CentOS中怎么安装Cheff工作站

Chef是一个IT基础设施自动化软件，它可以管理你组织中所有的服务器和网络设备。当我们想与Chef服务器、任何物理节点（服务器、网络设备等）的基础设施进行交互时，我们需要一个Chef工作站。

使用以下命令下载ChefDK

在CentOS 7上

cd ~wget https://packages.chef.io/stable/el/7/chefdk-0.11.2-1.el7.x86_64.rpm

在CentOS 6上

cd ~wget https://packages.chef.io/stable/el/6/chefdk-0.11.2-1.el6.x86_64.rpm

安装 ChefDK

使用RPM安装刚刚下载的ChefDK

# rpm -ivh chefdk-0.11.2-1.el7.x86_64.rpmPreparing...                          ################################# [100%]Updating / installing...  1:chefdk-0.11.2-1.el7              ################################# [100%]Thank you for installing Chef Development Kit!

ChefDK默认安装到/opt/chefdk目录下，如下所示

# ls -l /opt/chefdk/drwxr-xr-x. 2 root root  4096 Mar  3 13:50 bindrwxr-xr-x. 7 root root    62 Mar  3 13:50 embedded-rw-r--r--. 1 root root 13249 Feb 22 14:26 version-manifest.json-rw-r--r--. 1 root root  8233 Feb 22 14:26 version-manifest.txt

验证ChefDK的安装

执行chef verify，验证所有来自ChefDK的不同组件，确保他们都工作正常，没有任何问题

# chef verifyRunning verification for component 'berkshelf'Running verification for component 'test-kitchen'Running verification for component 'tk-policyfile-provisioner'Running verification for component 'chef-client'Running verification for component 'chef-dk'Running verification for component 'chef-provisioning'Running verification for component 'chefspec'Running verification for component 'generated-cookbooks-pass-chefspec'Running verification for component 'rubocop'Running verification for component 'fauxhai'Running verification for component 'knife-spork'Running verification for component 'kitchen-vagrant'Running verification for component 'package installation'Running verification for component 'openssl'Running verification for component 'inspec'.......---------------------------------------------Verification of component 'test-kitchen' succeeded.Verification of component 'chef-dk' succeeded.Verification of component 'chefspec' succeeded.Verification of component 'rubocop' succeeded.Verification of component 'knife-spork' succeeded.Verification of component 'openssl' succeeded.Verification of component 'berkshelf' succeeded.Verification of component 'chef-client' succeeded.Verification of component 'fauxhai' succeeded.Verification of component 'inspec' succeeded.Verification of component 'tk-policyfile-provisioner' succeeded.Verification of component 'kitchen-vagrant' succeeded.Verification of component 'chef-provisioning' succeeded.Verification of component 'package installation' succeeded.Verification of component 'generated-cookbooks-pass-chefspec' succeeded.

下面是chef verify失败的案例。注意：Ruby在Chef中是必须的，它被嵌入在了ChefDK中。

# chef verify../opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/mixlib-shellout-2.2.6/lib/mixlib/shellout.rb:289:in `invalid!': Expected process to exit with [0], but received '1' (Mixlib::ShellOut::ShellCommandFailed)---- Begin output of /usr/bin/ohai -v ----STDOUT:STDERR: /opt/chefdk/embedded/lib/ruby/site_ruby/2.1.0/rubygems/dependency.rb:319:in `to_specs': Could not find 'chef-config' (= 12.8.0) - did find: [chef-config-12.7.2] (Gem::LoadError)

以上错误信息显示："Could not find ‘chef-config’ (= 12.8.0) – did find: [chef-config-12.7.2] (Gem::LoadError)"，在安装的ChefDK中chef-config的版本是12.7.2的旧版本，在手动安装chef-confg 12.8.0版本后再执行chef verify，显示验证成功。

验证ChefDK版本

执行 chef -version命令，显示ChefDK的版本号以及所有附带组件

# chef --versionChef Development Kit Version: 0.11.2chef-client version: 12.7.2berks version: 4.2.0kitchen version: 1.5.0

设置Chef 环境变量

设置Chef相关的环境变量，如：GEM_ROOT GEM_HOME GEM_PATH。

export GEM_ROOT="/opt/chefdk/embedded/lib/ruby/gems/2.1.0"export GEM_HOME="/root/.chefdk/gem/ruby/2.1.0"export GEM_PATH="/root/.chefdk/gem/ruby/2.1.0:/opt/chefdk/embedded/lib/ruby/gems/2.1.0"

此外，如果你的系统上已经安装了ruby，你需要更新与ruby相关的PATH变量，如下所示

export PATH="/opt/chefdk/bin:/root/.chefdk/gem/ruby/2.1.0/bin:/opt/chefdk/embedded/bin:/opt/chefdk/bin:/root/.chefdk/gem/ruby/2.1.0/bin:/opt/chefdk/embedded/bin:/opt/chefdk/bin:/root/.chefdk/gem/ruby/2.1.0/bin:/opt/chefdk/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin"

显示所有Chef设置的环境变量。

chef shell-init bash

想要快速设置这些环境变量，可以将其添加到bash_profile文件中，如下所示。

echo 'eval "$(chef shell-init bash)"' >> ~/.bash_profile

访问Chef的Firewalld规则

为了访问Chef服务器上的Chef Manage GUI，添加以下firewalld规则，开放Chef服务器上的相应端口。

firewall-cmd --direct  --add-rule ipv4 \filter INPUT_direct 0 -i eth0 -p tcp \--dport 443 -j ACCEPTfirewall-cmd --direct  --add-rule ipv4 \filter INPUT_direct 0 -i eth0 -p tcp \--dport 80 -j ACCEPTfirewall-cmd --direct  --add-rule ipv4 \filter INPUT_direct 0 -i eth0 -p tcp \--dport 9683 -j ACCEPTfirewall-cmd --reload

从Chef Manage GUI下载Starter Kit

登录到Chef Manage GUI，单击"Administration"选项，从列表中选择"organization"。此例中，"organization"为"example"，选中organization之后，点击左侧菜单中的"Starter Kit"。

按下"Download（下载）"按钮之后，会跳出一个警告信息，按下"Proceed"，它会将chef-starter.zip文件下载到本地机器。

解压缩 Starter Kit

将chef-starter.zip文件传输到Chef工作站并解压到root的home目录下

# cd ~# unzip chef-starter.zipArchive:  chef-starter.zip  creating: chef-repo/cookbooks/  creating: chef-repo/cookbooks/starter/  creating: chef-repo/cookbooks/starter/templates/  creating: chef-repo/cookbooks/starter/templates/default/ inflating: chef-repo/cookbooks/starter/templates/default/sample.erb    creating: chef-repo/cookbooks/starter/files/  creating: chef-repo/cookbooks/starter/files/default/ inflating: chef-repo/cookbooks/starter/files/default/sample.txt    creating: chef-repo/cookbooks/starter/recipes/ inflating: chef-repo/cookbooks/starter/recipes/default.rb    creating: chef-repo/cookbooks/starter/attributes/ inflating: chef-repo/cookbooks/starter/attributes/default.rb   inflating: chef-repo/cookbooks/starter/metadata.rb   inflating: chef-repo/cookbooks/chefignore   inflating: chef-repo/README.md     inflating: chef-repo/.gitignore      creating: chef-repo/.chef/  creating: chef-repo/roles/ inflating: chef-repo/.chef/knife.rb   inflating: chef-repo/roles/starter.rb   inflating: chef-repo/.chef/ramesh.pem   inflating: chef-repo/.chef/example-validator.pem

如果你手动创建了chef-repo文件夹，那你就需要手动创建上述的子目录，复制knife.rb文件、organization-validator.pem文件（如：example-validator.pem）、username.pem文件（如：ramesh.pem）到上面显示的目录中。

Chef服务器的SSL证书

在这个阶段如果执行knife client list会得到以下错误信息

# cd ~/chef-repo# knife client listERROR: SSL Validation failure connecting to host: centos.example.com - SSL_connect returned=1 errno=0 state=error: certificate verify failedERROR: Could not establish a secure connection to the server.Use `knife ssl check` to troubleshoot your SSL configuration.If your Chef Server uses a self-signed certificate, you can use`knife ssl fetch` to make knife trust the server's certificates.Original Exception: OpenSSL::SSL::SSLError: SSL Error connecting to https://centos.example.com/organizations/example/clients - SSL_connect returned=1 errno=0 state=error: certificate verify failed

证书验证失败，因为我们没有从Chef服务器下载SSL证书，此时可以执行以下"knife ssl fetch"。

# cd ~/chef-repo# knife ssl fetchWARNING: Certificates from centos.example.com will be fetched and placed in your trusted_certdirectory (/root/chef-repo/.chef/trusted_certs).Knife has no means to verify these are the correct certificates. You shouldverify the authenticity of these certificates after downloading.

证书将会下载到以下truster_certs目录中

# ls -l /root/chef-repo/.chef/trusted_certs-rw-r--r--. 1 root root 1379 Mar 20 20:17 centos_example_com.crt# cat /root/chef-repo/.chef/trusted_certs/centos_example_com.crt-----BEGIN CERTIFICATE-----MIIDzDCCArSgAwIBAgIBADANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJVUzEQMA4GA1UECgwHWW91Q29ycDETMBEGA1UECwwKT3BlcmF0aW9uczEbMBkGA1UEAwwSZXJhdGlvbnMxGzAZBgNVBAMMEmNlbnRvcy5leGFtcGxlLmNvbTCCASIwDQYJKoZI....WLyr2ORLMcck/OGsubabO/koMNTqhl2JJPECNiDJh06MeZ/2+BOwGZSpXDbw+vFENJAsLfsTzihGWZ58einMFA==-----END CERTIFICATE-----

Chef工作站的最终确认

如果Chef工作站工作正常，当你执行"knife client list"时，它会显示所有连接工作站的客户端。由于我们刚刚安装它，因此只能看到刚刚我们创建的组织（organization）

# cd ~/chef-repo# knife client listexample-validator

如果你现有的Chef工作站机器上已经有5个服务器连接到它了，你会看到以下信息

# knife client listexample-validatornode1node2node3node4node5