v 3.0.0

ChefConf 2015Introduction to Chef Analytics Platform

v 3.0.0

PrerequisitesHave an ssh client Have a good text editor (Atom, Sublime, vim, emacs) Have ChefDK (latest) installed Git & GitHub Account (Optional) Chef Fundamentals Training (or equivalent experience)

v 3.0.0

Chef Development Kit Version: 0.4.0

Confirm your setup$ chef -v

v 3.0.0

S C O T T F O R D

larryebaum@chef.io smford22smford22

@sford422

larryebaum@yahoo.com

S O L U T I O N S E N G I N E E R

v 3.0.0

L A R R Y

E I C H E N B A U M

larryebaum@chef.io larryebaumlarryebaum

@larryebaum

larryebaum@yahoo.com

v 3.0.0

DISCUSSIONIntroduce Yourselves

Name

Current job role

Previous job roles/background

Experience with Chef and/or config management

Favorite Text Editor

6

v 3.0.0

Agenda

Introduction to the Chef Analytics Platform

Workshop Environment Setup

Installing the Analytics Platform

Using the Analytics Platform

v 3.0.0

Course Objectives & Style

v 3.0.0

Course ObjectivesAfter completing this course you will be able to:

Install Chef Server and Chef Analytics using Chef Provisioning Understand the Chef Analytics platform including: • chef-client --audit-mode • Actions • Controls • Rules • Notifications

Write compliance controls recipes for your infrastructure, and use rules to and notifications to be alerted when tests succeed or fail

v 3.0.0

Training is a discussionLots of hands on labs Lots of typing Ask questions when they come to you Ask for help when you need it Help each other We will troubleshoot and fix bugs on the spot

v 3.0.0

Just an IntroductionToday is just an Introduction to the Chef Analytics Platform We’ll cover lots of topics but won’t go too deep on any of them We will have a Q&A with some of the Engineers from the Analytics Team at the end of the workshop

v 3.0.0

Login to Workshop HipChat Channel

v 3.0.0

Login to HipChatFor the purpose of this class, and in an effort to work together as a team, we have setup a public HipChat channel for all of us to use. You will need to create an account if you do not have one, but you can find that link here…

http://bit.ly/1D3bs4i

v 3.0.0

HipChat Quick Tips• @all notifies everyone regardless if they are present or not

• @here notifies everyone currently in the room

• @username to address a specific person in the room

• /code <paste code> allows you to paste code snippets in the room

v 3.0.0

Get logged in and say hello!

v 3.0.0

CheckpointAt this point you should have: • ChefDK • A programmers text editor • SSH client • Logged into workshop HipChat channel

v 3.0.0

Introduction to the Analytics Platform

The promise of the coded business

Transformation to high-velocity

Regulatory compliance frameworks

OFAC USA PATRIOT Act Gramm-Leach-Bliley Act Red Flags Rule

Bank Secrecy Act Sarbanes-Oxley Regulation E Dodd-Frank

False Claims Act HIPAA European Central Bank regulations Prudential Regulation Authority

Financial Conduct Authority HITECH PCI DSS

The conflict between compliance and velocity

The compliance challenge

The velocity challenge

Reconciling compliance and velocity

Analyze

• Be clear about what the desired system outcome actually is

• Take regulatory requirements and enterprise policies into account

• Choosing the desired state and expressing it at an appropriate level of detail can be more challenging problems than writing the automation code itself!

Specify

• Closing the gap between specifying and implementing regulations requires an unambiguous expression of the requirement in human- and machine-readable form.

• A domain-specific formal language (DSL) can achieve this level of clarity and precision.

• Chef recipes, tests and compliance rules are ideal for the task.

Examplepackage  'apache2'

service  'apache2'  do    action  [:start,  :enable]  end

Test

• Automated tests give confidence that the requirement has actually been met

• Writing the tests first give developers and system administrators a clear set of standards that must be met for compliant systems.

• Automated tests scale better than manual tests.

Example

Certify

• A separate certification step is not always required • In some cases, regulatory requirements or

organizational processes do require a final human sign off

• The better your tests, the shorter the certification step can be

• Be sure not to confuse certification and testing

The changing role of the compliance officer

A single accelerated cycle

1980

1981

1982

1983

1984

1985

1986

1987

1988

1989

1994 1999 2004 2009 2012 2013 2014 2015 2016 2017 2018 2019

Enterprises Have Nearly Unlimited Computing Resources

Virtual NodesPhysical Hardware

1980Mainframe

1990Client/Server

2000Datacenter

2010+Web-Scale

20

40

60

80

100

120Mill

ions

Mill

ions

of S

erve

rs

Exponential Increase in Size Leads toOperational Complexity

Web Servers

Application Servers

Database

Exponential Increase in Size Leads toOperational Complexity

Web Servers

Application Servers

Database

Add 1 server20+ Changes

12+ New Dependences

Speed of Execution Requires Visibility

• Change tracking • Security logs • Auditing • Performance monitoring

Chef Analytics Keeps Your Finger on the Pulse of Your Infrastructure

Chef Analytics Provides Three Core Components

• Actions and Run History • Record any policy or administrative changes to any object managed by Chef Server

• Track changes through all sources including management console, knife command or direct application of chef-client

• Real-time Reporting • Browse events in a friendly web UI with search, filters and sorting options

• Integrate with existing tools via API • Notifications

• Alert teams of every change through built-in messaging and email integration

• Extend notifications to existing systems with simple webhook architecture

Chef Analytics History

• Launched in May 2014 • Builds on Reporting (Run history) feature shipped in 2013

• Adds new fundamental data collection components • Actions – track policy modifications on the Chef Server

• Compliance – assert controls on changes to infrastructure and policy

• Pluggable analytics pipeline

• Chef Actions component available now!

Chef Analytics Architecture

Chef Analytics Data Flow

Reporting - Who did what on your Chef Server?

• Single view of what is changing in your infrastructure • Success/Failure status of individual Chef Client runs • Rollups of success/failure counts • Rollups of run durations

• Drill-down detail to individual resource convergence • State before/after

• Diffs (e.g. for templates, files)

• Errors

Reporting – what’s happening on chef-client runs ?

Actions – The Real-time Event Stream

• Provide a read-only view of what happened

• Can be customized to meet audit and compliance reporting requirements

• Allow administrators to react to events as they happen or after the fact investigation

• “What happened just before nodes started failing runs?”

• “When did our systems gets patched for Heartbleed?”

Controls

• A control is an automated test that is built into a cookbook

• Can be used to test the state of the system for compliance

• Wrapper around ServerSpec testing framework • Can be used to create audit tests around compliance frameworks such as PCI, HIPAA, and Sarbanes-Oxley

Rules and Notifications

• Create specialized rule sets to match the output of audits in your infrastructure

• Send notifications • Integrate with HipChat • Send email alerts • Web hooks to api endpoints • Integrations with third party solutions like Splunk

v 3.0.0

Workshop Environment Setup

v 3.0.0

Objectives

• Understand the different configuration options when installing Chef Analytics

• Use Chef Provisioning to deploy a Chef Server & Analytics Server in AWS

• Login to Chef Server and Analytics • Setup your workstation to manage infrastructure with Chef • Bootstrap a node to your Chef server and configure it with Chef

v 3.0.0

Installing Chef Analytics

Prerequisites• An x86_64 compatible system architecture:

• RHEL/CentOS (5.x, 6.x) • Ubuntu (10.04, 12.04, 13.04)

• Chef server version 12.0.3 or Enterprise Chef version 11.3 • chef-client version 12.1 is required for audit-mode • The Chef management console must be installed on the Chef server prior to

installing Chef analytics • Chef reporting is installed on the Chef server • A resolvable hostname that is specified using a FQDN or an IP address • A local mail transfer agent that allows the Chef server to send email notifications • A connection to NTP to prevent clock drift

Chef Analytics Data FlowAnalytics maps 1:1 with a Chef Server

Supported Configurations

• Standalone • Everything installed on one server • Configured to a Chef Server

• Tiered • 1 Backend server • Multiple front end servers behind a load balancer • Configured to a Chef Server

v 3.0.0

LOCAL

# Install Chef Server

- Stand up a instance to install on

- SSH to the instance

- Download the chef-server-12 package

- Install the package

- Create a /etc/opscode/chef-server.rb config file with <FQDN>

- Configure the server with ‘chef-server-ctl reconfigure’

- Install opscode-manage package

- Run opscode-manage-ctl reconfigure

- Install opscode-reporting

- Run opscode-reporting-ctl reconfigure

- Install opscode-analytics package

- Run opscode-analytics-ctl reconfigure

- Run chef-server-tcl reconfigure

Installation Steps - Chef Server

http://docs.chef.io/server/install_server.html

v 3.0.0

LOCAL

# Install Chef Analytics

- Stand up a instance to install on

- SSH to the instance

- Download the chef-analytics package

- Install the package

# Configure Chef Server with Analytics server

- Configure oc_id and RabbitMQ remote access /etc/opscode/chef-server.rb

- run chef-server-ctl reconfigure

- scp /etc/opscode-analytics to the Analytics host

# Configure Analytics

- Add analytics FQDN to /etc/opscode-analytics/opscode-analytics.rb

- run opscode-analytics-ctl reconfigure

Installation Steps - Chef Analytics

http://docs.chef.io/server/install_server.html

OR…( maybe there’s a better way )

v 3.0.0

Chef Provisioning

Chef Provisioning

• Originally released as Chef Metal at ChefConf 2014 • Allows creation of instances in Chef Recipes • Orchestrate complex deployment of applications • Moves more towards “Infrastructure as Code”

https://github.com/chef/chef-provisioning

v 3.0.0

LOCAL

require 'chef/provisioning/aws_driver' with_driver 'aws'

machine "scott-test" do machine_options( :ssh_username => 'root', :image_id => 'ami-b6bdde86', :bootstrap_options => { :instance_type => 't1.micro', :key_name => 'chefconf2015' } ) end

machine resource

https://github.com/chef/chef-provisioning

v 3.0.0

LOCAL

require 'chef/provisioning/aws_driver'

with_driver 'aws'

with_machine_options( bootstrap_options: { instance_type: 't1.micro', key_name: 'chefconf', security_group_ids: 'default' }, ssh_username: 'root', image_id: 'ami-a9de9c99' )

chef provisioning drivers

https://github.com/chef/chef-provisioning

v 3.0.0

LOCAL

•machine•machine_batch•machine_execute•machine_file•machine_image

Chef Provisioning • AWS• FOG• Azure• Vagrant• vsphere• Docker, LXC• Hanlon, OpenCrowBar• More coming….

https://github.com/chef/chef-provisioning

v 3.0.0

LOCAL

require 'chef/provisioning'

machine_batch do

machines %w(primary secondary web1 web2)

end

machine 'primary' do

recipe 'initial_ha_setup'

end

machine 'secondary' do

recipe 'initial_ha_setup'

end

machine_batch do

%w(primary secondary).each do |name|

machine name do

recipe 'rest_of_my_configuration'

end

end

Chef Provisioning Recipe

https://github.com/chef/chef-provisioning

v 3.0.0

Legend

Workshop Virtual Machines

• Each student will be provided: • 1 Node to use for Chef Provisioning • 1 Node to manage with Chef

http://bit.ly/1DlXOYD

v 3.0.0

REMOTE

Three different places to run commands

$ ssh chef@<EXTERNAL-IP-ADDRESS>This is an example of a command you run on your workstation

[chef@provisioning-node ~]$ whoami

[chef@hostname ~]$ whoami

This is an example of a command you run on your provisioning node

This is an example of a command you run on your target node

v 3.0.0

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384

options=3<RXCSUM,TXCSUM>

inet6 ::1 prefixlen 128

inet 127.0.0.1 netmask 0xff000000

inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1

nd6 options=1<PERFORMNUD>

gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280

stf0: flags=0<> mtu 1280

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500

ether 78:31:c1:c8:de:92

inet6 fe80::7a31:c1ff:fec8:de92%en0 prefixlen 64 scopeid 0x4

inet 192.168.1.71 netmask 0xffffff00 broadcast 192.168.1.255

nd6 options=1<PERFORMNUD>

Example of a Terminal command$ ifconfig

v 3.0.0

Example of editing a file on your workstation

file "hello.txt" do content "Hello, world!"end

Open in editor: ~/hello.rb

The file named "hello.txt" is created with the content "Hello, world!".

v 3.0.0

Login to Provisioning Node

v 3.0.0

chef@ec2-52-11-67-70.us-west-2.compute.amazonaws.com's password:Last login: Mon Mar 16 22:43:58 2015 from 99.8.186.151[chef@provisioning-node ~]$

SSH to your Provisioning Node$ ssh chef@<EXTERNAL-IP-PROVISIONING-NODE>

v 3.0.0

[default]region = us-west-2aws_access_key_id = <ACCESS KEY PROVIDED>aws_secret_access_key = <SECRET KEY PROVIDED>

Setup AWS Credentials[chef@provisioning-node ~]$ cat ~/.aws/config

v 3.0.0

total 8-r--------. 1 chef chef 1675 Mar 20 18:00 chefconf2015-r--------. 1 chef chef 394 Mar 20 18:00 chefconf2015.pub-rw-r--r--. 1 chef chef 0 Mar 20 20:29 known_hosts

SSH Keys Configured[chef@provisioning-node ~]$ ls -l .ssh

v 3.0.0

Initialized empty Git repository in /home/chef/analytics-cluster/.git/

remote: Counting objects: 29, done.

remote: Compressing objects: 100% (23/23), done.

remote: Total 29 (delta 2), reused 29 (delta 2), pack-reused 0

Unpacking objects: 100% (29/29), done.

Git clone the analytics-cluster cookbook[chef@provisioning-node ~]$ git clone https://github.com/opscode-cookbooks/analytics-cluster.git

https://github.com/opscode-cookbooks/analytics-cluster.git

v 3.0.0

{ "name": "<firstname-lastname>", "description": "An example environment for a Chef Server and Chef Analytics", "json_class": "Chef::Environment", "chef_type": "environment", "override_attributes": { "analytics-cluster": { "id": "<firstname-lastname>", "aws": { "key_name": "chefconf2015", "ssh_username": "root", "image_id": "ami-cda985fd", "subnet_id": "subnet-8f847cd6", "security_group_ids": "sg-63291806", "use_private_ip_for_ssh": false }, "chef-server": { "flavor": "m3.medium", "organization": "chefadmin" }, "analytics": { "flavor": "m3.medium" } } }

Create an Environment file [chef@provisioning-node ~]$ cd analytics-cluster

[chef@provisioning-node analytics-cluster ]$ cat environments/<firstname-lastname>.json

v 3.0.0

LOCAL

environments/<firstname-lastname>.json{ "name": "<firstname-lastname>", "description": "An example environment for a Chef Server and Chef Analytics", "json_class": "Chef::Environment", "chef_type": "environment", "override_attributes": { "analytics-cluster": { "id": "<firstname-lastname>", "aws": { "key_name": "chefconf2015", "ssh_username": "root", "image_id": "ami-cda985fd", "subnet_id": "subnet-8f847cd6", "security_group_ids": "sg-63291806", "use_private_ip_for_ssh": false }, "chef-server": { "flavor": "m3.medium", "organization": "chefadmin" }, "analytics": { "flavor": "m3.medium" } } }}

http://bit.ly/1Gub7Ha

v 3.0.0

source 'https://rubygems.org'

gem 'berkshelf', '~> 3.2'

gem 'chef', '~> 12.0'

gem 'chef-provisioning', git: 'https://github.com/chef/chef-provisioning.git',

ref: 'master'

gem 'chef-provisioning-aws', git: 'https://github.com/chef/chef-provisioning-aws.git',

ref: 'master'

Run bundle install[chef@provisioning-node ~]$ bundle install

v 3.0.0

Updating https://github.com/chef/chef-provisioning.git

Updating https://github.com/chef/chef-provisioning-aws.git

Fetching gem metadata from https://rubygems.org/........

Fetching additional metadata from https://rubygems.org/..

Resolving dependencies...

Using rake 10.4.2

Using addressable 2.3.7

Using builder 3.2.2

Using gyoku 1.2.3

Using mini_portile 0.6.2

Using nokogiri 1.6.6.2

Using akami 1.2.2

Using json 1.8.2

Using aws-sdk-v1 1.63.0

Using multipart-post 2.0.0

Using faraday 0.9.1

…

Run bundle install[chef@provisioning-node ~]$ bundle install

v 3.0.0

source 'https://supermarket.chef.io'

metadata

cookbook 'chef-server-12',

path: 'vendor/chef-server-12'

cookbook 'chef-server-ingredient',

git: 'https://github.com/opscode-cookbooks/chef-server-ingredient.git',

branch: ‘master’

Berksfile[chef@provisioning-node]$ cat Berksfile

v 3.0.0

Resolving cookbook dependencies...Fetching 'analytics-cluster' from source at .Fetching 'chef-server-12' from source at vendor/chef-server-12Using chef-server-ingredient (0.3.0) from git@github.com:opscode-cookbooks/chef-server-ingredient.git (at master)Using chef-server-12 (0.1.3) from source at vendor/chef-server-12Using analytics-cluster (0.1.0) from source at .Using packagecloud (0.0.17)Vendoring analytics-cluster (0.1.0) to cookbooks/analytics-clusterVendoring chef-server-12 (0.1.3) to cookbooks/chef-server-12Vendoring chef-server-ingredient (0.3.0) to cookbooks/chef-server-ingredientVendoring packagecloud (0.0.17) to cookbooks/packagecloud…

Run bundle exec berks vendor cookbooks[chef@provisioning-node ~]$ bundle exec berks vendor cookbooks

v 3.0.0

Starting Chef Client, version 12.0.3[2015-03-18T08:15:38-07:00] WARN: Run List override has been provided.[2015-03-18T08:15:38-07:00] WARN: Original Run List: [][2015-03-18T08:15:38-07:00] WARN: Overridden Run List: [recipe[analytics-cluster::setup_chef_server]]resolving cookbooks for run list: ["analytics-cluster::setup_chef_server"]Synchronizing Cookbooks: - analytics-cluster - chef-server-12 - chef-server-ingredient - packagecloudCompiling Cookbooks...Converging 10 resourcesRecipe: analytics-cluster::setup_chef_server * machine[chef-server-<environment>] action converge ... ...

+node_name 'chefadmin' +chef_server_url 'https://54.148.24.47/organizations/chefadmin' +client_key '/Users/scottford/chef-repo/cookbooks/analytics-cluster/.chef/../.chef/analytics-cluster-data/chefadmin.pem' +cookbook_path '/Users/scottford/chef-repo/cookbooks/analytics-cluster/.chef/local-mode-cache/cache/cookbooks' +trusted_certs_dir '/Users/scottford/chef-repo/cookbooks/analytics-cluster/.chef/trusted_certs'* execute[upload all cookbooks] action run - execute knife cookbook upload --all --cookbook-path /Users/scottford/chef-repo/cookbooks/analytics-cluster/.chef/local-mode-cache/cache/cookbooks[2015-03-18T08:35:47-07:00] WARN: Skipping final node save because override_runlist was given

Running handlers:Running handlers completeChef Client finished, 9/10 resources updated in 730.648963 seconds

Run analytics-cluster::setup_chef_server[chef@provisioning-node ~]$ bundle exec chef-client –z -o analytics-cluster::setup_chef_server –E <firstname-lastname>

v 3.0.0

Starting Chef Client, version 12.0.3[2015-03-18T08:15:38-07:00] WARN: Run List override has been provided.[2015-03-18T08:15:38-07:00] WARN: Original Run List: [][2015-03-18T08:15:38-07:00] WARN: Overridden Run List: [recipe[analytics-cluster::setup_analytics]]resolving cookbooks for run list: ["analytics-cluster::setup_analytics"]Synchronizing Cookbooks: - analytics-cluster - chef-server-12 - chef-server-ingredient - packagecloudCompiling Cookbooks...Converging 10 resourcesRecipe: analytics-cluster::setup_chef_server * machine[analytics-<environment>] action converge ... ... * chef_server_ingredient[opscode-analytics] action reconfigure * execute[opscode-analytics-reconfigure] action run - execute opscode-analytics-ctl reconfigure

Running handlers:Running handlers completeChef Client finished, 11/13 resources updated in 241.197843043 seconds- run 'chef-client -l auto' on analytics-server-scott-ford[2015-03-18T08:43:46-07:00] WARN: Skipping final node save because override_runlist was given

Running handlers:Running handlers completeChef Client finished, 5/5 resources updated in 458.067242 seconds

Run analytics-cluster::setup_analytics[chef@provisioning-node ~]$ bundle exec chef-client –z -o analytics-cluster::setup_analytics –E <firstname-lastname>

v 3.0.0

Show Analytics Public Hostname[chef@provisioning-node ~]$ knife node show analytics-server-<firstname>-<lastname> -a ec2.public_hostname

v 3.0.0

Lab Gist1. Logon to provisioning node 2. clone analytics-cluster cookbook 3. bundle install 4. bundle exec berks vendor cookbooks 5. create environment file 6. bundle exec chef-client -z -o analytics-cluster::setup_chef_server -E <firstname-

lastname> 7. bundle exec chef-client -z -o analytics-cluster::setup_analytics -E <firstname-

lastname>

http://bit.ly/1HZu9Hi

v 3.0.0

CheckpointAt this point you should have: • ChefDK • A programmers text editor • SSH client • Logged into workshop HipChat channel • Chef Server & Chef Analytics

v 3.0.0

Setup your Chef Repo

v 3.0.0

Setup your Org on the Chef Server•Create an account •Setup an organization

•Download your Starter Kit

•Setup chef-repo on your workstation

v 3.0.0

Exercise: Set up a working directoryMake a working directory on your laptop under your home directory called ‘~/analytics-workshop', i.e.

Windows:- C:\Users\you\analytics-workshop

Mac/*nix:- /Users/you/analytics-workshop

Navigate to this working directory

v 3.0.0

WARNING: Certificates from 52.123.22.235 will be fetched and placed in your trusted_cert directory (/Users/scottford/analytics-workshop/chef-repo/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should verify the authenticity of these certificates after downloading.

Adding certificate for 52.123.22.235 in /Users/scottford/analytics-workshop/chef-repo/.chef/trusted_certs/52.123.22.235.crt

Exercise: use knife ssl fetch$ knife ssl fetch

v 3.0.0

<your-org>-validator.pem

Exercise: Test your workstation$ knife client list

v 3.0.0

Lab Gist1. Logon to your Chef Server 2. Download Starter Kit 3. Create a working directory ~/chef-repo 4. Use knife ssl fetch to pull in self-signed certs 5. Validate config

http://bit.ly/1CrAczG

v 3.0.0

Bootstrap A Node

v 3.0.0

uvo164727i3mvh1jup2.vm.cld.sr --2014-05-13 04:31:10-- https://www.opscode.com/chef/install.sh

uvo164727i3mvh1jup2.vm.cld.sr Resolving www.opscode.com... 184.106.28.90

uvo164727i3mvh1jup2.vm.cld.sr Connecting to www.opscode.com|184.106.28.90|:443... connected.

uvo164727i3mvh1jup2.vm.cld.sr HTTP request sent, awaiting response... 200 OK

uvo164727i3mvh1jup2.vm.cld.sr Length: 15934 (16K) [application/x-sh]

uvo164727i3mvh1jup2.vm.cld.sr Saving to: `STDOUT'

uvo164727i3mvh1jup2.vm.cld.sr

100%[======================================>] 15,934 --.-K/s in 0s

uvo164727i3mvh1jup2.vm.cld.sr

uvo164727i3mvh1jup2.vm.cld.sr 2014-05-13 04:31:10 (538 MB/s) - written to stdout [15934/15934]

uvo164727i3mvh1jup2.vm.cld.sr

uvo164727i3mvh1jup2.vm.cld.sr Downloading Chef 11.8.2 for el...

uvo164727i3mvh1jup2.vm.cld.sr downloading https://www.opscode.com/chef/metadata?v=11.8.2&prerelease=false&nightlies=false&p=el&pv=6&m=x86_64

uvo164727i3mvh1jup2.vm.cld.sr to file /tmp/install.sh.41533/metadata.txt

uvo164727i3mvh1jup2.vm.cld.sr trying wget...

uvo164727i3mvh1jup2.vm.cld.sr url https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-11.8.2-1.el6.x86_64.rpm

...

Exercise: Bootstrap the target node$ knife bootstrap <external address> --sudo –x chef –P chef –N "node1"

v 3.0.0

$ git clone https://github.com/opscode-cookbooks/chef-client.git

Exercise: Use git to clone the chef-client cookbook

$ cd chef-repo/cookbooks

Cloning into 'chef-client'... remote: Counting objects: 2876, done. remote: Total 2876 (delta 0), reused 0 (delta 0), pack-reused 2876 Receiving objects: 100% (2876/2876), 601.53 KiB | 0 bytes/s, done. Resolving deltas: 100% (1405/1405), done. Checking connectivity... done.

v 3.0.0

Download chef-client cookbook from github.com

https://github.com/opscode-cookbooks/chef-client

1. click Download ZIP

2. Unzip into chef-repo/cookbooks/

3. cd into that directory

v 3.0.0

$ berks install

Exercise: Use Berkshelf to install dependencies

$ cd chef-repo/cookbooks/chef-client

Resolving cookbook dependencies... Fetching 'chef-client' from source at . Fetching cookbook index from https://supermarket.chef.io... Using apt (2.7.0) Using chef-client (4.2.4) from source at . Using build-essential (2.2.1) Using chef_handler (1.1.6) Using cron (1.6.1) Using logrotate (1.9.1) Using runit (1.5.18) Using windows (1.36.6) Using yum (3.5.3) Using yum-epel (0.6.0)

v 3.0.0

Uploaded apt (2.7.0) to: 'https://52.123.22.235:443/organizations/analytics-workshop' Uploaded build-essential (2.2.1) to: 'https://52.123.22.235:443/organizations/analytics-workshop' Uploaded chef-client (4.2.4) to: 'https://52.123.22.235:443/organizations/analytics-workshop' Uploaded chef_handler (1.1.6) to: 'https://52.123.22.235:443/organizations/analytics-workshop' Uploaded cron (1.6.1) to: 'https://52.123.22.235:443/organizations/analytics-workshop' Uploaded logrotate (1.9.1) to: 'https://52.123.22.235:443/organizations/analytics-workshop' Uploaded runit (1.5.18) to: 'https://52.123.22.235:443/organizations/analytics-workshop' Uploaded windows (1.36.6) to: 'https://52.123.22.235:443/organizations/analytics-workshop' Uploaded yum (3.5.3) to: 'https://52.123.22.235:443/organizations/analytics-workshop' Uploaded yum-epel (0.6.0) to: 'https://52.123.22.235:443/organizations/analytics-workshop'

Exercise: Use Berkshelf to upload chef-client and dependencies

$ berks upload --ssl-verify=false

v 3.0.0

Create a base role

name "base"description "A base role"run_list "recipe[chef-client]", "recipe[chef-client::config]"default_attributes( "chef_client" => { "config" => { "ssl_verify_mode" => ":verify_peer", } })

Open in editor: chef-repo/roles/base.rb

http://bit.ly/1GHODmd

v 3.0.0

Updated Role base!

Exercise: Upload base role$ knife role from file base.rb

v 3.0.0

node1:

run_list:

role[base]

Exercise: Set run list for managed node$ knife node run_list set node1 'role[base]'

v 3.0.0

Starting Chef Client, version 11.12.8

resolving cookbooks for run list: ["chef-client::delete_validation", "chef-client"]

Synchronizing Cookbooks:

- chef-client

Compiling Cookbooks...

...

Exercise: Run chef-clientchef@node1$ sudo chef-client

v 3.0.0

root 8933 0.3 2.2 130400 37816 ? Sl 03:19 0:01 /opt/chef/embedded/bin/ruby /usr/bin/chef-client -d -c /etc/chef/client.rb -L /var/log/chef/client.log -P /var/run/chef/client.pid -i 1800 -s 300

Exercise: Verify chef-client is runningchef@node1$ ps awux | grep chef-client

v 3.0.0

Lab Gist1. Bootstrap your node 2. Pull down chef-client cookbook 3. Use Berkshelf to pull down cookbook dependencies 4. Use Berkshelf to upload chef-client cookbook 5. Create a base role 6. Update your node’s run_list to use the base role 7. Re-run chef-client

http://bit.ly/1CrABSA

v 3.0.0

CheckpointAt this point you should have: • ChefDK • A programmers text editor • SSH client • Logged into workshop HipChat channel • Chef Server & Chef Analytics • A node bootstrapped with a base role

v 3.0.0

Using the Analytics Platform

v 3.0.0

Objectives

• Understand the functionality of the Chef Analytics Web UI

• Understand Chef Actions

• Understand audit mode in chef-client 12.1.1

• Understand control recipes and their usage

• Manage Chef on your target instance with the chef-client community cookbook

v 3.0.0

Chef Analytics WebUI

Logon to Chef AnalyticsOpen a browser and go to the public hostname of your analytics ec2 instance.

$ knife node show <firstname-lastname>-analytics-server -a ec2.public_hostname

Logon to Chef Analytics

Chef Analytics WebUI

Chef Actions - Who did what on your Chef Server?

• Provide a read-only view of what happened

• Road to audit and compliance reporting

• Allow administrators to react to events as they happen

• Enable after the fact investigation

• “What happened just before nodes started failing runs?”

• “When did our systems gets patched for Heartbleed?”

Chef Analytics WebUI - Actions

• The run history for all nodes

• Which users made which changes

• Changes made to each node object

• The history of every cookbook (and cookbook version)

• How and where policy settings—roles, environments, and data bags—are applied

Actions

Chef Analytics WebUI - Actions

• Remote hostname

• Request ID

• Chef Server hostname

• Node object information (Previous/Diff/Current)

Actions Details

Chef Analytics WebUI - Search

• Filter Results by Time

Search

Chef Analytics WebUI - Search

• Save - Searches can be saved for later use

Search

Chef Analytics WebUI - Export

• CSV

• JSON

Export

v 3.0.0

chef-client audit-mode

chef-client audit-mode• Released with chef-client version 12.1.1 • Allows the ability to evaluate audit rules • Runs in the following modes:

• disabled (default) - does not run audits • enabled - runs all audits after the chef-client run • audit-only - chef-client run that does not build the resource collection or converge the node

• Can be configured in /etc/chef/client.rb file

v 3.0.0

[2015-03-24T18:30:43+00:00] WARN: Chef-client has been configured to skip converge and run only audits. Audit mode is an experimental feature currently under development. API changes may occur. Use at your own risk. * To enable audit mode after converge, use command line option `--audit-mode enabled` or set `:audit_mode = :enabled` in your config file. * To disable audit mode, use command line option `--audit-mode disabled` or set `:audit_mode = :disabled` in your config file. * To only run audit mode, use command line option `--audit-mode audit-only` or set `:audit_mode = :audit_only` in your config file. Audit mode is disabled by default. Starting Chef Client, version 12.1.1 resolving cookbooks for run list: ["chef-client", "chef-client::config", "chef-client::delete_validation"] Synchronizing Cookbooks: - chef-client - cron - logrotate - windows - chef_handler Compiling Cookbooks... Starting audit phase

Exercise: chef-client --audit-mode audit-only

[chef@hostname ~] sudo chef-client --audit-mode audit-only

v 3.0.0

Update base role

name "base" description "A base role" run_list "recipe[chef-client]", "recipe[chef-client::config]" default_attributes( "chef_client" => { "config" => { "ssl_verify_mode" => ":verify_peer", "audit_mode" => ":enabled", "log_location" => "STDOUT", } } )

Open in editor: chef-repo/roles/base.rb

http://bit.ly/19tS3vG

v 3.0.0

Updated Role base!

Exercise: Upload role$ knife role from file base.rb

v 3.0.0

Recipe: chef-client::config * template[/etc/logrotate.d/chef-client] action create (up to date) * file[/var/log/chef/client.log] action create (up to date) * template[/etc/chef/client.rb] action create - update content in file /etc/chef/client.rb from 6389f9 to 53658d --- /etc/chef/client.rb 2015-03-24 18:47:39.253084909 +0000 +++ /tmp/chef-rendered-template20150324-30285-1lrucoc 2015-03-24 18:47:58.363085532 +0000 @@ -1,4 +1,6 @@ +audit_mode :enabled chef_server_url "https://52.123.22.235/organizations/analytics-workshop" +log_location STDOUT ssl_verify_mode :verify_peer validation_client_name "analytics-workshop-validator" verify_api_cert true - restore selinux security context * ruby_block[reload_client_config] action create - execute the ruby block reload_client_config

Exercise: re-run chef-client[chef@hostname ~] sudo chef-client

v 3.0.0

Lab Gist1. Update Base role to add audit_mode :enabled /etc/chef/client.rb 2. Upload Base role 3. Re-run chef-client

http://bit.ly/1NC48y1

v 3.0.0

CheckpointAt this point you should have: • ChefDK • A programmers text editor • SSH client • Logged into workshop HipChat channel • Chef Server & Chef Analytics • A node bootstrapped with a base role • audit_mode enabled in /etc/chef/client.rb

v 3.0.0

Controls

Controls• A control is an automated test that is built into a cookbook

• Can be used to test the state of the system for compliance

• Wrapper around ServerSpec testing framework • Can be used to create audit tests around compliance frameworks such as PCI, HIPAA, and Sarbanes-Oxley

http://docs.chef.io/analytics/dsl_recipe.html

Controls Examplecontrol_group "audit name" do control "mysql package" do it "should be installed" do expect(package("mysql")).to be_installed end end end

Control Groups:

• Start with control_group and an end statement

http://docs.chef.io/analytics/dsl_recipe.html

Controls Examplecontrol_group "audit name" do control "mysql package" do it "should be installed" do expect(package("mysql")).to be_installed end end end

Control Groups:

• Start with control_group and an end statement

• Each control_group has a Name

http://docs.chef.io/analytics/dsl_recipe.html

Controls Examplecontrol_group "audit name" do control "mysql package" do it "should be installed" do expect(package("mysql")).to be_installed end end end

Control Groups:

• Start with control_group and an end statement

• Each control group has a Name • control_groups have one or

more control methods

http://docs.chef.io/analytics/dsl_recipe.html

Controls Examplecontrol_group "audit name" do control "mysql package" do it "should be installed" do expect(package("mysql")).to be_installed end end end

Control Groups:

• Start with control_group and an end statement

• Each control group has a Name • control_groups have one or

more control methods • Each control method has Name

http://docs.chef.io/analytics/dsl_recipe.html

Controls Examplecontrol_group "audit name" do control "mysql package" do it "should be installed" do expect(package("mysql")).to be_installed end end end

Control Groups:

• Start with control_group and an end statement

• Each control group has a Name • control_groups have one or

more control methods • Each control method has Name • Each control method can have

one or more it statements that define a specific test to run

http://docs.chef.io/analytics/dsl_recipe.html

Controls Examplecontrol_group "audit name" do control "mysql package" do it "should be installed" do expect(package("mysql")).to be_installed end end end

Control Groups:

• Start with control_group and an end statement

• Each control group has a Name • control_groups have one or

more control methods • Each control method has Name • Each control method can have

one or more it statements that define a specific test to run

• it statements allow for specific tests where expect things .to or .to_not be something

http://docs.chef.io/analytics/dsl_recipe.html

v 3.0.0

Starting audit phase

Audit Mode mysql package should be installed (FAILED - 1)

Failures:

1) Audit Mode mysql package should be installed Failure/Error: expect(package("mysql")).to be_installed expected Package "mysql" to be installed # /var/chef/cache/cookbooks/grantmc/recipes/default.rb:22:in 'block (3 levels) in from_file'

Finished in 0.5745 seconds (files took 0.46481 seconds to load) 1 examples, 1 failures

Failed examples:

rspec /var/chef/cache/cookbooks/grantmc/recipes/default.rb:21 # Audit Mode mysql package should be installed

Example audit output

http://docs.chef.io/analytics/dsl_recipe.html

Controls Matchers• Directory (be_directory, be_directory, be_mounted) • File Matcher (be_executable, be_file, be_grouped_into, contain, be_writable, be_owned_by, etc)

• Service (be_enabled, be_installed, be_running, etc) • Port (be_listening) • Package (be_installed)

http://docs.chef.io/analytics/dsl_recipe.html

v 3.0.0

Compiling Cookbooks... Recipe: code_generator::cookbook * directory[/Users/scottford/analytics-workshop/chef-repo/audit-chef-client] action create - create new directory /Users/scottford/analytics-workshop/chef-repo/audit-chef-client * template[/Users/scottford/analytics-workshop/chef-repo/audit-chef-client/metadata.rb] action create_if_missing - create new file /Users/scottford/analytics-workshop/chef-repo/audit-chef-client/metadata.rb - update content in file /Users/scottford/analytics-workshop/chef-repo/audit-chef-client/metadata.rb from none to 65f7d2 (diff output suppressed by config) * template[/Users/scottford/analytics-workshop/chef-repo/audit-chef-client/README.md] action create_if_missing - create new file /Users/scottford/analytics-workshop/chef-repo/audit-chef-client/README.md - update content in file /Users/scottford/analytics-workshop/chef-repo/audit-chef-client/README.md from none to 694cc1 (diff output suppressed by config)

Exercise: generate a cookbook to audit chef-client

$ chef generate cookbook cookbooks/audit-chef-client

$ cd cookbooks/audit-chef-client

v 3.0.0

Exercise: Create a control recipe

control_group 'Audit Chef Client' do control "Validate chef-client config file" do let(:config_file) { file("/etc/chef/client.rb") } it "should exist with correct permissions" do expect(config_file).to be_mode(644) end it "ssl_verify_mode should be set to :verify_peer" do expect(config_file.content).to match(/ssl_verify_mode :verify_peer/) end end

control 'Check for a validation.pem' do it "The validation.pem should NOT exist" do expect(file("/etc/chef/validation.pem")).to_not be_file end endend

Open in editor: recipes/default.rb

http://bit.ly/1NBDCoA

Controls Examplecontrol_group 'Audit Chef Client' do

control "Validate chef-client config file" do

let(:config_file) { file("/etc/chef/client.rb") }

it "should exist with correct permissions" do

expect(config_file).to be_file

expect(config_file).to be_mode(644)

end

it "ssl_verify_mode should be set to :verify_peer" do

expect(config_file.content).to match(/ssl_verify_mode :verify_peer/)

end

end

control 'Check for a validation.pem' do

it "The validation.pem should NOT exist" do

expect(file("/etc/chef/validation.pem")).to_not be_file

end

end

end

Audit chef-client

• A control_group • Name ‘Audit Chef Client’ • With two control

statements: • Validate chef-client

config file • Check for a

validation.pem • let method allows you to

define a helper method that can be cached across multiple calls in the same example

v 3.0.0

Uploading audit-chef-client [0.1.0] Uploaded 1 cookbook.

Exercise: Upload audit-chef-client cookbook$ knife cookbook upload audit-chef-client

v 3.0.0

name "base" description "A base role" run_list "recipe[chef-client]", “recipe[chef-client::config]”, “recipe[audit-chef-client]” default_attributes( "chef_client" => { "config" => { "ssl_verify_mode" => ":verify_peer", "audit_mode" => ":enabled", "log_location" => "STDOUT", } } )

Open in editor: chef-repo/roles/base.rb

http://bit.ly/1NxaQDt

Update base role

v 3.0.0

Updated Role base!

Exercise: Upload role$ knife role from file base.rb

v 3.0.0

Audit Chef Client Validate chef-client config file should exist with correct permissions ssl_verify_mode should be set to :verify_peer Check for a validation.pem The validation.pem should NOT exist (FAILED - 1)

Failures:

1) Audit Chef Client Check for a validation.pem The validation.pem should NOT exist Failure/Error: expect(file("/etc/chef/validation.pem")).to_not be_file expected `File "/etc/chef/validation.pem".file?` to return false, got true

* directory[/etc/chef/client.d] action create (up to date) * ruby_block[reload_client_config] action nothing (skipped due to action :nothing)

Exercise: re-run chef-client[chef@hostname ~] sudo chef-client

v 3.0.0

Lab Gist1. Create a audit-chef-client cookbook 2. Create a control recipe for auditing chef-client 3. Upload audit-chef-client cookbook 4. Update Base role to add default recipe from audit-chef-client to your node’s run_list 5. Upload Base role to Chef server 6. Re-run chef-client

http://bit.ly/1GaGoi0

v 3.0.0

CheckpointAt this point you should have: • ChefDK • A programmers text editor • SSH client • Logged into workshop HipChat channel • Chef Server & Chef Analytics • A node bootstrapped with a base role • audit_mode enabled in /etc/chef/client.rb • A control recipe that audits the configuration of chef-client

v 3.0.0

Rules and Notifications

Objectives

• Understand Chef Analytics Notifications and how to implement them

• Understand the Rules in Chef Analytics and how to implement them

• Write Rules that trigger notifications to HipChat

• Install the knife-analytics plugin and use it to create and rules and notifications for Chef Analytics

Notifications

• Adds a language which allows you to express rules on • Run Start • Run End • Resource convergence • Actions

• “When someone not in the ‘siteops’ group modifies the DNS cookbook, alert the siteops team via email to siteops@example.com”

• “When the /etc/ssh/ssh_config file is modified, raise audit rule 24.1”

Notification Rulesrule  (action)  when      organization_name  =  "production"  and      action  =  "create"  and      entity_type  =  "node"  then      notify(“smtp”),      audit("Rule  3.2  –  Node  Creation"),      log("Fired  a  rule  for  org  <obj.organization_name>")

Creating Notifications via the WebUI

Creating Notifications via the WebUI1. Open Chef Analytics

Creating Notifications via the WebUI1. Open Chef Analytics

2. Click on Notifications

Creating Notifications via the WebUI1. Open Chef Analytics

2. Click on Notifications

3. Click the ‘+’ and choose the type of notification you want to set

Creating Notifications via the WebUI1. Give the Notification a

Name

2. Fill in the details

3. Click Save

Creating Rules via the WebUI1. Open Chef Analytics

2. Click on Rules

3. Click the ‘+’ to add a rule

Creating Rules via the WebUI1. Give the Rule a Name

Creating Rules via the WebUI1. Give the Rule a Name

2. Write the rules

Creating Rules via the WebUI1. Give the Rule a Name

2. Write the rules

3. Click Save

v 3.0.0

knife-analytics

v 3.0.0

Successfully installed knife-analytics-0.2.1 1 gem installed

Exercise: Install knife-analytics plugin$ chef gem install knife-analytics

v 3.0.0

# See https://docs.getchef.com/config_rb_knife.html for more information on knife configuration options

current_dir = File.dirname(__FILE__) log_level :info log_location STDOUT node_name "fords" client_key "#{current_dir}/fords.pem" validation_client_name "analytics-workshop-validator" validation_key "#{current_dir}/analytics-workshop-validator.pem" chef_server_url "https://52.123.22.235/organizations/analytics-workshop" analytics_server_url "https://52.123.22.235/organizations/analytics-workshop" syntax_check_cache_path "#{ENV['HOME']}/.chef/syntaxcache" cookbook_path ["#{current_dir}/../cookbooks"]

Exercise: Update knife.rb configuration$ cat .chef/knife.rb

v 3.0.0

WARNING: Certificates from 52.123.22.235 will be fetched and placed in your trusted_cert directory (/Users/scottford/analytics-workshop/chef-repo/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should verify the authenticity of these certificates after downloading.

Adding certificate for 52.123.22.235 in /Users/scottford/analytics-workshop/chef-repo/.chef/trusted_certs/54_68_54_16.crt

Exercise: Fetch Chef Analytics SSL certs$ knife ssl fetch --server-url <CHEF ANALYTICS SERVER>

v 3.0.0

** CHEF ANALYTICS COMMANDS ** knife action list knife action show <id> knife alert list knife alert show <id> knife notification create <notification.json> knife notification list knife notification show <id> knife rule create <rule.json> knife rule list knife rule show <id>

knife-analytics options$ knife analytics help

v 3.0.0

<NO OUTPUT>

Create a local directory for notifications and rules

$ mkdir rules notifications

v 3.0.0

Exercise: Create HipChat Notification for successful rules

{ "org_name": “<YOUR ORG>", "name": "hipchat-success", "modified_by": “<USER NAME>", "notification_type": "hipchat", "delivery_options": { "room": “<HIPCHAT API ID>", "api_token": “<HIPCHAT API TOKEN>", "from": “<firstname-lastname>-analytics", "api_version": "2", "color": "green", "notify": "1" }}

Open in editor: notifications/hipchat_succeed.json

http://bit.ly/1Iz73oe

v 3.0.0

Exercise: Create HipChat Notification for failed rules

{ "org_name": “<YOUR ORG>", "name": "hipchat-fail", "modified_by": “<USER NAME>", "notification_type": "hipchat", "delivery_options": { "room": “<HIPCHAT API ID>", "api_token": “<HIPCHAT API TOKEN>", "from": “<firstname-lastname>-analytics", "api_version": "2", "color": "red", "notify": "1" }}

Open in editor: notifications/hipchat_fail.json

http://bit.ly/1NjrPcx

v 3.0.0

<NO OUTPUT>

Create notification with knife$ knife notification create notifications/hipchat_succeed.json

$ knife notification create notifications/hipchat_fail.json

v 3.0.0

Exercise: Create a rule for run_control

{ "name": "Send Control to HipChat", "org_name": “<YOUR ORG>", "modified_by": "<USERNAME>", "rule": "rules \"Run Control\"\n rule on run_control\n when\n status = \"success\"\n then\n notify(\”hipchat-success\", \”<YOUR NAME> had success in run_control \\\"{{ message.name }}\\\" on node {{ message.run.node_name }}\")\n end\n\n rule on run_control\n when\n status = \"failure\"\n then\n notify(\”hipchat-failure\", \"<YOUR NAME> has a FAILURE on run_control \\\"{{ message.name }}\\\" on node {{ message.run.node_name }}\")\n end\nend", "with": { "priority": 0 }, "active": true}

Open in editor: rules/send_hipchat.json

http://bit.ly/1CFNom2

v 3.0.0

<NO OUTPUT>

Create notification with knife$ knife rule create rules/send_hipchat.json

v 3.0.0

Audit Chef Client Validate chef-client config file should exist with correct permissions ssl_verify_mode should be set to :verify_peer Check for a validation.pem The validation.pem should NOT exist (FAILED - 1)

Failures:

1) Audit Chef Client Check for a validation.pem The validation.pem should NOT exist Failure/Error: expect(file("/etc/chef/validation.pem")).to_not be_file expected `File "/etc/chef/validation.pem".file?` to return false, got true

* directory[/etc/chef/client.d] action create (up to date) * ruby_block[reload_client_config] action nothing (skipped due to action :nothing)

Exercise: re-run chef-client[chef@hostname ~] sudo chef-client

Login To HipChat1. Give the Notification a

Name

2. Fill in the details

3. Click Save

v 3.0.0

Update base role

name "base" description "A base role" run_list "recipe[chef-client]", “recipe[chef-client::config]”, “recipe[chef-client::delete_validation]”, “recipe[audit-chef-client]” default_attributes( "chef_client" => { "config" => { "ssl_verify_mode" => ":verify_peer", "audit_mode" => ":enabled", "log_location" => "STDOUT", } } )

Open in editor: chef-repo/roles/base.rb

http://bit.ly/1CrlcSo

v 3.0.0

Updated Role base!

Exercise: Upload role$ knife role from file base.rb

v 3.0.0

Recipe: chef-client::delete_validation * file[/etc/chef/validation.pem] action delete - delete file /etc/chef/validation.pem Starting audit phase

Audit Chef Client Validate chef-client config file should exist with correct permissions ssl_verify_mode should be set to :verify_peer Check for a validation.pem The validation.pem should NOT exist

Finished in 0.46837 seconds (files took 0.60923 seconds to load) 3 examples, 0 failures Auditing complete

Running handlers: Running handlers complete Chef Client finished, 1/16 resources updated in 12.113568488 seconds 3/3 Audits succeeded

Exercise: re-run chef-client[chef@hostname ~] sudo chef-client

Login To HipChat1. Give the Notification a

Name

2. Fill in the details

3. Click Save

v 3.0.0

Lab Gist1. Install knife-analytics plugin 2. Create a rules and notifications directory in chef-repo 3. Create a notification configuration with HipChat for successful and failed audits 4. Create a rule to send to HipChat upon successful and failed chef-client runs

http://bit.ly/1Ms6T81

v 3.0.0

CheckpointAt this point you should have: • ChefDK • A programmers text editor • SSH client • Logged into workshop HipChat channel • Chef Server & Chef Analytics • A node bootstrapped with a base role • audit_mode enabled in /etc/chef/client.rb • A control recipe that audits the configuration of chef-client • A notification configured to integrate with HipChat • A rule configured to send notifications to HipChat based on successful and failed audit rules

v 3.0.0

Q&A Time

Further Resources

• http://docs.chef.io/analytics/

• http://serverspec.org/

• https://github.com/opscode/chef-provisioning

• https://github.com/opscode/chef-provisioning-aws