How do I manage a single chef server to be used by all

Question

I'm past being new to Chef, though NOT an expert by any means. Using open-source Chef, I'm setting up a single chef server that will have ALL my company's cookbooks that aim to install our product application on a VMs that's running a base OS, say RHEL 5.10. I'm segregating the cookbook files in version control, but how do I segregate them when I funnel them in the ONE chef server? Here are my challenges:

• My company has different products, say ProdA, ProdB, and ProdA and ProdB are totally different.
• Even though these two products may share common applications, the implementation of the application in each product is different. For example, even though I install ActiveMQ on both products, ActiveMQ is installed differently on each product.
• Also I need to be able to install, on a whim, different versions of ProdA software on VMs slated for ProdA. Same for ProdB, for VMs slated for ProdB. I will NEVER instal ProdA software on VMs slated for ProdB, and vise-versa.
• A certain set of cookbooks may work for v1.0 of ProdA software, while a different set may work for v2.0 of ProdA software
• One group of developers may be working on ProdA cookbooks concurrently; a different group of developers may work on ProdB cookbooks I want to segregate each developers' version of his/her cookbook.
• I want to segregate developers' cookbooks, from cookbooks used by QA, or the customer

Here's a simple work flow, extending my ActiveMQ I alluded to above

• Dev1 works on a cookbook to install ActiveMQ on ProdA. Also Dev11 works on a cookbook to install ActiveMQ on ProdB. Again even though they're both for ActiveMQ, the installation is different. How do we segregate the two ActiveMQ cookbooks, give them different name - ProdA_ActiveMQ vs. ProdB_ActiveMQ? This just looks ogly!
• Dev2 wants to tweak Dev1's ProdA/ActiveMQ cookbook, and does test it in his local environment. Now Dev2 wants other devs to try it so he uploads it to the chef server. How can we ensure that he doesn't break everybody's ActiveMQ installation?
• Version 1.0-1.4 of ProdA uses version 0.1.0 of ActiveMQ cookbook, but version 1.4-1.20 of ProdA needs version 0.2.0 of ActiveMQ. How can I model this?
• I'm working on a feature for Version 2.0 of ProdA. But my manager tells me to work on a hot field problem on version 1.44 or our product. How do I quickly know what set of cookbooks were used to install v 1.44 of ProdA?

I know this may be a loaded post. Is there a better forum for this? Can someone point me to a link where pieces of my scenario are done? Thanks.

Answer 1

When running chef at scale there are three ways to isolate configuration between users.

1. Use enterprise chef and setup an chef "organisation" for functional group of users
2. Use open source chef server and setup a server for each functional group of users.
3. Create chef "environments" for each functional group, within a single instance of chef server.

I would love to see more discussion or publications from users operating chef at scale. Some of us need to support dev teams who do not use chef and cannot live with a one size fits all server setup.

Options 1 + 2

In practice, I have discovered that enterprise chef "organisations" are functionally the same as running separate servers. You still need to load cookbooks, roles, data bags, separately into each.

I maintain this approach is simple to understand but complex to maintain. Each instance of chef server/organisation requires its own chef repo, access keys and Jenkins loading jobs.

Option 3

Using chef environments is harder to understand. Once it is properly understood I think it's simpler to implement. Berkshelf is tool that makes it all possible.

First of all don't be mislead by the chef documentation. The examples of environments they give are global in nature:

• Development
• Test
• Production

This gives the impression that all production applications would share the same set of cookbooks. Once the number of apps starts to increase, you start getting into lots of trouble with conflicting run-times. Berkshelf v2.0 really sucked here... It frequently loaded inconsistent sets of cookbooks with absolutely no warning :-(

So.. Berkshelf v3.0 to the rescue and Jamie Winsor's blog posting on cookbook patterns:

• Application, Wrapper, Library and Environment cookbooks

The Environment cookbook pattern proposes a chef environment for each application instance.

• app1-dev
• app1-test
• app1-prod

The "Berkshelf.lock" is committed and saved into the Environment cookbook version and used to load the cookbook dependencies of a particular environment. An example of this pattern in action is the berkshelf-api installation.

The lightbulb for me was then I found the following chef search condition in the haproxy cookbook

pool_members = search("node", "role:#{node['haproxy']['app_server_role']} AND chef_environment:#{node.chef_environment}") || []

The members of the load balanced pool share a common role and environment. So... Either the role is application instance specific or the environment is!

Answer 2

As mentioned up in the comments, this is generally solved through the use of library and wrapper cookbooks. You would have a shared activemq cookbook (possibly from the community site or written in-house) which provides a the core configuration steps for ActiveMQ. The nfor each environment you would have a cookbook/recipe like prod_a::activemq or which sets whatever specific attributes or other things you need for that environment and then either uses include_recipe or LWRPs from the activemq cookbook. You can find more information about this environment cookbook pattern on Jamie's blog. You can also check out poise-appenv if you want an intermediate layer of environment-y config. You can use knife-solve to always see which versions of each cookbook are active on a given node.