Skip to content

timwelch/chefstarter

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
sudoers.d
sudoers.d
 
 
supervisord
supervisord
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
chefstarter.go
chefstarter.go
 
 

Repository files navigation

chefstarter

A cURL-able chef-client (or puppet, or...) launcher. Launch chef-client remotely with HTTP Basic Auth and TLS support. Written in Go.

Why

I run a technical operations team responsible for over 400 Linux instances that are provisioned by Chef. We regularly find ourselves needing to invoke a chef-client run manually across a large number of machines. Before chefstarter, we used dsh to SSH into the instances and kick off chef-client. This technique has several disadvanteges:

  • It requires SSH keys to be provisioned if you're running it from unattended automation/deployment scripts. SSH authentication is appropriate for most systems work but for merely launching the chef-client process, less intensive and less secure authentication may be perfectly fine.
  • It requires a SSH client. chefstarter, on the other hand, receives its commands over HTTP and you only need cURL to kick off a Chef run on a node.
  • If you manage large numbers of nodes, your SSH host keys are continually being added/changed, so you have to either pre-add them (painful) or be prepared to accept new keys manually when they come along.

How

chefstarter does one thing and one thing only: it launches chef-client when an authenticated HTTP request is made to a pre-arranged URL path. You run it as a daemon (preferably under something like supervisord. You run it as a non-root user with sudo NOPASSWD access to execute chef-client (and only chef-client). See example supervisord and sudoers files in this repository.

Command-line Flags

./chefstarter -h
Usage of ./chefstarter:
  -user="chefstarter": HTTP Basic Auth username (Default: chefstarter)
  -pass="": HTTP Basic Auth password
  -path="/": Request path to initiate chef-client run (Default: /)
  -command="sudo chef-client": Command to execute upon successful authentication (Default: 'sudo chef-client')
  -listen=":7100": IP:port to listen on (Default: listen on all interfaces on port 7100)
  -wait=false: Wait until chef-client completes run before returning HTTP response
  -ssl=false: Enable HTTPS (true/false)
  -cert="": HTTPS X.509 Public Certificate file
  -key="": HTTPS X.509 Private Key file

Synchronous vs Asynchronous Operation

If you set the -wait flag to true, chefstarter will execute chef-client synchronously and capture the exit code when it finishes. If there's an error executing chef-client or if it returns a non-zero exit code, chefstarter will return a 500 HTTP response code. If chef-client executes and returns an exit code of zero (no errors), chefstarter returns 200 OK.

Path

I recommend that you use the -path setting to specify a secret path that will trigger the chef-client run. If you set -path=/startchefnow, the Chef run will only kick off if a GET /startchefnow request is received. If any other path is requested, it simply returns 404 Not Found. The default is to kick off a run when GET / is received--you should probably set it to something that only your organization knows.

Firewalling

I recommend that you use firewall ACLs to restrict access to chefstarter's TCP port.

Author

chefstarter was created by Chris Snell

About

Launch chef-client remotely, with HTTP Basic Auth

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages

  • Go 100.0%