Name: knife-ec2
Owner: Cloudant
Description: Chef knife plug-in for EC2
Created: 2015-03-25 19:42:12.0
Updated: 2016-07-06 01:08:01.0
Pushed: 2016-07-19 17:48:10.0
Size: 849
Language: Ruby
GitHub Committers
| User | Most Recent Commit | # Commits |
|---|
Other Committers
| User | Most Recent Commit | # Commits |
|---|
This is the official Chef Knife plugin for Amazon EC2. This plugin gives knife the ability to create, bootstrap, and manage EC2 instances.
#chef and #chef-hacking on FreenodeIf you're using ChefDK, simply install the Gem:
ef gem install knife-ec2
If you're using bundler, simply add Chef and Knife EC2 to your Gemfile:
'knife-ec2'
If you are not using bundler, you can install the gem manually from Rubygems:
m install knife-ec2
Depending on your system's configuration, you may need to run this command with root privileges.
In order to communicate with the Amazon's EC2 API you will need to pass Knife your AWS Access Key, Secret Access Key, and if using STS your session token. This can be done in several ways:
The easiest way to configure your Amazon EC2 credentials for knife-ec2 is to specify them in your your knife.rb file:
e[:aws_access_key_id] = "Your AWS Access Key ID"
e[:aws_secret_access_key] = "Your AWS Secret Access Key"
Additionally if using AWS STS:
e[:aws_session_token] = "Your AWS Session Token"
Note: If your knife.rb file will be checked into a source control management system, or is otherwise accessible by others, you may want to use one of the other configuration methods to avoid exposing your credentials.
Knife-ec2 can also read your credentials from shell environmental variables. Export AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN variables in your shell then add the following configuration to your knife.rb file:
e[:aws_access_key_id] = ENV['AWS_ACCESS_KEY_ID']
e[:aws_secret_access_key] = ENV['AWS_SECRET_ACCESS_KEY']
Additionally if using AWS STS:
e[:aws_session_token] = ENV['AWS_SESSION_TOKEN']
You also have the option of passing your AWS API Key/Secret into the individual knife subcommands using the --aws-access-key-id and --aws-secret-access-key command options
Example of provisioning a new t2.micro Ubuntu 14.04 webserver:
ife ec2 server create -r 'role[webserver]' -I ami-cd0fd6be -f t2.micro --aws-access-key-id 'Your AWS Access Key ID' --aws-secret-access-key "Your AWS Secret Access Key"
Amazon's newer credential config file format is also supported by knife:
ault]
access_key_id = Your AWS Access Key ID
secret_access_key = Your AWS Secret Access Key
In this case, you can point the aws_credential_file option to this file in your knife.rb file, like so:
e[:aws_credential_file] = "/path/to/credentials/file"
Since the Knife config file is just Ruby you can also avoid hardcoding your home directory, which creates a configuration that can be used for any user:
e[:aws_credential_file] = File.join(ENV['HOME'], "/.aws/credentials")
If you have multiple profiles in your credentials file you can define which profile to use. The default profile will be used if not supplied,
e[:aws_profile] = "personal"
Amazon's newer configuration file format is also supported by knife:
ault]
on = "specify_any_supported_region"
In this case you can point the aws_config_file option to this file in your knife.rb file, like so:
e[:aws_config_file] = "/path/to/configuration/file"
Since the Knife config is just Ruby you can also avoid hardcoding your name directory, which creates a config that can be used for any user:
e[:aws_config_file] = File.join(ENV['HOME'], "/.aws/configuration")
If you have multiple profiles in your configuration file you can define which profile to use. The default profile will be used if not supplied,
e[:aws_profile] = "personal"
In this case configuration file format is:
file personal]
on = "specify_any_supported_region"
The following configuration options may be set in your knife.rb:
knife-ec2 now includes the ability to retrieve the encrypted data bag secret and validation keys directly from a cloud-based assets store (currently only S3 is supported). To enable this functionality, you must first upload keys to S3 and give them appropriate permissions. The following is a suggested set of IAM permissions required to make this work:
tatement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::example.com/chef/*"
]
}
http or https based: 'http://example.com/chef/my-validator.pem's3 based: 's3://chef/my-validator.pem'knife.rb to set the source URLs:e[:validation_key_url] = 'http://example.com/chef/my-validator.pem'
e[:s3_secret] = 'http://example.com/chef/encrypted_data_bag_secret'
--validation-key-url s3://chef/my-validator.pem--s3-secret s3://chef/encrypted_data_bag_secretThis plugin provides the following Knife subcommands. Specific command options can be found by invoking the subcommand with a --help flag
knife ec2 server createProvisions a new server in the Amazon EC2 and then perform a Chef bootstrap (using the SSH or WinRM protocols). The goal of the bootstrap is to get Chef installed on the target system so it can run Chef Client with a Chef Server. The main assumption is a baseline OS installation exists (provided by the provisioning). It is primarily intended for Chef Client systems that talk to a Chef server. The examples below create Linux and Windows instances:
eate some instances -- knife configuration contains the AWS credentials
Linux instance via ssh
e ec2 server create -I ami-d0f89fb9 --ssh-key your-public-key-id -f m1.medium --ssh-user ubuntu --identity-file ~/.ssh/your-private-key
Windows instance via the WinRM protocol -- --ssh-key is still required due to EC2 API operations that need it to grant access to the Windows instance
-spot-price` option lets you specify the spot pricing
e ec2 server create -I ami-173d747e -G windows -f m1.medium --user-data ~/your-user-data-file -x '.\a_local_user' -P 'yourpassword' --ssh-key your-public-key-id --spot-price price-in-USD
ss --server-connect-attribute to specify the instance attribute that we will try to connect to via ssh/winrm
ssible values of --server-connect-attribute: private_dns_name, private_ip_address, public_dns_name, public_ip_address
--server-connect-attribute is not specified, knife attempts to determine if connecting to the instance's public or private IP is most appropriate based on other settings
e ec2 server create -I ami-173d747e -x ubuntu --server-connect-attribute public_ip_address
View additional information on configuring Windows images for bootstrap in the documentation for knife-windows.
The knife ec2 server create command also supports the following options for bootstrapping a Windows node after the VM s created:
rm_password The WinRM password
rm_authentication_protocol Defaults to negotiate, supports kerberos, can be set to basic for debugging
rm_transport Defaults to plaintext, use ssl for improved security
rm_port Defaults to 5985 plaintext transport, or 5986 for SSL
trust_file The CA certificate file to use to verify the server when using SSL
rm_ssl_verify_mode Defaults to verify_peer, use verify_none to skip validation of the server certificate during testing
beros_keytab_file The Kerberos keytab file used for authentication
beros_realm The Kerberos realm used for authentication
beros_service The Kerberos service used for authentication
knife ec2 server deleteDeletes an existing server in the currently configured AWS account. By default, this does not delete the associated node and client objects from the Chef server. To do so, add the --purge flag
knife ec2 server listOutputs a list of all servers in the currently configured AWS account. Note, this shows all instances associated with the account, some of which may not be currently managed by the Chef server.
right 2009-2015 Chef Software, Inc.
nsed under the Apache License, Version 2.0 (the "License");
may not use this file except in compliance with the License.
may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
ss required by applicable law or agreed to in writing, software
ributed under the License is distributed on an "AS IS" BASIS,
OUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
the License for the specific language governing permissions and
tations under the License.