Overview and Objectives
This post features a walkthrough on how to set up and get started with a trial version of Chef Automate in minutes on your Alibaba Cloud Elastic Compute Service (ECS) Ubuntu machine.
About Chef Automate
Chef Automate is a full enterprise platform suite that enables continuous automation to deliver infrastructure, compliance, and applications effortlessly. It provides actionable insights into the state of your compliance and configurations, with an auditable history of every change that’s been applied to your environments.
Chef Automate integrates with the open-source products Chef, InSpec and Habitat, and it comes with comprehensive 24×7 support services for the entire platform, including open source components.
- Chef is for infrastructure automation. It helps you turn infrastructure into code and serve it up quickly, with a historical backlog of changes.
- InSpec is for compliance automation. It helps you to assess your infrastructure’s adherence to compliance requirements, correct compliance failures, and monitor your infrastructure on an ongoing basis.
- Habitat is for application automation. It is a way to build and run your applications both on containers and using traditional services, such as the cloud or on-premise.
In this walkthrough, we will guide you through installing Chef Automate on an Ubuntu machine and introduce its core features.
You should have an Alibaba Cloud account. If you don’t have one already, visit the Free Trial page for a free account.
Installing Chef Automate
Step 1: Launch Alibaba Cloud ECS Instance for Linux Machine
Chef Automate requires the following minimum system resources in order to work on an Ubuntu 16.04 instance:
- 4 GB RAM
- 5 GB free disk space
- 2 CPUs
To meet these requirements, we will launch an ecs.t5-lc1m2.large instance, which has 2 vCPUs and 4 GiB of memory with 40 GiB Ultra Cloud Disks. Follow the steps below to launch an instance with this configuration.
1. Log in to your Alibaba Cloud ECS Management Console, where you will be redirected to the main dashboard.
2. Click Elastic Compute Service under the Products section. This will take you to the ECS overview dashboard.
3. Click the Create Instance button. It will redirect you to the ECS instance creation wizard. Here, you have two purchase types depending on your needs: Basic Purchase and Advanced Purchase. For the sake of this guide, we’ll pick Basic Purchase. Pick a data center region in which to launch your ECS instance. Choose Burstable Type t5 2C4G as the instance type, which matches the Chef Automate minimum system requirements.
4. You will now select the operating system from the dropdown menu. Select Ubuntu as the operating system and 16.04 64bit as the version.
5. We’ll use the VPC network type and the pay-by-traffic billing type for the demo, so we don’t need to customize them. However, to be able to connect to Chef Automate from the local computer, we’ll need a public IP address. Therefore, increase the bandwidth to 1 Mbps or more to allocate a public IP address for your instance.
6. Review the details of your purchase configuration, and make changes if needed. Click Buy Now to confirm and launch your server.
7. You will see your instances in the Instances section of ECS dashboard.
8. Click Manage to see detailed information about your instance. We’ll use SSH to connect to our instance. First, save your instance’s public IP address. Next, change the login password of the instance by clicking More and Reset Password from the Basic Information section.
9. Enter a new password and restart the instance for the new password to take effect.
10. Navigate to Security Groups from the left panel and select Add Rules.
11. We’ll use port 22 to connect to the instance and port 443 to reach the Chef Automate Web UI. Check whether the instance is already set to allow inbound traffic on ports 22 and 443. If not, select Add Security Group Rules to create a new rule.
Step 2: Connect ECS Instance Using SSH
Here we’ll show you how to connect to the ECS instance using a terminal on Mac or Linux. If you are using a Windows computer to connect to the instance, please follow Alibaba's comprehensive guide about it.
First, open a terminal and run ssh root@[your-instance-public-ip]. It will then ask you to add the host key fingerprint to local storage; type yes. Finally, enter the logon password that you set up in step 9 above. The output will look similar to the following:
LocalMacbook:~ local$ ssh root@[your-instance-public-ip]
The authenticity of host '220.127.116.11 (18.104.22.168)' can't be established.
ECDSA key fingerprint is SHA256:mIPEqy7CFf6Xv9/5NDxTksbX+t/4IY6+hB0D6+8+NFE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '22.214.171.124' (ECDSA) to the list of known hosts.
Welcome to Alibaba Cloud Elastic Compute Service !
Last login: Sun Feb 10 05:16:29 2019 from *********
At this stage, you are successfully logged in to your Ubuntu 16.04 instance running on Alibaba Cloud. Let’s first update the package list before installing anything else. Run the command shown below.
root@iZrj91bne18a1ghb4zbdn6Z:~# sudo apt-get update
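The host key prompt in the session above is the point where a man-in-the-middle would go unnoticed, so the following added example (not part of the original post) shows how the displayed fingerprint can be checked against the host's real public key. It assumes you can read the instance's public host key over a channel other than SSH, such as the ECS console; the key line below is a constructed sample, and the function names are hypothetical.

```bash
#!/bin/sh
# Added example (not from the original post): check the fingerprint shown in
# the ssh prompt against the host's real public key before typing "yes".

# Read one public key line ("<type> <base64-blob> [comment]") on stdin and
# print its OpenSSH SHA256 fingerprint: base64(sha256(blob)) without padding.
# `ssh-keygen -lf <file>` prints the same value.
pubkey_fingerprint() {
    digest=$(awk '{print $2}' | base64 -d | openssl dgst -sha256 -binary |
        base64 | tr -d '=\n')
    printf 'SHA256:%s\n' "$digest"
}

# host_key_matches SHOWN_FINGERPRINT TRUSTED_PUBKEY_LINE
# Succeeds only when the fingerprint ssh displayed equals the fingerprint of
# the key line obtained out of band.
host_key_matches() {
    [ "$1" = "$(printf '%s\n' "$2" | pubkey_fingerprint)" ]
}

# Constructed sample, not a real host key (a truncated ECDSA key header). In
# practice this line is the content of /etc/ssh/ssh_host_ecdsa_key.pub on the
# instance, read through the ECS console rather than over SSH.
TRUSTED_PUBKEY='ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYA constructed-sample'
# Fingerprint copied from the ssh prompt in the session shown on this page.
SHOWN_FP='SHA256:mIPEqy7CFf6Xv9/5NDxTksbX+t/4IY6+hB0D6+8+NFE'

if host_key_matches "$SHOWN_FP" "$TRUSTED_PUBKEY"; then
    echo "fingerprint verified: answer yes"
else
    echo "fingerprint mismatch: answer no and investigate"
fi
```

With the constructed key the script reports a mismatch, which is the case where the connection should not be accepted.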
Step 3: Install Chef Automate
In order to install Chef Automate, run the curl command shown below. It will download the latest Chef Automate Linux package installer from Chef's official package distribution service and unzip the executable installer file.
root@iZrj91bne18a1ghb4zbdn6Z:~# curl https://packages.chef.io/files/current/automate/latest/chef-automate_linux_amd64.zip | gunzip - > chef-automate && chmod +x chef-automate
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 8689k 100 8689k 0 0 17.3M 0 --:--:-- --:--:-- --:--:-- 17.3M
Run the command below to set up Chef Automate on your instance.
root@iZrj91bne18a1ghb4zbdn6Z:~# sudo ./chef-automate deploy
You will be prompted to accept Chef’s Terms of Service and Master License and Services Agreement. Once you’ve accepted these agreements, the installer will run pre-flight checks. If everything works well, it will then download, configure, and deploy Chef Automate. Otherwise, try to resolve the failed checks using the information provided by the installer.
When the installer completes, it will return a URL for accessing the Web UI. However, it won’t work, as we didn’t set up a fully qualified domain name (FQDN) for the instance. For the sake of the demo installation, we’ll replace the FQDN with our instance’s public IP address. In a production environment, however, you should obtain a domain name for your services.
To change the FQDN of your Chef Automate installation to your instance’s public IP address, create a .toml file that contains the partial configuration:
[global.v1]
fqdn = "your-instance-s-public-ip-address"
Then run chef-automate config patch </path/to/your-file.toml> to deploy your change. Now from your web browser, you can navigate to https://your-instances-public-ip-address to reach the Chef Automate Web UI. It might take a minute or so for the site to become available after launch.
The first time you connect, you will be presented with a screen saying Your connection is not private. The reason for this is that you are using HTTPS, but there is no SSL certificate that your browser trusts. That’s OK in our test environment, so click on Advanced, then Proceed to your-instance-public-ip-address (unsafe).
You will be prompted for login credentials. You can find these credentials in the automate-credentials.toml file on the instance, so connect to the instance and cat that file.
root@iZrj91bne18a1ghb4zbdn6Z:~# sudo cat automate-credentials.toml
You will then be prompted to register for a 60-day trial license. Fill in the form as appropriate, click to agree to the Terms and Conditions, and click Sign Up.
It will show you the date when the trial license will expire. Click It’s ok, I know what I am doing to see the main Chef Automate screen.
At the top, you will see six tabs — Event Feeds, Client Runs, Compliance, Scan Jobs, Asset Store, and Settings. The default view upon login is the Event Feeds tab. This tab shows a timeline representing Chef Server and Compliance events.
Configure Chef Automate
Chef Automate installs a chef-automate CLI that provides configuration commands to help you work with and configure your existing Chef Automate installation. Above, in Step 3, we already used it to configure the FQDN setting of our installation. Here, we'll explain some more use cases where you can work with it.
Important: The commands below might require
- chef-automate config show shows you your current Chef Automate settings, with the exception of default configurations.
- Chef Automate uses the TOML file format for configuration files. In order to update your existing Chef Automate configuration, create a file that includes your changes and save it with the .toml file extension. Then use chef-automate config patch </path/to/partial-config.toml> to apply the changes to your existing configuration. This command is sufficient in most situations when dealing with Chef Automate settings.
- If you want to replace the current Chef Automate settings with completely new ones, use the chef-automate config set </path/to/full-config.toml> command. To generate a configuration file with the minimum settings needed to deploy Chef Automate, you can use the chef-automate init-config command. Below we'll describe those settings and how to change them.
- Chef Automate FQDN: We already used this option above to reach the Chef Automate Web UI. Create a .toml file that contains the partial configuration as shown below:
[global.v1]
fqdn = "example.fqdn.com"
Then run chef-automate config patch </path/to/fqdn-patch-file.toml> to apply changes.
- Update Strategy: It allows you to decide how Chef Automate will be upgraded. The default option is at-once, which upgrades the installation when new packages are detected. If you want to freeze the installation at the current set of packages, create a .toml file that contains the partial configuration as shown below:
[deployment.v1.svc]
upgrade_strategy = "none"
Then run chef-automate config patch </path/to/update-strategy-patch-file.toml> to apply changes.
- Load Balancer Certificate and Private Key: When we tried to open the Chef Automate Web UI, the browser returned an error regarding the SSL certificate. In order to fix this error, you should update the load balancer certificate and private key to match your FQDN settings. Create a .toml file that contains the SSL certificate and its private key as shown below:
[[global.v1.frontend_tls]]
# The TLS certificate for the load balancer frontend.
cert = """-----BEGIN CERTIFICATE-----
<your certificate>
-----END CERTIFICATE-----
"""
# The TLS RSA key for the load balancer frontend.
key = """-----BEGIN RSA PRIVATE KEY-----
<your private key>
-----END RSA PRIVATE KEY-----
"""
Then run chef-automate config patch </path/to/load-balancer-patch-file.toml> to apply changes.
- Global Log Level: By default, Chef Automate initializes all services at the info log level, but the following settings are available:
fatal. In order to change the logging level of services, create a .toml file that contains the partial configuration for the logging level as shown below:
[global.v1.log]
level = "debug"
Then run chef-automate config patch </path/to/log-level-patch-file.toml> to apply changes.
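For the Load Balancer Certificate and Private Key item above, a mismatched key or a certificate issued for another name is easier to catch before the patch is applied. The following added example (not code from the original post or from Chef) checks the pair with openssl and only then writes the partial configuration. It assumes `[[global.v1.frontend_tls]]` as the Chef Automate table for this setting; the function names, file names and the FQDN automate.example.com are constructed for the demo.

```bash
#!/bin/sh
# Added example: validate a certificate/key pair for the Chef Automate load
# balancer, then write the partial configuration for `config patch`.

# Succeeds only if private key $2 belongs to certificate $1.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if certificate $1 is valid for hostname $2.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# write_lb_patch CERT KEY FQDN OUT: refuse mismatched, wrong-host or expired
# material; otherwise write the patch file readable by its owner only.
write_lb_patch() {
    cert_matches_key "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    cert_covers_host "$1" "$3" || { echo "certificate is not valid for $3" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo "certificate expired" >&2; return 1; }
    (
        umask 077   # the file embeds the private key
        {
            echo '[[global.v1.frontend_tls]]'
            printf 'cert = """%s\n"""\n' "$(cat "$1")"
            printf 'key = """%s\n"""\n' "$(cat "$2")"
        } > "$4"
    )
}

# Constructed demo input: throwaway self-signed pairs for made-up FQDNs.
demo_dir=$(mktemp -d)
make_pair() {  # make_pair NAME FQDN
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.crt" 2>/dev/null
}
make_pair good automate.example.com
make_pair other other.example.com

write_lb_patch "$demo_dir/good.crt" "$demo_dir/good.key" automate.example.com \
    "$demo_dir/load-balancer-patch.toml" && echo "patch written"
write_lb_patch "$demo_dir/good.crt" "$demo_dir/other.key" automate.example.com \
    "$demo_dir/bad.toml" || echo "rejected: wrong key"
```

The resulting file contains the private key, so remove it once the patch has been applied.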
Here, we explain only the minimal configurations that you might need during the first baby steps of using Chef Automate. If you want to learn more about the configuration options of Chef Automate, please check the comprehensive documentation that explains all other configuration options in detail.