Chef client for Ubuntu 14.04


#1

Hi,

How can I find the suitable version of chef-client for Ubuntu 14.04 LTS?

I’m going to upgrade my clients from Ubuntu 12.04 to 14.04, can I keep the
old version of Chef (11.6.0) on the clients?

My server is Ubuntu 12.04, Chef: 11.6.0

Thanks,

Mo


#2

Chef client downloads are here:
https://www.chef.io/download-chef-client/

You can also configure an apt repo from our packagecloud.io repository:
https://packagecloud.io/chef/stable

Thanks,
Matt Ray
Director of Partner Integration :: Chef
matt@chef.io :: 512.731.2218
mattray :: GitHub :: IRC :: Twitter

On Thu, May 7, 2015 at 10:59 AM, Mohammad Fattahian
mfattahian@masterfile.com wrote:

Hi,

How can I find the suitable version of chef-client for Ubuntu 14.04 LTS?

I’m going to upgrade my clients from Ubuntu 12.04 to 14.04, can I keep the
old version of Chef (11.6.0) on the clients?

My server is Ubuntu 12.04, Chef: 11.6.0

Thanks,

Mo


#3

I have a local apt repository, it has only " chef_11.8.2-2_all.deb , 435K".
I can’t get more packages when I run “debmirror”
(server=ca.archive.ubuntu.com)

Any idea?

Mo

-----Original Message-----
From: Matt Ray [mailto:matt@chef.io]
Sent: Thursday, May 07, 2015 12:26 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Chef client for Ubuntu 14.04

Chef client downloads are here:
https://www.chef.io/download-chef-client/

You can also configure an apt repo from our packagecloud.io repository:
https://packagecloud.io/chef/stable

Thanks,
Matt Ray
Director of Partner Integration :: Chef
matt@chef.io :: 512.731.2218
mattray :: GitHub :: IRC :: Twitter



#4

The version of Chef in the normal Ubuntu mirrors is almost immediately out
of date. Don’t use that. Use omnibus_updater cookbook or the packagecloud
repo Matt Ray mentioned.


~~ StormeRider ~~

“Every world needs its heroes […] They inspire us to be better than we
are. And they protect from the darkness that’s just around the corner.”

(from Smallville Season 6x1: “Zod”)

On why I hate the phrase “that’s so lame”… http://bit.ly/Ps3uSS

On Thu, May 7, 2015 at 10:00 AM, Mohammad Fattahian <
mfattahian@masterfile.com> wrote:

I have a local apt repository, it has only " chef_11.8.2-2_all.deb , 435K".
I can’t get more packages when I run “debmirror”
(server=ca.archive.ubuntu.com)

Any idea?

Mo



#5

So what happens if I update chef on clients and my server remains on old
version?

Mo

From: Morgan Blackthorne [mailto:stormerider@gmail.com]
Sent: Thursday, May 07, 2015 1:47 PM
To: chef@lists.opscode.com
Subject: [chef] Re: RE: Re: Chef client for Ubuntu 14.04

The version of Chef in the normal Ubuntu mirrors is almost immediately out
of date. Don’t use that. Use omnibus_updater cookbook or the packagecloud
repo Matt Ray mentioned.



#6

On 05/07/2015 11:58 AM, Mohammad Fattahian wrote:

So what happens if I update chef on clients and my server remains on
old version?

Chef 11 and 12 client and server mix and match fine either way.


#7

After I added a new repository for Chef and upgraded my system from 12.04 to
14.04, I got an error:

root@ test:~# chef-client -v
Chef: 12.3.0

root@test:~# chef-client
Starting Chef Client, version 12.3.0
Creating a new client identity for test.domain.com using the validator key.
[2015-05-07T16:46:17-04:00] ERROR: SSL Validation failure connecting to host: xxxx.domain.com - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

================================================================================
Chef encountered an error attempting to create the client " test.domain.com "
================================================================================

[2015-05-07T16:46:17-04:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 0 resources updated in 1.306760691 seconds
[2015-05-07T16:46:17-04:00] ERROR: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
[2015-05-07T16:46:17-04:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Any idea?

From: Lamont Granquist [mailto:lamont@chef.io]
Sent: Thursday, May 07, 2015 4:05 PM
To: chef@lists.opscode.com
Cc: Mohammad Fattahian
Subject: Re: [chef] RE: Re: RE: Re: Chef client for Ubuntu 14.04

On 05/07/2015 11:58 AM, Mohammad Fattahian wrote:

So what happens if I update chef on clients and my server remains on old
version?

Chef 11 and 12 client and server mix and match fine either way.


#8

On Friday, May 8, 2015 at 6:33 AM, Mohammad Fattahian wrote:

After I added a new repository for Chef and upgraded my system from 12.04 to 14.04, I got an error:

root@ test:~# chef-client -v
Chef: 12.3.0

root@test:~# chef-client
Starting Chef Client, version 12.3.0
Creating a new client identity for test.domain.com using the validator key.
[2015-05-07T16:46:17-04:00] ERROR: SSL Validation failure connecting to host: xxxx.domain.com - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

================================================================================
Chef encountered an error attempting to create the client " test.domain.com "

[2015-05-07T16:46:17-04:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 0 resources updated in 1.306760691 seconds
[2015-05-07T16:46:17-04:00] ERROR: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
[2015-05-07T16:46:17-04:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Any idea?

Chef 12 verifies the certificate of your Chef Server by default. You can use knife ssl check to debug this (on a server, you’d run knife ssl check -c /etc/chef/client.rb). If your server has a self-signed certificate, you can use knife ssl fetch to download the cert, roughly equivalent to clicking “trust this cert for this host” in your browser.


Daniel DeLeo


#9

Since very, very few servers have signed certificates, shouldn’t this check be turned off by default?

Nico Kadel-Garcia
Email: nkadel@gmail.com
Sent from iPhone

On May 8, 2015, at 12:17, “Daniel DeLeo” dan@kallistec.com wrote:


Chef 12 verifies the certificate of your Chef Server by default. You can use knife ssl check to debug this (on a server, you’d run knife ssl check -c /etc/chef/client.rb). If your server has a self-signed certificate, you can use knife ssl fetch to download the cert, roughly equivalent to clicking “trust this cert for this host” in your browser.


Daniel DeLeo


#10

I don’t think so. It’s a serious security malpractice; it’s better if people
opt in to disabling the check.

On Fri, May 8, 2015 at 4:44 PM, Nico Kadel-Garcia <
nkadel@skyhookwireless.com> wrote:

Since very, very few servers have signed certificates, shouldn’t this
check be turned off by default?

Nico Kadel-Garcia
Email: nkadel@gmail.com
Sent from iPhone



#11

On Friday, May 8, 2015 at 4:58 PM, Ranjib Dey wrote:

I don’t think so. It’s a serious security malpractice; it’s better if people opt in to disabling the check.

On Fri, May 8, 2015 at 4:44 PM, Nico Kadel-Garcia <nkadel@skyhookwireless.com> wrote:

Since very, very few servers have signed certificates, shouldn’t this check be turned off by default?

Nico Kadel-Garcia
Email: nkadel@gmail.com
Sent from iPhone

100% Agree with Ranjib. When downloading code, potentially over the public internet, and running it as root, you need to take every precaution against a MITM attack.

We’ve put a ton of effort into making it easy to do the right thing. OpenSSL errors are usually incomprehensibly vague, so we wrote knife ssl check which can pull the SSL cert from an SSL connection and generally tell you exactly why it’s not valid (and we’ll update this for new cases as we find them and learn how to repro). Using the same mechanism, we can store the certs from the server locally, which won’t help if you’re already the victim of a MITM (we recommend you SSH into your Chef Server and compare the cert’s checksum), but will protect you from any future MITM attempt. We’ve also integrated this with knife bootstrap so that when you spin up new servers, we automatically copy your self-signed cert to the new machine, so it’s automatically able to verify the server certificate.


Daniel DeLeo
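
The pinning described above (keep the server's self-signed cert locally, but only after comparing its checksum with the one read on the Chef Server itself), modelled with Ruby's OpenSSL library. This is an added example, not code from this thread or from Chef; the helper names and the host name chef.example.test are made up for illustration, and both certificates are constructed in the script.

```ruby
require "openssl"

# Constructed self-signed certificate standing in for a Chef Server's cert.
def self_signed_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
end

# SHA-256 over the DER bytes: the value to compare out of band (e.g. over SSH).
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Verify cert against only the locally pinned certificates, no system CAs.
def verify(cert, pinned)
  store = OpenSSL::X509::Store.new
  pinned.each { |c| store.add_cert(c) }
  [store.verify(cert), store.error_string]
end

# Pin a fetched cert only if it matches the fingerprint read on the server.
def pin_if_matches(fetched, expected_fp, pinned)
  return false unless fingerprint(fetched) == expected_fp
  pinned << fetched
  true
end

if __FILE__ == $PROGRAM_NAME
  server   = self_signed_cert("chef.example.test") # hypothetical host name
  impostor = self_signed_cert("chef.example.test") # same name, different key
  pinned   = []
  p verify(server, pinned)                          # fails: nothing trusted yet
  p pin_if_matches(impostor, fingerprint(server), pinned)
  p pin_if_matches(server, fingerprint(server), pinned)
  p verify(server, pinned), verify(impostor, pinned)
end
```

The impostor carries the same subject name as the real server, so only the fingerprint comparison and the pinned key distinguish them; a name match alone would not.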