I manage separate chef server orgs for each chef environments (dev, stage
prod). As i start exploring for the migration to AWS, i bootstrapped a node
on AWS manually using the below manual command.
knife bootstrap --bootstrap-version 11.18.12 -r
chef-client::service -x ec2-user -E dev -N --sudo
The node now have the below files in it.
-rw------- 1 root root 1678 Jun 4 23:11 client.pem
-rw-r--r-- 1 root root 264 Jun 4 23:11 client.rb
-rw------- 1 root root 685 Jun 4 23:11 encrypted_data_bag_secret
-rw-r--r-- 1 root root 38 Jun 4 23:11 first-boot.json
-rw------- 1 root root 1679 Jun 4 23:11 validation.pem
& the first-boot.json looks like this:
{"run_list":["chef-client::service"]}
I DELETED the '/etc/chef/client.pem' from the node and made and AMI out of
the node to avoid chef server seeing the nodes as duplicates.
So as phase1 of my play, i tried to use this AMI with the AWS auto scaling.
While creating the 'launch configuration', i selected this AMI and
specified the below as 'user data'
#!/bin/bash
chef-client -r role[lmn] -E dev
But i dont think that this script/command from the 'user-data' is not being
executed when the EC2 instance is brought up by the auto-scaling. there is
no new 'client.pem' on the node. Neither there is anything in the
/var/log/cloud-init.log
Any ideas are welcome and appreciated.
On Thu, Jun 4, 2015 at 5:27 PM, Darron Froese darron@froese.org wrote:
I wrote up a blog post a while ago detailing some of the pieces you need
to get AWS autoscaling working together with Chef:
Using Amazon Auto Scaling Groups with Packer and Chef · darron froese
And here's some example user-data that we use to register a node:
AWS user-data to register with a Chef server. We are assuming that Chef is already installed during a previous AMI building phase. · GitHub
We're building an AMI that has Chef and launching that with an IAM
Profile/Role that has access to the bucket.
Hope that helps at all.
On Thu, Jun 4, 2015 at 5:53 PM Yoshi Spendiff <
yoshi.spendiff@indochino.com> wrote:
You can use the User-Data field to put in any type of script you want,
including one to install the chef-client and start a first run.
You will need to make the validation.pem and client.rb configuration file
available to the node as well as a JSON file with first run data (such as
assigning an initial runlist or role). This can be stored as a part of a
base image or in S3 (in which case give the box an IAM role capable of
accessing the bucket. It's worth noting that anyone who gets on the box
will have access to the bucket).
To set the node name you can get the external hostname of the machine at
http://169.254.169.254/latest/meta-data/public-hostname/ and the ip at
http://169.254.169.254/latest/meta-data/public-ip/ (part of the cloud
instance api)
On Thu, Jun 4, 2015 at 4:45 PM, niristotle okram nirish.okram@gmail.com
wrote:
This topic is something i am investigating in the last couple of days.
We are moving to AWS and i am exploring the AWS.
I now have an AMI created with the chef-client installed as a service.
Now i am trying to find how to update the chef's run-list and trigger a
chef-client run when AWS creates the instance (scaling out) without manual
interference. And also to set the node name parameter in the chef-server as
the FQDN or the public IP of the node.
On Wed, Jun 3, 2015 at 10:00 AM, Pedro Vilaça pmvilaca@gmail.com
wrote:
That approach works, but remember that, unless you take particular
precautions, any user on the system can then use the node's IAM role to get
the validator.pem from S3 and then create his/her own client on the
chef-server.
You can solve that security issue if you create a base image with
chef-client installed and the validator key inside (only accessible by
root). That way you don't need to use an IAM role and only users with sudo
access will be able to use the validator key. Or, you can also delete the
validator key after the initial registration process.
2015-06-03 16:27 GMT+01:00 Gabriel Rosendorf grosendorf@gmail.com:
I'd love to hear other approaches. I'm not crazy about the way were
handling it, it was just our only idea
On Wed, Jun 3, 2015 at 11:07 Peter Burkholder pburkholder@chef.io
wrote:
That approach works, but remember that, unless you take particular
precautions, any user on the system can then use the node's IAM role to get
the validator.pem from S3 and then create his/her own client on the
chef-server.
--Peter
On Wed, Jun 3, 2015 at 11:00 AM, Gabriel Rosendorf <
grosendorf@gmail.com> wrote:
We use user data and IAM roles. User data pulls down the
validator.pem from S3 (authenticated using IAM), writes the chef config and
first-boot.json, then kicks off the first Chef run.
HTH,
Gabriel
On Tue, Jun 2, 2015 at 5:08 PM Tiago Cruz tiago.tuxkiller@gmail.com
wrote:
Hello Gabriel, thanks for your reply!
This is about the 'termination', and about the 'startupt' of a new
instance? How are you dealing with the hostname issue?
I'm using "name_of_some_city+auto_increment_number", such as:
- sanfrancisco1..2..3
- dublin1..2..3
But I'm with problems to register this using Chef 12. If I run the
'knife node create' before, the client need to setup the ACL to grant
permission to update itself.
So, I would like to know how are you guys doing to register the
instance in the autoscaling time. I think that is impossible to use knife
bootstrap here, right?
Thanks a lot!
On Fri, May 29, 2015 at 10:17 AM, Gabriel Rosendorf <
grosendorf@gmail.com> wrote:
We're pushing autoscaling notifications to an SQS queue, and we
have a process that reads those messages from the queue, looks for
terminations, and uses the Chef API to delete nodes/clients. I think most
folks are doing something similar.
Best,
Gabriel
On Fri, May 29, 2015 at 9:12 AM Tiago Cruz <
tiago.tuxkiller@gmail.com> wrote:
Hello guys,
Just to know, how are you guys are dealing with Chef and
AutoScaling?
I'm using hostname such as 'mordor' and I was trying to scale
such as 'mordor1', and after 'mordor2' and etc, using the knife node create
to 'reserve' this hostname while the machine is created.
It was working on Chef 11, but stopped now on Chef 12
So, I would like to know how you guys are working with this --
best praticies and tips
Thanks!
--
-- Tiago Cruz
--
-- Tiago Cruz
--
Peter Burkholder — Customer Success Engineer
Unavailability: May 19, Training. June 11-12, DevOpsDays DC
301-204-5767 – pburkholder@chef.io – *my: *Linkedin
http://www.linkedin.com/in/pburkholder Twitter
http://www.twitter.com/pburkholder Cal
https://www.google.com/calendar/embed?src=pburkholder%40chef.io&mode=WEEK
endar
CHEF
CHEF.IO http://www.chef.io/
TM
chef.io http://www.chef.io/ Blog http://www.chef.io/blog/
Facebook https://www.facebook.com/getchefdotcom Twitter
https://twitter.com/chef Youtube
https://www.youtube.com/getchef
--
Regards
nirish okram
--
Yoshi Spendiff
Ops Engineer
Indochino
Mobile: +1 778 952 2025
Email: yoshi.spendiff@indochino.com
--
Regards
nirish okram