Friday, August 29, 2014

Configuring and Enabling Virutal MFA for AWS account

I tried enabling AWS MFA (Multi-Factor Authentication) for AWS root account, as it supports Virtual MFA applications such as Google Authenticator for iPhone or Android or Authenticator for Windows phone as for free and we can use AWS MFA itself without any charge as well.
This is a quick instruction to apply AWS MFA with Google Authenticator.

  1. Install Google Authenticator in your smartphone.
    Cf. Virtual MFA applications
  2. Enable virtual MFA application with the official instruction.

    * Sign in to the AWS Management Console and move to IAM section.
    * Click Manage MFA.

    * Select "A Virtual MFA device" and click "Next Step".


    * Just click "Next Step".


    * Scan the QR code on the screen by Google Authenticator and confirm the two codes and enter them.


    * Click "Finish" after successfully associating the MFA device.

  3. Confirm that the AWS root account is available with Google Authenticator.

    * Sign in to the AWS management console with your AWS root account.

    * Confirm the authentication code with Google Authenticator and enter the code.

  4. Delete your AWS account root access key.
    Security status, "Delete your root access keys" will be green after deleting it.

I checked the cloud providers that support Multi-Factor Authentication, but not so many providers support it?

Tuesday, August 12, 2014

ChefDK is easier to install Berkshelf than via gem on Amazon Linux AMI

I ended up installing the latest berkshelf, 3.x via gem on Amazon Linux AMI because it is quite difficult to deal with the dependency issues. Instead, I decided to use Chef Development Kit because it contains Berkshelf and is easy to install without worrying about such issues.

Installing ChefDK followed by the official instruction
$ sudo yum install https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chefdk-0.2.0-2.el6.x86_64.rpm

Confirming the installation pathpath
$ ll `which chef`
lrwxrwxrwx 1 root root 20 Aug 11 10:38 /usr/bin/chef -> /opt/chefdk/bin/chef

Confirming Berkshelf installed
$ /opt/chefdk/embedded/bin/gem list | grep 'berkshelf'
berkshelf (3.1.3)
berkshelf-api (1.4.0)
berkshelf-api-client (1.2.0)

Verifying the main components of ChefDK
$ chef verify
Running verification for component 'berkshelf'
Running verification for component 'test-kitchen'
Running verification for component 'chef-client'
Running verification for component 'chef-dk'
..............
---------------------------------------------
Verification of component 'chef-dk' succeeded.
Verification of component 'berkshelf' succeeded.
Verification of component 'chef-client' succeeded.
Verification of component 'test-kitchen' succeeded.

Installing knife solo
Just make sure that you install knife solo because ChedDK does not contain it.
$ chef gem install knife-solo

The following is the output that I failed to install chef via gem.

Installing berkshelf without specifying the version
Failed to install because of the lack of the dependent libraries.
$ gem i berkshelf
Fetching: addressable-2.3.6.gem (100%)
Successfully installed addressable-2.3.6
Fetching: multipart-post-2.0.0.gem (100%)
Successfully installed multipart-post-2.0.0
Fetching: faraday-0.9.0.gem (100%)
Successfully installed faraday-0.9.0
Fetching: berkshelf-api-client-1.2.0.gem (100%)
Successfully installed berkshelf-api-client-1.2.0
Fetching: hashie-2.1.2.gem (100%)
Successfully installed hashie-2.1.2
Fetching: buff-extensions-1.0.0.gem (100%)
Successfully installed buff-extensions-1.0.0
Fetching: varia_model-0.4.0.gem (100%)
Successfully installed varia_model-0.4.0
Fetching: buff-config-1.0.1.gem (100%)
Successfully installed buff-config-1.0.1
Fetching: buff-ruby_engine-0.1.0.gem (100%)
Successfully installed buff-ruby_engine-0.1.0
Fetching: buff-shell_out-0.1.1.gem (100%)
Successfully installed buff-shell_out-0.1.1
Fetching: minitar-0.5.4.gem (100%)
Successfully installed minitar-0.5.4
Fetching: retryable-1.3.5.gem (100%)
Successfully installed retryable-1.3.5
Fetching: buff-ignore-1.1.1.gem (100%)
Successfully installed buff-ignore-1.1.1
Fetching: hitimes-1.2.2.gem (100%)
Building native extensions.  This could take a while...
ERROR:  Error installing berkshelf:
        ERROR: Failed to build gem native extension.

    /usr/bin/ruby2.0 extconf.rb
checking for clock_gettime() in -lrt... *** extconf.rb failed ***
Could not create Makefile due to some reason, probably lack of necessary
libraries and/or headers.  Check the mkmf.log file for more details.  You may
need configuration options.

Provided configuration options:
        --with-opt-dir
        --without-opt-dir
        --with-opt-include
        --without-opt-include=${opt-dir}/include
        --with-opt-lib
        --without-opt-lib=${opt-dir}/lib64
        --with-make-prog
        --without-make-prog
        --srcdir=.
        --curdir
        --ruby=/usr/bin/ruby2.0
        --with-rtlib
        --without-rtlib
/usr/share/ruby/2.0/mkmf.rb:434:in `try_do': The compiler failed to generate an executable file. (RuntimeError)
You have to install development tools first.
        from /usr/share/ruby/2.0/mkmf.rb:519:in `try_link0'
        from /usr/share/ruby/2.0/mkmf.rb:534:in `try_link'
        from /usr/share/ruby/2.0/mkmf.rb:720:in `try_func'
        from /usr/share/ruby/2.0/mkmf.rb:950:in `block in have_library'
        from /usr/share/ruby/2.0/mkmf.rb:895:in `block in checking_for'
        from /usr/share/ruby/2.0/mkmf.rb:340:in `block (2 levels) in postpone'
        from /usr/share/ruby/2.0/mkmf.rb:310:in `open'
        from /usr/share/ruby/2.0/mkmf.rb:340:in `block in postpone'
        from /usr/share/ruby/2.0/mkmf.rb:310:in `open'
        from /usr/share/ruby/2.0/mkmf.rb:336:in `postpone'
        from /usr/share/ruby/2.0/mkmf.rb:894:in `checking_for'
        from /usr/share/ruby/2.0/mkmf.rb:945:in `have_library'
        from extconf.rb:10:in `

'
Gem files will remain installed in /home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2 for inspection. Results logged to /home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/ext/hitimes/c/gem_make.out

Installing hitimes via gem
Failed because the development tools should be installed before that.
$ gem i hitimes --verbose
HEAD https://rubygems.org/latest_specs.4.8.gz
302 Moved Temporarily
HEAD https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz
304 Not Modified
Installing gem hitimes-1.2.2
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/.travis.yml
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/CONTRIBUTING.md
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/HISTORY.md
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/LICENSE
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/Manifest.txt
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/README.md
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/Rakefile
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/examples/benchmarks.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/examples/stats.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/ext/hitimes/c/extconf.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/ext/hitimes/c/hitimes.c
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/ext/hitimes/c/hitimes_instant_clock_gettime.c
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/ext/hitimes/c/hitimes_instant_osx.c
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/ext/hitimes/c/hitimes_instant_windows.c
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/ext/hitimes/c/hitimes_interval.c
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/ext/hitimes/c/hitimes_interval.h
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/ext/hitimes/c/hitimes_stats.c
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/ext/hitimes/c/hitimes_stats.h
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/ext/hitimes/java/src/hitimes/Hitimes.java
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/ext/hitimes/java/src/hitimes/HitimesInterval.java
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/ext/hitimes/java/src/hitimes/HitimesService.java
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/ext/hitimes/java/src/hitimes/HitimesStats.java
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/lib/hitimes.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/lib/hitimes/metric.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/lib/hitimes/mutexed_stats.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/lib/hitimes/paths.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/lib/hitimes/stats.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/lib/hitimes/timed_metric.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/lib/hitimes/timed_value_metric.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/lib/hitimes/value_metric.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/lib/hitimes/version.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/spec/hitimes_spec.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/spec/interval_spec.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/spec/metric_spec.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/spec/mutex_stats_spec.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/spec/paths_spec.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/spec/spec_helper.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/spec/stats_spec.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/spec/timed_metric_spec.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/spec/timed_value_metric_spec.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/spec/value_metric_spec.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/spec/version_spec.rb
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/tasks/default.rake
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/tasks/extension.rake
/home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/tasks/this.rb
Building native extensions.  This could take a while...
/usr/bin/ruby2.0 extconf.rb
checking for clock_gettime() in -lrt... *** extconf.rb failed ***
Could not create Makefile due to some reason, probably lack of necessary
libraries and/or headers.  Check the mkmf.log file for more details.  You may
need configuration options.

Provided configuration options:
        --with-opt-dir
        --without-opt-dir
        --with-opt-include
        --without-opt-include=${opt-dir}/include
        --with-opt-lib
        --without-opt-lib=${opt-dir}/lib64
        --with-make-prog
        --without-make-prog
        --srcdir=.
        --curdir
        --ruby=/usr/bin/ruby2.0
        --with-rtlib
        --without-rtlib
/usr/share/ruby/2.0/mkmf.rb:434:in `try_do': The compiler failed to generate an executable file. (RuntimeError)
You have to install development tools first.
        from /usr/share/ruby/2.0/mkmf.rb:519:in `try_link0'
        from /usr/share/ruby/2.0/mkmf.rb:534:in `try_link'
        from /usr/share/ruby/2.0/mkmf.rb:720:in `try_func'
        from /usr/share/ruby/2.0/mkmf.rb:950:in `block in have_library'
        from /usr/share/ruby/2.0/mkmf.rb:895:in `block in checking_for'
        from /usr/share/ruby/2.0/mkmf.rb:340:in `block (2 levels) in postpone'
        from /usr/share/ruby/2.0/mkmf.rb:310:in `open'
        from /usr/share/ruby/2.0/mkmf.rb:340:in `block in postpone'
        from /usr/share/ruby/2.0/mkmf.rb:310:in `open'
        from /usr/share/ruby/2.0/mkmf.rb:336:in `postpone'
        from /usr/share/ruby/2.0/mkmf.rb:894:in `checking_for'
        from /usr/share/ruby/2.0/mkmf.rb:945:in `have_library'
        from extconf.rb:10:in `

'
ERROR:  Error installing hitimes:         ERROR: Failed to build gem native extension.     Building has failed. See above output for more information on the failure. Gem files will remain installed in /home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2 for inspection. Results logged to /home/ec2-user/.gem/ruby/2.0/gems/hitimes-1.2.2/ext/hitimes/c/gem_make.out

Installing "Development libraries" and "Development tools"
Succeeded without any fail.
$ sudo yum -y groupinstall "Development Libraries" "Development tools"
$ rpm -qa |grep ruby
ruby20-2.0.0.451-1.14.amzn1.x86_64
rubygem20-json-1.7.7-101.27.amzn1.x86_64
ruby20-libs-2.0.0.451-1.14.amzn1.x86_64
rubygem20-psych-2.0.0-1.14.amzn1.x86_64
rubygems20-2.0.14-1.14.amzn1.noarch
rubygem20-rdoc-4.0.1-2.18.amzn1.noarch
ruby20-devel-2.0.0.451-1.14.amzn1.x86_64
ruby20-irb-2.0.0.451-1.14.amzn1.noarch
ruby-2.0-0.3.amzn1.noarch
rubygem20-bigdecimal-1.2.0-1.14.amzn1.x86_64

Installing hitimes with gem again
Succeeded.
$ gem i hitimes --verbose
HEAD https://rubygems.org/latest_specs.4.8.gz
302 Moved Temporarily
HEAD https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz
304 Not Modified
Installing gem hitimes-1.2.2
...
Successfully installed hitimes-1.2.2
Parsing documentation for hitimes-1.2.2
Parsing sources...
100% [14/14]  lib/hitimes/version.rb                                           
Installing ri documentation for hitimes-1.2.2
Done installing documentation for hitimes after 0 seconds
1 gem installed

Installing berkshel via gem
Failed because libgecode failed to be compiled.
$ gem i berkshelf --verbose
...
virtual memory exhausted: Cannot allocate memory
make[1]: *** [gecode/int/extensional.o] Error 1
make[1]: *** Waiting for unfinished jobs....
fvirtual memory exhausted: Cannot allocate memory
make[1]: *** [gecode/int/rel.o] Error 1


make[1]: Leaving directory `/home/ec2-user/.gem/ruby/2.0/gems/dep-selector-libgecode-1.0.2/ext/libgecode3/vendor/gecode-3.7.3'
make: *** [compilelib] Error 2
extconf.rb:98:in `block in run': Failed to build gecode library. (GecodeBuild::BuildError)
        from extconf.rb:97:in `chdir'
        from extconf.rb:97:in `run'
        from extconf.rb:104:in `

'
ERROR:  Error installing berkshelf:         ERROR: Failed to build gem native extension.     Building has failed. See above output for more information on the failure. Gem files will remain installed in /home/ec2-user/.gem/ruby/2.0/gems/dep-selector-libgecode-1.0.2 for inspection. Results logged to /home/ec2-user/.gem/ruby/2.0/gems/dep-selector-libgecode-1.0.2/ext/libgecode3/gem_make.out

Installing libgecode with gem
Failed to complie libgecode.
$ gem i dep-selector-libgecode
...
virtual memory exhausted: Cannot allocate memory
make[1]: *** [gecode/int/element.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory `/home/ec2-user/.gem/ruby/2.0/gems/dep-selector-libgecode-1.0.2/ext/libgecode3/vendor/gecode-3.7.3'
make: *** [compilelib] Error 2
extconf.rb:98:in `block in run': Failed to build gecode library. (GecodeBuild::BuildError)
        from extconf.rb:97:in `chdir'
        from extconf.rb:97:in `run'
        from extconf.rb:104:in `

Gem files will remain installed in /home/ec2-user/.gem/ruby/2.0/gems/dep-selector-libgecode-1.0.2 for inspection.
Results logged to /home/ec2-user/.gem/ruby/2.0/gems/dep-selector-libgecode-1.0.2/ext/libgecode3/gem_make.out


ChefDK is quite helpful to resolve dependency issues.

Thursday, August 7, 2014

Installing cookbook on chef node


Installing chef on chef node
$ knife solo prepare chef-node01
Bootstrapping Chef...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 16519  100 16519    0     0  14721      0  0:00:01  0:00:01 --:--:-- 14722
Downloading Chef 11.14.2 for el...
downloading https://www.opscode.com/chef/metadata?v=11.14.2&prerelease=false&nightlies=false&p=el&pv=6&m=x86_64
  to file /tmp/install.sh.17808/metadata.txt
trying wget...
url     https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-11.14.2-1.el6.x86_64.rpm
md5     ffeffb67c310e6f76bb5d90ee7e30a3f
sha256  840946bc5f7931346131c0c77f2f5bfd1328245189fc6c8173b01eb040ffb58b
downloaded metadata file looks valid...
downloading https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-11.14.2-1.el6.x86_64.rpm
  to file /tmp/install.sh.17808/chef-11.14.2-1.el6.x86_64.rpm
trying wget...
Comparing checksum with sha256sum...
Installing Chef 11.14.2
installing with rpm...
warning: /tmp/install.sh.17808/chef-11.14.2-1.el6.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:chef-11.14.2-1.el6               ################################# [100%]
Thank you for installing Chef!
Generating node config './nodes/chef-node01.json'...
Creating node object file
nodes/chef-node01.json
{   "run_list":[      "recipe[hello]"   ] }
Uploading chef-repo and running chef-solo on chef node
$ knife solo cook chef-node01
Running Chef on chef-node01...
Checking Chef version...
Uploading the kitchen...
Generating solo config...
Running Chef...
[2014-08-06T02:59:42+00:00] WARN: 
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
SSL validation of HTTPS requests is disabled. HTTPS connections are still
encrypted, but chef is not able to detect forged replies or man in the middle
attacks.

To fix this issue add an entry like this to your configuration file:

```
  # Verify all HTTPS connections (recommended)
  ssl_verify_mode :verify_peer

  # OR, Verify only connections to chef-server
  verify_api_cert true
```

To check your SSL configuration, or troubleshoot errors, you can use the
`knife ssl check` command like so:

```
  knife ssl check -c /home/ec2-user/chef-solo/solo.rb
```

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Starting Chef Client, version 11.14.2
Compiling Cookbooks...
Converging 1 resources
Recipe: hello::default
  * log[Hello, Chef!] action write
  

Running handlers:
Running handlers complete
Chef Client finished, 1/1 resources updated in 1.310583027 seconds
I added the following entry to configure SSL for the chef-client.
~/chec-repo/.chef/knife.rb
ssl_verify_mode :verify_peer
The warning message has not output any more.
$ knife solo cook chef-node01
Running Chef on chef-node01...
Checking Chef version...
Uploading the kitchen...
Generating solo config...
Running Chef...
Starting Chef Client, version 11.14.2
Compiling Cookbooks...
Converging 1 resources
Recipe: hello::default
  * log[Hello, Chef!] action write
  

Running handlers:
Running handlers complete
Chef Client finished, 1/1 resources updated in 1.310583027 seconds
Creating a cookbook to install dstat
$ knife cookbook create dstat -o site-cookbooks
** Creating cookbook dstat
** Creating README for cookbook: dstat
** Creating CHANGELOG for cookbook: dstat
** Creating metadata for cookbook: dstat
Creating a recipe to install dstat


site-cookbooks/dstat/recipes/default.rb
package "dstat" do
  action :install
end
Adding run_list on object node file


nodes/chef-node01.json
  "run_list" : [
    "recipe[hello]", 
    "recipe[dstat]"
  ]
}
Running cookbook on chef node and specifying a recipe to run
$ knife solo cook chef-node01 -o dstat
Running Chef on chef-node01...
Checking Chef version...
Uploading the kitchen...
Generating solo config...
Running Chef...
Starting Chef Client, version 11.14.2
[2014-08-08T06:42:27+00:00] WARN: Run List override has been provided.
[2014-08-08T06:42:27+00:00] WARN: Original Run List: [recipe[hello], recipe[dstat]]
[2014-08-08T06:42:27+00:00] WARN: Overridden Run List: [recipe[dstat]]
Compiling Cookbooks...
Converging 1 resources
Recipe: dstat::default
  * package[dstat] action install
    - install version 0.7.0-1.5.amzn1 of package dstat

Running handlers:
Running handlers complete
Chef Client finished, 1/1 resources updated in 3.30466706 seconds 

Done. dstat is installed. 
$ rpm -q dstat
dstat-0.7.0-1.5.amzn1.noarch



Installing Chef solo, knife solo and confirming chef-solo runs with knife solo

Very begging of installing and setting up chef to use knife solo mainly for me.

Updating the latest packages and git

$ sudo yum -y update git
Installing Chef
$ curl -L https://www.opscode.com/chef/install.sh | sudo bash
Installing knife-solo
$ sudo /opt/chef/embedded/bin/gem install knife-solo --no-ri --no-rdoc
$ knife -v
Chef: 11.14.2
Confirming the path in which knife is installed
$ ll `which knife`
lrwxrwxrwx 1 root root 19 Aug  5 04:32 /usr/bin/knife -> /opt/chef/bin/knife
Configuring knife
$ knife configure \
-y \
--defaults \
-r /home/ec2-user/chef-repo
WARNING: No knife configuration file found
*****

You must place your client key in:
  /home/ec2-user/.chef/ec2-user.pem
Before running commands with Knife!

*****

You must place your validation key in:
  /etc/chef-server/chef-validator.pem
Before generating instance data with Knife!

***** 
Place the secret key file at /home/ec2-user/.chef/ec2-user.pem.
Initializing repository
$ knife solo init chef-repo
Creating kitchen...
Creating knife.rb in kitchen...
Creating cupboards...
Uninstalling Chef (if needed)
$ yum -y remove `rpm -q chef`
Creating cookbook
$ knife cookbook create hello -o site-cookbooks
Creating recipes
site-cookbooks/recipe/hello/default.rb
log "Hello, Chef!"
Creating node object file to execute recipe
This is just to confirm that knife solo runs at localhost.
node/localhost.json
{
  "run_list" : [
     "recipe[hello]"
  ]
}
Running chef-solo on remote host (Here, at localhost)
$ knife solo cook localhost
Running Chef on localhost...
Checking Chef version...
Uploading the kitchen...
Generating solo config...
Running Chef...
[2014-08-08T06:21:43+00:00] WARN: 
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
SSL validation of HTTPS requests is disabled. HTTPS connections are still
encrypted, but chef is not able to detect forged replies or man in the middle
attacks.

To fix this issue add an entry like this to your configuration file:

```
  # Verify all HTTPS connections (recommended)
  ssl_verify_mode :verify_peer

  # OR, Verify only connections to chef-server
  verify_api_cert true
```

To check your SSL configuration, or troubleshoot errors, you can use the
`knife ssl check` command like so:

```
  knife ssl check -c /home/ec2-user/chef-solo/solo.rb
```

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Starting Chef Client, version 11.14.2
Compiling Cookbooks...
Converging 1 resources
Recipe: hello::default
  * log[Hello, Chef!] action write
  

Running handlers:
Running handlers complete
Chef Client finished, 1/1 resources updated in 1.430750102 seconds
If the SSL warning message appears, it is possible to disable by adding an entry on solo.rb. The detail is show at official HP, knife ssl check.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
SSL validation of HTTPS requests is disabled. HTTPS connections are still
encrypted, but chef is not able to detect forged replies or man in the middle
attacks.

To fix this issue add an entry like this to your configuration file:

```
  # Verify all HTTPS connections (recommended)
  ssl_verify_mode :verify_peer

  # OR, Verify only connections to chef-server
  verify_api_cert true
```

To check your SSL configuration, or troubleshoot errors, you can use the
`knife ssl check` command like so:

```
  knife ssl check -c /home/ec2-user/chef-solo/solo.rb
```

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
~/chef-repo/.chef/knife.rb
ssl_verify_mode :verify_peer
Next is to install chef and cookbook on a remote host with knife solo and install a package.

Failed Access Denied: S3 properties on us-east-1 region

When I created s3 buckets at each regions including us-east-1, us-west1, us-west-2, and ap-northeast-1 and applied the IAM policies below to a IAM group. I got some of the properties of other than us-east-1 region somehow.
I created an IAM group and attached two IAM policies with the group.
  • IAM policy to define the buckets to operate and access source IP address.
{ "Statement": [ { "Condition": { "IpAddress": { "aws:SourceIp": [ "xxx.xxx.xxx.xxx/32", "xxx.xxx.xxx.xxx/32" ] } }, "Resource": [ "arn:aws:s3:::bucket_name.ap-northeast-1", "arn:aws:s3:::bucket_name.ap-northeast-1/*", "arn:aws:s3:::bucket_name.us-west-1", "arn:aws:s3:::bucket_name.us-west-1/*", "arn:aws:s3:::bucket_name.us-west-1", "arn:aws:s3:::bucket_name.us-west-1/*", "arn:aws:s3:::bucket_name.us-west-2", "arn:aws:s3:::bucket_name.us-west-2/*" ], "Action": "s3:*", "Effect": "Allow" } ], "Version": "2012-10-17" }
  • IAM policy to list all the buckets for a s3 tool like S3 Browser
{
  "Statement": [
    {
      "Resource": "*",
      "Action": "s3:List*",
      "Effect": "Allow"
    }
  ],
  "Version": "2012-10-17"
}
I got the properties of us-west-1, us-west-2, ap-northeast-1, but couldn't get those of us-east-1, though the same IAM policies are applied.


I successfully got the properties of us-east-1 after adding the action as follows.



{
  "Statement": [
    {
      "Resource": "*",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Effect": "Allow"
    }
  ],
  "Version": "2012-10-17"
}

I am wondering if us-east-1 (US standard) region is different from other regions in how to apply IAM policy because it is the 1st region of AWS???

Wednesday, August 6, 2014

Installing PostgreSQL on EC2 via Chef solo and Testing with serverspec

A quick introduction of installing and running tests on PostgreSQL on EC2.

Installing openssl and postgresql cookbooks from the community site
$ knife cookbook site install openssl postgresql
Generating md5 password for database
$ echo -n 'postgresq!' 'postgres' | openssl md5 | sed -e 's/.* /md5/'
md5f5a4fd94a405896c47f8153794b05596
Creating node object file
nodes/host.json
{
  "postgresql":{
    "password":{
      "postgres":"md5f5a4fd94a405896c47f8153794b05596"
    }
  },
  "run_list":[
    "recipe[postgresql]",
    "recipe[postgresql::server]"
  ]
}
Running chef-solo on remote hos
$ knife solo cook chef-node01
Running Chef on chef-node01...
Checking Chef version...
Uploading the kitchen...
Generating solo config...
Running Chef...

Starting Chef Client, version 11.14.2
Compiling Cookbooks...
Converging 16 resources
Recipe: postgresql::client
  * package[postgresql-devel] action install
    - install version 9.2-1.20.amzn1 of package postgresql-devel
Recipe: postgresql::server_redhat
  * group[postgres] action create
    - create group[postgres]
  * user[postgres] action create
    - create user postgres
  * directory[/var/lib/pgsql9/data] action create
    - create new directory /var/lib/pgsql9/data
    - change owner from '' to 'postgres'
    - change group from '' to 'postgres'
  * package[postgresql-server] action install
    - install version 9.2-1.20.amzn1 of package postgresql-server
  * template[/etc/sysconfig/pgsql/postgresql] action create
    - create new file /etc/sysconfig/pgsql/postgresql
    - update content in file /etc/sysconfig/pgsql/postgresql from none to 63ba59
    --- /etc/sysconfig/pgsql/postgresql 2014-08-06 07:19:54.316000518 +0000
    +++ /tmp/chef-rendered-template20140806-1663-1n0wbzo        2014-08-06 07:19:54.320000491 +0000
    @@ -1 +1,3 @@
    +PGDATA=/var/lib/pgsql9/data
    +PGPORT=5432
    - change mode from '' to '0644'
  * execute[/sbin/service postgresql initdb ] action run
    - execute /sbin/service postgresql initdb 
  * service[postgresql] action enable
    - enable service service[postgresql]
  * service[postgresql] action start
    - start service service[postgresql]
Recipe: postgresql::server
  * template[/var/lib/pgsql9/data/postgresql.conf] action create
    - update content in file /var/lib/pgsql9/data/postgresql.conf from 4c34f3 to 61e694
    --- /var/lib/pgsql9/data/postgresql.conf    2014-08-06 07:19:55.911989875 +0000
    +++ /tmp/chef-rendered-template20140806-1663-wl4pwj 2014-08-06 07:20:01.239954346 +0000
    @@ -1,577 +1,22 @@
    -# -----------------------------
     # PostgreSQL configuration file
    -# -----------------------------
    -#
    -# This file consists of lines of the form:
    -#
    -#   name = value
    -#
    -# (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
    -# "#" anywhere on a line.  The complete list of parameter names and allowed
    -# values can be found in the PostgreSQL documentation.
    -#
    -# The commented-out settings shown in this file represent the default values.
    -# Re-commenting a setting is NOT sufficient to revert it to the default value;
    -# you need to reload the server.
    -#
    -# This file is read on server startup and when the server receives a SIGHUP
    -# signal.  If you edit the file on a running system, you have to SIGHUP the
    -# server for the changes to take effect, or use "pg_ctl reload".  Some
    -# parameters, which are marked below, require a server shutdown and restart to
    -# take effect.
    -#
    -# Any parameter can also be given as a command-line option to the server, e.g.,
    -# "postgres -c log_connections=on".  Some parameters can be changed at run time
    -# with the "SET" SQL command.
    -#
    -# Memory units:  kB = kilobytes        Time units:  ms  = milliseconds
    -#                MB = megabytes                     s   = seconds
    -#                GB = gigabytes                     min = minutes
    -#                                                   h   = hours
    -#                                                   d   = days
    +# This file was automatically generated and dropped off by chef!
    +# Please refer to the PostgreSQL documentation for details on
    +# configuration settings.
     
    -
    -#------------------------------------------------------------------------------
    -# FILE LOCATIONS
    -#------------------------------------------------------------------------------
    -
    -# The default values of these variables are driven from the -D command-line
    -# option or PGDATA environment variable, represented here as ConfigDir.
    -
    -#data_directory = 'ConfigDir'              # use data in another directory
    -                                   # (change requires restart)
    -#hba_file = 'ConfigDir/pg_hba.conf'        # host-based authentication file
    -                                   # (change requires restart)
    -#ident_file = 'ConfigDir/pg_ident.conf'    # ident configuration file
    -                                   # (change requires restart)
    -
    -# If external_pid_file is not explicitly set, no extra PID file is written.
    -#external_pid_file = ''                    # write an extra PID file
    -                                   # (change requires restart)
    -
    -
    -#------------------------------------------------------------------------------
    -# CONNECTIONS AND AUTHENTICATION
    -#------------------------------------------------------------------------------
    -
    -# - Connection Settings -
    -
    -#listen_addresses = 'localhost'            # what IP address(es) to listen on;
    -                                   # comma-separated list of addresses;
    -                                   # defaults to 'localhost'; use '*' for all
    -                                   # (change requires restart)
    -#port = 5432                               # (change requires restart)
    -# Note: In RHEL/Fedora installations, you can't set the port number here;
    -# adjust it in the service file instead.
    -max_connections = 100                      # (change requires restart)
    -# Note:  Increasing max_connections costs ~400 bytes of shared memory per
    -# connection slot, plus lock space (see max_locks_per_transaction).
    -#superuser_reserved_connections = 3        # (change requires restart)
    -#unix_socket_directories = '/var/run/postgresql, /tmp'     # comma-separated list of directories
    -                                   # (change requires restart)
    -#unix_socket_group = ''                    # (change requires restart)
    -#unix_socket_permissions = 0777            # begin with 0 to use octal notation
    -                                   # (change requires restart)
    -#bonjour = off                             # advertise server via Bonjour
    -                                   # (change requires restart)
    -#bonjour_name = ''                 # defaults to the computer name
    -                                   # (change requires restart)
    -
    -# - Security and Authentication -
    -
    -#authentication_timeout = 1min             # 1s-600s
    -#ssl = off                         # (change requires restart)
    -#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
    -                                   # (change requires restart)
    -#ssl_renegotiation_limit = 512MB   # amount of data between renegotiations
    -#ssl_cert_file = 'server.crt'              # (change requires restart)
    -#ssl_key_file = 'server.key'               # (change requires restart)
    -#ssl_ca_file = ''                  # (change requires restart)
    -#ssl_crl_file = ''                 # (change requires restart)
    -#password_encryption = on
    -#db_user_namespace = off
    -
    -# Kerberos and GSSAPI
    -#krb_server_keyfile = ''
    -#krb_srvname = 'postgres'          # (Kerberos only)
    -#krb_caseins_users = off
    -
    -# - TCP Keepalives -
    -# see "man 7 tcp" for details
    -
    -#tcp_keepalives_idle = 0           # TCP_KEEPIDLE, in seconds;
    -                                   # 0 selects the system default
    -#tcp_keepalives_interval = 0               # TCP_KEEPINTVL, in seconds;
    -                                   # 0 selects the system default
    -#tcp_keepalives_count = 0          # TCP_KEEPCNT;
    -                                   # 0 selects the system default
    -
    -
    -#------------------------------------------------------------------------------
    -# RESOURCE USAGE (except WAL)
    -#------------------------------------------------------------------------------
    -
    -# - Memory -
    -
    -shared_buffers = 32MB                      # min 128kB
    -                                   # (change requires restart)
    -#temp_buffers = 8MB                        # min 800kB
    -#max_prepared_transactions = 0             # zero disables the feature
    -                                   # (change requires restart)
    -# Note:  Increasing max_prepared_transactions costs ~600 bytes of shared memory
    -# per transaction slot, plus lock space (see max_locks_per_transaction).
    -# It is not advisable to set max_prepared_transactions nonzero unless you
    -# actively intend to use prepared transactions.
    -#work_mem = 1MB                            # min 64kB
    -#maintenance_work_mem = 16MB               # min 1MB
    -#max_stack_depth = 2MB                     # min 100kB
    -
    -# - Disk -
    -
    -#temp_file_limit = -1                      # limits per-session temp file space
    -                                   # in kB, or -1 for no limit
    -
    -# - Kernel Resource Usage -
    -
    -#max_files_per_process = 1000              # min 25
    -                                   # (change requires restart)
    -#shared_preload_libraries = ''             # (change requires restart)
    -
    -# - Cost-Based Vacuum Delay -
    -
    -#vacuum_cost_delay = 0ms           # 0-100 milliseconds
    -#vacuum_cost_page_hit = 1          # 0-10000 credits
    -#vacuum_cost_page_miss = 10                # 0-10000 credits
    -#vacuum_cost_page_dirty = 20               # 0-10000 credits
    -#vacuum_cost_limit = 200           # 1-10000 credits
    -
    -# - Background Writer -
    -
    -#bgwriter_delay = 200ms                    # 10-10000ms between rounds
    -#bgwriter_lru_maxpages = 100               # 0-1000 max buffers written/round
    -#bgwriter_lru_multiplier = 2.0             # 0-10.0 multipler on buffers scanned/round
    -
    -# - Asynchronous Behavior -
    -
    -#effective_io_concurrency = 1              # 1-1000; 0 disables prefetching
    -
    -
    -#------------------------------------------------------------------------------
    -# WRITE AHEAD LOG
    -#------------------------------------------------------------------------------
    -
    -# - Settings -
    -
    -#wal_level = minimal                       # minimal, archive, or hot_standby
    -                                   # (change requires restart)
    -#fsync = on                                # turns forced synchronization on or off
    -#synchronous_commit = on           # synchronization level;
    -                                   # off, local, remote_write, or on
    -#wal_sync_method = fsync           # the default is the first option
    -                                   # supported by the operating system:
    -                                   #   open_datasync
    -                                   #   fdatasync (default on Linux)
    -                                   #   fsync
    -                                   #   fsync_writethrough
    -                                   #   open_sync
    -#full_page_writes = on                     # recover from partial page writes
    -#wal_buffers = -1                  # min 32kB, -1 sets based on shared_buffers
    -                                   # (change requires restart)
    -#wal_writer_delay = 200ms          # 1-10000 milliseconds
    -
    -#commit_delay = 0                  # range 0-100000, in microseconds
    -#commit_siblings = 5                       # range 1-1000
    -
    -# - Checkpoints -
    -
    -#checkpoint_segments = 3           # in logfile segments, min 1, 16MB each
    -#checkpoint_timeout = 5min         # range 30s-1h
    -#checkpoint_completion_target = 0.5        # checkpoint target duration, 0.0 - 1.0
    -#checkpoint_warning = 30s          # 0 disables
    -
    -# - Archiving -
    -
    -#archive_mode = off                # allows archiving to be done
    -                           # (change requires restart)
    -#archive_command = ''              # command to use to archive a logfile segment
    -                           # placeholders: %p = path of file to archive
    -                           #               %f = file name only
    -                           # e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
    -#archive_timeout = 0               # force a logfile segment switch after this
    -                           # number of seconds; 0 disables
    -
    -
    -#------------------------------------------------------------------------------
    -# REPLICATION
    -#------------------------------------------------------------------------------
    -
    -# - Sending Server(s) -
    -
    -# Set these on the master and on any standby that will send replication data.
    -
    -#max_wal_senders = 0               # max number of walsender processes
    -                           # (change requires restart)
    -#wal_keep_segments = 0             # in logfile segments, 16MB each; 0 disables
    -#replication_timeout = 60s # in milliseconds; 0 disables
    -
    -# - Master Server -
    -
    -# These settings are ignored on a standby server.
    -
    -#synchronous_standby_names = ''    # standby servers that provide sync rep
    -                           # comma-separated list of application_name
    -                           # from standby(s); '*' = all
    -#vacuum_defer_cleanup_age = 0      # number of xacts by which cleanup is delayed
    -
    -# - Standby Servers -
    -
    -# These settings are ignored on a master server.
    -
    -#hot_standby = off                 # "on" allows queries during recovery
    -                                   # (change requires restart)
    -#max_standby_archive_delay = 30s   # max delay before canceling queries
    -                                   # when reading WAL from archive;
    -                                   # -1 allows indefinite delay
    -#max_standby_streaming_delay = 30s # max delay before canceling queries
    -                                   # when reading streaming WAL;
    -                                   # -1 allows indefinite delay
    -#wal_receiver_status_interval = 10s        # send replies at least this often
    -                                   # 0 disables
    -#hot_standby_feedback = off                # send info from standby to prevent
    -                                   # query conflicts
    -
    -
    -#------------------------------------------------------------------------------
    -# QUERY TUNING
    -#------------------------------------------------------------------------------
    -
    -# - Planner Method Configuration -
    -
    -#enable_bitmapscan = on
    -#enable_hashagg = on
    -#enable_hashjoin = on
    -#enable_indexscan = on
    -#enable_indexonlyscan = on
    -#enable_material = on
    -#enable_mergejoin = on
    -#enable_nestloop = on
    -#enable_seqscan = on
    -#enable_sort = on
    -#enable_tidscan = on
    -
    -# - Planner Cost Constants -
    -
    -#seq_page_cost = 1.0                       # measured on an arbitrary scale
    -#random_page_cost = 4.0                    # same scale as above
    -#cpu_tuple_cost = 0.01                     # same scale as above
    -#cpu_index_tuple_cost = 0.005              # same scale as above
    -#cpu_operator_cost = 0.0025                # same scale as above
    -#effective_cache_size = 128MB
    -
    -# - Genetic Query Optimizer -
    -
    -#geqo = on
    -#geqo_threshold = 12
    -#geqo_effort = 5                   # range 1-10
    -#geqo_pool_size = 0                        # selects default based on effort
    -#geqo_generations = 0                      # selects default based on effort
    -#geqo_selection_bias = 2.0         # range 1.5-2.0
    -#geqo_seed = 0.0                   # range 0.0-1.0
    -
    -# - Other Planner Options -
    -
    -#default_statistics_target = 100   # range 1-10000
    -#constraint_exclusion = partition  # on, off, or partition
    -#cursor_tuple_fraction = 0.1               # range 0.0-1.0
    -#from_collapse_limit = 8
    -#join_collapse_limit = 8           # 1 disables collapsing of explicit
    -                                   # JOIN clauses
    -
    -
    -#------------------------------------------------------------------------------
    -# ERROR REPORTING AND LOGGING
    -#------------------------------------------------------------------------------
    -
    -# - Where to Log -
    -
    -#log_destination = 'stderr'                # Valid values are combinations of
    -                                   # stderr, csvlog, syslog, and eventlog,
    -                                   # depending on platform.  csvlog
    -                                   # requires logging_collector to be on.
    -
    -# This is used when logging to stderr:
    -logging_collector = on                     # Enable capturing of stderr and csvlog
    -                                   # into log files. Required to be on for
    -                                   # csvlogs.
    -                                   # (change requires restart)
    -
    -# These are only used if logging_collector is on:
    -#log_directory = 'pg_log'          # directory where log files are written,
    -                                   # can be absolute or relative to PGDATA
    -log_filename = 'postgresql-%a.log' # log file name pattern,
    -                                   # can include strftime() escapes
    -#log_file_mode = 0600                      # creation mode for log files,
    -                                   # begin with 0 to use octal notation
    -log_truncate_on_rotation = on              # If on, an existing log file with the
    -                                   # same name as the new log file will be
    -                                   # truncated rather than appended to.
    -                                   # But such truncation only occurs on
    -                                   # time-driven rotation, not on restarts
    -                                   # or size-driven rotation.  Default is
    -                                   # off, meaning append to existing files
    -                                   # in all cases.
    -log_rotation_age = 1d                      # Automatic rotation of logfiles will
    -                                   # happen after that time.  0 disables.
    -log_rotation_size = 0                      # Automatic rotation of logfiles will
    -                                   # happen after that much log output.
    -                                   # 0 disables.
    -
    -# These are relevant when logging to syslog:
    -#syslog_facility = 'LOCAL0'
    -#syslog_ident = 'postgres'
    -
    -# This is only relevant when logging to eventlog (win32):
    -#event_source = 'PostgreSQL'
    -
    -# - When to Log -
    -
    -#client_min_messages = notice              # values in order of decreasing detail:
    -                                   #   debug5
    -                                   #   debug4
    -                                   #   debug3
    -                                   #   debug2
    -                                   #   debug1
    -                                   #   log
    -                                   #   notice
    -                                   #   warning
    -                                   #   error
    -
    -#log_min_messages = warning                # values in order of decreasing detail:
    -                                   #   debug5
    -                                   #   debug4
    -                                   #   debug3
    -                                   #   debug2
    -                                   #   debug1
    -                                   #   info
    -                                   #   notice
    -                                   #   warning
    -                                   #   error
    -                                   #   log
    -                                   #   fatal
    -                                   #   panic
    -
    -#log_min_error_statement = error   # values in order of decreasing detail:
    -                                   #   debug5
    -                                   #   debug4
    -                                   #   debug3
    -                                   #   debug2
    -                                   #   debug1
    -                                   #   info
    -                                   #   notice
    -                                   #   warning
    -                                   #   error
    -                                   #   log
    -                                   #   fatal
    -                                   #   panic (effectively off)
    -
    -#log_min_duration_statement = -1   # -1 is disabled, 0 logs all statements
    -                                   # and their durations, > 0 logs only
    -                                   # statements running at least this number
    -                                   # of milliseconds
    -
    -
    -# - What to Log -
    -
    -#debug_print_parse = off
    -#debug_print_rewritten = off
    -#debug_print_plan = off
    -#debug_pretty_print = on
    -#log_checkpoints = off
    -#log_connections = off
    -#log_disconnections = off
    -#log_duration = off
    -#log_error_verbosity = default             # terse, default, or verbose messages
    -#log_hostname = off
    -#log_line_prefix = ''                      # special values:
    -                                   #   %a = application name
    -                                   #   %u = user name
    -                                   #   %d = database name
    -                                   #   %r = remote host and port
    -                                   #   %h = remote host
    -                                   #   %p = process ID
    -                                   #   %t = timestamp without milliseconds
    -                                   #   %m = timestamp with milliseconds
    -                                   #   %i = command tag
    -                                   #   %e = SQL state
    -                                   #   %c = session ID
    -                                   #   %l = session line number
    -                                   #   %s = session start timestamp
    -                                   #   %v = virtual transaction ID
    -                                   #   %x = transaction ID (0 if none)
    -                                   #   %q = stop here in non-session
    -                                   #        processes
    -                                   #   %% = '%'
    -                                   # e.g. '<%u%%%d> '
    -#log_lock_waits = off                      # log lock waits >= deadlock_timeout
    -#log_statement = 'none'                    # none, ddl, mod, all
    -#log_temp_files = -1                       # log temporary files equal or larger
    -                                   # than the specified size in kilobytes;
    -                                   # -1 disables, 0 logs all temp files
    -log_timezone = 'UTC'
    -
    -
    -#------------------------------------------------------------------------------
    -# RUNTIME STATISTICS
    -#------------------------------------------------------------------------------
    -
    -# - Query/Index Statistics Collector -
    -
    -#track_activities = on
    -#track_counts = on
    -#track_io_timing = off
    -#track_functions = none                    # none, pl, all
    -#track_activity_query_size = 1024  # (change requires restart)
    -#update_process_title = on
    -#stats_temp_directory = 'pg_stat_tmp'
    -
    -
    -# - Statistics Monitoring -
    -
    -#log_parser_stats = off
    -#log_planner_stats = off
    -#log_executor_stats = off
    -#log_statement_stats = off
    -
    -
    -#------------------------------------------------------------------------------
    -# AUTOVACUUM PARAMETERS
    -#------------------------------------------------------------------------------
    -
    -#autovacuum = on                   # Enable autovacuum subprocess?  'on'
    -                                   # requires track_counts to also be on.
    -#log_autovacuum_min_duration = -1  # -1 disables, 0 logs all actions and
    -                                   # their durations, > 0 logs only
    -                                   # actions running at least this number
    -                                   # of milliseconds.
    -#autovacuum_max_workers = 3                # max number of autovacuum subprocesses
    -                                   # (change requires restart)
    -#autovacuum_naptime = 1min         # time between autovacuum runs
    -#autovacuum_vacuum_threshold = 50  # min number of row updates before
    -                                   # vacuum
    -#autovacuum_analyze_threshold = 50 # min number of row updates before
    -                                   # analyze
    -#autovacuum_vacuum_scale_factor = 0.2      # fraction of table size before vacuum
    -#autovacuum_analyze_scale_factor = 0.1     # fraction of table size before analyze
    -#autovacuum_freeze_max_age = 200000000     # maximum XID age before forced vacuum
    -                                   # (change requires restart)
    -#autovacuum_vacuum_cost_delay = 20ms       # default vacuum cost delay for
    -                                   # autovacuum, in milliseconds;
    -                                   # -1 means use vacuum_cost_delay
    -#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
    -                                   # autovacuum, -1 means use
    -                                   # vacuum_cost_limit
    -
    -
    -#------------------------------------------------------------------------------
    -# CLIENT CONNECTION DEFAULTS
    -#------------------------------------------------------------------------------
    -
    -# - Statement Behavior -
    -
    -#search_path = '"$user",public'            # schema names
    -#default_tablespace = ''           # a tablespace name, '' uses the default
    -#temp_tablespaces = ''                     # a list of tablespace names, '' uses
    -                                   # only default tablespace
    -#check_function_bodies = on
    -#default_transaction_isolation = 'read committed'
    -#default_transaction_read_only = off
    -#default_transaction_deferrable = off
    -#session_replication_role = 'origin'
    -#statement_timeout = 0                     # in milliseconds, 0 is disabled
    -#vacuum_freeze_min_age = 50000000
    -#vacuum_freeze_table_age = 150000000
    -#bytea_output = 'hex'                      # hex, escape
    -#xmlbinary = 'base64'
    -#xmloption = 'content'
    -
    -# - Locale and Formatting -
    -
     datestyle = 'iso, mdy'
    -#intervalstyle = 'postgres'
    -timezone = 'UTC'
    -#timezone_abbreviations = 'Default'     # Select the set of available time zone
    -                                   # abbreviations.  Currently, there are
    -                                   #   Default
    -                                   #   Australia
    -                                   #   India
    -                                   # You can create your own file in
    -                                   # share/timezonesets/.
    -#extra_float_digits = 0                    # min -15, max 3
    -#client_encoding = sql_ascii               # actually, defaults to database
    -                                   # encoding
    -
    -# These settings are initialized by initdb, but they can be changed.
    -lc_messages = 'en_US.UTF-8'                        # locale for system error message
    -                                   # strings
    -lc_monetary = 'en_US.UTF-8'                        # locale for monetary formatting
    -lc_numeric = 'en_US.UTF-8'                 # locale for number formatting
    -lc_time = 'en_US.UTF-8'                            # locale for time formatting
    -
    -# default configuration for text search
     default_text_search_config = 'pg_catalog.english'
    -
    -# - Other Defaults -
    -
    -#dynamic_library_path = '$libdir'
    -#local_preload_libraries = ''
    -
    -
    -#------------------------------------------------------------------------------
    -# LOCK MANAGEMENT
    -#------------------------------------------------------------------------------
    -
    -#deadlock_timeout = 1s
    -#max_locks_per_transaction = 64            # min 10
    -                                   # (change requires restart)
    -# Note:  Each lock table slot uses ~270 bytes of shared memory, and there are
    -# max_locks_per_transaction * (max_connections + max_prepared_transactions)
    -# lock table slots.
    -#max_pred_locks_per_transaction = 64       # min 10
    -                                   # (change requires restart)
    -
    -
    -#------------------------------------------------------------------------------
    -# VERSION/PLATFORM COMPATIBILITY
    -#------------------------------------------------------------------------------
    -
    -# - Previous PostgreSQL Versions -
    -
    -#array_nulls = on
    -#backslash_quote = safe_encoding   # on, off, or safe_encoding
    -#default_with_oids = off
    -#escape_string_warning = on
    -#lo_compat_privileges = off
    -#quote_all_identifiers = off
    -#sql_inheritance = on
    -#standard_conforming_strings = on
    -#synchronize_seqscans = on
    -
    -# - Other Platforms and Clients -
    -
    -#transform_null_equals = off
    -
    -
    -#------------------------------------------------------------------------------
    -# ERROR HANDLING
    -#------------------------------------------------------------------------------
    -
    -#exit_on_error = off                       # terminate session on any error?
    -#restart_after_crash = on          # reinitialize after backend crash?
    -
    -
    -#------------------------------------------------------------------------------
    -# CUSTOMIZED OPTIONS
    -#------------------------------------------------------------------------------
    -
    -# Add settings for extensions here
    +lc_messages = 'en_US.UTF-8'
    +lc_monetary = 'en_US.UTF-8'
    +lc_numeric = 'en_US.UTF-8'
    +lc_time = 'en_US.UTF-8'
    +listen_addresses = 'localhost'
    +log_directory = 'pg_log'
    +log_filename = 'postgresql-%a.log'
    +log_rotation_age = '1d'
    +log_rotation_size = 0
    +log_truncate_on_rotation = on
    +logging_collector = on
    +max_connections = 100
    +port = 5432
    +shared_buffers = '32MB'
Recipe: postgresql::server_redhat
  * service[postgresql] action restart
    - restart service service[postgresql]
Recipe: postgresql::server
  * template[/var/lib/pgsql9/data/pg_hba.conf] action create
    - update content in file /var/lib/pgsql9/data/pg_hba.conf from 8daecd to 1ac5b0
    --- /var/lib/pgsql9/data/pg_hba.conf        2014-08-06 07:19:55.911989875 +0000
    +++ /tmp/chef-rendered-template20140806-1663-h07dtu 2014-08-06 07:20:04.507932555 +0000
    @@ -1,90 +1,25 @@
    +# This file was automatically generated and dropped off by Chef!
    +
     # PostgreSQL Client Authentication Configuration File
     # ===================================================
     #
     # Refer to the "Client Authentication" section in the PostgreSQL
    -# documentation for a complete description of this file.  A short
    -# synopsis follows.
    -#
    -# This file controls: which hosts are allowed to connect, how clients
    -# are authenticated, which PostgreSQL user names they can use, which
    -# databases they can access.  Records take one of these forms:
    -#
    -# local      DATABASE  USER  METHOD  [OPTIONS]
    -# host       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
    -# hostssl    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
    -# hostnossl  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
    -#
    -# (The uppercase items must be replaced by actual values.)
    -#
    -# The first field is the connection type: "local" is a Unix-domain
    -# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
    -# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
    -# plain TCP/IP socket.
    -#
    -# DATABASE can be "all", "sameuser", "samerole", "replication", a
    -# database name, or a comma-separated list thereof. The "all"
    -# keyword does not match "replication". Access to replication
    -# must be enabled in a separate record (see example below).
    -#
    -# USER can be "all", a user name, a group name prefixed with "+", or a
    -# comma-separated list thereof.  In both the DATABASE and USER fields
    -# you can also write a file name prefixed with "@" to include names
    -# from a separate file.
    -#
    -# ADDRESS specifies the set of hosts the record matches.  It can be a
    -# host name, or it is made up of an IP address and a CIDR mask that is
    -# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
    -# specifies the number of significant bits in the mask.  A host name
    -# that starts with a dot (.) matches a suffix of the actual host name.
    -# Alternatively, you can write an IP address and netmask in separate
    -# columns to specify the set of hosts.  Instead of a CIDR-address, you
    -# can write "samehost" to match any of the server's own IP addresses,
    -# or "samenet" to match any address in any subnet that the server is
    -# directly connected to.
    -#
    -# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi",
    -# "krb5", "ident", "peer", "pam", "ldap", "radius" or "cert".  Note that
    -# "password" sends passwords in clear text; "md5" is preferred since
    -# it sends encrypted passwords.
    -#
    -# OPTIONS are a set of options for the authentication in the format
    -# NAME=VALUE.  The available options depend on the different
    -# authentication methods -- refer to the "Client Authentication"
    -# section in the documentation for a list of which options are
    -# available for which authentication methods.
    -#
    -# Database and user names containing spaces, commas, quotes and other
    -# special characters must be quoted.  Quoting one of the keywords
    -# "all", "sameuser", "samerole" or "replication" makes the name lose
    -# its special character, and just match a database or username with
    -# that name.
    -#
    -# This file is read on server startup and when the postmaster receives
    -# a SIGHUP signal.  If you edit the file on a running system, you have
    -# to SIGHUP the postmaster for the changes to take effect.  You can
    -# use "pg_ctl reload" to do that.
    +# documentation for a complete description of this file.
     
    -# Put your actual configuration here
    -# ----------------------------------
    -#
    -# If you want to allow non-local connections, you need to add more
    -# "host" records.  In that case you will also need to make PostgreSQL
    -# listen on a non-local interface via the listen_addresses
    -# configuration parameter, or via the -i or -h command line switches.
    +# TYPE  DATABASE        USER            CIDR-ADDRESS            METHOD
     
    +###########
    +# Other authentication configurations taken from chef node defaults:
    +###########
     
    +local   all             postgres                                ident
     
    -# TYPE  DATABASE        USER            ADDRESS                 METHOD
    +local   all             all                                     ident
     
    +host    all             all             127.0.0.1/32            md5
    +
    +host    all             all             ::1/128                 md5
    +
     # "local" is for Unix domain socket connections only
    -local   all             all                                     peer
    -# IPv4 local connections:
    -host    all             all             127.0.0.1/32            ident
    -# IPv6 local connections:
    -host    all             all             ::1/128                 ident
    -# Allow replication connections from localhost, by a user with the
    -# replication privilege.
    -#local   replication     postgres                                peer
    -#host    replication     postgres        127.0.0.1/32            ident
    -#host    replication     postgres        ::1/128                 ident
    +local   all             all                                     ident
Recipe: postgresql::server_redhat
  * service[postgresql] action restart
    - restart service service[postgresql]
Recipe: postgresql::server
  * bash[assign-postgres-password] action run
    - execute "bash"  "/tmp/chef-script20140806-1663-1l0j7z2"
Recipe: postgresql::server_redhat
  * service[postgresql] action restart
    - restart service service[postgresql]

Running handlers:
Running handlers complete
Chef Client finished, 17/21 resources updated in 23.96606356 seconds
Running tests to confirm postgresql is installed, running and activated
spec/chef-node01/postgres_spec.rb
require 'spec_helper'

describe package('postgresql9') do
  it { should be_installed }
end

describe service('postgresql') do
  it { should be_enabled   }
  it { should be_running   }
end

describe user('postgres') do
  it { should exist }
end

describe port(5432) do
  it { should be_listening }
end

describe file('/var/lib/pgsql9/data/postgresql.conf') do
  it { should be_file }
end


$ rspec spec/chef-node01/postgres_spec.rb 

Package "postgresql9"
  should be installed

Service "postgresql"
  should be enabled
  should be running

User "postgres"
  should exist []

Port "5432"
  should be listening

File "/var/lib/pgsql9/data/postgresql.conf"
  should be file

Finished in 0.34722 seconds
6 examples, 0 failures

I should try attributes to use host specific properties next.


iJAWS@Doorkeeper