You could reduce the security issue by using SSH with a private key to a non-root account, preferably one with minimal permissions. Add an entry to your sudoers file, and then use sudo to run the command.
You can further lock down the system with the SSH allowed_keys file; you can set it up so that SSH will not get a terminal and can only execute the one command "sudo chef-client".
The chef server does not have the credentials to enforce that. You'd have to execute something like a "knife ssh" command, with stored root passwords or root ssh credentials. That's a big security issue.
I'm trying to integrate an 'execute recipe' functionality to my chef server ui.
It has to do the function of 'chef-client' from the UI. Please help me to do so.
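The lockdown suggested in the first message above (key-only login to a minimal account, one sudo rule, no terminal, one forced command), as an added example that is not part of the thread. In OpenSSH the per-key restrictions live in the account's `authorized_keys` file; the account name `chefrun`, the path `/usr/bin/chef-client` and the key material are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: account "chefrun",
# client path /usr/bin/chef-client; key material is a constructed placeholder.

# sudoers drop-in line: the account may run chef-client as root with no
# password; the trailing "" forbids passing any arguments.
sudoers_line() {
    printf '%s ALL=(root) NOPASSWD: %s ""\n' "$1" "$2"
}

# authorized_keys line: "restrict" (OpenSSH 7.2+) disables PTY allocation and
# all forwarding; command= forces the single permitted command.
forced_key_line() {
    printf 'restrict,command="sudo -n %s" %s\n' "$2" "$1"
}

# Print every key in an authorized_keys file ($1) that has no forced command
# or can still obtain a terminal. Returns 0 only when no such key exists.
# Options are matched in lower case, as they are normally written.
audit_keys() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                  # blank line or comment
            ssh-*|ecdsa-*|sk-*) opts='' ;;        # key type first: no options
            *) opts=${line%% ssh-*}; opts=${opts%% ecdsa-*}; opts=${opts%% sk-*} ;;
        esac
        ok=1
        case $opts in *'command="'*) ;; *) ok=0 ;; esac
        case ",$opts," in *,restrict,*|*,no-pty,*) ;; *) ok=0 ;; esac
        case ",$opts," in *,pty,*) ok=0 ;; esac   # "pty" re-enables a terminal
        if [ "$ok" -eq 0 ]; then
            bad=$((bad + 1))
            printf 'UNRESTRICTED: %s\n' "$line"
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Show the two configuration lines for the assumed account and path.
sudoers_line chefrun /usr/bin/chef-client
forced_key_line 'ssh-ed25519 AAAAC3constructedPLACEHOLDER chef-ui' /usr/bin/chef-client
```

Install the sudoers line through `visudo -f` so a syntax error cannot lock out sudo, and run `audit_keys` against the account's key file after every change.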
Thank you for the suggestions. Is there any way to get the source code of chef and build from it or contribute to chef? I want to add this functionality. If somebody has already done this, please help me with the implementation part.
While I'm sure you mean well, I think you underestimate what you are suggesting. I don't want to turn you off from contributing to Chef, but I think this is probably not something you would want to tackle right out of the starting gate. If you are looking for good remote-execution systems that are well integrated with Chef, you can get a trial version of Enterprise Chef I think.
On Mon, Mar 17, 2014 at 8:56 AM, Kevin Keane Subscription subscription@kkeane.com wrote:
You could reduce the security issue by using SSH with a private key to a non-root account, preferably one with minimal permissions. Add an entry to your sudoers file, and then use sudo to run the command.
You can further lock down the system with the SSH allowed_keys file; you can set it up so that SSH will not get a terminal and can only execute the one command "sudo chef-client".