If you have existing nodes, they’ll be fine. You don’t have to re-bootstrap those nodes unless you’ve removed them from the Chef Server another way.
Only new nodes need to be bootstrapped with the new validation.pem (and after they are bootstrapped, you should get rid of the validation.pem from that node).
Steve
Steven Murawski
Community Software Development Engineer @ Chef
Microsoft MVP - PowerShell
http://stevenmurawski.com
On 7/13/2015 6:57:27 PM, o haya ohaya@yahoo.com wrote:
Hi,
I found this page:
which hinted that I should remove the client.pem from the node and then try run a “knife bootstrap”. I copied the c:\chef\validation.pem before doing that, so I could compare afterwards. I also took note of the Chef client version on the node which was 12.3.0.
Then, from the new workstation, I did "knife bootstrap windows winrm 192.168.0.111 -x “Admini…” -P xxxxx
and, it took quite awhile but then it finished:
- In the Chef web app, I saw the new node, node1
- On the node, the c:\chef\validation.pem had changed (and BTW was also the same PEM as the one on the node I had rebootstrapped just before that)
- On the node, chef-client now works again and Chef client software is now 12.4.1 on the node.
So overall, although a bit traumatic, this has been a good learning experience, thanks to Steven and Galen(!), but during this, I realized we already have a bunch of nodes at our office and if I keep things as is now, those nodes will no longer be able to work with the new workstation, so I think that, after all of this, I’ll have to restore my Chef server and Chef workstation to be safe.
Thanks,
Jim
On Mon, 7/13/15, Steven Murawski wrote:
Subject: [chef] Re: Re: Re: HELP! I think that I really messed up Chef configuration :(!!
To: “o haya” , "Galen Emery"
Cc: “o haya” , chef@lists.opscode.com, "Galen Emery"
Date: Monday, July 13, 2015, 5:59 PM
Once you click the starter kit, you get a warning about invalidating your previous keys. Once you go past that, your previous validator and user PEMs are invalid and you need to use the new one. This does not reset existing client PEM files.
Going back to whether or not you should uninstall the chef client from the workstation with ChefDK - it depends. If the workstation is being managed with Chef and you expect a particular version of Chef Client, leave it. Otherwise, feel free to uninstall.
With ChefDK, you can run
chef shell-init powershell | invoke-expression
This will make sure ChefDK is earlier on your system path (for that shell session) and that most of your environmental variables for working with Chef’s embedded ruby install are correct. I include that line in my PowerShell profile, so that is set every time I open a PowerShell session.
Steve
Steven Murawski
Community Software Development Engineer @ Chef
Microsoft MVP - PowerShell
http://stevenmurawski.com
On 7/13/2015 4:41:03 PM, o haya wrote:
Hi,
Once I had clicked that starter kit button, did it generate some new key or keys inside the Chef server itself, so the PEMs that were on the workstation before that are all invalidated at that point?
What about the Chef nodes? Are there keys/PEMs that need to be replaced on all the nodes now also? I think that when I tried a chef-client run after I did the starter kit button that I was getting 401 errors also, so I guess there must be something on the nodes that needs to be replaced?
Jim
On Mon, 7/13/15, Galen Emery wrote:
Subject: Re: [chef] Re: Re: HELP! I think that I really messed up Chef configuration :(!!
To: “o haya”
Cc: chef@lists.opscode.com, “Galen Emery” , “Steven Murawski”
Date: Monday, July 13, 2015, 5:22 PM
In short, yes.
The key piece is that knife looks for a .chef folder and a knife.rb inside of it, that tells it which server to talk to and what user to authenticate as.
You can either generate new ones, or copy/move your repository from one workstation to another.
On Mon, Jul 13, 2015 at 2:13 PM, o haya wrote:
Hi,
Thanks.
As I said in the 2nd msg (or 3rd) I think that conceptually, I thought that "oh, I want a new/different workstation", so I basically just followed the steps that I did when I did the initial workstation (including creating the new starter kit). I didn’t realize that in doing that, I was basically wiping out the original configuration (if I’m understanding what you and Steven are trying to explain).
Is that correct?
Going back, I wasn’t necessarily looking for a new workstation… it was more that I just wanted the workstation to be on a different machine, because of some reasons I had in my testing.
Given all that, could I just have moved the whole chef-repo directory from the original machine to the new (the AD machine) machine instead of generating the new starter, etc., or instead of generating a new knife.rb, and the other two PEMs?
In other words, could I just have:
directory from the original Chef workstation to the c:\user\Admiistrator\chef-repo directory on the AD machine?
Thanks,
Jim
On Mon, 7/13/15, Galen Emery wrote:
Subject: [chef] Re: Re: HELP! I think that I really messed up Chef configuration :(!!
To: chef@lists.opscode.com
Cc: “Steven Murawski” , ohaya@yahoo.com
Date: Monday, July 13, 2015, 5:04 PM
Jim,
To create a new Chef Workstation there’s a couple different options rather than using the starter kit.
At the end of the day, the workstation needs these things inside a .chef folder:
- knife.rb file with the correct user and server to talk to.
- user.pem for that user.
- organization-validator.pem (for old-style bootstraps)
You can generate the knife.rb file from the Manage UI, or just copy it from your current workstation.
You can either copy your pem file around, or create a new user for your separate workstation. To create a new user:
1. Go to the signup page (http://chefserver/signup) and create a new user.
2. Sign in as your other user and invite the new one to the organization and assign whatever rights you wish.
3. Log in as new user and accept the invite.
4. Generate key-pair for new user and stick in the .chef directory.
To create a new validator key (If you don’t use the validator-style bootstraps, then you don’t need to do this), go into the Manage UI > Policy > Clients > Create New (Select Validation Client). This will give you a new validator client to work with.
Hope that helps!
On Mon, Jul 13, 2015 at 1:51 PM, o haya wrote:
Hi,
Also, from some reading, it seems like, with regards to the keys, I should not have clicked that starter kit button and gotten a new ZIP file?
So what SHOULD I have done when I wanted to create the “new” Chef workstation?
Thanks again,
Jim
On Mon, 7/13/15, o haya wrote:
Subject: Re: [chef] HELP! I think that I really messed up Chef configuration :(!!
To: chef@lists.opscode.com, “Steven Murawski”
Cc: ohaya@yahoo.com
Date: Monday, July 13, 2015, 4:41 PM
Hi Steven,
Wow! Thanks - I think this was very helpful (but still not sure):
Re. the knife:
The original one, that is kind of working still, but broken now:
PS C:\Users\Administrator\chef-repo> get-command knife | format-list *
HelpUri            :
FileVersionInfo    : File:             C:\opscode\chefdk\bin\knife.bat
                     InternalName:
                     OriginalFilename:
                     FileVersion:
                     FileDescription:
                     Product:
                     ProductVersion:
                     Debug:            False
                     Patched:          False
                     PreRelease:       False
                     PrivateBuild:     False
                     SpecialBuild:     False
                     Language:
Path               : C:\opscode\chefdk\bin\knife.bat
Extension          : .bat
Definition         : C:\opscode\chefdk\bin\knife.bat
Visibility         : Public
OutputType         : {System.String}
Name               : knife.bat
CommandType        : Application
ModuleName         :
Module             :
RemotingCapability : PowerShell
Parameters         :
ParameterSets      :
The new one, which doesn’t work at all:
C:\Users\Administrator\chef-repo>exit
PS C:\Users\Administrator\chef-repo> get-command knife | format-list *
HelpUri            :
FileVersionInfo    : File:             c:\opscode\chef\bin\knife.bat
                     InternalName:
                     OriginalFilename:
                     FileVersion:
                     FileDescription:
                     Product:
                     ProductVersion:
                     Debug:            False
                     Patched:          False
                     PreRelease:       False
                     PrivateBuild:     False
                     SpecialBuild:     False
                     Language:
Path               : c:\opscode\chef\bin\knife.bat
Extension          : .bat
Definition         : c:\opscode\chef\bin\knife.bat
Visibility         : Public
OutputType         : {System.String}
Name               : knife.bat
CommandType        : Application
ModuleName         :
Module             :
RemotingCapability : PowerShell
Parameters         :
ParameterSets      :
So it does look like on the “new” one, I’m picking up the knife from a Chef client, and not from the Chef DK?
Is that correct?
How can I fix that? Should I just uninstall the Chef client from that machine (this is the AD machine, which did have a Chef client on it originally)?
Re. the PEMS, can you clarify what you meant when you said:
"so you’ll need to replace those with the ones from the most recent starter kit"
Which are “those” and where do I get “the ones from the most recent starter kit” (specifically)?
Thanks again!
Jim
On Mon, 7/13/15, Steven Murawski wrote:
Subject: Re: [chef] HELP! I think that I really messed up Chef configuration :(!!
To: chef@lists.opscode.com
Cc: “o haya”
Date: Monday, July 13, 2015, 4:05 PM
So, when you requested the starter kit, your previous user pem and validation.pem were invalidated, so you’ll need to replace those with the ones from the most recent starter kit.
The second part could be a couple of things. Do you have another install of Chef on the system? If you have a Chef Client install as well, you may be resolving knife from that install rather than ChefDK. (and each will have their own copy of the various gems). You can test that from PowerShell by using Get-Command knife | format-list * and checking out the path it is coming from.
Steve
Steven Murawski
Community Software Development Engineer @ Chef
Microsoft MVP - PowerShell
http://stevenmurawski.com
On 7/13/2015 2:52:27 PM, o haya wrote:
Hi,
I originally had the following configuration:
Chef Server (CENTOS 6.6)
Chef Workstation (Windows 2008 w/ChefDK installed)
Test AD (Windows 2008)
Test Nodes (Windows 2008)
…
…
I (probably stupidly) decided that I want to put the Chef Workstation on the Test AD machine.
I’ll try to describe what I’ve done, but things are so messed up at this point, I’m not sure exactly what’s going on or what I did.
So, I ran the ChefDK installer on the AD machine. Then, I think I got the quickstart ZIP from the Chef server, and I unzipped it in the chef-repo directory on the AD machine.
After that, basically nothing worked.
The first thing I ran into was that the Chef-client (the nodes) could not register anymore, getting 401 errors when I try to run chef-client on them.
So then, I thought I should try to re-bootstrap the nodes but I can’t seem to get the knife-windows to work on the new Chef workstation.
I run "chef gem install knife-windows" in the chef-repo directory, but then when I try to run "knife bootstrap windows winrm " it says that the host I’m trying to bootstrap is “windows”.
I think that I have some OVAs that I backed up from earlier, so I’m going to try to see if I can restore them, but can anyone tell me or point me to what went wrong?
Is there just no way to “move” the Chef Workstation or make a 2nd instance once it’s installed? It seems like all the pieces (the nodes, the Chef server and the workstation) are permanently linked together?
Thanks,
Jim
–
Galen Emery
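The checks discussed in this thread, collected as an added PowerShell example (not code from any of the posters or from Chef): which install knife resolves from, whether a workstation's .chef folder holds the files Galen lists, and whether a bootstrapped node still has validation.pem on disk. The function names, the name-based validator heuristic and the default chef-repo location are assumptions; C:\chef and C:\opscode\chefdk are the paths shown in the messages above.

```powershell
# Added example: function names and parameter defaults are assumptions.

function Test-KnifeSource {
    # Which install does "knife" resolve from: ChefDK or a Chef client install?
    $cmd = Get-Command knife -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $cmd) { return 'knife not found on PATH' }
    if ($cmd.Path -like '*\opscode\chefdk\*') { return "ChefDK: $($cmd.Path)" }
    return "Not ChefDK: $($cmd.Path)"
}

function Test-ChefWorkstation {
    # A workstation needs knife.rb, a user key and (for validator-style
    # bootstraps) the organization validator key inside .chef.
    param([string]$RepoPath = (Join-Path $HOME 'chef-repo'))
    $dotChef = Join-Path $RepoPath '.chef'
    $pems = @(Get-ChildItem -Path $dotChef -Filter '*.pem' -ErrorAction SilentlyContinue)
    New-Object PSObject -Property @{
        KnifeRb       = Test-Path (Join-Path $dotChef 'knife.rb')
        # Heuristic (assumption): validator keys have "validat" in the file name.
        ValidatorPems = @($pems | Where-Object { $_.Name -like '*validat*' } | ForEach-Object { $_.Name })
        UserPems      = @($pems | Where-Object { $_.Name -notlike '*validat*' } | ForEach-Object { $_.Name })
    }
}

function Test-ChefNodeKeys {
    # On a node: client.pem is the node's own key; validation.pem is only
    # needed for the first registration and should not stay on disk.
    param([string]$ChefDir = 'C:\chef')
    $client    = Test-Path (Join-Path $ChefDir 'client.pem')
    $validator = Test-Path (Join-Path $ChefDir 'validation.pem')
    if ($client -and $validator) {
        'Registered (client.pem present), but validation.pem is still on disk: remove it.'
    } elseif ($client) {
        'Registered, and no validation.pem left behind.'
    } elseif ($validator) {
        'Not registered yet: validation.pem present, no client.pem.'
    } else {
        'No keys present: the node has to be bootstrapped before it can register.'
    }
}

Test-KnifeSource        # run on the workstation
Test-ChefWorkstation    # run on the workstation
Test-ChefNodeKeys       # run on a node
```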