chef / effortless

Automated best practices for Chef Infra and Chef InSpec
https://chef.io
Apache License 2.0

[Feature Idea] Remote Install Script for Effortless #149

Open danielcbright opened 5 years ago

danielcbright commented 5 years ago

Problem Statement

Currently, there are multiple lines of code that have to be manipulated in an inline PowerShell or bash script in a Packer template in order to get an image built with Packer. This is also true with any other tool used to build an image (such as AWS user_data). This creates many points at which there could be a possible misconfiguration, missed step, etc.

For example, if I were to install Effortless Audit and Config using a Packer template, I would need to write something like this for a Windows 2016 Server:

"provisioners": [
      {
        "type": "powershell",
        "inline": [
          "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))",
          "C:/ProgramData/chocolatey/choco install habitat -y",
          "New-NetFirewallRule -DisplayName \"Habitat TCP\" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 9631,9638",
          "New-NetFirewallRule -DisplayName \"Habitat UDP\" -Direction Inbound -Action Allow -Protocol UDP -LocalPort 9638",
          "C:\\ProgramData\\chocolatey\\bin\\hab license accept",
          "C:\\ProgramData\\chocolatey\\bin\\hab pkg install core/windows-service",
          "C:\\ProgramData\\chocolatey\\bin\\hab pkg exec core/windows-service install",
          "C:\\ProgramData\\chocolatey\\bin\\hab pkg install core/hab-sup",
          "C:\\ProgramData\\chocolatey\\bin\\hab pkg install -z \"{{ user `hab_auth_token` }}\" dbright/config-baseline",
          "C:\\ProgramData\\chocolatey\\bin\\hab pkg install -z \"{{ user `hab_auth_token` }}\" dbright/audit-01-win",
          "$env:PATH = \"$(C:\\ProgramData\\chocolatey\\bin\\hab pkg path stuartpreston/chef-client-detox)/bin\"",
          "$env:PATH = \"$(C:\\ProgramData\\chocolatey\\bin\\hab pkg path stuartpreston/inspec)/bin;$env:PATH\"",
          "cd $(C:\\ProgramData\\chocolatey\\bin\\hab pkg path dbright/config-baseline)",
          "Write-Host 'Starting Chef Infra Client Run'",
          "chef-client -z -c config/bootstrap-config.rb",
          "Write-Host 'Starting InSpec Run'",
          "inspec exec \"$(C:\\ProgramData\\chocolatey\\bin\\hab pkg path dbright/audit-01-win)/dist.tar.gz\" --json-config \"$(C:\\ProgramData\\chocolatey\\bin\\hab pkg path dbright/audit-01-win)/config/bootstrap-inspec.json\" --no-distinct-exit",
          "C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Scripts\\InitializeInstance.ps1 -Schedule",
          "C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Scripts\\SysprepInstance.ps1 -NoShutdown"
        ]
      }
    ]

That is a TON of things to keep updated and a lot of error-prone steps. Multiply this over many Packer builds (not just Packer, anything installing Effortless in an automated manner), and you have many more opportunities for human error.

Possible Solution

Other tools, such as Chocolatey, get around this by having a remote install script that can be called with a single line. If we had a similar way of calling our Hab installer and the required Effortless packages by calling a remote install script, and setting some Packer variables that would be read in, then we could control the install process and make it more seamless.

echohack commented 5 years ago

Hey Daniel. The team took a look at this issue during triage and we don't quite understand the problem you're trying to solve here.

We're guessing this has something to do with the packer template / bootstrap workflow with Effortless.

Can you please reach out to the team (or to @OBrienCommaJosh) to discuss more deeply?

echohack commented 5 years ago

During triage we worked with @danielcbright to suss out the problem here:

The idea is that people building Packer templates need a way to bootstrap Effortless on a Packer template. The essence of this is to build a script and curl it down for both Linux and Windows.

curl https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh | sudo bash

Furthermore, it's desirable that this bootstrap process set up the UUID for the Habitat Supervisor / chef-client such that they can be set by the bootstrap script -- this allows someone who is building packer templates to report packer builds into Chef Automate under the same UUID.
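The following is an added example of what the Linux half of such a bootstrap script could look like; it is not code from this repository or from the Habitat project, and it is not the script the thread refers to. It takes its parameters from environment variables (the names HAB_INSTALL_SHA256, EFFORTLESS_PKGS, CHEF_GUID and CLIENT_RB are assumptions chosen for the example), refuses to run a downloaded installer unless its SHA-256 matches a pin supplied by the caller (the caveat a practitioner would want on any curl-into-sudo-bash step, since the one-liner above otherwise executes whatever the master branch serves that day), and writes the caller-supplied UUID into client.rb so that every image built from the same template reports to Chef Automate under one node identity. The chef_guid setting is assumed here to be the client.rb option Chef Infra Client reads for that UUID; the hab commands used (hab license accept, hab pkg install -z) are the same ones the Packer template in this issue already calls. Real installation only happens when the script is invoked with the install argument, so the functions can be sourced and checked without touching the network.

```shell
#!/usr/bin/env bash
# Added example (not the project's own script): single-command Effortless
# bootstrap for Linux. Env var names, checksum pinning and the use of
# chef_guid in client.rb are assumptions made for this illustration.
set -eu

HAB_INSTALL_URL="${HAB_INSTALL_URL:-https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh}"
# SHA-256 of the installer you reviewed. Empty means "refuse to install".
HAB_INSTALL_SHA256="${HAB_INSTALL_SHA256:-}"
# Builder token, needed for private origins (passed to hab pkg install -z).
HAB_AUTH_TOKEN="${HAB_AUTH_TOKEN:-}"
# Space-separated Effortless packages, e.g. "dbright/config-baseline dbright/audit-01-win".
EFFORTLESS_PKGS="${EFFORTLESS_PKGS:-}"
# UUID the image should report under; generated if not supplied.
CHEF_GUID="${CHEF_GUID:-}"
CLIENT_RB="${CLIENT_RB:-/etc/chef/client.rb}"

# Returns 0 if $1 is shaped like a UUID (8-4-4-4-12 hex), else 1.
validate_uuid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Prints the UUID to use: the caller's CHEF_GUID if valid, otherwise a fresh one.
resolve_guid() {
  if [ -n "$CHEF_GUID" ]; then
    validate_uuid "$CHEF_GUID" || { echo "CHEF_GUID is not a UUID: $CHEF_GUID" >&2; return 1; }
    printf '%s\n' "$CHEF_GUID"
  elif [ -r /proc/sys/kernel/random/uuid ]; then
    cat /proc/sys/kernel/random/uuid
  else
    uuidgen
  fi
}

# Verifies file $1 against the SHA-256 hex digest $2. Fails when the pin is
# unset or does not match, so an unreviewed installer never reaches bash.
verify_sha256() {
  file="$1"; expected="$2"
  [ -n "$expected" ] || { echo "no HAB_INSTALL_SHA256 pin set; refusing to run unverified installer" >&2; return 1; }
  actual="$(sha256sum "$file" | cut -d' ' -f1)"
  [ "$actual" = "$expected" ] || { echo "checksum mismatch for $file: got $actual, want $expected" >&2; return 1; }
}

# Emits the client.rb this bootstrap writes; chef_guid pins the node UUID
# that Chef Automate will see (assumed option name, see lead-in).
render_client_rb() {
  printf 'chef_guid "%s"\nchef_license "accept-silent"\n' "$1"
}

# Downloads the hab installer to a temp file, checks the pin, then runs it.
install_hab() {
  tmp="$(mktemp)"
  curl -fsSL "$HAB_INSTALL_URL" -o "$tmp"
  verify_sha256 "$tmp" "$HAB_INSTALL_SHA256"
  sudo bash "$tmp"
  rm -f "$tmp"
}

# Accepts the license non-interactively and pulls each Effortless package.
install_packages() {
  sudo hab license accept
  for pkg in $EFFORTLESS_PKGS; do
    sudo hab pkg install -z "$HAB_AUTH_TOKEN" "$pkg"
  done
}

main() {
  guid="$(resolve_guid)"
  install_hab
  install_packages
  sudo mkdir -p "$(dirname "$CLIENT_RB")"
  render_client_rb "$guid" | sudo tee "$CLIENT_RB" >/dev/null
  echo "Effortless bootstrapped; chef_guid=$guid"
}

# Only act when asked, so the file can also be sourced for checks:
#   curl -fsSL https://example.invalid/bootstrap.sh | sudo -E bash -s install
case "${1:-}" in
  install) main ;;
esac
```

In a Packer template this collapses the inline provisioner to one line that exports HAB_AUTH_TOKEN, HAB_INSTALL_SHA256, EFFORTLESS_PKGS and CHEF_GUID from Packer variables and pipes the script into sudo -E bash -s install; the Windows counterpart would need the same contract implemented in PowerShell.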