fyi, there are previous posts on the chef list on this very topic. i had
to go thru this myself. i refer you to previous posts, not as an RTFM-jibe,
but just so you know :>
let's see... some of my notes:
The chef-server uses an RSA keypair. The private portion of this pair
is called the chef-validator and is "validation.pem" which all clients
use. The public portion of the pair is stored as data inside chef-server's
couchdb. This keypair is generated for the first time the first moment
the chef-server starts.
To provide this same keypair to a recovered chef-server, the idea is to load
a dump of the couchdb onto a new server.
- you must dump the couchdb from the old chef server.
- you must load that dump on the new chef server AFTER you have deleted
  the brand new chef server's couchdb. like so:

    new-chef# curl -XDELETE http://127.0.0.1:5984/chef
    new-chef# curl -XPUT http://127.0.0.1:5984/chef
    new-chef# couchdb-load --input=chef_couchdb_dump http://127.0.0.1:5984/chef --ignore-errors 1>couchdb-load.stdout 2>couchdb-load.stderr

give that a whirl?
kallen
On Tue, 03 Jul 2012, Kendrick Martin wrote:
How would I go about retrieving the public key from the db?
From: Ranjib Dey [mailto:ranjibd@thoughtworks.com]
Sent: Tuesday, July 03, 2012 11:11 AM
To: chef@lists.opscode.com
Subject: [chef] Re: RE: Re: Migrating chef servers
can u verify if your old and new couch db has the same public key for the apiclient you are using in knife.rb?
On Tue, Jul 3, 2012 at 11:34 PM, Kendrick Martin <Kendrick.Martin@webtrends.com> wrote:
I tried tarring the /var/lib/chef, /etc/chef, /etc/couchdb, and /var/lib/couchdb directories on my old server, and replacing them on my new server, but I'm getting failed to authenticate errors when using knife against the new server.
From: Ranjib Dey [mailto:ranjibd@thoughtworks.com]
Sent: Tuesday, July 03, 2012 10:53 AM
To: chef@lists.opscode.com
Subject: [chef] Re: Migrating chef servers
replicate the couchdb
On Tue, Jul 3, 2012 at 10:35 PM, Kendrick Martin <Kendrick.Martin@webtrends.com> wrote:
Is there an easy way to migrate chef servers without having to re-gen the client keys for every node and copy a new validation.pem file?
Kendrick Martin
Install Engineer
O: +1 503.553.2462
webtrends http://www.webtrends.com/
Real-Time Relevance. Remarkable ROI.(tm)
London | Portland | San Francisco | Melbourne | Tokyo
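
An added example (not from the thread and not Chef's own code) of the check suggested above: compare the client public keys stored in the old and new CouchDB, and test a local private key against the stored public half. It assumes client documents carry `chef_type`, `name` and `public_key` fields and that each input is the JSON body of `GET /chef/_all_docs?include_docs=true`; the sample documents and keys are constructed.

```ruby
require "json"
require "openssl"

# Client name => public key PEM, from the body of GET /chef/_all_docs?include_docs=true.
# Assumption: client documents carry chef_type "client", name and public_key.
def client_keys(all_docs_json)
  JSON.parse(all_docs_json).fetch("rows").each_with_object({}) do |row, keys|
    doc = row["doc"] || {}
    next unless doc["chef_type"] == "client" && doc["public_key"] # skips design docs and other types
    keys[doc["name"]] = doc["public_key"]
  end
end

# SHA-256 of the DER-encoded public half; works on a public or a private PEM,
# so PEM header style and whitespace do not affect the comparison.
def fingerprint(pem)
  OpenSSL::Digest::SHA256.hexdigest(OpenSSL::PKey::RSA.new(pem).public_key.to_der)
end

# Status of every client seen on either server.
def compare(old_json, new_json)
  old_keys, new_keys = client_keys(old_json), client_keys(new_json)
  (old_keys.keys | new_keys.keys).sort.each_with_object({}) do |name, out|
    out[name] =
      if new_keys[name].nil? then :missing_on_new
      elsif old_keys[name].nil? then :only_on_new
      elsif fingerprint(old_keys[name]) == fingerprint(new_keys[name]) then :match
      else :mismatch
      end
  end
end

# Does a local private key (e.g. the one knife.rb points at) match the stored public key?
def private_key_matches?(private_pem, stored_public_pem)
  fingerprint(private_pem) == fingerprint(stored_public_pem)
end

# Constructed sample: node2 got a different key on the new server, node3 was never copied.
def constructed_sample
  k = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  row = ->(name, key) { { "doc" => { "chef_type" => "client", "name" => name, "public_key" => key.public_key.to_pem } } }
  design = { "doc" => { "_id" => "_design/constructed" } }
  old = { "rows" => [design, row.("node1", k[0]), row.("node2", k[1]), row.("node3", k[2])] }
  new = { "rows" => [design, row.("node1", k[0]), row.("node2", k[3])] }
  [JSON.generate(old), JSON.generate(new), k[0].to_pem]
end

old_json, new_json, node1_private = constructed_sample
puts compare(old_json, new_json)
puts private_key_matches?(node1_private, client_keys(new_json)["node1"])
```

A `:mismatch` or `:missing_on_new` for the client named in knife.rb is consistent with the "failed to authenticate" errors described in the thread.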