* This article shows how to add multiple users with a Chef recipe. I used the 'template' and 'cookbook_file' resources in this example.
This post assumes that readers have already installed and configured a Chef server and its clients.
In terms of security, this article may not be excellent, so use it carefully. If you are in a situation where security is a real concern, use data bag encryption for the public or private key.
1. Create the cookbook
root@knife2:/home/young/chef-repo# knife cookbook create useradd
2. Make templates/default/user.txt.erb
root@knife2:/home/young/chef-repo# vi cookbooks/useradd/templates/default/user.txt.erb
user1:users_group
user2:users_group
user3:users_group
user4:users_group
3. Create the authorized_keys file.
I used vi to paste the public key. You could use scp or another method.
root@knife2:/home/young/chef-repo# vi cookbooks/useradd/templates/default/authorized_keys
blablabla……..^^
4. Lastly, I wrote recipes/default.rb
root@knife2:/home/young/chef-repo# vi cookbooks/useradd/recipes/default.rb
#
# Cookbook Name:: useradd
# Recipe:: default
#
# Copyright 2014, My Future Company
#
# All rights reserved - Do Not Redistribute
#
# Author ohyoungjooung@gmail.com

# Render the user:group list onto the node; the bash block below reads it.
template '/root/users' do
  source 'user.txt.erb'
end

# One shared public key that is copied into every new account.
cookbook_file '/root/authorized_keys' do
  source 'authorized_keys'
  mode 0600
end

# Note: this block is not idempotent. On a second run groupadd and useradd
# fail for accounts that already exist and check() aborts the run.
bash 'useradding' do
  user 'root'
  cwd '/root'
  code <<-EOH
    # Inside the function, $? still holds the exit status of the command that
    # ran just before check was called. The original test [[ $?=="0" ]] was a
    # non-empty-string test and always succeeded; compare numerically instead.
    check(){
      if [[ $? -eq 0 ]]
      then
        echo "$1 is successful"
      else
        echo "failed to achieve mission"
        exit 1
      fi
    }
    groupadd users_group
    for i in $(cat users)
    do
      USER=$(echo "$i" | cut -d':' -f1)
      GROUP=$(echo "$i" | cut -d':' -f2)
      # create the account with its home directory
      useradd "$USER" -g "$GROUP" -m
      check "$USER useradd"
      mkdir "/home/$USER/.ssh"
      check "$USER mkdir"
      cp authorized_keys "/home/$USER/.ssh/"
      check "$USER authcp"
      chmod 0700 "/home/$USER/.ssh"
      # give the key directory to the user and their primary group
      chown -R "$USER:$GROUP" "/home/$USER/.ssh"
      chmod 0600 "/home/$USER/.ssh/authorized_keys"
    done
    rm -f /root/users
    rm -f /root/authorized_keys
  EOH
end
root@knife2:/home/young/chef-repo# knife cookbook upload useradd
Uploading useradd [0.1.0]
Uploaded 1 cookbook
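The recipe hands every line of user.txt.erb straight to a shell loop, so it is worth checking that file before the bash resource runs. The following pure-Ruby parser is an added example, not part of the original cookbook: it accepts only POSIX portable user and group names, rejects duplicates and malformed lines, and checks that the shared authorized_keys file contains plain public key lines. The sample inputs and the key blob are constructed for the example.

```ruby
require 'set'

# POSIX portable user/group name: a lowercase letter or underscore followed by
# up to 31 lowercase letters, digits, underscores or hyphens. Anything else is
# refused instead of being handed to useradd/groupadd by the shell loop.
NAME_RE = /\A[a-z_][a-z0-9_-]{0,31}\z/

# A plain authorized_keys line: key type, base64 blob, optional comment.
# Lines with option prefixes (command=, from=, ...) deliberately do not match.
KEY_RE = %r{\A(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)) [A-Za-z0-9+/]+=*( \S.*)?\z}

# Parses the rendered user.txt.erb content ("user:group" per line).
# Returns [[user, group], ...]; raises ArgumentError on the first bad line.
def parse_users(text)
  seen = Set.new
  entries = []
  text.each_line.with_index(1) do |raw, n|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    fields = line.split(':', -1)
    raise ArgumentError, "line #{n}: expected user:group, got #{line.inspect}" unless fields.size == 2
    fields.each do |f|
      raise ArgumentError, "line #{n}: invalid name #{f.inspect}" unless f.match?(NAME_RE)
    end
    raise ArgumentError, "line #{n}: duplicate user #{fields[0]}" unless seen.add?(fields[0])
    entries << fields
  end
  entries
end

# Checks the authorized_keys file the recipe copies into every new account.
# Returns the accepted key lines; raises ArgumentError on anything else.
def validate_authorized_keys(text)
  keys = text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
  keys.each_with_index do |k, i|
    raise ArgumentError, "key #{i + 1}: not a plain public key line" unless k.match?(KEY_RE)
  end
  keys
end

# Constructed sample inputs mirroring the post's templates (the key blob is fake).
SAMPLE_USERS = "user1:users_group\nuser2:users_group\n\nuser3:users_group\nuser4:users_group\n"
SAMPLE_KEYS  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForTheExampleOnly young@knife2\n"

puts parse_users(SAMPLE_USERS).map { |u, g| "#{u} -> #{g}" }
puts "#{validate_authorized_keys(SAMPLE_KEYS).size} key(s) accepted"
```

In a recipe this would run at compile time against the template source, and the node's useradd loop would only be declared when both checks pass (assumed usage).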
5. On the chef-client1 node:
root@chef-client1:~# chef-client -o useradd
* bash[useradding] action run[2014-01-30T11:35:55+09:00] INFO: Processing bash[useradding] action run (useradd::default line 14)
[2014-01-30T11:35:55+09:00] INFO: bash[useradding] ran successfully
- execute "bash" "/tmp/chef-script20140130-8091-1449qkb"
[2014-01-30T11:35:55+09:00] INFO: Chef Run complete in 0.277210052 seconds
[2014-01-30T11:35:55+09:00] INFO: Running report handlers
[2014-01-30T11:35:55+09:00] INFO: Report handlers complete
Chef Client finished, 2 resources updated
root@chef-client1:~# cat /etc/passwd | grep user
user1:x:1003:1004::/home/user1:/bin/sh
user2:x:1004:1004::/home/user2:/bin/sh
user3:x:1005:1004::/home/user3:/bin/sh
user4:x:1006:1004::/home/user4:/bin/sh
root@chef-client1:~#
6. Use knife bootstrap on the chef-client2 server. If you have already set up SSH key authentication (private and public key), password authentication won't be necessary.
root@knife2:/home/young/chef-repo# knife bootstrap chef-client2 -r 'recipe[useradd]' -x young --sudo
Bootstrapping Chef on chef-client2
Failed to authenticate young - trying password auth
Enter your password:
chef-client2 Starting Chef Client, version 11.8.2
chef-client2 resolving cookbooks for run list: ["useradd"]
chef-client2 Synchronizing Cookbooks:
chef-client2 - useradd
chef-client2 Compiling Cookbooks...
chef-client2 Converging 2 resources
chef-client2 Recipe: useradd::default
chef-client2 * template[/tmp/users] action create
chef-client2 - create new file /tmp/users
chef-client2 - update content in file /tmp/users from none to ebcaf0
chef-client2 --- /tmp/users 2014-01-30 11:43:59.452210250 +0900
chef-client2 +++ /tmp/chef-rendered-template20140130-11865-15ixyap 2014-01-30 11:43:59.452210250 +0900
chef-client2 @@ -1 +1,6 @@
chef-client2 +user1:users_group
chef-client2 +user2:users_group
chef-client2 +user3:users_group
chef-client2 +user4:users_group
chef-client2 +
chef-client2
chef-client2 * bash[useradding] action run
chef-client2 - execute "bash" "/tmp/chef-script20140130-11865-30nl8s"
chef-client2
chef-client2 Chef Client finished, 2 resources updated
* Conclusion
This recipe is not complete because it does not set a password for the users.
But it may be useful for sysadmins who need to add many users to multiple servers in no time.
https://github.com/ohyoungjooung2/useradd