Chef 12 and AWS AutoScaling

Hello guys,

Just to know, how are you guys dealing with Chef and AutoScaling?

I'm using a hostname such as 'mordor' and I was trying to scale it as
'mordor1', then 'mordor2', etc., using knife node create to 'reserve' this
hostname while the machine is created.

It was working on Chef 11, but stopped now on Chef 12 :frowning:

So, I would like to know how you guys are working with this -- best
practices and tips :slight_smile:

Thanks!


– Tiago Cruz

We're pushing autoscaling notifications to an SQS queue, and we have a
process that reads those messages from the queue, looks for terminations,
and uses the Chef API to delete nodes/clients. I think most folks are doing
something similar.

Best,
Gabriel

On Fri, May 29, 2015 at 9:12 AM Tiago Cruz tiago.tuxkiller@gmail.com
wrote:

[...]
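The queue-driven cleanup Gabriel describes, written out as an added example; this is not Gabriel's code and the thread does not show it. It assumes the Auto Scaling group publishes its notifications to an SNS topic that feeds an SQS queue whose URL is in QUEUE_URL, that the aws CLI and knife are configured on the host running it, and that nodes carry the ohai attribute ec2_instance_id, so an instance id can be mapped to a node name whatever hostname scheme is in use. The two sample notification bodies are constructed, not captured from AWS.

```shell
#!/bin/bash
# Added example (not from the thread): consume Auto Scaling notifications from
# SQS and remove the Chef node and API client of every terminated instance.
# Assumptions: QUEUE_URL points at an SQS queue subscribed to the group's SNS
# topic, `aws` and `knife` are configured, and every node has the ohai
# attribute ec2_instance_id (populated automatically on EC2).

# Two constructed notification bodies, in the shape SQS delivers them: an SNS
# envelope whose "Message" field holds the Auto Scaling event as escaped JSON.
SAMPLE_TERMINATE='{"Type":"Notification","Message":"{\"Event\":\"autoscaling:EC2_INSTANCE_TERMINATE\",\"EC2InstanceId\":\"i-0123456789abcdef0\",\"AutoScalingGroupName\":\"web-asg\"}"}'
SAMPLE_LAUNCH='{"Type":"Notification","Message":"{\"Event\":\"autoscaling:EC2_INSTANCE_LAUNCH\",\"EC2InstanceId\":\"i-0fedcba9876543210\",\"AutoScalingGroupName\":\"web-asg\"}"}'

# Print the instance id only for a successful TERMINATE event. Launches, test
# notifications and TERMINATE_ERROR (the instance is still alive) print
# nothing, so nothing gets deleted for them. The escaped inner JSON is
# unwrapped by dropping backslashes, which is enough for these fixed-shape
# AWS messages; use jq when it is available.
terminated_instance_id() {
  flat=$(printf '%s' "$1" | tr -d '\\')
  event=$(printf '%s' "$flat" | sed -n 's/.*"Event" *: *"\([^"]*\)".*/\1/p')
  case "$event" in
    autoscaling:EC2_INSTANCE_TERMINATE)
      printf '%s' "$flat" | sed -n 's/.*"EC2InstanceId" *: *"\([^"]*\)".*/\1/p' ;;
  esac
}

# Map the instance id to its node name(s) through the ohai attribute, then
# delete both the node object and the API client so its key stops working.
deregister_instance() {
  for node in $(knife search node "ec2_instance_id:$1" -i 2>/dev/null); do
    knife node delete "$node" -y
    knife client delete "$node" -y
  done
}

# One long-poll cycle. A message is deleted from the queue only after it has
# been handled, so a crash mid-way leaves it in place for the next run.
poll_once() {
  aws sqs receive-message --queue-url "$QUEUE_URL" --wait-time-seconds 20 \
      --max-number-of-messages 10 --output text \
      --query 'Messages[].[ReceiptHandle,Body]' |
  while IFS="$(printf '\t')" read -r handle body; do
    id=$(terminated_instance_id "$body")
    [ -n "$id" ] && deregister_instance "$id"
    aws sqs delete-message --queue-url "$QUEUE_URL" --receipt-handle "$handle"
  done
}

# Run as a daemon with `--run`; without it the file only defines functions.
if [ "${1:-}" = "--run" ]; then
  while true; do poll_once; done
fi
```

Deleting the client as well as the node matters: the node object is just inventory, but a leftover client is a still-valid API identity for a machine that no longer exists.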

Hello Gabriel, thanks for your reply!

This covers the 'termination', but what about the 'startup' of a new
instance? How are you dealing with the hostname issue?

I'm using "name_of_some_city+auto_increment_number", such as:

  • sanfrancisco1..2..3
  • dublin1..2..3

But I'm having problems registering this using Chef 12. If I run 'knife
node create' beforehand, the client needs the ACL set up to grant it
permission to update itself.

So, I would like to know how you guys register the instance at
autoscaling time. I think it is impossible to use knife bootstrap here,
right?

Thanks a lot!

On Fri, May 29, 2015 at 10:17 AM, Gabriel Rosendorf grosendorf@gmail.com
wrote:

[...]

We use user data and IAM roles. User data pulls down the validator.pem from
S3 (authenticated using IAM), writes the chef config and first-boot.json,
then kicks off the first Chef run.

HTH,
Gabriel

On Tue, Jun 2, 2015 at 5:08 PM Tiago Cruz tiago.tuxkiller@gmail.com wrote:

[...]

That approach works, but remember that, unless you take particular
precautions, any user on the system can then use the node's IAM role to get
the validator.pem from S3 and then create his/her own client on the
chef-server.

--Peter

On Wed, Jun 3, 2015 at 11:00 AM, Gabriel Rosendorf grosendorf@gmail.com
wrote:

[...]

--

Peter Burkholder — Customer Success Engineer

Unavailability: May 19, Training. June 11-12, DevOpsDays DC

301-204-5767 – pburkholder@chef.io – my: Linkedin
http://www.linkedin.com/in/pburkholder Twitter
http://www.twitter.com/pburkholder Calendar
https://www.google.com/calendar/embed?src=pburkholder%40chef.io&mode=WEEK

CHEF.IO http://www.chef.io/

chef.io http://www.chef.io/ Blog http://www.chef.io/blog/ Facebook
https://www.facebook.com/getchefdotcom Twitter
https://twitter.com/chef Youtube https://www.youtube.com/getchef

I'd love to hear other approaches. I'm not crazy about the way we're
handling it, it was just our only idea :slight_smile:

On Wed, Jun 3, 2015 at 11:07 Peter Burkholder pburkholder@chef.io wrote:

[...]

That approach works, but remember that, unless you take particular
precautions, any user on the system can then use the node's IAM role to get
the validator.pem from S3 and then create his/her own client on the
chef-server.

You can solve that security issue if you create a base image with
chef-client installed and the validator key inside (only accessible by
root). That way you don't need to use an IAM role and only users with sudo
access will be able to use the validator key. Or, you can also delete the
validator key after the initial registration process.

2015-06-03 16:27 GMT+01:00 Gabriel Rosendorf grosendorf@gmail.com:

[...]

This topic is something I have been investigating for the last couple of
days. We are moving to AWS and I am exploring it.

I now have an AMI created with the chef-client installed as a service. Now
I am trying to find out how to update the node's run-list and trigger a
chef-client run when AWS creates the instance (scaling out) without manual
interference, and also how to set the node name in the chef-server to the
FQDN or the public IP of the node.

- Okram

On Wed, Jun 3, 2015 at 10:00 AM, Pedro Vilaça pmvilaca@gmail.com wrote:

[...]

--
Regards
nirish okram

You can use the User-Data field to put in any type of script you want,
including one to install the chef-client and start a first run.

You will need to make the validation.pem and client.rb configuration file
available to the node, as well as a JSON file with first-run data (such as
assigning an initial run-list or role). This can be stored as part of a
base image or in S3 (in which case give the box an IAM role capable of
accessing the bucket; it's worth noting that anyone who gets on the box
will then have access to the bucket).

To set the node name you can get the external hostname of the machine at
http://169.254.169.254/latest/meta-data/public-hostname/ and the IP at
http://169.254.169.254/latest/meta-data/public-ip/ (part of the cloud
instance API).

On Thu, Jun 4, 2015 at 4:45 PM, niristotle okram nirish.okram@gmail.com
wrote:

[...]

--
Yoshi Spendiff
Ops Engineer
Indochino
Mobile: +1 778 952 2025
Email: yoshi.spendiff@indochino.com
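The first-boot flow that Gabriel, Yoshi and Darron describe (user data pulls the validator from S3 under an IAM role, writes client.rb and first-boot.json, runs chef-client) combined with the two hardening points Peter and Pedro raise (validator readable by root only, and removed once the client is registered), as an added example; it is none of their user-data. The Chef server URL, S3 URI, validator client name and run-list are placeholders, and the node name is taken from the EC2 metadata endpoint Yoshi points to, so nothing has to be pre-created with knife node create and the Chef 12 ACL problem from the start of the thread does not arise.

```shell
#!/bin/bash
# Added example, not the thread's own user-data: register an autoscaled
# instance with a Chef 12 server on first boot. Assumes an AMI with chef-client
# installed, the `aws` CLI present, an instance profile allowed to read ONLY
# the validator object, and placeholder values for the server URL, S3 URI,
# validator name and run-list (replace all four).
set -eu

CHEF_SERVER_URL="${CHEF_SERVER_URL:-https://chef.example.com/organizations/example}"
VALIDATOR_S3_URI="${VALIDATOR_S3_URI:-s3://example-chef-bootstrap/validation.pem}"
VALIDATION_CLIENT_NAME="${VALIDATION_CLIENT_NAME:-example-validator}"
META="http://169.254.169.254/latest/meta-data"

# Node name: the EC2 public hostname when there is one, otherwise the instance
# id. Both are unique per instance, so no node has to be reserved ahead of
# time and no per-node ACL work is needed; the validator key lets the client
# register itself on the first run.
node_name_from_metadata() {
  name=$(curl -sf "$META/public-hostname" || true)
  [ -n "$name" ] || name=$(curl -sf "$META/instance-id")
  printf '%s' "$name"
}

# Render /etc/chef/client.rb. The validation key is only consulted until
# client.pem exists; after that chef-client authenticates with its own key.
render_client_rb() {
  node_name="$1"; server_url="$2"
  cat <<EOF
chef_server_url "$server_url"
node_name "$node_name"
validation_client_name "$VALIDATION_CLIENT_NAME"
validation_key "/etc/chef/validation.pem"
client_key "/etc/chef/client.pem"
ssl_verify_mode :verify_peer
log_location STDOUT
EOF
}

# First-run JSON: just the initial run-list, like the thread's first-boot.json.
render_first_boot_json() {
  printf '{"run_list":["%s"]}\n' "$1"
}

# Once the client is registered the validator has no further use on this box,
# so destroy it: a local user who can read it could mint new clients.
# Returns non-zero if the file is still present afterwards.
remove_validator() {
  f="$1"
  if [ -e "$f" ]; then shred -u "$f" 2>/dev/null || rm -f "$f"; fi
  [ ! -e "$f" ]
}

bootstrap() {
  umask 077                      # everything written below is root-only
  install -d -m 0700 /etc/chef
  aws s3 cp "$VALIDATOR_S3_URI" /etc/chef/validation.pem
  chmod 0600 /etc/chef/validation.pem
  render_client_rb "$(node_name_from_metadata)" "$CHEF_SERVER_URL" > /etc/chef/client.rb
  render_first_boot_json "role[base]" > /etc/chef/first-boot.json
  chef-client -j /etc/chef/first-boot.json
  remove_validator /etc/chef/validation.pem
}

# Run the real bootstrap only when invoked as `--run` (the user-data entry
# point); otherwise the file just defines the functions above.
if [ "${1:-}" = "--run" ]; then
  bootstrap
fi
```

Removing the local copy of the key does not revoke what the instance role can still fetch: any local process can reach the metadata endpoint and assume that role. So scope the role's policy to that single S3 object and remove the object once the fleet is bootstrapped, or restrict the metadata endpoint to root with an iptables owner-match rule, or bake the key into the image as root-only and skip the role entirely, as Pedro suggests.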

I wrote up a blog post a while ago detailing some of the pieces you need to
get AWS autoscaling working together with Chef:

Using Amazon Auto Scaling Groups with Packer and Chef:
http://blog.froese.org/2015/04/12/packer-aws-autoscale-chef/

And here's some example user-data that we use to register a node (GitHub
gist: "AWS user-data to register with a Chef server. We are assuming that
Chef is already installed during a previous AMI building phase."):

We're building an AMI that has Chef and launching that with an IAM
Profile/Role that has access to the bucket.

Hope that helps at all.

On Thu, Jun 4, 2015 at 5:53 PM Yoshi Spendiff yoshi.spendiff@indochino.com
wrote:

[...]

I manage separate chef server orgs for each chef environment (dev, stage,
prod). As I start exploring the migration to AWS, I bootstrapped a node on
AWS manually using the command below.

knife bootstrap --bootstrap-version 11.18.12 -r
chef-client::service -x ec2-user -E dev -N --sudo

The node now has the files below in it.

-rw------- 1 root root 1678 Jun 4 23:11 client.pem
-rw-r--r-- 1 root root 264 Jun 4 23:11 client.rb
-rw------- 1 root root 685 Jun 4 23:11 encrypted_data_bag_secret
-rw-r--r-- 1 root root 38 Jun 4 23:11 first-boot.json
-rw------- 1 root root 1679 Jun 4 23:11 validation.pem

and the first-boot.json looks like this:
{"run_list":["chef-client::service"]}

I DELETED the '/etc/chef/client.pem' from the node and made an AMI out of
the node to avoid the chef server seeing the nodes as duplicates.

So as phase 1 of my play, I tried to use this AMI with AWS auto scaling.
While creating the 'launch configuration', I selected this AMI and
specified the below as 'user data':

#!/bin/bash
chef-client -r role[lmn] -E dev

But I don't think that this script/command from the 'user-data' is being
executed when the EC2 instance is brought up by the auto-scaling: there is
no new 'client.pem' on the node, and there is nothing in
/var/log/cloud-init.log either.

Any ideas are welcome and appreciated.

On Thu, Jun 4, 2015 at 5:27 PM, Darron Froese darron@froese.org wrote:

I wrote up a blog post a while ago detailing some of the pieces you need
to get AWS autoscaling working together with Chef:

Using Amazon Auto Scaling Groups with Packer and Chef · darron froese

And here's some example user-data that we use to register a node:

AWS user-data to register with a Chef server. We are assuming that Chef is already installed during a previous AMI building phase. · GitHub

We're building an AMI that has Chef and launching that with an IAM
Profile/Role that has access to the bucket.

Hope that helps at all.

On Thu, Jun 4, 2015 at 5:53 PM Yoshi Spendiff <
yoshi.spendiff@indochino.com> wrote:

You can use the User-Data field to put in any type of script you want,
including one to install the chef-client and start a first run.

You will need to make the validation.pem and client.rb configuration file
available to the node as well as a JSON file with first run data (such as
assigning an initial runlist or role). This can be stored as a part of a
base image or in S3 (in which case give the box an IAM role capable of
accessing the bucket. It's worth noting that anyone who gets on the box
will have access to the bucket).

To set the node name you can get the external hostname of the machine at
http://169.254.169.254/latest/meta-data/public-hostname/ and the ip at
http://169.254.169.254/latest/meta-data/public-ip/ (part of the cloud
instance api)

On Thu, Jun 4, 2015 at 4:45 PM, niristotle okram nirish.okram@gmail.com
wrote:

This topic is something i am investigating in the last couple of days.
We are moving to AWS and i am exploring the AWS.

I now have an AMI created with the chef-client installed as a service.
Now i am trying to find how to update the chef's run-list and trigger a
chef-client run when AWS creates the instance (scaling out) without manual
interference. And also to set the node name parameter in the chef-server as
the FQDN or the public IP of the node.

  • Okram

On Wed, Jun 3, 2015 at 10:00 AM, Pedro Vilaça pmvilaca@gmail.com
wrote:

That approach works, but remember that, unless you take particular

precautions, any user on the system can then use the node's IAM role to get
the validator.pem from S3 and then create his/her own client on the
chef-server.

You can solve that security issue if you create a base image with
chef-client installed and the validator key inside (only accessible by
root). That way you don't need to use an IAM role and only users with sudo
access will be able to use the validator key. Or, you can also delete the
validator key after the initial registration process.

2015-06-03 16:27 GMT+01:00 Gabriel Rosendorf grosendorf@gmail.com:

I'd love to hear other approaches. I'm not crazy about the way we're
handling it, it was just our only idea :slight_smile:

On Wed, Jun 3, 2015 at 11:07 Peter Burkholder pburkholder@chef.io
wrote:

That approach works, but remember that, unless you take particular
precautions, any user on the system can then use the node's IAM role to get
the validator.pem from S3 and then create his/her own client on the
chef-server.

--Peter

On Wed, Jun 3, 2015 at 11:00 AM, Gabriel Rosendorf <
grosendorf@gmail.com> wrote:

We use user data and IAM roles. User data pulls down the
validator.pem from S3 (authenticated using IAM), writes the chef config and
first-boot.json, then kicks off the first Chef run.

HTH,
Gabriel

On Tue, Jun 2, 2015 at 5:08 PM Tiago Cruz tiago.tuxkiller@gmail.com
wrote:

Hello Gabriel, thanks for your reply!

This is about the 'termination', and what about the 'startup' of a new
instance? How are you dealing with the hostname issue?

I'm using "name_of_some_city+auto_increment_number", such as:

  • sanfrancisco1..2..3
  • dublin1..2..3

But I'm having problems registering this using Chef 12. If I run
'knife node create' beforehand, the client needs the ACL set up to grant
it permission to update itself.

So, I would like to know how you guys are registering the instance at
autoscaling time. I think it is impossible to use knife bootstrap here,
right?

Thanks a lot!

On Fri, May 29, 2015 at 10:17 AM, Gabriel Rosendorf <
grosendorf@gmail.com> wrote:

We're pushing autoscaling notifications to an SQS queue, and we
have a process that reads those messages from the queue, looks for
terminations, and uses the Chef API to delete nodes/clients. I think most
folks are doing something similar.

Best,
Gabriel

On Fri, May 29, 2015 at 9:12 AM Tiago Cruz <
tiago.tuxkiller@gmail.com> wrote:

Hello guys,

Just to know, how are you guys dealing with Chef and
AutoScaling?

I'm using a hostname such as 'mordor' and I was trying to scale to
'mordor1', then 'mordor2', etc., using knife node create to 'reserve'
the hostname while the machine is created.

It was working on Chef 11, but stopped now on Chef 12 :frowning:

So, I would like to know how you guys are working with this --
best practices and tips :slight_smile:

Thanks!

--
-- Tiago Cruz

--

Peter Burkholder — Customer Success Engineer

Unavailability: May 19, Training. June 11-12, DevOpsDays DC

301-204-5767 – pburkholder@chef.io – my: Linkedin
http://www.linkedin.com/in/pburkholder Twitter
http://www.twitter.com/pburkholder Calendar
https://www.google.com/calendar/embed?src=pburkholder%40chef.io&mode=WEEK

CHEF

CHEF.IO http://www.chef.io/

TM

chef.io http://www.chef.io/ Blog http://www.chef.io/blog/
Facebook https://www.facebook.com/getchefdotcom Twitter
https://twitter.com/chef Youtube
https://www.youtube.com/getchef

--
Regards
nirish okram

--
Yoshi Spendiff
Ops Engineer
Indochino
Mobile: +1 778 952 2025
Email: yoshi.spendiff@indochino.com

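As an added example (not code from the thread or from any of the posters), here is a user-data script that does what Yoshi and Gabriel describe: it renders client.rb and first-boot.json on first boot, derives the node name from the instance metadata endpoint, runs chef-client once, and follows Pedro's advice by relying on a validator baked into the AMI with root-only permissions and deleting it once registration has succeeded, so no IAM role has to expose the key in S3 to every user on the box. The Chef server URL, validator name, run list, environment and node-name prefix are placeholders, the helper names (meta, node_name_for, render_client_rb, render_first_boot_json) are my own, and the instance ID rather than the public hostname is used for uniqueness, a variation on Yoshi's suggestion.

```shell
#!/bin/bash
# Added example, not code from the thread: EC2 user-data that registers a
# freshly launched Auto Scaling instance with a Chef server on first boot.
# Assumptions (all hypothetical, adjust to your environment):
#   - chef-client is already installed in the AMI, and /etc/chef/validation.pem
#     was baked in readable by root only, so no IAM role or S3 access is needed
#     to obtain the validator;
#   - CHEF_SERVER_URL, VALIDATION_CLIENT_NAME, RUN_LIST, CHEF_ENVIRONMENT and
#     NODE_PREFIX below are placeholders.
set -eu

CHEF_DIR="${CHEF_DIR:-/etc/chef}"
LOG="${LOG:-/var/log/chef-bootstrap.log}"
CHEF_SERVER_URL="${CHEF_SERVER_URL:-https://chef.example.com/organizations/example}"
VALIDATION_CLIENT_NAME="${VALIDATION_CLIENT_NAME:-example-validator}"
CHEF_ENVIRONMENT="${CHEF_ENVIRONMENT:-dev}"
RUN_LIST="${RUN_LIST:-role[base],recipe[chef-client::service]}"
NODE_PREFIX="${NODE_PREFIX:-dublin}"
METADATA_BASE="${METADATA_BASE:-http://169.254.169.254/latest/meta-data}"

# One instance-metadata lookup (same endpoint Yoshi points at).
meta() {
    curl -sf --max-time 3 "$METADATA_BASE/$1"
}

# Node name: <prefix>-<instance-id>, lower-cased, unsafe characters replaced.
# Unique per instance, so nothing has to be reserved with knife up front.
node_name_for() {
    printf '%s-%s\n' "$1" "$2" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9._-]/-/g'
}

# client.rb for this node; $1 is the node name.
render_client_rb() {
    cat <<EOF
chef_server_url        "$CHEF_SERVER_URL"
validation_client_name "$VALIDATION_CLIENT_NAME"
validation_key         "$CHEF_DIR/validation.pem"
node_name              "$1"
environment            "$CHEF_ENVIRONMENT"
ssl_verify_mode        :verify_peer
log_location           STDOUT
EOF
}

# "role[a],recipe[b]" -> {"run_list":["role[a]","recipe[b]"]}
render_first_boot_json() {
    printf '{"run_list":[%s]}\n' "$(printf '%s' "$1" \
        | awk -F, '{ for (i = 1; i <= NF; i++) printf "%s\"%s\"", (i > 1 ? "," : ""), $i }')"
}

main() {
    exec >>"$LOG" 2>&1     # keep a trace on the box for later debugging
    set -x
    instance_id="$(meta instance-id)"
    name="$(node_name_for "$NODE_PREFIX" "$instance_id")"
    umask 077              # everything written here is readable by root only
    chmod 0600 "$CHEF_DIR/validation.pem"
    render_client_rb "$name" > "$CHEF_DIR/client.rb"
    render_first_boot_json "$RUN_LIST" > "$CHEF_DIR/first-boot.json"
    # The first run registers the client (creating client.pem) and applies
    # the run list from first-boot.json.
    chef-client -c "$CHEF_DIR/client.rb" -j "$CHEF_DIR/first-boot.json"
    # Registered: the validator is no longer needed on this box, so remove it
    # (Pedro's second option). Later runs authenticate with client.pem.
    rm -f "$CHEF_DIR/validation.pem"
}

# Bootstrap exactly once: only when the baked-in validator is present and the
# node has not already registered.
if [ -f "$CHEF_DIR/validation.pem" ] && [ ! -f "$CHEF_DIR/client.pem" ]; then
    main
fi
```

Because the node name comes from the instance ID, no name has to be reserved with knife node create ahead of time, which sidesteps the Chef 12 ACL problem Tiago ran into, and the same node name convention can be used by whatever deletes nodes on termination. The log file under /var/log, together with set -x, gives the trace to look at when, as in Okram's case, it is unclear whether user-data ran at all.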

Try to look in your /var/log/messages:

[tiago.cruz@losgatos2 ~]$ sudo grep user-data /var/log/messages | wc -l
2482

Also, put some 'echo' to debug in your user-data script

On Fri, Jun 5, 2015 at 6:46 PM, niristotle okram nirish.okram@gmail.com
wrote:

I manage separate Chef server orgs for each Chef environment (dev, stage,
prod). As I start exploring the migration to AWS, I bootstrapped a node
on AWS manually using the command below.

knife bootstrap --bootstrap-version 11.18.12 -r chef-client::service -x ec2-user -E dev -N --sudo

The node now has the files below in it.

-rw------- 1 root root 1678 Jun 4 23:11 client.pem
-rw-r--r-- 1 root root 264 Jun 4 23:11 client.rb
-rw------- 1 root root 685 Jun 4 23:11 encrypted_data_bag_secret
-rw-r--r-- 1 root root 38 Jun 4 23:11 first-boot.json
-rw------- 1 root root 1679 Jun 4 23:11 validation.pem

and the first-boot.json looks like this:
{"run_list":["chef-client::service"]}

I DELETED '/etc/chef/client.pem' from the node and made an AMI out of
the node, to avoid the Chef server seeing the nodes as duplicates.

So as phase 1 of my play, I tried to use this AMI with AWS auto
scaling. While creating the 'launch configuration', I selected this AMI and
specified the below as 'user data':

#!/bin/bash
chef-client -r role[lmn] -E dev

But I don't think that this script/command from the 'user-data' is
being executed when the EC2 instance is brought up by the auto-scaling:
there is no new 'client.pem' on the node, and there is nothing in
/var/log/cloud-init.log either.

Any ideas are welcome and appreciated.

On Thu, Jun 4, 2015 at 5:27 PM, Darron Froese darron@froese.org wrote:

I wrote up a blog post a while ago detailing some of the pieces you need
to get AWS autoscaling working together with Chef:

Using Amazon Auto Scaling Groups with Packer and Chef · darron froese

And here's some example user-data that we use to register a node:

AWS user-data to register with a Chef server. We are assuming that Chef is already installed during a previous AMI building phase. · GitHub

We're building an AMI that has Chef and launching that with an IAM
Profile/Role that has access to the bucket.

Hope that helps at all.

--
-- Tiago Cruz
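Gabriel's cleanup process, as an added example (not the posters' code): a worker that long-polls the SQS queue, picks out termination events and deletes the matching Chef node and client with knife. It assumes the SNS subscription delivers the Auto Scaling notification as the raw message body (otherwise unwrap the Message field of the SNS envelope first), that nodes were registered as <asg-name>-<instance-id> in lower case, and that knife is configured on the host running it. The function names are mine and the two sample notifications at the top are constructed, with made-up instance IDs.

```shell
#!/bin/bash
# Added example, not code from the thread: drain Auto Scaling notifications
# from SQS and remove the Chef node and client of each terminated instance.
# Assumptions (hypothetical): raw message delivery on the SNS->SQS
# subscription, node names of the form <asg-name>-<instance-id>, knife
# configured with an account allowed to delete nodes and clients.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the knife commands that would run

# Constructed sample notifications (shape of the Auto Scaling payload; values
# are made up). Used by the "demo" entry point and by tests.
SAMPLE_TERMINATE='{"Event":"autoscaling:EC2_INSTANCE_TERMINATE","AutoScalingGroupName":"Web-ASG","EC2InstanceId":"i-0abc123","Description":"Terminating EC2 instance: i-0abc123"}'
SAMPLE_LAUNCH='{"Event":"autoscaling:EC2_INSTANCE_LAUNCH","AutoScalingGroupName":"Web-ASG","EC2InstanceId":"i-0def456"}'

# Pull one string-valued top-level field out of a flat, single-line JSON
# document on stdin. Deliberately minimal: enough for these notifications.
json_field() {
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Node/client name convention shared with the bootstrap user-data.
chef_name_for() {
    printf '%s-%s\n' "$1" "$2" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9._-]/-/g'
}

run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Handle one notification body. Only termination events lead to a delete;
# launches and test notifications are ignored.
handle_notification() {
    event="$(printf '%s' "$1" | json_field Event)"
    case "$event" in
        autoscaling:EC2_INSTANCE_TERMINATE|autoscaling:EC2_INSTANCE_TERMINATE_ERROR) ;;
        *) echo "ignore ${event:-<no Event field>}"; return 0 ;;
    esac
    asg="$(printf '%s' "$1" | json_field AutoScalingGroupName)"
    instance="$(printf '%s' "$1" | json_field EC2InstanceId)"
    if [ -z "$asg" ] || [ -z "$instance" ]; then
        echo "malformed termination notification" >&2
        return 1
    fi
    name="$(chef_name_for "$asg" "$instance")"
    # Deleting the client revokes that instance's client.pem on the server,
    # so a key copied off the terminated box can no longer authenticate.
    run_cmd knife node delete "$name" -y
    run_cmd knife client delete "$name" -y
}

# Long-poll the queue; a message is deleted only after its cleanup succeeded,
# so a failed knife call leaves it on the queue to be retried.
poll_queue() {
    queue_url="$1"
    while :; do
        msg="$(aws sqs receive-message --queue-url "$queue_url" \
                 --max-number-of-messages 1 --wait-time-seconds 20 \
                 --output text --query 'Messages[0].[ReceiptHandle,Body]')"
        [ -n "$msg" ] && [ "$msg" != None ] || continue
        handle="$(printf '%s\n' "$msg" | cut -f1)"
        body="$(printf '%s\n' "$msg" | cut -f2-)"
        if handle_notification "$body"; then
            aws sqs delete-message --queue-url "$queue_url" --receipt-handle "$handle"
        fi
    done
}

case "${1:-}" in
    poll) poll_queue "${2:?queue URL required}" ;;
    demo) handle_notification "$SAMPLE_TERMINATE"; handle_notification "$SAMPLE_LAUNCH" ;;
esac
```

Run it as `asg-chef-cleanup.sh poll <queue-url>` with DRY_RUN=0 to actually delete, or `asg-chef-cleanup.sh demo` to see the dry-run decisions for the two sample messages. Deleting the client object, not only the node, is the part that matters: until then the terminated instance's key still authenticates to the Chef server.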

I think I hit an AMI issue or a CentOS issue now. There is nothing in
/var/log/messages, but there is this entry in /var/log/boot.log:

Starting cloud-init: Cloud-init v. 0.7.5 running 'init' at Fri, 05 Jun 2015
22:13:00 +0000. Up 36.27 seconds.
2015-06-05 22:13:01,222 - util.py[WARNING]: Unable to change the ownership
of /var/log/cloud-init.log to user syslog, group adm

On Fri, Jun 5, 2015 at 2:59 PM, Tiago Cruz tiago.tuxkiller@gmail.com
wrote:

Try to look in your /var/log/messages:

[tiago.cruz@losgatos2 ~]$ sudo grep user-data /var/log/messages | wc -l
2482

Also, put some 'echo' to debug in your user-data script


--
Regards
nirish okram

Looks like you found the problem, but generally if there is nothing in
/var/log/cloud-init.log or /var/log/cloud-init-output.log then your
user-data script probably didn't run.

It's also worth bearing in mind that different operating systems have
different capabilities in their cloud-init system. It was originally
developed on Ubuntu, I think, and Amazon has done a fair bit of work to get
it working on Amazon Linux in an up-to-date fashion, but some other distros
are further behind, so you may hit a few problems.

On Fri, Jun 5, 2015 at 3:29 PM, niristotle okram nirish.okram@gmail.com
wrote:

I think I hit an AMI issue or a CentOS issue now. There is nothing in
/var/log/messages, but there is this entry in /var/log/boot.log:

Starting cloud-init: Cloud-init v. 0.7.5 running 'init' at Fri, 05 Jun
2015 22:13:00 +0000. Up 36.27 seconds.
2015-06-05 22:13:01,222 - util.py[WARNING]: Unable to change the ownership
of /var/log/cloud-init.log to user syslog, group adm


--
Yoshi Spendiff
Ops Engineer
Indochino
Mobile: +1 778 952 2025
Email: yoshi.spendiff@indochino.com