Question about Chef running as root


#1

Hello all,

I’m fairly new to Chef. I stepped through some parts of the documentation
to understand what Chef is all about, and I have a rough idea.

So I am working on a project now that already uses Chef to deploy to
servers. I kind of jumped into the middle of it (it was all written by
someone else). The way it currently works, from what I can see, is that when
the scripts are run, it logs into the server as root, and then does what it
needs to do based on json files. This has worked well so far, but now I am
facing an issue with deploying to Amazon EC2 instances.

With Amazon EC2, we can’t log in as root by default, only whatever user
that is assigned (i.e. “ubuntu” for Ubuntu instances, “ec2-user” for RHEL
etc.). I cannot change that at the moment, so I have to find another way to
do it.

My question is: does Chef always run as root? Is there a way to bypass the
root user altogether, and use another user with all the privileges? How
would you recommend that I tackle this?

As I said, I’m very new to this so kindly bear with me.

Thank you!


#2

Hi, Ahmed,

When you bootstrap the node, if you pass in the --sudo flag, it will log in
as the specified user and escalate privileges after that. When knife runs
on the host later, it needs to be run with sudo.

That’s pretty much it!

Michael Della Bitta


Appinions
18 East 41st Street, 2nd Floor
New York, NY 10017-6271

www.appinions.com

Where Influence Isn’t a Game

On Wed, May 8, 2013 at 9:40 AM, Ahmed H. ahmed.hammad@gmail.com wrote:



#3

In most cases chef needs to run as root (in fact any config management
system), as it will try to do administrative tasks (like user creations,
permissions handling, package management etc). That said, this is not
imposed implicitly, which means you can very well run chef as a non-root
user and do things that the user is able to do (like creating files inside
the user home directory, executing commands etc), just make sure you
point chef to a caching directory & config where the user has permissions
(I used .chef/cache in the home directory, and .chef/client.rb for configs).

As per your requirement, you can wrap the invocation with sudo; both the ubuntu
user and ec2-user have sudoers privilege. The bootstrap plugin specifically
provides the --sudo option for this (and you don't have to do this explicitly),
also the knife-ec2 plugin assumes this and sets it for ya (it uses the
bootstrap plugin internally).

regards
ranjib

On Wed, May 8, 2013 at 6:40 AM, Ahmed H. ahmed.hammad@gmail.com wrote:



#4

Thanks for the quick response. You mention bootstrapping the node. Is that
part of the Chef deployment?

When digging through I found a Capfile. How does this tie into Chef? Also,
not sure if it makes a difference but this is a chef-solo deployment.

Thanks again!

On Wed, May 8, 2013 at 10:50 AM, Ranjib Dey dey.ranjib@gmail.com wrote:



#5

A Capfile is used by Capistrano https://github.com/capistrano/capistrano,
which isn’t part of Chef. As to how it’s tied in, I don’t know. That
would depend on the code in question. Any chance you could share any of
what you’re working on in any fashion? It sounds like you’re certainly
dealing with something pretty custom.

-Matt

On Wed, May 8, 2013 at 11:37 AM, Ahmed H. ahmed.hammad@gmail.com wrote:



#6

I don’t think I can share what I have at the moment but I’ll double check.

As for Amazon EC2, which caused the issue in the first place… I can only
SSH into it with the key (using the -i option). I know I can get rid
of that through Amazon but that would cause a big security hole which I
don’t want to do. How can I get around that?

I thought about aliasing ssh to include the key in every command, but I’m
not sure if that’ll work.

Thanks again, you’ve all been quite helpful :)

On Wed, May 8, 2013 at 11:49 AM, Matthew Moretti werebus@gmail.com wrote:



#7

You can pass the -i flag to knife bootstrap or knife-ec2 as well.

On Wed, May 8, 2013 at 9:15 AM, Ahmed H. ahmed.hammad@gmail.com wrote:



#8

Just to clarify a couple of things I read in your email that could be part of the confusion:

  • When you run “knife bootstrap” against a target node, you can/should log in as yourself and use the “--sudo” option. This option opens an SSH session under your login and then runs the rest of the bootstrap under the “sudo” environment that you specified. This is entirely doable with EC2, where you’ll ssh into the EC2 instance as the “ubuntu” user, for example, if you’re running Ubuntu instances.
  • On the target node, there is an agent that runs, called the chef-client, that normally runs as root. Even if your node doesn’t allow direct login as root, your chef-client can still run as root, and in most cases, for the tasks that the chef-client needs to do, this is almost a requirement. In theory, you can run the chef-client as another user, but you will need to work out the cascading permissions issues that will surely crop up. The chef-client runs under a pull model, where it will reach out to the chef server to get its set of instructions and other data that it’ll need for the chef run (aka cookbooks, recipes, attributes, etc). Once it gets all that data from the server, it runs independently of the server and uploads some data back at the end of the run that reports on the new state of the node. The chef-client will need to access HTTPS port 443 to reach the server, so make sure your firewalls are playing nicely.

HTH,
Dang Nguyen

On 5/8/13 6:40 AM, “Ahmed H.” <ahmed.hammad@gmail.com> wrote:


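An added example, not code from the thread or from Chef itself, tying together Ranjib's non-root setup (a client.rb whose cache, backup, lock and log paths live under the user's home) and the bootstrap Dang and Ranjib describe (SSH as the cloud-assigned user with -i for the EC2 key, escalate with --sudo, never log in as root). It assumes the 2013-era knife flags -x, -i, --sudo, -N and -r; the chef_server_url and key paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Chef): the two halves of the
# "never log in as root" workflow discussed above.
#   write_nonroot_client_rb DIR   writes a client.rb whose writable paths live
#                                 under DIR so chef-client can run unprivileged
#   bootstrap_cmd HOST USER KEY NODE RUNLIST
#                                 builds the knife bootstrap line: SSH as the
#                                 cloud-assigned user with -i KEY, escalate
#                                 with --sudo, refuse a direct root login
# chef_server_url and key paths below are placeholders, not real endpoints.
set -eu

write_nonroot_client_rb() {
  dir="$1"
  mkdir -p "$dir/cache" "$dir/backup"
  chmod 700 "$dir"        # the directory will hold client.pem; keep it private
  cat > "$dir/client.rb" <<EOF
# Paths an unprivileged user can write to. chef-client's defaults are under
# /var/chef and /var/log, which only root may write.
cache_path       "$dir/cache"
file_cache_path  "$dir/cache"
file_backup_path "$dir/backup"
log_location     "$dir/client.log"
lockfile         "$dir/cache/chef-client.pid"
# Identity settings (placeholders; fill in for your organisation)
chef_server_url  "https://chef.example.invalid/organizations/example"
node_name        "$(hostname 2>/dev/null || echo node-placeholder)"
client_key       "$dir/client.pem"
EOF
  chmod 600 "$dir/client.rb"
  printf '%s\n' "$dir/client.rb"
}

# Run chef-client as the current (non-root) user against that config. Anything
# the recipes do outside the user's own permissions will fail, as the thread
# warns; that failure is the signal that the run needs sudo after all.
run_nonroot_chef() {
  chef-client -c "$1"
}

bootstrap_cmd() {
  host="$1"; user="$2"; key="$3"; node="$4"; runlist="$5"
  if [ "$user" = "root" ]; then
    echo "refusing direct root login; use the assigned user plus --sudo" >&2
    return 1
  fi
  if [ ! -r "$key" ]; then
    echo "key file not readable: $key" >&2
    return 1
  fi
  # ssh itself rejects group- or world-readable private keys, so catch that
  # here rather than half way through a bootstrap.
  if [ -n "$(find "$key" -perm -040)" ] || [ -n "$(find "$key" -perm -004)" ]; then
    echo "key file $key is readable by others; chmod 600 it first" >&2
    return 1
  fi
  # -x: SSH login user, -i: identity file, --sudo: escalate on the node,
  # -N: node name registered with the server, -r: initial run list
  printf "knife bootstrap %s -x %s -i %s --sudo -N %s -r '%s'\n" \
    "$host" "$user" "$key" "$node" "$runlist"
}
```

To actually run the bootstrap, eval the printed line; bootstrap_cmd only builds and checks it so the preflight can be tested without touching a host.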

#9

In all docs I’ve read, the assumption is that one is working with Ubuntu.
But that is not always the case.

There are slight differences when using, say, CentOS; the “--sudo” part
didn’t work for me. I had to use root to bootstrap a node.

Also, in CentOS 6.4, I had to disable selinux and stop iptables so I could
access HTTPS from a remote web client. Don’t know whether that’s an issue
in Ubuntu.

-lun

On Wed, May 8, 2013 at 1:50 PM, Nguyen, Dang Dang.Nguyen@disney.com wrote:



#10

I have used centos with chef and the sudo option worked for me. As of now
chef does not support selinux. I recall someara had done some work on
supporting security context.

On May 10, 2013 9:53 AM, “Lunixer” lunixer@gmail.com wrote:



#11

I don’t want to hijack this thread, will open another one to discuss the
sudo part.

-lun


#12

Just for the record… tried again and the sudo option does work in centos.

-lun

On Fri, May 10, 2013 at 10:15 AM, Lunixer lunixer@gmail.com wrote:



#13

I’m running chef on CentOS 6.4 with SELinux enabled and IPTables running, but there are a number of tricks to observe:

  • Older versions of chef will clobber SELinux contexts. With these versions, after each chef run, you will need to run restorecon on any files chef may have touched. Chef 11.4 has mostly fixed that (there are still a few issues with the RemoteDirectory resource, I believe). This fix is not documented, but rather seems to be an artifact of some redesign.

  • Don’t use the Apache community cookbook, or any cookbooks that depend on it. Just as you say, it was written with Ubuntu in mind, and I don’t think it really matches the SELinux contexts in CentOS. You can of course come up with fixed SELinux contexts, but that is a fairly massive undertaking to get it right.

  • I don’t really see why iptables would be a problem. Are you generating the iptables configurations using chef, and if so, which cookbook are you using?

Personally, I’m using shorewall-lite, and I use chef to auto-generate the shorewall files.

-----Original message-----
From: Lunixer lunixer@gmail.com
Sent: Friday 10th May 2013 9:53
To: chef@lists.opscode.com
Subject: [chef] Re: Re: Question about Chef running as root

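An added example, not from the thread or from Chef, for the "run restorecon on any files chef may have touched" step above. It assumes (not confirmed by the thread) that chef keeps a backup of each pre-existing file it replaces under file_backup_path as the original path plus a .chef-<timestamp> suffix, and that chef-client and restorecon are on the host.

```shell
#!/bin/sh
# Added example (not from the thread or from Chef): re-label the files a chef
# run rewrote, for hosts that keep SELinux enforcing with an older chef.
# ASSUMPTION about layout: chef stores a copy of each pre-existing file it
# replaces under file_backup_path, mirroring the original path and appending
# ".chef-<timestamp>". Files chef creates fresh get no backup, so cover the
# directories they land in with restorecon -R separately.
set -eu

# Map one backup entry back to the path chef rewrote, e.g.
#   /home/u/.chef/backup/etc/httpd/conf/httpd.conf.chef-20130510123456789
#   -> /etc/httpd/conf/httpd.conf
backup_to_original() {
  prefix="${1%/}"; entry="$2"
  case "$entry" in
    "$prefix"/*) ;;
    *) echo "not under $prefix: $entry" >&2; return 1 ;;
  esac
  rel="${entry#"$prefix"}"
  case "$rel" in
    *.chef-[0-9]*) printf '%s\n' "${rel%.chef-*}" ;;
    *) echo "no .chef-<timestamp> suffix: $entry" >&2; return 1 ;;
  esac
}

# Original paths of every backup written after MARKER's mtime, de-duplicated
# (a single run can back the same file up more than once).
changed_since() {
  prefix="${1%/}"; marker="$2"
  find "$prefix" -type f -name '*.chef-*' -newer "$marker" |
    while IFS= read -r f; do backup_to_original "$prefix" "$f"; done | sort -u
}

# Touch a marker, run chef-client, then restorecon only what changed.
run_chef_and_relabel() {
  config="$1"; prefix="$2"
  marker=$(mktemp)
  chef-client -c "$config"
  changed_since "$prefix" "$marker" | while IFS= read -r path; do
    if [ -e "$path" ]; then restorecon -v "$path"; fi
  done
  rm -f "$marker"
}
```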