On Wed, 08 Feb 2012, AJ Christensen wrote:
> On 8 February 2012 11:27, kallen@groknaut.net wrote:
>> is there anything special i need to do to get my new chef server to use
>> the validation.pem and webui.pem i "tell" it to use? here's what i'm doing:
>>
>> /etc/init.d/chef-server stop
>> {"ok":true}
>> cp /tmp/validation.pem.from-backup /etc/chef/validation.pem
>> cp /tmp/webui.pem.from-backup /etc/chef/webui.pem
>> /etc/init.d/chef-server start
>>
>> but.. it creates new keys anyway:
>>
>> [Tue, 07 Feb 2012 22:19:25 +0000] INFO: Creating validation key...
>> [Tue, 07 Feb 2012 22:19:25 +0000] INFO: Creating new key pair for chef-webui
>>
>> what to do?
>>
>> my goal is to be able to bring up a chef server from backups in case of
>> emergency.
> Yo,
>
> Like I mentioned in IRC, if you want to bring your chef-server back
> from a backup, you'll need to have backups of the Chef couchdb
> database. Chef stores the public keys in the database as part of the
> Authentication system.
>
> Restoring the database before starting the chef-server processes
> should cause it to not recreate the webui or validation clients,
> allowing you to reuse your old private keys.
>
> It's been years since I've tried to do this, but I'm sure others have
> performed the task recently.
ah. restoring the couchdb from backup is the part i missed. i got it
to work, but i have questions:
- i was not able to couchdb-load immediately after deleting the fresh
  chef couchdb. i had to start chef-server to cause a fresh one to be
  created. what to do?
- i wasn't able to couchdb-load without using --ignore-errors. is that
  expected? safe?
here's what i did:
btw, my couchdb dumps are created like so:
couchdb-dump http://127.0.0.1:5984/chef | gzip -9c > $BACKUPDIR/chef.$(date +%F).couchdb.gz
on brand new chef server:
/etc/init.d/chef-server stop
{"ok":true}
Loading document '000657bb-31cb-4d01-bce5-b8da60c7c0fd'
Traceback (most recent call last):
[snip]
couchdb.http.ResourceNotFound: ('not_found', 'no_db_file')
i guess that's because there's no /var/lib/couchdb/1.0.1/chef.couch file.
how do i make one without firing up the chef-server?
i fire it up again, knowing it'll create validation and webui keys:
/etc/init.d/chef-server start
now we have /var/lib/couchdb/1.0.1/chef.couch
/etc/init.d/chef-server stop
[snip]
Loading document '9ffe08eb-9497-45a7-8a67-7fc2650ed92e'
Loading document '_design/checksums'
Traceback (most recent call last):
File "/usr/bin/couchdb-load", line 9, in <module>
load_entry_point('CouchDB==0.8', 'console_scripts', 'couchdb-load')()
File "/usr/lib/pymodules/python2.7/couchdb/tools/load.py", line 87, in main
password=options.password, ignore_errors=options.ignore_errors)
File "/usr/lib/pymodules/python2.7/couchdb/tools/load.py", line 50, in load_db
db[docid] = doc
File "/usr/lib/pymodules/python2.7/couchdb/client.py", line 333, in __setitem__
status, headers, data = self.resource.put_json(id, body=content)
File "/usr/lib/pymodules/python2.7/couchdb/http.py", line 405, in put_json
status, headers, data = self.put(*a, **k)
File "/usr/lib/pymodules/python2.7/couchdb/http.py", line 384, in put
return self._request('PUT', path, body=body, headers=headers, **params)
File "/usr/lib/pymodules/python2.7/couchdb/http.py", line 419, in _request
credentials=self.credentials)
File "/usr/lib/pymodules/python2.7/couchdb/http.py", line 306, in request
raise ResourceConflict(error)
couchdb.http.ResourceConflict: ('conflict', 'Document update conflict.')
couchdb-load --input=/tmp/chef.2012-02-07.couchdb http://127.0.0.1:5984/chef --ignore-errors
.. loads successfully
cp /tmp/validation.pem.backup /etc/chef/validation.pem
cp /tmp/webui.pem.backup /etc/chef/webui.pem
/etc/init.d/chef-server start
chef server log gives no indication new keys were generated. yay \o/
using the contents of my ~/.chef from the original chef server:
kallen@cheftain03:~$ knife client list
.. lovely output
JFWs. yay.
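Added example, not code from the thread or from Chef itself: a small Ruby check (stdlib openssl only) that the validation.pem and webui.pem copied back into /etc/chef really correspond to the public keys in the client documents restored into CouchDB, so a key pair silently regenerated by a premature chef-server start shows up before knife does. The `name`/`public_key` fields of a client document, the client names and all key material below are assumptions and constructed sample data.

```ruby
require 'openssl'

# Derive the public key from a private key PEM and compare it with the
# public key stored in a Chef client document. Unparseable PEMs count as
# a mismatch rather than raising.
def key_matches?(private_pem, stored_public_pem)
  priv   = OpenSSL::PKey::RSA.new(private_pem)
  stored = OpenSSL::PKey::RSA.new(stored_public_pem)
  priv.public_key.to_der == stored.to_der
rescue OpenSSL::PKey::PKeyError
  false
end

# client_docs: client documents as read back from the restored database
# (http://127.0.0.1:5984/chef/<docid>); the 'name' and 'public_key'
# fields are an assumption about the document layout.
# private_keys: client name => private key PEM read from /etc/chef.
# Returns client name => true/false. A name missing from the database
# counts as a mismatch, since chef-server would recreate that client
# with a brand-new key pair on start.
def verify_restored_keys(client_docs, private_keys)
  by_name = client_docs.each_with_object({}) { |d, h| h[d['name']] = d['public_key'] }
  private_keys.each_with_object({}) do |(name, pem), result|
    result[name] = by_name.key?(name) && key_matches?(pem, by_name[name])
  end
end

# Constructed sample: validation.pem matches the restored database, but
# webui.pem holds the wrong key (as after copying the wrong file, or after
# chef-server was started before couchdb-load and generated a fresh pair).
VALIDATOR_KEY = OpenSSL::PKey::RSA.new(2048)
WEBUI_KEY     = OpenSSL::PKey::RSA.new(2048)
CLIENT_DOCS = [
  { 'name' => 'chef-validator', 'public_key' => VALIDATOR_KEY.public_key.to_pem },
  { 'name' => 'chef-webui',     'public_key' => WEBUI_KEY.public_key.to_pem },
]
RESTORED_PEMS = {
  'chef-validator' => VALIDATOR_KEY.to_pem,
  'chef-webui'     => VALIDATOR_KEY.to_pem, # wrong key ended up in webui.pem
}

if $PROGRAM_NAME == __FILE__
  verify_restored_keys(CLIENT_DOCS, RESTORED_PEMS).each do |name, ok|
    puts "#{name}: #{ok ? 'private key matches stored public key' : 'MISMATCH'}"
  end
end
```

Run it after couchdb-load and before starting chef-server; any MISMATCH means the pem on disk will not authenticate against the database you just restored.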