to your own:
#
# default['supermarket']['postgresql']['enable'] = false
# default['supermarket']['database']['user'] = 'my_db_user_name'
# default['supermarket']['database']['name'] = 'my_db_name'
# default['supermarket']['database']['host'] = 'my.db.server.address'
# default['supermarket']['database']['port'] = 5432
#
# ### Using an external Redis server
#
# Disable the provided Redis server and use one reachable on your network:
#
# default['supermarket']['redis']['enable'] = false
# default['supermarket']['redis_url'] = 'redis://my.redis.host:6379/0/mydbname'
#
# ### Bring your own SSL certificate
#
# If a key and certificate are not provided, a self-signed certificate will be
# generated. To use your own, provide the paths to them and ensure SSL is
# enabled in Nginx:
#
default['supermarket']['nginx']['force_ssl'] = true
default['supermarket']['ssl']['certificate'] = '/etc/ssl/devops.local/dosi09.crt'
default['supermarket']['ssl']['certificate_key'] = '/etc/ssl/devops.local/dosi09.key'
#
# ## Top-level attributes
#
# These are used by the other items below. More app-specific top-level
# attributes are further down in this file.
#
# The fully qualified domain name. Will use the node's fqdn if nothing is
# specified.
# default['supermarket']['fqdn'] = (node['fqdn'] || node['hostname']).downcase
#
# The URL for the Chef server. Used with the "Chef OAuth2 Settings" and
# "Chef URL Settings" below. If this is not set, authentication and some of the
# links in the application will not work.
# default['supermarket']['chef_server_url'] = nil
#
# default['supermarket']['config_directory'] = '/etc/supermarket'
# default['supermarket']['install_directory'] = '/opt/supermarket'
# default['supermarket']['app_directory'] = "#{node['supermarket']['install_directory']}/embedded/service/supermarket"
# default['supermarket']['log_directory'] = '/var/log/supermarket'
# default['supermarket']['var_directory'] = '/var/opt/supermarket'
# default['supermarket']['data_directory'] = '/var/opt/supermarket/data'
# default['supermarket']['user'] = 'supermarket'
# default['supermarket']['group'] = 'supermarket'
#
# ## Enterprise
#
# The "enterprise" cookbook provides recipes and resources we can use for this
# app.
#
#default['enterprise']['name'] = 'supermarket'
#
# Enterprise uses install_path internally, but we use install_directory because
# it's more consistent. Alias it here so both work.
# default['supermarket']['install_path'] = node['supermarket']['install_directory']
#
# An identifier used in /etc/inittab (default is 'SV'). Needs to be a unique
# (for the file) sequence of 1-4 characters.
# default['supermarket']['sysvinit_id'] = 'SUP'
#
# ## Nginx
#
# These attributes control Supermarket-specific portions of the Nginx
# Configuration and the virtual host for the Supermarket Rails app.
# default['supermarket']['nginx']['enable'] = true
# default['supermarket']['nginx']['force_ssl'] = true
# default['supermarket']['nginx']['non_ssl_port'] = 80
# default['supermarket']['nginx']['ssl_port'] = 443
# default['supermarket']['nginx']['directory'] = "#{node['supermarket']['var_directory']}/nginx/etc"
# default['supermarket']['nginx']['log_directory'] = "#{node['supermarket']['log_directory']}/nginx"
# default['supermarket']['nginx']['log_rotation']['file_maxbytes'] = 104857600
# default['supermarket']['nginx']['log_rotation']['num_to_keep'] = 10
# default['supermarket']['nginx']['log_x_forwarded_for'] = false
#
# Redirect to the FQDN
# default['supermarket']['nginx']['redirect_to_canonical'] = true
#
# Controls nginx caching, used to cache some endpoints
# default['supermarket']['nginx']['cache']['enable'] = false
# default['supermarket']['nginx']['cache']['directory'] = "#{node['supermarket']['var_directory']}/nginx//cache"
#
# These attributes control the main nginx.conf, including the events and http
# contexts.
#
#
# These will be copied to the top-level nginx namespace and used in a
# template from the community nginx cookbook
# (https://github.com/miketheman/nginx/blob/master/templates/default/nginx.conf.erb)
# default['supermarket']['nginx']['user'] = node['supermarket']['user']
# default['supermarket']['nginx']['group'] = node['supermarket']['group']
# default['supermarket']['nginx']['dir'] = node['supermarket']['nginx']['directory']
# default['supermarket']['nginx']['log_dir'] = node['supermarket']['nginx']['log_directory']
# default['supermarket']['nginx']['pid'] = "#{node['supermarket']['nginx']['directory']}/nginx.pid"
# default['supermarket']['nginx']['daemon_disable'] = true
# default['supermarket']['nginx']['gzip'] = 'on'
# default['supermarket']['nginx']['gzip_static'] = 'off'
# default['supermarket']['nginx']['gzip_http_version'] = '1.0'
# default['supermarket']['nginx']['gzip_comp_level'] = '2'
# default['supermarket']['nginx']['gzip_proxied'] = 'any'
# default['supermarket']['nginx']['gzip_vary'] = 'off'
# default['supermarket']['nginx']['gzip_buffers'] = nil
# default['supermarket']['nginx']['gzip_types'] = %w[
# text/plain
# text/css
# application/x-javascript
# text/xml
# application/xml
# application/rss+xml
# application/atom+xml
# text/javascript
# application/javascript
# application/json
# ]
# default['supermarket']['nginx']['gzip_min_length'] = 1000
# default['supermarket']['nginx']['gzip_disable'] = 'MSIE [1-6]\.'
# default['supermarket']['nginx']['keepalive'] = 'on'
# default['supermarket']['nginx']['keepalive_timeout'] = 65
# default['supermarket']['nginx']['worker_processes'] = node['cpu'] && node['cpu']['total'] ? node['cpu']['total'] : 1
# default['supermarket']['nginx']['worker_connections'] = 1024
# default['supermarket']['nginx']['worker_rlimit_nofile'] = nil
# default['supermarket']['nginx']['multi_accept'] = false
# default['supermarket']['nginx']['event'] = nil
# default['supermarket']['nginx']['server_tokens'] = nil
# default['supermarket']['nginx']['server_names_hash_bucket_size'] = 64
# default['supermarket']['nginx']['sendfile'] = 'on'
# default['supermarket']['nginx']['access_log_options'] = nil
# default['supermarket']['nginx']['error_log_options'] = nil
# default['supermarket']['nginx']['disable_access_log'] = false
# default['supermarket']['nginx']['default_site_enabled'] = false
# default['supermarket']['nginx']['types_hash_max_size'] = 2048
# default['supermarket']['nginx']['types_hash_bucket_size'] = 64
# default['supermarket']['nginx']['proxy_read_timeout'] = nil
# default['supermarket']['nginx']['client_body_buffer_size'] = nil
# default['supermarket']['nginx']['client_max_body_size'] = '250m'
# default['supermarket']['nginx']['default']['modules'] = []
#
# ## Postgres
#
# default['supermarket']['postgresql']['enable'] = true
# default['supermarket']['postgresql']['username'] = node['supermarket']['user']
# default['supermarket']['postgresql']['data_directory'] = "#{node['supermarket']['var_directory']}/postgresql/9.3/data"
#
# ### Logs
# default['supermarket']['postgresql']['log_directory'] = "#{node['supermarket']['log_directory']}/postgresql"
# default['supermarket']['postgresql']['log_rotation']['file_maxbytes'] = 104857600
# default['supermarket']['postgresql']['log_rotation']['num_to_keep'] = 10
#
# ### DB settings
# default['supermarket']['postgresql']['checkpoint_completion_target'] = 0.5
# default['supermarket']['postgresql']['checkpoint_segments'] = 3
# default['supermarket']['postgresql']['checkpoint_timeout'] = '5min'
# default['supermarket']['postgresql']['checkpoint_warning'] = '30s'
# default['supermarket']['postgresql']['effective_cache_size'] = '128MB'
# default['supermarket']['postgresql']['listen_address'] = '127.0.0.1'
# default['supermarket']['postgresql']['max_connections'] = 350
# default['supermarket']['postgresql']['md5_auth_cidr_addresses'] = ['127.0.0.1/32', '::1/128']
# default['supermarket']['postgresql']['port'] = 15432
# default['supermarket']['postgresql']['shared_buffers'] = "#{(node['memory']['total'].to_i / 4) / (1024)}MB"
# default['supermarket']['postgresql']['shmmax'] = 17179869184
# default['supermarket']['postgresql']['shmall'] = 4194304
# default['supermarket']['postgresql']['work_mem'] = "8MB"
#
# ## Rails
#
# The Rails app for Supermarket
# default['supermarket']['rails']['enable'] = true
# default['supermarket']['rails']['port'] = 13000
# default['supermarket']['rails']['log_directory'] = "#{node['supermarket']['log_directory']}/rails"
# default['supermarket']['rails']['log_rotation']['file_maxbytes'] = 104857600
# default['supermarket']['rails']['log_rotation']['num_to_keep'] = 10
#
# ## Redis
#
# default['supermarket']['redis']['enable'] = true
# default['supermarket']['redis']['bind'] = '127.0.0.1'
# default['supermarket']['redis']['directory'] = "#{node['supermarket']['var_directory']}/redis"
# default['supermarket']['redis']['log_directory'] = "#{node['supermarket']['log_directory']}/redis"
# default['supermarket']['redis']['log_rotation']['file_maxbytes'] = 104857600
# default['supermarket']['redis']['log_rotation']['num_to_keep'] = 10
# default['supermarket']['redis']['port'] = 16379
#
# ## Runit
#
# This is missing from the enterprise cookbook
# see (https://github.com/chef-cookbooks/enterprise-chef-common/pull/17)
#
# Will be copied to the root node.runit namespace.
# default['supermarket']['runit']['svlogd_bin'] = "#{node['supermarket']['install_directory']}/embedded/bin/svlogd"
#
# ## Sidekiq
#
# Used for background jobs
#
# default['supermarket']['sidekiq']['enable'] = true
# default['supermarket']['sidekiq']['concurrency'] = 25
# default['supermarket']['sidekiq']['log_directory'] = "#{node['supermarket']['log_directory']}/sidekiq"
# default['supermarket']['sidekiq']['log_rotation']['file_maxbytes'] = 104857600
# default['supermarket']['sidekiq']['log_rotation']['num_to_keep'] = 10
# default['supermarket']['sidekiq']['timeout'] = 30
#
# ## SSL
#
# default['supermarket']['ssl']['directory'] = '/var/opt/supermarket/ssl'
#
# Paths to the SSL certificate and key files. If these are not provided we will
# attempt to generate a self-signed certificate and use that instead.
# default['supermarket']['ssl']['enabled'] = true
# default['supermarket']['ssl']['certificate'] = nil
# default['supermarket']['ssl']['certificate_key'] = nil
# default['supermarket']['ssl']['ssl_dhparam'] = nil
#
# These are used in creating a self-signed cert if you haven't brought your own.
# default['supermarket']['ssl']['country_name'] = "US"
# default['supermarket']['ssl']['state_name'] = "WA"
# default['supermarket']['ssl']['locality_name'] = "Seattle"
# default['supermarket']['ssl']['company_name'] = "My Supermarket"
# default['supermarket']['ssl']['organizational_unit_name'] = "Operations"
# default['supermarket']['ssl']['email_address'] = "you@example.com"
#
# ### Cipher settings
#
# Based off of the Mozilla recommended cipher suite
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Ciphersuite
#
# SSLV3 was removed because of the poodle attack. (https://www.openssl.org/~bodo/ssl-poodle.pdf)
#
# If your infrastructure still has requirements for the vulnerable/venerable SSLV3, you can add
# "SSLv3" to the below line.
# default['supermarket']['ssl']['ciphers'] = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-$
# default['supermarket']['ssl']['protocols'] = 'TLSv1 TLSv1.1 TLSv1.2'
# default['supermarket']['ssl']['session_cache'] = 'shared:SSL:4m'
# default['supermarket']['ssl']['session_timeout'] = '5m'
#
# ## Unicorn
#
# Settings for main Rails app Unicorn application server. These attributes are
# used with the template from the community Unicorn cookbook:
# https://github.com/chef-cookbooks/unicorn/blob/master/templates/default/unicorn.rb.erb
#
# Full explanation of all options can be found at
# http://unicorn.bogomips.org/Unicorn/Configurator.html
#
# default['supermarket']['unicorn']['name'] = 'supermarket'
# default['supermarket']['unicorn']['copy_on_write'] = true
# default['supermarket']['unicorn']['enable_stats'] = false
# default['supermarket']['unicorn']['forked_user'] = node['supermarket']['user']
# default['supermarket']['unicorn']['forked_group'] = node['supermarket']['group']
# default['supermarket']['unicorn']['listen'] = ["127.0.0.1:#{node['supermarket']['rails']['port']}"]
# default['supermarket']['unicorn']['pid'] = "#{node['supermarket']['var_directory']}/rails/run/unicorn.pid"
# default['supermarket']['unicorn']['preload_app'] = true
# default['supermarket']['unicorn']['worker_timeout'] = 15
# default['supermarket']['unicorn']['worker_processes'] = node['cpu'] && node['cpu']['total'] ? node['cpu']['total'] : 1
#
# These are not used, but you can set them if needed
# default['supermarket']['unicorn']['before_exec'] = nil
# default['supermarket']['unicorn']['stderr_path'] = nil
# default['supermarket']['unicorn']['stdout_path'] = nil
# default['supermarket']['unicorn']['unicorn_command_line'] = nil
# default['supermarket']['unicorn']['working_directory'] = nil
#
# These are defined in a recipe to be specific things we need that you
# could change here, but probably should not.
# default['supermarket']['unicorn']['before_fork'] = nil
# default['supermarket']['unicorn']['after_fork'] = nil
#
# ## Database
#
# default['supermarket']['database']['user'] = node['supermarket']['postgresql']['username']
# default['supermarket']['database']['name'] = 'supermarket'
# default['supermarket']['database']['host'] = node['supermarket']['postgresql']['listen_address']
# default['supermarket']['database']['port'] = node['supermarket']['postgresql']['port']
# default['supermarket']['database']['pool'] = node['supermarket']['sidekiq']['concurrency']
# default['supermarket']['database']['extensions'] = { 'plpgsql' => true, 'pg_trgm' => 'true' }
#
# ## App-specific top-level attributes
#
# These are used by Rails and Sidekiq. Most will be exported directly to
# environment variables to be used by the app.
#
# Items that are set to nil here and also set in the development environment
# configuration (https://github.com/chef/supermarket/blob/master/.env) will
# use the value from the development environment. Set them to something other
# than nil to change them.
#
# default['supermarket']['fieri_url'] = 'http://localhost:13000/fieri/jobs'
# default['supermarket']['fieri_supermarket_endpoint'] = 'https://localhost:13000'
# default['supermarket']['fieri_key'] = nil
# default['supermarket']['from_email'] = nil
# default['supermarket']['github_access_token'] = nil
# default['supermarket']['github_key'] = nil
# default['supermarket']['github_secret'] = nil
# default['supermarket']['google_analytics_id'] = nil
# default['supermarket']['newrelic_agent_enabled'] = 'false'
# default['supermarket']['newrelic_app_name'] = nil
# default['supermarket']['newrelic_license_key'] = nil
# default['supermarket']['datadog_tracer_enabled'] = 'false'
# default['supermarket']['datadog_app_name'] = nil
# default['supermarket']['port'] = node['supermarket']['nginx']['force_ssl'] ? node['supermarket']['nginx']['ssl_port'] : node['supermarket']['non_ssl_port']
# default['supermarket']['protocol'] = node['supermarket']['nginx']['force_ssl'] ? 'https' : 'http'
# default['supermarket']['pubsubhubbub_callback_url'] = nil
# default['supermarket']['pubsubhubbub_secret'] = nil
# default['supermarket']['redis_url'] = 'redis://127.0.0.1:16379/0/supermarket'
# default['supermarket']['redis_jobq_url'] = nil
# default['supermarket']['sentry_url'] = nil
# default['supermarket']['api_item_limit'] = 100
#
# ### Chef URL Settings
#
# URLs for various links used within Supermarket
# default['supermarket']['chef_identity_url'] = "#{node['supermarket']['chef_server_url']}/id"
# default['supermarket']['chef_manage_url'] = node['supermarket']['chef_server_url']
# default['supermarket']['chef_profile_url'] = node['supermarket']['chef_server_url']
# default['supermarket']['chef_sign_up_url'] = "#{node['supermarket']['chef_server_url']}/signup?ref=community"
#
# URLs for Chef Software, Inc. sites. Most of these have defaults set in
# Supermarket already, but you can customize them here to your liking
# default['supermarket']['chef_domain'] = 'chef.io'
# default['supermarket']['chef_blog_url'] = "https://www.#{node['supermarket']['chef_domain']}/blog"
# default['supermarket']['chef_docs_url'] = "https://docs.#{node['supermarket']['chef_domain']}"
# default['supermarket']['chef_downloads_url'] = "https://downloads.#{node['supermarket']['chef_domain']}"
# default['supermarket']['chef_www_url'] = "https://www.#{node['supermarket']['chef_domain']}"
# default['supermarket']['learn_chef_url'] = "https://learn.#{node['supermarket']['chef_domain']}"
#
# ### Chef OAuth2 Settings
#
# These settings configure the service to talk to a Chef identity service.
#
# An Application must be created on the Chef server's identity service to do
# this. With the following in /etc/opscode/chef-server.rb:
#
# oc_id['applications'] = { 'my_supermarket' => { 'redirect_uri' => 'https://my.supermarket.server.fqdn/auth/chef_oauth2/callback' } }
#
# Run `chef-server-ctl reconfigure`, then these values should be available in
# /etc/opscode/oc-id-applications/my_supermarket.json.
#
# The chef_oauth2_url should be the root URL of your Chef server.
#
# If you are using a self-signed certificate on your Chef server without a
# properly configured certificate authority, chef_oauth2_verify_ssl must be
# false.
default['supermarket']['chef_oauth2_app_id'] = 'xxx'
default['supermarket']['chef_oauth2_secret'] = 'xxx'
default['supermarket']['chef_oauth2_url'] = 'https://chef.devops.local'
default['supermarket']['chef_oauth2_verify_ssl'] = false
#
# ### CLA Settings
#
# These are used for the Contributor License Agreement features. You only need
# them if the cla and/or join_ccla features are enabled (see "Features" below.)
# default['supermarket']['ccla_version'] = nil
# default['supermarket']['cla_signature_notification_email'] = nil
# default['supermarket']['cla_report_email'] = nil
# default['supermarket']['curry_cla_location'] = nil
# default['supermarket']['curry_success_label'] = nil
# default['supermarket']['icla_location'] = nil
# default['supermarket']['icla_version'] = nil
# default['supermarket']['seed_cla_data'] = nil
#
# ### Features
#
# These control the feature flags that turn features on and off.
#
# Available features are:
#
# * announcement: Display the Supermarket initial launch announcement banner
# (this will most likely be of no use to you, but could be made a
# configurable thing in the future.)
# * cla: Enable the Contributor License Agreement features
# * collaborator_groups: Enable collaborator groups, allowing management of collaborators through groups
# * fieri: Use the fieri service to report on cookbook quality (requires
# fieri_url, fieri_supermarket_endpoint, and fieri_key to be set.)
# * github: Enable GitHub integration, used with CLA signing
# * gravatar: Enable Gravatar integration, used for user avatars
# * join_ccla: Enable joining of Corporate CLAs
# * tools: Enable the tools section
# default['supermarket']['features'] = 'tools, gravatar'
#
# ### Air Gapped Settings
# This controls whether your Supermarket will reach out to 3rd party services like certain fonts
# and Google Analytics.
# default['supermarket']['air_gapped'] = 'false'
#
# ### robots.txt Settings
#
# These control the "Allow" and "Disallow" paths in /robots.txt. See
# http://www.robotstxt.org/robotstxt.html for more information. Only a single
# line for each item is supported. If a value is nil, the line will not be
# present in the file.
# default['supermarket']['robots_allow'] = '/'
# default['supermarket']['robots_disallow'] = nil
#
# ### S3 Settings
#
# If these are not set, uploaded cookbooks will be stored on the local
# filesystem (this means that running multiple application servers will require
# some kind of shared storage, which is not provided.)
#
# If these are set, cookbooks will be uploaded to the given S3 bucket
# using the provided credentials. A cdn_url can be used for an alias if the
# given S3 bucket is behind a CDN like CloudFront.
# default['supermarket']['s3_access_key_id'] = nil
# default['supermarket']['s3_bucket'] = nil
# default['supermarket']['s3_secret_access_key'] = nil
# default['supermarket']['cdn_url'] = nil
#
#
# ### Additional S3 Settings
# By default, Supermarket will use domain style S3 urls that look like this
# bucketname.s3.amazonaws.com
# This style of url will work across all regions
# If this is set as ':s3_path_url', the S3 urls will look like this
# s3.amazonaws.com/bucketname.
# This will only work if the S3 bucket is in N. Virginia.
# If your S3 bucket name has a "." in it - i.e. "my.bucket.name",
# you must use the path style url and your S3 bucket must be in N. Virginia
# default['supermarket']['s3_domain_style'] = ':s3_domain_url'
#
# ### SMTP Settings
#
# If none of these are set, the :sendmail delivery method will be used. Using
# the sendmail delivery method requires that a working mail transfer agent
# (usually set up with a relay host) be configured on this machine.
#
# SMTP will use the 'plain' authentication method.
# default['supermarket']['smtp_address'] = nil
# default['supermarket']['smtp_password'] = nil
# default['supermarket']['smtp_port'] = nil
# default['supermarket']['smtp_user_name'] = nil
#
# ### StatsD Settings
#
# If these are present, metrics can be reported to a StatsD server.
# default['supermarket']['statsd_url'] = nil
# default['supermarket']['statsd_port'] = nil

sudo supermarket-ctl reconfigure

  • Log in as the delivery user and authorize it on the Supermarket server

Installing the Automate server

DOSI07

  • Generate a certificate, as for DOSI02

sudo mkdir -p /etc/ssl/devops.local/

sudo nano /etc/ssl/devops.local/dosi07.cnf


[...]


sudo nano /etc/ssl/devops.local/dosi07.crt

DOSI02

  • Create the "delivery" user and the "DevOps" organization

sudo chef-server-ctl user-create delivery Administrator DevOps delivery@devops.local 'motdepasse' --filename delivery.pem

sudo chef-server-ctl org-create devops 'DevOps' --filename devops-validator.pem -a delivery

  • Log in and associate the user gregory.tabourin

DOSI07

  • Install the Automate package; the delivery.pem key created on DOSI02 and the automate.license file are placed in /home/administrator, where the setup step below expects them

  • Prerequisite check

sudo automate-ctl preflight-check

  • Some fixes I had to make

#Override the login attributes (home, shell, GECOS) of the "delivery" user as resolved through SSSD on this domain-joined host

sudo apt install sssd-tools

sudo sss_override user-add delivery -h /opt/delivery/embedded -s /bin/bash -c "CHEF Delivery" -n "CHEF Delivery"

#Error PF08: The vm.swappiness level should satisfy: '>= 1, <= 20'
sudo nano /etc/rc.local
sysctl -w vm.swappiness=1

#Error PF08: The vm.max_map_count level should satisfy: '>= 256000'
sudo nano /etc/rc.local
sysctl -w vm.max_map_count=256000

#Error PF08: The vm.dirty_expire_centisecs level should satisfy: '>= 10000, <= 30000'
sudo nano /etc/rc.local
sysctl -w vm.dirty_expire_centisecs=30000

#Error PF10: The minimum ephemeral ports count should be at least 30000
sudo nano /etc/rc.local
sysctl -w net.ipv4.ip_local_port_range='35000 65000'

#Error PF09: The transparent huge page setting for enabled should be 'never'
#Error PF09: The transparent huge page setting for defrag should be 'never'
sudo apt install sysfsutils
sudo nano /etc/sysfs.conf
kernel/mm/transparent_hugepage/enabled = never
kernel/mm/transparent_hugepage/defrag = never

#Error PF12: The block device read-ahead for device '/dev/mapper/dosi07--vg-root' mounted at '/' should satisfy '>= 4096'
sudo nano /etc/rc.local
blockdev --setra 4096 /dev/mapper/dosi07--vg-root

  • Re-run the prerequisite check

sudo automate-ctl preflight-check
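The sysctl fixes above are one-off `sysctl -w` lines run from /etc/rc.local, which is easy to get wrong and is not re-applied by `sysctl --system`. The script below is an added example (the editor's own code, not from this page or from Chef): it re-checks the four sysctl values against the exact bounds quoted in the PF08/PF10 messages and renders a persistent /etc/sysctl.d drop-in with the values chosen on this page. The transparent-hugepage (PF09) and read-ahead (PF12) items are sysfs/blockdev settings and are not covered. The function names, the sample input and the drop-in file name are this example's assumptions.

```ruby
# Added example (the editor's own code, not from the page or from Chef): re-check
# the sysctl values that automate-ctl preflight-check reported above (PF08/PF10)
# and render a persistent sysctl.d drop-in. The transparent-hugepage (PF09) and
# read-ahead (PF12) items are sysfs/blockdev settings and are not covered here.
# Function names, the sample input and the drop-in path are assumptions.

# Bounds exactly as printed by preflight-check; nil means no bound on that side.
PREFLIGHT_LIMITS = {
  'vm.swappiness'             => [1, 20],
  'vm.max_map_count'          => [256_000, nil],
  'vm.dirty_expire_centisecs' => [10_000, 30_000],
}.freeze
MIN_EPHEMERAL_PORTS = 30_000

# Parse `sysctl` output lines of the form "key = value" into a Hash of strings.
def parse_sysctl(text)
  text.each_line.with_object({}) do |line, h|
    key, value = line.split('=', 2)
    next unless value
    h[key.strip] = value.strip
  end
end

# Return one message per failing parameter; an empty Array means the host passes.
def preflight_failures(settings)
  failures = []
  PREFLIGHT_LIMITS.each do |key, (lo, hi)|
    raw = settings[key]
    if raw.nil?
      failures << "#{key}: not present"
      next
    end
    v = raw.to_i
    next if v >= lo && (hi.nil? || v <= hi)
    failures << "#{key}=#{v} should satisfy >= #{lo}#{", <= #{hi}" if hi}"
  end
  range = settings['net.ipv4.ip_local_port_range']
  if range.nil?
    failures << 'net.ipv4.ip_local_port_range: not present'
  else
    low, high = range.split.map(&:to_i)
    count = high - low + 1 # inclusive count; the page's "35000 65000" gives 30001
    failures << "ephemeral ports=#{count} should be >= #{MIN_EPHEMERAL_PORTS}" if count < MIN_EPHEMERAL_PORTS
  end
  failures
end

# Drop-in with the values chosen on this page. Unlike lines in /etc/rc.local,
# /etc/sysctl.d is applied by systemd-sysctl early at boot and by `sysctl --system`.
def sysctl_dropin
  <<~CONF
    # /etc/sysctl.d/99-chef-automate.conf (file name assumed)
    vm.swappiness = 1
    vm.max_map_count = 256000
    vm.dirty_expire_centisecs = 30000
    net.ipv4.ip_local_port_range = 35000 65000
  CONF
end

# Usage on a host: sysctl -a > /tmp/sysctl.txt && ruby preflight_sysctl.rb /tmp/sysctl.txt
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  failures = preflight_failures(parse_sysctl(File.read(ARGV[0])))
  puts(failures.empty? ? 'sysctl preflight: OK' : failures)
  exit(failures.empty? ? 0 : 1)
end
```

Run it against a `sysctl -a` capture before and after writing the drop-in; a non-zero exit means `automate-ctl preflight-check` will still complain about at least one of the four parameters.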

  • Setup

sudo automate-ctl setup --license /home/administrator/automate.license \
--key /home/administrator/delivery.pem \
--server-url https://chef.devops.local/organizations/devops \
--fqdn dosi07.devops.local \
--enterprise devops \
--supermarket-fqdn dosi09.devops.local

  • SSL configuration

sudo nano /etc/delivery/delivery.rb

   delivery['ssl_certificates'] = {
      'dosi07.devops.local' => {
      'key' => 'file:///etc/ssl/devops.local/dosi07.key',
      'crt' => 'file:///etc/ssl/devops.local/dosi07.crt'
      }
   }
   nginx['ssl_ciphers'] = "HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK"
   nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"

  • Active Directory integration

sudo nano /etc/delivery/delivery.rb

   delivery['ldap_hosts'] = ["dodc01.devops.local"]
   delivery['ldap_port'] = 3269
   delivery['ldap_timeout'] = 5000
   delivery['ldap_base_dn'] = "OU=Users,OU=DevOps,DC=devops,DC=local"
   delivery['ldap_bind_dn'] = "CN=zzbindldap,OU=Service accounts,OU=DevOps,DC=devops,DC=local"
   delivery['ldap_bind_dn_password'] = "motdepasse"
   # 3269 is the Global Catalog LDAPS port (TLS from the first byte); StartTLS is
   # only valid on the plaintext ports 389/3268, so use simple_tls here
   delivery['ldap_encryption'] = "simple_tls"
   delivery['ldap_attr_login'] = 'sAMAccountName'
   delivery['ldap_attr_mail'] = 'mail'
   # Active Directory has no fullName attribute; displayName carries the full name
   delivery['ldap_attr_full_name'] = 'displayName'

sudo automate-ctl reconfigure

  • Log in at https://dosi07.devops.local and add the LDAP account gregory.tabourin to the admin group
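Before running reconfigure, two things in delivery.rb are worth checking: that nginx does not still accept TLS 1.0/1.1 or a MEDIUM cipher group, and that ldap_encryption matches the port (3269 and 636 speak TLS from the first byte and need simple_tls; start_tls is the upgrade handshake for 389/3268). The Ruby below is an added example written for this page, not taken from it or from Chef: it audits a hash of delivery.rb values for those weaknesses and renders a hardened replacement. WEAK_SETTINGS is a constructed weak set (TLS 1.0 enabled, MEDIUM ciphers, start_tls on 3269, a fullName attribute); the finding texts, the cipher list (ECDHE AES-GCM suites, assumed available in Automate's embedded OpenSSL) and the assumption that delivery.rb accepts 'simple_tls' for ldap_encryption are this example's own.

```ruby
# Added example (the editor's own code, not taken from the page or from Chef):
# audit the TLS and LDAP values that go into /etc/delivery/delivery.rb and print a
# hardened replacement. WEAK_SETTINGS is a constructed example of the weaknesses
# discussed above; the finding texts, the cipher list and the assumption that
# delivery.rb accepts 'simple_tls' for ldap_encryption are this example's own.

# Ports where the directory speaks TLS from the first byte (LDAPS, GC over SSL);
# StartTLS upgrades a plaintext session and belongs with 389 / 3268.
IMPLICIT_TLS_PORTS = [636, 3269].freeze
STARTTLS_PORTS     = [389, 3268].freeze

WEAK_SETTINGS = {
  'ssl_protocols'       => 'TLSv1 TLSv1.1 TLSv1.2',
  'ssl_ciphers'         => 'HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK',
  'ldap_port'           => 3269,
  'ldap_encryption'     => 'start_tls',
  'ldap_attr_full_name' => 'fullName',
}.freeze

HARDENED_SETTINGS = {
  'ssl_protocols'       => 'TLSv1.2',
  # Forward-secret AES-GCM suites only: no MEDIUM group, no RC4/3DES, no CBC-SHA1.
  'ssl_ciphers'         => 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:' \
                           'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256',
  'ldap_port'           => 3269,
  'ldap_encryption'     => 'simple_tls',
  'ldap_attr_full_name' => 'displayName',
}.freeze

# Return one finding per weakness; an empty Array means nothing to fix.
def audit_delivery_settings(s)
  findings = []

  legacy = s['ssl_protocols'].to_s.split & %w[SSLv3 TLSv1 TLSv1.1]
  findings << "ssl_protocols enables #{legacy.join(', ')}" unless legacy.empty?

  groups = s['ssl_ciphers'].to_s.split(':')
  findings << 'ssl_ciphers admits the MEDIUM group (RC4/SEED-class suites)' if groups.include?('MEDIUM')

  port, enc = s['ldap_port'], s['ldap_encryption']
  case enc
  when 'no_encryption'
    findings << 'ldap_encryption is no_encryption: the bind password crosses the wire in clear'
  when 'start_tls'
    findings << "start_tls on port #{port}, which expects TLS from the first byte (use simple_tls)" if IMPLICIT_TLS_PORTS.include?(port)
  when 'simple_tls'
    findings << "simple_tls on port #{port}, a plaintext/StartTLS port (use start_tls or port 636/3269)" if STARTTLS_PORTS.include?(port)
  end

  findings << "ldap_attr_full_name 'fullName' is not an Active Directory attribute (use displayName)" if s['ldap_attr_full_name'] == 'fullName'
  findings
end

# Render a settings Hash as the lines to paste into delivery.rb before reconfigure.
def delivery_rb_lines(s)
  [
    "nginx['ssl_protocols'] = #{s['ssl_protocols'].inspect}",
    "nginx['ssl_ciphers'] = #{s['ssl_ciphers'].inspect}",
    "delivery['ldap_port'] = #{s['ldap_port']}",
    "delivery['ldap_encryption'] = #{s['ldap_encryption'].inspect}",
    "delivery['ldap_attr_full_name'] = #{s['ldap_attr_full_name'].inspect}",
  ]
end

if $PROGRAM_NAME == __FILE__ && ARGV.first == '--show'
  audit_delivery_settings(WEAK_SETTINGS).each { |f| puts "WEAK: #{f}" }
  puts delivery_rb_lines(HARDENED_SETTINGS)
end
```

`ruby audit_delivery.rb --show` prints the findings for the weak set followed by the hardened lines to paste in. Since delivery.rb also carries the LDAP bind password in clear, keep the file readable by root only, whatever else is changed.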

Run data collection automatically with Chef Server

DOSI07
  • Configuration

sudo nano /etc/delivery/delivery.rb
   # shared secret: use a long random string and set the same value on the Chef Server below
   data_collector['token'] = 'token'

sudo automate-ctl reconfigure

DOSI02 and DOSI03
  • Configuration

sudo chef-server-ctl set-secret data_collector token 'token'

  • Restart the services

sudo chef-server-ctl restart nginx
sudo chef-server-ctl restart opscode-erchef

Configure compliance scanning

DOSI02 and DOSI03
  • Configuration

sudo nano /etc/opscode/chef-server.rb
   data_collector['root_url'] = 'https://dosi07.devops.local/data-collector/v0/'
   profiles['root_url'] = 'https://dosi07.devops.local'

sudo chef-server-ctl reconfigure

Link Automate to Bitbucket

  • Log in to the Automate server

Installing the runner

DOSI07

  • SSH connection test

ssh delivery@dosi10.devops.local -p 22

  • Installation

sudo automate-ctl install-runner dosi10.devops.local delivery --password motdepasse --yes

  • If there is a problem (on DOSI10)

#Quick workaround only: mode 777 on /etc/chef leaves the node's client key and client.rb
#readable and writable by every local account. Once the runner installs, restore the
#default root-owned, non-world-writable permissions.
sudo chmod 755 -R ~/.chef
sudo chmod 777 -R /etc/chef

  • Reinstall