Pem files

Hi all -

The pem file management portion of the setup of chef is a tad bit confusing.

When you have your own chef-server, what’s the process for getting the
proper files for a local-dev knife setup?

Also, once those are in place, shouldn’t I be able to execute knife ssh
commands w/o a password?

Anyone? Is it really legit to scp them down to all the agents?

On Tue, Sep 20, 2011 at 2:16 PM, Maven User maven.2.user@gmail.com wrote:

Hi all -

The pem file management portion of the setup of chef is a tad bit
confusing.

When you have your own chef-server, what's the process for getting the
proper files for a local-dev knife setup?

Also, once those are in place, shouldn't I be able to execute knife ssh
commands w/o a password?

Yup, scp (secure copy), or sftp provides an encrypted transfer mechanism.

On our chef server, I create linux user accounts for whomever needs access, and drop their .pem file into their local dir, and let them scp/sftp it for themselves. Or they can ssh into the chef server and set up their knife.rb setup locally on the chef server itself.

On Sep 21, 2011, at 1:30 PM, Maven User wrote:

Anyone? Is it really legit to scp them down to all the agents?

On Tue, Sep 20, 2011 at 2:16 PM, Maven User maven.2.user@gmail.com wrote:
Hi all -

The pem file management portion of the setup of chef is a tad bit confusing.

When you have your own chef-server, what's the process for getting the proper files for a local-dev knife setup?

Also, once those are in place, shouldn't I be able to execute knife ssh commands w/o a password?

Another option I've done in the past, simply cat the pem, and then copy/paste from the terminal output into another pem file on the target machine.

On Sep 21, 2011, at 1:30 PM, Maven User wrote:

Anyone? Is it really legit to scp them down to all the agents?

On Tue, Sep 20, 2011 at 2:16 PM, Maven User maven.2.user@gmail.com wrote:
Hi all -

The pem file management portion of the setup of chef is a tad bit confusing.

When you have your own chef-server, what's the process for getting the proper files for a local-dev knife setup?

Also, once those are in place, shouldn't I be able to execute knife ssh commands w/o a password?

Hi all,

I have written some cookbooks for my needs including, IPVS/LVS loadbalancer with heartbeat, a users::roles recipe, an alternative rvm cookbook which builds/packages/installs to reprepro and uses it to install in future (as the existing rvm compilation takes too long IMHO), etc.

My target OS is debian/ubuntu so I’ve only bothered writing debian/ubuntu… so should I write the others distros too?

Also, I hate installing chef (client) under system ruby and having chef (client) run as root. I hate having a system ruby because it interferes a bit with having multiple rubies installed via RVM in some cases, so I have also rewritten a bootstrap procedure to install chef client under rvm as a non-privileged user. It all works fine, and no system ruby installed at all- perfect.

I am not sure if anybody is interested in any of this, but if I should be uploading it somewhere please don't hesitate to tell me what I should do with it all.

Thanks
Geoff

Hi Geoff,

First of all I want to say that all is very nice!

On 09/23/2011 05:38 PM, Geoff Meakin Acid wrote:

Hi all,

I have written some cookbooks for my needs including, IPVS/LVS loadbalancer with heartbeat, a users::roles recipe, an alternative rvm cookbook which builds/packages/installs to reprepro and uses it to install in future (as the existing rvm compilation takes too long IMHO), etc.

It would be great to have a cookbook for reprepro with some kind of
uploading automation. For now I'm using reprepro manually and that's not
very handy. If it's possible to just upload changes and built deb
packages to this reprepro node via ssh and if it can automatically add
those into the repository it will be great))

My target OS is debian/ubuntu so I've only bothered writing debian/ubuntu.. so should I write the others distros too?

Also, I hate installing chef (client) under system ruby and having chef (client) run as root. I hate having a system ruby because it interferes a bit with having multiple rubies installed via RVM in some cases, so I have also rewritten a bootstrap procedure to install chef client under rvm as a non-privileged user. It all works fine, and no system ruby installed at all- perfect.

I think that many folks will be interested in an RVM cookbook...
Why do you hate running chef-client as root? How will it be possible to
mangle the system configuration when running with dropped privileges?
Maybe I just misunderstand something.

Best,
Denis

I am not sure if anybody is interested in any of this, but if I should be uploading it somewhere please don't hesitate to tell me what I should do with it all.

Thanks
Geoff

I think that many folks will be interested in an RVM cookbook...
Why do you hate running chef-client as root? How will it be possible to mangle the system configuration when running with dropped privileges? Maybe I just misunderstand something.

Ah yes it still needs privileges, so instead of running "$ chef-client", it runs "$ sudo -E chef-client", with chef in sudoers and /sbin paths appropriately set up. I just don't like running anything as root, but that's because I'm paranoid :wink:

I'll see what I can do about tidying some stuff up and then send it out somehow. I probably won't make the 'cookbook competition', but then I'm a bit of a latecomer to chef :slight_smile:

On 09/23/2011 06:02 PM, Geoff Meakin Acid wrote:

I think that many folks will be interested in an RVM cookbook...
Why do you hate running chef-client as root? How will it be possible to mangle the system configuration when running with dropped privileges? Maybe I just misunderstand something.
Ah yes it still needs privileges, so instead of running "$ chef-client", it runs "$ sudo -E chef-client", with chef in sudoers and /sbin paths appropriately set up. I just don't like running anything as root, but that's because I'm paranoid :wink:

Haha that's good) But don't try to get very far with that...

I'll see what I can do about tidying some stuff up and then send it out somehow. I probably won't make the 'cookbook competition', but then I'm a bit of a latecomer to chef :slight_smile:

I enter this
Terrapins-MacBook-Pro:.chef Terrapin$ scp -i ~/.ssh/private_key ubuntu@ec2-18-191-14-213.us-east-2.compute.amazonaws.com:/drop/chefadmin.pem ~/learn-chef/.chef/chefadmin.pem

Warning: Identity file /Users/Terrapin/.ssh/private_key not accessible: No such file or directory.

And get this:
Permission denied (publickey).
Terrapins-MacBook-Pro:.chef Terrapin$

Then I tried listing where the PEM file to access the ec2 instance is stored:

Terrapins-MacBook-Pro:.chef Terrapin$ scp -i ~/ec2d/paid.pem ec2-18-191-14-213.us-east-2.compute.amazonaws.com:/drop/chefadmin.pem ~/learn-chef/.chef/chefadmin.pem
Warning: Identity file /Users/Terrapin/ec2d/paid.pem not accessible: No such file or directory.
Permission denied (publickey).

Same response. Can anyone help?
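An added example, not code from anyone in this thread: a small POSIX shell script that covers the two pem-handling steps discussed above, the server-side "drop their .pem file into their local dir" step from the earlier reply and the client-side identity check that the two scp -i attempts in the last post failed (the path passed to -i did not exist). Function names and the placeholder key body are assumptions; the only Chef-specific fact relied on is that knife reads the key path from client_key in knife.rb, so the installed copy is whatever that setting points at.

```shell
#!/bin/sh
# Added example, not code from the thread: checks around moving a Chef client .pem
# between hosts. Function names and the placeholder key are assumptions; nothing
# written by this script is a real key.

# Digest of a file with whatever sha256 tool exists (cksum as a last resort).
file_digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
  else cksum "$1" | cut -d' ' -f1
  fi
}

# check_identity FILE: the checks behind "Identity file ... not accessible" and
# "Permission denied (publickey)". Succeeds only if FILE exists, is readable,
# starts with a PEM private-key header and has no group/other permission bits,
# which is also what ssh itself demands before it will use a private key.
check_identity() {
  f=$1
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  [ -r "$f" ] || { echo "not readable: $f" >&2; return 1; }
  head -n 1 "$f" | grep -q 'BEGIN .*PRIVATE KEY' \
    || { echo "not a PEM private key: $f" >&2; return 1; }
  # columns 5-10 of "ls -ld" are the group and other permission bits
  grp_oth=$(ls -ld "$f" | cut -c5-10)
  [ "$grp_oth" = "------" ] \
    || { echo "permissions too open (group/other bits set), want 0600: $f" >&2; return 1; }
  return 0
}

# install_pem SRC DEST: copy a .pem into place so it is never group- or
# world-readable, even for an instant, and verify the copy against the source.
install_pem() {
  src=$1; dest=$2
  check_identity "$src" || return 1
  mkdir -p "$(dirname "$dest")" || return 1
  # umask in a subshell: the copy is created 0600 without changing the caller's umask
  ( umask 077 && cp "$src" "$dest" && chmod 0600 "$dest" ) || return 1
  [ "$(file_digest "$src")" = "$(file_digest "$dest")" ] \
    || { echo "digest mismatch after copy: $dest" >&2; return 1; }
  check_identity "$dest"
}

# Constructed sample: a placeholder PEM body, not a usable key.
make_sample_pem() {
  ( umask 077 && printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
      'PLACEHOLDER-NOT-A-REAL-KEY' '-----END RSA PRIVATE KEY-----' > "$1" )
}

# Walk-through when run as "PEM_DEMO=1 sh pem-check.sh".
demo() {
  d=$(mktemp -d)
  make_sample_pem "$d/chefadmin.pem"
  check_identity "$d/private_key" || echo "-> rejected, as in the thread's first scp attempt"
  chmod 0644 "$d/chefadmin.pem"
  check_identity "$d/chefadmin.pem" || echo "-> rejected: ssh would ignore this key too"
  chmod 0600 "$d/chefadmin.pem"
  install_pem "$d/chefadmin.pem" "$d/dev/.chef/chefadmin.pem" && echo "-> installed and verified"
  rm -rf "$d"
}
if [ "${PEM_DEMO:-}" = 1 ]; then demo; fi
```

The two error lines in the last post come from different places: scp warns that the -i path does not exist, then ssh falls back to whatever default identities it has and the server rejects them, hence "Permission denied (publickey)". check_identity reproduces the first failure locally before anything goes over the wire, and install_pem does the copy under a 077 umask so the .pem is never briefly readable by other local users on the chef server or the workstation.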