├── Dockerfile
├── README.md
├── configure_chef.sh
└── run.sh

/Dockerfile:
--------------------------------------------------------------------------------
```dockerfile
FROM ubuntu:14.04
MAINTAINER Clement Buisson

ENV DEBIAN_FRONTEND noninteractive
# Fetch and install the Chef Server 12 package, then drop wget and the apt lists to keep the image small
RUN apt-get update && \
    apt-get install -yq --no-install-recommends wget curl rsync && \
    wget --no-check-certificate --content-disposition "http://www.opscode.com/chef/download-server?p=ubuntu&pv=14.04&m=x86_64&v=12&prerelease=false&nightlies=false" && \
    dpkg -i chef-server*.deb && \
    rm chef-server*.deb && \
    apt-get remove -y wget && \
    rm -rf /var/lib/apt/lists/*
# run.sh is the entrypoint; it calls configure_chef.sh on the first start
COPY run.sh configure_chef.sh /usr/local/bin/
VOLUME /var/log
CMD ["run.sh"]
```
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# chef-server

chef-server will run Chef Server 12 in an Ubuntu Trusty 14.04 LTS container.
Image Size: Approximately 1GB

This is a fork of: [base/chef-server](https://registry.hub.docker.com/u/base/chef-server/).

## Environment
##### Protocol / Port
Chef is running over HTTPS/443 by default.
You can however change that to another port by adding `-e SSL_PORT=new_port` to the `docker run` command below and updating the exposed port `-p` accordingly.

##### SSL certificate
When Chef Server gets configured it creates an SSL certificate based on the container's FQDN (e.g. "103d6875c1c5", which is the "CONTAINER ID"). This default behavior has been changed to always produce an SSL certificate file named "chef-server.crt".
You can change the certificate name by adding `-e CONTAINER_NAME=new_name` to the `docker run` command. Remember to reflect that change in config.rb!

##### Logs
`/var/log/` is accessible via a volume directory.
Feel free to use it with the `docker run` command below by adding: `-v ~/chef-logs:/var/log`

##### DNS
The container needs to be **DNS resolvable!**
Be sure **'chef-server'** or **$CONTAINER_NAME** is pointing to the container's IP!
This needs to be done to match the SSL certificate name with the `chef_server_url` from knife's `config.rb` file.

## Start the container
Docker command:

```bash
$ docker run --privileged -t --name chef-server -d -p 443:443 cbuisson/chef-server
```

Follow the installation:

```bash
$ docker logs -f chef-server
```

## Setup knife

Once Chef Server 12 is configured, you can download the Knife admin keys here:

```bash
curl -Ok https://chef-server:$SSL_PORT/knife_admin_key.tar.gz
```

`-k` is needed because the server's self-signed certificate is not trusted yet. Note that nginx serves this URL without any authentication, so anyone who can reach the SSL port can download the admin and validator private keys: fetch them as soon as the server is up, limit who can reach the port, and delete `/etc/chef/knife_admin_key.tar.gz` (or the `location` block that configure_chef.sh adds to `chef_https_lb.conf`) afterwards.

Then un-tar that archive and point your config.rb to the `admin.pem` and `my_org-validator.pem` files.

*config.rb* example:

```ruby
log_level :info
log_location STDOUT
cache_type 'BasicFile'
node_name 'admin'
client_key '/home/cbuisson/.chef/admin.pem'
validation_client_name 'my_org-validator'
validation_key '/home/cbuisson/.chef/my_org-validator.pem'
# Replace $SSL_PORT with the actual port (443 unless you changed it): Ruby does not expand it inside single quotes
chef_server_url 'https://chef-server:$SSL_PORT/organizations/my_org'
```

When the config.rb file is ready, you will need to get the SSL certificate file from the container to access Chef Server:

```bash
cbuisson@server:~/.chef# knife ssl fetch
WARNING: Certificates from chef-server will be fetched and placed in your trusted_cert
directory (/home/cbuisson/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for chef-server in /home/cbuisson/.chef/trusted_certs/chef-server.crt
```

You should now be able to use the knife command!
```bash
cbuisson@server:~# knife user list
admin
```
**Done!**

##### Note
Chef-Server running inside a container isn't officially supported by [Chef](https://www.chef.io/about/) and as a result the webui isn't available.
However the webui is not required since you can interact with Chef-Server via the `knife` and `chef-server-ctl` commands.

##### Tags
v1.0: Chef Server 11
v2.x: Chef Server 12
--------------------------------------------------------------------------------

/configure_chef.sh:
--------------------------------------------------------------------------------
```bash
#!/bin/bash

# Create chef-server.rb from the variables passed with `docker run -e`
echo "nginx['enable_non_ssl']=false" > /etc/opscode/chef-server.rb

if [[ -z $SSL_PORT ]]; then
    echo "nginx['ssl_port']=443" >> /etc/opscode/chef-server.rb
else
    echo "nginx['ssl_port']=$SSL_PORT" >> /etc/opscode/chef-server.rb
fi

# server_name decides the CN of the generated certificate, hence the DNS requirement in the README
if [[ -z $CONTAINER_NAME ]]; then
    echo "nginx['server_name']=\"chef-server\"" >> /etc/opscode/chef-server.rb
else
    echo "nginx['server_name']=\"$CONTAINER_NAME\"" >> /etc/opscode/chef-server.rb
fi

echo -e "\nRunning: 'chef-server-ctl reconfigure'. This step will take a few minutes..."
chef-server-ctl reconfigure

# Block until the internal status endpoint answers; SECONDS is bash's built-in timer, reset to 0 here
URL="http://127.0.0.1:8000/_status"
CODE=1
SECONDS=0
TIMEOUT=60

STATUS=$(curl -sf ${URL})

if [[ -z "$STATUS" ]]; then
    echo -e "\nINFO: Chef-Server isn't ready yet!"
    echo -e "Blocking until <${URL}> responds...\n"

    while [ $CODE -ne 0 ]; do

        curl -sf \
            --connect-timeout 3 \
            --max-time 5 \
            ${URL}

        CODE=$?

        sleep 2
        echo -n "."

        if [ $SECONDS -ge $TIMEOUT ]; then
            echo "$URL is not available after $SECONDS seconds...stopping the script!"
            exit 1
        fi
    done
fi

echo -e "\n\n$URL is available!\n"
echo -e "\nSetting up admin user and default organization"
chef-server-ctl user-create admin Admin User admin@myorg.com "passwd" --filename /etc/chef/admin.pem
chef-server-ctl org-create my_org "Default organization" --association_user admin --filename /etc/chef/my_org-validator.pem
echo -e "\nRunning: 'chef-server-ctl install chef-manage'..."
chef-server-ctl install chef-manage
echo -e "\nRunning: 'chef-server-ctl reconfigure'..."
chef-server-ctl reconfigure
# Answer plain-HTTP requests on the SSL port (nginx error 497) with a JSON hint instead of the default page
echo "{ \"error\": \"Please use https:// instead of http:// !\" }" > /var/opt/opscode/nginx/html/500.json
sed -i "s,/503.json;,/503.json;\n error_page 497 =503 /500.json;,g" /var/opt/opscode/nginx/etc/chef_https_lb.conf
# Expose the key archive over HTTPS (no authentication is applied to this location)
sed -i '$i\ location /knife_admin_key.tar.gz {\n default_type application/zip;\n alias /etc/chef/knife_admin_key.tar.gz;\n }' /var/opt/opscode/nginx/etc/chef_https_lb.conf
echo -e "\nCreating tar file with the Knife keys"
cd /etc/chef/ && tar -cvzf knife_admin_key.tar.gz admin.pem my_org-validator.pem
echo -e "\nRestart Nginx..."
chef-server-ctl restart nginx
chef-server-ctl status
# Marker checked by run.sh so the configuration only runs on the first start
touch /root/chef_configured
echo -e "\n\nDone!\n"
```
--------------------------------------------------------------------------------

/run.sh:
--------------------------------------------------------------------------------
```bash
#!/bin/bash -e
# Kernel settings Chef Server needs; writing them is why the README runs the container with --privileged
sysctl -wq kernel.shmmax=17179869184
sysctl -wq net.ipv6.conf.lo.disable_ipv6=0
# Start the runit supervisor that manages the Chef Server services
/opt/opscode/embedded/bin/runsvdir-start &
if [ -f "/root/chef_configured" ]
then
    echo -e "\nChef Server already configured!\n"
    chef-server-ctl status
else
    echo -e "\nNew install of Chef-Server!"
    /usr/local/bin/configure_chef.sh
fi
# Keep the container in the foreground and stream the service logs
tail -F /opt/opscode/embedded/service/*/log/current
```
--------------------------------------------------------------------------------
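As an added example that is not part of this repository, the following script renders the same three `chef-server.rb` settings that `configure_chef.sh` writes, but validates `SSL_PORT` and `CONTAINER_NAME` before interpolating them into the Ruby config file; `render_chef_server_rb`, `valid_port` and `valid_hostname` are names chosen here, not functions from the project.

```shell
#!/bin/sh
# Added example, not part of the chef-server repository: render the three
# chef-server.rb settings that configure_chef.sh writes, but validate the
# values first. SSL_PORT and CONTAINER_NAME come from `docker run -e ...` and
# are interpolated verbatim into a Ruby config file, so a port must be a
# plain decimal in 1..65535 (a leading zero would be read by Ruby as octal)
# and a name must be a DNS hostname: it has to resolve and has to match the
# CN of the certificate that chef-server-ctl reconfigure generates.

# valid_port PORT: digits only, no leading zero, in range 1..65535.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_hostname NAME: RFC 1123 labels (alphanumerics and '-', no leading or
# trailing '-', at most 63 chars each) joined by dots, 253 chars at most.
valid_hostname() {
    re='^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
    [ ${#1} -le 253 ] && printf '%s\n' "$1" | grep -Eq "$re"
}

# render_chef_server_rb OUTFILE [PORT] [NAME]: same settings and defaults as
# configure_chef.sh (443, "chef-server"). On invalid input it returns 1 and
# leaves OUTFILE untouched, so a value like  chef"; system("id")  never reaches
# chef-server-ctl reconfigure.
render_chef_server_rb() {
    out=$1
    port=${2:-443}
    name=${3:-chef-server}
    valid_port "$port"     || { echo "invalid SSL_PORT: $port" >&2; return 1; }
    valid_hostname "$name" || { echo "invalid CONTAINER_NAME: $name" >&2; return 1; }
    {
        echo "nginx['enable_non_ssl']=false"
        echo "nginx['ssl_port']=$port"
        echo "nginx['server_name']=\"$name\""
    } > "$out"
}

# Stand-alone use, mirroring configure_chef.sh: take the values from the environment.
if [ "${1:-}" = "--render" ]; then
    render_chef_server_rb /etc/opscode/chef-server.rb "${SSL_PORT:-}" "${CONTAINER_NAME:-}"
fi
```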