
Configuring static routes with chef.io


Currently I want to use (opscode) Chef to configure all our routes on our machines. Since I'm very lazy, I already searched on the internet for a ready-to-go cookbook but couldn't find anything. I know that Chef has a feature to configure routes "https://docs.chef.io/resource_route.html", but this is not enough for our use-case. We have VMs in different placement zones (prod, preprod, dev) in MZ and DMZ with different gateways on each. If I can't find a cookbook that can differentiate that, I need to write one by myself. My idea was to analyze the node-name via ruby and use a loop and the chef-route resource to create all routes.

if /_prod/ =~ Chef::Config[:node_name]

So my hope is that somebody is already using chef to configure routes in an enterprise-size and can help me out or that the community provides me some ideas on developing the cookbook by myself.


Solution

  • Your environment description (around chef particularly) is not really detailed, so I'll answer on how I see it:

    1. Chef environments to lock cookbooks in the dev/QA/Prod (could be extended to dev/dev DMZ/QA/QA DMZ/Prod/Prod DMZ, etc)
    2. One wrapper (role) cookbook to set attributes like gateway, static routes per type of box or per group of routes you wish to set
    3. A code cookbook containing the recipe using the attributes defined before.

    Depending on the way you'll have one or many wrapper cookbooks on your node runlist. Making a change to a route (in a wrapper) will go through locking them in the corresponding environment.

    For the routes management, maybe a wrapper per "zone" is the best idea if one of your zones matches exactly one environment.

    WARNING: This is an example based on my current environment and how I would do it, I do not actually use the code below.

    For our infrastructure, we have 3 QA environments (too many) within the same security zone (vlan), so we need to change the routing with the apps lifecycle, it's where the locking mechanism comes in handy to change part of the nodes routing and not the whole nodes in the zone.

    For the cookbook (the point 3 above, let's name it 'my_routing_cookbook'), it's quite "simple". In the attributes let's have:

    default['sec']['default'] = { gw: '192.168.1.250', device: 'eth1' }
    default['sec']['routes']['172.16.0.0/16'] = { gw: '192.168.1.254', device: 'eth0' }
    default['sec']['routes']['10.0.0.0/8'] = { gw: '192.168.1.254', device: 'eth0' }
    

    In the recipe:

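    # Default gateway, taken from the wrapper cookbook's attributes
    route '0.0.0.0/0' do
      gateway node['sec']['default']['gw']
      device node['sec']['default']['device']
    end
    # One route resource per entry: key is the target CIDR, value holds gw/device
    node['sec']['routes'].each do |r, properties|
      route r do
        gateway properties['gw']
        device properties['device']
      end
    end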
    

    The default gateway could be in the route list, I just think it's easiest for non networking people to retain it's the default gateway like this.

    For the point 2, each wrapper cookbook will depend on this one and set its own attributes. Those cookbooks will have a default.rb just calling include_recipe 'my_routing_cookbook'

    Hope it will help you getting started.
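
Because each wrapper cookbook supplies its own gateways and targets, a typo in one of them can send a zone's traffic to the wrong gateway. The following is an added example, not code from the answer or from Chef: a plain-Ruby check over a hash shaped like the answer's `node['sec']` attributes. The module name `RouteAttributes`, its methods and the IPv4-only restriction are assumptions made for illustration.

```ruby
require 'ipaddr'

# Hypothetical helper, not part of Chef: checks a hash shaped like the
# answer's node['sec'] attributes before any route resource is declared.
module RouteAttributes
  DEVICE_RE = /\A[A-Za-z0-9_.:-]{1,15}\z/ # Linux interface names: max 15 chars

  module_function

  # Returns [{ target:, gateway:, device: }, ...], default route first. Raises
  # ArgumentError (KeyError for a missing key) on a malformed entry.
  def build(sec)
    entries = [['0.0.0.0/0', sec.fetch('default')]]
    sec.fetch('routes', {}).each do |target, props|
      raise ArgumentError, "#{target}: second default route" if network(target).prefix.zero?
      entries << [target, props]
    end
    entries.map { |target, props| entry(target, props) }
  end

  # Parses an IPv4 CIDR; rejects host bits set (e.g. 172.16.5.0/16),
  # which usually means a wrong prefix length.
  def network(target)
    addr, prefix = target.to_s.split('/', 2)
    raise ArgumentError, "#{target}: prefix length required" if prefix.nil?
    net = IPAddr.new(target.to_s) # IPAddr::Error is an ArgumentError
    raise ArgumentError, "#{target}: IPv4 only" unless net.ipv4?
    raise ArgumentError, "#{target}: host bits set" unless IPAddr.new(addr).to_i == net.to_i
    net
  end

  def entry(target, props)
    props = props.transform_keys(&:to_s) # accept gw: as well as 'gw'
    network(target)
    gw = props.fetch('gw').to_s
    raise ArgumentError, "#{target}: gateway must be one host" if gw.include?('/')
    raise ArgumentError, "#{target}: gateway must be IPv4" unless IPAddr.new(gw).ipv4?
    dev = props.fetch('device').to_s
    raise ArgumentError, "#{target}: bad device #{dev.inspect}" unless dev.match?(DEVICE_RE)
    { target: target, gateway: gw, device: dev }
  end
end

# Constructed sample mirroring the attribute file in the answer.
SAMPLE_SEC = {
  'default' => { gw: '192.168.1.250', device: 'eth1' },
  'routes' => { '172.16.0.0/16' => { gw: '192.168.1.254', device: 'eth0' },
                '10.0.0.0/8' => { gw: '192.168.1.254', device: 'eth0' } }
}.freeze
```
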