One client key on multiple nodes

Hello all,

In Policy ->Clients->create

I created a key to use for several nodes?

Can I use the same pem file to bootstrap multiple nodes?

Yes but make sure you delete it after the bootstrap by adding “recipe[chef-client::delete_validation]”, in the node run_list.

thanks for the quick response, how do you use it actually, while bootstrapping or after installing the client?

thanks

You can add it during the bootstrap or after, but make sure it gets deleted for security reasons.
Note: the chef-client cookbook https://supermarket.chef.io/cookbooks/chef-client/versions/0.99.1 has to be uploaded on the chef server.

still not working

knife bootstrap x.x.x.x root -P --identity-file /data/chef-keys/mru-esx.pem --node-name dumburtle

Missing the -x before the root
knife bootstrap x.x.x.x -x root -P --identity-file /data/chef-keys/mru-esx.pem --node-name dumburtle

yes but the .pem file doesn't seem to go on the server?

Mmm, I am not sure if you can do it this way… I usually do it on our Azure machines using the “Unattended Installs” https://docs.chef.io/install_bootstrap.html
This link might help https://stackoverflow.com/questions/24788920/chef-clients-and-validators

try to follow these steps: https://serverfault.com/questions/761167/how-to-manually-set-up-a-chef-node

  1. Install chef-client

Either use the https://www.chef.io/chef/install.sh script or download and install the correct chef-client package for your OS.

  2. Create /etc/chef/client.rb

Perhaps you can use one of your bootstrapped nodes as a reference. The important bit is that you have chef_server_url pointing at your Chef server.

Example:

/etc/chef/client.rb

chef_server_url "https://mychefserver.myorg.com/organizations/myorg"
validation_client_name "myorg-validator"
validation_key "/etc/chef/myorg-validator.pem"
log_level :info

  3. Copy validation key

The key you got after running chef-server-ctl org-create. If lost, you can generate a new one from Chef Manage.

Copy the key to /etc/chef/myorg-validator.pem (to what is configured as validation_key in client.rb).

  4. Fetch SSL cert

Optionally, if the SSL certificate on your Chef server isn’t signed (it probably isn’t), you must manually fetch it so that knife/chef-client will trust the certificate.

mkdir /etc/chef/trusted_certs
knife ssl fetch -c /etc/chef/client.rb
See also http://jtimberman.housepub.org/blog/2014/12/11/chef-12-fix-untrusted-self-sign-certs/

thanks will try soon

seems to work but it's not automatic from the server, I have to connect to the node and type chef-client

have a look at this: https://serverfault.com/questions/410208/is-there-a-more-elegant-way-to-remotely-run-chef-client

very interesting, let me test and let you know

is there a way to make the client.rb file grab the cookbook on registration to the chef server?

On Azure you can do it via the Chef extension, or you can use the bash/powershell script provided by chef in here: https://docs.chef.io/install_bootstrap.html


#!/bin/bash -xev

# helper used below: print the message and abort the bootstrap
error_exit() { echo "$1" >&2; exit 1; }

# Do some chef pre-work
/bin/mkdir -p /etc/chef
/bin/mkdir -p /var/lib/chef
/bin/mkdir -p /var/log/chef

# Setup hosts file correctly
cat > "/etc/hosts" << EOF
10.0.0.5 compliance-server compliance-server.automate.com
10.0.0.6 chef-server chef-server.automate.com
10.0.0.7 automate-server automate-server.automate.com
EOF

cd /etc/chef/

# Install chef
curl -L https://omnitruck.chef.io/install.sh | bash || error_exit 'could not install chef'

# Create first-boot.json
cat > "/etc/chef/first-boot.json" << EOF
{
  "run_list" : [
    "role[base]"
  ]
}
EOF

# random 4-character suffix for the node name
NODE_NAME=node-$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 4 | head -n 1)

# Create client.rb (single quotes outside so the inner double quotes reach the file)
/bin/echo 'log_location STDOUT' >> /etc/chef/client.rb
/bin/echo 'chef_server_url "https://aut-chef-server/organizations/my-org"' >> /etc/chef/client.rb
/bin/echo 'validation_client_name "my-org-validator"' >> /etc/chef/client.rb
/bin/echo 'validation_key "/etc/chef/my_org_validator.pem"' >> /etc/chef/client.rb
/bin/echo "node_name \"${NODE_NAME}\"" >> /etc/chef/client.rb

sudo chef-client -j /etc/chef/first-boot.json
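Pulling the thread's advice together in one place: the script above registers with a validator key shared by every node but never removes it, and the earlier reply says to put recipe[chef-client::delete_validation] in the run_list. The following is an added example, not code from any poster, that writes client.rb and first-boot.json with that recipe first and then checks that the validator key is gone and client.pem is mode 0600 after the run. Directory, server URL, validator name and role are assumptions passed in as parameters.

```shell
#!/bin/sh
# Added example (not from this thread's posters). All paths/names are parameters.

write_client_rb() {   # $1=chef dir  $2=server URL  $3=validator name  $4=node name
  cat > "$1/client.rb" <<EOF
log_location STDOUT
chef_server_url "$2"
validation_client_name "$3"
validation_key "$1/$3.pem"
node_name "$4"
EOF
}

# delete_validation goes first so the shared validator key is removed on the
# very first run, before any other recipe; registration already happened.
write_first_boot() {  # $1=chef dir  $2=role name
  cat > "$1/first-boot.json" <<EOF
{ "run_list": [ "recipe[chef-client::delete_validation]", "role[$2]" ] }
EOF
}

# Returns 0 only when the validator key is gone and, if client.pem exists,
# it is exactly mode 0600 (the node's own identity must not be world-readable).
check_post_bootstrap() {  # $1=chef dir  $2=validator name
  if [ -e "$1/$2.pem" ]; then
    echo "validator key $1/$2.pem still present" >&2
    return 1
  fi
  if [ -f "$1/client.pem" ]; then
    if [ -z "$(find "$1/client.pem" -perm 600)" ]; then
      echo "$1/client.pem is not mode 0600" >&2
      return 1
    fi
  fi
  return 0
}

# Full flow for a real node (requires chef-client installed and network access).
bootstrap_node() {    # $1=chef dir  $2=server URL  $3=validator  $4=node  $5=role
  write_client_rb "$1" "$2" "$3" "$4"
  write_first_boot "$1" "$5"
  chef-client -c "$1/client.rb" -j "$1/first-boot.json" || return 1
  check_post_bootstrap "$1" "$3"
}
```

Call bootstrap_node /etc/chef https://chef.example/organizations/myorg myorg-validator node-0001 base after copying myorg-validator.pem into /etc/chef; a non-zero exit means the key survived the run and must be removed by hand.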