
I have a Chef server running on Ubuntu 14.04 (see Note 1) and I can access the "Chef Manage" website by visiting the IP address (mychefserver.myorg.com) in my browser.

I have a workstation running on Mac OS X El Capitan (see Note 2) and I can connect to the Chef server using knife ssl check and knife client list.

The problem: knife won't bootstrap my third machine (mynode.myorg.com) as a node.

$ knife bootstrap mynode.myorg.com --sudo --ssh-user myname --forward-agent --node-name mynode
Creating new client for mynode
Creating new node for mynode
Connecting to mynode
Failed to authenticate myname - trying password auth
Enter your password: stty: 'standard input': unable to perform all requested operations

ERROR: Net::SSH::AuthenticationFailed: Authentication failed for user myname@mynode@mynode

mynode.myorg.com is a corporate machine. SSH is set up to allow only certificate-based authentication. SSH with a password and SSH with a private key are disallowed.

It seems to me that since knife bootstrap uses password- or key-based SSH, and since I can reach a command line on the node by simply running ssh mynode.myorg.com, my best option is to SSH into the node and set Chef up manually. Unfortunately, there is no documentation for how to create a Chef node that doesn't involve invoking knife bootstrap from a workstation.

What commands do I have to run locally on the node to recreate the work performed by knife bootstrap?


Note 1: Chef Server 12.4.1 setup steps

$ wget https://packagecloud.io/chef/stable/packages/ubuntu/trusty/chef-server-core_12.4.1-1_amd64.deb/download
$ dpkg -i download
$ cat > /etc/opscode/chef-server.rb
server_name = 'mychefserver.myorg.com'
api_fqdn server_name
bookshelf['vip'] = server_name
nginx['url'] = "https://#{server_name}/"
nginx['server_name'] = server_name
nginx['ssl_certificate'] = "/var/opt/opscode/nginx/ca/#{server_name}.crt"
nginx['ssl_certificate_key'] = "/var/opt/opscode/nginx/ca/#{server_name}.key"
^D
$ chef-server-ctl reconfigure
$ chef-server-ctl install opscode-manage
$ chef-server-ctl reconfigure
$ opscode-manage-ctl reconfigure
$ chef-server-ctl install opscode-reporting
$ chef-server-ctl reconfigure
$ opscode-reporting-ctl reconfigure
$ chef-server-ctl user-create myname My Name myname@myorg.com mypassword --filename myname.pem
$ chef-server-ctl org-create myorg "My Org" --association_user myname

Note 2: ChefDK 0.11.2 workstation setup steps

$ wget https://opscode-omnibus-packages.s3.amazonaws.com/mac_os_x/10.11/x86_64/chefdk-0.11.2-1.dmg
$ hdiutil mount chefdk-0.11.2-1.dmg
$ installer -package '/Volumes/Chef Development Kit/chefdk-0.11.2-1.pkg' -target '/Volumes/Macintosh HD'
$ hdiutil unmount '/Volumes/Chef Development Kit/'
$ chef generate app chef-repo
$ cd chef-repo
$ mkdir .chef
$ cat > .chef/myname.pem
-----BEGIN RSA PRIVATE KEY-----
# …snip…
-----END RSA PRIVATE KEY-----
^D
$ cat > .chef/knife.rb
log_level        :info
log_location     STDOUT
node_name        'myname'
client_key       "#{__dir__}/myname.pem"
chef_server_url  'https://mychefserver.myorg.com/organizations/myorg'
cookbook_path    ["#{__dir__}/../chef-repo/cookbooks"]
^D
$ knife ssl fetch
user22a6db72d7249

1 Answer

1. Install chef-client

Either use the https://www.chef.io/chef/install.sh script or download and install the correct chef-client package for your OS.

2. Create /etc/chef/client.rb

Perhaps you can use one of your bootstrapped nodes as a reference. The important bit is that you have chef_server_url pointing at your Chef server.

Example:

/etc/chef/client.rb

chef_server_url           "https://mychefserver.myorg.com/organizations/myorg"
validation_client_name    "myorg-validator"
validation_key            "/etc/chef/myorg-validator.pem"
log_level                 :info

3. Copy validation key

The key you got after running chef-server-ctl org-create. If lost, you can generate a new one from Chef Manage.

Copy the key to /etc/chef/myorg-validator.pem (to what is configured as validation_key in client.rb)

4. Fetch SSL cert

Optionally, if the SSL certificate on your Chef server isn't signed (it probably isn't), you must manually fetch it so that knife/chef-client will trust the certificate.

mkdir /etc/chef/trusted_certs
knife ssl fetch -c /etc/chef/client.rb

See also http://jtimberman.housepub.org/blog/2014/12/11/chef-12-fix-untrusted-self-sign-certs/

Fabrice Devaux
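The four steps above, collected into one script to run on the node over the SSH session you already have. This is an added example, not code from the answer or from Chef. It assumes the server and org names from the question (mychefserver.myorg.com, myorg) and that myorg-validator.pem has already been copied to the node by hand; the CHEF_* variables, the function names and the file name bootstrap-node.sh are mine. The parts that touch the network or /etc/chef (install, cert fetch, chef-client) only run when CHEF_BOOTSTRAP_RUN=1, so the file-writing helpers can be exercised against a scratch directory first.

```shell
#!/bin/sh
# Manual stand-in for the node-side work of "knife bootstrap".
# Added example; assumes the hostnames/org from the question and that the
# validator key was copied to the node out of band (scp over the working SSH).
set -eu

CHEF_SERVER_URL="${CHEF_SERVER_URL:-https://mychefserver.myorg.com/organizations/myorg}"
CHEF_ORG="${CHEF_ORG:-myorg}"
CHEF_DIR="${CHEF_DIR:-/etc/chef}"

# Step 1: install chef-client with the install.sh script the answer mentions.
# Save it to a file first so it can be inspected; it installs a package as root.
install_chef_client() {
    command -v chef-client >/dev/null 2>&1 && return 0
    tmp=$(mktemp)
    curl -fsSL https://www.chef.io/chef/install.sh -o "$tmp"
    sh "$tmp"
    rm -f "$tmp"
}

# Step 2: write client.rb with the four settings from the answer.
write_client_rb() {
    dir="$1"; url="$2"; org="$3"
    mkdir -p "$dir"
    cat > "$dir/client.rb" <<EOF
chef_server_url           "$url"
validation_client_name    "${org}-validator"
validation_key            "$dir/${org}-validator.pem"
log_level                 :info
EOF
    chmod 0644 "$dir/client.rb"
}

# Step 3: install the validator key. Whoever holds it can register arbitrary
# clients with the org, so refuse anything that is not a PEM private key and
# keep the copy readable by root only.
install_validation_key() {
    src="$1"; dir="$2"; org="$3"
    dest="$dir/${org}-validator.pem"
    grep -q 'PRIVATE KEY-----' "$src" || return 1
    cp "$src" "$dest"
    chmod 0600 "$dest"
}

# Step 4: fetch the server certificate as knife does, check that chef-client
# will now validate it, and print the fingerprint so it can be compared with
# the certificate on the server (knife ssl fetch is trust-on-first-use).
fetch_trusted_cert() {
    dir="$1"
    mkdir -p "$dir/trusted_certs"
    knife ssl fetch -c "$dir/client.rb"
    knife ssl check -c "$dir/client.rb"
    for crt in "$dir"/trusted_certs/*.crt; do
        openssl x509 -in "$crt" -noout -fingerprint -sha256
    done
}

# Helper for checks: the chef_server_url currently written to client.rb.
client_rb_server_url() {
    sed -n 's/^chef_server_url *"\(.*\)"$/\1/p' "$1/client.rb"
}

# Whole procedure; the first chef-client run registers the client and creates
# the node, after which the node has /etc/chef/client.pem and the shared
# validator key is no longer needed on this machine.
manual_bootstrap() {
    key="$1"
    install_chef_client
    write_client_rb "$CHEF_DIR" "$CHEF_SERVER_URL" "$CHEF_ORG"
    install_validation_key "$key" "$CHEF_DIR" "$CHEF_ORG"
    fetch_trusted_cert "$CHEF_DIR"
    chef-client
    rm -f "$CHEF_DIR/${CHEF_ORG}-validator.pem"
}

# Only run for real when asked explicitly, e.g. on the node:
#   sudo CHEF_BOOTSTRAP_RUN=1 sh bootstrap-node.sh /tmp/myorg-validator.pem
if [ "${CHEF_BOOTSTRAP_RUN:-0}" = "1" ]; then
    manual_bootstrap "$1"
fi
```

Before letting chef-client run, compare the SHA-256 fingerprint the script prints with the one on the server, which for the Note 1 setup is `openssl x509 -in /var/opt/opscode/nginx/ca/mychefserver.myorg.com.crt -noout -fingerprint -sha256`; a mismatch means the node fetched someone else's certificate. Removing the validator key after the first run limits what an attacker gains from a later compromise of the node to that node's own client identity rather than the ability to enrol new clients in the org.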