Chef server to manage EC2 instances


#1

Hi,

I have setup a chef server on EC2, to manage EC2 instances. I have assigned
the DNS entry for chef.example.com to the public IP, so the web gui is
reachable from anywhere on the internet. When it comes to bootstrapping
clients, I can create an entry in /etc/hosts, which points chef.example.com to
the private IP, which seems more secure, or I can open port 4000 in the
firewall, and use the public IP address. Each has pros and cons.

The problem with adding the private IP into the hosts file, is that it’s
pre-bootstrap manual labor every time, and in the event of an IP change, it
will be a lot of fixing.

The problem with using the public IP, is that port 4000 is open to the world.
Is that dangerous?

Any general comments or suggestions?

Thanks.


#2

You can set an additional protection layer by using httpd in front of Chef Server
http://wiki.opscode.com/display/chef/How+to+Proxy+Chef+Server+with+Apache

On Jan 23, 2013, at 4:56 PM, samuel.d.darwin@gmail.com wrote:

Vladimir Girnet
Senior Infrastructure Engineer
Tacit Knowledge
http://www.tacitknowledge.com


#3

+-----------------------------------------------------------------------------
| On 2013-01-23 06:56:08, samuel.d.darwin@gmail.com wrote:
|
| Any general comments or suggestions?

Set the record for “chef.example.com” to CNAME for the public EC2 DNS for that
instance. EC2 does split horizon so within EC2, the public name will resolve to
the private IP.

You probably don’t want to open :4000 to the world, no.

bdha
cyberpunk is dead. long live cyberpunk.
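A small check for the CNAME / split-horizon setup bdha describes, added here as an example and not code from the thread: it resolves chef.example.com (name taken from the original post), confirms the canonical target is an EC2 public hostname, and reports whether the address that came back is the RFC 1918 private one (so the lookup was made from inside EC2) or the public one. The `resolve` parameter and all sample addresses are constructed for illustration.

```python
import ipaddress
import re
import socket

# Shape of the public hostname EC2 assigns to an instance, e.g.
# ec2-54-0-1-2.compute-1.amazonaws.com (the region label varies).
EC2_PUBLIC_HOST = re.compile(
    r"^ec2-(\d+)-(\d+)-(\d+)-(\d+)\.[a-z0-9.-]+\.amazonaws\.com\.?$")

# The "private IP" of the thread is an RFC 1918 address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def embedded_public_ip(hostname):
    """Return the IPv4 address encoded in an EC2 public hostname, or None."""
    m = EC2_PUBLIC_HOST.match(hostname)
    return ".".join(m.groups()) if m else None


def is_rfc1918(address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def check_split_horizon(name, resolve=socket.gethostbyname_ex):
    """Resolve `name` and say whether the CNAME scheme is in effect.

    `resolve` must behave like socket.gethostbyname_ex and return
    (canonical_name, aliases, addresses). Verdicts:
      'inside-ec2'  - answer contains a private address (split horizon works)
      'outside-ec2' - canonical name is an EC2 public host, public IP only
      'unexpected'  - canonical name is not an EC2 public hostname at all
    """
    canonical, _aliases, addrs = resolve(name)
    public_ip = embedded_public_ip(canonical)
    labels = {a: ("private" if is_rfc1918(a) else "public") for a in addrs}
    if public_ip is None:
        verdict = "unexpected"
    elif "private" in labels.values():
        verdict = "inside-ec2"
    else:
        verdict = "outside-ec2"
    return {"canonical": canonical, "public_ip": public_ip,
            "addresses": labels, "verdict": verdict}


if __name__ == "__main__":
    # Run on the instance being bootstrapped; expect 'inside-ec2'.
    print(check_split_horizon("chef.example.com"))
```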