- Ubuntu
- The server you wish to configure as the Chef server must be reachable by hostname.
Log in to the server. The first task is to ensure that the server's hostname is a resolvable fully qualified domain name (FQDN) or IP address. You can check this by typing:
hostname -f
The result should be an address at which the server can be reached. If it is not, you can set a domain name or IP address at which the server can be reached by editing /etc/hosts. View the current contents with:
cat /etc/hosts
The file will look similar to this:
127.0.1.1 current_hostname current_hostname_alias
127.0.0.1 localhost
Modify the top line to reflect the fully qualified domain name or the IP address, followed by a space and any alias you want to use for your host. Beneath the two lines shown, add a line that has your server's public IP address in the first column, followed by the same names you put at the end of the 127.0.1.1 line. It should look something like this:
127.0.1.1 fqdn_or_IP_address host_alias
127.0.0.1 localhost
IP_address fqdn_or_IP_address host_alias
So, if I do not have a domain name, my IP address is 192.168.0.121, and I also want my host to be reachable by the hostname "chef", the file could look like this:
127.0.0.1 localhost
127.0.1.1 192.168.0.121 chef.cldcvr.com cldcvr-chef
192.168.0.121 chef.cldcvr.com cldcvr-chef
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Check the hostname again:
hostname -f
The result should be a value that you can use to reach your Chef server from anywhere in your infrastructure.
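As an added check, not part of the original guide: a small shell function that reads a hosts file and reports whether a name maps to a non-loopback IPv4 address, which is the condition the hostname -f step above is meant to establish. The sample hosts file is constructed to match the example above.

```shell
# Added example, not part of the original guide: check that a hosts file maps
# the Chef server's FQDN to an address other nodes can reach, rather than only
# to the 127.0.1.1 loopback alias. Prints that address and returns 0 on
# success; returns 1 when the name is absent or bound only to loopback.
check_hosts_fqdn() {
    hosts_file=$1
    name=$2
    addr=$(awk -v name="$name" '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blank lines
        $1 ~ /^127\./ || $1 ~ /:/ { next }         # skip IPv4 loopback and IPv6 entries
        {
            for (i = 2; i <= NF; i++)
                if ($i == name) { print $1; exit }
        }' "$hosts_file")
    [ -n "$addr" ] || return 1
    echo "$addr"
}

# Constructed sample reproducing the guide's /etc/hosts for 192.168.0.121
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1 localhost
127.0.1.1 192.168.0.121 chef.cldcvr.com cldcvr-chef
192.168.0.121 chef.cldcvr.com cldcvr-chef
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
EOF
check_hosts_fqdn "$sample" chef.cldcvr.com && echo "reachable mapping present"
check_hosts_fqdn "$sample" localhost || echo "localhost is loopback only"
rm -f "$sample"
```

On the server itself, run check_hosts_fqdn /etc/hosts "$(hostname -f)" to test the live file.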
Download the Chef server package into your home directory:
cd ~
wget https://packages.chef.io/stable/ubuntu/14.04/chef-server-core_12.6.0-1_amd64.deb
Once the download is complete, install the package by typing:
dpkg -i chef-server-core_12.6.0-1_amd64.deb
This will install the base Chef 12 system onto the server. If you have selected a server with less powerful hardware than the recommended amount, this step may fail. Once the installation is complete, you must call the reconfigure command, which configures the components that make up the server to work together in your specific environment:
chef-server-ctl reconfigure
Next, we need to create an admin user. This will be the username that will have access to make changes to the infrastructure components in the organization we will be creating.
chef-server-ctl user-create USERNAME FIRST_NAME LAST_NAME EMAIL PASSWORD
For our example, we will create a user with the following information:
Username: ccadmin
First Name: ccadmin
Last Name: ccadmin
Email: [email protected]
Password: examplepass
Filename: ccadmin.pem
sudo chef-server-ctl user-create ccadmin ccadmin ccadmin [email protected] examplepass -f ccadmin.pem
You should now have a private key called ccadmin.pem in your current directory.
Now that you have a user, you can create an organization with the org-create subcommand. An organization is simply a grouping of infrastructure and configuration within Chef. The command has the following general syntax:
chef-server-ctl org-create SHORTNAME LONGNAME --association_user USERNAME
We will create an organization with the following qualities:
Short Name: cldcvr
Long Name: cldcvr
Association User: ccadmin
Filename: cldcvr-validator.pem
To create an organization with the above qualities, we will use the following command:
chef-server-ctl org-create cldcvr "cldcvr" --association_user ccadmin -f cldcvr-validator.pem
Following this, you should have two .pem key files in your home directory. In our case, they will be called ccadmin.pem and cldcvr-validator.pem. Both are private keys: the validator key in particular lets anyone who holds it register new clients with the organization, so keep both readable only by you.
Optionally, install the Chef management console (a web UI for the server) and reconfigure both services:
chef-server-ctl install chef-manage
chef-server-ctl reconfigure
chef-manage-ctl reconfigure
We will need to connect to this server and download these keys to our workstation momentarily. For now though, our Chef server installation is complete.
Now that our Chef server is up and running, our next course of action is to configure a workstation. The actual infrastructure coordination and configuration does not take place on the Chef server. This work is done on a workstation which then uploads the data to the server to influence the Chef environment.
Clone the Chef Repo:
- The Chef configuration for your infrastructure is maintained in a hierarchical file structure known collectively as a Chef repo.
- The general structure of this can be found in a GitHub repository provided by the Chef team.
- We will use git to clone this repo onto our workstation to work as a basis for our infrastructure's Chef repository.
First, we need to install git through the apt packaging tools. Update your packaging index and install the tool by typing:
apt-get update
apt-get install git
Once you have git installed, you can clone the Chef repository onto your machine. For this guide, we will simply clone it to our home directory:
cd ~
git clone https://github.com/chef/chef-repo.git
Next, install the Chef Development Kit (ChefDK) on the workstation. The tool we are interested in at this point is the bundled knife command, which can communicate with and control both the Chef server and any Chef clients. Download the package into your home directory:
cd ~
wget https://packages.chef.io/stable/ubuntu/12.04/chefdk_0.14.25-1_amd64.deb
Once the .deb package has been downloaded, you can install it by typing:
dpkg -i chefdk_0.14.25-1_amd64.deb
After the installation, you can verify that all of the components are available in their expected location through the new chef command:
chef verify
Make the ChefDK's bundled Ruby and tools the defaults in your shell by adding the chef shell-init output to your profile:
echo 'eval "$(chef shell-init bash)"' >> ~/.bash_profile
source ~/.bash_profile
Download the Authentication Keys to the Workstation
Create the .chef directory inside the repo; knife reads its configuration and keys from there:
mkdir ~/chef-repo/.chef
Download Keys when Connecting to a Chef Server with Passwords
scp [email protected]:/root/ccadmin.pem ~/chef-repo/.chef
scp [email protected]:/root/cldcvr-validator.pem ~/chef-repo/.chef
# If the Chef server and the workstation are the same machine
cp *.pem chef-repo/.chef/.
Once you are back on your local computer, you will need to add the SSH key you use to connect to the Chef server to an SSH agent. OpenSSH, the standard SSH suite, includes an SSH agent that can be started by typing:
eval $(ssh-agent)
ssh-add
With the agent running, connect to the server with agent forwarding enabled:
ssh -A [email protected]
Configuring Knife to Manage your Chef Environment
Create the knife configuration file:
vim chef-repo/.chef/knife.rb
The file should have the following content:
current_dir = File.dirname(__FILE__)
log_level :info
log_location STDOUT
node_name "ccadmin"
client_key "#{current_dir}/ccadmin.pem"
validation_client_name "cldcvr-validator"
validation_key "#{current_dir}/cldcvr-validator.pem"
chef_server_url "https://192.168.0.121/organizations/cldcvr"
syntax_check_cache_path "#{ENV['HOME']}/.chef/syntaxcache"
cookbook_path ["#{current_dir}/../cookbooks"]
When you are finished, save and close the knife.rb file. Now, we will test the configuration file by trying out a simple knife command. We need to be in our ~/chef-repo directory for our configuration file to be read correctly:
cd ~/chef-repo
knife client list
This first attempt should fail with an error that looks like this:
ERROR: SSL Validation failure connecting to host: server_domain_or_IP - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use `knife ssl fetch` to make knife trust the server's certificates.
Original Exception: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
The server's certificate is self-signed, so knife does not trust it yet. Check the certificate, then place a copy in the trusted_certs directory next to knife.rb, where knife looks for certificates to trust. The .crt file below lives on the Chef server (in this guide the workstation runs on the same host); when the workstation is a separate machine, `knife ssl fetch` retrieves the certificate into trusted_certs instead. Either way you are trusting whatever certificate the host presented, so compare its fingerprint with the one on the server before relying on it.
knife ssl check
mkdir ~/chef-repo/.chef/trusted_certs
cp /var/opt/opscode/nginx/ca/192.168.0.121.crt ~/chef-repo/.chef/trusted_certs/.
knife ssl check
The earlier command now succeeds and lists the organization's only client so far, the validator:
knife client list
cldcvr-validator
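An added pre-flight check, not from the original guide: a shell function that audits the .chef directory configured above before the first knife run. It assumes the guide's layout (knife.rb, the two .pem keys and trusted_certs side by side) and the <host>.crt file name that knife ssl fetch uses; the sample directory it builds contains empty placeholder files, not real keys.

```shell
# Added example, not part of the original guide: audit a knife configuration
# directory (the guide's ~/chef-repo/.chef) before the first knife run.
# Checks that chef_server_url uses https, that the server certificate is
# present in trusted_certs under the name knife ssl fetch uses (<host>.crt),
# and that every .pem private key is readable only by its owner.
# Returns the number of problems found (0 means the directory is ready).
audit_chef_dir() {
    dir=$1
    problems=0
    url=$(sed -n 's/^chef_server_url[[:space:]]*"\([^"]*\)".*/\1/p' "$dir/knife.rb")
    case $url in
        https://*) ;;
        *) echo "chef_server_url must use https, got: $url"
           problems=$((problems + 1)) ;;
    esac
    # Host part of the URL: drop the scheme, then the path and any port
    host=${url#*://}; host=${host%%/*}; host=${host%%:*}
    if [ ! -f "$dir/trusted_certs/$host.crt" ]; then
        echo "no trusted certificate for $host in $dir/trusted_certs (run: knife ssl fetch)"
        problems=$((problems + 1))
    fi
    for key in "$dir"/*.pem; do
        [ -e "$key" ] || continue
        # GNU stat first, BSD/macOS stat as fallback
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        case $mode in
            600|400) ;;
            *) echo "$key is mode $mode, expected 600 (chmod 600 \"$key\")"
               problems=$((problems + 1)) ;;
        esac
    done
    return $problems
}

# Constructed sample mirroring the guide's layout (empty placeholder files,
# no real keys); shows one clean run and one with a world-readable key
sample=$(mktemp -d)
mkdir "$sample/trusted_certs"
printf 'chef_server_url "https://192.168.0.121/organizations/cldcvr"\n' > "$sample/knife.rb"
: > "$sample/ccadmin.pem"
: > "$sample/cldcvr-validator.pem"
: > "$sample/trusted_certs/192.168.0.121.crt"
chmod 600 "$sample"/*.pem
audit_chef_dir "$sample" && echo "sample: OK"
chmod 644 "$sample/ccadmin.pem"
audit_chef_dir "$sample" || echo "sample: $? problem(s)"
rm -rf "$sample"
```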
To set up Knife EC2 on the workstation, refer to: https://github.com/chef/knife-ec2
Bootstrapping a New Node with Knife
Bootstrap the node at 192.168.0.124 over SSH as user ccadmin, forwarding the SSH agent (-A), using sudo on the node, and registering it under the node name test:
knife bootstrap 192.168.0.124 -x ccadmin -A --sudo -N test
Verify that the new client and node are now registered with the server:
knife client list
cldcvr-validator
test
knife node list
test