Small business server via Chef - the true way


#1

Earlier we used the Zentyal small business server. But because it is very
buggy, we want to learn Chef and use it to automate setting up servers
and workstations.

For example, this software deleted half of our users in the LDAP catalog
after a minor update, and after this we decided that Chef is very robust.

Now we want to set up the following services:

  1. OpenLDAP + Kerberos kadmind and KDC on the same server, + sudo-ldap
  2. DNS: BIND with 2 views, for intranet and internet.
  3. DHCP with dynamic updates of BIND zones.
  4. Firewall: iptables with forwarding rules to expose our local-network
    services, for example Redmine, internal FTPS and others, to the world
  5. Samba share with LDAP user lookup and Kerberos Negotiate authentication.
  6. NFS - no problems, that's very easy I think.
  7. NTP clients and server - no problems, that's very easy I think.
  8. OpenVPN server with server-bridge configuration
    And maybe more in the future, of course

Because of these server roles I must write recipes for each component.
Sometimes I use a community cookbook, but sometimes I can't use
community cookbooks because we use very specific configurations of some
services.

For example OpenLDAP. The OpenLDAP community cookbook uses deprecated
components, for example libnss-ldap instead of libnss-ldapd. And many
other things do not satisfy our requirements.

What is the best practice for this situation: "the community cookbook
does not satisfy requirements"? One method known to me is using chef-edit;
maybe there are other methods?

Suppose I write my own recipes and cookbooks to set up
openldap+kerberos+sudoldap. What's next?

Suppose I want to change my configuration, the LDAP schema, add a user, etc.
Must I consider this at the planning phase? I think there will be a lot of
work because of this.

I call these primary components of an IT infrastructure the "system kernel".

The system kernel for our network contains the following components:
OpenLDAP, sudo-ldap modifications, Kerberos KDC + kadmind, DNS, DHCP.

Maybe this is the way to nowhere. Maybe the system kernel should not be
configured via Chef because it will be a lot of work?

Maybe use Chef only for simple components: ntp, apt, nfs?

Ideally we want to keep all data in one place. I thought this could be
achieved by using Chef across the whole infrastructure. But now I'm starting
to count the working time needed to release this, and I'm starting to get nervous.

Because I cannot understand how to tie it all together properly. I have
been learning Chef for only one and a half weeks. I think it is impossible
for one person to create a Zentyal with only Chef.

While on the other hand I understand that nothing here is complicated. But
the problem is that I am being asked for specific deadlines.

Next I want to say that I have been manually writing recipes to bring up
OpenLDAP with sudo-ldap and Kerberos KDC, kadmind for the last week.

I don't understand where I can keep users with passwords. Management did
not want me to store passwords in cleartext. Of course this is not the
true way. But Kerberos needs this when creating principals.

I don't know about LDAP passwords. Maybe you can write password hashes
to the database. With Kerberos this is impossible. So I can't use
Kerberos if management doesn't want to store cleartext passwords, despite
Chef data bag encryption.

Next I have a question about ideas for the configuration of bind + dhcpd +
firewall, including data bags vs attributes vs a MySQL database. What do
you think about this?

The data necessary for this is: computer names, MAC addresses, IP addresses, etc.

And what should the goal of the recipes be for me?

Configuring everything from scratch, with users, computers and other options
from the "database", on an empty server if the current server dies?

Is this the true way? Might it be easier to move the disks to the
new (reserve) hardware and fix some configs?

Of course in the future I will have more questions.

I think this goal is very common in many organizations around the
world. I would like to hear your opinion about my work and goals.

In the long term, if it works, I would create a separate repository for
the project, so that everyone could use my achievements and participate
in the creation of a "Chef small business server project"

Unless, of course, you persuade me otherwise.

Thank you very much. Sorry for my bad English.


Best regards,

CVision Lab System Administrator
Vladmir Skubriev
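The post asks where to keep users without storing cleartext passwords in Chef. For the LDAP half of that question, the following is an added example (editor's illustration, not code from the original post or from any Chef cookbook): it builds the `{SSHA}` `userPassword` value that OpenLDAP's slapd verifies natively, so the data bag item and the LDIF a recipe feeds to `ldapadd` carry only a salted hash. The bag name `users`, the item layout and the `ou=People` base are hypothetical. For the Kerberos half, kadmin needs the cleartext only at `addprinc` time, so a recipe can create the principal with a one-time password and not keep it in the bag at all; that path is not shown here.

```ruby
require 'digest/sha1'
require 'base64'
require 'securerandom'

# Build an OpenLDAP-compatible {SSHA} userPassword value:
#   "{SSHA}" + base64( SHA1(password || salt) || salt )
# slapd verifies this scheme itself on a simple bind, so neither the
# data bag item nor the LDIF the recipe hands to ldapadd ever holds
# the cleartext. The salt is random per call unless one is supplied.
def ssha_hash(password, salt = SecureRandom.random_bytes(8))
  digest = Digest::SHA1.digest(password.b + salt.b)
  "{SSHA}" + Base64.strict_encode64(digest + salt.b)
end

# Constant-time byte comparison, so verification does not leak how
# many leading bytes of the digest matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Check a cleartext password against a stored {SSHA} value, the way
# slapd does. Returns false (never raises) for malformed input.
def ssha_verify?(password, stored)
  return false unless stored.is_a?(String) && stored.start_with?("{SSHA}")
  raw = Base64.strict_decode64(stored.sub("{SSHA}", ""))
  return false if raw.bytesize <= 20            # need 20-byte digest + salt
  digest = raw.byteslice(0, 20)
  salt   = raw.byteslice(20, raw.bytesize - 20)
  secure_compare(Digest::SHA1.digest(password.b + salt), digest)
rescue ArgumentError
  false                                          # not valid base64
end

# A constructed data-bag item as it would sit in data_bags/users/alice.json
# (hypothetical bag and layout, not from the original post). Only the
# hash is stored; the cleartext never reaches the bag.
def user_item(uid, cn, sn, password)
  { "id" => uid, "uid" => uid, "cn" => cn, "sn" => sn,
    "userPassword" => ssha_hash(password) }
end

# Render the LDIF stanza a recipe would hand to ldapadd for that item.
def user_ldif(item, base_dn)
  <<~LDIF
    dn: uid=#{item["uid"]},ou=People,#{base_dn}
    objectClass: inetOrgPerson
    uid: #{item["uid"]}
    cn: #{item["cn"]}
    sn: #{item["sn"]}
    userPassword: #{item["userPassword"]}
  LDIF
end
```

Because the hash is salted and slapd does the comparison, the JSON item can sit in a plain (unencrypted) data bag; an encrypted data bag is still the right place for anything that must stay secret in cleartext, such as the `cn=admin` bind password the recipe itself uses.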
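The post also asks whether the bind + dhcpd host data (computer names, MAC addresses, IP addresses) belongs in data bags, attributes or a MySQL database. As an added example (editor's code, not from the original post or from any cookbook), the following keeps one record per machine in a constructed `hosts` data bag and renders the dhcpd `host` stanzas, the forward A records and the reverse PTR records from that single source, validating the items first so that a typo fails the chef-client run instead of producing a config dhcpd or named refuses to load. The bag name, the sample hosts, the subnet `10.0.5.0/24` and the domain `corp.example` are all assumptions; the PTR rendering assumes a /24 reverse zone.

```ruby
require 'erb'
require 'ipaddr'
require 'json'

# Constructed data-bag items (hypothetical bag data_bags/hosts/*.json, not
# from the original post). One record per machine feeds dhcpd, the forward
# zone and the reverse zone, so the three can never disagree.
HOSTS_JSON = <<~JSON
  [
    {"id": "ws01", "hostname": "ws01", "mac": "52:54:00:aa:bb:01", "ip": "10.0.5.21"},
    {"id": "ws02", "hostname": "ws02", "mac": "52:54:00:aa:bb:02", "ip": "10.0.5.22"},
    {"id": "srv1", "hostname": "srv1", "mac": "52:54:00:aa:bb:10", "ip": "10.0.5.2"}
  ]
JSON

MAC_RE      = /\A([0-9a-f]{2}:){5}[0-9a-f]{2}\z/i
HOSTNAME_RE = /\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\z/

# Validate before rendering: a bad item must fail the chef-client run loudly
# instead of shipping a dhcpd.conf that dhcpd refuses to load, or a zone
# with two names on one address (or one MAC claiming two addresses).
def validate_hosts(hosts, subnet)
  net  = IPAddr.new(subnet)
  seen = { "ip" => {}, "mac" => {}, "hostname" => {} }
  hosts.each do |h|
    id = h["id"]
    raise ArgumentError, "#{id}: bad mac #{h['mac'].inspect}" unless MAC_RE.match?(h["mac"].to_s)
    raise ArgumentError, "#{id}: bad hostname #{h['hostname'].inspect}" unless HOSTNAME_RE.match?(h["hostname"].to_s)
    raise ArgumentError, "#{id}: #{h['ip']} not in #{subnet}" unless net.include?(IPAddr.new(h["ip"].to_s))
    %w[ip mac hostname].each do |k|
      v = h[k].downcase
      raise ArgumentError, "duplicate #{k} #{v}: #{seen[k][v]} and #{id}" if seen[k].key?(v)
      seen[k][v] = id
    end
  end
  hosts
end

# Fixed-address reservations for dhcpd.conf.
DHCPD_TEMPLATE = <<~ERB
  <% hosts.each do |h| -%>
  host <%= h["hostname"] %> {
    hardware ethernet <%= h["mac"] %>;
    fixed-address <%= h["ip"] %>;
    option host-name "<%= h["hostname"] %>";
  }
  <% end -%>
ERB

# Forward zone records (the SOA/NS header and serial are the recipe's job).
FORWARD_TEMPLATE = <<~ERB
  <% hosts.each do |h| -%>
  <%= h["hostname"].ljust(12) %> IN A    <%= h["ip"] %>
  <% end -%>
ERB

# Reverse zone records; the last octet is the owner name in a /24 zone.
REVERSE_TEMPLATE = <<~ERB
  <% hosts.each do |h| -%>
  <%= h["ip"].split(".").last.ljust(4) %> IN PTR  <%= h["hostname"] %>.<%= domain %>.
  <% end -%>
ERB

def render(template, hosts, domain)
  ERB.new(template, trim_mode: "-").result_with_hash(hosts: hosts, domain: domain)
end

# Parse, validate and render all three fragments from the same item list.
def render_all(json, subnet, domain)
  hosts = validate_hosts(JSON.parse(json), subnet)
  {
    dhcpd:   render(DHCPD_TEMPLATE, hosts, domain),
    forward: render(FORWARD_TEMPLATE, hosts, domain),
    reverse: render(REVERSE_TEMPLATE, hosts, domain),
  }
end
```

In a real recipe the item list would come from `data_bag("hosts").map { |id| data_bag_item("hosts", id) }` and each fragment would be written by a `template` resource that notifies a restart of dhcpd or a reload of named. A data bag suits this data better than node attributes because the records describe machines other than the node running the recipe, and unlike a MySQL table they live in the same repository as the recipes, so a change to a host and the rendered configs go through the same review.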