$ kitchen converge
$ kitchen login
Last login: Sun Jul 27 14:38:04 2014 from 10.0.2.2
Welcome to your Packer-built virtual machine.
[vagrant@default-centos65 ~]$ getent passwd eve
eve:x:2002:0:Eavesdrop:/home/eve:/bin/bash
[vagrant@default-centos65 ~]$ exit
logout
Connection to 127.0.0.1 closed.
You should notice that an account for eve got created. Your recipe is data driven, based on
the list of users maintained in the users databag. Whenever that list changes, a node will
pick up the change on its next scheduled Chef run. You didn't have to change the recipe to
get a new user account created.
Encrypted Data Bags
Data bag items can be encrypted with a shared key in order to store private information on
Chef Server in a secure fashion. Examples of secrets that you might want to store in an encrypted databag include:
▪ SSL certificates
▪ SSH keys
▪ Passwords
▪ License keys
Node attributes are stored in plain text and can be searched, so even though other nodes can't change another node's attributes, node attributes are not a secure place for secrets. Encrypted data bags are a great option, even when you want to secure an attribute for just one node, though secrets aren't usually node specific.
Figure 13-5 shows more detail about how encrypted data bags work. When a data bag item is created with knife data bag create, a file containing a shared key is passed on the command line. The shared key is used as the password to encrypt the data bag item contents. When a node wants to decrypt the data bag item and access the secret in plain text, it must also pass the same shared key on its knife data bag operations.
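To make the shared-key scheme concrete, here is an added Ruby illustration (not Chef's own code) of what "the shared key is used as the password" means: the AES key is derived from the secret file's contents, every field except id is encrypted separately with a fresh IV, and a node holding the wrong secret cannot decrypt. The field names, the use of AES-256-GCM and the json_wrapper envelope loosely follow the shape of Chef's encrypted data bag format but are assumptions for this example, not a compatible implementation.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Illustrative encrypted data bag helper (added example, not Chef's code).
module BagCrypt
  CIPHER = 'aes-256-gcm'  # authenticated mode: tampering is detected on decrypt

  # Chef derives the AES key from the secret file contents with SHA-256.
  def self.key_from_secret(secret)
    OpenSSL::Digest::SHA256.digest(secret)
  end

  # Encrypt every field except "id"; "id" stays in clear so the item
  # can still be looked up by name on the Chef Server.
  def self.encrypt_item(item, secret)
    key = key_from_secret(secret)
    item.each_with_object({}) do |(field, value), out|
      if field == 'id'
        out[field] = value
        next
      end
      c = OpenSSL::Cipher.new(CIPHER).encrypt
      c.key = key
      iv = c.random_iv                      # fresh IV per field, never reused
      ct = c.update({ 'json_wrapper' => value }.to_json) + c.final
      out[field] = {
        'encrypted_data' => Base64.strict_encode64(ct),
        'iv'             => Base64.strict_encode64(iv),
        'auth_tag'       => Base64.strict_encode64(c.auth_tag),
        'cipher'         => CIPHER
      }
    end
  end

  # Reverse the process; raises OpenSSL::Cipher::CipherError when the
  # secret is wrong or the ciphertext was modified.
  def self.decrypt_item(enc, secret)
    key = key_from_secret(secret)
    enc.each_with_object({}) do |(field, value), out|
      if field == 'id'
        out[field] = value
        next
      end
      c = OpenSSL::Cipher.new(value['cipher']).decrypt
      c.key = key
      c.iv = Base64.strict_decode64(value['iv'])
      c.auth_tag = Base64.strict_decode64(value['auth_tag'])
      pt = c.update(Base64.strict_decode64(value['encrypted_data'])) + c.final
      out[field] = JSON.parse(pt)['json_wrapper']
    end
  end
end
```

The constructed item and secret in the test below stand in for a databag item file and the secret file you would pass to knife.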