Connecting Chef Server to Amazon RDS
I previously wrote some notes on Chef Server’s external PostgreSQL support. I thought I’d also put together some technical details on using it with Amazon RDS.
The following assumes some familiarity with AWS, RDS, PostgreSQL, and Chef Server.
RDS
The Chef backend and frontend servers will all need access to the database. The security groups will need to allow that access, port 5432 by default.
Chef opens a large number of connections to the database, so if you use a small RDS instance type you may run out of connections with the default parameters. If you run into that (or just want to proactively avoid it) you’ll need to increase max_connections in your RDS Postgres parameter group.
The master user created with the instance is almost, but not quite, a Postgres superuser. My preference is to reserve that account for administrative use and create a second user to put in chef-server.rb.
Creating an RDS instance in the console will allow you to create a new database. Leave that blank. Chef will create all of its structures during initial setup.
Once the instance shows ready, you will need to create the slightly-less privileged user for the Chef server to use. Log in to the RDS instance as the master user:
Run this at the psql prompt to create the new user:
Naturally, replace chef and secret with your preferred values (or don’t, I’m not your security admin). Exit from psql with \q or ctrl-D.
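The user-creation step above, as an added example that is not part of the original post. It wraps the psql call so the master password comes from the environment rather than the command line, validates the role name, and doubles single quotes in the password so the CREATE ROLE statement stays a single valid string literal. The privilege set (LOGIN, CREATEDB, CREATEROLE) is an assumption here, the post only says "slightly-less privileged" than the master user, so confirm it against Chef's external PostgreSQL documentation for your version; the host and user names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): create the less-privileged Chef
# role on an RDS PostgreSQL instance while logged in as the master user.
# Assumed privilege set: LOGIN CREATEDB CREATEROLE (check the Chef docs for
# your version). Host names and user names are placeholders.

# Accept only plain lower-case identifiers so the name can be interpolated
# into SQL without any quoting.
valid_role_name() {
  case "$1" in
    ''|*[!a-z0-9_]*) return 1 ;;
    [0-9]*) return 1 ;;
  esac
  return 0
}

# Double every single quote so the value is a valid SQL string literal.
sql_quote() {
  printf '%s' "$1" | sed "s/'/''/g"
}

# Emit the CREATE ROLE statement. This is the only place the SQL is built,
# so the quoting rule lives in exactly one spot.
create_chef_role_sql() {
  role=$1
  password=$2
  valid_role_name "$role" || { echo "invalid role name: $role" >&2; return 1; }
  printf "CREATE ROLE %s WITH LOGIN CREATEDB CREATEROLE PASSWORD '%s';\n" \
    "$role" "$(sql_quote "$password")"
}

# Run the statement on the instance as the master user. psql reads the master
# password from PGPASSWORD, so it never appears in shell history or `ps`.
#   $1 RDS endpoint, $2 master user, $3 new role name, $4 new role password
create_chef_role() {
  host=$1 master_user=$2 role=$3 password=$4
  create_chef_role_sql "$role" "$password" |
    psql -h "$host" -U "$master_user" -d postgres -v ON_ERROR_STOP=1
}

# Usage (placeholders):
#   PGPASSWORD='master-password' \
#   create_chef_role yourrdsinstance.rds.amazonaws.com masteruser chef secret
```

ON_ERROR_STOP makes psql exit non-zero if the role already exists or the master account lacks a privilege, instead of printing an error and reporting success.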
Chef Server
Most of the chef-server.rb configuration is the same regardless of what Postgres you use. There are a few additional parameters to configure the external database, covered in the Chef Server documentation. A summary:
Once chef-server.rb is ready, run chef-server-ctl reconfigure and complete the remaining configurations just as you would for the bundled Postgres.
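The external-database settings for chef-server.rb, as an added example rather than the post's own summary. The postgresql['...'] keys are the ones Chef documents for external PostgreSQL (external, vip, port, db_superuser, db_superuser_password); postgresql['sslmode'] is added here on the assumption that your Chef Server version supports it, so the connection to RDS is encrypted in transit. The renderer escapes values for Ruby single-quoted strings, and the checker refuses to proceed to reconfigure if the file does not actually enable the external database. Host and user names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): render the external-PostgreSQL
# lines for chef-server.rb and sanity-check an existing file before running
# chef-server-ctl reconfigure. Keys follow Chef's external PostgreSQL docs;
# sslmode is assumed to be supported by your version. Values are placeholders.

# Escape a value for a Ruby single-quoted string: backslash and quote only.
rb_quote() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

#   $1 RDS endpoint, $2 Chef database user, $3 that user's password
render_external_pg_config() {
  host=$1 user=$2 password=$3
  cat <<EOF
postgresql['external'] = true
postgresql['vip'] = '$(rb_quote "$host")'
postgresql['port'] = 5432
postgresql['db_superuser'] = '$(rb_quote "$user")'
postgresql['db_superuser_password'] = '$(rb_quote "$password")'
postgresql['sslmode'] = 'require'
EOF
}

# Return 1 (with a reason on stderr) if the file would still configure the
# bundled Postgres, has no host, or carries an empty database password.
check_external_pg_config() {
  file=$1
  grep -q "^postgresql\['external'\] = true" "$file" ||
    { echo "$file: postgresql['external'] is not true" >&2; return 1; }
  grep -q "^postgresql\['vip'\] = '..*'" "$file" ||
    { echo "$file: postgresql['vip'] is missing or empty" >&2; return 1; }
  grep -q "^postgresql\['db_superuser_password'\] = ''" "$file" &&
    { echo "$file: empty db_superuser_password" >&2; return 1; }
  return 0
}

# Usage (placeholders):
#   render_external_pg_config yourrdsinstance.rds.amazonaws.com chef secret \
#     >> /etc/opscode/chef-server.rb
#   check_external_pg_config /etc/opscode/chef-server.rb && chef-server-ctl reconfigure
```

Because chef-server.rb holds the database password in clear text, keep its permissions tight (root-only) and treat any copy of /etc/opscode, backups included, as a secret.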
Un-configuring (cleansing)
Running chef-server-ctl cleanse works as expected. The external database content will only be purged if you pass --with-external. If you don’t include it, chef-server-ctl will helpfully put a cleanup SQL script in the opscode-cleanse backup directory and tell you about it.
Backup and Restore
The recommended tool for backup and restore is knife ec backup. Recent versions of Chef Server put knife at /opt/opscode/bin/knife. You’ll need to give it --sql-host yourrdsinstance.rds.amazonaws.com to back up and restore.
You also need a working knife configuration and connectivity to your load balancer (if you use one). You will need to either pass the --server-url argument or put the chef_server_url setting in .chef/knife.rb. If you don’t disable SSL verification (which you shouldn’t) you will also need to knife ssl fetch the first time to set up the trust.
You can probably also do a regular PostgreSQL RDS backup along with saving a copy of /etc/opscode and /var/opt/opscode somewhere secure (like a locked-down S3 bucket), but you’d run the risk of the filesystem and database being out of sync if your environment is busy.
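A wrapper for the knife ec backup and restore procedure above, as an added example that is not part of the original post. It checks the two prerequisites the post lists before running anything: an RDS endpoint for --sql-host, and a server URL from either --server-url or a chef_server_url line in knife.rb (commented-out lines do not count). Paths and host names are placeholders, and KNIFE can be overridden if your Chef Server version installs knife elsewhere.

```shell
#!/bin/sh
# Added example (not from the original post): run knife ec backup/restore
# against an external RDS database only after the prerequisites are met.
# Host names and paths are placeholders.

KNIFE=${KNIFE:-/opt/opscode/bin/knife}

# 0 if the given knife.rb has an active (uncommented) chef_server_url setting.
knife_rb_has_server_url() {
  [ -f "$1" ] && grep -q '^[[:space:]]*chef_server_url[[:space:]]' "$1"
}

# Validate arguments; prints the reason to stderr and returns 1 on a problem.
#   $1 backup directory, $2 RDS endpoint for --sql-host,
#   $3 path to knife.rb, $4 optional server URL for --server-url
check_ec_args() {
  dir=$1 sql_host=$2 knife_rb=$3 server_url=$4
  [ -n "$dir" ] || { echo "backup directory required" >&2; return 1; }
  [ -n "$sql_host" ] || { echo "RDS endpoint for --sql-host required" >&2; return 1; }
  if [ -z "$server_url" ] && ! knife_rb_has_server_url "$knife_rb"; then
    echo "pass a server URL or set chef_server_url in $knife_rb" >&2
    return 1
  fi
}

# $1 = backup|restore, remaining arguments as for check_ec_args.
knife_ec() {
  action=$1; shift
  case "$action" in
    backup|restore) ;;
    *) echo "action must be backup or restore" >&2; return 1 ;;
  esac
  check_ec_args "$@" || return 1
  dir=$1 sql_host=$2 server_url=$4
  [ -x "$KNIFE" ] || { echo "knife not found at $KNIFE" >&2; return 1; }
  if [ -n "$server_url" ]; then
    "$KNIFE" ec "$action" "$dir" --sql-host "$sql_host" --server-url "$server_url"
  else
    "$KNIFE" ec "$action" "$dir" --sql-host "$sql_host"
  fi
}

# Usage (placeholders):
#   knife_ec backup  /var/backups/chef yourrdsinstance.rds.amazonaws.com ~/.chef/knife.rb
#   knife_ec restore /var/backups/chef yourrdsinstance.rds.amazonaws.com \
#     ~/.chef/knife.rb https://chef.example.com
```

The backup directory ends up holding the full database content, including user and key data, so give it the same access controls you would give the RDS instance itself.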
Migrating to/from External PostgreSQL
There is no specific migration tool between the embedded Postgres and an external database. You will need to use knife ec to back up from one and restore to the other.
Feedback?
Comments welcome. Best channels are probably Twitter @mkheironimus or email heironimus@gmail.com.