
Tuesday, 10 July 2012 13:45

zNcrypt Chef Cookbook Part III


In Part I of this blog we went over some tips and basic steps to creating a new Chef Cookbook. In Part II of this series we explored in detail the zNcrypt cookbook and recipe to perform a basic installation of zNcrypt. In this edition we will use chef data bags to activate the zNcrypt installation.


Data bags are a very useful way to pass configuration information to recipes as JSON. For zNcrypt, we will use a data bag to pass license and passphrase information to the cookbook. There are two basic ways to set up a data bag: you can use the knife command, or you can set up the data bag programmatically.

knife data bag create BAG [ITEM] (options)

In our zNcrypt cookbook we will not use knife commands but rather set up the data bag programmatically. Let's review how we do this in the default.rb recipe. We start with a data_bag('license_pool') call to check whether the data bag exists; if this call raises, the "rescue" section will set up the new data bag.

# check if the data bag exists, use a begin / rescue to handle the exception
begin
  # check if there is a license pool already and skip creating
  data_bag('license_pool')
rescue

Here in the rescue section of the code, we use the OpenSSL cookbook to generate a strong password, then set up a license and activation code for each of the servers in our environment. See the openssl cookbook for more information on how to use secure_password: https://github.com/opscode/cookbooks/tree/master/openssl

# check if the data bag exists, use a begin / rescue to handle the exception
begin
  # check if there is a license pool already and skip creating
  data_bag('license_pool')
rescue
  # include the secure password from openssl recipe
  ::Chef::Recipe.send(:include, Opscode::OpenSSL::Password)

  # create a data bag for licensing pool
  license_pool = Chef::DataBag.new
  license_pool.name('license_pool')
  license_pool.save
  # create json for data bag item for each node
  ubuntu = {
    # use the node name as the id
    "id" => "ubuntu",
    # set your product key provided by Gazzang
    # this license will auto reset every hour, if your first registration
    # fails try again in an hour or contact sales@gazzang.com
    "license" => "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    # set your activation code provided by Gazzang
    "activation_code" => "123412341234",
    # random passphrase
    "passphrase" => secure_password,
    # random second passphrase
    "passphrase2" => secure_password,
  }
  # store the item in the license_pool data bag
  databag_item = Chef::DataBagItem.new
  databag_item.data_bag('license_pool')
  databag_item.raw_data = ubuntu
  databag_item.save
end

Now that we have set up the data bag, let's see how it is used in our cookbook to activate zNcrypt in the activate.rb recipe. We use the Chef "node.name" attribute to select the data bag item that matches the server. We can then construct the string to pass as an argument to the ezncrypt-activate command.

# check if there is a license pool; data_bag raises if it does not exist,
# so the run fails here instead of activating with missing values
data_bag('license_pool')
# look up this node's item once, using the Chef node.name attribute as the item id
item = data_bag_item('license_pool', node.name)
license = item['license']
activation_code = item['activation_code']
# we also need a passphrase and second passphrase, both generated randomly in default.rb
passphrase = item['passphrase']
passphrase2 = item['passphrase2']
# build the arguments to the activate command
activate_args = "--activate --license=#{license} --activation-code=#{activation_code} --passphrase=#{passphrase} --passphrase2=#{passphrase2}"
script "activate zNcrypt" do
  interpreter "bash"
  user "root"
  code <<-EOH
    # -p so the log directory creation is idempotent on repeated runs
    mkdir -p /var/log/ezncrypt
    ezncrypt-activate #{activate_args}
  EOH
end
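As an added example (not the post's or the zNcrypt cookbook's own code), here is the same item-building and argument-building logic in plain Ruby, so it runs outside a Chef run: SecureRandom stands in for the openssl cookbook's secure_password, the license and activation-code formats, the sample license value and the redact_argv helper are assumptions, and the argument vector form is an alternative to the single interpolated string used in activate.rb.

```ruby
require 'json'
require 'securerandom'

# Shape of one license_pool data bag item, keyed by the Chef node name as in the post.
LICENSE_RE    = /\A[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\z/ # assumed: UUID-style key
ACTIVATION_RE = /\A\d{12}\z/                                              # assumed: 12 digits

# Stand-in for the openssl cookbook's secure_password: 20 random alphanumeric
# characters from the OS CSPRNG. Alphanumeric only, so the value survives being
# interpolated into the bash script unquoted, as the activate recipe does.
def secure_password(length = 20)
  SecureRandom.alphanumeric(length)
end

# Build the raw_data hash for one node's data bag item. Fails early on a
# malformed key so the run never reaches ezncrypt-activate with bad input.
def build_license_item(node_name, license, activation_code)
  raise ArgumentError, "bad license format for #{node_name}" unless license =~ LICENSE_RE
  raise ArgumentError, "bad activation code for #{node_name}" unless activation_code =~ ACTIVATION_RE
  {
    'id'              => node_name,
    'license'         => license,
    'activation_code' => activation_code,
    'passphrase'      => secure_password,
    'passphrase2'     => secure_password,
  }
end

# Argument vector for ezncrypt-activate. Returning an array (for an execute
# resource taking an argv, or Shellwords.join) keeps each value one argument.
def activate_argv(item)
  ['ezncrypt-activate', '--activate',
   "--license=#{item['license']}",
   "--activation-code=#{item['activation_code']}",
   "--passphrase=#{item['passphrase']}",
   "--passphrase2=#{item['passphrase2']}"]
end

# Copy of the argv that is safe to write to a Chef log: passphrases replaced, nothing else touched.
def redact_argv(argv)
  argv.map { |a| a.sub(/\A(--passphrase2?=).*/, '\1[REDACTED]') }
end

# Constructed sample values (the license here is made up, not a real Gazzang key).
item = build_license_item('ubuntu', '01234567-89ab-cdef-0123-456789abcdef', '123412341234')
puts JSON.pretty_generate(item)
puts redact_argv(activate_argv(item)).join(' ')
```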

One problem with this example is that the data bag stores the encryption passphrases in clear text on the Chef server, and because they are interpolated into activate_args they also appear on the ezncrypt-activate command line while it runs. In future blogs we will see how we can use Chef encrypted data bags to protect the encryption password.

As you can see, data bags are a very useful method to pass configuration to cookbooks. Another method to pass configuration information to cookbooks is Chef Attributes. Please read the next blog to see how we will use Chef Attributes to set up the zNcrypt configuration directories.