Chef is a configuration management tool (like Puppet, Ansible, SaltStack, CFEngine). It is a tool which manages the configuration of centrally managed Linux servers, compute clusters, and desktops at SLAC. Examples of configuration items Chef manages include: sudo privileges, login access privileges, logging, software repositories, cronjobs, baseline security configuration. Chef is the configuration management tool for CentOS 7 and later, Red Hat Enterprise Linux (RHEL) 7 and later, and Ubuntu 16.04 and later. Operating systems earlier than those (RHEL 5 and 6, Solaris) are centrally managed using Taylor (a locally written configuration management tool).
To get Chef installed on a SLAC-owned Linux server, contact unix-admin@slac.stanford.edu. To get Chef installed on a SLAC-owned Linux desktop, contact ithelp@slac.stanford.edu.
If you prefer to install Chef yourself, that is also possible. Run this command as root (or via sudo):

```sh
curl -s yum.slac.stanford.edu/go-chef | sudo -i /bin/sh
```

If you want to see what the script does before it runs as root, fetch it without the pipe to `/bin/sh` (for example `curl -s yum.slac.stanford.edu/go-chef | less`) and read it first.
You can also place the above command in your kickstart `%post` script if you are doing automated network installations. If you want a non-default Chef configuration, create a JSON file named /root/kickstart-chef.json containing your configuration options; the go-chef script will pick it up and use it. Email unix-admin@slac.stanford.edu for help with this.
Chef-client logs are sent to syslog and to a local log file. On each managed host you can view them with any of these commands:

```sh
sudo less -r /var/log/chef/client.log
sudo journalctl -t chef-client
sudo grep -w chef-client /var/log/everything
```
The logs are also forwarded to the central syslog server and to Splunk. On the central syslog server, the log can be viewed with the following command (OCIO staff only):

```sh
ssh loghost grep -w chef-client /u2/today/SYSLOG/daemon
```
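The grep commands above give you the raw chef-client lines from syslog; when you are looking across many hosts you usually want to know which hosts last failed their run and which hosts had resources changed (the changed files are what ends up in /var/chef/cache/backup/). The following is an added example, not part of the original page or of SLAC's tooling: it parses the kind of lines `grep -w chef-client` returns from a syslog daemon file and summarizes the last run per host. The log lines are constructed for the example; the "Starting Chef Infra Client", "Chef Infra Client finished, N/M resources updated" and "Chef Infra Client failed" messages follow the wording chef-client emits, and the patterns also accept the older "Chef Client ..." spelling. Host names, PIDs and timestamps are made up.

```python
import re

# Constructed sample of a syslog daemon file after `grep -w chef-client`
# (plus one unrelated line to show that non-chef lines are ignored).
SAMPLE_LOG = """\
Jan 14 06:30:01 host1 chef-client[1234]: Starting Chef Infra Client, version 17.10.0
Jan 14 06:30:22 host1 chef-client[1234]: Chef Infra Client finished, 0/143 resources updated in 21 seconds
Jan 14 06:31:05 host2 chef-client[2222]: Starting Chef Infra Client, version 17.10.0
Jan 14 06:31:09 host2 sshd[4001]: Accepted publickey for alice from 10.0.0.5 port 50122
Jan 14 06:31:40 host2 chef-client[2222]: Chef Infra Client finished, 3/151 resources updated in 35 seconds
Jan 14 06:32:00 host3 chef-client[3333]: Starting Chef Infra Client, version 17.10.0
Jan 14 06:32:14 host3 chef-client[3333]: Chef Infra Client failed. 1 resources updated in 14 seconds
Jan 14 06:32:14 host3 chef-client[3333]: Chef run process exited unsuccessfully (exit code 1)
Jan 14 06:33:00 host4 chef-client[4444]: Starting Chef Client, version 14.15.6
"""

# syslog line: "<Mon DD HH:MM:SS> <host> chef-client[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"chef-client\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Run lifecycle messages; "(?:Infra )?" accepts both old and new client wording.
START_RE = re.compile(r"Starting Chef (?:Infra )?Client, version (?P<version>\S+)")
FINISHED_RE = re.compile(
    r"Chef (?:Infra )?Client finished, (?P<updated>\d+)/(?P<total>\d+) resources? "
    r"updated in (?P<secs>[\d.]+) seconds"
)
FAILED_RE = re.compile(
    r"Chef (?:Infra )?Client failed\. (?P<updated>\d+) resources? updated in (?P<secs>[\d.]+) seconds"
)


def parse_runs(text):
    """Return {host: record} describing the most recent chef-client run seen per host.

    record keys: status ('running' | 'ok' | 'failed' | 'unknown'), updated, total,
    version, last_seen.  A host left in 'running' started a run that never logged
    a finished/failed line within the window, which is worth a look too.
    """
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a chef-client line (same filter as `grep -w chef-client`)
        rec = hosts.setdefault(
            m.group("host"),
            {"status": "unknown", "updated": 0, "total": None, "version": None, "last_seen": None},
        )
        rec["last_seen"] = m.group("ts")
        msg = m.group("msg")
        s = START_RE.search(msg)
        if s:
            rec["version"] = s.group("version")
            rec["status"] = "running"  # a new run resets the previous outcome
            continue
        f = FINISHED_RE.search(msg)
        if f:
            rec["status"] = "ok"
            rec["updated"] = int(f.group("updated"))
            rec["total"] = int(f.group("total"))
            continue
        f = FAILED_RE.search(msg)
        if f:
            rec["status"] = "failed"
            rec["updated"] = int(f.group("updated"))
    return hosts


def hosts_needing_attention(hosts):
    """Return (failed, changed): hosts whose last run failed, and hosts whose last
    successful run changed at least one resource (check /var/chef/cache/backup/ there)."""
    failed = sorted(h for h, r in hosts.items() if r["status"] == "failed")
    changed = sorted(h for h, r in hosts.items() if r["status"] == "ok" and r["updated"] > 0)
    return failed, changed


if __name__ == "__main__":
    runs = parse_runs(SAMPLE_LOG)
    for host, rec in sorted(runs.items()):
        print(f"{host:<6} {rec['status']:<8} updated={rec['updated']} total={rec['total']} "
              f"version={rec['version']} last_seen={rec['last_seen']}")
    print("failed:", hosts_needing_attention(runs)[0], "changed:", hosts_needing_attention(runs)[1])
```

Feed it the output of `ssh loghost grep -w chef-client /u2/today/SYSLOG/daemon` (or a single host's `journalctl -t chef-client -o short`) instead of the constructed sample. A host that shows up as "failed" is out of policy until its next successful run, and a host that shows up as "changed" is where you would diff the files in /var/chef/cache/backup/ against the live ones if the change was unexpected.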
Directories with Chef information, and some useful Chef commands:

Path or command | Description |
---|---|
/var/chef/cache/cookbooks/ | Cookbooks downloaded from the Chef server. |
/var/chef/cache/backup/ | Backup copies of any files changed by Chef. |
sudo -i /root/knife-node-show | Script that shows the configuration details for the current host. |
/afs/slac/g/scs/systems/report/chef/system.info/ | Information about each host managed by Chef. |
(this is a work in progress....)
Configuration Item | Chef attribute name for this item | Notes | How to enable it |
---|---|---|---|
sudo access | authorization.sudo.users | Request sudo access using this form: https://www.slac.stanford.edu/comp/unix/auth/superuser-req.shtml | |
restrict local login access | limit_login | | |
do not update the default boot kernel | kernel_updatedefault | | |
home directory location | override_homedir | The default home directory location is /home (local to the host). The home directory recorded in the LDAP directory service can be used instead. Before enabling this, make sure that directory-service home directory is actually available on this host. | |
These are the steps to grant an OCIO admin full access to the Chef Infrastructure.
Note: for minimal access (e.g., to create GitHub pull requests and GitHub issues), only steps 1a and 1b are needed.
Everyone in unix-admin should have steps 1a and 1b done, and optionally all steps for full access.