cloudlab-chef-tutorial.scrbl 48.3 KB
Newer Older
1 2 3 4
#lang scribble/manual

@(require "defs.rkt")

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
@title[#:tag "cloudlab-chef-tutorial" #:version apt-version]{CloudLab Chef Tutorial}
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

This tutorial will walk you through the process of creating and using 
an instance of the Chef configuration management system on @(tb). 

@margin-note{Chef is both the name of a company and the name of a popular modern configuration management system 
written in Ruby and Erlang. A large variety of tutorials, articles, technical docs and training opportunities
is available at the @link[""]{Chef official website}. 
Also, refer to the @link[""]{Customer Stories} page to see how Chef is used
in production environments, including very large installations (e.g., at Facebook, Bloomberg, and Yahoo!).}


In the process of taking this tutorial, you will learn to:

    @item{Create your own instance of Chef using a pre-defined profile}
    @item{Explore profile parameters allowing to customize components of your Chef deployments} 
    @item{Access monitoring and management capabilities provided by Chef}
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
24 25 26 27 28 29 30
    @item{Use Chef to perform two exercises:
        @item{Install and configure NFS, the Network File System, on experiment nodes}
        @item{Install and configure an instance of the Apache web server, as well as run a benchmark against it}
    @item{Terminate your experiment}
31 32 33
    @item{Learn where to get more information}

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
34 35 36 37

This tutorial will demonstrate how experiments can be managed on @(tb), as well as show
how experiment resources can be administered using Chef. 
By following the instructions provided below, you will learn how to take advantage of the powerful features of Chef
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
39 40 41
for configuring multi-node software environments.
The exercises included in this tutorial are built around simple but realistic 
configurations. In the process of recreating these configurations on nodes running 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
default images, you will explore individual components of Chef and 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
43 44
follow the configuration management workflow applicable to more complex configurations and experiments. 

45 46 47 48 49 50 51 52 53 54 55 56 57 58

This tutorial assumes that:

    @item{You have an existing account on @bold{either}: @itemlist[
        @item{CloudLab (Instructions for getting an account can
            be found @seclink["register"]{here}.)}
        @item{The @link[""]{GENI portal}.
            (Instructions for getting an account can be found

59 60

@section[#:tag "chef-tutorial-body"]{Launching Chef Experiments}
62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79

Once you have logged in to @(tb), you will ``instantiate'' a @seclink["profiles"]{``profile''}
to create an @seclink["experiments"]{experiment}. (An experiment in @(tb) is similar
to a @link[""]{``slice''} in
GENI.) Profiles are @(tb)'s way of packaging up configurations and experiments
so that they can be shared with others. Each experiment is separate:
the experiment that you create for this tutorial will be an instance of a profile provided by
the facility, but running on resources that are dedicated to you, which you
have complete control over. This profile uses local disk space on the nodes, so
anything you store there will be lost when the experiment terminates.

@margin-note{The Chef cluster we are building in this tutorial is very small, but @(tb)
has @seclink["hardware"]{large clusters} that can be used for larger-scale

For this tutorial, we will use a profile that launches a Chef cluster --- a set of 
interconnected nodes running Chef components such as Chef server, workstation, clients. 
The @(tb) staff have built this profile by scripting installation procedures for 
these components. The developed scripts will run on the experiment nodes after they boot
81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98
and customize them (create necessary user accounts, install packages, establish authentication
between the nodes, etc.) to create a fully functional Chef cluster with a 
multi-node, production-like structure.

See this manual's @seclink["profiles"]{section on profiles} for more
information about how they work.

@itemlist[#:style 'ordered
    @instructionstep["Select a profile"]{

        After logging in, you will be taken to the
        ``@link[""]{Start an
        Experiment}'' page automatically if you do not have any current,
        running experiments. You can get back to this page at any time by
        selecting the ``Start Experiment'' link from the ``Actions'' menu.
        By default, this page suggests launching the OpenStack profile which
        is discribed in detail in the @seclink["cloudlab-tutorial"]{OpenStack tutorial}.
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
        Go to the list of available profile by clicking ``Change Profile'': 
100 101 102


Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
103 104 105 106
        Find the profile by typing @bold{ChefCluster} in the search bar. Then, select the profile with the
        specified name in the list displayed below the search bar. 
        A 2-node preview should now be shown along with high-level profile information. 
        Click ``Select Profile'' at the bottom of the page: 
107 108 109

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
        After you select the correct profile, click ``Next'':
111 112 113 114 115 116 117 118 119


    @instructionstep["Set parameters"
                     #:screenshot "chef-tutorial/params-next.png"]{

    Profiles in CloudLab can have @emph{parameters} that affect how they are
    configured; for example, this profile has parameters that allow you to
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
120 121
    set the number of client nodes, specify the repository with the infrastructure
    code we plan to use, obtain copies of the application-specific infrastructure code developed 
122 123 124 125 126 127 128 129
    by the global community of Chef developers, etc. 

    For this tutorial, we will leave all parameters at their defaults and
    just click ``Next''.
    @instructionstep["Choose experiment name"]{
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
130 131
        You may optionally give your experiment a meaningful name, e.g., ``chefdemo''.
        This is useful if you have many experiments running at once.
132 133 134 135 136 137 138 139 140

    @instructionstep["Select a cluster"
                     #:screenshot "chef-tutorial/select-cluster.png"]{
        @(tb) has multiple clusters available to it. Some profiles can run
        on any cluster, some can only run on specific ones due to specific hardware
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
141 142
        constraints. @bold{ChefCluster} can only run on the x86-based clusters.
        This excludes the CloudLab Utah cluster which is built on ARMv8 nodes. 
143 144 145 146 147 148 149 150 151 152 153 154
        Refer to the @seclink["hardware"]{Hardware} section for more information.

        @bold{Note:} If you are at an in-person tutorial, the instructor will
        tell you which cluster to select. Otherwise, you may select any compatible and available

        @margin-note{The dropdown menu for the clusters shows you both the
        health (outer ring) and available resources (inner dot) of each
        cluster. The ``Check Cluster Status'' link opens a page (in a new
        tab) showing the current utilization of all @(tb) clusters.}

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
155 156
    @instructionstep["Click Finish!"]{
        When you click the ``Finish'' button, @(tb) will start
157 158 159 160 161 162 163 164 165
        provisioning the resources that you requested on the cluster that
        you selected.

    @instructionstep["CloudLab instantiates your profile"]{
        @(tb) will take a few minutes to bring up your experiment, as
        many things happen at this stage, including selecting suitable
        hardware, loading disk images on local storage, booting bare-metal
        machines, re-configuring the network topology, etc. While this is
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
        happening, you will see the topology with yellow node icons:
167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185

        @margin-note{Provisioning is done using the 
        @link[""]{GENI APIs}; it
        is possible for advanced users to bypass the @(tb) portal and
        call these provisioning APIs from their own code. A good way to
        do this is to use the @link[""]{@tt{geni-lib} library for Python.}}

        As soon as a set of resources have been assigned to you, you will see
        details about them if you switch to the "List View" tab (though you will not be
        able to log in until they have gone through the process of imaging and
        booting.) While you are waiting for your resources to become available,
        you may want to have a look at the
        user manual}, or use the ``Sliver'' button to watch the logs of the
        resources (``slivers'') being provisioned and booting.

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
    @instructionstep["Your resources are ready!"]{
187 188 189 190 191 192 193 194 195 196
         Shortly, the web interface will report the state as ``Booted''.
         @bold{Important:} A ``Booted'' status indicates that resources are
         provisioned and booted; this particular profile runs scripts to
         complete the Chef setup, and it will be a few more minutes before
         Chef becomes fully functional. You will be able to tell that the configuration process
         has finished when the status changes from ``Booted'' to ``Ready''. Until then,
         you will likely see that the startup scripts (i.e. programs that run at the beginning
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
197 198 199
         of the experiment to set it up) run longer on @tt{head} than on
         @tt{node-0}  --- a lot more work is required to install the Chef server than the client.
         In the Topology View tab, mouse over the circle in the @tt{head}'s icon, 
200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240
         to confirm the current state of the node. 

@section{Exploring Your Experiment}

While the startup scripts are still running,
you will have a few minutes to look at various parts
of the @(tb) experiment page and learn what resources you now have access to and what
you can do with them.

@subsection{Experiment Status}

The panel at the top of the page shows the status of your experiment --- you can
see which profile it was launched with, when it will expire, etc. The
buttons in this area let you make a copy of the profile (so that you can
@seclink["creating-profiles"]{customize it}), ask to hold on to the resources
for longer, or release them immediately.


Note that the default lifetime for experiments on @(tb) is less than a day;
after this time, the resources will be reclaimed and their disk contents will
be lost. If you need to use them for longer, you can use the ``Extend'' button
and provide a description of why they are needed. Longer extensions require
higher levels of approval from @(tb) staff. You might also consider
@seclink["creating-profiles"]{creating a profile} of your own if you might need
to run a customized environment multiple times or want to share it with others.

You can click on the title of the panel to expand or collapse it.

@subsection{Profile Instructions}

Profiles may contain written instructions for their use. Clicking on the title
of the ``Profile Instructions'' panel will expand or collapse it. In this
case, the instructions provide a link to the Chef server web console. 
(Don't click on the link yet --- it is likely that Chef is still being configured; 
for now, let's keep exploring the @(tb) interface.)

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
241 242 243 244
Also, notice the list of private and public hostnames of the experiment nodes
included in the instructions. You will use the public hostnames (shown in bold)
in the exercise with the Apache web server and apache benchmark.

245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262

@subsection{Topology View}

We have already used the topology viewer to see the node status; let's take a closer look
at the topology of this experiment. This
profile has two nodes connected by a 10 Gigabit LAN, which is represented by
a gray box in the middle of the topology. The names given for each node are
the names assigned as part of the profile; this way, every time you instantiate
a profile, you can refer to the nodes using the same names, regardless of which
physical hardware was assigned to them. The green boxes around each node
indicate that they are up; click the ``Refresh Status'' button to initiate a
fresh check. 

@margin-note{You can also run several networking tests 
by clicking the ``Run Linktest'' button at the bottom of the page. The available tests include:
    @item{Level 1 --- Connectivity and Latency}
    @item{Level 2 --- Plus Static Routing}
264 265 266 267 268 269 270 271 272
    @item{Level 3 --- Plus Loss}
    @item{Level 4 --- Plus Bandwidth}
Higher levels will take longer to complete and require patience.


If an experiment has startup services, their statuses are indicated by small icons in
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
the upper right corners of the node icons. You can mouse over this icon to see a
description of the current status. In this profile, the startup services
on the client node(s), such as @tt{node-0}, typically complete quickly, but
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
276 277
the scripts on @tt{head} take much longer. The screenshot above shows the state of the 
experiment when all startup scripts complete.
278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318

It is important to note that every node in @(tb) has at least two
network interfaces: one ``control network'' that carries public IP
connectivity, and one ``experiment network'' that is isolated from the Internet
and all other experiments. It is the experiment net that is shown in this
topology view.  You will use the control network to @(ssh) into your nodes,
interact with their web interfaces, etc. This separation gives you more
freedom and control in the private experiment network, and sets up a clean
environment for @seclink["repeatable-research"]{repeatable research}.

@subsection{List View}

The list view tab shows similar information to the topology view, but in a
different format. It shows the identities of the nodes you have been
assigned, and the full @(ssh) command lines to connect to them. In some
browsers (those that support the @tt{ssh://} URL scheme), you can click on the
SSH commands to automatically open a new session. On others, you may need to
cut and paste this command into a terminal window. Note that only public-key
authentication is supported, and you must have set up an @(ssh) keypair on your
account @bold{before} starting the experiment in order for authentication to


@subsection{Manifest View}

The final default tab shows a
@link[""]{manifest} detailing the hardware that has been assigned to you. This is the
@seclink["rspecs"]{``request'' RSpec} that is used to define the profile,
annotated with details of the hardware that was chosen to instantiate your
request. This information is available on the nodes themselves using the
@link[""]{@tt{geni-get}} command, 
enabling you to do rich scripting that is fully aware of both the requested
topology and assigned resources.

@margin-note{Most of the information displayed on the @(tb) status page comes
directly from this manifest; it is parsed and laid out in-browser.}


@subsection[#:tag "chef-tutorial-actions"]{Actions}
320 321 322 323 324 325 326 327

In both the topology and list views, you have access to several actions that
you may take on individual nodes. In the topology view, click on the node to
access this menu; in the list view, it is accessed through the icon in the
``Actions'' column. Available actions include rebooting (power cycling) a node,
and re-loading it with a fresh copy of its disk image (destroying all data on
the node).  While nodes are in the process of rebooting or re-imaging, they
will turn yellow in the topology view. When they have completed, they will
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
328 329 330
become green again. The @seclink["chef-tutorial-web-shell"]{shell} 
action is described in more detail below and will be used as
the main method for issuing commands on the experiment nodes throughout this tutorial.
331 332 333 334 335


@section{Brief Introduction to Chef}

While the startup scripts are running, let's take a quick look at the architecture of a typical 
337 338 339 340 341 342 343 344 345
Chef intallation. The diagram provided at the official @link[""]{Overview of Chef} page
demonstrates the relationships between individual Chef components. While there is a number of optional, advanced
components that we don't use in this tutorial, it is worth noting the following:

  @item{Chef clients can run on a variety of resources: virtual and physical servers, cloud instances,
  storage and networking devices, containers, etc. All clients connect and listen to 
  the central, infrastructure-wide Chef server.}

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
  @item{The Chef server has a web interface. The server manages @bold{cookbooks}, which are fundamental 
  units of configuration management that define configurations and contain 
  everything that is required to instantiate those configurations. Additionally, 
349 350 351 352 353 354 355 356 357 358 359
  the server manages @bold{run lists}, which can be viewed as mappings between collections of cookbooks 
  and the clients on which they need to execute.}

  @item{A workstation represents a machine from which a Chef administrator
  connects to and controls the server. It typically has a copy of @bold{chef-repo}, 
  the repository which contains cookbooks and other code artifacts. The administrator
  modifies cookbooks locally and submits them to the server to make them available
  to all clients.}

  @item{@bold{Recipes}, shown next to cookbooks on the workstation, are the "building blocks" from which
  cookbooks are assembled. Recipes can be viewed as individual scripts accomplishing specific
  fine-grained tasks, such as create a user, install a package, clone a repository, configure a network interface, etc.
361 362 363
  Cookbooks, which include one or more recipes, are responsible for "bigger" tasks: 
  install and configure a database, install and run a web server, and so on.}
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
  @item{Another type of Chef code artifacts (not shown in the diagram) is called @bold{role}.
  A role can include one or more cookbooks and specific recipes (each cookbook and recipe can be used
366 367
  in several roles if necessary). Roles typically define complete node configurations;
  for instance, in a simple case, one role corresponds to a master node on a cluster with a set of specific services, 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
368 369
  while another role defines how the rest of the cluster nodes, so-called ``worker'' nodes, should be configured.
  After being created on the workstation, these roles are submitted to the server by the administrator 
370 371 372
  and then assigned to specific nodes via the run lists.}

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
373 374 375 376 377 378 379 380 381 382 383 384
In the experiment we have launched, @tt{head} runs all three: the server, the workstation, and the client
(there is no conflict between these components), while @tt{node-0} runs only the client. If this profile is instantiated
with the arbitrary number N of clients, there will be N ``client-only'' nodes
named @tt{node-0},@tt{node-1},...,@tt{node-(N-1)}. 
Another profile parameter allows choosing the repository from which chef-repo is cloned; 
by default, it points to @link[""]{emulab/chef-repo}.
The startup scrips in this profile also obtain and install copies of public cookbooks
hosted at the respository called @link[""]{Supermarket}. 
Specifically, the exercises in this tutorial rely on the @link[""]{nfs} 
and @link[""]{apache2} cookbooks --- both
should be installed on your experiment now in accordance with the default value of the
corresponding profile parameter we have used.
385 386 387

@section{Logging in to the Chef Web Console}

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
388 389
As soon as the startup scripts complete, you will likely recieve an email confirming that Chef is installed and operational.

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434
@verbatim{Dear User,

Chef server and workstataion should now be 
installed on

To explore the web management console, copy 
this hostname and paste it into your browser. 
Installation log can be found at /var/log/init-chef.log 
on the server node.

To authenticate, use the unique credentials 
saved in /root/.chefauth on the server node.

Below are several Chef commands which detail the launched experiment:

# chef -v
Chef Development Kit Version: 0.7.0
chef-client version: 12.4.1
berks version: 3.2.4
kitchen version: 1.4.2

# knife cookbook list
apache2               3.1.0
apt                   2.9.2
emulab-apachebench    1.0.0
emulab-nfs            0.1.0
nfs                   2.2.6

# knife node list

# knife role list

# knife status -r
1 minute  ago, head, [], ubuntu 14.04.
0 minutes ago, node-0, [], ubuntu 14.04.

Happy automation with Chef!

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
In some cases, you will not be able to see this email --- 
email filters (e.g., if you are using a university email account) may classify it as spam.
This will not be a problem since the email is supposed to provide useful but noncritical information.
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
439 440
You can still access the Chef web console using the link included in the profile instructions
and also obtain the credentials as described in the instructions.

442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489
When you receive this email or see in the topology viewer that the startup scripts completed,
you can proceed to the following step.

@subsection[#:tag "chef-tutorial-web-shell"]{Web-based Shell}

@(tb) provides a browser-based shell for logging into your nodes, which is
accessed through the action menu described above. While this shell is
functional, it is most suited to light, quick tasks; if you are going to do
serious work, on your nodes, we recommend using a standard terminal
and @(ssh) program.

This shell can be used even if you did not establish an @(ssh) keypair with
your account.

Three things of note:

    @item{Your browser may require you to click in the shell window before
        it gets focus.}

    @item{Depending on your operating system and browser, cutting and pasting into
        the window may not work. If keyboard-based pasting does not
        work, try right-clicking to paste.}

    @item{@bold{The recommended browsers are Chrome and Firefox.}
          The web-based shell does not work reliably in Safari.
          It is not guaranteed that it works smoothly in other browsers.}

Create a shell tab for @tt{head} by choosing ``Shell'' in the
Actions menu for @tt{head} in either the topology or the list view.
The new tab will be labeled ``head''. It will allow typing shell commands
and executing them on the node. All shell commands used throughout this tutorial
should be issued using this shell tab.

While you are here, switch to the @italic{root} user by typing:

@verbatim{@bold{sudo su -}}


Your prompt, the string which is printed on every line before the cursor,
should change to @tt{root@"@"head}.
All commands in the rest of the tutorial should be executed under @italic{root}.

@subsection{Chef Web Console}

Type the following to print Chef credentials:

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
@verbatim{@bold{cat /root/.chefauth}}
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
492 493 494

You should see the unique login and password that have been 
generated by the startup scripts specifically for your instance of Chef:
495 496 497 498


Expand the ``Profile Instructions'' panel and
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
click on the ``Chef web console'' link. 

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
501 502 503 504 505 506 507 508 509 510 511
@bold{Warning:} When your browser first points to this link, you will see a warning 
about using a self-signed SSL certificate. Using self-signed certificates
is not a good option in production scenarios, but it is totally acceptable 
in this short-term experimentation environment. We will ignore this warning and proceed to using the Chef console. 
The sequence of steps for ignoring it depends on your browser.
In Chrome, you will see a message saying "Your connection is not private". Click ``Advanced''
at the bottom of the page and choose ``Proceed to <hostname> (unsafe)''. In Firefox, 
the process is slightly different: click ``Advanced'', choose ``Add Exception'', and
click ``Confirm Security Exception''.

When the login page is finally displayed, use the credentials you have printed in the shell:
512 513 514 515


Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
516 517 518
If you see a console like the one above, with both @tt{head} and @tt{node-0} listed on the ``Nodes'' tab,
you have a working Chef cluster! You can now proceed to managing your nodes using 
Chef recipes, cookbooks, and roles. 
519 520 521 522

In the rest of the tutorial, we demonstrate how you can use several pre-defined cookbooks and roles.
Development of cookbooks and roles is a subject of another tutorial (many such tutorials can be
found online). Our goal in the following sections is to walk you through
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
523 524
the process of using existing cookbooks and roles --- the process which is the same for simple 
and more complex configurations. You will learn how to modify run lists and 
apply cookbooks and roles to your nodes, run them, check their status,
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
and explore individual components of cookbooks and roles. 
527 528 529

@section{Configuring NFS}

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
Now that you have a working instance of Chef where both @tt{head} and @tt{node-0} 
can be controlled using Chef, let's start modifying the software stacks 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
532 533
on these nodes by installing NFS and exporting a directory from @tt{head} to 
534 535 536

@itemlist[#:style 'ordered
  @instructionstep["Modify the run list on head"]{
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
    Click on the row for @tt{head} in the node list (so the entire row is highlighted in orange),
538 539 540 541 542
    and then click "Edit" in the Run List panel in the bottom right corner of the page: 
  @instructionstep["Apply nfs role:"]{
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
543 544
    In the popup window, find the role called @tt{nfs} in the Available Roles list on the left, drag and drop it into
    the "Current Run List" field on the right. When this is done, click "Save Run List". 
545 546 547 548 549 550 551
  @instructionstep["Repeat the last two steps for node-0:"]{

    At this point, @tt{nfs} role is assigned to both nodes, but nothing has executed yet.
553 554 555
  @instructionstep["Check the status from the shell"]{
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
556 557
    Before proceeding to applying these updates, 
    let's check the role assignment from the shell by typing:
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
558 559 560

    @verbatim{@bold{knife status -r}}

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
    The run lists for your nodes should be printed inside square brackets:
562 563 564 565 566 567

    The output of this command also conveniently shows when Chef applied changes to your
    nodes last (first column) and what operating systems run on the nodes (last column). 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
  @instructionstep["Trigger the updates"]{
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
    Run the assigned role on @tt{head} by typing: 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
572 573 574
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
575 576 577 578 579
    As a part of the startup procedure,
    passwordless @tt{ssh} connections are enabled between the nodes. 
    Therefore, you can use @tt{ssh} to run commands remotely,
    on the nodes other than @tt{head}, from the same shell.
    Execute the same command on @tt{node-0} by typing: 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
580 581

    @verbatim{@bold{ssh node-0 chef-client}}
582 583 584
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
585 586 587 588
    When nodes execute the ``@code{chef-client}'' command, 
    they contact the server and request the cookbooks, recipes, and roles have been
    assigned to them in their run lists. The server responds with those artifacts, 
    and the nodes execute them in the specified order. 
589 590 591
  @instructionstep["Verify that NFS is working"]{

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
592 593 594 595 596 597 598
    After updating both nodes, you should have a working NFS configuration in which
    the @code{/exp-share} directory is exported from @tt{head} and mounted on @tt{node-0}.

    @margin-note{The name of the NFS directory is one of the attributes that is set in the @tt{nfs} role.
    To explore other attributes and see how this role is implemented, take a look at
    the @code{/chef-repo/roles/nfs.rb} file on @tt{head}} 

    The simplest way to test that this configuration is functioning properly 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
600 601
    is to create a file on one node and check that this file becomes
    available on the other node. 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
602 603 604 605 606 607 608 609 610 611 612 613 614 615 616
    Follow these commands to test it (the lines that start with the # sign are comments): 

    # List files in the NFS directory /exp-share on head; should be empty
    @bold{ls /exp-share/}

    # List the same directory remotely on node-0; also empty
    @bold{ssh node-0 ls /exp-share/}

    # Create an empty file in this derectory locally
    @bold{touch /exp-share/NFS-is-configured-by-Chef}

    # Find the same file on node-0
    @bold{ssh node-0 ls /exp-share/}
617 618 619


Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
    If you can see the created file on @tt{node-0}, your NFS is working as expected. 
621 622 623 624
    Now you can easily move files between your nodes using the @code{/exp-share} directory. 

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
625 626 627
@bold{Summary:} You have just installed and configured NFS by assigning a Chef
role and running it on your nodes.  
You can create much more complex software environments 
by repeating these simple steps and installing more software components on your nodes.
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
629 630 631 632 633
Additionally, installing NFS on a set of nodes is not a subject of
a research experiment but rather an infrastructure prerequisite for 
many distributed systems. You can automate installation and configuration procedures
in those systems using a system like Chef and save a lot of time
when you need to periodically recreate them or create multiple instances of those systems.  
634 635 636 637

@subsection{Exploring The Structure}

It is worth looking at how the role you have just used is implemented. Stored at 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
@code{/chef-repo/roles/nfs.rb} on @tt{head}, it should include the following code: 

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660
# This role depends on the emulab-nfs cookbook;
# emulab-nfs depends on the nfs cookbook
# available at:
# Make sure it is installed; If it is not, try: knife cookbook site install nfs
name "nfs"
description "Role applied to all NFS nodes - server and client"
  "nfs" => {
    "server" => "head",
    "dir" => "/exp-share",
    "export" => {
      "network" => "",
      "writeable" => true
run_list [ "emulab-nfs" ]
661 662 663 664 665

You can see a number of domain-specific Ruby attributes in this file. 
@code{name} and @code{description} are self-describing attributes.
The @code{override_attribute} attribute allows you to control high-level configuration
parameters, including (but not limited to) the name of the node running the NFS server,
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
666 667
the directory being exported and mounted, the network in which this directory is 
shared, and the ``write'' permission in this directory (granted or not). 
668 669 670 671
The @code{run_list} attribute includes a single cookbook called @code{emulab-nfs}. 

You are probably wondering now about how the same cookbook
can perform different actions on different nodes.
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
672 673 674 675 676
Indeed, the @tt{emulab-nfs} cookbook has just installed NFS server on @tt{head} and
NFS client on @tt{node-0}. You can take a look at the implementation
of the @code{default.rb}, the default recipe in the @tt{emulab-nfs} cookbook which
gets called when the cookbook is executed. You should find the following code
at @code{/chef-repo/cookbooks/emulab-nfs/recipes/default.rb}: 

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
678 679 680 681 682 683 684 685 686 687 688 689
# Cookbook Name:: emulab-nfs
# Recipe:: default

if node["hostname"] == node["nfs"]["server"]
  include_recipe "emulab-nfs::export"
  include_recipe "emulab-nfs::mount"

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
691 692 693 694 695 696 697 698 699 700
The @code{if} statement above allows comparing the hostname of the node on which
the cookbook is running with one of the attributes specified in the role.
Based on this comparison, the recipe takes the appropriate actions by
calling the code from two other recipes in this cookbook.
Optionally, you can explore @code{/chef-repo/cookbooks/emulab-nfs/recipes/export.rb} and 
to see how these recipes are implemented.

Obviously, this is not the only possible structure for this configuration.  
You can alternatively create two roles, such as @tt{nfs-server} and @tt{nfs-client},
that will call the corresponding recipes without the need for the described comparison. 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
702 703 704 705 706
Since a single model cannot fit perfectly all scenarios, Chef provides 
the developer with enough flexibility to organize the code into structures 
that match specific environment and application needs.

@section{Apache Web Server and ApacheBench Benchmarking tool}

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
708 709 710 711 712 713 714
In this exercise, we are going to switch gears and experiment with 
different software --- @code{apache2}, the Apache HTTP web server, and the @code{ab} benchmarking tool.
You will explore more Chef capabilities and perform administrative
tasks, primarily from the command line. 

We recommend you to continue using the shell tab for @tt{head} (again, make sure that your commands are
executed as @italic{root}). Run the commands described below in that shell.
715 716

@itemlist[#:style 'ordered
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
  @instructionstep["Add a role to the head's run list"]{
    Issue the command in bold (the rest is the expected output):
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
719 720 721 722 723 724 725

    @verbatim{@bold{knife node run_list add head "role[apache2]"}                                              
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
  @instructionstep["Add two roles to the node-0's run list"]{
    Run the two @code{knife} commands listed below (also on @tt{head}) in order to assign two roles to @tt{node-0}:
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
729 730 731 732 733 734 735 736 737 738 739 740 741 742 743

    @verbatim{@bold{knife node run_list add node-0 "role[apache2]"}
    @bold{knife node run_list add node-0 "role[apachebench]"}
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
745 746 747 748 749 750
    Notice that we did not exclude the @tt{nfs} role from the run lists. 
    Configuration updates in Chef are @italic{idempotent}, which means that an update can be applied to a node 
    multiple times, and every time the update will yield identical configuration (regardless of the node’s previous state)
    Thus, this time, when you run ``@code{chef-client}'' again, Chef will do the right thing: 
    the state of each individual component will be inspected, and 
    all NFS-related tasks will be silently skipped because NFS is already installed. 
751 752
  @instructionstep["Trigger updates on all nodes"]{
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
753 754 755 756 757 758 759 760 761 762 763 764 765 766
    In the previous section, we updated one node at a time. 
    Try the ``batch'' update - run a single command that 
    will trigger configuration procedures on all client nodes: 

    @verbatim{@bold{knife ssh "name:*" chef-client} resolving cookbooks for run list: 
      ["emulab-nfs", "apache2", "apache2::mod_autoindex", "emulab-apachebench"] resolving cookbooks for run list: 
      ["emulab-nfs", "apache2", "apache2::mod_autoindex"] Synchronizing Cookbooks:
    .... Chef Client finished, 5/123 resources updated in 04 seconds
    You should see interleaved output from the ``@code{chef-client}'' 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
    command running on both nodes at the same time.

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
    The last command uses a node search based on the ``@code{name:*}'' criteria.
    As a result, every node will execute ``@code{chef-client}''. In cases where it is necessary,
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
772 773
    you can use more specific search strings, such as, for instance, ``@code{name:head}''
    and ``@code{name:node-*}''.
774 775 776
  @instructionstep["Check that the webservers are running"]{
    One of the attributes in the @code{apache2} role configures the web server
    such that it runs on the port @code{8080}. Let's check that the web servers 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
    are running via checking the status of that port:
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
780 781 782 783

    @verbatim{@bold{knife ssh "name:*" "netstat -ntpl | grep 8080" } tcp6 0 0 :::8080 :::* LISTEN 9415/apache2 tcp6 0 0 :::8080 :::* LISTEN 30248/apache2 }

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
    Note that this command sends an arbitrary command (unrelated to Chef)
786 787
    to a group of nodes. With this functionality, the @code{knife} command-line utility 
    can be viewed as an orchestration tool for managing groups of nodes that is capable 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
    of replacing @code{pdsh}, the Parallel Distributed Shell utility, that is often used on computing clusters.
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
789 790

    The output that is similar to the one above indicates that both @code{apache2} web servers are running. 
791 792 793 794 795
    The command that you have just issued uses @code{netstat}, a command-line tool that displays network connections, 
    routing tables, interface statistics, etc. Using @code{knife}, you have run 
    @code{netstat} in combination with a Linux pipe and a @code{grep} command 
    for filtering output and displaying the information only on the port @code{8080}.
796 797
  @instructionstep["Check benchmarking results on node-0"]{
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
798 799

    Many different actions have taken place on @tt{node-0}, including: 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
801 802 803 804
      @item{@code{apache2} has been installed and configured}
      @item{@code{ab}, a benchmarking tool from the @code{apache2-utils} package, has been installed and executed}
      @item{benchmarking results have been saved, and plots have been created using the @code{gnuplot} utility}
      @item{the plots have been made available using the installed web server} 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
806 807 808 809

    To see how the last three tasks are performed using Chef, you can take a look at the
    @link[""]{default.rb} recipe inside 
    the @code{emulab-apachebench} cookbook. In the in-person tutorial, let's proceed to 
810 811 812
    the following steps and leave the discussion of this specific recipe 
    and abstractions used in Chef recipes in general to the end of the tutorial.  

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
813 814 815 816 817
    Obtain the @tt{node-0}'s public hostname (refer to the list included in the profile instructions), 
    and construct the following URL: 
    @verbatim{http://<node-0's public hostname>:8080}
    With the right hostname, copy and paste this URL into your browser to access the web server running on @tt{node-0} 
    and serving the benchmarking graphs. You should see a directory listing like this:
818 819 820 821

    You can explore the benchmarking graphs by clicking at the listed links. 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
    So far, @code{ab} has run against the local host (i.e. @tt{node-0}), therefore the
823 824 825
    results may not be so interesting. Do not close the window with your browser
    since one of the following steps will ask you to go back to it to see more results.
  @instructionstep["Modify a role"]{
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
828 829 830 831 832
    Just like the @tt{nfs} role described in the previous section, @tt{apachebench} has a number of
    attributes that define its behavior. We will use the Chef web console to update the value
    for one of its attributes.

    In the console, click on the Policy tab at the top of the page, choose ``Roles'' in the panel on the left,
    and select ``apachebench'' in the displayed list of roles.
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
834 835 836
    Select the Attributes tab in the middle of the page.
    At the bottom of the page, you should now see 
    a panel called ``Override Attributes''. Click the ``Edit'' button inside that panel:  
837 838 839 840

    In the popup window, change the @code{target_host} attribute from @code{null}
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
    to the @tt{head}'s public hostname (refer to the hostnames listed in the profile instructions).
842 843
    Don't forget to use double quotes around the hostname. Also, let's modify the list of 
    ports against which we will run the benchmark. Change @code{80} to @code{8080} since nothing interesting is running
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
    on port @code{80}, while the @code{apache2} server you have just installed  
    is listening on the port @code{8080}. Leave the port @code{443} in the list --- this 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
    is the port on which the Chef web console is running. 
    Here is an example of the recommended changes: 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
849 850 851 852 853 854 855 856 857 858

    When these changes are complete, click "Save Attributes". 
    @bold{Alternative:} It turns out that you don't have to use the Chef web console for modifying this role. 
    Take a look at the two steps described below to see how we can modify this role from the shell
    or @bold{skip} to running the benchmark.
    This is what you need to make the described changes without using the web console:
    @itemlist[#:style 'ordered
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
859 860 861 862
      @item{Edit the file @code{/chef-repo/roles/apachebench.rb} on @tt{head} using a text editor of your choice (e.g., @code{vi})}
      @item{After making the suggested changes, ``push'' the updated role to the server by typing:
            @code{knife role from file /chef-repo/roles/apachebench.rb}}
863 864
    @instructionstep["Run the benchmark against head"]{
865 866

    The updated version of the role is available on the server now. 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
    You can run it on @tt{node-0} using the following command: 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
    @verbatim{@bold{knife ssh "role:apachebench" chef-client}}

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
871 872 873
    This command, unlike the @code{knife} commands you issued in the previous steps, uses a search based on the assigned roles.
    In other words, it will find the nodes to which the @tt{apachebench} role has been assigned by now --- in our case, only 
    @tt{node-0} --- and execute ``@code{chef-client}'' on them.  
874 875
  @instructionstep["Check benchmarking results again"]{
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
    Go back to your browser window and update the page to see the directory listing with new benchmarking results. 
877 878 879 880
    The first two (the most recent) graphs represent the results of benchmarking 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
881 882 883
    of the web services running on @tt{head} performed from @tt{node-0}. Among many interesting facts
    that are revealed by these graphs, you will see that the response time is much higher 
    on the port @code{443} than on the port @code{8080}.
886 887 888

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922
@bold{Summary:} You have just performed an experiment with @code{apache2} and @code{ab} in
a very automated manner. The Chef role you have used performed many tasks,
including setting up the infrastructure, running a benchmark, saving and processing results, as well as
making them easily accessible. The following section will shed some light on how
these tasks were accomplished and also how they can be customized.    

@subsection{Understanding the Internals}

Below we describe some of the key points about the pieces of infrastructure code you have just used. 

The @tt{apache2} role is stored at @link[""]{roles/apache2.rb}
as part of the @link[""]{emulab/chef-repo}.
Note that the run list specified in this role includes a cookbook @code{apache2}
(the recipe called @code{default.rb} inside the cookbook is used)
and also a recipe @code{mod_autoindex} from the same cookbook.
This cookbook is one of the cookbooks that have been obtained from @link[""]{Chef Supermarket}.
All administrative work for installing and configuring the web server is performed by the recipes 
in this cookbook, while the role demonstrates an example of how that cookbook can be ``wrapped''
into a specification that satisfy specific application needs.

The @tt{apachebench} role is stored at @link[""]{roles/apachebench.rb}
It specifies values for several attributes and adds a custom cookbook @tt{emulab-apachebench} to the run list.
We use the ``@code{emulab}'' prefix in the names of the cookbooks that have been developed by the CloudLab staff 
to emphasize that they are developed for @link[""]{Emulab} and derived testbeds such as @(tb). 
This also allows distinguishing them from the Supermarket cookbooks, which are installed in the same directory on @tt{head}.  

Inside the @link[""]{default.rb}  
recipe in @tt{emulab-apachebench} you can find many key words, including 
@code{package}, @code{log}, @code{file}, @code{execute}, @code{template}, etc.
They are called Chef @bold{resources}. These elements, which allow defining fine-grained configuration tasks and actions,
are available for many common administrative needs. You can refer to the 
@link[""]{list of supported Chef resources}
and see examples of how they can be used.  

Another item that is worth mentioning is the  
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953
``@code{ignore_failure true}'' attribute used in some of the resources.
It allows the recipe to continue execution even when something does not
go as expected (shell command fail, necessary files do not exist, etc.).
Also, when relying on specific files in your recipes, you 
can augment resources with additional checks like ``@code{only_if{::File.exists?(<file name>)}}'' 
and ``@code{not_if{::File.exists?(<file name>)}}'' to make your infrastructure code
more reliable and repeatable (this refers to the notion of @italic{idempotent} code mentioned earlier). 

@section{Final Remarks about Chef on CloudLab}

In this tutorial, you had a chance to explore the Chef configuration management system and used
some of its powerful features for configuration management in a multi-node experiment on @(tb).
Even though the instructions walked you through the process of configurating only two nodes,
you can use the demonstrated code artifacts, such as roles, cookbooks, recipes, and resources,
and apply them to infrastructure in larger experiments. With the @code{knife} commands like the ones shown
above, you can ``orchestrate'' diverse and complex applications and environments.  

When establishing such orchestration in your experiments, you can take advantage of 
the relevant pieces of intrastructure code, e.g., available through Chef @link[""]{Supermarket}.
In cases when you have to develop your own custom code,
you may adopt the structure and the abstractions supported by Chef
and aim to develop infrastructure code that is modular, flexible, and easy to use.
The @bold{ChefCluster} profile is available to all users on @(tb). 
If you are interested in learning more about Chef and developing custom infrastructure code
for your experiments, this profile will spare you from the need to set up 
necessary components every time and allow you to run a fully functional Chef installation
for your specific needs.
@section{Terminating Your Experiment}
954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970

Resources that you hold in @(tb) are real, physical machines and are
therefore limited and in high demand. When you are done, you should release
them for use by other experimenters. Do this via the ``Terminate'' button on
the @(tb) experiment status page.


@bold{Note:} When you terminate an experiment, all data on the nodes is lost,
so make sure to copy off any data you may need before terminating.

If you were doing a real experiment, you might need to hold onto the nodes for
longer than the default expiration time. You would request more time by using
the ``Extend'' button the on the status page. You would need to provide a
written justification for holding onto your resources for a longer period of

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
@section{Future Steps}

Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
973 974
Now that you've got a feel for how Chef can help manage
experiment resources, there are several things you might try next:
975 976 977

    @item{Learn more about Chef at the @link[""]{Chef official website}} 
Dmitry Duplyakin's avatar
Dmitry Duplyakin committed
978 979 980 981 982 983 984
    @item{Explore existing cookbooks and roles in the @link[""]{emulab/chef-repo} repository} 
    @item{Follow the steps in the 
          @link[""]{Guide to Writing Chef Cookbooks} 
          blog post by Joshua Timberman, a Chef developer and one of the active members of the Chef community
    @item{Configure a LAMP (Linux, Apache, MySql, and PHP) stack using Chef by following the 
    @link[""]{Creating Your First Chef Cookbook} tutorial }