If you've gone through the Learn Chef Rally modules, joined us for in-person training, or use Chef in your daily work, you may be considering the Chef certification program.
This is a perfect opportunity to check your skills by solving real-world infrastructure and automation challenges.
Being able to complete these tasks is a good indicator that you're ready for Chef certification. Of course, feel free to pair up with a coworker or refer to the documentation. Along the way, we'll point to resources in case you need a refresher.
Before you begin
Although not required, we recommend that you complete these challenges before starting this one.
In this challenge, you'll configure users such that they may only access the system during business hours. You'll also configure NTP to ensure your system has the current time.
You'll gain hands-on experience:
- working with data bags.
- using guards to ensure action is taken only when needed.
- using standard Ruby methods, such as File.exist?, in your recipes.
- creating wrapper cookbooks.
- customizing how your cookbook behaves based on the current platform, for example, Ubuntu and CentOS.
- configuring chef-client to run as a service.
- using Berkshelf to manage dependencies.
- using roles and role attributes.
- using lazy evaluation to run code later during the
Here's what you need to complete this challenge.
- Bring up a terminal (or PowerShell if you're on Windows) and move to a directory to work in.
- Bring up a text editor that you're comfortable using. Atom, Sublime Text, and Visual Studio Code are a few graphical text editors that are popular among Chef users.
1. Limit user access to the system
In this task you'll refactor the users cookbook you created in Challenge - Configure Tomcat on CentOS to use data bags to manage user accounts.
As an additional requirement, each user may only have access to the system between 9 AM and 5 PM.
Create a data bag
Start by creating a data bag locally. This page shows how to create a data bag that can be used with Test Kitchen.
Create data bag items
Next, create these data bag items. They define two users, "janedoe" and "johndoe", and a group named "staff". Each item's id is the user or group name.

    {"id": "janedoe", "comment": "Jane Doe"}
    {"id": "johndoe", "comment": "John Doe"}
    {"id": "staff", "members": ["janedoe", "johndoe"]}
Create the users cookbook
Next, create a cookbook called users. If you've gone through Challenge: Configure Tomcat, you can modify your existing users cookbook or create one using a different name.
Use search to discover each user and group that's defined in your data bag. Use the user and group resources to add each user and group to the system.
Limit user access
Each user defined in the data bag may only access the system between 9 AM and 5 PM. To accomplish this, you'll ensure that these users are configured on the system only during these times. Running chef-client periodically as a service or cron job helps ensure that the users are configured at specific times.
You can use the existence of a file to flag whether the users should be created or removed from the system. In other words, if the file exists, the users should be created; if the file does not exist, the users should be removed.
Modify your users cookbook to configure the file /tmp/usersallowed using this logic. This code should run at the start of the

    current_time = Time.now
    if (current_time.hour >= 9) and (current_time.hour <= 17)
      # business hours (note: hour 17 runs until 17:59): create /tmp/usersallowed; otherwise delete it
    end
Next, modify your users cookbook to create each user when /tmp/usersallowed exists; otherwise, remove each user. You can use the Ruby ::File.exist? method in a guard to accomplish this.
Record when access changes
As an additional requirement, write the current date and time to a file named /tmp/timestamp each time users are added to or removed from the system. To accomplish this:
- Use the file resource to manage /tmp/timestamp, with :nothing as your file resource's action.
- Use a notification to send the :create action to the file resource when a user is added or removed.
- Use lazy evaluation to call the Ruby Time.now method to set the
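The window check and the flag-file guard above are the logic a unit test has to exercise at several times of day. As an added example (not part of the challenge or of the users cookbook), here is plain Ruby that the cookbook could carry in a hypothetical libraries/access_window.rb: it decides whether the window is open, turns the data bag items into the action each user and group resource should take, and lists the boundary times worth testing. It closes the window at 17:00 sharp, whereas the `hour <= 17` check above leaves it open until 17:59.

```ruby
require 'json'
require 'date'

# Hypothetical libraries/access_window.rb for the users cookbook. It is plain
# Ruby, so it can be unit-tested without a chef-client run.
module UsersCookbook
  module AccessWindow
    START_HOUR = 9   # 9 AM, inclusive
    END_HOUR   = 17  # 5 PM, exclusive: the window closes at 17:00 sharp
    FLAG_FILE  = '/tmp/usersallowed'

    # True while business hours are in effect. Unlike the recipe's
    # `hour <= 17`, which admits the whole 5 PM hour, this stops at 17:00.
    def self.allowed?(time = Time.now)
      time.hour >= START_HOUR && time.hour < END_HOUR
    end

    # Action for the FLAG_FILE resource at the given time.
    def self.flag_action(time = Time.now)
      allowed?(time) ? :create : :delete
    end

    # Turn data bag items (hashes with an "id"; groups also have "members")
    # into [resource_type, name, action] triples. This mirrors the recipe's
    # ::File.exist? guard: accounts exist only while the flag file does.
    def self.plan(items, flag_present)
      action = flag_present ? :create : :remove
      items.map do |item|
        type = item.key?('members') ? :group : :user
        [type, item['id'], action]
      end
    end

    # Instants a ChefSpec test should check: a minute either side of each
    # boundary, on the given date.
    def self.boundary_times(date = Date.today)
      [[START_HOUR - 1, 59], [START_HOUR, 0], [END_HOUR - 1, 59], [END_HOUR, 0]]
        .map { |h, m| Time.new(date.year, date.month, date.day, h, m, 0) }
    end
  end
end

# Constructed sample input: the three data bag items from this challenge.
SAMPLE_ITEMS = JSON.parse(<<~JSON)
  [{"id": "janedoe", "comment": "Jane Doe"},
   {"id": "johndoe", "comment": "John Doe"},
   {"id": "staff", "members": ["janedoe", "johndoe"]}]
JSON
```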
Create the users role
Create a role named users. In its run-list, specify the users cookbook's default recipe.
If you completed Challenge: Configure Tomcat, also include the
base role from your
If you didn't complete this previous challenge, perform this step to set up your base role and create the my_chef_client cookbook to set up chef-client to run periodically.
2. Configure NTP
Because user access to the system is sensitive to the current time, it's important that your system's clock is synchronized to a time service.
In this task you'll configure NTP using a wrapper cookbook around the ntp cookbook on Chef Supermarket.
You'll also configure chef-client to run as a service every 5 minutes.
Create the my_ntp cookbook
Start by creating a cookbook named my_ntp that wraps version 2.0.0 of the ntp community cookbook.
The NTP configuration file is /etc/ntp.conf, and it needs to be configured differently for Ubuntu and CentOS.
On CentOS, the file looks like this:
On Ubuntu, the file looks like this:
Add the cookbook to the base role
Add the my_ntp cookbook's default recipe to the base role. Your base role already includes the my_chef_client cookbook, which you created in a previous challenge. In your base role, specify that chef-client should run every 5 minutes.
3. Verify the configuration
Verify your configuration using Test Kitchen on CentOS and Ubuntu test instances. Log in to your systems and verify they are configured as you expect.
As an optional exercise, write a few InSpec tests that verify the configuration automatically.
You can also write ChefSpec tests that verify whether the users have access to the system. How would you implement tests that check user access at various times of the day? What times would you test against?
4. (Optional) Deploy your cookbooks
In previous challenge exercises, you've already practiced the process of uploading your cookbooks, roles, and other data to the Chef server.
As an optional exercise, upload the cookbooks, roles, and data bag for this challenge to the Chef server and bootstrap a CentOS 7 or Ubuntu 16.04 node. Verify whether your users have access to the system based on the current time.