Container improvements

- The SSL certificate will be named 'chef-server.crt' by default - Disabled non SSH traffic (HTTP requests to SSL port will fail) - Moved all the Chef configuration commands out of 'run.sh'
c-buisson · Mar 3, 2017 · 91bec1f · 91bec1f
1 parent 3f52f78
commit 91bec1f
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@ This is a fork of: [base/chef-server](https://registry.hub.docker.com/u/base/che
 ## Environment
 Chef is running over HTTPS/443 by default. You can however change that to another port by updating the `CHEF_PORT` variable and the expose port `-p`.
 
-## Usage
+## Start the container
 *Launch the container:*
 
 ```
@@ -21,10 +21,16 @@ $ docker run --privileged -e CHEF_PORT=443 --name chef-server -d -p 443:443 cbui
 $ docker run --privileged -e CHEF_PORT=443 --name chef-server -d -v ~/chef-logs:/var/log -v ~/install-chef-out:/root -p 443:443 cbuisson/chef-server
 ```
 
+**Note:** By default `chef-server-ctl reconfigure` will create SSL certificates based on the container's FQDN (i.e "103d6875c1c5" which is its "CONTAINER ID"), I have changed that behiavior to always have a SSL certificate file named "chef-server.crt". You can change the certificate name by adding  `-e CONTAINER_NAME=new_name` to the `docker run` command. Remember to reflect that change in config.rb!
+
+'chef-server' or $CONTAINER_NAME **need to be resolvable by hostname!**
+
+## Setup knife
+
 Once Chef Server 12 is configured, you can download the Knife admin keys here:
 
 ```
-$ curl -Ok https://CONTAINER_ID:CHEF_PORT/knife_admin_key.tar.gz
+curl -Ok https://chef-server:$CHEF_PORT/knife_admin_key.tar.gz
 ```
 
 Then un-tar that archive and point your config.rb to the `admin.pem` and `admin-validator.pem` files.
@@ -39,28 +45,28 @@ node_name                'admin'
 client_key               '/home/cbuisson/.chef/admin.pem'
 validation_client_name   'admin-validator'
 validation_key           '/home/cbuisson/.chef/admin-validator.pem'
-chef_server_url          'https://CONTAINER_ID:CHEF_PORT/organizations/my_org'
+chef_server_url          'https://chef-server:$CHEF_PORT/organizations/my_org'
 ```
-Note: CONTAINER_ID **needs** to be resolvable by hostname!
 
-When the config.rb file is ready, you will need to get the SSL certificate files from the container to access Chef Server:
+When the config.rb file is ready, you will need to get the SSL certificate file from the container to access Chef Server:
 
 ```bash
 cbuisson@t530:~/.chef# knife ssl fetch
-WARNING: Certificates from 512ab20b1e0d will be fetched and placed in your trusted_cert
+WARNING: Certificates from chef-server will be fetched and placed in your trusted_cert
 directory (/home/cbuisson/.chef/trusted_certs).
 
 Knife has no means to verify these are the correct certificates. You should
 verify the authenticity of these certificates after downloading.
 
-Adding certificate for 512ab20b1e0d in /home/cbuisson/.chef/trusted_certs/512ab20b1e0d.crt
+Adding certificate for chef-server in /home/cbuisson/.chef/trusted_certs/chef-server.crt
 ```
 
 You should now be able to use the knife command!
 ```bash
 cbuisson@t530:~# knife user list
 admin
 ```
+**Done!**
 
 ##### Known issue
 `chef-manage-ctl reconfigure` needs to run in order to access the Chef webui. When this command is executed within the container, it blocks here:
@@ -71,4 +77,4 @@ Therefore the Chef Server 12 webui isn't available at the moment, however this i
 
 ##### Tags
 v1.0: Chef Server 11
-v2.0: Chef Server 12
+v2.X: Chef Server 12
diff --git a/configure_chef.sh b/configure_chef.sh
@@ -1,5 +1,15 @@
 #/bin/bash -x
 
+cat > /etc/opscode/chef-server.rb << EOL
+nginx['enable_non_ssl']=false
+nginx['ssl_port']=$CHEF_PORT
+EOL
+if [[ ! -z $CONTAINER_NAME ]]; then
+  echo "nginx['server_name']=\"$CONTAINER_NAME\"" >> /etc/opscode/chef-server.rb
+else
+  echo "nginx['server_name']=\"chef-server\"" >> /etc/opscode/chef-server.rb
+fi
+
 chef-server-ctl reconfigure |tee /root/out.txt
 
 URL="http://127.0.0.1:8000/_status"
@@ -32,8 +42,8 @@ if [[ -z "$return" ]]; then
       echo "$URL is not available after $SECONDS seconds...stopping the script!" |tee -a /root/out.txt
       exit 1
     fi
-
   done;
+
   echo -e "\n\n$URL is available!\n" |tee -a /root/out.txt
   echo -e "\nSetting up admin user and default organization" |tee -a /root/out.txt
   chef-server-ctl user-create admin Admin User [email protected] "passwd"  --filename /etc/chef/admin.pem |tee -a /root/out.txt
@@ -42,4 +52,14 @@ if [[ -z "$return" ]]; then
   chef-server-ctl install chef-manage |tee -a /root/out.txt
   echo -e "\nRunning: chef-server-ctl reconfigure" |tee -a /root/out.txt
   chef-server-ctl reconfigure |tee -a /root/out.txt
+  echo "{ \"error\": \"Please use https:// instead of http:// !\" }" > /var/opt/opscode/nginx/html/500.json
+  sed -i "s,/503.json;,/503.json;\n    error_page 497 =503 /500.json;,g" /var/opt/opscode/nginx/etc/chef_https_lb.conf
+  sed -i '$i\    location /knife_admin_key.tar.gz {\n      default_type application/zip;\n      alias /etc/chef/knife_admin_key.tar.gz;\n    }' /var/opt/opscode/nginx/etc/chef_https_lb.conf
+  echo -e "\nCreating tar file with the Knife keys" |tee -a /root/out.txt
+  cd /etc/chef/ && tar -cvzf knife_admin_key.tar.gz admin.pem admin-validator.pem
+  echo -e "\nRestart Nginx..." |tee -a /root/out.txt
+  chef-server-ctl restart nginx
+  chef-server-ctl status |tee -a /root/out.txt
+  touch /root/chef_configured
+  echo -e "\n\nDone!\n" |tee -a /root/out.txt
 fi
diff --git a/run.sh b/run.sh
@@ -7,14 +7,5 @@ if [ -f "/root/chef_configured" ]
     chef-server-ctl status |tee -a /root/out.txt
   else
     /usr/local/bin/configure_chef.sh
-    sed -i "s,    listen 443;,    listen $CHEF_PORT;,g" /var/opt/opscode/nginx/etc/chef_https_lb.conf
-    sed -i '$i\    location /knife_admin_key.tar.gz {\n      default_type application/zip;\n      alias /etc/chef/knife_admin_key.tar.gz;\n    }' /var/opt/opscode/nginx/etc/chef_https_lb.conf
-    echo -e "\nCreating tar file with the Knife keys" |tee -a /root/out.txt
-    cd /etc/chef/ && tar -cvzf knife_admin_key.tar.gz admin.pem admin-validator.pem
-    echo -e "\nRestart Nginx..." |tee -a /root/out.txt
-    chef-server-ctl restart nginx
-    chef-server-ctl status |tee -a /root/out.txt
-    touch /root/chef_configured
-    echo -e "\n\nDone!\n" |tee -a /root/out.txt
 fi
 tail -F /opt/opscode/embedded/service/*/log/current