Using Chef to compile, install and configure apache2 automatically

Xiao Qin writes up here how to go from downloading the source, through compiling it, to installing an Apache server. Of course this is not really practical in itself; the main purpose is to learn Chef.

1. Create the cookbook
First Xiao Qin creates a cookbook:

[root@CENSVR03 chef-repo]# knife cookbook create install_apache
** Creating cookbook install_apache
** Creating README for cookbook: install_apache
** Creating CHANGELOG for cookbook: install_apache
** Creating metadata for cookbook: install_apache

Then upload it:

[root@CENSVR03 chef-repo]# knife cookbook upload install_apache
Uploading install_apache [0.1.0]
Uploaded 1 cookbook.
[root@CENSVR03 chef-repo]# knife node run_list add node01 recipe[install_apache]
node01:
  run_list: recipe[install_apache]

And check on the client whether it runs:

[root@CENSVR02 ~]# sudo chef-client
[2014-05-14T23:43:37-07:00] WARN:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
SSL validation of HTTPS requests is disabled. HTTPS connections are still
encrypted, but chef is not able to detect forged replies or man in the middle
attacks.

To fix this issue add an entry like this to your configuration file:

```
  # Verify all HTTPS connections (recommended)
  ssl_verify_mode :verify_peer

  # OR, Verify only connections to chef-server
  verify_api_cert true
```

To check your SSL configuration, or troubleshoot errors, you can use the
`knife ssl check` command like so:

```
  knife ssl check -c /etc/chef/client.rb
```

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * 

Starting Chef Client, version 11.12.4
resolving cookbooks for run list: ["install_apache"]
Synchronizing Cookbooks:
  - install_apache
Compiling Cookbooks...
Converging 0 resources

Running handlers:
Running handlers complete

Chef Client finished, 0/0 resources updated in 3.898555773 seconds

2. Approach
Since a recipe is executed from top to bottom, Xiao Qin first lays out the plan:
First, the client has to download the Apache source package.
Then the client has to extract, compile and install that source.
After that, the Apache configuration file has to be generated.
Finally, the service has to be started.
Once all of that is done, Xiao Qin will also set up iptables through Chef, but that step is implemented only after everything above is working.

3. Writing the recipe
3.1 Downloading the Apache source package
There are many ways to download it, for example from an FTP server you run yourself, or directly from the Apache website. Here the remote_file resource fetches it from a local server (also over HTTP; Xiao Qin set one up himself). Besides Apache itself, several of its dependencies are downloaded too:

directory "/tmp/apache_images" do
    owner "root"
    group "root"
    action :create
end

remote_file "/tmp/apache_images/apr-1.4.5.tar.gz" do
    source "http://192.168.19.33/apr-1.4.5.tar.gz"
end

remote_file "/tmp/apache_images/apr-util-1.3.12.tar.gz" do
    source "http://192.168.19.33/apr-util-1.3.12.tar.gz"
end

remote_file "/tmp/apache_images/pcre-8.10.zip" do
    source "http://192.168.19.33/pcre-8.10.zip"
end

remote_file "/tmp/apache_images/httpd-2.4.3.tar.gz" do
    source "http://192.168.19.33/httpd-2.4.3.tar.gz"
end

3.2 Compiling the source packages
Xiao Qin wrote a script for this. The script runs the extraction, compilation and related commands:

#!/bin/bash
# Abort on the first failing command (and on unset variables), so a failed
# configure or make in one package does not silently continue into the next.
set -eu

cd /tmp/apache_images

tar -vxzf apr-1.4.5.tar.gz
cd apr-1.4.5
./configure --prefix=/usr/local/apr
make && make install

cd ..

tar -vxzf apr-util-1.3.12.tar.gz
cd apr-util-1.3.12
./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr/bin/apr-1-config
make && make install

cd ..

unzip pcre-8.10.zip
cd pcre-8.10
./configure --prefix=/usr/local/pcre
make && make install

cd ..

tar -vxzf httpd-2.4.3.tar.gz
cd httpd-2.4.3
./configure --prefix=/usr/local/apache2 --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --with-pcre=/usr/local/pcre --enable-so --enable-rewrite
make && make install

cd ..

So what has to happen here is that the client runs this file. First we download the file to the client:

remote_file "/tmp/apache_images/install_apache2.sh" do
    source "http://192.168.19.33/install_apache2.sh"
    # the bash resource runs it as ./install_apache2.sh, so it must be executable
    mode "0755"
end

Then we have the client execute the script:

bash "run_install_apache2" do
    user "root"
    cwd "/tmp/apache_images"
    code <<-EOH
    ./install_apache2.sh
    EOH
    # Skip the whole build once httpd is installed, so repeated
    # chef-client runs do not recompile everything.
    creates "/usr/local/apache2/bin/httpd"
end
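The recipe above fetches four tarballs and the install script over plain HTTP from 192.168.19.33 without any checksum and then runs the script as root, so whoever can alter that server or the path to it controls the build. The ssl_verify_mode :verify_peer setting from the chef-client warning earlier protects the channel to the Chef server, but does nothing for these artifact downloads. What closes the gap is pinning a SHA-256 for each artifact, which is what remote_file's checksum property does. The following is an added example, not code from the original post: plain Ruby (not Chef DSL) that models that check and the guard a bash resource should carry before executing a downloaded script. The artifact contents and their digests are constructed for the example; real pins come from a trusted copy of each release.

```ruby
require "digest"
require "fileutils"
require "tmpdir"

# Constructed stand-ins for the artifacts the recipe fetches from
# http://192.168.19.33/. Not real Apache/APR/PCRE release contents.
SAMPLE_ARTIFACTS = {
  "httpd-2.4.3.tar.gz" => "constructed tarball bytes standing in for httpd-2.4.3\n",
  "install_apache2.sh" => "#!/bin/bash\necho constructed install script\n",
}.freeze

# Digests a recipe author would record from a trusted copy and pin with
# remote_file's checksum property. Derived here from the sample bytes.
PINNED = SAMPLE_ARTIFACTS.transform_values { |b| Digest::SHA256.hexdigest(b) }.freeze

class ChecksumMismatch < StandardError; end

# True when the file at +path+ exists and has the pinned SHA-256.
def artifact_ok?(path, expected_hex)
  return false unless File.file?(path)
  Digest::SHA256.file(path).hexdigest.casecmp?(expected_hex)
end

# Model of remote_file with a checksum: write +bytes+ to +dest+ only when
# the destination is missing or differs (idempotent), and refuse to write
# anything at all when the bytes do not match the pin.
# Returns :updated or :unchanged; raises ChecksumMismatch on a bad download.
def fetch_checked(bytes, dest, expected_hex)
  actual = Digest::SHA256.hexdigest(bytes)
  unless actual.casecmp?(expected_hex)
    raise ChecksumMismatch,
          "#{File.basename(dest)}: expected #{expected_hex[0, 12]}..., got #{actual[0, 12]}..."
  end
  return :unchanged if artifact_ok?(dest, expected_hex)
  FileUtils.mkdir_p(File.dirname(dest))
  File.binwrite(dest, bytes)
  :updated
end

# The guard a bash resource should carry (as an only_if block) before
# executing a downloaded script as root: run only the pinned script.
def run_allowed?(script_path)
  artifact_ok?(script_path, PINNED["install_apache2.sh"])
end

# Walk through a first fetch, an idempotent re-run, and a modified download.
def demo
  Dir.mktmpdir("apache_images") do |dir|
    results = {}
    SAMPLE_ARTIFACTS.each do |name, bytes|
      dest = File.join(dir, name)
      results[name] = [fetch_checked(bytes, dest, PINNED[name]),
                       fetch_checked(bytes, dest, PINNED[name])]
    end
    script = File.join(dir, "install_apache2.sh")
    # A modified copy of the script, as a corrupted or altered download would arrive.
    tampered = SAMPLE_ARTIFACTS["install_apache2.sh"] + "echo extra line\n"
    begin
      fetch_checked(tampered, script, PINNED["install_apache2.sh"])
      results[:tampered] = :accepted
    rescue ChecksumMismatch
      results[:tampered] = :rejected
    end
    # The rejected download left the pinned script untouched on disk.
    results[:script_runnable] = run_allowed?(script)
    results
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The design point is that the mismatch is detected before anything is written, so the node is never left holding a script that will be executed as root on the next run; the same property is what makes the Chef resource safe to combine with a creates or only_if guard.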

3.3 Generating the configuration file
Here Xiao Qin makes a very simple change to the Apache configuration file: the listening port is changed from 80 to 8888. The template resource is used for this:

template "/usr/local/apache2/conf/httpd.conf" do
    source "httpd.conf.erb"
    variables({
        :LsnPort => 8888
        })
end

The corresponding part of httpd.conf.erb is:

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen <%= @LsnPort %>

3.4 Starting the service
This step is quite simple; the execute resource does it. We change the template code above so that Apache is started once the configuration file has been written:

execute "start_apache" do
    command "/usr/local/apache2/bin/apachectl start"
    action :nothing
end

template "/usr/local/apache2/conf/httpd.conf" do
    source "httpd.conf.erb"
    variables({
        :LsnPort => 8888
        })
    notifies :run, "execute[start_apache]"
end

Then we can reach our Apache on port 8888.

4. Configuring iptables
Xiao Qin lists iptables separately, because here the community-written iptables cookbook is used to configure the firewall.
First download this cookbook from the community site:

[root@CENSVR03 chef-repo]# knife cookbook site install iptables

Add it to the client's run list:

[root@CENSVR03 chef-repo]# knife node run_list add node01 recipe[iptables]
node01:
  run_list:
    recipe[install_apache]
    recipe[iptables]

Write an iptables template that adds our port 8888, and also append the rule at the end of the recipe:

[root@CENSVR03 default]# cat 8888.erb
# Open port 8888
-I INPUT 1 -p tcp --dport 8888 -j ACCEPT
[root@CENSVR03 recipes]# tail default.rb
    source "iptables_load.erb"
    mode 0755
    variables :iptables_save_file => iptables_save_file
  end
end

iptables_rule "all_established"
iptables_rule "all_icmp"
iptables_rule "8888"

Upload this cookbook:

[root@CENSVR03 chef-repo]# knife cookbook upload iptables

After the client syncs, you can see that port 8888 is open:

[root@CENSVR02 conf]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8888 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FWR (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
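The listing above is worth reading beyond the 8888 line. INPUT has policy ACCEPT, so the new rule permits nothing that was not already permitted, and the FWR chain (which holds the all_established and all_icmp rules) shows 0 references, so nothing jumps to it from INPUT and those rules are never evaluated. As an added example, not part of the original post, here is a small Ruby parser for iptables -L -n output that a cookbook test could run against the real listing to check both points; the sample input is the listing from the post embedded as a string.

```ruby
# The `iptables -L -n` listing from the post, embedded as sample input.
IPTABLES_LISTING = <<~'OUT'
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8888

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

  Chain FWR (0 references)
  target     prot opt source               destination
  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
OUT

Rule = Struct.new(:target, :proto, :source, :destination, :extra)

# Parse the listing into
#   { chain => { policy: "ACCEPT"/"DROP"/nil, references: Integer/nil, rules: [Rule] } }
# Built-in chains report a policy; user-defined chains report a reference count.
def parse_iptables(text)
  chains = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("target")
    if (m = line.match(/\AChain (\S+) \((?:policy (\S+)|(\d+) references)\)/))
      current = chains[m[1]] = { policy: m[2], references: m[3] && m[3].to_i, rules: [] }
      next
    end
    next if current.nil?
    target, proto, _opt, src, dst, *extra = line.split(/\s+/)
    current[:rules] << Rule.new(target, proto, src, dst, extra.join(" "))
  end
  chains
end

# Did the cookbook's rule for TCP +port+ land in INPUT, and does it matter?
# Under a default-ACCEPT policy an ACCEPT rule changes nothing; only with
# policy DROP does it act as an allow-list entry.
def tcp_port_status(chains, port)
  input = chains.fetch("INPUT")
  rule = input[:rules].find do |r|
    r.target == "ACCEPT" && r.proto == "tcp" && r.extra.include?("dpt:#{port}")
  end
  {
    explicit_accept: !rule.nil?,
    policy: input[:policy],
    effective_allowlist: !rule.nil? && input[:policy] == "DROP",
  }
end

# User-defined chains nothing jumps to: their rules (here the
# RELATED,ESTABLISHED and ICMP accepts in FWR) are never evaluated.
def dead_chains(chains)
  chains.select { |_, c| c[:references] == 0 }.keys
end

if __FILE__ == $PROGRAM_NAME
  chains = parse_iptables(IPTABLES_LISTING)
  puts tcp_port_status(chains, 8888).inspect
  puts "unreferenced chains: #{dead_chains(chains).inspect}"
end
```

Run against the live node with the output of iptables -L -n in place of the embedded string; explicit_accept true together with effective_allowlist false is exactly the state shown in the post, and a non-empty dead_chains result means the cookbook's chain is not wired into INPUT.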
