This is an old revision of the document!


Version: 2023.01

Last updated: 2023/11/10 13:48

LDF705 - OHAI and Automatic Attributes, Data Bags

Module Contents

  • LDF705 - OHAI and Automatic Attributes, Data Bags
    • Module Contents
    • Infrastructure
    • LAB #1 - OHAI and Automatic Attributes
      • 1.1 - Creating the Cookbook and the Recipe
      • 1.2 - Preparing the targeta and targetb Nodes
      • 1.3 - Bootstrapping the Clients
    • LAB #2 - Data Bags
      • 2.1 - Overview
      • 2.2 - Creating Data Bags
      • 2.3 - Using Data Bags
      • 2.4 - Encrypted Data Bags

Infrastructure

The infrastructure used in this module is the following.

Machine type | FQDN                       | IP         | OS     | Version     | CPUs | RAM (MB) | HDD (GB) | User    | Password | Root password
VM           | workstation.ittraining.loc | 10.0.2.111 | Ubuntu | 18.04.6 LTS | 8    | 8192     | 50       | trainee | trainee  | N/A
VM           | client.ittraining.loc      | 10.0.2.112 | Ubuntu | 18.04.6 LTS | 4    | 4096     | 50       | trainee | trainee  | N/A
VM           | targeta.i2tch.loc          | 10.0.2.52  | Debian | 9.7         | 2    | 2048     | 20       | trainee | trainee  | fenestros
VM           | targetb.i2tch.loc          | 10.0.2.53  | CentOS | 7.6.1810    | 2    | 2048     | 20       | trainee | trainee  | fenestros

Start by editing the /etc/hosts file on your workstation.ittraining.loc VM:

root@workstation:~/chef-repo/cookbooks# vi /etc/hosts
root@workstation:~/chef-repo/cookbooks# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       workstation
10.0.2.110      chefserver.ittraining.loc   chefserver
10.0.2.111      workstation.ittraining.loc  workstation
10.0.2.112      client.ittraining.loc       client
10.0.2.52       targeta.i2tch.loc       targeta 
10.0.2.53       targetb.i2tch.loc       targetb

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

LAB #1 - OHAI and Automatic Attributes

1.1 - Creating the Cookbook

Create a Cookbook named apache:

root@workstation:~/chef-repo/cookbooks# cd ..

root@workstation:~/chef-repo# chef generate cookbook cookbooks/apache
Generating cookbook apache
- Ensuring correct cookbook content

Your cookbook is ready. Type `cd cookbooks/apache` to enter it.

There are several commands you can run to get started locally developing and testing your cookbook.
Type `delivery local --help` to see a full list of local testing commands.

Why not start by writing an InSpec test? Tests for the default recipe are stored at:

test/integration/default/default_test.rb

If you'd prefer to dive right in, the default recipe can be found at:

recipes/default.rb

To do - For more information on the chef generate cookbook command, see this page.

Creating the Cookbook creates a directory tree under chef-repo/cookbooks/apache:

root@workstation:~/chef-repo# ls -l cookbooks/apache
total 40
-rw-r--r-- 1 root root  150 nov.   6 10:11 CHANGELOG.md
-rw-r--r-- 1 root root 1176 nov.   6 10:11 chefignore
-rw-r--r-- 1 root root  741 nov.   6 10:11 kitchen.yml
-rw-r--r-- 1 root root   70 nov.   6 10:11 LICENSE
-rw-r--r-- 1 root root  676 nov.   6 10:11 metadata.rb
-rw-r--r-- 1 root root  507 nov.   6 10:11 Policyfile.rb
-rw-r--r-- 1 root root   54 nov.   6 10:11 README.md
drwxr-xr-x 2 root root 4096 nov.   6 10:11 recipes
drwxr-xr-x 3 root root 4096 nov.   6 10:11 spec
drwxr-xr-x 3 root root 4096 nov.   6 10:11 test

A default Recipe, named default.rb, has been created in the recipes subdirectory:

root@workstation:~/chef-repo# ls -l cookbooks/apache/recipes/
total 4
-rw-r--r-- 1 root root 97 nov.   6 10:11 default.rb

This file looks like this:

root@workstation:~/chef-repo# cat cookbooks/apache/recipes/default.rb 
#
# Cookbook:: apache
# Recipe:: default
#
# Copyright:: 2023, The Authors, All Rights Reserved.

Let us now study a Recipe that installs, enables and starts Apache on a CentOS system and on a Debian system, using Automatic Attributes:

root@workstation:~/chef-repo# vi cookbooks/apache/recipes/default.rb 

root@workstation:~/chef-repo# cat cookbooks/apache/recipes/default.rb 
#
# Cookbook:: apache
# Recipe:: default
#
# Copyright:: 2023, The Authors, All Rights Reserved.
package_name = "httpd"
service_name = "httpd"
doc_root = "/var/www/html"

if node["platform"] == "centos"
  package_name = "httpd"
  service_name = "httpd"
  doc_root = "/var/www/html"
elsif node["platform"] == "debian"
  package_name = "apache2"
  service_name = "apache2"
  doc_root = "/var/www/html"
end

package package_name do
  action :install
end

service service_name do
  action [:start, :enable]
end

cookbook_file "#{doc_root}/index.html" do
  source "index.html"
  mode "0644"
end

This file begins by declaring default values for three variables:

  • package_name,
  • service_name,
  • doc_root.

Important - Note that these variables are scoped to the Cookbook. These three lines are required to declare the variables.

It continues with a test in which the value of the Automatic Attribute platform is examined. When the value is:

  • centos, the three variables package_name, service_name and doc_root keep their default values,
  • debian, the three variables package_name, service_name and doc_root are set to apache2, apache2 and /var/www/html respectively, as the recipe shows.

The Resources then follow:

  • package uses the value of the package_name variable to install the right package on the Node concerned,
  • service uses the value of the service_name variable to enable and start the right service on the Node concerned,
  • cookbook_file uses the value of the doc_root variable to copy the file referenced by source to the right destination on the Node concerned.
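As an added example (not part of the course page or the cookbook above), the following plain Ruby script reads ohai's JSON output outside a Chef run, flattens it into the node['a']['b'] paths that recipes use, and makes the same platform decision as the recipe, except that an unlisted platform raises instead of silently keeping the httpd defaults. The ohai excerpt is constructed; the keys are standard ohai attributes.

```ruby
# Added example, not the course's code: use ohai automatic attributes outside Chef.
require "json"

# Constructed excerpt of `ohai` output for a Debian 9 node; the real document
# is far larger (see the ohai output on the page).
SAMPLE_OHAI = <<~JSON
  {
    "platform": "debian",
    "platform_version": "9.7",
    "platform_family": "debian",
    "init_package": "systemd",
    "memory": { "swap": { "total": "2095100kB", "free": "2095100kB" }, "total": "2052288kB" },
    "network": { "interfaces": { "lo": { "mtu": "65536" } } }
  }
JSON

# Flatten the nested document into attribute paths, e.g.
# "memory/swap/total" => "2095100kB", i.e. node['memory']['swap']['total'].
def flatten_attributes(obj, prefix = nil, out = {})
  if obj.is_a?(Hash)
    obj.each { |k, v| flatten_attributes(v, prefix ? "#{prefix}/#{k}" : k.to_s, out) }
  else
    out[prefix] = obj
  end
  out
end

# Same decision as the recipe's if/elsif on node["platform"], written as a
# strict lookup: the recipe keeps the httpd defaults for any platform it does
# not list, this version refuses to guess.
APACHE_SETTINGS = {
  "centos" => { package: "httpd",   service: "httpd",   doc_root: "/var/www/html" },
  "debian" => { package: "apache2", service: "apache2", doc_root: "/var/www/html" }
}.freeze

class UnsupportedPlatform < StandardError; end

def apache_settings(ohai_json)
  node = JSON.parse(ohai_json)
  APACHE_SETTINGS.fetch(node["platform"]) do
    raise UnsupportedPlatform, "no Apache settings for platform #{node['platform'].inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  flatten_attributes(JSON.parse(SAMPLE_OHAI)).each { |path, value| puts "#{path} = #{value}" }
  s = apache_settings(SAMPLE_OHAI)
  puts "install #{s[:package]}, enable #{s[:service]}, document root #{s[:doc_root]}"
end
```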

Create the directory /root/chef-repo/cookbooks/apache/files/:

root@workstation:~/chef-repo# mkdir cookbooks/apache/files

Now create the file /root/chef-repo/cookbooks/apache/files/index.html:

root@workstation:~/chef-repo# vi cookbooks/apache/files/index.html

root@workstation:~/chef-repo# cat cookbooks/apache/files/index.html
<html>
<title>OHIO et Chef</title>
<body> Wow! It works!</body>
</html>

Upload the Cookbook to the Chef Infra Server:

root@workstation:~/chef-repo# knife cookbook upload apache
Uploading apache         [0.1.0]
Uploaded 1 cookbook.

1.2 - Preparing the targeta and targetb Nodes

Configure the two new clients, targeta and targetb.

root@workstation:~/chef-repo# ssh -l trainee 10.0.2.52
Debian GNU/Linux 9
trainee@10.0.2.52's password: trainee
Linux targeta.i2tch.loc 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Mar 21 08:47:45 2021 from 10.0.2.10
trainee@targeta:~$ su -
Mot de passe : fenestros
root@targeta:~# systemctl status apache2
Unit apache2.service could not be found.
root@targeta:~# 

Edit the PermitRootLogin directive in /etc/ssh/sshd_config to allow the root user to log in to the client:

root@targeta:~# vi /etc/ssh/sshd_config

root@targeta:~# cat /etc/ssh/sshd_config
...
PermitRootLogin yes 
...

root@targeta:~# systemctl restart ssh

Then edit the /etc/hosts file:

root@targeta:~# vi /etc/hosts

root@targeta:~# cat /etc/hosts
127.0.0.1       localhost
10.0.2.110      chefserver.ittraining.loc   chefserver
10.0.2.111      workstation.ittraining.loc  workstation
10.0.2.52       targeta.i2tch.loc    targeta
10.0.2.53       targetb.i2tch.loc    targetb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Update the package repositories:

root@targeta:~# sed -i s/ftp.fr.debian.org/archive.debian.org/g /etc/apt/sources.list

root@targeta:~# sed -i '/debian-security/d' /etc/apt/sources.list

root@targeta:~# sed -i '/stretch-updates/d' /etc/apt/sources.list

root@targeta:~# apt update
Ign:1 http://archive.debian.org/debian stretch InRelease
Réception de:2 http://archive.debian.org/debian stretch Release [118 kB]
Réception de:3 http://archive.debian.org/debian stretch Release.gpg [3 177 B]
Réception de:4 http://archive.debian.org/debian stretch/main Sources [6 736 kB]
Réception de:5 http://archive.debian.org/debian stretch/main amd64 Packages [7 080 kB]
Réception de:6 http://archive.debian.org/debian stretch/main Translation-fr [1 894 kB]
Réception de:7 http://archive.debian.org/debian stretch/main Translation-en [5 377 kB]
21,2 Mo réceptionnés en 6s (3 302 ko/s)                                                                                                                                                                      
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances       
Lecture des informations d'état... Fait
226 packages can be upgraded. Run 'apt list --upgradable' to see them.

Display the list of Automatic Attributes:

root@targeta:~# ohai | more
{
  "init_package": "systemd",
  "keys": {
    "ssh": {
      "host_rsa_public": "AAAAB3NzaC1yc2EAAAADAQABAAABAQCyniXxtEUmEsWSRkTc6fbNhGVEvTmu+3YD/JleRkDSMRGy0i58Vbao2Cu7Rhg/tC6FbYOMKBvveZhFa8gphUneSqSsLdyxokubj4fO4PEW/wv0SSo2rEfuGXp6oLm4EQgWrLIOJPpRDy5kwRIU8XPc
PduyiRFInMEBv62BYqpxS9DBaz40oH0bif+WgrIO01Led/mZ2A0rUzr+9gUFUcpUxX9tZC4geCxsKcW1i/FuWTrWr7f4+Zwbz89bt9eA+BK4trJ5hUhAdHUxcX3rAKGZU9ruAxciuQVzQ8f/HYNVSWg3cNB4g08+0/rHSasMFrhIkk86RX/16mGTHGKpuyId",
      "host_ecdsa_public": "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKVU5pimWmTgKKazpAyInMjuQYlCvJ2GmX68P+81m1KfypeD8N8QiQfPtgucevPfAXraDtzAZjSTRK+2DcRwnmM=",
      "host_ecdsa_type": "ecdsa-sha2-nistp256",
      "host_ed25519_public": "AAAAC3NzaC1lZDI1NTE5AAAAILL1bKUqdRZiqXicr229LWK9iKNveAbKM5UiQPA7VFoH"
    }
  },
  "memory": {
    "swap": {
      "cached": "0kB",
      "total": "2095100kB",
      "free": "2095100kB"
    },
    "hugepages": {
      "total": "0",
      "free": "0",
      "reserved": "0",
      "surplus": "0"
    },
    "directmap": {
      "4k": "55160kB",
      "2M": "2041856kB"
    },
    "total": "2052288kB",
    "free": "1460856kB",
    "available": "1805260kB",
    "buffers": "38048kB",
    "cached": "411952kB",
    "active": "213712kB",
    "inactive": "284764kB",
    "dirty": "8kB",
    "writeback": "0kB",
    "anon_pages": "48532kB",
    "mapped": "41324kB",
    "slab": "72612kB",
    "slab_reclaimable": "59524kB",
    "slab_unreclaim": "13088kB",
    "page_tables": "4440kB",
    "nfs_unstable": "0kB",
    "bounce": "0kB",
    "commit_limit": "3121244kB",
    "committed_as": "697488kB",
    "vmalloc_total": "34359738367kB",
    "vmalloc_used": "0kB",
    "vmalloc_chunk": "0kB",
    "hugepage_size": "2048kB"
  },
  "network": {
    "interfaces": {
      "lo": {
        "mtu": "65536",
--Plus--

Leave the targeta VM:

root@targeta:~# exit
déconnexion
trainee@targeta:~$ exit
déconnexion
Connection to 10.0.2.52 closed.

Connect to the targetb VM:

root@workstation:~/chef-repo/cookbooks# ssh -l trainee 10.0.2.53
The authenticity of host '10.0.2.53 (10.0.2.53)' can't be established.
ECDSA key fingerprint is SHA256:RgOsp/XI7JHNq+oIfHKw+jkHdtTnBIh+Dd7kVmHRxtU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.2.53' (ECDSA) to the list of known hosts.
trainee@10.0.2.53's password: trainee
Last login: Sun Mar 21 08:53:18 2021 from 10.0.2.10
[trainee@targetb ~]$ su -
Password: fenestros
Last login: dim. mars 21 08:53:25 CET 2021 on pts/0

Change the PermitRootLogin directive in /etc/ssh/sshd_config to allow the root user to log in to the client:

[root@targetb ~]# vi /etc/ssh/sshd_config 

[root@targetb ~]# cat /etc/ssh/sshd_config 
#       $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
...
PermitRootLogin yes
...

[root@targetb ~]# systemctl restart sshd

Then edit the /etc/hosts file:

[root@targetb ~]# vi /etc/hosts

[root@targetb ~]# cat /etc/hosts
127.0.0.1               localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
10.0.2.110      chefserver.ittraining.loc   chefserver
10.0.2.111      workstation.ittraining.loc  workstation
10.0.2.52       targeta.i2tch.loc    targeta
10.0.2.53       targetb.i2tch.loc    targetb

Display the list of Automatic Attributes:

[root@targetb ~]# ohai | more
{
  "kernel": {
    "name": "Linux",
    "release": "3.10.0-957.1.3.el7.x86_64",
    "version": "#1 SMP Thu Nov 29 14:49:43 UTC 2018",
    "machine": "x86_64",
    "processor": "x86_64",
    "os": "GNU/Linux",
    "modules": {
      "ip6t_rpfilter": {
        "size": "12595",
        "refcount": "1"
      },
      "ipt_REJECT": {
        "size": "12541",
        "refcount": "2"
      },
      "nf_reject_ipv4": {
        "size": "13373",
        "refcount": "1"
      },
      "ip6t_REJECT": {
        "size": "12625",
        "refcount": "2"
      },
      "nf_reject_ipv6": {
        "size": "13717",
        "refcount": "1"
      },
      "xt_conntrack": {
        "size": "12760",
        "refcount": "13"
      },
      "ip_set": {
        "size": "45644",
        "refcount": "0"
      },
      "nfnetlink": {
        "size": "14490",
        "refcount": "1"
      },
      "ebtable_nat": {
        "size": "12807",
        "refcount": "1"
      },
      "ebtable_broute": {
        "size": "12731",
        "refcount": "1"
      },
      "bridge": {
        "size": "151336",
        "refcount": "1",
        "version": "2.3"
      },
      "stp": {
--More--

Log out of the VM:

[root@targetb ~]# exit
déconnexion

trainee@targetb:~$ exit
déconnexion

1.3 - Bootstrapping the Clients

Start with the targeta VM:

root@workstation:~/chef-repo# knife bootstrap 10.0.2.52 --ssh-user root --ssh-password fenestros --node-name targeta
--ssh-user: This flag is deprecated. Use -U/--connection-user instead.
--ssh-password: This flag is deprecated. Use -P/--connection-password instead.
Connecting to 10.0.2.52
The authenticity of host '10.0.2.52 ()' can't be established.
fingerprint is SHA256:Tk/PXJFmWnE96DhFsYAaFqgHQXPJhw+ArPP/GG9IJTw.

Are you sure you want to continue connecting
? (Y/N) y
Connecting to 10.0.2.52
Creating new client for targeta
Creating new node for targeta
Bootstrapping 10.0.2.52
 [10.0.2.52] -----> Installing Chef Omnibus (stable/15)
downloading https://omnitruck.chef.io/chef/install.sh
  to file /tmp/install.sh.1583/install.sh
trying wget...
 [10.0.2.52] debian 9 x86_64
Getting information for chef stable 15 for debian...
downloading https://omnitruck.chef.io/stable/chef/metadata?v=15&p=debian&pv=9&m=x86_64
  to file /tmp/install.sh.1587/metadata.txt
 [10.0.2.52] trying wget...
 [10.0.2.52] sha1       168e534c58f9e17394bc9ba7112ee2280fecdd79
sha256  a50884a3c0be26875c329de9a1cea854eacb0a0a1ed031301ee6c29aad0f19ed
url     https://packages.chef.io/files/stable/chef/15.17.4/debian/9/chef_15.17.4-1_amd64.deb
version 15.17.4
 [10.0.2.52] 
 [10.0.2.52] downloaded metadata file looks valid...
 [10.0.2.52] downloading https://packages.chef.io/files/stable/chef/15.17.4/debian/9/chef_15.17.4-1_amd64.deb
  to file /tmp/install.sh.1587/chef_15.17.4-1_amd64.deb
 [10.0.2.52] trying wget...
 [10.0.2.52] Comparing checksum with sha256sum...
 [10.0.2.52] Installing chef 15
installing with dpkg...
 [10.0.2.52] Sélection du paquet chef précédemment désélectionné.
 [10.0.2.52] (Lecture de la base de données... 91215 fichiers et répertoires déjà installés.)
 [10.0.2.52] Préparation du dépaquetage de .../chef_15.17.4-1_amd64.deb ...
 [10.0.2.52] Dépaquetage de chef (15.17.4-1) ...
 [10.0.2.52] Paramétrage de chef (15.17.4-1) ...
 [10.0.2.52] Thank you for installing Chef Infra Client! For help getting started visit https://learn.chef.io
 [10.0.2.52] Starting the first Chef Infra Client Client run...
 [10.0.2.52] +---------------------------------------------+
✔ 2 product licenses accepted.
+---------------------------------------------+
 [10.0.2.52] Starting Chef Infra Client, version 15.17.4
 [10.0.2.52] 
 [10.0.2.52] resolving cookbooks for run list: []
 [10.0.2.52] 
 [10.0.2.52] Synchronizing Cookbooks:
 [10.0.2.52] 
 [10.0.2.52] Installing Cookbook Gems:
Compiling Cookbooks...
[2023-11-07T12:51:58+01:00] WARN: Node targeta has an empty run list.
 [10.0.2.52] Converging 0 resources
 [10.0.2.52] 
 [10.0.2.52] 
 [10.0.2.52] 
 [10.0.2.52] Running handlers:
 [10.0.2.52] 
 [10.0.2.52] Running handlers complete

 [10.0.2.52] Chef Infra Client finished, 0/0 resources updated in 01 seconds
 [10.0.2.52] 
 [10.0.2.52] [2023-11-07T12:51:58+01:00] WARN: This release of Chef Infra Client became end of life (EOL) on May 1st 2021. Please update to a supported release to receive new features, bug fixes, and security updates.

Important - Note the warning [2023-11-07T12:51:58+01:00] WARN: Node targeta has an empty run list. This warning is due to the fact that no Recipe was specified when the command was run.

Re-run the knife bootstrap command, adding -r 'recipe[apache]':

root@workstation:~/chef-repo# knife bootstrap 10.0.2.52 --ssh-user root --ssh-password fenestros --node-name targeta -r 'recipe[apache]'
--ssh-user: This flag is deprecated. Use -U/--connection-user instead.
--ssh-password: This flag is deprecated. Use -P/--connection-password instead.
Connecting to 10.0.2.52
The authenticity of host '10.0.2.52 ()' can't be established.
fingerprint is SHA256:Tk/PXJFmWnE96DhFsYAaFqgHQXPJhw+ArPP/GG9IJTw.

Are you sure you want to continue connecting
? (Y/N) Y
Connecting to 10.0.2.52
Node targeta exists, overwrite it? (Y/N) Y
Client targeta exists, overwrite it? (Y/N) Y
Creating new client for targeta
Creating new node for targeta
Bootstrapping 10.0.2.52
 [10.0.2.52] -----> Existing Chef Infra Client installation detected
 [10.0.2.52] Starting the first Chef Infra Client Client run...
 [10.0.2.52] Starting Chef Infra Client, version 15.17.4
 [10.0.2.52] 
 [10.0.2.52] resolving cookbooks for run list: ["apache"]
 [10.0.2.52] 
 [10.0.2.52] Synchronizing Cookbooks:
 [10.0.2.52] 
 [10.0.2.52]   
 [10.0.2.52] - apache (0.1.0)
 [10.0.2.52] 
 [10.0.2.52] Installing Cookbook Gems:
 [10.0.2.52] Compiling Cookbooks...
 [10.0.2.52] 
 [10.0.2.52] Converging 3 resources
 [10.0.2.52] 
 [10.0.2.52] Recipe: apache::default
 [10.0.2.52] 
 [10.0.2.52]   
 [10.0.2.52] * apt_package[apache2] action install
 [10.0.2.52] 
    - install version 2.4.25-3+deb9u9 of package apache2
  * service[apache2] action start
 [10.0.2.52]  (up to date)
  * service[apache2] action enable
 [10.0.2.52]  (up to date)
 [10.0.2.52]   * cookbook_file[/var/www/html/index.html] action create
 [10.0.2.52] 
 [10.0.2.52]     
 [10.0.2.52] - create new file /var/www/html/index.html
 [10.0.2.52] 
 [10.0.2.52]     
 [10.0.2.52] - update content in file /var/www/html/index.html from none to 10664a
 [10.0.2.52] 
 [10.0.2.52]     
 [10.0.2.52] --- /var/www/html/index.html    2023-11-07 13:13:02.181522947 +0100
 [10.0.2.52] 
 [10.0.2.52]     
 [10.0.2.52] +++ /var/www/html/.chef-index20231107-2029-1nw15nc.html 2023-11-07 13:13:02.177522927 +0100
 [10.0.2.52] 
 [10.0.2.52]     
 [10.0.2.52] @@ -1 +1,5 @@
 [10.0.2.52] 
 [10.0.2.52]     
 [10.0.2.52] +<html>
 [10.0.2.52] 
 [10.0.2.52]     
 [10.0.2.52] +<title>OHIO et Chef</title>
 [10.0.2.52] 
 [10.0.2.52]     
 [10.0.2.52] +<body> Wow! It works!</body>
 [10.0.2.52] 
 [10.0.2.52]     
 [10.0.2.52] +</html>
 [10.0.2.52] 
 [10.0.2.52]     
 [10.0.2.52] - change mode from '' to '0644'
 [10.0.2.52] 

 [10.0.2.52] 
 [10.0.2.52] 
 [10.0.2.52] Running handlers:
 [10.0.2.52] 
 [10.0.2.52] Running handlers complete

 [10.0.2.52] Chef Infra Client finished, 2/4 resources updated in 17 seconds
 [10.0.2.52] 
 [10.0.2.52] [2023-11-07T13:13:02+01:00] WARN: This release of Chef Infra Client became end of life (EOL) on May 1st 2021. Please update to a supported release to receive new features, bug fixes, and security updates

Connect to the targeta VM and check that the apache2 package is installed:

root@workstation:~/chef-repo# ssh -l trainee 10.0.2.52
Debian GNU/Linux 9
trainee@10.0.2.52's password: trainee
Linux targeta.i2tch.loc 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Nov  7 13:25:32 2023 from 10.0.2.111
trainee@targeta:~$ su -
Mot de passe : fenestros

root@targeta:~# systemctl status apache2
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2023-11-07 13:13:00 CET; 14min ago
 Main PID: 2717 (apache2)
   CGroup: /system.slice/apache2.service
           ├─2717 /usr/sbin/apache2 -k start
           ├─2719 /usr/sbin/apache2 -k start
           └─2721 /usr/sbin/apache2 -k start

nov. 07 13:13:00 targeta.i2tch.loc systemd[1]: Starting The Apache HTTP Server...
nov. 07 13:13:00 targeta.i2tch.loc systemd[1]: Started The Apache HTTP Server.

root@targeta:~# exit
déconnexion

trainee@targeta:~$ exit
déconnexion
Connection to 10.0.2.52 closed.

Then proceed with the targetb VM:

root@workstation:~/chef-repo# knife bootstrap 10.0.2.53 --ssh-user root --ssh-password fenestros --node-name targetb -r 'recipe[apache]'
--ssh-user: This flag is deprecated. Use -U/--connection-user instead.
--ssh-password: This flag is deprecated. Use -P/--connection-password instead.
Connecting to 10.0.2.53
The authenticity of host '10.0.2.53 ()' can't be established.
fingerprint is SHA256:PokJEptX8i3G+Qdy2WFX9xWby1d+l/0FhVyN1onGXnQ.

Are you sure you want to continue connecting
? (Y/N) Y
Connecting to 10.0.2.53
Creating new client for targetb
Creating new node for targetb
Bootstrapping 10.0.2.53
 [10.0.2.53] -----> Installing Chef Omnibus (stable/15)
downloading https://omnitruck.chef.io/chef/install.sh
  to file /tmp/install.sh.21113/install.sh
trying wget...
 [10.0.2.53] el 7 x86_64
Getting information for chef stable 15 for el...
downloading https://omnitruck.chef.io/stable/chef/metadata?v=15&p=el&pv=7&m=x86_64
  to file /tmp/install.sh.21123/metadata.txt
 [10.0.2.53] trying wget...
 [10.0.2.53] sha1       9e066d888611971a1dceb7c3eaf0375a6c61ebd0
sha256  0aaf56d149bdddc73b501322777ac378e2ffb63aa6eb714d93b16714e166e4f0
url     https://packages.chef.io/files/stable/chef/15.17.4/el/7/chef-15.17.4-1.el7.x86_64.rpm
version 15.17.4
 [10.0.2.53] 
 [10.0.2.53] downloaded metadata file looks valid...
 [10.0.2.53] downloading https://packages.chef.io/files/stable/chef/15.17.4/el/7/chef-15.17.4-1.el7.x86_64.rpm
  to file /tmp/install.sh.21123/chef-15.17.4-1.el7.x86_64.rpm
 [10.0.2.53] trying wget...
 [10.0.2.53] Comparing checksum with sha256sum...
 [10.0.2.53] Installing chef 15
installing with rpm...
 [10.0.2.53] warning: /tmp/install.sh.21123/chef-15.17.4-1.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY
 [10.0.2.53] Preparing...                          
 [10.0.2.53] ########################################
 [10.0.2.53] Updating / installing...
chef-15.17.4-1.el7                    
 [10.0.2.53] #
...
 [10.0.2.53] #
 [10.0.2.53] Thank you for installing Chef Infra Client! For help getting started visit https://learn.chef.io
 [10.0.2.53] Starting the first Chef Infra Client Client run...
 [10.0.2.53] +---------------------------------------------+
✔ 2 product licenses accepted.
+---------------------------------------------+
 [10.0.2.53] Starting Chef Infra Client, version 15.17.4
 [10.0.2.53] resolving cookbooks for run list: ["apache"]
 [10.0.2.53] Synchronizing Cookbooks:
 [10.0.2.53]   - apache (0.1.0)
 [10.0.2.53] Installing Cookbook Gems:
Compiling Cookbooks...
 [10.0.2.53] Converging 3 resources
Recipe: apache::default
  * yum_package[httpd] action install
 [10.0.2.53] 
    - install version 0:2.4.6-99.el7.centos.1.x86_64 of package httpd
  * service[httpd] action start
 [10.0.2.53] 
    - start service service[httpd]
  * service[httpd] action enable
 [10.0.2.53] 
    - enable service service[httpd]
  * cookbook_file[/var/www/html/index.html] action create
 [10.0.2.53] 
    - create new file /var/www/html/index.html
    - update content in file /var/www/html/index.html from none to 10664a
    --- /var/www/html/index.html        2023-11-07 13:09:34.001959916 +0100
    +++ /var/www/html/.chef-index20231107-23588-8oklnl.html     2023-11-07 13:09:34.001959916 +0100
    @@ -1 +1,5 @@
    +<html>
    +<title>OHIO et Chef</title>
    +<body> Wow! It works!</body>
    +</html>
    - change mode from '' to '0644'
 [10.0.2.53] 
    - restore selinux security context

 [10.0.2.53] 
Running handlers:
Running handlers complete
Chef Infra Client finished, 4/4 resources updated in 32 seconds
 [10.0.2.53] [2023-11-07T13:09:34+01:00] WARN: This release of Chef Infra Client became end of life (EOL) on May 1st 2021. Please update to a supported release to receive new features, bug fixes, and security updates.

Connect to the targetb VM and check that the httpd package is installed:

root@workstation:~/chef-repo# ssh -l trainee 10.0.2.53
trainee@10.0.2.53's password: trainee
Last login: Tue Nov  7 13:22:36 2023 from workstation.ittraining.loc
[trainee@targetb ~]$ su -
Password: fenestros
Last login: mar. nov.  7 13:22:46 CET 2023 on pts/0

[root@targetb ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2023-11-07 13:09:33 CET; 20min ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 24003 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─24003 /usr/sbin/httpd -DFOREGROUND
           ├─24004 /usr/sbin/httpd -DFOREGROUND
           ├─24005 /usr/sbin/httpd -DFOREGROUND
           ├─24006 /usr/sbin/httpd -DFOREGROUND
           ├─24007 /usr/sbin/httpd -DFOREGROUND
           └─24008 /usr/sbin/httpd -DFOREGROUND

Nov 07 13:09:33 targetb.i2tch.loc systemd[1]: Starting The Apache HTTP Server...
Nov 07 13:09:33 targetb.i2tch.loc systemd[1]: Started The Apache HTTP Server.

[root@targetb ~]# exit
logout

[trainee@targetb ~]$ exit
logout
Connection to 10.0.2.53 closed.

LAB #2 - Data Bags

2.1 - Overview

Data Bags group information in files in JSON format. This information can then be reused in Recipes. Data Bags are managed with the knife data bag command.

2.2 - Creating Data Bags

Start by creating the data_bags and data_bags/users directories:

root@workstation:~/chef-repo# mkdir -p data_bags/users

Information on the subcommands of the knife data bag command can be displayed by passing the --help option to the command:

root@workstation:~/chef-repo# knife data bag --help
FATAL: Cannot find subcommand for: 'data bag --help'
Available data bag subcommands: (for details, knife SUB-COMMAND --help)

** DATA BAG COMMANDS **
knife data bag create BAG [ITEM] (options)
knife data bag delete BAG [ITEM] (options)
knife data bag edit BAG ITEM (options)
knife data bag from file BAG FILE|FOLDER [FILE|FOLDER..] (options)
knife data bag list (options)
knife data bag show BAG [ITEM] (options)

Currently, no Data Bag exists:

root@workstation:~/chef-repo# knife data bag list

So create a Data Bag named users on the Chef Infra Server:

root@workstation:~/chef-repo# knife data bag create users
Created data_bag[users]

Then create the files user1.json and user2.json, containing information about user1 and user2 respectively:

root@workstation:~/chef-repo# vi data_bags/users/user1.json

root@workstation:~/chef-repo# cat data_bags/users/user1.json
{
    "id": "user1",
    "comment": "This is user1",
    "uid": "1001",
    "gid": "100",
    "home": "/home/user1",
    "shell": "/bin/bash",
    "platform": "centos"
}

root@workstation:~/chef-repo# vi data_bags/users/user2.json

root@workstation:~/chef-repo# cat data_bags/users/user2.json
{
    "id": "user2",
    "comment": "This is user2",
    "uid": "1002",
    "gid": "100",
    "home": "/home/user2",
    "shell": "/bin/bash",
    "platform": "centos"
}

To upload the information, use the command knife data bag from file <data_bag> <file1.json> <file2.json> ...:

root@workstation:~/chef-repo# knife data bag from file users data_bags/users/user1.json data_bags/users/user2.json
Updated data_bag_item[users::user1]
Updated data_bag_item[users::user2]

Now list the available Data Bags:

root@workstation:~/chef-repo# knife data bag list
users

To see the contents of the Data Bag, use the command knife data bag show <data_bag>:

root@workstation:~/chef-repo# knife data bag show users
user1
user2

To see the information held in a Data Bag item, use the command knife data bag show <data_bag>/<item>:

root@workstation:~/chef-repo# knife data bag show users/user1
comment
gid
home
id
platform
shell
uid

You can search for information in a Data Bag with the command knife search <data_bag>:

root@workstation:~/chef-repo# knife search users "*:*"
2 items found

chef_type: data_bag_item
comment:   This is user1
data_bag:  users
gid:       100
home:      /home/user1
id:        user1
platform:  centos
shell:     /bin/bash
uid:       1001

chef_type: data_bag_item
comment:   This is user2
data_bag:  users
gid:       100
home:      /home/user2
id:        user2
platform:  centos
shell:     /bin/bash
uid:       1002
root@workstation:~/chef-repo# knife search users "comment:This*"
2 items found

chef_type: data_bag_item
comment:   This is user1
data_bag:  users
gid:       100
home:      /home/user1
id:        user1
platform:  centos
shell:     /bin/bash
uid:       1001

chef_type: data_bag_item
comment:   This is user2
data_bag:  users
gid:       100
home:      /home/user2
id:        user2
platform:  centos
shell:     /bin/bash
uid:       1002

To isolate a single piece of information, use the -a option:

root@workstation:~/chef-repo# knife search users "platform:centos" -a comment
2 items found

:
  comment: This is user1

:
  comment: This is user2

If the group assigned to the users does not exist on the nodes, a groups Data Bag would have to be created:

root@workstation:~/chef-repo# mkdir data_bags/groups
root@workstation:~/chef-repo# knife data bag create groups
Created data_bag[groups]
root@workstation:~/chef-repo# vi data_bags/groups/group1.json

root@workstation:~/chef-repo# cat data_bags/groups/group1.json
{
    "id": "100",
    "gid": "100",
    "members": ["user1", "user2"]
}
root@workstation:~/chef-repo# knife data bag from file groups data_bags/groups/group1.json
Updated data_bag_item[groups::100]
root@workstation:~/chef-repo# knife data bag show groups
100
root@workstation:~/chef-repo# knife data bag show groups 100
gid:     100
id:      100
members:
  user1
  user2

2.3 - Using Data Bags

Create a Cookbook named users:

root@workstation:~/chef-repo# chef generate cookbook cookbooks/users
Generating cookbook users
- Ensuring correct cookbook content

Your cookbook is ready. Type `cd cookbooks/users` to enter it.

There are several commands you can run to get started locally developing and testing your cookbook.
Type `delivery local --help` to see a full list of local testing commands.

Why not start by writing an InSpec test? Tests for the default recipe are stored at:

test/integration/default/default_test.rb

If you'd prefer to dive right in, the default recipe can be found at:

recipes/default.rb

Install the tree package:

root@workstation:~/chef-repo# apt install tree
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  gir1.2-goa-1.0 gir1.2-snapd-1
Use 'apt autoremove' to remove them.
The following NEW packages will be installed:
  tree
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 40,7 kB of archives.
After this operation, 105 kB of additional disk space will be used.
Get:1 http://fr.archive.ubuntu.com/ubuntu bionic/universe amd64 tree amd64 1.7.0-5 [40,7 kB]
Fetched 40,7 kB in 1s (66,2 kB/s)
Selecting previously unselected package tree.
(Reading database ... 223000 files and directories currently installed.)
Preparing to unpack .../tree_1.7.0-5_amd64.deb ...
Unpacking tree (1.7.0-5) ...
Setting up tree (1.7.0-5) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...

Use the tree command to view the directory tree of the Cookbook you created:

root@workstation:~/chef-repo# tree cookbooks/users
cookbooks/users
├── CHANGELOG.md
├── chefignore
├── kitchen.yml
├── LICENSE
├── metadata.rb
├── Policyfile.rb
├── README.md
├── recipes
│   └── default.rb
├── spec
│   ├── spec_helper.rb
│   └── unit
│       └── recipes
│           └── default_spec.rb
└── test
    └── integration
        └── default
            └── default_test.rb

7 directories, 11 files

Create a recipe that extracts the information from the users Data Bag for each item (each value of id) and creates the corresponding user:

root@workstation:~/chef-repo# vi cookbooks/users/recipes/default.rb 
root@workstation:~/chef-repo# cat cookbooks/users/recipes/default.rb 
#
# Cookbook:: users
# Recipe:: default
#
# Copyright:: 2023, The Authors, All Rights Reserved.
search("users", "platform:centos").each do |user_data|
  user user_data['id'] do
    comment user_data['comment']
    uid user_data['uid']
    gid user_data['gid']
    home user_data['home']
    shell user_data['shell']
  end
end
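The recipe above hands every value from the Data Bag item straight to the user resource, so whoever can upload an item to the users Data Bag decides which accounts get created, with which uid and shell. As an added example (not part of the lab's cookbook), here is a small Ruby check to run on an item file in the layout of data_bags/users/user1.json before uploading it with knife data bag from file; the uid/gid ranges and the shell list are assumptions for this lab:

```ruby
require "json"

# Added example (not from the page's cookbook): validate a "users" Data Bag
# item, in the layout of data_bags/users/user1.json, before it is uploaded
# with `knife data bag from file`. The recipe passes these values straight to
# the user resource, so the item is effectively account policy.
# The limits below (uid/gid ranges, shell list) are assumptions for this lab.
module UserItemCheck
  ALLOWED_SHELLS = ["/bin/bash", "/bin/sh", "/usr/sbin/nologin", "/sbin/nologin"].freeze
  UID_RANGE = (1001..59999)   # keep clear of root, system accounts and trainee (1000)
  GID_RANGE = (100..59999)
  ID_PATTERN = /\A[a-z_][a-z0-9_-]{0,31}\z/

  # Returns a list of problems; an empty list means the item may be uploaded.
  def self.validate(item)
    errors = []
    %w[id comment uid gid home shell platform].each do |k|
      errors << "missing field #{k}" unless item.key?(k)
    end
    return errors unless errors.empty?

    id = item["id"].to_s
    errors << "id #{id.inspect} is not a valid user name" unless id.match?(ID_PATTERN)
    uid = Integer(item["uid"], exception: false)
    errors << "uid #{item["uid"].inspect} outside #{UID_RANGE}" unless uid && UID_RANGE.cover?(uid)
    gid = Integer(item["gid"], exception: false)
    errors << "gid #{item["gid"].inspect} outside #{GID_RANGE}" unless gid && GID_RANGE.cover?(gid)
    errors << "shell #{item["shell"]} not in allowed list" unless ALLOWED_SHELLS.include?(item["shell"])
    errors << "home must be /home/#{id}" unless item["home"] == "/home/#{id}"
    errors
  end

  # Convenience wrapper for a JSON file such as data_bags/users/user1.json.
  def self.validate_file(path)
    validate(JSON.parse(File.read(path)))
  end
end
```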

Connect to targeta.i2tch.loc and run the chef-client command:

root@workstation:~/chef-repo# ssh -l trainee 10.0.2.52
Debian GNU/Linux 9
trainee@10.0.2.52's password: trainee
Linux targeta.i2tch.loc 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Nov  7 16:34:29 2023 from 10.0.2.111
trainee@targeta:~$ su -
Mot de passe : fenestros

root@targeta:~# chef-client
Starting Chef Infra Client, version 15.17.4
resolving cookbooks for run list: ["apache", "users"]
Synchronizing Cookbooks:
  - apache (0.1.0)
  - users (0.1.0)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 5 resources
Recipe: apache::default
  * apt_package[apache2] action install (up to date)
  * service[apache2] action start (up to date)
  * service[apache2] action enable (up to date)
  * cookbook_file[/var/www/html/index.html] action create (up to date)
Recipe: users::default
  * linux_user[user1] action create
    - create user user1
  * linux_user[user2] action create
    - create user user2

Running handlers:
Running handlers complete
Chef Infra Client finished, 2/6 resources updated in 02 seconds
[2023-11-07T16:45:51+01:00] WARN: This release of Chef Infra Client became end of life (EOL) on May 1st 2021. Please update to a supported release to receive new features, bug fixes, and security updates.

Check the contents of the /etc/passwd file:

root@targeta:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
rtkit:x:105:109:RealtimeKit,,,:/proc:/bin/false
dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/bin/false
avahi-autoipd:x:107:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
messagebus:x:108:111::/var/run/dbus:/bin/false
usbmux:x:109:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
lightdm:x:112:115:Light Display Manager:/var/lib/lightdm:/bin/false
pulse:x:113:116:PulseAudio daemon,,,:/var/run/pulse:/bin/false
avahi:x:114:119:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
saned:x:115:120::/var/lib/saned:/bin/false
trainee:x:1000:1000:trainee,,,:/home/trainee:/bin/bash
ntp:x:116:121::/home/ntp:/bin/false
user1:x:1001:100:This is user1:/home/user1:/bin/bash
user2:x:1002:100:This is user2:/home/user2:/bin/bash

Log out of the machine:

root@targeta:~# exit
déconnexion

trainee@targeta:~$ exit
déconnexion
Connection to 10.0.2.52 closed.

Connect to targetb.i2tch.loc and run the chef-client command:

root@workstation:~/chef-repo# ssh -l trainee 10.0.2.53
trainee@10.0.2.53's password: trainee
Last login: Tue Nov  7 16:35:22 2023 from workstation.ittraining.loc
[trainee@targetb ~]$ su -
Password: fenestros
Last login: mar. nov.  7 13:37:44 CET 2023 on pts/0

[root@targetb ~]# chef-client
Starting Chef Infra Client, version 15.17.4
resolving cookbooks for run list: ["apache", "users"]
Synchronizing Cookbooks:
  - apache (0.1.0)
  - users (0.1.0)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 5 resources
Recipe: apache::default
  * yum_package[httpd] action install (up to date)
  * service[httpd] action start (up to date)
  * service[httpd] action enable (up to date)
  * cookbook_file[/var/www/html/index.html] action create (up to date)
Recipe: users::default
  * linux_user[user1] action create
    - create user user1
  * linux_user[user2] action create
    - create user user2

Running handlers:
Running handlers complete
Chef Infra Client finished, 2/6 resources updated in 05 seconds
[2023-11-07T16:48:07+01:00] WARN: This release of Chef Infra Client became end of life (EOL) on May 1st 2021. Please update to a supported release to receive new features, bug fixes, and security updates.

Check the contents of the /etc/passwd file:

[root@targetb ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
systemd-bus-proxy:x:999:997:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:998:996:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:995:User for polkitd:/:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
colord:x:996:993:User for colord:/var/lib/colord:/sbin/nologin
libstoragemgmt:x:995:992:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
setroubleshoot:x:994:991::/var/lib/setroubleshoot:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
chrony:x:993:990::/var/lib/chrony:/sbin/nologin
unbound:x:992:989:Unbound DNS resolver:/etc/unbound:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
geoclue:x:991:988:User for geoclue:/var/lib/geoclue:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sssd:x:990:987:User for sssd:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
gnome-initial-setup:x:989:984::/run/gnome-initial-setup/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
trainee:x:1000:1000:trainee:/home/trainee:/bin/bash
vboxadd:x:988:1::/var/run/vboxadd:/bin/false
saned:x:987:981:SANE scanner daemon user:/usr/share/sane:/sbin/nologin
gluster:x:986:980:GlusterFS daemons:/run/gluster:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
user1:x:1001:100:This is user1:/home/user1:/bin/bash
user2:x:1002:100:This is user2:/home/user2:/bin/bash

Log out of the machine:

[root@targetb ~]# exit
logout
[trainee@targetb ~]$ exit
logout
Connection to 10.0.2.53 closed.

2.4 - Encrypted Data Bags

To encrypt the contents of a Data Bag, start by creating a key:

root@workstation:~/chef-repo# openssl rand -base64 512 | tr -d '\r\n' > secret.key
root@workstation:~/chef-repo# ls
cookbooks  data_bags  groups  README.md  roles  secret.key

Now create the secret-users Data Bag, specifying the key file:

root@workstation:~/chef-repo# knife data bag create secret-users --secret-file secret.key
Created data_bag[secret-users]

List the Data Bags present on the Chef Infra Server:

root@workstation:~/chef-repo# knife data bag list
groups
secret-users
users

Now encrypt the user1.json file:

root@workstation:~/chef-repo# knife data bag from file secret-users data_bags/users/user1.json --secret-file secret.key
Updated data_bag_item[secret-users::user1]

List the contents of the secret-users Data Bag:

root@workstation:~/chef-repo# knife data bag show secret-users
user1

Try to view the information about user1:

root@workstation:~/chef-repo# knife data bag show secret-users user1
WARNING: Encrypted data bag detected, but no secret provided for decoding. Displaying encrypted data.
comment:
  auth_tag:       iJISCqTLO9YCeTfXXQ3GMw==
  
  cipher:         aes-256-gcm
  encrypted_data: 2h3z057qS837n28peJgau72e6jAex4jRxWuhxX8UAm4=
  
  iv:             g5iYCldnxsdnwbhs
  
  version:        3
gid:
  auth_tag:       xXjGcMe0eagiBmJSuNhxwA==
  
  cipher:         aes-256-gcm
  encrypted_data: lqzRYH/jentz4lQ7uf37fiN+knypDA==
  
  iv:             r1xKr2yqpDesrf7V
  
  version:        3
home:
  auth_tag:       Eog/Q9hdRakkJecxev3kBQ==
  
  cipher:         aes-256-gcm
  encrypted_data: KsU8l/1gkfV06zHiJ/k5/b16N+QrJiJLdirNCm3g
  
  iv:             Fftm8pXUXecILNoI
  
  version:        3
id:       user1
platform:
  auth_tag:       Z3qppY9e9/96hP63E2fSCQ==
  
  cipher:         aes-256-gcm
  encrypted_data: U++OOEn5iv9yLjviKzHaO4ZE+AVkTnI6dA==
  
  iv:             rjKccpgF91Ou+Vkm
  
  version:        3
shell:
  auth_tag:       aoRh+XxNEFEcCt7nhjqoBw==
  
  cipher:         aes-256-gcm
  encrypted_data: 5DcNDaX6oeQDE7mQSmM/efJ451Eorw+Hyt7EXw==
  
  iv:             Ttg9HlPH8OmMjLEv
  
  version:        3
uid:
  auth_tag:       tSan3VvGegSVUWq97MOWhA==
  
  cipher:         aes-256-gcm
  encrypted_data: 3f6x4Xcb60aXtfG9M1/ZN/RG3av0VIY=
  
  iv:             C1+YZeWp5OQHonPq
  
  version:        3

To view the information in clear text, you must use the key:

root@workstation:~/chef-repo# knife data bag show secret-users user1 --secret-file secret.key
Encrypted data bag detected, decrypting with provided secret.
comment:  This is user1
gid:      100
home:     /home/user1
id:       user1
platform: centos
shell:    /bin/bash
uid:      1001
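The two outputs above show what the version 3 layout protects: every field except id is its own aes-256-gcm envelope (encrypted_data, iv, auth_tag), and only a holder of secret.key can read or modify a field. As an added example (not Chef's own code), the following Ruby reproduces that layout so you can see what the secret protects and what the auth_tag enforces; it assumes the key is SHA-256 of the stripped secret file and that the plaintext is the value wrapped as {"json_wrapper": value}:

```ruby
require "openssl"
require "base64"
require "json"
# Added example, not Chef's own code: encrypt and decrypt a Data Bag item in the
# "version 3" layout shown by `knife data bag show secret-users user1` above
# (one aes-256-gcm envelope per field, the "id" field left in clear).
# Assumptions: the key is SHA-256 of the secret file's stripped content and the
# plaintext is the field value wrapped as {"json_wrapper": value}.
module DataBagCrypto
  CIPHER  = "aes-256-gcm"
  VERSION = 3
  def self.key_from_secret(secret)
    OpenSSL::Digest::SHA256.digest(secret.strip)
  end
  def self.encrypt_value(value, secret)
    c = OpenSSL::Cipher.new(CIPHER).encrypt
    c.key = key_from_secret(secret)
    iv = c.random_iv               # fresh 12-byte nonce per field; never reused
    c.auth_data = ""
    data = c.update(JSON.generate({ "json_wrapper" => value })) + c.final
    { "encrypted_data" => Base64.strict_encode64(data),
      "iv"             => Base64.strict_encode64(iv),
      "auth_tag"       => Base64.strict_encode64(c.auth_tag),
      "version"        => VERSION,
      "cipher"         => CIPHER }
  end
  # Raises OpenSSL::Cipher::CipherError on a wrong secret or a tampered field:
  # the GCM auth_tag covers the ciphertext, so silent corruption is impossible.
  def self.decrypt_value(env, secret)
    unless env["version"] == VERSION && env["cipher"] == CIPHER
      raise ArgumentError, "unsupported envelope: #{env.inspect}"
    end
    c = OpenSSL::Cipher.new(CIPHER).decrypt
    c.key = key_from_secret(secret)
    c.iv = Base64.decode64(env["iv"])
    c.auth_tag = Base64.decode64(env["auth_tag"])
    c.auth_data = ""
    plain = c.update(Base64.decode64(env["encrypted_data"])) + c.final
    JSON.parse(plain)["json_wrapper"]
  end
  # Encrypt every field except "id", exactly as the knife output above shows.
  def self.encrypt_item(item, secret)
    item.to_h { |k, v| [k, k == "id" ? v : encrypt_value(v, secret)] }
  end
  def self.decrypt_item(item, secret)
    item.to_h { |k, v| [k, k == "id" ? v : decrypt_value(v, secret)] }
  end
end
```

Note that the item id stays in clear, as the knife output shows, so it must never carry sensitive information.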

Copyright © 2023 Hugh Norris.
