Server Tuning
The server configuration file contains a list of all configuration options that are available for the Chef Infra Server. Some of these values should be modified for large-scale installations.
Note
Customize the Config File
The /etc/opscode/chef-server.rb
file contains all of the non-default
configuration settings used by the Chef Infra Server. The default
settings are built into the Chef Infra Server configuration and should
only be added to the chef-server.rb
file to apply non-default values.
These configuration settings are processed when the
chef-server-ctl reconfigure
command is run. The chef-server.rb
file
is a Ruby file, which means that conditional statements can be used
within it.
Use Conditions
Use a case
statement to apply different values based on whether the
setting exists on the front-end or back-end servers. Add code to the
server configuration file similar to the following:
role_name = ChefServer['servers'][node['fqdn']]['role']
case role_name
when 'backend'
# backend-specific configuration here
when 'frontend'
# frontend-specific configuration here
end
Recommended Settings
The following settings are typically added to the server configuration file (no equal sign is necessary to set the value):
api_fqdn
The FQDN for the Chef Infra Server. This setting is not in the server configuration file by default. When added, its value should be equal to the FQDN for the service URI used by the Chef Infra Server. For example:
api_fqdn "chef.example.com"
.bootstrap
Default value:
true
.ip_version
Use to set the IP version:
"ipv4"
or"ipv6"
. When set to"ipv6"
, the API listens on IPv6 and front end and back end services communicate via IPv6 when a high availability configuration is used. When configuring for IPv6 in a high availability configuration, be sure to set the netmask on the IPv6backend_vip
attribute. Default value:"ipv4"
.notification_email
Default value:
info@example.com
.
SSL Protocols
The following settings are often modified from the default as part of the tuning effort for the nginx service and to configure the Chef Infra Server to use SSL certificates:
nginx['ssl_certificate']
The SSL certificate used to verify communication over HTTPS. Default value:
nil
.nginx['ssl_certificate_key']
The certificate key used for SSL communication. Default value:
nil
.nginx['ssl_ciphers']
The list of supported cipher suites that are used to establish a secure connection. To favor AES256 with ECDHE forward security, drop the
RC4-SHA:RC4-MD5:RC4:RSA
prefix. For example:nginx['ssl_ciphers'] = "HIGH:MEDIUM:!LOW:!kEDH: \ !aNULL:!ADH:!eNULL:!EXP: \ !SSLv2:!SEED:!CAMELLIA: \ !PSK"
nginx['ssl_protocols']
The SSL protocol versions that are enabled. SSL 3.0 is supported by the Chef Infra Server; however, SSL 3.0 is an obsolete and insecure protocol. Transport Layer Security (TLS)—TLS 1.0, TLS 1.1, and TLS 1.2—has effectively replaced SSL 3.0, which provides for authenticated version negotiation between Chef Infra Client and Chef Infra Server, which ensures the latest version of the TLS protocol is used. For the highest possible security, it is recommended to disable SSL 3.0 and allow all versions of the TLS protocol. For example:
nginx['ssl_protocols'] = 'TLSv1 TLSv1.1 TLSv1.2'
Note
See https://www.openssl.org/docs/man1.0.2/man1/ciphers.html for more
information about the values used with the nginx['ssl_ciphers']
and
nginx['ssl_protocols']
settings.
For example, after copying the SSL certificate files to the Chef Infra
Server, update the nginx['ssl_certificate']
and
nginx['ssl_certificate_key']
settings to specify the paths to those
files, and then (optionally) update the nginx['ssl_ciphers']
and
nginx['ssl_protocols']
settings to reflect the desired level of
hardness for the Chef Infra Server:
nginx['ssl_certificate'] = '/etc/pki/tls/private/name.of.pem'
nginx['ssl_certificate_key'] = '/etc/pki/tls/private/name.of.key'
nginx['ssl_ciphers'] = 'HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK'
nginx['ssl_protocols'] = 'TLSv1 TLSv1.1 TLSv1.2'
Optional Services Tuning
The following settings are often used to for performance tuning of the Chef Infra Server in larger installations.
Note
When changes are made to the chef-server.rb file the Chef Infra Server must be reconfigured by running the following command:
chef-server-ctl reconfigure
bookshelf
The following setting is often modified from the default as part of the tuning effort for the bookshelf service:
bookshelf['vip']
The virtual IP address. Default value:
node['fqdn']
.
opscode-erchef
The following settings are often modified from the default as part of the tuning effort for the opscode-erchef service:
opscode_erchef['db_pool_size']
The number of open connections to PostgreSQL that are maintained by the service. If failures indicate that the opscode-erchef service ran out of connections, try increasing the
postgresql['max_connections']
setting. If failures persist, then increase this value (in small increments) and also increase the value forpostgresql['max_connections']
. Default value:20
.opscode_erchef['s3_url_ttl']
The amount of time (in seconds) before connections to the server expire. If Chef Infra Client runs are timing out, increase this setting to
3600
, and then adjust again if necessary. Default value:900
.opscode_erchef['strict_search_result_acls']
Use to specify that search results only return objects to which an actor
(user, client, etc.) has read access, as determined by ACL settings.
This affects all searches. When true
, the performance of the Chef
management console may increase because it enables the Chef management
console to skip redundant ACL checks. To ensure the Chef management
console is configured properly, after this setting has been applied with
a chef-server-ctl reconfigure
run chef-manage-ctl reconfigure
to
ensure the Chef management console also picks up the setting. Default
value: false
.
Warning
When true
, opscode_erchef['strict_search_result_acls']
affects all
search results and any actor (user, client, etc.) that does not have
read access to a search result will not be able to view it. For example,
this could affect search results returned during a Chef Infra Client
runs if a Chef Infra Client does not have permission to read the
information.
postgresql
The following setting is often modified from the default as part of the tuning effort for the postgresql service:
postgresql['max_connections']
The maximum number of allowed concurrent connections. This value should only be tuned when the
opscode_erchef['db_pool_size']
value used by the opscode-erchef service is modified. Default value:350
. If there are more than two front end machines in a cluster, thepostgresql['max_connections']
setting should be increased. The increased value depends on the number of machines in the front end, but also the number of services that are running on each of these machines.- Each front end machine always runs the oc_bifrost and opscode-erchef services.
- The Reporting add-on adds the reporting service.
- The Chef Push Jobs service adds the push_jobs service.
Each of these services requires 25 connections, above the default value.
Use the following formula to help determine what the increased value should be:
new_value = current_value + [ (# of front end machines - 2) * (25 * # of services) ]
For example, if the current value is 350, there are four front end machines, and all add-ons are installed, then the formula looks like:
550 = 350 + [(4 - 2) * (25 * 4)]