アルパカchef日記3日目 data bagã«ã¤ã„㦠/ ã¾ãŸã¯ãƒ¦ãƒ¼ã‚¶ç®¡ç†ã‚¯ãƒƒã‚¯ãƒ–ックãªã©
2日目ã®ç¶šã。
コンセプトã¯こちらã‚’ã”å‚照下ã•ã„。
3日目ã®ç›®æ¨™
- ユーザ管ç†(data bag)
- ユーザ作æˆ
- bash_profile管ç†
- sudo
- ã“ã“ã®æ®µéšŽã§ ec2-userã®sudo権é™ã‚’剥奪ã—ã€æ–°ãƒ¦ãƒ¼ã‚¶ã«sudo権é™ã‚’付与
- security_limit
3日目を始ã‚ã‚‹å‰ã«ï¼šdata bag
ãƒ¦ãƒ¼ã‚¶æƒ…å ±ãªã©ã€ã‚¯ãƒƒã‚¯ãƒ–ックを跨るグãƒãƒ¼ãƒãƒ«ãªå€¤ã‚’
cookbookã«ã„ã¡ã„ã¡æ›¸ãã®ã¯å¾—ç–ã§ã¯ã‚ã‚Šã¾ã›ã‚“。
ã•ã‚‰ã«ç”Ÿã§ç½®ã„ã¦ãŠãã®ã‚‚æ°—ãŒå¼•ã‘ã¾ã™ã。
ãã‚“ãªã”è¦æœ›ã«ãŠç”ãˆã™ã‚‹ãŸã‚ã«ã€Œdata bagã€ã¨ã„ã†ä»•çµ„ã¿ãŒã‚ã‚Šã¾ã™ã€‚
databagを作æˆã—ã¦ãŠãã¨ã€è¤‡æ•°ã®ã‚¯ãƒƒã‚¯ãƒ–ックã«ã¾ãŸãŒã£ã¦ã„る共通ã®å¤‰æ•°ãªã©ã‚’ä¿å˜ã—ã¦ãŠãã“ã¨ãŒã§ãã¾ã™ã€‚
シークレットã‚ーを作æˆã™ã‚‹
ã¾ãšã¯data bagã‚’æš—å·/複åˆã™ã‚‹ãŸã‚ã®ã‚·ãƒ¼ã‚¯ãƒ¬ãƒƒãƒˆã‚ーを作æˆã—ã¾ã—ょã†ã€‚
以下ã®ã‚³ãƒžãƒ³ãƒ‰ã§data bag用ã®éµãƒ•ã‚¡ã‚¤ãƒ«ã‚’作ã£ã¦ãŠãã¾ã™ã€‚
openssl rand -base64 512 > data_bag_key # 「unable to write 'random state'ã€ã¨ã„ã†ã‚¨ãƒ©ãƒ¼ãŒå‡ºã‚‹å ´åˆã¯sudo実行ã—ã¾ã—ょã†
éµã‚’共通ディレクトリã«ç½®ã
chef-repo毎ã«éµã‚’作ã£ã¦ã‚‚ã„ã„ã®ã§ã™ãŒã€æ¯Žå›žä½œã‚‹ã®ã‚‚é¢å€’ãªã®ã§
今回ã¯å…±é€šã§å‚ç…§ã§ãã‚‹HOMEディレクトリ以下ã«ç½®ã„ã¦ã—ã¾ã„ã¾ã—ょã†ã€‚
mv data_bag_key ~/.chef/data_bag_key # knife.rbã«ã€Œencrypted_data_bag_secretã€ã‚’è¿½åŠ vi <chef-repo>/.chef/knife.rb ... encrypted_data_bag_secret "#{ENV['HOME']}/.chef/data_bag_key" ...
data bagを作æˆï¼ç·¨é›†ã™ã‚‹
knife soloコマンドã§data bagã‚’æ–°è¦ä½œæˆã—ã¾ã™ã€‚
ã“ã®æ™‚「EDITOR環境変数ã€ã‚’予ã‚è¨å®šã—ã¦ãŠãå¿…è¦ãŒã‚ã‚‹ã®ã§
未è¨å®šã®å ´åˆã¯ .bashrc ãªã©ã«è¿½è¨˜ã—ã¦ãŠãã¾ã—ょã†ã€‚
vi .bashrc ... " ä»¥ä¸‹ã‚’è¿½åŠ export EDITOR=vim ... # databagã®ä½œæˆ # 「databags/users/alpaca3.jsonã€ãŒä½œã‚‰ã‚Œã‚‹ knife solo data bag create users alpaca3 # 編集ã™ã‚‹å ´åˆã¯edit knife solo data bag edit users alpaca3
ã“ã®æ™‚ã®æ³¨æ„点ã¨ã—ã¦
databags/users/alpaca3.jsonを直接編集ã™ã‚‹ã“ã¨ã¯ã§ãã¾ã›ã‚“。*1
データを編集ã—ãŸã„å ´åˆã¯ knife solo data bag edit コマンドã‹ã‚‰è¡Œã†å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚
ユーザ作æˆ
今回ã¯å®Œå…¨ã‚ªãƒªã‚¸ãƒŠãƒ«ã®ã€Œuser-originã€ã‚¯ãƒƒã‚¯ãƒ–ックを作りã¾ã™ã€‚
ãŒã€ãã®å‰ã«ãƒ¦ãƒ¼ã‚¶ã®data bagを作ã£ã¦ãŠãã¾ã—ょã†ã€‚
「alpaca3ã€ã¨ã„ã†ãƒ¦ãƒ¼ã‚¶ã‚’作りã¾ã™ã€‚
create databag
knife solo data bag create users alpaca3
/databags/users/alpaca3.json ã®ä¸èº«
以下ã®ã‚ˆã†ã«ç·¨é›†ã—ã¾ã—ょã†ã€‚
{ "id": "alpaca3", "name": "alpaca3", "password": "$1$xxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "ssh_key": "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxx" }
passwordã«ã¤ã„ã¦
chefã«è¨˜è¿°ã™ã‚‹ãƒ‘スワード文å—列ã¯shadow passwordã«ã™ã‚‹å¿…è¦ãŒã‚るよã†ã§ã™ã€‚
以下ã®ã‚³ãƒžãƒ³ãƒ‰ã§æ¨™æº–出力ã•ã‚ŒãŸæ–‡å—列をpasswordã®æ¬„ã«è¨å®šã—ã¾ã—ょã†ã€‚
openssl passwd -1 > input > verify input $1$xxxxxxxxxxxxxxxxxxxxxxxxxxxxx <- ã“ã‚Œï¼
※å‚考ドã‚ュメント
http://docs.opscode.com/resource_user.html#password-shadow-hash
ssh_keyã«ã¤ã„ã¦
今回ã¯ec2-userã®éµã‚’æ‹å€Ÿã—ã¾ã—ょã†ã€‚
一度 ec2-userã§ãƒã‚°ã‚¤ãƒ³ã—ã€ä»¥ä¸‹ã®ã‚³ãƒžãƒ³ãƒ‰ã§è¡¨ç¤ºã•ã‚ŒãŸæ–‡å—列を「ssh_keyã€ã«ã—ã¾ã™ã€‚*2
cat ~/.ssh/authorized_keys
/site_cookbooks/user-origin/recipes/default.rb を書ã
ã§ã¯ã€ãƒ¬ã‚·ãƒ”を書ã„ã¦ã„ãã¾ã™ã€‚
å°‘ã—é•·ããªã‚Šãã†ãªã®ã§å°å‡ºã—ã—ãªãŒã‚‰èª¬æ˜Žã—ã¾ã™ã€‚
# æš—å·åŒ–ã•ã‚ŒãŸãƒ‡ãƒ¼ã‚¿ãƒãƒƒã‚°ã®æƒ…å ±ã‚’å–å¾—
user = Chef::EncryptedDataBagItem.load("users", 'alpaca3')
user_name = user['name']
password = user['password']
ssh_key = user['ssh_key']
home = "/home/#{user_name}"
# 「alpaca3ã€ãƒ¦ãƒ¼ã‚¶ã®ä½œæˆ
user user_name do
password password
home home
shell "/bin/bash"
supports :manage_home => true # ホームディレクトリも管ç†ã™ã‚‹
end
# 「alpaca3ã€ã‚’wheelグループã«è¿½åŠ ã™ã‚‹
group "wheel" do
action [:modify]
members [user_name]
append true
endã¾ãšã¯ãƒ¦ãƒ¼ã‚¶ã®ä½œæˆã§ã™ã€‚
1行ã‚ã® Chef::EncryptedDataBagItem.load() を用ã„㦠databagã®ãƒ‡ãƒ¼ã‚¿ã‚’ãƒãƒ¼ãƒ‰ã—ã¦ã„ã¾ã™ã€‚
ãã®æƒ…å ±ã‚’ç”¨ã„ã¦ã€Œalpaca3ã€ãƒ¦ãƒ¼ã‚¶ã‚’作æˆã—ã¾ã™ã€‚
ãã®å¾Œã«ã€Œalpaca3ã€ãƒ¦ãƒ¼ã‚¶ã‚’wheelグループã«è¿½åŠ ã—ã¦ã„ã¾ã™ã€‚
次ã«ssh用ã®ãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã‚„keyã‚’è¨å®šã—ã¾ã™ã€‚
「directoryã€ãƒªã‚½ãƒ¼ã‚¹ã‚’使ã£ã¦ãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã‚’作æˆã—ãŸå¾Œã€
「fileã€ãƒªã‚½ãƒ¼ã‚¹ã‚’使ã£ã¦ãƒ•ã‚¡ã‚¤ãƒ«ã‚’アップãƒãƒ¼ãƒ‰ã—ã¦ã„ã¾ã™ã€‚
# .sshディレクトリを作りã¾ã™
directory "#{home}/.ssh" do
owner user_name
group user_name
end
# authorized_keysファイルを作りã¾ã™
authorized_keys_file ="#{home}/.ssh/authorized_keys"
file authorized_keys_file do
owner user_name
mode 0600
content "#{ssh_key} #{user_name}" # ファイルã®ä¸èº«ã‚’直接指定
not_if { ::File.exists?("#{authorized_keys_file}")} # æ—¢ã«ãƒ•ã‚¡ã‚¤ãƒ«ãŒå˜åœ¨ã—ã¦ã„ãŸã‚‰ãƒªã‚½ãƒ¼ã‚¹ã‚’実行ã—ãªã„
end
次ã«bash_profileã®ç®¡ç†ã§ã™ã€‚
ã¾ãšã¯bash_profileã‚’ã©ã®ã‚ˆã†ã«ç®¡ç†ã—よã†ã¨ã—ã¦ã„ã‚‹ã‹èª¬æ˜Žã—ãŸã„ã¨æ€ã„ã¾ã™ã€‚
<home>
├── .bash_profile # .bash_profile。.bash_profile_inc以下ã®ãƒ•ã‚¡ã‚¤ãƒ«ã‚’èªã‚€è¨å®šã‚’入れã¦ãŠã
├── .bash_profile_inc # profile include用ディレクトリ
├── base_profile.sh # 共通profile
└── ... # ミドルウェア毎ã«bash_profileを用æ„ã™ã‚‹ä»–ã®æ§˜ã€…ãªãƒªã‚½ãƒ¼ã‚¹ãŒ .bash_profile_inc 以下ã«
å„々ã®profileã‚’ç½®ãよã†ãªé‹ç”¨ã§ã™ã€‚
ã“ã†ã™ã‚‹ã“ã¨ã«ã‚ˆã£ã¦ã€.bash_profile自体をã„ã˜ã‚‰ãªãã¦ã‚‚
リソース毎ã®æ§˜ã€…ãªprofileを管ç†ã—よã†ã¨ã—ã¦ã„ã¾ã™ã€‚
続ãã®ãƒ¬ã‚·ãƒ”ã¯ä»¥ä¸‹ã®ã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚
# 1. bash_profile include用ã®ãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã‚’作りã¾ã™
directory "#{home}/.bash_profile_inc" do
owner user_name
group user_name
end
# 2.「base_profile.sh(é™çš„ファイル)ã€ã‚’bash_profile include用ã®ãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã«é…ç½®ã—ã¾ã™
cookbook_file "#{home}/.bash_profile_inc/base_profile.sh" do
source "base_profile.sh"
mode 0644
owner user_name
group user_name
end
# 3. bash_profile本体ã«ã€Œ.bash_profile_incディレクトリ以下ã®ãƒ•ã‚¡ã‚¤ãƒ«ã‚’èªã¿è¾¼ã‚€ã€ã‚ˆã†ãªå‡¦ç†ã‚’è¿½åŠ ã—ã¦ã„ã¾ã™
script "include bash_profile" do
environment 'HOME' => home
user user_name
group user_name
interpreter "bash"
not_if "grep -q 'bash_profile_include' #{home}/.bash_profile"
flags "-e"
code <<-"EOH"
cat << EOF >> #{home}/.bash_profile 2>&1
# bash_profile_include
for file in \\`find ~/.bash_profile_inc -type f\\`; do
source \\$file
done
EOF
EOH
endã¾ãŸæ–°ã—ã„リソースãŒå‡ºã¦ããŸã®ã§ç°¡å˜ã«èª¬æ˜Žã‚’。
2. ã®ã€Œcookbook_fileã€ã¯filesディレクトリ以下ã«ç½®ã‹ã‚ŒãŸé™çš„ファイルをãã®ã¾ã¾ã‚µãƒ¼ãƒã«è»¢é€ã—ã¾ã™ã€‚
ã¡ãªã¿ã« 2. ã§ä½¿ç”¨ã—ã¦ã„ã‚‹é™çš„ファイルã®ä¸èº«ã¯
ç¾æ®µéšŽã§ä»¥ä¸‹ã®ã‚ˆã†ãªå†…容ã§ã™ã€‚
vi files/default/base_profile.sh # 今後育ã£ã¦ã„ãã¯ãš export LANG="ja_JP.UTF-8" alias sl='ls' alias ll='ls -l'
3. ã®ã€Œscriptã€ã¯ã€Œcodeã€ã«æ›¸ã‹ã‚ŒãŸå†…容をサーãƒä¸Šã§å®Ÿè¡Œã—ã¾ã™ã€‚
3. ã§è¡Œãªã£ã¦ã„る処ç†ã¯æ—¢å˜ã®.bash_profileã«è¿½è¨˜ã‚’è¡Œãªã£ã¦ã„ã‚‹ã®ã§
é‡è¤‡ã—ã¦å®Ÿè¡Œã—ãŸãã‚ã‚Šã¾ã›ã‚“。
ãã®ãŸã‚ not_if 㧠「bash_profile_includeã€ã¨ã„ã†æ–‡å—列ãŒå˜åœ¨ã—ãªã„時ã ã‘実行ã™ã‚‹ã‚ˆã†ã«ã—ã¦ã„ã¾ã™*3。
cooking
ã§ã¯nodes jsonã«è¿½åŠ ã—ã¦cookã—ã¾ã—ょã†ã€‚
vi nodes/ec2-chef-repo.json
{
"run_list":[
"recipe[selinux::disabled]",
"recipe[openssh]",
"recipe[ntp]",
"recipe[sysctl]",
"recipe[user-origin]"
]
}
# cook
knife solo cook ec2-chef-testã†ã¾ãã„ã£ãŸã§ã—ょã†ã‹ï¼Ÿ
今回ã¯åˆ©ç”¨ã—ã¾ã›ã‚“ã§ã—ãŸãŒã€DataBagã®å†…容をãã®ã¾ã¾ãƒ¦ãƒ¼ã‚¶ç™»éŒ²ã«ä½¿ã†ã‚ˆã†ãªãƒ¬ã‚·ãƒ”ã‚‚ã‚るよã†ã§ã™ã€‚
æ°—ã«ãªã‚‹æ–¹ã¯è©¦ã—ã¦ã¿ã¦ã¯ã„ã‹ãŒã§ã—ょã†ã‹ã€‚
https://github.com/opscode-cookbooks/users
sudo
sudo管ç†ã‚’ã—ã¾ã™ã€‚
デフォルトユーザã§ã‚ã‚‹ ec2-user ã«ç®¡ç†è€…権é™ã‚’æŒãŸã›ã‚‹ã®ã¯ã¡ã‚‡ã£ã¨å«Œãªã®ã§
ec2-userã®sudo権é™ã‚’剥奪ã—ã¦alpaca3ユーザã«sudo権é™ã‚’付ã‘ãŸã„ã¨æ€ã„ã¾ã™ã€‚
sudoクックブックã¯opscodeã®ã‚’ダウンãƒãƒ¼ãƒ‰ã—ã¾ã™ã€‚
# Berksfileã«ä»¥ä¸‹ã‚’è¿½åŠ ã€‚berks install も忘れãšã«ã€‚ cookbook 'sudo'
/site_cookbooks/sudo/attributes/default.rb を書ã
usersã¯alpaca3ã®ã¿ã«ã—ã¦ãŠãã¾ã™ã€‚
default['authorization']['sudo']['groups'] = [] default['authorization']['sudo']['users'] = ['alpaca3'] # 心é…ã§ã‚ã‚Œã°æœ€åˆã ã‘ec2-userを残ã—ãŸã¾ã¾ã«ã—ã¦ãŠã„ã¦ã‚‚良ã„ã§ã™ #default['authorization']['sudo']['users'] = ['ec2-user', 'alpaca3'] default['authorization']['sudo']['passwordless'] = true default['authorization']['sudo']['include_sudoers_d'] = false default['authorization']['sudo']['agent_forwarding'] = false default['authorization']['sudo']['sudoers_defaults'] = ['!lecture,tty_tickets,!fqdn']
cooking
ã§ã¯nodes jsonã«ãƒ¬ã‚·ãƒ”ã‚’è¿½åŠ ã—ã¦cookã—ã¾ã—ょã†ã€‚
vi nodes/ec2-chef-repo.json # sudo追記 ... # cook knife solo cook ec2-chef-test
ã“ã®ãƒ¬ã‚·ãƒ”ãŒæˆåŠŸã—ãŸã‚ã¨ã¯ ec2-userã§ã®sudoãŒã§ããªããªã‚Šã¾ã™ã€‚
ã™ãªã‚ã¡knife soloã®å®Ÿè¡Œã‚‚ã§ããªããªã‚Šã¾ã™ã€‚
ssh/configã§ãƒ¦ãƒ¼ã‚¶ã®æŒ‡å®šã€Œalpaca3ã€ã«å¤‰ãˆã¦ãŠãã¾ã—ょã†ã€‚
# ssh configè¨å®š vi .ssh/config Host ec2-chef-test HostName ec2-xxx-xxx-xxx-xxx.ap-northeast-1.compute.amazonaws.com IdentityFile /path/to/private.pem User alpaca3 Port 22
Caution!!!!
sudoクックブックã¯ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã®ã¾ã¾ï¼ˆsite-cookbooksを用æ„ã—ãªã„ã¾ã¾ï¼‰å®Ÿè¡Œã—ã¦ã—ã¾ã†ã¨
誰もsudoã§ããªããªã£ã¦ã—ã¾ã„ã¾ã™ï¼*4
ã”注æ„下ã•ã„。
security_limits
security_limitsもオリジナルã§ä½œæˆã—ã¦ã¿ã¾ã™ã€‚
出æ¥ä¸ŠãŒã‚‹ãƒ•ã‚¡ã‚¤ãƒ«ã¯ã“ã‚“ãªæ„Ÿã˜ã€‚
security_limits
├── attributes
│   └── default.rb
├── recipes
│   └── default.rb
└── templates
└── default
└── limits.conf.erb
/site_cookbooks/security_limits/attributes/default.rb
# è¨å®šã—ãŸã„ユーザé…列 default['security_limits']['users'] = ['alpaca3', 'nobody'] # soft / hard limitã®è¨å®š default['security_limits']['soft'] = 10240 default['security_limits']['hard'] = 10240
/site_cookbooks/security_limits/recipes/default.rb
# テンプレートèªã¿è¾¼ã‚€ template '/etc/security/limits.conf' do source "limits.conf.erb" mode "0644" variables( :users => node['security_limits']['users'], :hard_limit => node['security_limits']['hard'], :soft_limit => node['security_limits']['soft'] ) end
/site_cookbooks/security_limits/templates/default/limits.conf.erb
# Dynamically generated file dropped off by Chef! <% @users.each do |user| %> <%= user %> hard nofile <%= @hard_limit %> <%= user %> soft nofile <%= @soft_limit %> <% end %>
cooking
ã§ã¯nodes jsonã«ãƒ¬ã‚·ãƒ”ã‚’è¿½åŠ ã—ã¦cookã—ã¾ã—ょã†ã€‚
vi nodes/ec2-chef-repo.json # security_limits追記 ... # cook knife solo cook ec2-chef-test
ã†ã¾ãã„ãã¨ã€ã‚µãƒ¼ãƒä¸Šã«ä»¥ä¸‹ã®ã‚ˆã†ãªãƒ•ã‚¡ã‚¤ãƒ«ãŒä½œæˆã•ã‚Œã¦ã„ã‚‹ã¯ãšã§ã™ã€‚
$ cat /etc/security/limits.conf # Dynamically generated file dropped off by Chef! alpaca3 hard nofile 10240 alpaca3 soft nofile 10240 nobody hard nofile 10240 nobody soft nofile 10240
補足
今回ã€knife soloを実行ã™ã‚‹ãƒ¦ãƒ¼ã‚¶ã‚‚chefã§è¨å®š/作æˆã—ã¦ã„ã¾ã™ãŒã€
ã“ã‚Œã«é–¢ã—ã¦ã¯chef管ç†ã ã¨å¾®å¦™ã‹ãªã€œã¨æ€ã£ãŸã‚Šã—ã¦ã„ã¾ã™ã€‚*5
今回ã¯ã‚ãˆã¦chef管ç†ã§è¡Œã„ã¾ã—ãŸãŒã€
ã“ã®ã‚ãŸã‚Šã¯ã‚±ãƒ¼ã‚¹ãƒã‚¤ã‚±ãƒ¼ã‚¹ã§é‹ç”¨ã‚’変ãˆã¦ã‚‚良ã„ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ã。
次回アジェンダ
共通ã§ä½¿ã†ã‚ˆã†ãªãƒ‘ッケージやミドルウェアをインストールã—ã¦ã¿ãŸã„ã¨æ€ã„ã¾ã™ã€‚
*1:直接表示ã—ã¦ã‚‚encryptã•ã‚ŒãŸãƒ‡ãƒ¼ã‚¿ãŒè¡¨ç¤ºã•ã‚Œã¾ã™
*2:ã‚ãˆã¦databagを使用ã—ã¦ã„ã¾ã™ãŒã€ãƒã‚°ã‚¤ãƒ³ã•ã›ãŸã„ã ã‘ã§ã‚れ㰠/home/ec2-user/.ssh/authorized_keys ã‚’ /home/alpaca3/.ssh/authorized_keys ã«ã‚³ãƒ”ーã™ã‚‹ã ã‘ã§ã‚‚良ã„ã§ã™ã
*3:んーã€å¾®å¦™
*4:デフォルト㯠['sudo']['users']=[] ã®ãŸã‚
*5:予ã‚作ã£ã¦ãŠã„ãŸã»ã†ãŒã„ã„ã®ã§ã¯ã€ã¨ã„ã†ãŠè©±
