Any security issues with creating EC2 ami with Chef Server installed?

Hey all,

I’m relatively new to chef so I’m wondering if there are any security issues if I make an ec2 ami of an instance that’s running chef server?

Currently to create an open source chef server, I’d have to

  1. Create EC2 instance
  2. SSH into the instance
  3. Wget & dpkg using the omnibus installer
  4. sudo chef-server-ctl reconfigure

At this point, I’d like to make an EC2 ami & reuse it in future.

Thank you for your help in advance! :slight_smile:

Ritesh

On Fri, Dec 20, 2013 at 1:18 AM, Ritesh Angural
ritesh.angural@gmail.com wrote:

I’m relatively new to chef so I’m wondering if there are any security issues if I make an ec2 ami of an instance that’s running chef server?

Currently to create an open source chef server, I’d have to

  1. Create EC2 instance
  2. SSH into the instance
  3. Wget & dpkg using the omnibus installer
  4. sudo chef-server-ctl reconfigure

At this point, I’d like to make an EC2 ami & reuse it in future.

If you do point #4 and then snapshot the machine, the generated keys
for the Chef server will be identical for every instance you launch
from the AMI. That could be a security problem.

You should also be aware of
https://tickets.opscode.com/browse/CHEF-4883. Until we have a fix,
ensure that you launch the instance into a security group that doesn't
have wide-open ports.

- Julian

--
[ Julian C. Dunn jdunn@aquezada.com * Sorry, I'm ]
[ WWW: Julian Dunn's Blog - Commentary on media, technology, and everything in between. * only Web 1.0 ]
[ gopher://sdf.org/1/users/keymaker/ * compliant! ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9 ]
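One way to act on Julian's point, as an added example that is not part of the original thread or of Chef's own tooling: bake the AMI with the package installed but without any generated keys, and let each instance run the reconfigure on its first boot. The script below assumes (this is not stated in the thread) that the open source Chef Server keeps its generated keys as admin.pem, chef-validator.pem and chef-webui.pem under /etc/chef-server; both the directory and the reconfigure command are overridable so the logic can be checked without a real server.

```shell
#!/bin/sh
# Added example, not from the thread: keep per-instance Chef server keys out of the AMI.
# Assumed layout: open source Chef Server 11 writes its generated keys under
# /etc/chef-server. Override CHEF_SERVER_DIR if your installation differs.
CHEF_SERVER_DIR="${CHEF_SERVER_DIR:-/etc/chef-server}"
# Command that generates fresh keys; overridable so the logic can be exercised offline.
RECONFIGURE_CMD="${RECONFIGURE_CMD:-chef-server-ctl reconfigure}"
# Assumed names of the files that step 4 generates and that must not be shared between instances.
GENERATED_FILES="admin.pem chef-validator.pem chef-webui.pem"

# Returns 0 if any generated key file is present in $1, i.e. an image built now would ship shared keys.
has_generated_keys() {
  dir="$1"
  for f in $GENERATED_FILES; do
    [ -f "$dir/$f" ] && return 0
  done
  return 1
}

# Pre-snapshot step: remove the generated keys so the AMI carries the package but no identity.
# Prints the number of files removed.
scrub_generated_keys() {
  dir="$1"
  removed=0
  for f in $GENERATED_FILES; do
    if [ -f "$dir/$f" ]; then
      rm -f "$dir/$f"
      removed=$((removed + 1))
    fi
  done
  echo "$removed"
}

# First-boot step (run from user-data / cloud-init): only reconfigure when no keys exist yet,
# so every instance launched from the AMI generates its own set and reboots do not regenerate them.
first_boot_reconfigure() {
  dir="$1"
  if has_generated_keys "$dir"; then
    echo "keys already present in $dir; skipping reconfigure"
    return 0
  fi
  $RECONFIGURE_CMD
}

# Usage: ./chef-ami-keys.sh scrub        (before creating the AMI)
#        ./chef-ami-keys.sh first-boot   (from the instance's user-data on launch)
case "${1:-}" in
  scrub) scrub_generated_keys "$CHEF_SERVER_DIR" ;;
  first-boot) first_boot_reconfigure "$CHEF_SERVER_DIR" ;;
esac
```

The simplest variant is to snapshot right after step 3 and never run step 4 on the image at all; the scrub step is for the case where the reconfigure has already been run on the instance you want to image. In both cases the first-boot guard is what keeps reconfigure from running on every reboot once the instance has its own keys.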

Thanks Julian! Exactly the clarification I was looking for :slight_smile:

Ritesh
On Dec 20, 2013, at 10:56 PM, Julian C. Dunn jdunn@aquezada.com wrote: