
docker-chef-server's Introduction

Chef Server

This image runs Chef Server 12. The latest version is published as quay.io/3ofcoins/chef-server:latest. Version tags are available; the current one is quay.io/3ofcoins/chef-server:12.18.14.

The Git repository containing the Dockerfile lives at https://github.com/3ofcoins/docker-chef-server/

Environment Variables

  • PUBLIC_URL - should be set to the full public URL of the endpoint (e.g. https://chef.example.com)
  • OC_ID_ADMINISTRATORS - if set, should be a comma-separated list of users that will be allowed to add oc_id applications

Ports

Ports 80 (HTTP) and 443 (HTTPS) are exposed.

Volumes

The /var/opt/opscode directory, which holds all Chef Server data, is a volume. The directories /var/log/opscode and /etc/opscode are symlinked into it as log and etc, respectively.

If the file etc/chef-server-local.rb exists in this volume, it is read at the end of chef-server.rb and can be used to customize Chef Server's settings.

Signals

  • docker kill -s HUP $CONTAINER_ID will run chef-server-ctl reconfigure
  • docker kill -s USR1 $CONTAINER_ID will run chef-server-ctl status

Usage

Prerequisites and first start

The first start automatically runs chef-server-ctl reconfigure. Subsequent starts do not run reconfigure unless the file /var/opt/opscode/bootstrapped has been deleted or the hostname has changed (i.e. on upgrade). You can run reconfigure (e.g. after editing etc/chef-server.rb) using docker-enter or by sending SIGHUP to the container: docker kill -s HUP $CONTAINER_ID.

Upgrading

Just kill the old container and start a new one using the same data volume. The image automatically runs chef-server-ctl upgrade when the version of the chef-server-core package changes. You will need to run chef-server-ctl cleanup afterwards.

If the repository is lagging behind a new Chef Server release, all you need to do to build a new image is update the variables at the top of the install.sh script.

Maintenance commands

Chef Server's design makes it impossible to wrap it cleanly in a container: it will always be necessary to run custom commands. While some of the management commands may work from linked containers with a varying amount of ugly hacks, it is simpler to have one way of interacting with the software that is as close as possible to interacting with a Chef Server installed directly on the host (and thus closest to supported usage).

This means you need Docker 1.3+ with the docker exec feature, and you run chef-server-ctl commands like:

docker exec $CONTAINER_ID chef-server-ctl status
docker exec $CONTAINER_ID chef-server-ctl user-create …
docker exec $CONTAINER_ID chef-server-ctl org-create …
docker exec $CONTAINER_ID chef-server-ctl …

If you have a Docker older than 1.3 and can't upgrade, you should be able to get by with the nsenter utility and the docker-enter script by Jérôme Petazzoni on your Docker host. The easiest way to install them is to run the installer Docker image:

docker run --rm -v /usr/local/bin:/target jpetazzo/nsenter

Then, you can use the docker-enter script to run chef-server-ctl commands:

docker-enter $CONTAINER_ID chef-server-ctl …

Publishing the endpoint

This container is not supposed to listen on a publicly available port. It is very strongly recommended to use a proxy server, such as nginx, as the public endpoint.

Unfortunately, Chef's logic for figuring out the absolute URL of its various pieces (oc_id, bookshelf, the erchef API, etc.) for links and redirects is twisted and fragile. There are chef-server.rb settings, but some pieces insist on using the Host: header of the request, and it does not seem possible to use a plain HTTP endpoint and have the Chef Server generate HTTPS redirects everywhere.

The main setting you need to configure is the PUBLIC_URL environment variable. It needs to contain the full public URL as seen by knife and chef-client (e.g. PUBLIC_URL=https://chef-api.example.com/).

Then you need to make sure that the proxy passes the proper Host: header to the Chef Server and talks to the Chef Server over the same protocol the final endpoint uses (i.e. a proxy that listens on HTTPS needs to use Chef Server's self-signed HTTPS endpoint; a proxy that listens on plain HTTP needs to talk to the HTTP endpoint).

If you prefer to avoid the overhead of encrypting the connection between the proxy and the Chef Server, it should be sufficient to rewrite the Location: headers (proxy_redirect in nginx, ProxyPassReverse in Apache). It works for me, but I can't guarantee you won't bump into a wrong URL generated by the server.

A sample nginx configuration looks like this:

server {
  listen 443 ssl;
  server_name chef.example.com;
  ssl_certificate /path/to/chef.example.com.pem;
  ssl_certificate_key /path/to/chef.example.com.key;
  client_max_body_size 4G;
  location / {
      proxy_pass http://127.0.0.1:5000;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect default;
      proxy_redirect http://chef.example.com https://chef.example.com;
  }
}
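An added check (example code, not part of the README or the image) for the proxy requirements above: it reads a captured response header block on stdin and flags any Location: header that does not stay under PUBLIC_URL, which is the symptom of a proxy that talks plain HTTP to the container without rewriting redirects. The function names and the sample headers are assumptions made here; the /id/signin path in the sample is only illustrative.

```shell
#!/bin/sh
# Verify that redirects coming back through the proxy point at PUBLIC_URL.
# Reads raw HTTP response headers on stdin (e.g. from: curl -sI "$PUBLIC_URL/")
# and prints every Location: header that escapes PUBLIC_URL.
# Exit status: 0 if all redirects are consistent with PUBLIC_URL, 1 otherwise.
check_redirects() {
  public_url=$(printf '%s' "$1" | sed 's#/*$##')   # normalise: drop trailing slashes
  bad=0
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')       # HTTP header lines end in CRLF
    case "$line" in
      [Ll]ocation:*)
        loc=$(printf '%s' "$line" | sed 's/^[Ll]ocation:[[:space:]]*//')
        case "$loc" in
          "$public_url"|"$public_url"/*) ;;         # absolute URL under PUBLIC_URL: fine
          /*) ;;                                    # relative redirect: proxy-agnostic, fine
          *) printf 'redirect escapes PUBLIC_URL: %s\n' "$loc"; bad=1 ;;
        esac
        ;;
    esac
  done
  return $bad
}

# Constructed sample (not real captured output): what a proxy that talks plain
# HTTP to the container and lacks proxy_redirect might hand back to the client.
sample_bad_headers() {
  printf 'HTTP/1.1 302 Found\r\n'
  printf 'Server: nginx\r\n'
  printf 'Location: http://127.0.0.1:5000/id/signin\r\n'
  printf '\r\n'
}

# Constructed sample of a correctly rewritten redirect.
sample_good_headers() {
  printf 'HTTP/1.1 302 Found\r\n'
  printf 'Location: https://chef.example.com/id/signin\r\n'
  printf '\r\n'
}

# Against a live endpoint (not run here):
#   curl -sI "$PUBLIC_URL/id/signin" | check_redirects "$PUBLIC_URL"
```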

Backup and restore

$ docker exec chef-server chef-server-backup

The backup will be created in /var/opt/opscode/backup/latest, and all previous backups will be kept in their own timestamped directories. Backups use hardlinks to share unchanged files. A backup takes the form of JSON files with user and organization details, plus each organization's Chef repository dump generated with knife download.

There is no full restore script yet; you'll need to create orgs and users based on the JSON files, and then use knife upload to upload each organization's data separately. A restore script is being worked on, but some pieces can't be restored (in particular, users' passwords), and other pieces seem tricky (in particular, ACLs).

Alternatively, one can take a binary backup of the data volume (note that it is not possible to read anything from such a backup without starting up the whole Chef Server, and it takes much more disk space):

  1. docker stop chef-server
  2. Archive the /var/opt/opscode volume (delete the bootstrapped file from the archive to force a chef-server-ctl reconfigure run on the new container)
  3. docker start chef-server

The same approach works for upgrades: just reuse the container, remembering to remove the bootstrapped file. You may also need to remove the symlinks in /var/opt/opscode/service and/or run chef-server-ctl upgrade via docker exec.
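An added helper (example code, not from the README or the image) that performs steps 1 to 3 above as one script: it archives the volume with the bootstrapped marker excluded and then verifies the exclusion, so the restored container is guaranteed to reconfigure. The function names and the miniature sample volume are constructed here; docker is only called when a container name is passed.

```shell
#!/bin/sh
# Cold, binary backup of the chef-server data volume without the 'bootstrapped'
# marker, so a container started on the restored volume runs reconfigure again.
#   volume_backup VOLUME_DIR ARCHIVE [CONTAINER]
# Stops CONTAINER (if given) before archiving and starts it again afterwards.
volume_backup() {
  vol=$1; archive=$2; container=$3
  [ -d "$vol" ] || { echo "no such directory: $vol" >&2; return 2; }
  if [ -n "$container" ]; then docker stop "$container" >/dev/null; fi
  # Exclude only the marker; the README notes that the service/ symlinks may
  # also need removing on upgrade, which is left to the operator.
  tar -C "$vol" --exclude=./bootstrapped -czf "$archive" . || return 1
  if [ -n "$container" ]; then docker start "$container" >/dev/null; fi
  # Confirm the marker really is absent from the archive before trusting it.
  if tar -tzf "$archive" | grep -qxF './bootstrapped'; then
    echo "bootstrapped marker leaked into $archive" >&2; return 1
  fi
}

# 0 if ARCHIVE contains the member PATH (as listed by tar -t), 1 otherwise.
archive_has() { tar -tzf "$1" | grep -qxF "$2"; }

# Constructed fixture: a miniature volume layout for trying the function
# offline (not a real Chef Server data volume). Prints the directory path.
make_sample_volume() {
  dir=$(mktemp -d)
  mkdir -p "$dir/etc" "$dir/service" "$dir/log"
  echo '# placeholder settings' > "$dir/etc/chef-server.rb"
  : > "$dir/bootstrapped"
  printf '%s\n' "$dir"
}

# Real use (not run here): volume_backup /var/opt/opscode /root/opscode.tgz chef-server
```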

Chef Plugins

UNSUPPORTED. No idea how to handle this (especially since this is the point at which licensing issues start to occur). Most likely, a separate image based on this one would be necessary.

Alternatives

An alternative image is maintained at https://github.com/trueability/docker-chef-server / https://hub.docker.com/r/trueability/chef-server/ and might be updated more frequently than this one.

docker-chef-server's People

Contributors

derks, mpasternacki

docker-chef-server's Issues

Build with ubi-8 baseline

I've checked out this project, attempting to modify it to build on a ubi-8 kernel base vice ubuntu 16.04
Attaching the modified Dockerfile and install.sh. The build succeeds but I get an error during startup:

Starting Chef Infra Client, version 16.17.51
Patents: https://www.chef.io/patents
resolving cookbooks for run list: ["infra-server::default"]
Synchronizing Cookbooks:
  - infra-server (0.1.2)
  - runit (5.1.7)
  - packagecloud (1.0.1)
  - yum-epel (4.5.0)
  - enterprise (1.2.0)
Installing Cookbook Gems:
Compiling Cookbooks...

================================================================================
Recipe Compile Error in /var/opt/opscode/local-mode-cache/cookbooks/infra-server/attributes/default.rb
================================================================================

NoMethodError
-------------
undefined method `[]' for nil:NilClass

Cookbook Trace: (most recent call first)
----------------------------------------
  /var/opt/opscode/local-mode-cache/cookbooks/infra-server/attributes/default.rb:590:in `from_file'

Relevant File Content:
----------------------
/var/opt/opscode/local-mode-cache/cookbooks/infra-server/attributes/default.rb:

583:  default['private_chef']['postgresql']['db_connection_superuser'] = nil
584:  default['private_chef']['postgresql']['shell'] = '/bin/sh'
585:  default['private_chef']['postgresql']['home'] = "#{var_base}/postgresql"
586:  default['private_chef']['postgresql']['user_path'] = "/opt/#{ChefUtils::Dist::Org::LEGACY_CONF_DIR}/embedded/bin:/opt/#{ChefUtils::Dist::Org::LEGACY_CONF_DIR}/bin:$PATH"
587:  default['private_chef']['postgresql']['vip'] = '127.0.0.1'
588:  default['private_chef']['postgresql']['port'] = 5432
589:  # We want to listen on all the loopback addresses, because we can't control which one localhost resolves to.
590>> default['private_chef']['postgresql']['listen_address'] = node['network']['interfaces']['lo']['addresses'].keys.join(',')
591:  default['private_chef']['postgresql']['max_connections'] = 350
592:  default['private_chef']['postgresql']['keepalives_idle'] = 60
593:  default['private_chef']['postgresql']['keepalives_interval'] = 15
594:  default['private_chef']['postgresql']['keepalives_count'] = 2
595:  default['private_chef']['postgresql']['md5_auth_cidr_addresses'] = [ '127.0.0.1/32', '::1/128' ]
596:  default['private_chef']['postgresql']['wal_level'] = 'minimal'
597:  default['private_chef']['postgresql']['archive_mode'] = 'off' # "cannot be enabled when wal_level is set to minimal"
598:  default['private_chef']['postgresql']['archive_command'] = ''
599:  default['private_chef']['postgresql']['archive_timeout'] = 0 # 0 is disabled.

System Info:
------------
chef_version=16.17.51
platform=redhat
platform_version=8.6
ruby=ruby 2.7.5p203 (2021-11-24 revision f69aeb8314) [x86_64-linux]
program_name=/opt/opscode/embedded/bin/chef-client
executable=/opt/opscode/embedded/bin/chef-client


Running handlers:
Running handlers complete
Chef Infra Client failed. 0 resources updated in 01 seconds
[2022-08-08T19:56:52+00:00] FATAL: Stacktrace dumped to /var/opt/opscode/local-mode-cache/chef-stacktrace.out
[2022-08-08T19:56:52+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2022-08-08T19:56:52+00:00] FATAL: NoMethodError: undefined method `[]' for nil:NilClass
/init.rb:135:in `block (2 levels) in <main>': chef-server-ctl upgrade: pid 19 exit 1 (RuntimeError)
        from /init.rb:151:in `block in <main>'
        from /init.rb:148:in `loop'
        from /init.rb:148:in `<main>'

Have you had any experience in building this in a rhel/centos environment? Any suggestions?
Attachments: Dockerfile.txt, install-rh.sh.txt

100% CPU when oc_id is running

Hi, thanks for dockerizing Chef Server 12. I've been using it for a couple of months.

Problem

From the beginning I was experiencing 100% CPU usage. I noticed a process which was being killed by something and started again and again and again:

opscode    842 90.0  0.7  55548 16092 ?        Rsl  16:51   0:00 /opt/opscode/embedded/bin/ruby bin/rails server -p 9090 -b 127.0

I've read somewhere that this process is invoked by the oc_id Chef component. oc_id is an "OAuth2 provider for extensions like Analytics or Supermarket", as written on https://github.com/chef/chef-server . When I stopped that component with chef-server-ctl stop oc_id, the above process no longer starts in a loop and CPU usage is lowered greatly.

Hacky solution

In order to make those changes persist across chef-server container reboots, I replaced this method with:

# run! from the image's init script, with the oc_id stop added after the
# spawn; log and $processes are defined elsewhere in that script.
def run!(*args, &block)
  log "Starting: #{args}" if ENV['DEBUG']
  pid = Process.spawn(*args)
  log "Started #{pid}: #{args.join ' '}"
  # Added: stop oc_id right after the supervisor comes up, on every boot.
  log "Stopping oc_id"
  `chef-server-ctl stop oc_id`
  $processes[pid] = block || ->{ log "#{args.join ' '}: #{$?}" }
  pid
end

This is obviously not pretty, but works.

I think it would be best to parametrize it: whether or not to stop (or start) oc_id at chef-server boot-up. I use neither Analytics nor Supermarket nor the Management Console, so I don't need oc_id, but I think others might need it. And of course it would be best to find a better implementation than this hacky solution. What do you think?

Backup command requires rsync installed

Hi,

First of all, thanks for creating this container! It made setting up a Chef server really easy.

I am using the container/image quay.io/3ofcoins/chef-server:12.18.14 and I am getting the following errors. I'll try to create a pull request for adding rsync.

root@7cf394faf939:/# chef-server-ctl backup
Locating rsync..
[ERROR] rsync must be installed in order to run this command

After running (inside the container)

root@7cf394faf939:/# apt update
...
root@7cf394faf939:/# apt install nano rsync

The command runs


It might not be an issue with this, but there were a couple of permission issues in the process:

Bringing down the Chef Server
ok: down: bookshelf: 1s, normally up
ok: down: nginx: 1s, normally up
ok: down: oc_bifrost: 0s, normally up
ok: down: oc_id: 0s, normally up
ok: down: opscode-chef-mover: 0s, normally up
ok: down: opscode-erchef: 1s, normally up
ok: down: opscode-expander: 0s, normally up
ok: down: opscode-solr4: 0s, normally up
ok: down: rabbitmq: 0s, normally up
ok: down: redis_lb: 1s, normally up
Dumping Postgresql database to /tmp/chef_backup20181117-1780-14zmbg4/chef_backup-2018-11-17-20-28-27.sql
could not change directory to "/tmp/d20181117-1780-120wb2p": Permission denied
ok: down: postgresql: 1s, normally up
Writing backup manifest
Creating backup tarball
/opt/opscode/embedded/lib/ruby/gems/2.5.0/gems/mixlib-shellout-2.3.2/lib/mixlib/shellout/unix.rb:185: warning: conflicting chdir during another chdir block
tar: Removing leading `/' from member names
Bringing up the Chef Server
ok: run: bookshelf: (pid 2091) 0s
ok: run: nginx: (pid 2162) 0s
ok: run: oc_bifrost: (pid 2175) 0s
ok: run: oc_id: (pid 2248) 0s
ok: run: opscode-chef-mover: (pid 2263) 0s
ok: run: opscode-erchef: (pid 2330) 0s
ok: run: opscode-expander: (pid 2648) 1s
ok: run: opscode-solr4: (pid 2778) 0s
ok: run: postgresql: (pid 2887) 0s
ok: run: rabbitmq: (pid 2332) 45s
ok: run: redis_lb: (pid 3074) 0s
Exporting tarball to /var/opt/chef-backup
Cleaning up /tmp/chef_backup20181117-1780-14zmbg4
Backup Complete!

URI::InvalidURIError on first run

I built a docker image from current master branch using docker build -t 3ofcoins/docker-chef-server .

But I can't run it properly; it breaks like this:

$ echo $PUBLIC_URL
https://chef.example.com

$ docker run --rm 3ofcoins/docker-chef-server
[2018-11-20T20:40:33+00:00] INIT: Starting /init.rb
[2018-11-20T20:40:33+00:00] INIT: Preparing configuration ...
mkdir -p /var/opt/opscode/log /var/opt/opscode/etc /.chef/env
cp /.chef/chef-server.rb /var/opt/opscode/etc
[2018-11-20T20:40:33+00:00] INIT: Started 8: /opt/opscode/embedded/bin/runsvdir-start
/opt/opscode/embedded/bin/runsvdir-start: line 24: ulimit: pending signals: cannot modify limit: Operation not permitted
/opt/opscode/embedded/bin/runsvdir-start: line 37: /proc/sys/fs/file-max: Read-only file system
[2018-11-20T20:40:33+00:00] INIT: Not bootstrapped, reconfiguring
[2018-11-20T20:40:33+00:00] INIT: Started 17: /usr/bin/chef-server-ctl reconfigure
Starting Chef Client, version 14.3.37
resolving cookbooks for run list: ["private-chef::default"]
Synchronizing Cookbooks:
  - private-chef (0.1.1)
  - enterprise (0.14.1)
  - openssl (8.5.5)
  - runit (4.1.1)
  - packagecloud (1.0.0)
  - yum-epel (3.3.0)
Installing Cookbook Gems:
Compiling Cookbooks...
Recipe: private-chef::default
  * directory[/etc/opscode] action create (up to date)
  * directory[/etc/opscode/logrotate.d] action create
    - create new directory /etc/opscode/logrotate.d
    - change mode from '' to '0755'
    - change owner from '' to 'root'
    - change group from '' to 'root'
/var/opt/opscode/local-mode-cache/cookbooks/private-chef/recipes/oc-chef-pedant.rb:41: warning: constant OpenSSL::SSL::SSLContext::METHODS is deprecated
  
  ================================================================================
  Recipe Compile Error in /var/opt/opscode/local-mode-cache/cookbooks/private-chef/recipes/default.rb
  ================================================================================
  
  URI::InvalidURIError
  --------------------
  bad URI(is not URI?): :443
  
  Cookbook Trace:
  ---------------
    /var/opt/opscode/local-mode-cache/cookbooks/private-chef/libraries/helper.rb:128:in `nginx_ssl_url'
    /var/opt/opscode/local-mode-cache/cookbooks/private-chef/recipes/oc-chef-pedant.rb:59:in `block in from_file'
    /var/opt/opscode/local-mode-cache/cookbooks/private-chef/recipes/oc-chef-pedant.rb:53:in `from_file'
    /var/opt/opscode/local-mode-cache/cookbooks/private-chef/recipes/default.rb:185:in `from_file'
  
  Relevant File Content:
  ----------------------
  /var/opt/opscode/local-mode-cache/cookbooks/private-chef/libraries/helper.rb:
  
  121:    def bookshelf_s3_url
  122:      # Using URI#to_s to strip ":443" for https and ":80" for http
  123:      URI("#{node['private_chef']['nginx']['x_forwarded_proto']}://#{vip_for_uri('bookshelf')}:#{node['private_chef']['bookshelf']['vip_port']}").to_s
  124:    end
  125:  
  126:    def nginx_ssl_url
  127:      # Using URI#to_s to strip ":443" for https and ":80" for http
  128>>     URI("#{node['private_chef']['nginx']['url']}:#{node['private_chef']['nginx']['ssl_port']}").to_s
  129:    end
  130:  
  131:    def db_connection_uri
  132:      db_protocol = "postgres"
  133:      db_user     = node['private_chef']['opscode-erchef']['sql_user']
  134:      db_password = PrivateChef.credentials.get('opscode_erchef', 'sql_password')
  135:      db_vip      = vip_for_uri('postgresql')
  136:      db_name     = "opscode_chef"
  137:  
  
  System Info:
  ------------
  chef_version=14.3.37
  platform=ubuntu
  platform_version=16.04
  ruby=ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux]
  program_name=/opt/opscode/embedded/bin/chef-client
  executable=/opt/opscode/embedded/bin/chef-client
  
  
  Running handlers:
  Running handlers complete
  Chef Client failed. 1 resources updated in 05 seconds
[2018-11-20T20:40:43+00:00] FATAL: Stacktrace dumped to /var/opt/opscode/local-mode-cache/chef-stacktrace.out
[2018-11-20T20:40:43+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2018-11-20T20:40:43+00:00] FATAL: URI::InvalidURIError: bad URI(is not URI?): :443
[2018-11-20T20:40:43+00:00] INIT: Reconfiguration finished: pid 17 exit 1

Unable to run the container

Hello,

Could you please share the docker run command to make it work silently?

Moreover, what are the recommended kernel values on Ubuntu?

Thank you

Notice of Official Fork

Unfortunately, it seems that the code base and Docker image here are no longer being maintained. I have attempted to help contribute to keep the project up-to-date, but the pull-requests have been un-merged. I have also attempted to contact "offline" as well via email, but have not received any responses.

I appreciate all of the work that has gone into this project/repo, however for our needs we really require keeping in line with upstream stable versions from Chef and so it has become necessary to fork our own repo and maintenance of Chef Server for Docker.

We welcome any and all feedback and contributions:
