Chef Node Access to Server via Relay Machine


#1

Hi,

In the Chef requirement doc (http://docs.opscode.com/chef_system_requirements.html), it is mentioned that each node and workstation must have access to the Chef Server via HTTPS.
I have a scenario where a chef node is in an isolated network and does not have direct connection/access to the internet. In this scenario the Chef Server is hosted outside this network and is accessible over the internet. The same network has another machine that can connect to the internet. Is there a way to configure chef-client on the node to connect to chef-server via the machine that can access the internet, as a relay machine?

If not, I was thinking of the following configuration and, before I test it out, just want to get some input from others:

1. Configure a static mapping of the Chef-server IP/URL in the Hosts file (node is running Windows OS).
2. On the node, create a static route for the Chef-server IP with the internet-accessing machine as the Gateway.

Do you see any issues with this setup?

Thanks

-Kapil


#2

Why not just set up a proxy server between the Chef server and the node under management? Chef Client can connect to the Chef Server via an HTTP proxy.

- Julian

On Fri, Jul 11, 2014 at 4:58 PM, Kapil Shardha
Kapil.Shardha@simulationiq.com wrote:


[ Julian C. Dunn jdunn@aquezada.com * Sorry, I’m ]
[ WWW: http://www.aquezada.com/staff/julian * only Web 1.0 ]
[ gopher://sdf.org/1/users/keymaker/ * compliant! ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9 ]
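As an added example (not from Julian's reply, and not Chef's own code), here are the client.rb lines that send chef-client through a proxy on the relay machine, plus a check of which connections actually take that path. It assumes constructed addresses: the Chef server at 203.0.113.10, the relay's proxy at 10.0.0.5:3128, and an isolated 10.0.0.0/8 network whose hosts must bypass the proxy.

```ruby
require "uri"

# Constructed addresses for the scenario in the thread (assumptions, not from the posts):
# the Chef server sits on the internet, the relay machine runs an HTTP proxy on 3128,
# and everything on the isolated 10.0.0.0/8 network must be reached directly.
CHEF_SERVER_URL = "https://203.0.113.10/organizations/demo"
RELAY_PROXY     = "http://10.0.0.5:3128"
NO_PROXY        = "10.0.0.0/8,127.0.0.1"

# Render the proxy-related lines of client.rb. http_proxy, https_proxy and no_proxy
# are Chef client.rb settings; chef-client exports them to its process environment,
# so Ruby's standard proxy selection (URI#find_proxy) decides per connection.
def client_rb_proxy_lines(chef_server_url:, proxy:, no_proxy:)
  <<~RB
    chef_server_url "#{chef_server_url}"
    http_proxy      "#{proxy}"
    https_proxy     "#{proxy}"
    no_proxy        "#{no_proxy}"
  RB
end

# The environment chef-client would export for these settings. A plain hash stands
# in for ENV so the check below never touches the real environment.
def proxy_env(proxy:, no_proxy:)
  { "http_proxy" => proxy, "https_proxy" => proxy, "no_proxy" => no_proxy }
end

# Which proxy (if any) Ruby's HTTP stack would use for url under env.
# Returns the proxy URL as a string, or nil when the connection goes direct.
def relay_for(url, env)
  proxy = URI(url).find_proxy(env)
  proxy && proxy.to_s
end

# Sanity check for the relay setup: the Chef server must go through the relay,
# while hosts on the isolated network must not (otherwise the relay becomes a
# single point of failure for local traffic and sees every internal request).
def route_report(env, urls)
  urls.map { |u| [u, relay_for(u, env) || "direct"] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  puts client_rb_proxy_lines(chef_server_url: CHEF_SERVER_URL, proxy: RELAY_PROXY, no_proxy: NO_PROXY)
  env = proxy_env(proxy: RELAY_PROXY, no_proxy: NO_PROXY)
  sample = [CHEF_SERVER_URL, "http://10.0.0.20/mirror/chef-client.msi", "http://127.0.0.1:8080/"]
  route_report(env, sample).each { |url, via| puts "#{url} -> #{via}" }
end
```

Leaving no_proxy empty is the weak setting: every internal fetch would then also be funnelled through the relay, which is easy to spot by running route_report against the node's internal URLs.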


#3

Thanks for the suggestion. I am aware of the proxy settings but in this case, setting up a proxy may or may not be allowed (due to some constraints).

That is why I wanted to discuss and learn about some alternate solution.

I forgot to mention one point in my suggested approach. I will have to consider allowing/adding routes for other URLs if I would be using some community cookbook where the files etc are hosted on AWS.

Thanks

-Kapil

-----Original Message-----
From: Julian C. Dunn [mailto:jdunn@aquezada.com]
Sent: Friday, July 11, 2014 5:16 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Chef Node Access to Server via Relay Machine



#4

What you are describing is a proxy, so if a proxy is disallowed you can’t do that either.

–Noah

On Jul 11, 2014, at 7:07 PM, Kapil Shardha Kapil.Shardha@SimulationIQ.com wrote:



#5

It makes me think about an old term: managed nodes, where a client on the node is not possible for different reasons.

The main idea is that box A runs chef with ohai from box B, obtained by ssh or other means, converges locally and makes the necessary changes the same way.

Would be useful for DMZ boxes, switches, and probably others I don't think of.

Is the managed node still on the chef roadmap or is it something to be created from scratch?

---- Noah Kantrowitz wrote ----



#6

This was mostly being discussed as a way to work with Chef+networking hardware, and instead that has gone in the direction of running chef on the devices themselves.

–Noah

On Jul 12, 2014, at 12:13 AM, Tensibai Zhaoying tensibai@iabis.net wrote:



#7

?? How could chef run on a Cisco device?
For the others I can see one way or two, but in switches…

---- Noah Kantrowitz wrote ----



#8

That is a great idea and quite powerful. It would enable chef-server, or a duly appointed node, to use cookbooks to manage almost anything. I have an immediate example: IBM DataPower. The config is nearly all XML.
Having chef able to manage the node externally via any combination of ssh, http, serial, directly or through another node removes these devices from my list of gaps.
Could do the same for almost any special hardware by defining the primitives and adding recipes for the DCL.

On Jul 12, 2014, at 3:13 AM, Tensibai Zhaoying tensibai@iabis.net wrote:



#9

Cisco hasn’t really come up much. I know there are builds running on Arista and Cumulus gear, and I think I’ve heard work done on Broadcom and Juniper. All of those are running embedded linux (or something close enough to it) so it is mostly a question of compiling Ruby/Chef and making nice cookbooks and resources for configuration.

–Noah

On Jul 12, 2014, at 12:38 PM, Tensibai Zhaoying tensibai@iabis.net wrote:



#10

OK, sounds like I'll have to work on it for Cisco Nexus and Checkpoint, voiding (?) the warranty if something other than their package is installed…

Thanks for the update, Noah

---- Noah Kantrowitz wrote ----



#11

I have a similar situation. But what we have done is set up firewall rules
so that the nodes can access the Chef Server. No files are allowed to be
installed directly from AWS or any other source. So they are copied to our
server and installed from there. That way we have a more secure network and
we can be assured we are installing the same version of the file each time.

JOHN HASTY
Software as a Service - DevOps
Software Group

Phone: 1-512-804-9968 IBM
E-mail: jahasty@us.ibm.com
2407 S Congress Ave Ste E-350
Austin, TX 78704
United States

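An added example (not John's code, and not Chef's) of the two controls his post describes: an egress allowlist so a node fetches artifacts only from the Chef server and the internal mirror, never straight from AWS, and a pinned SHA-256 so the same file is installed every time. Host names, the package name and the package bytes are constructed; the fetcher is injected so the policy runs offline, and in a real recipe Chef's remote_file resource with its checksum property gives the same digest guarantee.

```ruby
require "digest"
require "uri"

# Constructed values (assumptions, not from the thread): the only two hosts an
# isolated node may fetch from, and a pinned package whose SHA-256 was recorded
# when the file was copied onto the internal mirror.
ALLOWED_HOSTS = ["chef.internal.example", "mirror.internal.example"].freeze

PINNED = {
  "chef-client-12.msi" => {
    "url"    => "https://mirror.internal.example/chef/chef-client-12.msi",
    "sha256" => Digest::SHA256.hexdigest("constructed package bytes v12"),
  },
}.freeze

class FetchPolicyError < StandardError; end

# Reject any source that is not on the allowlist or not served over HTTPS
# before a single byte is requested, so the recipe and the firewall rule agree.
def check_source!(url, allowed_hosts: ALLOWED_HOSTS)
  uri = URI(url)
  raise FetchPolicyError, "plain HTTP not allowed: #{url}" unless uri.scheme == "https"
  unless allowed_hosts.include?(uri.host)
    raise FetchPolicyError, "host #{uri.host} is not an approved source"
  end
  uri
end

# Verify the bytes that came back match the pinned digest; a mirror that was
# silently updated (or tampered with) fails here instead of being installed.
def check_digest!(name, body, expected_sha256)
  actual = Digest::SHA256.hexdigest(body)
  return body if actual == expected_sha256
  raise FetchPolicyError, "#{name}: sha256 #{actual} != pinned #{expected_sha256}"
end

# fetcher is a callable taking a URI and returning the response body, so the
# policy can be exercised without network access (a real one would use Net::HTTP).
def fetch_pinned(name, fetcher, pins: PINNED, allowed_hosts: ALLOWED_HOSTS)
  pin = pins.fetch(name) { raise FetchPolicyError, "#{name} has no pinned version" }
  uri = check_source!(pin["url"], allowed_hosts: allowed_hosts)
  check_digest!(name, fetcher.call(uri), pin["sha256"])
end

# Wrapper returning [:ok, size] or [:rejected, reason] for reporting.
def fetch_outcome(name, fetcher, **opts)
  [:ok, fetch_pinned(name, fetcher, **opts).bytesize]
rescue FetchPolicyError => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  good_mirror    = ->(_uri) { "constructed package bytes v12" }
  changed_mirror = ->(_uri) { "constructed package bytes v13" }
  p fetch_outcome("chef-client-12.msi", good_mirror)
  p fetch_outcome("chef-client-12.msi", changed_mirror)
  p fetch_outcome("community-cookbook-file", good_mirror)
  begin
    check_source!("https://s3.amazonaws.com/example-bucket/file.tgz")
  rescue FetchPolicyError => e
    puts e.message
  end
end
```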


#12

On Sat, Jul 12, 2014 at 8:48 PM, Noah Kantrowitz noah@coderanger.net wrote:


The Cisco Nexus 3000 and 9000 will run Chef Client; this is something Cisco did themselves. We would like to see if they are interested in expanding support to other devices.

http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/guide-c07-729907.html

- Julian

