Bootstraping to download chef client package from LAN



I have RHEL environment and due to network security in place, our Redhat server can not communicate with internet.

when i try bootstraping node from workstation, it tries to download the chefclient package node from internet which is not allowed in our network.

Is there any way to download the client package on clients from any reporitory on LAN during bootstraping porcess, rather than the client trying to download it from internet.

Thank you.


Bootstrapping really just does a few things:

  • install the chef client
  • add the validation PEM and some basic configuration
  • run the chef client for the first time.

You can write a shell script that does the same thing, and invoke it with ssh.

Or if you are using kickstart, you can simply add all of these steps to your kickstart file.

In my own scenario, I have a ruby script that generates the kickstart file. In the %post section, I have this (obviously, my code still pulls chef from the Internet - you would have to change that part!):

%post --log=/root/ks-post2.log

set up for Chef

mkdir -p /etc/chef
cat >/etc/chef/validation.pem <<ENDVALIDATION
cat >/etc/chef/encrypted_data_bag_secret <<ENDDATABAG
cat >/etc/chef/client.rb <<ENDCHEF
chmod 600 /etc/chef/encrypted_data_bag_secret

This package can’t be installed with the intial batch because it comes from a repo that is not

set up yet at that stage.

yum install -y policycoreutils-python

echo 'Initial chef run’
echo “curl -L | sudo bash” >/root/firstrun.chef
echo “/usr/bin/chef-client --once --no-fork --runlist=main -l info -L /root/chef-initial-run.log” >>/root/firstrun.chef
chmod +x /root/firstrun.chef


Kevin Keane
Whom the IT Pros Call
The NetTech
Our values: Privacy, Liberty, Justice


You have a bunch of options, if you want to use knife bootsrap you can create your custom template following instructions here