How to manually set up a Chef node?
1. Install chef-client
Either use the https://www.chef.io/chef/install.sh script or download and install the correct chef-client package for your OS.
2. Create /etc/chef/client.rb
Perhaps you can use one of your bootstrapped nodes as a reference. The important bit is that you have chef_server_url pointing at your Chef server.
Example /etc/chef/client.rb:
chef_server_url "https://mychefserver.myorg.com/organizations/myorg"
validation_client_name "myorg-validator"
validation_key "/etc/chef/myorg-validator.pem"
log_level :info
3. Copy validation key
The key you got after running chef-server-ctl org-create. If lost you can generate a new one from Chef Manage.
Copy the key to /etc/chef/myorg-validator.pem (to what is configured as validation_key in client.rb).
4. Fetch SSL cert
Optionally, if the SSL certificate on your Chef server isn't signed (it probably isn't), you must manually fetch it so that knife/chef-client will trust the certificate.
mkdir /etc/chef/trusted_certs
knife ssl fetch -c /etc/chef/client.rb
See also http://jtimberman.housepub.org/blog/2014/12/11/chef-12-fix-untrusted-self-sign-certs/
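The four steps above as a single script, added here as an example (it is not code from the answer or from Chef). It assumes chef-client, which ships knife, is already installed per step 1, uses the server URL, organization and validator name from this thread, and adds two things the answer leaves to the reader. First, knife ssl fetch trusts whatever certificate the server presents (trust on first use), so the script takes the SHA-256 fingerprint of the server certificate, read out of band on the Chef server itself (Note 1 below puts that file at /var/opt/opscode/nginx/ca/<server_name>.crt), and refuses to continue if the fetched certificate does not match. Second, the validator key can register any number of clients in the organization, so it is installed root-only and deleted once chef-client has registered the node and written its own client.pem. node_name is set explicitly in client.rb because a comment below reports knife ssl fetch failing without it. Using hostname -f as the node name and the CHEF_DIR and VALIDATOR variables are this example's own assumptions.

```shell
#!/bin/sh
# Added example: the manual node setup as one script. Not code from the original
# answer; server URL, org and validator name are the ones used in this thread,
# and the fingerprint argument is this example's own addition.
# Usage (as root, after step 1 has installed chef-client):
#   sh node-setup.sh /path/to/myorg-validator.pem <sha256 fingerprint of server cert>
# The expected fingerprint is read out of band on the Chef server, e.g.
#   openssl x509 -noout -fingerprint -sha256 -in /var/opt/opscode/nginx/ca/mychefserver.myorg.com.crt
# so that what "knife ssl fetch" trusted can be checked against something.

CHEF_DIR="${CHEF_DIR:-/etc/chef}"
CHEF_SERVER_URL="${CHEF_SERVER_URL:-https://mychefserver.myorg.com/organizations/myorg}"
VALIDATOR="${VALIDATOR:-myorg-validator}"

# Step 2: write client.rb. node_name is set explicitly (knife refuses to work
# against a client.rb without one); ssl_verify_mode :verify_peer makes
# chef-client fail closed on a certificate that is not in trusted_certs.
write_client_rb() {  # $1=dir $2=server url $3=validator name $4=node name
    mkdir -p "$1/trusted_certs"
    cat > "$1/client.rb" <<EOF
chef_server_url "$2"
node_name "$4"
validation_client_name "$3"
validation_key "$1/$3.pem"
client_key "$1/client.pem"
trusted_certs_dir "$1/trusted_certs"
ssl_verify_mode :verify_peer
log_level :info
EOF
    chmod 0644 "$1/client.rb"
}

# Step 3: the validator key can register any client in the org, so it is
# copied root-only here and removed again once the node holds its own client.pem.
install_validator_key() {  # $1=source pem $2=dir $3=validator name
    [ -s "$1" ] || { echo "validator key $1 missing or empty" >&2; return 1; }
    cp "$1" "$2/$3.pem"
    chmod 0600 "$2/$3.pem"
}

# Step 4: after knife ssl fetch, compare what landed in trusted_certs with the
# fingerprint obtained out of band; a mismatch means the wrong endpoint was trusted.
cert_fingerprint() {  # $1=pem file; prints the SHA-256 fingerprint
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

check_trusted_cert() {  # $1=trusted_certs dir $2=expected fingerprint; 0 if some cert matches
    for f in "$1"/*.crt; do
        [ -e "$f" ] || continue
        [ "$(cert_fingerprint "$f")" = "$2" ] && return 0
    done
    return 1
}

main() {
    src_key=$1; expected_fp=$2
    command -v chef-client >/dev/null 2>&1 || { echo "install chef-client first (step 1)" >&2; exit 1; }
    write_client_rb "$CHEF_DIR" "$CHEF_SERVER_URL" "$VALIDATOR" "$(hostname -f)"
    install_validator_key "$src_key" "$CHEF_DIR" "$VALIDATOR"
    knife ssl fetch -c "$CHEF_DIR/client.rb"
    check_trusted_cert "$CHEF_DIR/trusted_certs" "$expected_fp" \
        || { echo "fetched certificate does not match the expected fingerprint" >&2; exit 1; }
    chef-client                       # registers the node via the validator and writes client.pem
    rm -f "$CHEF_DIR/$VALIDATOR.pem"  # org-wide secret, no longer needed on this node
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

If the fingerprint check fails, nothing has contacted the Chef API yet with the validator key, so the only thing to clean up is the trusted_certs directory; re-check the hostname the node resolves for mychefserver.myorg.com before retrying.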
user22a6db72d7249
Updated on September 18, 2022

Comments
-
user22a6db72d7249 over 1 year
I have a Chef server running on Ubuntu 14.04 (see Note 1) and I can access the "Chef Manage" website by visiting the IP address (mychefserver.myorg.com) in my browser. I have a workstation running on Mac OS X El Capitan (see Note 2) and I can connect to the Chef server using knife ssl check and knife client list.

The problem: knife won't bootstrap my third machine (mynode.myorg.com) as a node.

$ knife bootstrap mynode.myorg.com --sudo --ssh-user myname --forward-agent --node-name mynode
Creating new client for mynode
Creating new node for mynode
Connecting to mynode
Failed to authenticate myname - trying password auth
Enter your password:
stty: 'standard input': unable to perform all requested operations
ERROR: Net::SSH::AuthenticationFailed: Authentication failed for user myname@mynode@mynode

mynode.myorg.com is a corporate machine. SSH is set up to allow only certificate-based authentication. SSH with password and SSH with private key is disallowed. It seems to me that since knife bootstrap uses password- or key-based SSH, and since I can reach a command line on the node by simply running ssh mynode.myorg.com, my best option is to SSH into the node and set Chef up manually. Unfortunately, there is no documentation for how to create a Chef node that doesn't involve invoking knife bootstrap from a workstation. What commands do I have to run locally on the node to recreate the work performed by knife bootstrap?
Note 1: Chef Server 12.4.1 setup steps

$ wget https://packagecloud.io/chef/stable/packages/ubuntu/trusty/chef-server-core_12.4.1-1_amd64.deb/download
$ dpkg -i download
$ cat > /etc/opscode/chef-server.rb
server_name = 'mychefserver.myorg.com'
api_fqdn server_name
bookshelf['vip'] = server_name
nginx['url'] = "https://#{server_name}/"
nginx['server_name'] = server_name
nginx['ssl_certificate'] = "/var/opt/opscode/nginx/ca/#{server_name}.crt"
nginx['ssl_certificate_key'] = "/var/opt/opscode/nginx/ca/#{server_name}.key"
^D
$ chef-server-ctl reconfigure
$ chef-server-ctl install opscode-manage
$ chef-server-ctl reconfigure
$ opscode-manage-ctl reconfigure
$ chef-server-ctl install opscode-reporting
$ chef-server-ctl reconfigure
$ opscode-reporting-ctl reconfigure
$ chef-server-ctl user-create myname My Name [email protected] mypassword --filename myname.pem
$ chef-server-ctl org-create myorg "My Org" --association_user myname
Note 2: ChefDK 0.11.2 workstation setup steps

$ wget https://opscode-omnibus-packages.s3.amazonaws.com/mac_os_x/10.11/x86_64/chefdk-0.11.2-1.dmg
$ hdiutil mount chefdk-0.11.2-1.dmg
$ installer -package '/Volumes/Chef Development Kit/chefdk-0.11.2-1.pkg' -target '/Volumes/Macintosh HD'
$ hdiutil unmount '/Volumes/Chef Development Kit/'
$ chef generate app chef-repo
$ cd chef-repo
$ mkdir .chef
$ cat > .chef/myname.pem
-----BEGIN RSA PRIVATE KEY-----
# …snip…
-----END RSA PRIVATE KEY-----
^D
$ cat > .chef/knife.rb
log_level :info
log_location STDOUT
node_name 'myname'
client_key "#{__dir__}/myname.pem"
chef_server_url 'https://mychefserver.myorg.com/organizations/myorg'
cookbook_path ["#{__dir__}/../chef-repo/cookbooks"]
^D
$ knife ssl fetch
-
Supernini about 7 years: Take care, if you try an ssl fetch with your client.rb you will receive this message: ERROR: ArgumentError: Cannot sign the request without a client name, check that :node_name is assigned
-
P Satish Patro almost 5 years: For Windows client?