Saturday, January 28, 2017

Adding SSH Users To BOSH Deployments

Introduction

It has been a while since I have posted anything so let's start off 2017 with some work using BOSH.  What is BOSH?  A question you didn't even know you wanted to ask.  Some documentation can be found on their site at bosh.io.  As they state on their site, BOSH was developed to deploy Cloud Foundry, but it can deploy other software as well.

The Problem

With the newer versions of the BOSH director (the virtual machine that controls the deployments), the director now randomizes the password of the vcap SSH user on every VM.  This change is great because the password is no longer the well-known default (cloud cow).  The downside is that nobody knows the random password, so an operator can no longer SSH into the deployment VMs except by going through the BOSH CLI.  What if a service account is needed on the deployment VMs?  Any account added by hand is blown away after a redeploy or upgrade, because BOSH rebuilds the VM from the stemcell.

The Answer

Good news!!! There is a BOSH release to save the day.  The os-conf BOSH release answers the above problem and solves a few more.  You can view the project on GitHub.  The job that we are going to focus on is the user_add job.  With this job, you can add either a public key or an encrypted password for the user to be added.

The os-conf release uses a newer feature for the BOSH director called the runtime config.  This feature allows you to apply configuration outside of the deployment manifest to all deployments the director manages.  You can find more information about this feature on their site.  I have successfully tested the os-conf release 10 with the BOSH director release 260.

Upload Release

Before you can use the release, you have to upload it to your BOSH director.  You can do that with the following BOSH CLI commands.  Make sure you have the BOSH CLI installed before running these commands.

[user@linux_prompt]$ bosh login
[user@linux_prompt]$ bosh upload release https://bosh.io/d/github.com/cloudfoundry/os-conf-release?v=10

If the machine where the BOSH CLI is installed has no Internet access, copy the release tarball to that machine and upload it from the local file instead.

[user@linux_prompt]$ bosh upload release os-conf-release-10.tgz

Job Configuration

Below I have a sample addon deployment manifest so you can see the structure.

The easiest way to create the encrypted password (a SHA-512 crypt hash, the same format /etc/shadow uses) is on an Ubuntu box.  The mkpasswd command comes from the whois package, so install it with: sudo apt-get install whois.  Once it is installed, create the hash by running: mkpasswd -m sha-512 <PASSWORD> <SALT>.  Replace <PASSWORD> with your password and <SALT> with a string of at least eight characters.  Once you have the encrypted string, add it to your manifest.
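The script below is an added example; it is not code from the post or from the os-conf release.  It generates the SHA-512 crypt string the way the post describes and then writes a runtime-config addon manifest with the shape the post's sample manifest illustrates (a releases list naming os-conf version 10, and an addons list carrying the user_add job).  The job name user_add and the release name and version come from the post; the property names users, name and crypted_password, the addon name add-service-account, the user name svcacct and the password and salt values are assumptions, so check the property names against the user_add job spec in the release before relying on them.  When mkpasswd is not installed, the script falls back to openssl passwd -6 or Python's crypt module, both of which emit the same $6$<salt>$<hash> format.

```shell
#!/bin/sh
# Added example, not code from the post or from the os-conf release.
# Builds a crypted password for the os-conf user_add job and writes a
# runtime-config addon manifest around it.

# Print "$6$<salt>$<hash>", the SHA-512 crypt format that
# "mkpasswd -m sha-512 PASSWORD SALT" produces.  Falls back to openssl or
# python3 when the whois package (which provides mkpasswd) is not installed.
# Salt: at least 8 characters (the post's minimum), at most 16 (the crypt
# limit), and only characters from [a-zA-Z0-9./].
crypted_password() {
  password="$1"
  salt="$2"
  case "$salt" in
    *[!a-zA-Z0-9./]*) echo "salt may only contain a-z A-Z 0-9 . /" >&2; return 1 ;;
  esac
  if [ "${#salt}" -lt 8 ] || [ "${#salt}" -gt 16 ]; then
    echo "salt must be 8 to 16 characters" >&2
    return 1
  fi
  if command -v mkpasswd >/dev/null 2>&1; then
    mkpasswd -m sha-512 "$password" "$salt"
  elif openssl passwd -6 -salt "$salt" "$password" 2>/dev/null; then
    :  # openssl already printed the hash
  else
    python3 -c 'import crypt, sys; print(crypt.crypt(sys.argv[1], "$6$" + sys.argv[2]))' \
      "$password" "$salt"
  fi
}

# Write a runtime-config addon manifest that adds one user through user_add.
# Arguments: output file, user name, crypted password.
# Property names (users, name, crypted_password) are assumed from the
# user_add job spec; verify them against the release you upload.
write_addon_manifest() {
  out="$1"
  user="$2"
  crypted="$3"
  # Unquoted heredoc: $user and $crypted are expanded once; the "$6$..."
  # value itself is not expanded again, so it lands in the YAML verbatim.
  cat > "$out" <<EOF
releases:
- name: os-conf
  version: 10

addons:
- name: add-service-account
  jobs:
  - name: user_add
    release: os-conf
    properties:
      users:
      - name: $user
        crypted_password: "$crypted"
EOF
}

# Usage with constructed values (run as: sh addon_user.sh), for example:
#   hash=$(crypted_password 'ExamplePassw0rd' 'exampl3s4lt')
#   write_addon_manifest addon_example.yml svcacct "$hash"
#   cat addon_example.yml
```

The resulting addon_example.yml is what the bosh update runtime-config step in the next section consumes.  On a shared host, prefer reading the password from standard input rather than passing it as an argument (mkpasswd prompts when the password argument is omitted, and openssl passwd accepts -stdin), so that the clear-text password never appears in the process list or shell history.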

Apply Configuration

Once the addon deployment manifest is complete, here are the steps to run it.

[user@linux_prompt]$ bosh login
[user@linux_prompt]$ bosh update runtime-config addon_example.yml
[user@linux_prompt]$ bosh runtime-config
[user@linux_prompt]$ bosh download manifest deployment1 deployment1.yml
[user@linux_prompt]$ bosh deployment deployment1.yml
[user@linux_prompt]$ bosh deploy

So these commands do the following things:
  1. Logs into your BOSH director
  2. Updates the runtime-config with your addon deployment manifest
  3. View the updated runtime-config
  4. Downloads the deployment manifest for the deployment called deployment1
  5. Sets your current deployment to deployment1
  6. Redeploys the VMs in the deployment, which in turn adds the new user configured in the addon deployment manifest.

You have to run the bosh deploy command against every deployment you're updating.  Updating the runtime-config on its own changes nothing on the VMs; the new configuration is only applied when a deployment is redeployed.

Summary

So now you have a new SSH user applied to your deployment that is re-created on every redeploy.  Again, this is only one job that the os-conf BOSH release can do.  You can also update the SSH login banner, DNS search domains, etc.  It is a great way to customize your VMs without having to build a custom BOSH stemcell by hand.

Hopefully, you learned something new about a BOSH director feature and a supplemental BOSH release.

~RRRII

1 comment:

  1. I am quite new to this software and wish to learn about it for my daily work. It was quite difficult for me to grasp the concept till now, but your blog seems to help.