It’s been an incredibly long time since my last C4SC post. I’ll blame most of that on my recent wedding a couple of months ago. The rest of the blame goes to the time crunch we’re working under on my current contract. There’s no sign of any slowdown on the horizon, but I’ve made a conscious decision to take back my blogging time in 2013. So hopefully I’ll be able to get back in the habit…
To kick off my return to blogging, I thought I’d start with another C4SC series that reflects the majority of my recent work in DevOps while setting up our Production, Staging, QA and Integration environments. I’ve been using a combination of capistrano and chef-solo to set up and bootstrap our servers, preparing them to host our Rails sites or backend services. Our production environment Linux distribution is Red Hat Enterprise Linux (RHEL), which is very similar to the freely available CentOS. Personally, I’d much rather be using Ubuntu because it just seems so much easier to work with… With that said, I’m going to do my best to provide equivalent code samples for both RHEL and Ubuntu in this and upcoming posts.
This post will take you through the prerequisite steps for setting up an admin user to drive chef-solo. I’ll talk about chef-solo in detail later in the series, but right now the concentration is on Linux fundamentals.
Add a Deploy User (Context – Linux Installation / VM)
First things first. We need a sudo-capable user account other than root that we can use to deploy code and cook up some chef recipes. During the installation process for RHEL or CentOS you set the root account’s password. An Ubuntu installation is a bit different in that you create an admin user account with sudo privileges instead (no root password is ever set, and the root account stays locked). Log into the machine as root (or, on Ubuntu, as that admin user and switch to a root shell with sudo -i), create the chef_admin account with useradd, and give it a password with passwd.
Configure root and chef_admin Users (Context – Linux Installation / VM)
Now that we’ve created the chef_admin account and set the password, we need a few additional configurations. First, we give chef_admin sudo privileges on the machine. Here we append a line to the /etc/sudoers configuration file. Two caveats: NOPASSWD:ALL means that whoever holds chef_admin’s SSH key has root on the box with no further prompt, which is the trade-off you accept for unattended capistrano and chef runs; and appending to /etc/sudoers with echo skips the syntax check that visudo performs, and a malformed line in that file disables sudo for every account at once. Run visudo -c afterwards, before you close your root session, or put the line in its own file under /etc/sudoers.d, which both RHEL and Ubuntu include by default.
echo "chef_admin ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
Next, as a security measure, we should remove SSH access for the root user. This is an optional step, but one you’ll want to consider, since it removes the ability to connect remotely as root (anyone who needs root must first log in as chef_admin and use sudo; console access is unaffected). DenyUsers root works, but the standard directive for this is PermitRootLogin no. Either way, keep in mind that sshd uses the first value it finds for a directive, so an appended line only takes effect if the directive is not already set earlier in the file. Check the result with sshd -t before restarting: a syntax error followed by a restart leaves you with no remote access at all. On both distributions the daemon’s configuration is /etc/ssh/sshd_config; /etc/ssh/ssh_config is the client’s configuration and does not accept these directives.
# RHEL / CentOS
echo "DenyUsers root" >> /etc/ssh/sshd_config
echo "DenyGroups root" >> /etc/ssh/sshd_config
/sbin/service sshd restart
# Ubuntu
echo "DenyUsers root" >> /etc/ssh/sshd_config
echo "DenyGroups root" >> /etc/ssh/sshd_config
service ssh restart
Copy SSH Key (Context – Host OS)
Assuming you already have an SSH key pair that you want to use for the chef_admin account, its public half now needs to be copied to the Linux installation. From your local system (or your Host OS) use the ssh-copy-id command to copy the necessary key. It logs in with the password you just set for chef_admin and appends the public key to ~chef_admin/.ssh/authorized_keys with the permissions sshd expects (pass the private key path to -i and it will pick up the matching .pub file). Do this before the password-removal step below, or there will be nothing left to authenticate with.
ssh-copy-id -i ~/.ssh/chef_admin_rsa firstname.lastname@example.org
A quick note for OSX users: You’ll need to use homebrew to install the ssh-copy-id script before you execute this command.
brew install ssh-copy-id
[Optional] Remove Password Access for chef_admin (Context – Host OS)
Similarly to the step above where we removed SSH access for the root user, we should remove password access for the chef_admin user, so that the account can only be used by whoever holds the chef_admin_rsa SSH key. First confirm, in a second terminal, that key-based login as chef_admin works; then create an SSH connection to the Linux installation and execute the following commands:
sudo su root
passwd --lock chef_admin
Lock the password rather than deleting it: passwd --delete leaves an empty password field, and the default pam_unix configuration (nullok on RHEL/CentOS, nullok_secure on Ubuntu) accepts an empty password for console logins. A locked password blocks password authentication everywhere, while key logins and the NOPASSWD sudo rule keep working. Note that this only covers chef_admin; to refuse password logins for every account, set PasswordAuthentication no in /etc/ssh/sshd_config and restart sshd.
Update: Enabling SSH Server on System Startup
Depending on the installation options or the version of the OS that you’re using, you may need to ensure the SSH server starts when the machine boots. I recently ran into this issue testing against CentOS 6.5.
chkconfig sshd on
That is the SysV form for RHEL/CentOS 6. On CentOS 7 and later, which use systemd, the equivalent is systemctl enable sshd; on Ubuntu the openssh-server package registers the ssh service to start at boot when it is installed, so nothing extra is needed there.
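To tie the whole bootstrap together, here is the procedure from this post (user creation, sudo, sshd hardening, key install, password lock and start-on-boot) as a set of idempotent shell functions. This is an added example written for this edit, not code from the original post or from chef/capistrano. It assumes it runs as root on RHEL/CentOS or Ubuntu, that the public key path is passed as an argument, and that /etc/sudoers already contains the default #includedir /etc/sudoers.d line; ADMIN_USER, ROOT and the function names are my own. ROOT (empty by default) prefixes the configuration paths so the file-editing steps can be dry-run in a scratch directory before touching a real box.

```shell
# Added example (editor's, not the post's own code): the bootstrap above as
# idempotent shell functions. Assumes: run as root on RHEL/CentOS or Ubuntu,
# the public key path is passed in, and ROOT (default empty) prefixes the
# config paths so the file-editing steps can be dry-run in a scratch directory.
ADMIN_USER="${ADMIN_USER:-chef_admin}"
ROOT="${ROOT:-}"

# RHEL/CentOS name the daemon sshd; Debian/Ubuntu name it ssh.
sshd_service() { if [ -f /etc/redhat-release ]; then echo sshd; else echo ssh; fi; }

# sudo rights go in a validated drop-in rather than echo >> /etc/sudoers:
# a typo appended to the main file breaks sudo for every account at once.
write_sudoers_dropin() {
  f="$ROOT/etc/sudoers.d/$ADMIN_USER"
  mkdir -p "$(dirname "$f")"
  printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$ADMIN_USER" > "$f"
  chmod 0440 "$f"
}
check_sudoers_dropin() { visudo -cf "$ROOT/etc/sudoers.d/$ADMIN_USER"; }

# Set one sshd_config directive, replacing an existing (or commented-out)
# line instead of appending: sshd keeps the FIRST value it sees, so an
# appended "PermitRootLogin no" below an earlier "PermitRootLogin yes" is ignored.
set_sshd_option() {  # key value
  f="$ROOT/etc/ssh/sshd_config"
  mkdir -p "$(dirname "$f")"; touch "$f"
  if grep -qE "^[[:space:]]*#?[[:space:]]*$1([[:space:]]|$)" "$f"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*$1([[:space:]].*)?$|$1 $2|" "$f"
  else
    printf '%s %s\n' "$1" "$2" >> "$f"
  fi
}

harden_sshd() {
  set_sshd_option PermitRootLogin no          # standard form of the post's DenyUsers root
  set_sshd_option PasswordAuthentication no   # key-only, for every account
  set_sshd_option PermitEmptyPasswords no
}

# Local equivalent of ssh-copy-id: append the key once, with the permissions
# sshd's StrictModes requires. Assumes the home directory is /home/$ADMIN_USER.
install_admin_key() {  # path to public key
  home="$ROOT/home/$ADMIN_USER"; auth="$home/.ssh/authorized_keys"
  key=$(cat "$1")
  mkdir -p "$home/.ssh"; touch "$auth"
  grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
  chmod 700 "$home/.ssh"; chmod 600 "$auth"
  if [ -z "$ROOT" ]; then chown -R "$ADMIN_USER:" "$home/.ssh"; fi
}

# Lock, don't delete: passwd --delete leaves an empty password, which the
# default pam_unix settings (nullok on RHEL, nullok_secure on Ubuntu) accept
# at the console. A locked password still allows key logins and NOPASSWD sudo.
lock_admin_password() { passwd -l "$ADMIN_USER"; }

# Validate before restarting: a broken sshd_config plus a restart locks you out.
restart_sshd() {
  /usr/sbin/sshd -t -f "$ROOT/etc/ssh/sshd_config"
  service "$(sshd_service)" restart
}

enable_sshd_on_boot() {
  if command -v systemctl >/dev/null 2>&1; then systemctl enable "$(sshd_service)"
  elif command -v chkconfig >/dev/null 2>&1; then chkconfig sshd on
  fi   # Ubuntu upstart/SysV: openssh-server is enabled when the package is installed
}

# Full run. Keep your current session open and confirm a second, key-only
# login as $ADMIN_USER succeeds before you log out.
bootstrap_admin() {  # path to public key
  id "$ADMIN_USER" >/dev/null 2>&1 || useradd -m -s /bin/bash "$ADMIN_USER"  # -m: Ubuntu's useradd does not create $HOME by default
  write_sudoers_dropin && check_sudoers_dropin
  install_admin_key "$1"
  harden_sshd && restart_sshd
  enable_sshd_on_boot
  lock_admin_password
}
# Usage (as root): . ./bootstrap_admin.sh && bootstrap_admin /root/chef_admin_rsa.pub
```

The password is locked last, after the key is installed and sshd has been restarted with a validated configuration, so the order of operations matches the post: you never remove the only working credential before the replacement is in place. To rehearse the file edits without root, set ROOT to a scratch directory (ROOT=$(mktemp -d)), call harden_sshd and write_sudoers_dropin, and inspect the files it produced.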