
chef provisioning recipe to make AWS security groups, how to run from server vs chef client

I need to keep track of my AWS security groups better.

The recipes that use chef/provisioning/aws_driver would let me make recipes per SG and track IPs added/etc.

I can run them just fine locally with chef-client -z -r

What I really want is to upload the cookbook to my chef server and run it any time I need to change a SG. But chef seems to require recipes apply to nodes, not to AWS cloudiness.

Basically I want to run chef-client from my workstation and have it execute a cookbook that doesn't impact any running servers, or create them, but rather hits AWS and converges the resources specified.

If you create a client.rb for your workstation with the chef server URL and keys:

chef_server_url "http://servername/organizations/myorg"
validation_key  "path/to/validation/key"
client_key      "path/to/client/key"

you should be able to run provisioning recipes that have been uploaded to the server. E.g. if they're in a 'provisioning' cookbook:

chef-client -c client.rb -o provisioning::myrecipe
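As an added example (not part of this answer or of chef-provisioning-aws itself), here is what such a provisioning::myrecipe could look like: the tracked source IPs live in one place, a helper validates each CIDR and refuses to open admin ports to the world, and the resulting rule list is handed to aws_security_group. The VPC and group names, the region, the sample CIDRs and the `{ port:, protocol:, sources: }` rule format are assumptions.

```ruby
require 'ipaddr'

# Constructed sample data: the per-office / per-VPN sources you want to track.
# Keeping them in one hash is what makes "which IPs are allowed" reviewable.
def tracked_sources
  {
    'office-nyc' => '203.0.113.0/24',
    'vpn'        => '198.51.100.7/32'
  }
end

WORLD_CIDR = '0.0.0.0/0'.freeze

# Turn the tracked sources into inbound_rules entries for aws_security_group
# (hash format assumed: { port:, protocol:, sources: }).
# - every CIDR must parse (IPAddr raises IPAddr::InvalidAddressError otherwise)
# - admin ports are never allowed from 0.0.0.0/0, even if the list says so
def build_inbound_rules(sources, ports, admin_ports: [22, 3389])
  cidrs = sources.values.map do |cidr|
    IPAddr.new(cidr) # validation only; raises on garbage
    cidr
  end
  ports.map do |port|
    if cidrs.include?(WORLD_CIDR) && admin_ports.include?(port)
      raise ArgumentError, "port #{port} must not be open to #{WORLD_CIDR}"
    end
    { port: port, protocol: :tcp, sources: cidrs }
  end
end

# Only executed when loaded as a Chef recipe; plain `ruby` skips this part.
if defined?(Chef::Recipe)
  require 'chef/provisioning/aws_driver'
  with_driver 'aws::us-east-1' # assumed region

  rules = build_inbound_rules(tracked_sources, [22])

  aws_security_group 'bastion-sg' do # assumed group name
    vpc 'main-vpc'                   # assumed VPC name
    inbound_rules rules
  end
end
```

Running chef-client -c client.rb -o provisioning::myrecipe against this converges the group to exactly the tracked sources, so an IP that is added by hand in the console shows up as drift on the next run.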

You probably want to create a provisioning node. Chef Server is essentially a glorified database and isn't intended to be an active controller. There is Chef Push Jobs, but even that is pushing to nodes.

Instead, create a node that is essentially a proxy for the resource that can't run chef client itself, and have that run chef client as a CRON service. Of course you don't need to create a separate node for every resource, one node can easily manage many of them. If you have a very large number you might have to start partitioning these resources. Or you might partition for security causes.

If everything is a declarative resource that behaves idempotently (as all good Chef things should be), then you can have two nodes with the same recipes to provide redundancy.
