Chef server as a chef-client on itself ok?


#1

Any reason I shouldn’t have the Chef server be a client on itself? I have
a couple of recipes that we roll out to all servers, like a NRPE
configuration for monitoring by Nagios and specific user accounts.

Eric Feldhusen


#2

We do that. It’s a machine that we’re managing, and this way all the logic
needed to build a Chef Server (and the components of such) are stored in
Chef code.
-M

On Tue, Oct 8, 2013 at 2:57 PM, Eric Feldhusen efeldhusen.lists@gmail.com wrote:

Any reason I shouldn’t have the Chef server be a client on itself? I have
a couple of recipes that we roll out to all servers, like a NRPE
configuration for monitoring by Nagios and specific user accounts.

Eric Feldhusen


#3

Same here. Chef server is a chef client too. Sometimes the higher
precedence environments control the lower precedence environment's chef
server,
e.g. prod chef server -> chef client to itself
staging chef server -> chef client to itself
ops chef server -> chef client to staging. Ops is the environment where
all chef testing happens. The ops chef server has a CD (continuous
deployment) recipe, which erases the chef server and restores all chef
artifacts (nodes, clients, cookbooks, databags etc.) from git repo &
backup. This enables us to test the whole backup restore mechanism, as well
as ensures we don't have dangling cookbooks (not checked inside repo, not
present in Berksfile, but still present in chef server).
best
ranjib

On Tue, Oct 8, 2013 at 12:00 PM, Mike miketheman@gmail.com wrote:

We do that. It’s a machine that we’re managing, and this way all the logic
needed to build a Chef Server (and the components of such) are stored in
Chef code.
-M



#4

It totally should.

For a really extreme example, we manage hosted chef with chef (imagine
that?), which uses a private chef server, which in turn uses chef solo
(gotta start somewhere :)).

Monitoring the chef server for alerts and graphs is important, and I
presume whatever you’re using internally is managed by chef with search, so
adding the server itself is a good plan.

On Tuesday, October 8, 2013, Eric Feldhusen wrote:

Any reason I shouldn’t have the Chef server be a client on itself? I have
a couple of recipes that we roll out to all servers, like a NRPE
configuration for monitoring by Nagios and specific user accounts.

Eric Feldhusen


Joshua Timberman, Opscode, Inc.


#5

A couple of reasons, actually, but you have to determine whether or not they apply to you.

First, until Chef 10, the client and server code were intermingled. If you used a cookbook to configure the chef-client, it could accidentally hose your chef server. In my case, one of my recipes deleted the validation.pem key - which is correct on the client, but disastrous on the server, since it would destroy the root of the PKI infrastructure. The solution was to special-case the chef-server.

In Chef 11, that’s no longer a problem. Great job, Opscode team!

Secondly - and that still applies - if you have a bug in one of your cookbooks, you could run into a chicken-and-egg problem. For instance, if you accidentally block port 443 in iptables. With most clients, it’s not a big deal - you fix it, and on the next chef run, the client is back. But if you mess up your chef server that way, you can’t even run chef-client and have to manually fix the problem. Granted, this type of problem can happen with other things besides chef; I once accidentally brought down our resolving DNS server. Ever since, I use a chef recipe to put the IP address of the chef server into /etc/hosts.

Kevin Keane

The NetTech

760-721-8339

http://www.4nettech.com

Our values: Privacy, Liberty, Justice

See https://www.4nettech.com/corp/the-nettech-values.html

-----Original message-----
From: Eric Feldhusen efeldhusen.lists@gmail.com
Sent: Tuesday 8th October 2013 11:57
To: chef@lists.opscode.com
Subject: [chef] Chef server as a chef-client on itself ok?

Any reason I shouldn’t have the Chef server be a client on itself? I have a couple of recipes that we roll out to all servers, like a NRPE configuration for monitoring by Nagios and specific user accounts.

Eric Feldhusen
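
The port-443 lock-out described in post #5 can be caught before a converge by checking the rendered ruleset for new inbound connections from other nodes. This is an added example, not part of any post in the thread; `inbound_tcp_verdict`, the constructed sample ruleset and the simplified rule matching are assumptions made for illustration.

```ruby
# Added example, not from the thread. Only the filter table's INPUT chain is
# read; protocol, --dport/--dports and the jump target are modelled. Rules
# with any other matcher (-s, -i, -m state ...) or a custom-chain jump are skipped.
MODELLED = %w[-A -p -m --dport --dports -j --reject-with].freeze

def port_match?(spec, port)
  spec.split(',').any? do |part|
    lo, hi = part.split(':').map(&:to_i)
    (lo..(hi || lo)).cover?(port)
  end
end

# First-match verdict for new inbound TCP to `port`: :accept or :blocked.
def inbound_tcp_verdict(ruleset, port = 443)
  policy = 'ACCEPT'
  in_filter = false
  ruleset.each_line do |line|
    tok = line.split
    next if tok.empty?
    in_filter = (tok[0] == '*filter') if tok[0].start_with?('*')
    next unless in_filter
    policy = tok[1] if tok[0] == ':INPUT'
    next unless tok[0] == '-A' && tok[1] == 'INPUT' && tok.size.even?
    opts = tok.each_slice(2).to_h
    next unless (opts.keys - MODELLED).empty?
    next unless [nil, 'tcp', 'all'].include?(opts['-p'])
    spec = opts['--dport'] || opts['--dports']
    next if spec && !port_match?(spec, port)
    case opts['-j']
    when 'ACCEPT' then return :accept
    when 'DROP', 'REJECT' then return :blocked
    end
  end
  policy == 'ACCEPT' ? :accept : :blocked
end

# Constructed sample: a ruleset that cuts other nodes off from the Chef server API.
BROKEN = <<~RULES
  *filter
  :INPUT ACCEPT [0:0]
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
  COMMIT
RULES

puts "443 on proposed ruleset: #{inbound_tcp_verdict(BROKEN)}"
```

A `:blocked` verdict is a reason to stop before the ruleset is loaded on the Chef server; an `:accept` verdict only covers the rule shapes modelled here.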


#6

Your ideas are intriguing to me and I wish to subscribe to your newsletter.

On Wednesday, October 9, 2013, Joshua Timberman wrote:

It totally should.

For a really extreme example, we manage hosted chef with chef (imagine
that?), which uses a private chef server, which in turn uses chef solo
(gotta start somewhere :)).

Monitoring the chef server for alerts and graphs is important, and I
presume whatever you’re using internally is managed by chef with search, so
adding the server itself is a good plan.



Joshua Timberman, Opscode, Inc.