chef sever 12

On production enviroment, chef server is recommended when you need to manage more than one machine at a time.

three types:

  • Hosted Enterprise Chef
  • On Premises (Private) Enterprise Chef
  • Open Source Chef

There is a good tutorial about setting up chef server 12. However, there are some differences when applying to the latest chef-server release version. For our example,

Enviroment:

  • workstation: macOS Sierra 10.12.2
  • chef server and nodes: Vagrant based CentOS 6.5
  • Chef verion: →↓
λ angeldswang [my/chef_projects/demo] → chef --version
Chef Development Kit Version: 1.0.3
chef-client version: 12.16.42
delivery version: master (83358fb62c0f711c70ad5a81030a6cae4017f103)
berks version: 5.2.0
kitchen version: 1.14.2

Install Enterprise Chef Server

Create a Top-level Chef-repo Directory

It will help you handle the additional files necessary to manage Enterprise Chef beyond the cookbooks themselves. And usually, you’ll definitely be using more than one cookbook in your project, so we first create a subdirectory named cookbooks. For now, your directory structure will be like:

λ angeldswang [my/chef_projects/demo] → tree -a
.
└── chef-repo
    └── cookbooks

2 directories, 0 files

Generate Cookbook for Chef server

Turn to the cookbooks directory, since we are using chef development kit, we’ll generate a cookbook by chef generate cookbook command.

λ angeldswang [demo/chef-repo/cookbooks] → chef generate cookbook server
Generating cookbook server
- Ensuring correct cookbook file content
- Committing cookbook files to git
- Ensuring delivery configuration
- Ensuring correct delivery build cookbook content
- Adding delivery configuration to feature branch
- Adding build cookbook to feature branch
- Merging delivery content feature branch to master

Your cookbook is ready. Type `cd server` to enter it.
...

λ angeldswang [demo/chef-repo/cookbooks] → tree -aL 2
.
└── server
    ├── .delivery
    ├── .git
    ├── .gitignore
    ├── .kitchen.yml
    ├── Berksfile
    ├── README.md
    ├── chefignore
    ├── metadata.rb
    ├── recipes
    ├── spec
    └── test

6 directories, 6 files

Then edit the .kitchen.yml file to use the CentOS 6.5 basebox provided by learningchef (basically we’ll follow the chapter 9 & 10 in this book). Since we’ll build a chef server with some client nodes in a local network, we need to assign a private network address to the server, like 192.168.33.34.

---
driver:
  name: vagrant

provisioner:
  name: chef_solo
  # You may wish to disable always updating cookbooks in CI or other testing environments.
  # For example:
  #   always_update_cookbooks: <%= !ENV['CI'] %>
  always_update_cookbooks: true

verifier:
  name: inspec

platforms:
  - name: centos65
    driver:
      box: learningchef/centos65
      box_url: learningchef/centos65
      network:
        - ["private_network", {ip: "192.168.33.34"}]
      customize:
        memory: 1536

suites:
  - name: default
    run_list:
      - recipe[server::default]
    verifier:
      inspec_tests:
        - test/recipes
    attributes:

Notice that, if you set always_update_cookbooks: true, you need run berks install first to create Berksfile.lock, from which Kitchen will upload the latest cookbooks.

Prepare attributes and recipes

Before we build our chef server, we’ll write attributes and recipes to make sure the chef server can be installed automatically. Run chef generate attribute default to create the default attributes file and add the chef server download url according to your linux distribution, in our case, we’ll choose Red Hat Enterprise Linux 6’s version.

Define package download url in attributes/default.rb

default['server']['url'] = \
'https://packages.chef.io/files/stable/chef-server/12.11.1/el/6/'\
'chef-server-core-12.11.1-1.el6.x86_64.rpm'

Add install and reconfigure actions in recipes/default.rb

package_url = node['server']['url']
package_name = ::File.basename(package_url)
package_local_path = "#{Chef::Config[:file_cache_path]}/#{package_name}"

remote_file package_local_path do
  source package_url
end

package package_name do
  source package_local_path
  provider Chef::Provider::Package::Rpm
  notifies :run, 'execute[reconfigure-chef-server]', :immediately
end

execute 'reconfigure-chef-server' do
  command 'chef-server-ctl reconfigure'
  action :nothing
end

Then you can run kitchen converge to build the server node. Depends on your network speed, it’ll take your 10 ~ 50 mins.

Configure Chef Server

Since chef server 12.0, the management web UI is not enabled by default. That means you need configure your chef server through the command line, which mainly includes two things:

  • Create an admin user
  • Create an organization

Both of them can be performed by chef-server-ctl subcommands: user-create and org-create respectively.

λ angeldswang [chef-repo/cookbooks/server] at  master !?
→ kitchen login
Last login: Sat Jan 21 17:25:50 2017 from 10.0.2.2

[vagrant@default-centos65 ~]$ sudo chef-server-ctl user-create angeldswang Angelds Wang angeldswang@gmail.com 123456 -f angeldswang.pem
[vagrant@default-centos65 ~]$ sudo chef-server-ctl org-create chefserver_demo "chef server demo V12" --association_user angeldswang -f chefserver_demo-validator.pem
[vagrant@default-centos65 ~]$ ls
angeldswang.pem  chefserver_demo-validator.pem

You can refer to the chef document for detail options. And now we create the admin user and the organization he belongs to. Notice that there were two secret keys also being created respectively. They will be used to validate the security of connection request. Next we’ll show how to use the secret keys to construct connection to chef server.

Configure knife

From now on, we’ll use knife, a command-line tool that provides an interface between a local chef-repo and the chef server, to manage our chef server from our local machine. First of all, let’s mkdir a new directory to place the configuration files about knife, usually a .chef directory under the top-level directory of the repository, for our case, it’s the chef-repo/. Before configuing our knife, we need to copy above two secret keys to the .chef directory.

λ angeldswang [chef_projects/demo/chef-repo] → scp -o PubkeyAuthentication=no vagrant@192.168.33.34:/home/vagrant/angeldswang.pem .chef/
λ angeldswang [chef_projects/demo/chef-repo] → scp -o PubkeyAuthentication=no vagrant@192.168.33.34:/home/vagrant/chefserver_demo-validator.pem .chef/

Then you need create a chef-repo/.chef/knife.rb file by your hand.

current_dir = File.dirname(__FILE__)
log_level                :info
log_location             STDOUT
node_name                "angeldswang"
client_key               "#{current_dir}/angeldswang.pem"
validation_client_name   "chefserver_demo-validator"
validation_key           "#{current_dir}/chefserver_demo-validator.pem"
chef_server_url          "https://default-centos65:443/organizations/chefserver_demo"
cache_type               'BasicFile'
cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
cookbook_path            ["#{current_dir}/../cookbooks"]

Since the default server domain is default-centos65, the chef_server_url should be https://default-centos65:443/organizations/chefserver_demo. And make sure you can access the domain from your local machine, remember to add the host setting 192.168.33.34 default-centos65 to your /etc/hosts.

For now, you can use knife to check the connection by running knife client list, which asks chef server to list valid clients. However, you’ll encounter the following problem.

λ angeldswang [chef_projects/demo/chef-repo] → knife client list
ERROR: SSL Validation failure connecting to host: default-centos65 - SSL_connect returned=1 errno=0 state=error: certificate verify failed
ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use
`knife ssl fetch` to make knife trust the server's certificates.

This is because the chef server will generate a self-signed SSL certificate during the installation process, but your local workstation doesn’t have the certificate. As the message hint, you can use knife ssl fetch to get the certificate. For our case, it should be placed at chef-repo/.chef/trusted_certs/default-centos65.crt. Then run knife client list again, it should work right now.

λ angeldswang [chef_projects/demo/chef-repo] → knife client list
chefserver_demo-validator

If you still have some problem with this step, you can check out this article for more helpful information.

Just out of curiosity, you can visit the chef_server_url on your browser, https://default-centos65:443/organizations/chefserver_demo. It’s cool, but you must be suggested to install the Management Console manually if you want to use browser to manage your chef server. All right, let’s do that.

First, login to the chef server, and run

  • chef-server-ctl install chef-manage
  • chef-server-ctl reconfigure
  • chef-manage-ctl reconfigure

all of these commands should be runned with sudo.

For a long long journey, you can access the chef management web UI by signin with the user created by chef-server-ctl user-create.

chef manager