Chef Server & Client Install and Configuration How-To


Below is an example configuration, using Ubuntu as the Chef server, as well as Ubuntu or Solaris (11/12) as the Chef Client.

Chef Server Installation and Configuration

First, let's download the Chef server Ubuntu package.

wget https://web-dl.packagecloud.io/chef/stable/packages/ubuntu/trusty/chef-server-core_12.12.0-1_amd64.deb

# Now install the pkg
dpkg -i chef-server-core_12.12.0-1_amd64.deb

Once the installation is completed, the official docs state that a reconfigure should be issued (I am not sure why a fresh install requires a reconfigure 🙂).

chef-server-ctl reconfigure

Next, we'll create an administrator user.

# chef-server-ctl user-create USER_NAME FIRST_NAME LAST_NAME EMAIL 'PASSWORD' --filename FILE_NAME

chef-server-ctl user-create admin Admin User admin@devtech101.com '1234qwer' --filename adminuser.pem

Next, we'll create an organization.

# chef-server-ctl org-create short_name 'full_organization_name' --association_user user_name --filename ORGANIZATION-validator.pem

chef-server-ctl org-create devtech101 'DevTech, Inc.' --association_user admin --filename validation.pem

To use the Chef web GUI (Chef Manage), the command below needs to be run.

chef-server-ctl install chef-manage

Now we need to reconfigure the server to work with the new web GUI.

chef-server-ctl reconfigure
chef-manage-ctl reconfigure

Note: To use Chef Push Jobs and Reporting, additional steps are needed, described here.

Next, we'll move on to the client installation and configuration.

Note: In most cases the client can be pushed out from the server; however, in my case I am using a Solaris client, which might/will not work with that install method, so a simple pkg install was used to do the installation.

Solaris Client installation

Note: Make sure to configure NTP (the client and server clocks must agree for registration to work).

cp /etc/inet/ntp.client /etc/inet/ntp.conf

Modify /etc/inet/ntp.conf

server pool.ntp.org
...

Enable the NTP service.

svcadm enable ntp

Download the Solaris package (p5p) install file.
Now let's verify the Solaris Chef package name.

pkg list -g file:///tmp/chef-12.18.31-1.i386.p5p
NAME (PUBLISHER)                                  VERSION                    IFO
developer/versioning/chef (Omnibus)               12.18.31-1                 i--

Now let's install the Chef package.

pkg install -g file:///tmp/chef-12.18.31-1.i386.p5p developer/versioning/chef
...

Now let's complete the chef-client configuration so the client can register with the server for the first time.

We need the validation client name, as configured initially, to add to the client.rb below.
You can find the name in the Chef web GUI (Manage) under Policy -> Clients -> Create.

Next, create the trusted_certs directory and copy the validation key into /etc/chef.

mkdir -p /etc/chef/trusted_certs
# copy the validation.pem generated by org-create on the server (transferred to this host)
cp validation.pem /etc/chef/validation.pem

Below is a sample client.rb.

cat /etc/chef/client.rb
log_level               :info
log_location            STDOUT

ssl_verify_mode         :verify_none
chef_server_url         "https://chef-server.devtech101.com/organizations/devtech101"

validation_client_name  "devtech101-validator"
validation_key          "/etc/chef/validation.pem"
client_key              "/etc/chef/client.pem"
node_name               "chef-client"

Now let's fetch the certificate; this step downloads it into /etc/chef/trusted_certs.

knife ssl fetch -c /etc/chef/client.rb

If all worked correctly, we are now ready to run chef-client for the first time.
Run chef-client and carefully inspect the output to make sure it completed without errors.

chef-client
...

Once the run is completed the client should be fully registered.
Note: Successful registration can be verified in the web GUI or by using knife client list (knife configuration is below).

Proxy/firewall notes

If the install is on a machine behind a proxy/firewall, you might see the error below when trying to run chef-client.
To address this issue, add the Chef server IP or FQDN to your no_proxy list.

chef-client
...
chef server chef-client "response: http 503 - 503 "service unavailable""
...

# Solution - add your chef server to your no_proxy.
export no_proxy=127.0.0.0/8,chef-server...

Knife Client Configuration

Note: All examples were run on the Chef server itself. If knife has to run on one of the clients, knife.rb should be changed to use a certificate that has access.

To use the knife utility, additional configuration is needed, which is outlined below.
First, create a .chef directory.

mkdir ~/.chef

Now let's create knife.rb.

cat ~/.chef/knife.rb
log_level               :info
log_location            STDOUT

ssl_verify_mode         :verify_none
chef_server_url         "https://chef-server.devtech101.com/organizations/devtech101"

validation_client_name  'chef-validator'
validation_key          '/etc/chef-server/chef-validator.pem'
client_key              "/root/.chef/client.pem"
node_name               "chef-server"
syntax_check_cache_path '/root/.chef/syntax_check_cache'
cookbook_path           [ '/var/chef/cookbooks' ]

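Both config files above (client.rb on the node and knife.rb on the server) are written in Chef's Ruby config DSL, and both set `ssl_verify_mode :verify_none`, which turns off checking of the server certificate that `knife ssl fetch` just placed in trusted_certs. The following is an added example, not code from the original post or from Chef: a small auditor that evaluates a config file with the same `setting value` syntax and reports settings a practitioner would want to catch (verification disabled, non-https server URL, relative key paths, debug logging). `ConfigAudit` is a hypothetical helper; the sample config is the client.rb from this post, embedded as a string.

```ruby
require 'uri'

# Hypothetical helper (not part of Chef): evaluates a client.rb / knife.rb and
# collects every `setting value` call into a hash, then checks the result.
class ConfigAudit
  attr_reader :settings

  # Chef's config files are plain Ruby, so instance_eval reads them verbatim.
  def initialize(source)
    @settings = {}
    instance_eval(source)
  end

  # Each DSL line is a method call with exactly one argument.
  def method_missing(name, *args)
    return super unless args.length == 1
    @settings[name] = args.first
  end

  # Returns a list of findings; an empty list means the file passed every check.
  def findings
    out = []
    mode = settings[:ssl_verify_mode]
    unless mode == :verify_peer
      out << "ssl_verify_mode #{mode.inspect}: the server certificate is not checked, " \
             'set :verify_peer (knife ssl fetch populates trusted_certs)'
    end
    url = settings[:chef_server_url].to_s
    begin
      uri = URI.parse(url)
      out << "chef_server_url must use https (got #{uri.scheme.inspect})" unless uri.scheme == 'https'
      out << 'chef_server_url should end in /organizations/<org>' unless uri.path.start_with?('/organizations/')
    rescue URI::InvalidURIError
      out << "chef_server_url is not a valid URL: #{url.inspect}"
    end
    out << 'log_level :debug can leak node attribute data into logs' if settings[:log_level] == :debug
    %i[validation_key client_key].each do |key|
      path = settings[key]
      next if path.nil?
      out << "#{key} should be an absolute path (got #{path.inspect})" unless path.to_s.start_with?('/')
    end
    out
  end
end

# Constructed sample: the client.rb from this post, verify_none included.
SAMPLE_CLIENT_RB = <<~RUBY
  log_level               :info
  log_location            STDOUT
  ssl_verify_mode         :verify_none
  chef_server_url         "https://chef-server.devtech101.com/organizations/devtech101"
  validation_client_name  "devtech101-validator"
  validation_key          "/etc/chef/validation.pem"
  client_key              "/etc/chef/client.pem"
  node_name               "chef-client"
RUBY

# The same file with certificate verification turned on.
HARDENED_CLIENT_RB = SAMPLE_CLIENT_RB.sub(':verify_none', ':verify_peer')

if __FILE__ == $PROGRAM_NAME
  [['client.rb (as posted)', SAMPLE_CLIENT_RB], ['client.rb (hardened)', HARDENED_CLIENT_RB]].each do |label, src|
    result = ConfigAudit.new(src).findings
    puts "#{label}: #{result.empty? ? 'OK' : result.join('; ')}"
  end
end
```

Run it against a real file with `ConfigAudit.new(File.read('/etc/chef/client.rb')).findings`. Because the auditor only records one-argument calls, it also works for knife.rb entries such as `cookbook_path [ '/var/chef/cookbooks' ]`.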
Now knife should work; to test, just run:

knife client list

Cookbooks and Recipes configuration

In Chef, cookbooks and recipes define what configuration to apply on a client, and run-lists define which client runs what.

To use cookbooks, you can either create your own or use one of the ready-made cookbooks available at the Chef Supermarket.
Note: In recent versions of Chef, there are multiple options to create your own cookbook.

Using pre-canned Supermarket cookbooks / recipes

For the examples below I am using /var/chef, which seems to be the default in Ubuntu.

The example below uses the dns Supermarket cookbook.
The steps to use a Supermarket cookbook are summarized below.

  • Download the Cookbook
  • Extract the Cookbook (and/or modify it)
  • Upload the Cookbook
  • Add the Cookbook to a node run_list

Note: I am using /var/chef/cookbooks_src to save the Supermarket source cookbook, but you can use your own location.

cd /var/chef
mkdir cookbooks_src
cd cookbooks_src
knife cookbook site download dns

Next, let's extract the source cookbook for use (or modify it as needed).

cd /var/chef/cookbooks
tar xf ../cookbooks_src/dns-0.1.2.tar.gz

Lastly, let's upload the cookbook to the Chef server for actual use.
Note: You will most likely get dependency errors (like I got); just make sure to download and extract all the dependency cookbooks into the cookbooks directory (following the same process as for dns).

# This will upload all cookbooks
knife cookbook upload -a

# Or just upload dns cookbook
knife cookbook upload dns

Creating your own cookbooks

First we need to generate the cookbook file & directory structure.
For older versions the simplest way is/was to use knife cookbook create.

knife cookbook create testCookbook
WARN: This command is being deprecated in favor of `chef generate cookbook` and will soon return an error.
Please use `chef generate cookbook` instead of this command.
 at /opt/chefdk/embedded/lib/ruby/gems/2.3.0/gems/chef-12.18.31/lib/chef/knife.rb:443:in `block in run_with_pretty_exceptions'
** Creating cookbook testCookbook in /var/chef/cookbooks
** Creating README for cookbook: testCookbook
** Creating CHANGELOG for cookbook: testCookbook
** Creating metadata for cookbook: testCookbook

Note: There are other options to generate a cookbook; more on that later.

After the cookbook is generated, the first thing we need to do is define the environment, including the cookbook version pins; I am using the JSON environment format.
Create an environame.json file.

cd /var/chef/environments
cat environame.json
{
    "name": "production",
    "description": "The production environment defined as JSON",
    "chef_type": "environment",
    "json_class": "Chef::Environment",
    "default_attributes": {
    },
    "override_attributes": {
    },
    "cookbook_versions": {
        "example": "= 1.0.0"
    }
}

Next, let's configure a test cookbook; the cookbook name is testCookbook.
The testCookbook is configured to do two actions:

  • update the system with apt-get
  • install apache

To run apt-get we add it to default.rb.
There are two ways to configure additional actions, such as installing apache:

  • Keep adding actions to default.rb (or include another recipe from it); more below
  • Create a separate recipe file like apache.rb and add it to the run list directly; this gives you additional flexibility

Note: A cookbook added to the run list without a recipe name always runs what is configured in its default.rb.

Now let's get to the actual configuration.
The first example uses default.rb to update the system with apt-get, then includes a second recipe to install & enable apache.

cd /var/chef/cookbooks/testCookbook/recipes

cat default.rb
#
# Cookbook Name:: testCookbook
# Recipe:: default
#
# Copyright 2017, YOUR_COMPANY_NAME
#
# All rights reserved - Do Not Redistribute
#

execute "update-upgrade" do
  command "apt-get -q update "
  action :run
end

include_recipe 'testCookbook::apache'

And apache.rb:

cat apache.rb
package "apache2" do
  action :install
end

service "apache2" do
  action [:enable, :start]
end

Next, to use the new cookbook, we need to upload it to the Chef server and finally add it to the run list.

# Upload cookbook
knife cookbook upload testCookbook

# Finally, add it to the node run list.
knife node run_list add chef-server "recipe[testCookbook]"

Now we are ready to test the new cookbook: just run chef-client. If all is configured correctly, you should see the system update and apache being installed.

The second option is to call apache.rb directly from the run list, rather than through default.rb.
Note: The include_recipe line is commented out (or omitted).

cd /var/chef/cookbooks/testCookbook/recipes

cat default.rb
#
# Cookbook Name:: testCookbook
# Recipe:: default
#
# Copyright 2017, YOUR_COMPANY_NAME
#
# All rights reserved - Do Not Redistribute
#

execute "update-upgrade" do
  command "apt-get -q update "
  action :run
end

# include_recipe 'testCookbook::apache'

Now let's add both recipes to the run list.

knife node run_list add chef-server "recipe[testCookbook]"
knife node run_list add chef-server "recipe[testCookbook::apache]"

To execute both actions, just run chef-client as in option one.

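knife accepts any string as a run-list entry, so a misspelled cookbook or recipe name (for example a typo in `recipe[testCookbook::apache]`) is only discovered when chef-client next runs on the node and fails. The following is an added example, not code from the original post or from Chef: it parses run-list entries in the `recipe[cookbook::recipe@version]` / `role[name]` form and checks each recipe against an inventory of cookbooks and their recipe files before anything is sent to the server. The helper names are hypothetical; `SAMPLE_INVENTORY` is a constructed stand-in for the testCookbook and dns cookbooks used in this post, and `recipes_from_dir` builds the same inventory from a real cookbooks directory such as /var/chef/cookbooks.

```ruby
# recipe[cookbook], recipe[cookbook::recipe], recipe[cookbook::recipe@1.2.3], role[name]
RUN_LIST_ITEM = /\A(recipe|role)\[([A-Za-z0-9_-]+)(?:::([A-Za-z0-9_-]+))?(?:@(\d+(?:\.\d+){1,2}))?\]\z/

# Hypothetical helper: split one run-list entry into its parts.
def parse_run_list_item(item)
  m = RUN_LIST_ITEM.match(item)
  raise ArgumentError, "malformed run-list item #{item.inspect}" unless m
  type, name, recipe, version = m.captures
  raise ArgumentError, "roles cannot name a recipe or version: #{item}" if type == 'role' && (recipe || version)
  {
    type: type.to_sym,
    name: name,
    # recipe[cookbook] with no recipe part means the cookbook's default recipe
    recipe: type == 'recipe' ? (recipe || 'default') : nil,
    version: version
  }
end

# Build a cookbook => [recipes] inventory from a cookbooks directory on disk;
# <dir>/<cookbook>/recipes/foo.rb becomes recipe "foo" of <cookbook>.
def recipes_from_dir(cookbooks_dir)
  Dir.glob(File.join(cookbooks_dir, '*', 'recipes', '*.rb')).each_with_object({}) do |path, inv|
    cookbook = File.basename(File.dirname(File.dirname(path)))
    (inv[cookbook] ||= []) << File.basename(path, '.rb')
  end
end

# Returns the list of problems found; empty means every entry resolves.
def validate_run_list(items, inventory)
  items.each_with_object([]) do |item, errors|
    begin
      parsed = parse_run_list_item(item)
    rescue ArgumentError => e
      errors << e.message
      next
    end
    next unless parsed[:type] == :recipe # roles are resolved server-side
    recipes = inventory[parsed[:name]]
    if recipes.nil?
      errors << "#{item}: unknown cookbook #{parsed[:name].inspect}"
    elsif !recipes.include?(parsed[:recipe])
      errors << "#{item}: #{parsed[:name]} has no recipe #{parsed[:recipe].inspect} " \
                "(available: #{recipes.sort.join(', ')})"
    end
  end
end

# Constructed inventory mirroring this post: testCookbook has default.rb and apache.rb.
SAMPLE_INVENTORY = { 'testCookbook' => %w[default apache], 'dns' => %w[default] }.freeze

if __FILE__ == $PROGRAM_NAME
  run_list = ['recipe[testCookbook]', 'recipe[testCookbook::apche]', 'recipe[dns@0.1.2]']
  problems = validate_run_list(run_list, SAMPLE_INVENTORY)
  puts(problems.empty? ? 'run list OK' : problems)
end
```

Replace `SAMPLE_INVENTORY` with `recipes_from_dir('/var/chef/cookbooks')` to check against the cookbooks actually on the server before running `knife node run_list add`.
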
To update the cookbook version, change the version number in metadata.json and metadata.rb.

Note: The options to generate a cookbook file & directory structure changed in recent versions (covered below); the rest of the process is mostly similar.

In recent versions of Chef the recommended way to generate a cookbook has changed, giving you more flexibility.

# Old style, now being deprecated (but still works)
knife cookbook create myCookbook

# New style, used for adding a new cookbook in your existing cookbooks git folder.
chef generate cookbook myCookbook

# Generate a Chef cookbook repo, (just one cookbook per repo)
chef generate repo myCookbook

# Generate a Chef cookbook app, a hybrid approach (multiple cookbooks in same repo, or just one cookbook per repo)
chef generate app myCookbook

To upload your own cookbook to the public Supermarket, read here: Chef Supermarket upload.

Helpful Chef commands

Cookbook commands

Working with the public cookbooks

knife cookbook site list
knife cookbook site search dns
knife cookbook site show dns 0.1.2
knife cookbook site download dns 0.1.2

Note: If making changes to a downloaded cookbook, change the version in metadata.json and metadata.rb.

Generate your own cookbook

knife cookbook create mycookbook
chef generate cookbook mycookbook
chef generate repo mycookbook
chef generate app mycookbook

Adding and removing recipes from a run list

# Add to run list
knife node run_list add chef-server "recipe[myapp]"
knife node run_list add chef-server "recipe[myapp::apache]"

# Remove from run list
knife node run_list remove chef-server "recipe[myapp]"
knife node run_list remove chef-server "recipe[myapp::apache]"

Manipulate client ACL

By default, access is granted to the first admin user created.
knife user list --user user1 --key /tmp/user1.pem
Note: To use another user, this can easily be done in the web GUI: create the new user, download the certificate (pem) file, then use that pem key to access the Chef server.

Chef general

Chef restart / status

chef-server-ctl restart
chef-server-ctl status

Chef backup

knife acl add nodes loadtest read client backup
knife backup export -D /tmp/ -c backup.rb -V

Interested in Puppet? Check out one of these posts:

how to install configure puppet server – part one
How to install and configure puppet server – part two

References

Chef Server – Install
How to manually set up a Chef node?
