About keys in chef-server and nodes


#1

I read a doc http://docs.opscode.com/chef_private_keys.html

Each node stores its private key locally.
Agreed.

This private key is generated as part of the bootstrap process that
initially installs the chef-client on the node.
As I understand it:
During the bootstrap process the server generates ONLY two keys.
One is saved only on the client: the private key (the private key is never saved on the
server, only on the client) = /etc/chef/client.pem
The other is saved only on the server: the public key (and we can see this key via the web
interface, Clients tab).
OK?

The first time chef-client runs on that node, it uses the
chef-validator to authenticate, but then on each subsequent run it uses
the private key generated for that client by the server.

As I understand it, now I have the nodes' private keys only on my nodes in
/etc/chef/client.pem?

How can I automate collecting these keys and putting them in the
chef-repo/.chef folder, to back them up?


Best regards,

CVision Lab System Administrator
Vladmir Skubriev


#2

On Fri, 06 Dec 2013 18:00:45 +0400 Vladimir Skubriev
skubriev@cvisionlab.com wrote:

> I read a doc http://docs.opscode.com/chef_private_keys.html
>
> Each node stores its private key locally.
> Agreed.
>
> This private key is generated as part of the bootstrap process that
> initially installs the chef-client on the node.
> As I understand it:
> During the bootstrap process the server generates ONLY two keys.
> One is saved only on the client: the private key (the private key is never saved on the
> server, only on the client) = /etc/chef/client.pem
> The other is saved only on the server: the public key (and we can see this key via the
> web interface, Clients tab).
> OK?
>
> The first time chef-client runs on that node, it uses the
> chef-validator to authenticate, but then on each subsequent run it
> uses the private key generated for that client by the server.
>
> As I understand it, now I have the nodes' private keys only on my nodes
> in /etc/chef/client.pem?
>
> How can I automate collecting these keys and putting them in the
> chef-repo/.chef folder, to back them up?

You don't. You simply don't. Secret/private keys are only functional
when only the owner has them. In the case of the client keys for chef, only
the machine owning that key should have it. If someone else gets access
to that machine's key, it can do all sorts of funny things with that machine.

And you don't actually need a backup of that private key; it's only used
for that concrete machine to contact the chef server. If that machine
has to be re-installed, you just delete that client (not the node, only
the client!) from the chef-server, and during the first run of
chef-client on the freshly installed machine, it uses the
validation key to re-register the client and create a new private key.
If the node name didn't change, it will pick up the run list and state
stored in chef and re-create everything.
Of course, if you deleted the validation key from the nodes in between
(which you should do), you also have to place the validation key on the
node during install again.

Have fun,

Arnold
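An added example, not code from the thread or from Chef: a small POSIX sh audit that checks a node against what Arnold describes (client.pem present, a private key, readable only by its owner, and no validation key left behind after the first run), plus the re-registration procedure as a function. It assumes Chef's default file name validation.pem (the thread calls it validation.key) and uses a directory argument so the audit can be run against a scratch directory instead of /etc/chef; NODE and the key path in chef_client_reset are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). chef_key_audit DIR returns 0 when the
# node holds exactly what it should after bootstrap, 1 otherwise.
chef_key_audit() {
    dir="${1:-/etc/chef}"   # hypothetical override; the real location is /etc/chef
    rc=0
    if [ ! -f "$dir/client.pem" ]; then
        echo "FAIL: $dir/client.pem missing (node not registered)" >&2
        rc=1
    elif ! head -n 1 "$dir/client.pem" | grep -q 'BEGIN .*PRIVATE KEY'; then
        echo "FAIL: $dir/client.pem is not a PEM private key" >&2
        rc=1
    elif [ -z "$(find "$dir/client.pem" -perm 600)" ]; then
        echo "FAIL: $dir/client.pem must be mode 0600 (owner only)" >&2
        rc=1
    fi
    # The validation key can register new clients, so per Arnold it must not
    # stay on the node once client.pem exists.
    if [ -f "$dir/validation.pem" ]; then
        echo "FAIL: $dir/validation.pem still present after bootstrap" >&2
        rc=1
    fi
    return $rc
}

# Arnold's recovery procedure, run from a workstation that has knife:
# delete the client object only (the node object keeps the run list), put the
# validation key back on the node, run chef-client once so it re-registers and
# gets a fresh client.pem, then remove the validation key again.
# Arguments are placeholders; this function is defined but not invoked here.
chef_client_reset() {
    node="$1"; validation_key="$2"
    knife client delete "$node" -y
    scp "$validation_key" "$node:/tmp/validation.pem"
    ssh "$node" 'sudo rm -f /etc/chef/client.pem &&
                 sudo mv /tmp/validation.pem /etc/chef/validation.pem &&
                 sudo chef-client &&
                 sudo rm -f /etc/chef/validation.pem'
}
```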


#3

08.12.2013 00:57, Arnold Krille wrote:

There may be only two alternatives:

  1. When I have lost the server-side public key, then
    I must delete only /etc/chef/client.pem on the client and re-run
    bootstrap with a valid /etc/chef/validation.key

  2. When I have lost client.pem, then
    I must delete only the public key of that client on the server and re-run
    bootstrap with a valid /etc/chef/validation.key
    Or maybe I must remove /etc/chef/client.pem in this case too?

Am I right?

So a backup of private keys does not make sense.

But a backup of public keys does make sense, and only for
archiving purposes to the backup server, not the chef-repo git repository?

Or do a full server backup (as suggested to me in the previous message)
with a second (backup-purpose) git repo with all objects from the server.

Thank you for your help.


Best regards,

CVision Lab System Administrator
Vladmir Skubriev