Introduction to Chef

An Extemporaneous IntroductionTo Chef

Kevin A. SmithDirector of Server Engineering

Who am I?

• Director of Server Engineering @ Opscode

• Software developer for 17 years

• 7 years with Erlang

• Alumni of DCRI, SAS, Red Hat, Basho

• Erlang In Practice @ PragProg

Agenda

• Infrastructure as Code

• Configuration Management

• Chef 101

• Chef in Large Environments

http://www.flickr.com/photos/koalazymonkey/3590953001/

Infrastructure as Code

Building and managing infrastructure programmatically

Infrastructure as Code

Enable the reconstruction of the business from

nothing but a source code repository, an application

data backup, and bare metal resources.

Infrastructure as Code

Configuration Management

The Old Way

Manual Configuration

• Labor intensive

• Error prone

• Hard to reproduce

Scripting

• Very brittle

• Throw away, one off scripts

• grep sed awk perl

• curl | bash

File Distribution

• NFS mounts

• rdist

• scp-on-a-for-loop

• rsync on cron

This does not scale!

for i in `cat servers.txt` ; do scp ntp.conf root@$i:/etc/ntpd.conf ; donefor i in `cat servers.txt` ; do ssh root@$i /etc/init.d/ntpd restart ; donefor i in `cat servers.txt` ; do ssh root@$i chkconfig ntpd on ; done

See nodes grow.

Load Balancer

ApplicationServer

Database

ApplicationServer

Load Balancer

ApplicationServer

Database

ApplicationServer

Load Balancer

Database

Grow, nodes. Grow!

Datacenter #1

Load Balancer

AppServer

Database

AppServer

Load Balancer

Database

Datacenter #2

Load Balancer

AppServer

Database

AppServer

Load Balancer

Database

Internet

There are a lot of nodes!

A New Way

Declarative Configuration

• Define policy

• Say what, not how

• Abstract interface to resources

Idempotence

• Property of a declarative interface

• f(x) = x

• Eliminates brittleness

• Safe to run over and over

package "ntp" do action :installend

template "/etc/ntp.conf" do source "ntp.conf.erb" owner "root" group "root" mode 0644 notifies :restart, "service[ntpd]"end

service "ntpd" do action [:enable,:start]end

Convergence

• Running an agent “converges” a system onto desired state

• Fights entropy and unauthorized changes

• Update function inputs to deal with changing requirements

$ echo “boom” > /etc/ntp.conf$ chef-client

$ grep server /etc/ntp.conf | head -n 1us.pool.ntp.org

$ ps -e | grep ntp 1799 ? 00:00:00 ntpd

$ /etc/init.d/ntpd stop$ chef-client

ps -e | grep ntp 1822 ? 00:00:00 ntpd

Chef 101

http://www.flickr.com/photos/lapstrake/2711240606/in/photostream/

The chef-client runs on your systems.

Clients talk to a Chef server.

Client server conversations are protected with SSL and

RSA signatures.

Each system running Chef is called a Managed Node.

Chef API Server

RDBMS

Search Engine

Asset Store

Managed Node

ChefClient

System Architecture

Nodes have attributes

{ "kernel": { "machine": "x86_64", "name": "Darwin", "os": "Darwin", "version": "Darwin Kernel Version 10.4.0: Fri Apr 23 18:28:53 PDT 2010; root:xnu-1504.7.4~1/RELEASE_I386", "release": "10.4.0" }, "platform_version": "10.6.4", "platform": "mac_os_x", "platform_build": "10F569", "domain": "local", "os": "darwin", "current_user": "mray", "ohai_time": 1278602661.60043, "os_version": "10.4.0", "uptime": "18 days 17 hours 49 minutes 18 seconds", "ipaddress": "10.13.37.116", "hostname": "morbo", "fqdn": "morbomorbo.local", "uptime_seconds": 1619358 }

Platform

Kernel

Hostname, etc.

Node attributes are searchable.

$ knife search node ‘platform:mac_os_x’

search(:node, ‘platform:mac_os_x’)

Nodes have “to do” lists.

Nodes have a Run List

% knife node show hadoop-prod.example.com -r{ "run_list": [ "role[base]", "role[hadoop-worker]" ]}

Nodes can have Roles.

Aspirational Roles

• webserver

• database_master

• monitoring

• hadoop-worker

Roles have Attributes and a run list.

Roles

name "hadoop-worker"description "Hadoop cluster member”

run_list( "role[base]", "recipe[java]", "recipe[hadoop]", “recipe[hadoop-config]")

default_attributes( "hadoop-config" => { "config_path" => “/etc/hadoop” })

chef-client configures resources on managed nodes.

cookbook_file

template service

package

deploy

git

http_request

link

ruby_block

logbash

execute

remote_file

user

Chef Resources

• Have a type.

• Have a name.

• Have parameters.

• Take action to put the resource in the declared state.

• Can send notifications to other resources.

package "apache2" do action :installend

template "/etc/apache2/apache2.conf" do source "apache2.conf.erb" owner "root" group "root" mode 0644 notifies :restart, "service[apache2]"end

service "apache2" do supports :restart => true action [:enable, :start]end

package “hadoop” { yum install hadoopapt-get install hadooppacman sync hadooppkg_add -r hadoop

Chef Providers

Recipes are collections of resources.

Chef Recipes

• Resources are evaluated in the order they appear.

package "haproxy" do action :installend

template "/etc/haproxy/haproxy.cfg" do source "haproxy.cfg.erb" owner "root" group "root" mode 0644 notifies :restart, "service[haproxy]"end

service "haproxy" do supports :restart => true action [:enable, :start]end

Chef Recipes

• Recipes can include other recipes.

• Included recipes are also evaluated in order.

include_recipe "apache2"include_recipe "apache2::mod_rewrite"include_recipe "apache2::mod_deflate"include_recipe "apache2::mod_headers"include_recipe "apache2::mod_php5"

Chef Recipes

• Extend recipes with Ruby.

%w{ php5 php5-dev php5-cgi }.each do |pkg|

package pkg do action :install end

end

• Dynamic configuration through search.

pool_members = search("node", "role:app_server")

template "/etc/haproxy/haproxy.cfg" do source "haproxy.cfg.erb" owner "root" group "root" mode 0644 variables :pool_members => pool_members notifies :restart, "service[haproxy]"end

Chef Recipes

Cookbooks are packages for recipes and related files.

Cookbook Metadata

maintainer "Opscode, Inc."maintainer_email "[email protected]"license "Apache 2.0"description "Installs/Configures tomcat"long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))version "0.10.3"

%w{ java jpackage }.each do |cb| depends cbend

%w{ debian ubuntu centos redhat fedora }.each do |os| supports osend

recipe "tomcat::default", "Installs and configures Tomcat"

Cookbooks are Source Code

% git logcommit d640a8c6b370134d7043991894107d806595cc35Author: jtimberman <[email protected]>

Import nagios version 1.0.0

commit c40c818498710e78cf73c7f71e722e971fa574e7Author: jtimberman <[email protected]>

installation and usage instruction docs

commit 99d0efb024314de17888f6b359c14414fda7bb91Author: jtimberman <[email protected]>

Import haproxy version 1.0.1

commit c89d0975ad3f4b152426df219fee0bfb8eafb7e4Author: jtimberman <[email protected]>

add mediawiki cookbook

commit 89c0545cc03b9be26f1db246c9ba4ce9d58a6700Author: jtimberman <[email protected]>

multiple environments in data bag for mediawiki

OSS & Community Oriented

• Apache 2.0 License

• Wiki, mailing lists, shared cookbook repos

• http://community.opscode.com

• Healthy ecosystem

• 20k+ users

• Hundreds of contributors

• Community tooling: Food Critic, Test Kitchen, Berkshelf

Chef In“Large” Environments

New Server

• Ground up rewrite Ruby/C Erlang

• Order of magnitude more scalable

• 2k nodes 20k+ nodes per server*

*Depending on specific work load

High Scalability Users

• Facebook

• Cycle Computing

• edmunds.com

Push Execution

• Converge infrastructure on demand

• Real-timey view of managed infrastructure

• Reduces change latency

• 4k nodes now, 10k soon

Network Automation

• Network provisioning and configuration

• VLANs, QoS, etc.

• Partnered w/Arista on PoC (Fall 2012)

• More coming soon!

Thank You