A Dockerfile and scripts to back up and restore a Chef server using knife ec backup. Backups are stored in Azure blob storage, but the scripts are plain bash, so they can be altered to use any other storage.
This is something I spent some time getting together for my day job, so hopefully this will help others wanting to do a chef migration. Lots of information is out there, but not quite all the pieces were put together. This brings them closer.
If you have a single chef server doing all your operations, and are running it in the cloud, I recommend this method of upgrading as it allows you to test your new server, and it lends to much less nail biting during the upgrade process.
You'll want to edit the following files to get this working:
- admin.pem - This needs to be a valid chef admin user's .pem file.
- knife.rb - Needs to be a valid knife.rb. Notably, it needs to point to the right user and chef server.
- scripts/config.sh - A number of variables need to be edited here.
Using knife ec backup
This is a knife module which connects to the chef server via its API.
Using Docker for backups reduces the need to think about dependencies for knife ec backup, which can be a bit finicky.
You'll also want a valid /root/.chef/knife.rb and user .pem file in the same directory for your backups. Best to use chef-server-ctl to create a user. The creation of the knife.rb and pem file is outside the scope of this document.
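A pre-flight check for the knife.rb and admin .pem described above, to run before build.sh or run.sh. This is an added example, not one of this repository's scripts; the function names (knife_setting, preflight, make_sample) and the sample values are hypothetical, and it assumes knife.rb uses the simple `key 'value'` form.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the knife.rb / admin .pem pair.

# Print the last value of a `key 'value'` setting in a knife.rb.
knife_setting() {  # usage: knife_setting <knife.rb> <key>
  sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" "$1" | tail -n 1
}

# Return 0 when both files look usable, 1 otherwise; reasons go to stderr.
preflight() {  # usage: preflight <knife.rb> <admin.pem>
  local rb=$1 pem=$2 rc=0 mode key
  [ -r "$rb" ] && [ -r "$pem" ] || { echo "FAIL: cannot read $rb or $pem" >&2; return 1; }
  for key in node_name client_key chef_server_url; do
    [ -n "$(knife_setting "$rb" "$key")" ] || { echo "FAIL: $key not set in $rb" >&2; rc=1; }
  done
  case $(knife_setting "$rb" chef_server_url) in
    https://*) ;;
    *) echo "FAIL: chef_server_url is not an https:// URL" >&2; rc=1 ;;
  esac
  # The file must hold a PEM private key, not a certificate or public key.
  head -n 1 "$pem" | grep -Eq '^-----BEGIN (RSA )?PRIVATE KEY-----' \
    || { echo "FAIL: $pem is not a PEM private key" >&2; rc=1; }
  # An admin key readable by group or others is exposed to every local user.
  mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
  case $mode in
    [0-7]00) ;;
    *) echo "FAIL: $pem has mode $mode, expected 600 or 400" >&2; rc=1 ;;
  esac
  return "$rc"
}

# Constructed sample files (placeholder values, not a real key) for a dry run.
make_sample() {  # usage: make_sample <dir>
  printf '%s\n' "node_name 'backupadmin'" "client_key '/root/.chef/admin.pem'" \
    "chef_server_url 'https://mychefserver.contoso.com'" > "$1/knife.rb"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$1/admin.pem"
  chmod 600 "$1/admin.pem"
}

# When given two arguments, check real files: ./preflight.sh knife.rb admin.pem
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

The check only looks at the PEM header and file mode; it does not contact the Chef server or confirm that the key belongs to the user named in knife.rb.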
There is a build.sh file which will create the container for you if you don't want to think about the docker commands to do so.
The run.sh script is sufficient to run the container. Once in the container, there's a /root/backup.sh file which you can use to run your backups. You can configure this to launch the container and the script via cron.
We can use the same container to restore the chef server.
You'll need to provision a server and install chef-server on it as documented here.
- Download the package from https://downloads.chef.io/chef-server/.
- Run:
  sudo dpkg -i /tmp/chef-server-core-<version>.deb
- Run:
  sudo chef-server-ctl reconfigure
At this point you'll have a server ready for a restore.
If you plan on reusing the fqdn and certificates from your old server
In the /etc/opscode/chef-server.rb file you'll want to ensure you have the following specified (with values filled in as appropriate):
api_fqdn 'mychefserver.contoso.com'
nginx['ssl_certificate'] = '/var/opt/opscode/nginx/ca/mychefserver.contoso.com.crt'
nginx['ssl_certificate_key'] = '/var/opt/opscode/nginx/ca/mychefserver.contoso.com.key'
From here you can run the container on the new server you're restoring to:
docker run --rm -it --network="host" -v /data:/data -v /etc/chef:/etc/chef -v /etc/opscode/:/etc/opscode -v /var/opt/opscode/nginx/ca:/var/opt/opscode/nginx/ca docker-ec-backup /bin/bash
The restore process copies the server config files with the restore.sh command and then requires a chef-server-ctl reconfigure. After that, restore2.sh can be run to restore all the data to the new server.
After this, test the new server by pointing some test nodes to it, and performing a few chef runs. You can point to a new server with the same fqdn by making an entry in the /etc/hosts file to override DNS.
Best Practices for Migrating your Chef Server
Migrating your Chef Server with knife-ec-backup and knife-tidy
Backup and Restore a Chef server (uses chef-server-ctl)
knife-ec-backup github