- From: "Moser, Kevin"
- To:
- Subject: [chef] Re: question about data bags - best practice
- Date: Tue, 6 Aug 2013 14:37:33 +0000
- Accept-language: en-US
Take a look at chef-vault (https://github.com/nordstrom/chef-vault). It keeps the data encrypted using the private key of the client itself.
You are right, however, that setting the value into a node attribute persists that data back to the chef server at the end of a successful chef-client run. You don't want to decrypt your passwords and then put them in an attribute. You want to decrypt and use that value to define a resource at compile time. At the end of convergence that resource leaves memory and your decrypted values go away.
Kevin
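A check for the persistence problem Kevin describes, added here as an example and not code from either poster or from Chef: it walks a saved node's attribute tree (the JSON that `knife node show NODE -F json` returns, here a constructed sample shaped like what the original recipe's node.set calls would leave behind) and reports every attribute path whose value equals one of the decrypted data bag secrets. The secret values and the node JSON are constructed stand-ins; in a real audit they come from the decrypted items and the Chef server.

```ruby
require 'json'

# Walk a node's attribute tree (Hashes and Arrays nested arbitrarily) and
# return the dotted paths whose String value is one of the given secrets.
# A non-empty result means a decrypted secret was saved to the Chef server.
def find_leaked_secrets(tree, secrets, path = [])
  case tree
  when Hash
    tree.flat_map { |key, value| find_leaked_secrets(value, secrets, path + [key]) }
  when Array
    tree.each_with_index.flat_map { |value, i| find_leaked_secrets(value, secrets, path + [i]) }
  when String
    secrets.include?(tree) ? [path.join('.')] : []
  else
    [] # numbers, booleans, nil: never a password string
  end
end

# Constructed sample of a node as stored on the server after a successful run
# of a recipe that copies decrypted passwords into node.set attributes.
SAVED_NODE_JSON = <<~JSON
  {
    "name": "bacula-dir.example",
    "normal": {
      "mysql": { "server_root_password": "r00t-secret", "server_repl_password": "r00t-secret" },
      "bacula": { "director": { "password": "dir-secret" }, "mysql": { "name": "bacula" } },
      "chef": { "encrypted_data_bag_secret_path": "/etc/chef" }
    }
  }
JSON

# Constructed stand-ins for the values decrypted from the data bag items.
SECRET_VALUES = %w[r00t-secret dir-secret].freeze

# Audit the sample node; returns the attribute paths holding a secret.
def leaked_paths
  find_leaked_secrets(JSON.parse(SAVED_NODE_JSON), SECRET_VALUES)
end

puts leaked_paths if $PROGRAM_NAME == __FILE__
```

The same walk run against a node converged with the recommended pattern (decrypted value handed straight to the resource, never to node.set) returns an empty list.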
From: Vladimir Skubriev
Date: Tuesday, August 6, 2013 6:20 AM
Subject: [chef] question about data bags - best practice
I am now writing a bacula cookbook to set up a bacula server and clients.
I have multiple recipes: database, for setting up the MySQL DB; server, for setting up bacula-director and storage; and client, for setting up bacula-fd on clients.
I wrote the following code to load passwords from encrypted data bags:
# Path to the shared secret that encrypts the data bag items, taken from a node attribute
encrypted_data_bag_secret_path =
  "#{node['chef']['encrypted_data_bag_secret_path']}/encrypted_data_bag_secret"
bacula_secret = Chef::EncryptedDataBagItem.load_secret(encrypted_data_bag_secret_path)
# ------- Setup MySQL service user passwords used in the cookbook for a successful installation of MySQL
item = Chef::EncryptedDataBagItem.load("bacula", "mysql_root", bacula_secret)
node.set['mysql']['server_root_password'] = item['password']
node.set['mysql']['server_repl_password'] = item['password']
node.set['mysql']['server_debian_password'] = item['password']
# ------- Setup MySQL user "bacula"
item = Chef::EncryptedDataBagItem.load("bacula", "mysql_bacula", bacula_secret)
node.set['bacula']['mysql']['name'] = item['name']
node.set['bacula']['mysql']['password'] = item['password']
# ------- Setup bacula passwords used on the director and storage machines
item = Chef::EncryptedDataBagItem.load("bacula", "director", bacula_secret)
node.set['bacula']['director']['password'] = item['password']
item = Chef::EncryptedDataBagItem.load("bacula", "monitor", bacula_secret)
node.set['bacula']['monitor']['password'] = item['password']
item = Chef::EncryptedDataBagItem.load("bacula", "storage", bacula_secret)
node.set['bacula']['storage']['password'] = item['password']
item = Chef::EncryptedDataBagItem.load("bacula", "root", bacula_secret)
node.set['bacula']['root']['password'] = item['password']
As you can see, this single recipe sets node attributes which are later used in my other recipes.
I think that this is not best practice, because:
1. This code lives in /recipes/_loaddatabags.rb, and this recipe is run with include_recipe in several recipes, for example in the database, server and storage recipes. I think this code must run only once. This is the main problem.
2. This code sets node attributes. What happens after the recipe is executed? Where do traces of our passwords remain in the clear, except of course in the configuration files?
3. I think there should be a function or LWRP for these entities, but I cannot picture how I can do it. The Chef examples on the site are very small.
4. Given my limited experience, I cannot picture how to architect/design this in the best way.
5. Where is it better to define these variables (['mysql']['server_root_password'], ['bacula']['director']['password'])? In what part of the cookbook? What do you think?
6. I use Chef 10.x. Maybe there are other, more elegant ways to work with data bags?
7. I plan to publish the cookbook on opscode in the future, and I would like it to be ideologically correct.
8. I have not seen data bags used in cookbooks from opscode. Why?
Thank you very much.
--
Best regards,
CVision Lab System Administrator
Vladimir Skubriev
Archive powered by MHonArc 2.6.16.