[chef] Re: Best Practices for Retrieving Generated Passwords


  • From: Jay Feldblum
  • Subject: [chef] Re: Best Practices for Retrieving Generated Passwords
  • Date: Mon, 3 Dec 2012 12:44:37 -0500

Dane,

Chef has data-bags, which you can use like your own custom database tables in the chef-server's database however you like. Provided, usually, you're using them in single-writer/many-reader fashion, with the human sysadmin usually being the single writer.

But if you need additional capabilities like transactions, you can of course set up your own database that offers those capabilities (e.g. your own postgres db on a central server somewhere) and use that database from your recipes. Or if you already have a database, you can just use that database from your recipes. There are ruby drivers for many popular database systems, and because your recipes are just ruby, you can usually use them from your recipes.

Cheers,
Jay

On Mon, Dec 3, 2012 at 11:12 AM, Dane Elwell wrote:
Hi,

I work for a small ISP with about 23,000 servers and I'm trying to get some configuration management in the mix to help deploy/support a new product we're about to roll out.

I'm currently in the process of biting off more than I can chew with Chef, so some of this may be Chef 101. I apologise if I'm asking stupid questions, but I've not been able to find a solid answer elsewhere (and I would consider my Google-fu fairly tuned).

We have an in-house application that helps us to manage our inventory, assets, passwords, etc. for all the servers we host. I need to get Chef to configure a server with users and passwords, along with generating some other information to go into various configuration files on the server. These must all be retrieved and placed into our in-house system so we have them all on record.

I've had a look at the Users cookbook and I see this can generate passwords and such, and then (from what I can ascertain) those items become available through `knife node show nodename -m`. Which is fine for the odd server here and there, but I intend to use this to deploy a few hundred servers, so automation is a must.

Two questions:

* (Likely Chef 101 but I've not seen how to do this yet) Is there a way I can store arbitrary data for the local node somewhere? For example, if I generate a username and password for a haproxy statistics page, where can I then retrieve these from? Use of an encrypted databag? This is probably me just not RTFM to be fair - links appreciated.

* How can I gather this username/password information in a more automated way? Is there an API of some kind that can be called to retrieve this information from the Chef server? Unfortunately the in-house system is developed by a separate team, so I don't have many options for integration beyond "here's an API, implement this". I'm more than happy to write glue code for this if necessary.

I hope my requirements make sense, and I apologise again for being clueless. :)

Dane



