Chef Server 12 - first cut

mpasternacki · mpasternacki · commit db5cbcc1b4a4 · 2014-09-16T01:40:08.000+02:00
diff --git a/Dockerfile b/Dockerfile
@@ -1,17 +1,28 @@
 # -*- conf -*-
 
 FROM ubuntu:12.04
-#TAG 11.1.1
+#TAG 12.0.0-rc.3
 MAINTAINER Maciej Pasternacki <maciej@3ofcoins.net>
 
-ENV PATH /opt/chef-server/embedded/sbin:/opt/chef-server/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 EXPOSE 80 443
-VOLUME /var/opt/chef-server
+VOLUME /var/opt/opscode
 
-ADD https://opscode-omnibus-packages.s3.amazonaws.com/ubuntu/12.04/x86_64/chef-server_11.1.1-1_amd64.deb /chef-server.deb
-RUN dpkg -i /chef-server.deb && rm -v /chef-server.deb
+ADD https://packagecloud.io/chef/stable/download?distro=precise&filename=chef-server-core_12.0.0-rc.3-1_amd64.deb /chef-server-core.deb
+
+RUN set -e -x ; \
+    export DEBIAN_FRONTEND=noninteractive ; \
+    apt-get update -q --yes ; \
+    apt-get install -q --yes logrotate vim-nox ; \
+    dpkg -i /chef-server-core.deb ; \
+    rm -rf /chef-server-core.deb /var/lib/apt/lists/* /var/cache/apt/archives/* ; \
+    mkdir -p /etc/cron.hourly ; \
+    ln -sfv /var/opt/opscode/log /var/log/opscode ; \
+    ln -sfv /var/opt/opscode/etc /etc/opscode ; \
+    ln -sfv /opt/opscode/sv/logrotate /opt/opscode/service ; \
+    ln -sfv /opt/opscode/embedded/bin/sv /opt/opscode/init/logrotate
 
 ADD init.rb /init.rb
-ADD chef-server.rb /etc/chef-server/chef-server.rb
+ADD chef-server.rb /.chef/chef-server.rb
+ADD logrotate /opt/opscode/sv/logrotate
 
-CMD [ "/opt/chef-server/embedded/bin/ruby", "/init.rb" ]
+CMD [ "/opt/opscode/embedded/bin/ruby", "/init.rb" ]
diff --git a/README.md b/README.md
@@ -0,0 +1,150 @@
+Chef Server
+===========
+
+This image runs
+[Chef Server core](https://downloads.getchef.com/chef-server/). The
+latest version is published as `3ofcoins/chef-server`. Git repository
+containing the Dockerfile lives at
+https://github.com/3ofcoins/docker-images/tree/master/public/chef-server
+
+Environment Variables
+---------------------
+
+ - `PUBLIC_URL` - should be configured to a full public URL of the
+   endpoint (e.g. `https://chef.example.com`)
+ - `OC_AD_ADMINISTRATORS` - if set, it should be a comma-separated
+   list of users that will be allowed to add oc_id applications
+
+Ports
+-----
+
+Ports 80 (HTTP) and 443 (HTTPS) are exposed.
+
+Volumes
+-------
+
+`/var/opt/opscode` directory, that holds all Chef server data, is a
+volume. Directories `/var/log/opscode` and `/etc/opscode` are linked
+there as, respectively, `log` and `etc`.
+
+If there is a file `etc/chef-server-local.rb` in this volume, it will
+be read at the end of `chef-server.rb` and it can be used to customize
+Chef Server's settings.
+
+Signals
+-------
+
+ - `docker kill -s HUP $CONTAINER_ID` will run `chef-server-ctl reconfigure`
+ - `docker kill -s USR1 $CONTAINER_ID` will run `chef-server-ctl status`
+
+Usage
+-----
+
+### Prerequisites and first start
+
+The `kernel.shmmax` and `kernel.shmall` sysctl values should be set to
+a high value on the host. You may also run Chef server as a privileged
+container to let it autoconfigure -- but the setting will propagate to
+host anyway, and it would be the only reason for making the container
+privileged, so it is better to avoid it.
+
+First start will automatically run `chef-server-ctl
+reconfigure`. Subsequent starts will not run `reconfigure`, unless
+file `/var/opt/opscode/bootstrapped` has been deleted. You can run
+`reconfigure` (e.g. after editing `etc/chef-server.rb`) using
+`docker-enter` or by sending SIGHUP to the container: `docker kill
+-HUP $CONTAINER_ID`.
+
+### Maintenance commands
+
+Chef Server's design makes it impossible to wrap it cleanly in
+a container - it will always be necessary to run custom
+commands. While some of the management commands may work with linked
+containers with varying amount of ugly hacks, it is simpler to have
+one way of interacting with the software that is closest to
+interacting with a Chef Server installed directly on host (and thus
+closest to supported usage).
+
+You will need `nsenter` utility and
+[`docker-enter`](https://github.com/jpetazzo/nsenter) script by
+[Jérôme Petazzoni](https://github.com/jpetazzo) on your Docker
+host. The easiest way to install it is to run the installer Docker
+image:
+
+    docker run --rm -v /usr/local/bin:/target jpetazzo/nsenter
+
+Then, you can use the `docker-enter` script to run `chef-server-ctl`
+commands (note that the command is `ctl`, not `chef-server-ctl`; `ctl`
+is a wrapper that sets missing environment variables, lack of which
+would confuse `chef-server-ctl`):
+
+    docker-enter $CONTAINER_ID chef-server-ctl status
+    docker-enter $CONTAINER_ID chef-server-ctl user-add …
+    docker-enter $CONTAINER_ID chef-server-ctl org-add …
+    docker-enter $CONTAINER_ID chef-server-ctl …
+
+### Publishing the endpoint
+
+This container is not supposed to listen on a publically available
+port. It is very strongly recommended to use a proxy server, such as
+[nginx](http://nginx.org/), as a public endpoint.
+
+Unfortunately, Chef's logic for figuring out the absolute URL of
+various pieces (oc_id, bookshelf, erchef API, etc) for links and
+redirects is twisted and fragile. There are `chef-server.rb` settings,
+but some pieces insist on using the `Host:` header of the request, and
+it doesn't seem possible to use plain HTTP endpoint and have the Chef
+Server generate HTTPS redirects everywhere.
+
+The main setting you need to configure is `PUBLIC_URL` environment
+variable. It needs to contain full public URL, as seen by `knife` and
+`chef-client` (e.g. `PUBLIC_URL=https://chef-api.example.com/`).
+
+Then, you need to make sure that the proxy passes proper `Host:`
+header to the Chef Server, and talks with the Chef Server on
+the same protocol that the final endpoint will use (i.e. proxy that
+listens on HTTPS would need to use Chef Server's self-signed HTTPS
+endpoint; proxy that listens on plain HTTP would need to talk to HTTP
+endpoint).
+
+If you prefer to avoid overhead of encrypting the connection between
+proxy and the Chef Server, it *should* be sufficient to rewrite the
+`Location:` headers (`proxy_redirect` in nginx, `ProxyPassReverse` in
+Apache). It works for me, but I can't guarantee you won't bump into
+a wrong URL generated by the server.
+
+A sample nginx configuration looks like this:
+
+    server {
+      listen 443 ssl;
+      server_name chef.example.com;
+      ssl_certificate /path/to/chef.example.com.pem;
+      ssl_certificate_key /path/to/chef.example.com.key;
+      client_max_body_size 4G;
+      location / {
+          proxy_pass http://127.0.0.1:5000;
+          proxy_set_header Host $host;
+          proxy_set_header X-Forwarded-Proto https;
+          proxy_redirect default;
+          proxy_redirect http://chef.example.com https://chef.example.com;
+      }
+    }
+
+### Backup and restore
+
+1. `docker stop chef-server`
+2. Archive `/var/opt/opscode` volume (delete the `bootstrapped` file
+   from the archive to force `chef-server-ctl reconfigure` run on the
+   new container)
+3. `docker start chef-server`
+
+Same thing works for upgrades: just reuse container, remembering to
+remove the `bootstrapped` file. You may also need to remove the
+symlinks in `/var/opt/opscode/service` and/or run `chef-server-ctl
+upgrade` via `docker-enter`.
+
+### Chef Plugins
+
+**UNSUPPORTED.** No idea how to handle this (especially that this is
+the point at which licensing issues start to occur). Most likely, a
+separate image based off this one would be necessary.
diff --git a/chef-server.rb b/chef-server.rb
@@ -1,18 +1,35 @@
+# THIS FILE WILL BE OVERWRITTEN ON CONTAINER START.  Please create a
+# new file named `chef-server-local.rb` for custom settings.
+
+# Read parameters that originally came from Docker's environment
+# variables, and were saved to a file to support docker-enter
+
+_env = Hash[ Dir['/.chef/env/*']
+    .map { |f| [ File.basename(f), File.read(f).strip ] } ]
+
 require 'uri'
-_uri = ::URI.parse(ENV['PUBLIC_URL'] || 'https://127.0.0.1/')
+_uri = ::URI.parse(_env['PUBLIC_URL'] || 'https://127.0.0.1/')
 
-topology "standalone"
+# Set environment variables that may be missing when chef-server-ctl
+# runs from docker-enter
+ENV['HOME']     ||= '/'
+ENV['HOSTNAME'] ||= File.read('/etc/hostname').strip
+ENV['PATH']     ||= '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
+ENV['EDITOR']   ||= 'vim'
 
 if _uri.port == _uri.default_port
   api_fqdn _uri.hostname
 else
   api_fqdn "#{_uri.hostname}:#{_uri.port}"
 end
 
-nginx['url'] = _uri.to_s
-bookshelf['url'] = _uri.to_s
 bookshelf['external_url'] = _uri.to_s
-erchef['base_resource_url'] = _uri.to_s
-
+bookshelf['url'] = _uri.to_s
 nginx['enable_non_ssl'] = true
-chef_server_webui['enable'] = !ENV['DISABLE_WEBUI']
+nginx['url'] = _uri.to_s
+nginx['x_forwarded_proto'] = _uri.scheme
+oc_id['administrators'] = _env['OC_ID_ADMINISTRATORS'].to_s.split(',')
+opscode_erchef['base_resource_url'] = _uri.to_s
+
+_local = File.join(File.dirname(__FILE__), 'chef-server-local.rb')
+instance_eval(File.read(_local), _local) if File.exist?(_local)
diff --git a/init.rb b/init.rb
@@ -8,58 +8,124 @@
 
 STDOUT.sync = true
 
+$processes = {}
+
 def log(message)
   puts "[#{DateTime.now}] INIT: #{message}"
 end
 
+def run!(*args, &block)
+  log "Starting: #{args}" if ENV['DEBUG']
+  pid = Process.spawn(*args)
+  log "Started #{pid}: #{args.join ' '}"
+  $processes[pid] = block || ->{ log "#{args.join ' '}: #{$?}" }
+  pid
+end
+
+def reconfigure! reason=nil
+  if $reconf_pid
+    if reason
+      log "#{reason}, but cannot reconfigure: already running"
+    else
+      log "Cannot reconfigure: already running"
+    end
+    return
+  end
+
+  if reason
+    log "#{reason}, reconfiguring"
+  else
+    log "Reconfiguring"
+  end
+
+  $reconf_pid = run! '/usr/bin/chef-server-ctl', 'reconfigure' do
+    log "Reconfiguration finished: #{$?}"
+    $reconf_pid = nil
+  end
+end
+
+def shutdown!
+  unless $runsvdir_pid
+    log "ERROR: no runsvdir pid at exit"
+    exit 1
+  end
+
+  if $reconf_pid
+    log "Reconfigure running as #{$reconf_pid}, stopping..."
+    Process.kill 'TERM', $reconf_pid
+    (1..5).each do
+      if $reconf_pid
+        sleep 1
+      else
+        break
+      end
+    end
+    if $reconf_pid
+      Process.kill 'KILL', $reconf_pid
+    end
+  end
+
+  run! '/usr/bin/chef-server-ctl', 'stop' do
+    log 'chef-server-ctl stop finished, stopping runsvdir'
+    Process.kill('HUP', $runsvdir_pid)
+  end
+end
+
 log "Starting #{$PROGRAM_NAME}"
 
-log 'Initializing sysctl for postgres'
-unless system 'sysctl -w kernel.shmmax=17179869184 kernel.shmall=4194304'
-  fail 'sysctl FAIL'
+{ shmmax: 17179869184, shmall: 4194304 }.each do |param, value|
+  if ( actual = File.read("/proc/sys/kernel/#{param}").to_i ) < value
+    log "kernel.#{param} = #{actual}, setting to #{value}."
+    begin
+      File.write "/proc/sys/kernel/#{param}", value.to_s
+    rescue
+      log "Cannot set kernel.#{param} to #{value}: #{$!}"
+      log "You may need to run the container in privileged mode or set sysctl on host."
+      raise
+    end
+  end
+end
+
+log 'Preparing configuration ...'
+FileUtils.mkdir_p %w'/var/opt/opscode/log /var/opt/opscode/etc /.chef/env', verbose: true
+FileUtils.cp '/.chef/chef-server.rb', '/var/opt/opscode/etc', verbose: true
+
+%w'PUBLIC_URL OC_ID_ADMINISTRATORS'.each do |var|
+  File.write(File.join('/.chef/env', var), ENV[var].to_s)
 end
 
-{ '/var/log/chef-server' => 'log',
-  '/etc/chef-server' => 'etc'
-}.each do |target, link|
-  unless File.exist?(target) || File.symlink?(target)
-    log "Linking #{target} as #{link}"
-    FileUtils.mkdir_p "/var/opt/chef-server/#{link}"
-    FileUtils.ln_s "/var/opt/chef-server/#{link}", target
+$runsvdir_pid = run! '/opt/opscode/embedded/bin/runsvdir-start' do
+  log "runsvdir exited: #{$?}"
+  if $?.success? || $?.exitstatus == 111
+    exit
+  else
+    exit $?.exitstatus
   end
 end
 
-log 'Starting runsvdir ...'
-$pid = Process.spawn(
-  '/opt/chef-server/embedded/bin/runsvdir', '-P', '/opt/chef-server/sv',
-  "log: #{'.' * 128}")
-log "Started runsvdir (#{$pid})"
+Signal.trap 'TERM' do
+  shutdown!
+end
+
+Signal.trap 'INT' do
+  shutdown!
+end
 
-Signal.trap('TERM') do
-  log 'Got SIGTERM, shutting down runsvdir ...'
-  Process.kill('HUP', $pid)
+Signal.trap 'HUP' do
+  reconfigure! 'Got SIGHUP'
 end
 
-Signal.trap('INT') do
-  log 'Got SIGINT, shutting down runsvdir ...'
-  Process.kill('HUP', $pid)
+Signal.trap 'USR1' do
+  log 'Chef Server status:'
+  run! '/usr/bin/chef-server-ctl', 'status'
 end
 
-unless File.exist? '/var/opt/chef-server/bootstrapped'
-  pid = Process.spawn '/usr/bin/chef-server-ctl', 'reconfigure'
-  log "Not bootstrapped, running `chef-server-ctl reconfigure' (#{pid})"
+unless File.exist? '/var/opt/opscode/bootstrapped'
+  reconfigure! 'Not bootstrapped'
 end
 
 loop do
-  chld = Process.wait
-  if chld == $pid
-    log "Runsvdir exited (#{$?}), exiting"
-    if $?.success? || $?.exitstatus == 111
-      break
-    else
-      exit $?.exitstatus
-    end
-  else
-    log "Reaped PID #{chld} (#{$?})"
-  end
+  log $? if ENV['DEBUG']
+  handler = $processes.delete(Process.wait)
+  handler.call if handler
 end
diff --git a/logrotate/log/run b/logrotate/log/run
@@ -0,0 +1,4 @@
+#!/bin/sh
+set -e
+mkdir -p /var/log/opscode/logrotate
+exec svlogd -tt /var/log/opscode/logrotate
diff --git a/logrotate/run b/logrotate/run
