I am looking at using Chef to help manage end user devices (primarily macOS), some of which are remote and on different networks.
I can't SSH to bootstrap devices, but I can use another tool to run arbitrary scripts to get Chef installed. So far I've been using a slightly modified version of this script to get Chef initially installed.
Mods being:
- Remove the org_cert bit
- Added 10.14 to the script
- Ignore the admin check for now
I've tested by running the chef-client command with daemonize and pointing to the run list that's inserted etc., which seems to have mostly worked.
Part of the tutorials point to the chef-client cookbook, which I am keen to use, but is it wise to use it in this scenario?
e.g.
If a client picks up the chef-client cookbook and runs it, is it going to potentially wipe out the bootstrap install I've just run?
Or, if configured correctly, will it ensure the chef client is installed correctly on every run?
I'm conscious that I don't want to get it working and then make a device uncontactable again because the config passed in the role wasn't correct. On the other hand, I want to ensure the client is always correctly configured as per the config from the server.
So far I've been testing using a Mac VM and have the client reporting back in the UI and run history. However, under nodes the Mac host does seem to be missing some information (vagrant is just my learning VM on Ubuntu; ARANDOMSERIAL is the macOS VM in VirtualBox). Is this result typical when running on macOS?
I'm not doing anything fancy currently, just running a role that places some files whilst I figure out what config I'd need to pass to the chef-client cookbook.
From a lot of reading, there seems to be a suggestion that you need to get a certificate from the Chef Server (CA cert?) onto the host as well as the client certificate that gets generated during the initial run. Any idea how / where you can get that from hosted Chef?
Appreciate any help or guidance around these issues, or if anyone is doing similar.