
Using Chef with AIX

Vess Natchev
vess@us.ibm.com
Power Cloud Team Leader
IBM Systems Lab Services

Why Use Chef ?
• Supported client available on AIX (https://www.chef.io/blog/2014/12/08/announcing-chef-client-for-ibm-aix/)
– Available since December 8, 2014

• IBM and Chef work together !

• AIX cookbook with multiple resources available from IBM on official Chef
supermarket – https://supermarket.chef.io/cookbooks/aix

• Multiple examples available at chmod666.org (Benoit Creau’s site)


– E.g., http://chmod666.org/index.php/updating-tl-and-sp-using-chef/

• Wealth of additional docs and education available from Chef; e.g.,


https://docs.chef.io/chef_overview.html

© Copyright IBM Corporation 2015


Advantages ?
• Automation (build, deploy,
manage)
• Your infrastructure becomes:
– Versionable (chef-repo built over a
git repo)
– Testable
– Repeatable
• Chef turns infrastructure into
code
• Use it for:
– Patch Management
– Post-installation
– Configuration management



What Is Chef ?
• Automation platform (like Ansible, Puppet, Saltstack)
• Automate how systems/applications (we’ll talk here about
systems only) are:
– Deployed (i.e. build time)
– Configured (i.e. post-install time)
– Managed (the life of the system after its installation)
• Client/Server architecture:
– Chef Server : available only on x86 (https://downloads.chef.io/chef-server/)
– Chef Client : AIX Client available (https://downloads.chef.io/chef-client/aix/)
• Based on Ruby (You’ll have to learn Ruby if you want to
develop your own providers) (don’t worry ruby=super simple)
• Available for free (without premium features)
• Hosted server and support available from
Chef/Opscode (https://www.chef.io/chef/)

Chef Components
Terms 1/2
• A few things you need to know before beginning:
– Cookbook: A bunch of recipes, providers and templates
– Recipe: Describes what to do and how to do it (install a fileset, mount a
filesystem)
– Provider/resource: The piece of code that configures an item (creating a
directory, changing a device attribute …)
– Node: where the chef-client is run
– Server: the chef server holds all nodes' configuration data
(cookbooks, recipes, templates)
– Environment: production, test, dev, site, …
– Templates: Used to generate static text files (contain statements
and expressions)
– Roles: database, application, webserver



Terms 2/2
• What’s idempotence ?
– Running the tool over and over doesn't change the system after the
first time.
– For instance, if a recipe creates a directory and the directory
already exists, chef will not try to recreate it.
• What’s convergence ?
– A recipe converges when it performs an action (creating the directory: it
converges; not creating it: it does not converge)



chef-client installation 1/2
• Check for new versions – https://downloads.chef.io/chef. Updated often!



chef-client Installation 2/2
• Install any UTF-8 English language environment (not mandatory
but recommended to avoid any warning messages)
# smitty lang



What’s in the fileset ?
• chef-client
• chef-solo
• Ohai
• Ruby (chef is based on Ruby)
• Some « default » providers:
– cron
– group
– mount
– services
– inittab
# find /opt -type f | grep provider | grep aix
/opt/chef/embedded/apps/chef/lib/chef/provider/cron/aix.rb
/opt/chef/embedded/apps/chef/lib/chef/provider/group/aix.rb
/opt/chef/embedded/apps/chef/lib/chef/provider/ifconfig/aix.rb
/opt/chef/embedded/apps/chef/lib/chef/provider/mount/aix.rb
/opt/chef/embedded/apps/chef/lib/chef/provider/package/aix.rb
/opt/chef/embedded/apps/chef/lib/chef/provider/service/aix.rb
/opt/chef/embedded/apps/chef/lib/chef/provider/service/aixinit.rb
/opt/chef/embedded/apps/chef/lib/chef/provider/user/aix.rb



Ohai 1/2
• What’s Ohai ?
– Ohai is a tool that is used to detect attributes on a node, and then
provide these attributes to the chef-client at the start of every chef-
client run. Ohai is required by the chef-client and must be present on a
node. (Ohai is installed on a node as part of the chef-client install
process.)
– The types of attributes Ohai collects include (but are not limited to):
• Platform details
• Network usage
• Memory usage
• CPU data
• Kernel data
• Host names
• Fully qualified domain names
• Other configuration details
• You can create custom plugins

Ohai 2/2
• Ohai attributes are accessible in any recipe or template (it’s a
tree):

node['ipaddress']
node['macaddress']
node['os']
node['os_version']
node['platform_version']
node['virtualization']['lpar_name']
node['virtualization']['lpar_no']

node['filesystem']['/dev/hd4']['kb_size']
node['filesystem']['/dev/hd4']['kb_used']
node['filesystem']['/dev/hd4']['percent_used']
node['filesystem']['/dev/hd4']['mount']
node['filesystem']['/dev/hd4']['fs_type']



Getting Started with Chef: chef-solo 1/2
• Before trying to work with chef-server, start with chef-solo
• You don’t need a chef-server to do that, just install the client on
an AIX box.
• Configuration:
– Create directories:

# mkdir -p ~/chef/cookbooks/aix/providers
# mkdir -p ~/chef/cookbooks/aix/recipes
# mkdir -p ~/chef/cookbooks/aix/resources

– Create solo.rb (cookbook_path: where are my cookbooks; json_attribs: describes the « run_list »):

# cat solo.rb
file_cache_path "/root/chef"
cookbook_path "/root/chef/cookbooks"
json_attribs "/root/chef/node.json"
– Create node.json (run all the recipes in the cookbook called « aix »):
# cat node.json
{
"run_list": [ "recipe[aix]" ]
}

Getting Started with Chef: chef-solo 2/2
• Running chef-solo:
# chef-solo -c ~/chef/solo.rb

• You will need to debug your recipes and providers:

– Run chef-solo in info mode (will print all Chef::Log.info)
# chef-solo -c ~/chef/solo.rb -l info

– Run chef-solo in debug mode (will print all Chef::Log.debug)
# chef-solo -c ~/chef/solo.rb -l debug

• Running particular recipes:
# chef-solo -c ~/chef/solo.rb -o "recipe[aix::install_filesets],recipe[aix::install_ssh]"

Will only run recipes called « install_filesets » and « install_ssh »

• Running a particular environment:
# chef-solo -c ~/chef/solo.rb -E production
OR
# chef-solo -c ~/chef/solo.rb -E oracle

Writing your first recipe ! Hello world ! 1/4
• Recipes are run from the top down:
# cat ~/chef/cookbooks/aix/recipes/hello_world.rb
directory "/tmp/hello_ibm_techu" do
  owner 'root'
  group 'system'
  mode '0755'
  action :create
end
file "/tmp/hello_ibm_techu/hello" do
  content "Hello IBM Technical university ! Chef is AWESOME!"
end

• 1 – We are creating a directory /tmp/hello_ibm_techu


• 2 – We are writing a text in a file called hello in this directory



Writing your first recipe ! Hello world ! 2/4
• Running this recipe:

Creating the directory

Writing the file

2 resources ok !



Writing your first recipe ! Hello world ! 3/4
• Does it work ?

• Rerun it (idempotence !!!!!)

Already ok ! Do nothing !

0 resources !



Writing your first recipe ! Hello world ! 4/4
• Let’s change the content of the file
file "/tmp/hello_ibm_techu/hello" do
  content "Tyrell : Is this to be an empathy test? Capillary dilation of the so-called blush response? Fluctuation of the pupil. Involuntary dilation of the iris...
Deckard: We call it Voight-Kampff for short."
end

Removed !

1 resource ! Added!



Ohai custom plugins 1/2
• You may want to add your own custom attributes to ohai (in my
case I need the oslevel to do the update of my AIX hosts)
– It’s a piece of ruby code:
– In the example below I’m getting:
• The oslevel
• The nodename
• The partition name
• The memory mode
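
The slide's plugin code is not reproduced on this page, so the following is an added example, not the author's plugin: an Ohai plugin that publishes the four values listed above under node['aixcustom']. The sub-key names other than oslevel, the use of `oslevel -s` and `lparstat -i`, and the sample output are assumptions.

```ruby
# Added example (not the author's plugin). Field names follow `lparstat -i`.
# Constructed sample output, trimmed to the fields used here.
SAMPLE_LPARSTAT = <<~OUT
  Node Name                                  : aixnode01
  Partition Name                             : aixnode01-lpar
  Partition Number                           : 7
  Memory Mode                                : Dedicated
OUT

# Turn "Key : Value" lines into a hash; lines without a colon are skipped.
def parse_lparstat(text)
  text.each_line.each_with_object({}) do |line, out|
    key, value = line.split(":", 2)
    out[key.strip] = value.strip unless value.nil?
  end
end

# Build the attribute tree from raw command output. An oslevel that does not
# look like RRRR-TL-SP-YYWW is stored as nil rather than passed on to recipes.
def aixcustom_attributes(oslevel_out, lparstat_out)
  lpar = parse_lparstat(lparstat_out)
  level = oslevel_out.to_s.strip
  {
    "oslevel"        => level.match?(/\A\d{4}-\d{2}-\d{2}-\d{4}\z/) ? level : nil,
    "nodename"       => lpar["Node Name"],
    "partition_name" => lpar["Partition Name"],
    "memory_mode"    => lpar["Memory Mode"],
  }
end

# The plugin itself; evaluated only when Ohai loads this file.
if defined?(Ohai)
  Ohai.plugin(:Aixcustom) do
    provides "aixcustom"

    collect_data(:aix) do
      aixcustom Mash.new
      attrs = aixcustom_attributes(shell_out("oslevel -s").stdout,
                                   shell_out("lparstat -i").stdout)
      attrs.each { |name, value| aixcustom[name] = value }
    end
  end
end
```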



Ohai custom plugins 2/2
• Put your plugins in your chef client configuration:
# grep ohai client.rb
Ohai::Config[:plugin_path] << '/etc/chef/ohai_plugins'

• Or run ohai with plugins path:


# ohai -d /etc/chef/ohai_plugins

• Check it works:

• Now access oslevel with: node['aixcustom']['oslevel']



Real-life Examples



Updating your servers with Chef 1/5
• What do you do when updating ?
– Checking with lppchk there are no broken filesets (lppchk)
– Committing all uncommitted filesets (installp)
– Remove any installed efix (emgr)
– Make a backup of your system (alt_disk_copy)
– Run the update:
• While doing the alt_disk_copy
– In this case mount a remote directory from your nim server
• Using nimclient
– The nimclient must be configured
• Using multibos
– In this case there is no need to make a backup of your system
– Unmount all mounted directories
– Check with lppchk there are no broken filesets
– http://chmod666.org/index.php/updating-tl-and-sp-using-chef/

Updating your servers with Chef 2/5
– Providers available: multibos, emgr, nimclient, niminit, alt_disk_copy
– The recipes available:
• update_by_multibos
– Do a multibos and update it
• update_by_altdisk
– Do an alt_disk_copy and update it
• update_by_nimclient
– Create an alt_disk_copy (to back up your server)
– Use nimclient to do the update
– The nimclient provider needs a special naming convention for your NIM
lpp_source to determine which SP/TL to apply

# nimclient -l -t lpp_source | grep 7100


7100-03-00-0000-lpp_source resources lpp_source
7100-03-01-1341-lpp_source resources lpp_source
7100-03-02-1412-lpp_source resources lpp_source
7100-03-03-1415-lpp_source resources lpp_source
7100-03-04-1441-lpp_source resources lpp_source
7100-03-05-1524-lpp_source resources lpp_source
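
As an added illustration (not the cookbook's provider code), this shows how the naming convention lets a tool pick the lpp_source to apply from the node's `oslevel -s` value. The selection policy (newest service pack within the node's current TL) and the function names are assumptions.

```ruby
# Constructed sample: the `nimclient -l -t lpp_source` listing from the slide.
NIM_LISTING = <<~OUT
  7100-03-00-0000-lpp_source   resources   lpp_source
  7100-03-01-1341-lpp_source   resources   lpp_source
  7100-03-02-1412-lpp_source   resources   lpp_source
  7100-03-03-1415-lpp_source   resources   lpp_source
  7100-03-04-1441-lpp_source   resources   lpp_source
  7100-03-05-1524-lpp_source   resources   lpp_source
OUT

LEVEL_RE = /\A(\d{4})-(\d{2})-(\d{2})-(\d{4})\z/

# "7100-03-02-1412" -> [7100, 3, 2, 1412]; nil when the string is not a level.
def parse_level(str)
  m = LEVEL_RE.match(str.to_s.strip)
  m && m.captures.map(&:to_i)
end

# Resources named "<level>-lpp_source"; anything else in the listing is ignored.
def lpp_sources(listing)
  listing.each_line.map do |line|
    name = line.split.first.to_s
    level = parse_level(name.sub(/-lpp_source\z/, "")) if name.end_with?("-lpp_source")
    level && { name: name, level: level }
  end.compact
end

# Hypothetical policy: newest service pack of the node's own release and TL.
# Returns the lpp_source name, or nil when the node is already at that level.
def pick_update(current_oslevel, listing)
  cur = parse_level(current_oslevel)
  raise ArgumentError, "unexpected oslevel #{current_oslevel.inspect}" if cur.nil?

  newer = lpp_sources(listing).select do |src|
    src[:level].first(2) == cur.first(2) && (src[:level] <=> cur) > 0
  end
  best = newer.max_by { |src| src[:level] }
  best && best[:name]
end
```

Rejecting names and oslevel strings that do not match the pattern keeps a mislabelled NIM resource from being selected as a patch source.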



Update your servers: update_by_multibos 3/5

Recipe
Execution



Update your server: update_by_altdisk 4/5



Update your servers: update_by_nimclient 5/5



Resources in AIX Cookbook
• https://supermarket.chef.io/cookbooks/aix
• Resources currently available:
– inittab
– subserver (inetd)
– tcpservice
– toolboxpackage (install packages from AIX Toolbox for Linux)
– chdev
– pagingspace
– no (network tunables)
– tunables (other tunables like vmo)
– multibos
– chsec
– etchosts
– niminit
– nimclient
– bootlist
– altdisk
– fixes
– volume_group
– logical_volume
– filesystem
– wpar

AIX postinstall with chef
• Super short example:
– Creating root home and .profile.
– Installing ssh and sddpcm.
– Changing /etc/motd.
Recipe: aix7::ohai_custom
* ohai[reload] action reload
- re-run ohai and merge results into node attributes
* template[/etc/chef/ohai_plugins/aixcustom.rb] action create (up to date)
Recipe: aix7::create_fs_rootvg
* execute[hd3] action runThe filesystem size is already 2097152.
- execute chfs -a size=1024M /tmp
* execute[hd9var] action runThe filesystem size is already 1048576.
- execute chfs -a size=512M /var
* execute[/apps] action run (skipped due to not_if)
* mount[/apps] action mount (up to date)
Recipe: aix7::create_profile_root
* directory[/root] action create (up to date)
* user[root] action create (up to date)
* file[/root/.profile] action create (up to date)
Recipe: aix7::motd
* template[/tmp/motd] action create (up to date)
Recipe: aix7::install_ssh
* bff_package[openssh.license] action install (up to date)
* bff_package[openssh.base] action install
- install version 6.0.0.6103 of package openssh.base
* service[sshd] action start (up to date)
Recipe: aix7::install_sddpcm
* bff_package[devices.fcp.disk.ibm.mpio] action install
- install version 1.0.0.24 of package devices.fcp.disk.ibm.mpio
* bff_package[devices.sddpcm.71.rte] action install (up to date)



Integrating Chef with PowerVC
• What is the problem we are trying to solve?
– Automate and reliably repeat post-installation tasks – installing or updating filesets,
changing configuration files, accessing remote resources
– Tasks that would previously be executed via Korn or Bash shell scripts; or via NIM scripts
on AIX

• How are we solving the problem?


– We are automating registering with the Chef server for a new VM and executing a specific
role (which is associated with cookbooks and recipes)
– We are doing so via cloud-init, so that the admin or user is still using the PowerVC UI to
deploy the VM (server, storage, network automation) and perform post-install tasks (Chef
automation)
Requirements and Automation Sequence
• What is required?
– Standard Chef server and Chef workstation configuration (not shown)
• Specific roles, cookbooks and recipes created for AIX VMs (see later slides)
– Operational PowerVC environment that can provision AIX (not shown)
• Includes base cloud-init configuration
– AIX image in PowerVC that has chef-client installed (not shown)
– Chef-specific cloud-init configuration (see later slides)

• What is the sequence of events?


– PowerVC provisions image that has AIX and cloud-init installed and configured for Chef
– cloud-init runs at first boot and executes chef module (along with rest)
– chef-client registers with Chef server with a specific role
– Cookbooks and recipes configured for role on Chef server execute on VM
Chef Workstation and Server Configuration

• “aix71” role has been created


• Correct directory structure for cookbooks and recipes has been created within /chef-
repo
• Test recipe has been created
PowerVC Configuration

• Image that has AIX, cloud-init and chef-client installed and configured has
been captured
AIX Configuration

• Make sure the chef module is set to run in the
config stage
• Add a Chef-specific stanza at the end that
contains:
– The Chef server URL and validation name
– The Chef server validation private key
– The list of roles that should be executed on
the deployed VM
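
An added example, not the presenter's configuration: a pre-capture check that a cloud-init configuration has the chef module in the config stage and a stanza with the three items listed above. Key names follow the upstream cloud-init chef module (server_url, validation_name, validation_cert or validation_key, run_list); the sample values and the function name are constructed.

```ruby
require "yaml"

# Constructed sample cloud-init configuration; every value is a placeholder.
SAMPLE_CLOUD_CFG = <<~YAML
  cloud_config_modules:
    - runcmd
    - chef
  chef:
    server_url: "https://chef.example.com/organizations/example"
    validation_name: "example-validator"
    validation_cert: |
      <PEM private key goes here (placeholder)>
    run_list:
      - "role[aix71]"
YAML

# Returns a list of problems; an empty list means the stanza is complete.
def check_chef_cloud_cfg(yaml_text)
  cfg = YAML.safe_load(yaml_text)
  cfg = {} unless cfg.is_a?(Hash)
  chef = cfg["chef"].is_a?(Hash) ? cfg["chef"] : {}
  problems = []

  # Module entries may be plain names or [name, frequency] pairs.
  modules = Array(cfg["cloud_config_modules"]).map { |m| Array(m).first }
  problems << "chef module not in cloud_config_modules" unless modules.include?("chef")

  url = chef["server_url"].to_s
  problems << "server_url missing" if url.empty?
  problems << "server_url is not https" unless url.empty? || url.start_with?("https://")
  problems << "validation_name missing" if chef["validation_name"].to_s.empty?

  key = chef["validation_cert"] || chef["validation_key"]
  problems << "validation private key missing" if key.to_s.strip.empty?

  roles = Array(chef["run_list"]).grep(/\Arole\[[^\]]+\]\z/)
  problems << "run_list names no role" if roles.empty?
  problems
end
```

The stanza carries the Chef validation private key, so the captured image's cloud-init configuration should be readable by root only.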
End Result

• Once a standard PowerVC deploy has been performed, the test recipe defined for
the role executes on the new VM
