RE: Re: Re: Re: Re: Re: Re: RE: Re: Chef Node Access to Server via Relay Machine



I would also love to have a way to manage devices that can’t run chef. I have several that I have been trying to figure out how to manage with chef. Trying to make chef run on all kinds of nodes is going to be a futile effort in the end, because there are just too many devices out there. Even if they run Linux under the hood, they are often impractical to access, and doing so would defeat the whole purpose of having these devices.

Examples:

  • Cisco devices
  • DD-WRT and OpenWRT (they use Linux, but don’t have enough memory or storage space for chef)
  • Fortigate (I think it runs Linux under the hood, but accessing would mean drastic actions that defeat the whole purpose of having a security device)
  • Sonicwall
  • SIP phones.

Kevin Keane

The NetTech

760-721-8339

http://www.4nettech.com

Our values: Privacy, Liberty, Justice

See https://www.4nettech.com/corp/the-nettech-values.html

-----Original message-----
From: Tensibai Zhaoying tensibai@iabis.net
Sent: Sunday 13th July 2014 12:33
To: chef@lists.opscode.com
Subject: [chef] Re: Re: Re: Re: Re: Re: RE: Re: Chef Node Access to Server via Relay Machine

OK, sounds like I’ll have to work on it for Cisco Nexus and Checkpoint, voiding (?) the warranty if something other than their package is installed…

Thanks for the update Noah

---- Noah Kantrowitz a écrit ----

Cisco hasn’t really come up much. I know there are builds running on Arista and Cumulus gear, and I think I’ve heard work done on Broadcom and Juniper. All of those are running embedded linux (or something close enough to it) so it is mostly a question of compiling Ruby/Chef and making nice cookbooks and resources for configuration.

–Noah

On Jul 12, 2014, at 12:38 PM, Tensibai Zhaoying <tensibai@iabis.net> wrote:

?? How could chef run on a Cisco device?
For the others I may one way or two, but in switches…

---- Noah Kantrowitz a écrit ----

This was mostly being discussed as a way to work with Chef+networking hardware, and instead that has gone in the direction of running chef on the devices themselves.

–Noah

On Jul 12, 2014, at 12:13 AM, Tensibai Zhaoying <tensibai@iabis.net> wrote:

It makes me think about an old term: managed nodes, where a client on the node is not possible for different reasons.

The main idea is that box A runs chef with ohai data from box B obtained by ssh or other means, converges locally and makes the necessary changes by the same way.

It would be useful for DMZ boxes, switches, and probably others I don’t think of.

Is the managed node still on the chef roadmap, or is it something to be created from scratch?

---- Noah Kantrowitz a écrit ----

What you are describing is a proxy, so if a proxy is disallowed you can’t do that either.

–Noah

On Jul 11, 2014, at 7:07 PM, Kapil Shardha <Kapil.Shardha@SimulationIQ.com> wrote:

Thanks for the suggestion. I am aware of the proxy settings but in this case, setting up a proxy may or may not be allowed (due to some constraints).

That is why I wanted to discuss and learn about some alternate solution.

I forgot to mention one point in my suggested approach. I will have to consider allowing/adding routes for other URLs if I would be using some community cookbook where the files etc. are hosted on AWS.

Thanks

-Kapil

-----Original Message-----

From: Julian C. Dunn [mailto:jdunn@aquezada.com]

Sent: Friday, July 11, 2014 5:16 PM

To: chef@lists.opscode.com

Subject: [chef] Re: Chef Node Access to Server via Relay Machine

Why not just set up a proxy server between the Chef server and the node under management? Chef Client can connect to the Chef Server via an HTTP proxy.

- Julian

On Fri, Jul 11, 2014 at 4:58 PM, Kapil Shardha <Kapil.Shardha@simulationiq.com> wrote:

Hi,

In the Chef requirement doc (http://docs.opscode.com/chef_system_requirements.html), it is mentioned that each node and workstation must have access to the Chef Server via HTTPS.

I have a scenario where a chef node is in an isolated network and does not have direct connection/access to internet. In this scenario the Chef Server is hosted outside this network and is accessible over the internet. The same network has another machine that can connect to the internet. Is there a way to configure chef-client on the node to connect to chef-server via the machine that can access internet, as a relay machine?

If not, I was thinking of the following configuration and before I test it out, just want to get some input from others:

1. Configure static mapping of Chef-server IP-URL in Hosts file (node is running Windows OS)
2. On the node, create a static route for Chef-server IP with internet accessing machine as the Gateway.

Do you see any issues with this setup?

Thanks

-Kapil

[ Julian C. Dunn <jdunn@aquezada.com>                * Sorry, I’m      ]
[ WWW: http://www.aquezada.com/staff/julian          * only Web 1.0    ]
[ gopher://sdf.org/1/users/keymaker/                 * compliant!      ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9 ]
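The two approaches discussed in this thread (Julian's forward proxy with chef-client pointed at it, and Kapil's hosts-file entry plus a static route through the relay) differ in one concrete way that can be checked before the first converge: with proxy settings in client.rb, chef-client's Net::HTTP connections are routed through the relay's proxy, while without them every host the run contacts (the Chef server and any cookbook file hosts, such as Kapil's community-cookbook files on AWS) needs a direct route out of the isolated network. The Ruby below is an added example, not code from the thread or from Chef itself. It models the client.rb keys `http_proxy`, `https_proxy` and `no_proxy` (real chef-client settings) as a hash, exports them into an ENV-shaped hash (a simplification of what chef-client does at startup, assumed here rather than calling Chef's own routine), and uses the stdlib `URI#find_proxy`, the same resolution Net::HTTP performs, to show which URLs would go via the proxy and which would be connected to directly. All addresses and URLs are constructed placeholders in documentation ranges.

```ruby
require 'uri'

# Constructed configuration, not taken from the thread: a client.rb-style
# proxy setup for a node whose only path to the Chef server is a forward
# proxy running on the relay machine.  Placeholder addresses:
# 198.51.100.20 = Chef server, 10.0.0.5 = relay, 10.0.0.7 = in-network mirror.
PROXY_CLIENT_RB = {
  chef_server_url: 'https://198.51.100.20/organizations/example',
  http_proxy:      'http://10.0.0.5:3128',
  https_proxy:     'http://10.0.0.5:3128',
  no_proxy:        'localhost,127.0.0.1,10.0.0.0/8' # in-network traffic stays direct
}.freeze

# The hosts-file-plus-static-route alternative from the thread: no proxy
# settings at all, so the client must reach the server's IP directly
# (i.e. the static route via the relay has to exist for every such host).
STATIC_ROUTE_CLIENT_RB = {
  chef_server_url: 'https://198.51.100.20/organizations/example'
}.freeze

# chef-client exports its proxy settings into the process environment so
# that Net::HTTP picks them up.  Modelled here (assumption) as a plain hash
# in the same shape as ENV, which is what URI#find_proxy consumes.
def proxy_env(config)
  %w[http_proxy https_proxy no_proxy].each_with_object({}) do |key, env|
    value = config[key.to_sym]
    env[key] = value if value
  end
end

# Resolve the proxy Net::HTTP would use for one URL under that environment.
# URI#find_proxy applies the scheme-specific *_proxy variable and then the
# no_proxy list (host suffixes and CIDR ranges).  Returns the proxy URL as a
# string, or nil when the connection would be made directly.
def proxy_for(url, env)
  proxy = URI(url).find_proxy(env)
  proxy && proxy.to_s
end

# Pre-converge check: for every URL a run will contact (the Chef server plus
# any cookbook file hosts), report whether it goes via the proxy or needs a
# direct route from the isolated network.  A 'direct' entry for a host that
# is outside the network means a static route (or a no_proxy fix) is still
# missing.
def route_plan(urls, config)
  env = proxy_env(config)
  urls.map { |url| [url, proxy_for(url, env) || 'direct'] }.to_h
end

if $PROGRAM_NAME == __FILE__
  urls = [
    PROXY_CLIENT_RB[:chef_server_url],
    'http://10.0.0.7/mirror/chef-client.msi',       # constructed in-network mirror
    'https://203.0.113.40/community-cookbook/file'  # constructed external file host
  ]
  puts 'With proxy settings in client.rb:'
  route_plan(urls, PROXY_CLIENT_RB).each { |url, via| puts "  #{url} -> #{via}" }
  puts 'With hosts-file/static-route only:'
  route_plan(urls, STATIC_ROUTE_CLIENT_RB).each { |url, via| puts "  #{url} -> #{via}" }
end
```

Running it shows the Chef server and the external file host going through `http://10.0.0.5:3128` when the proxy keys are set, the in-network mirror staying direct because of the `10.0.0.0/8` entry in `no_proxy`, and every host coming out as `direct` under the static-route-only configuration, which is exactly the set of destinations that would each need their own route through the relay.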