A single server Chef deployment for HPE OneView (Playground for testing) - HewlettPackard/chef-provisioning-oneview GitHub Wiki

Creating a single server Chef deployment for HPE OneView

Note: This is unlikely to ever be a supported deployment method and should only be used for training and educating around Chef and HPE OneView.

This is a low-level guide to deploying a server (in this example a virtual machine) that will use CentOS 7.x as its Linux distribution.

As this is a single server, it will combine not only the Chef Server but also the Chef Workstation tools and the HPE OneView Server deployment code.

Requirements

  • HPE OneView 1.2 - 2.x
  • ICSP
  • CentOS 7.x NetInstall or full DVD

Installation and Configuration

Operating System installation

This installation was done by following the CentOS installation screens and selecting:

[x] Minimal Installation

Then ensure that users and networking are configured accordingly; if networking requires further configuration, use the nmtui command. Also ensure that the /etc/hosts file is configured with the IP address, hostname and FQDN for the chef server.

Example files for our chef lab host (chef.lab.local):

/etc/resolv.conf

search lab.local 
nameserver 1.0.0.1

/etc/hostname

chef

/etc/hosts

10.0.0.20	chef	chef.lab.local

/etc/sysconfig/network-scripts/ifcfg-enXXXXXX

Be aware that omitting /24 after the IP address in nmtui can result in the netmask or PREFIX being set incorrectly.

...
DNS1=1.0.0.1
IPADDR=10.0.0.20
PREFIX=24
GATEWAY=10.0.0.1
...

Any networking changes can be committed with the command: systemctl restart network, then confirmed by examining the output of hostname -a

Creating a chef user

This will create a chef user that we've creatively called chef, specifying the home directory as /home/chef.

Create the user:

useradd -s /bin/bash -d /home/chef -m chef

Set the password:

passwd chef

Add to sudo file:

visudo

...

...
root	ALL=(ALL)	ALL
chef	ALL=(ALL)	ALL
...

This pretty much concludes the basics of having a server configured ready for chef to be deployed upon.

Chef Server Installation

This is a slight deviation from the normal Chef installation, which typically would be to pull it and other packages from the official CentOS repositories or the EPEL repository (Extra Packages for Enterprise Linux). The reason for this is the requirement for a more modern version of Ruby, 2.1 or higher.

Install wget (optional, if you're happy with curl) and download chef-server

yum install wget -y
wget https://packagecloud.io/chef/stable/packages/el/7/chef-server-core-12.4.1-1.el7.x86_64.rpm/download

Install and configure Chef

The above command will download the latest release (as of 23/03/16) of the chef-server-core and save it locally in a file called download. This file can then be installed as follows:

rpm -ivh download

Edit the file /etc/opscode/chef-server.rb, with server_name = being the most important line. It should look something like the following:

server_name = "chef.lab.local"
api_fqdn server_name
bookshelf['vip'] = server_name
nginx['url'] = "https://#{server_name}"
nginx['server_name'] = server_name
nginx['ssl_certificate'] = "/var/opt/opscode/nginx/ca/#{server_name}.crt"
nginx['ssl_certificate_key'] = "/var/opt/opscode/nginx/ca/#{server_name}.key"

Once the configuration has been saved the chef services can be reconfigured and brought up with the following line:

chef-server-ctl reconfigure

This will internally run the chef-solo command with some internal chef cookbooks to handle all of the configuration work for chef-server; this can take a couple of minutes.

Creating a User and Organisation for Chef

This uses the chef-server-ctl user-create command to create a user (modify as needed):

chef-server-ctl user-create user firstname surname user@example.com password

This uses the chef-server-ctl org-create command to create an organisation and add an admin user to it (modify as needed):

chef-server-ctl org-create org "My organisation" -a user

Install Chef Manage Web based UI (usually optional, used in this example)

These three lines perform the additional steps required to download the components, then configure and start the web-based Chef management user interface.

chef-server-ctl install opscode-manage
chef-server-ctl reconfigure
opscode-manage-ctl reconfigure

Apply firewall configuration changes to allow external HTTP/HTTPS access:

firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --reload

Test all configuration work

chef-server-ctl test

Chef Workstation Installation (w/Ruby 2.1+ on same host)

Install Compilers and other dependencies

Because the required version of Ruby isn't provided by the CentOS repositories, we have to build our own. This unfortunately means that the development tools (compilers, libraries) need to be installed:

yum groupinstall -y 'development tools'

Installation of Ruby Interpreter Management tools

Once the compilers and other dependencies have been installed, the following steps will grab the Ruby interpreter management tools, set the ruby version to 2.2 and install it:

command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -
curl -sSL https://get.rvm.io | bash -s stable
source /etc/profile.d/rvm.sh
rvm reload
rvm install 2.2

This can be tested with ruby -v to ensure that ruby is both installed and set to the correct version.

Installation of Chef Workstation tools

Opscode (developer of Chef) provides a single-line installer for chef that pulls an installation script, which automates the installation of the rest of the Chef toolchain.

curl -L https://www.opscode.com/chef/install.sh | bash

Once completed, test the tools are installed correctly with chef-client -v or knife -v.

Installation of HPE OneView Provisioning code

This one line will automate the downloading of not only the HPE OneView Ruby code, but also all of the dependencies that it requires.

gem install 'chef-provisioning-oneview'

Chef, HPE OneView and Insight Control Server Provisioning configuration

Chef workstation and knife tool configuration

Chef have simplified the configuration work required for an end user to have the workstation tools communicate correctly and securely with the server components. In order to grab this configuration a user needs to log into the Chef-Server web UI and download the "Starter Kit", which contains all of the configuration files and certificates to allow a workstation to speak to a chef-server. In our configuration:

  • Open Web Browser to http://10.0.0.20
  • Authenticate with the Username / Password we created with chef-server-ctl user-create earlier
  • Navigate to Administration tab, select our organisation and then select the "Download Starter Kit" option.

This .zip archive needs moving to the server and unzipping. In our example we use chef as the chef user, so we will scp our starter kit to the chef user's home directory:

scp starter\ kit.zip chef@10.0.0.20:
Password:

If we unzip this archive in the home directory correctly, we should find that a .chef/ directory has been created; in here we will find the file knife.rb and some .pem files. These all contain the configuration details that the knife tool will use to authenticate to the chef-server.

We can test this with the following:

knife ssl fetch

and ...

knife ssl check
...
Connecting to host chef.lab.local:443
Successfully verified certificates from `chef.lab.local'

Chef configuration for HPE OneView and ICSP

The final configuration step for Chef to communicate with HPE OneView and HPE Insight Control Server Provisioning is to modify the /home/chef/.chef/knife.rb file and add the configuration details for the relevant servers:

This should be added under the existing configuration (don't modify existing if possible)

knife[:oneview_url]        = 'https://oneview.lab.local'
knife[:oneview_username]   = 'Administrator'
knife[:oneview_password]   = 'password'
knife[:oneview_ignore_ssl] = true # For self-signed certs

knife[:icsp_url]           = 'https://icsp.lab.local'
knife[:icsp_username]      = 'Administrator'
knife[:icsp_password]      = 'password'
knife[:icsp_ignore_ssl]    = true # For self-signed certs

knife[:node_root_password] = 'password123'

# If your Chef server has self-signed certs:
verify_api_cert              false
ssl_verify_mode              :verify_none
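
The settings above trade transport security for convenience in a lab: certificate verification is switched off for OneView, ICSP and the Chef server, and the passwords sit in the file as literals. The Ruby script below is an added example, not part of the original wiki or of the chef-provisioning-oneview project; it flags those lines in a knife.rb. The sample text, the rule list and the function names (audit_knife_config, too_permissive?) are constructed for illustration.

```ruby
# Added example: audit a knife.rb for the lab shortcuts shown on this page.
# SAMPLE_KNIFE_RB is constructed from those settings; it is not a real file.
SAMPLE_KNIFE_RB = <<~'CONF'
  knife[:oneview_url]        = 'https://oneview.lab.local'
  knife[:oneview_password]   = 'password'
  knife[:oneview_ignore_ssl] = true # For self-signed certs
  knife[:icsp_password]      = ENV['ICSP_PASSWORD']
  knife[:icsp_ignore_ssl]    = false
  # ssl_verify_mode :verify_none
  verify_api_cert              false
  ssl_verify_mode              :verify_none
CONF

# Each rule pairs a pattern with a lambda that builds the finding message.
RULES = [
  [/\Aknife\[:(\w+_ignore_ssl)\]\s*=\s*true\b/,
   ->(m) { "#{m[1]} disables TLS certificate verification" }],
  [/\Aknife\[:(\w*password)\]\s*=\s*(['"]).*?\2/,
   ->(m) { "#{m[1]} is a plaintext literal" }],
  [/\Averify_api_cert\s+false\b/,
   ->(_) { 'verify_api_cert false skips Chef server certificate checks' }],
  [/\Assl_verify_mode\s+:verify_none\b/,
   ->(_) { 'ssl_verify_mode :verify_none skips all TLS verification' }]
].freeze

# Returns [line_number, message] findings; blank and comment lines are ignored.
def audit_knife_config(text)
  findings = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    RULES.each do |pattern, describe|
      match = pattern.match(line)
      findings << [lineno, describe.call(match)] if match
    end
  end
  findings
end

# knife.rb and the .pem keys beside it should be readable by their owner only.
def too_permissive?(path)
  (File.stat(path).mode & 0o077) != 0
end

if __FILE__ == $PROGRAM_NAME
  audit_knife_config(SAMPLE_KNIFE_RB).each { |n, msg| puts "line #{n}: #{msg}" }
end
```

Point audit_knife_config at File.read('/home/chef/.chef/knife.rb') and run too_permissive? over that file and the starter kit's .pem files; a password read from ENV and an ignore_ssl set to false produce no finding.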

Creating Cookbooks and Recipes

TODO