Chef Cheatsheet

Download all cookbooks

$ cd ~/chef-repo

$ knife download cookbooks

Download all roles

$ cd ~/chef-repo

$ knife download roles

Download Specific Cookbook

$ knife download cookbooks/cert-QValent\*  --cookbook-version 0.1.0

Creating cookbook

$ cd ~/chef-repo

$ knife cookbook create newrelic-config     /OR/     cd cookbooks; chef generate cookbook newrelic-config

$ cd cookbooks/newrelic-config/recipes

$ touch update_config.rb

 $notepad update_config.rb

[...Author Recipe.....]

Upload cookbook

$ cd ~\chef-repo

$ ruby -c .\cookbooks\cert-QValent\recipes\qvalent-bit.rb

$ foodcritic .\cookbooks\trendMicro\recipes\*

$ knife cookbook test newrelic-config

$ knife cookbook upload newrelic-config

Modify role and include new recipe

$ vim  .\roles\portalapps.json

  >> "recipe[newrelic-config::update_config]"

Upload Role

$ knife upload .\roles\portalapps.json

Assign Role to Nodes

$ knife node list

$ knife node edit sit9-portalapps-ip-0a9a1670

Download cookbook from supermarket

$ knife cookbook site download

Vagrant Cheatsheet

Setting up new system

-Install VirtualBox

-Install Vagrant

- $ vagrant plugin install vagrant-vbguest

- $ vagrant box add hashicorp/precise64    (centos/7)

-Create Vagrantfile (see below)

- $ vagrant up

Debuggin issues

$ set VAGRANT_LOG=info

$ vagrant up

Vagrantfile

# -*- mode: ruby -*-

# vi: set ft=ruby :

Vagrant.configure("2") do |config|

  config.vm.box = "hashicorp/precise64"

  config.vm.network "public_network"

end

Set regional settings to Australia (Powershell)

# Script to configure language settings for each user

#Write settings to reg key for all users who logon to machine
#$RegKeyPath = "HKU:\Control Panel\International"

# Import 'International' module to Powershell session
Import-Module International

#Set Location to Australia
Set-WinSystemLocale en-AU
Set-WinHomeLocation -GeoId 0xC

# Set regional format (datetime etc.) to English (Australia) - this applies to all users
Set-Culture en-AU

# Check language list for non-US input languages, exit if found
#$currentlist = Get-WinUserLanguageList
#$currentlist  ForEach-Object {if(($_.LanguageTag -ne en-AU) -and ($_.LanguageTag -ne en-US)){exit}}

# Set the language list for the user, forcing English (Australia) to be the only language
Set-WinUserLanguageList en-AU -Force
Set-WinCultureFromLanguageListOptOut 0

Chef cheatsheet

Creating cookbook

cd ~/chef-repo

knife cookbook create newrelic-config              /OR/               cd cookbooks; chef generate cookbook newrelic-config

cd cookbooks/newrelic-config/recipes

touch update_config.rb

notepad update_config.rb

[...Author Recipe.....]

Upload cookbook

cd ~\chef-repo

foodcritic .\cookbooks\trendMicro\recipes\*

knife cookbook test newrelic-config

knife cookbook upload newrelic-config

Modify role and include new recipe

vim  .\roles\portalapps.json

  >> "recipe[newrelic-config::update_config]"

Upload Role

knife upload .\roles\portalapps.json

Install a .CER file on Windows with PowerShell

$S3BucketName="myinfrastructure"
$tDir = "C:\source"
$S3file="ip-0a901597.cloud.example.com.au.cer"
$Key="certificates/Prod/$S3file"
$targetPath="$tDir\$S3file"
Read-S3Object -BucketName $S3BucketName -Key $Key -file $targetPath
Import-Certificate -FilePath $targetPath -CertStoreLocation Cert:\LocalMachine\My

Hardened CIS AWS AMI

I had a need to create a hardened (CIS) base image for a project.The AMI created from this project was not used directly, but rather as a base image to other application-specific Stacks.

The following is a Packer file:

{
    "variables": {
        "aws_access_key": "",
        "aws_secret_key": "",
        "aws_region": "{{ env `AWS_DEFAULT_REGION` }}",
        "bitbucket_branch": "",
        "bitbucket_buildnumber": "",
        "bitbucket_commit": "",
        "bootstrap_commit": ""
    },
    "builders": [{
        "type": "amazon-ebs",
        "access_key": "{{user `aws_access_key`}}",
        "secret_key": "{{user `aws_secret_key`}}",
        "region": "ap-southeast-2",
        "vpc_id": "vpc-1cceEXAMPLE8178",
        "subnet_id": "subnet-b8fEXAMPLE1e0dc",
        "associate_public_ip_address": true,
        "ssh_private_ip": false,
        "ssh_pty": true,
        "source_ami": "ami-240EXAMPLEef546",
        "instance_type": "c4.large",
        "ssh_username": "ec2-user",
        "ami_name": "CIS-AWSLinux-Base {{isotime | clean_ami_name}}",
        "ami_users": ["<Account_Number>"],
        "launch_block_device_mappings":[{
          "device_name":"/dev/xvda",
          "volume_size":30,
          "volume_type":"gp2",
          "encrypted":false,
          "delete_on_termination":true
       }],
        "tags": {
            "OS_Version": "AWSLinux",
            "Name": "CIS-AWSLinux-Base",
            "Timestamp": "{{timestamp}}",
            "AMI_Branch": "{{user `bitbucket_branch`}}",
            "AMI_Build_Number": "{{ user `bitbucket_buildnumber`}}",
            "AMI_Commit": "{{ user `bitbucket_commit`}}",
            "Bootstrap_Commit": "{{ user `bootstrap_commit`}}"
        }
    }],
    "provisioners": [{
        "type": "shell",
        "inline": [
            "sleep 30",
            "sudo bash -c 'echo export PATH=\\$PATH:/opt/aws/bin/ >> /etc/profile'",
            "sudo yum clean all",
            "sudo yum -y update",
            "sudo yum -y install epel-release",
            "sudo yum install -y libselinux libselinux-utils libselinux-utils selinux-policy-minimum selinux-policy-mls selinux-policy-targeted policycoreutils awslogs",
            "sudo sh -c 'selinux=1 security=selinux enforcing=1'",
            "sudo sh -c 'touch /.autorelabel'",
            "sudo cp -prv /boot/grub/menu.lst /boot/grub/menu.lst.default",
            "sudo sed -i 's/selinux=0/selinux=1 security=selinux enforcing=1/g' /boot/grub/menu.lst",
            "sudo sed -i 's/selinux=0/selinux=1 security=selinux enforcing=1/g' /etc/grub.conf",
            "sudo yum -y install augeas git python36 python-pip36 bc unzip wget telnet jq nfs-utils",
            "sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm",
            "sudo pip install pystache argparse python-daemon requests",
            "sudo pip install --upgrade pbr",
            "sudo pip install --upgrade pip",
            "sudo mkdir /efs",
            "sudo chmod 755 /efs",
            "sudo sed -i 's/^server/#server/g' /etc/ntp.conf",
            "sudo sed -ie \"\\$aserver 169.254.169.123 prefer iburst\" /etc/ntp.conf",
            "sudo sed -i 's/daemon//g' /etc/init.d/ntpd",
            "sudo sed -i 's/$OPTIONS//g' /etc/init.d/ntpd",
            "sudo rm -f /root/.ssh/authorized_keys"
        ]
    }],
    "post-processors": [
        [{
            "type": "manifest",
            "output": "manifest.json",
            "strip_path": true
        }]
    ]
}

Build as follows:

packer build -var bitbucket_commit=${MAINCOMMIT} -var chef_commit=${CHEFCOMMIT} -var bootstrap_commit=${BOOTSTRAPCOMMIT} -var bitbucket_branch=${BITBUCKET_BRANCH} -var bitbucket_buildnumber=${BITBUCKET_BUILD_NUMBER} packer.json