Using Chef offline

Chef Infra (archive)
1

Does anyone know if there is a way to have chef pre-download cookbook
dependencies from remote urls into a “cache”.
I have a lot of computers that have no internet access but would like to
use chef and community cookbooks to manage them. It is a real pain to
manually download the remote files and override the file locations in the
cookbooks. I have looked around but really haven’t found a good way to
manage this, but maybe I missed something. Any suggestions? If there is
currently no capability for this, any suggestions on how I should modify
chef to incorporate this functionality?

Thanks!
Tim

2

Use chef-solo or chef-client local mode. Berkshelf can handle downloading the cookbooks and putting them in a format either of those can use (berks vendor).

--Noah

On May 19, 2015, at 7:18 PM, Tim Leicy tleicy@gmail.com wrote:

Does anyone know if there is a way to have chef pre-download cookbook dependencies from remote urls into a "cache".
I have a lot of computers that have no internet access but would like to use chef and community cookbooks to manage them. It is a real pain to manually download the remote files and override the file locations in the cookbooks. I have looked around but really haven't found a good way to manage this, but maybe I missed something. Any suggestions? If there is currently no capability for this, any suggestions on how I should modify chef to incorporate this functionality?

Thanks!
Tim

3

This works fine for getting the cookbooks and the cookbook dependencies
themselves, such as the recipes, etc but I am looking for a way to get the
files that are specified inside of the cookbooks.
For example in the opscode boost cookbook:

there is a call to get a remote file
remote_file "#{Chef::Config[:file_cache_path]}/#{node['boost']['file']}" do
source node['boost']['source'] + node['boost']['file']
mode "0644"
action :create_if_missing
end

This makes an http request to sourceforge.

I am looking for a way that these remote files can be 'cached' or
downloaded on my internet connected machines so that I can then transfer
the data to my non internet connected machines without having to modify
anything in the cookbooks themselves I don't think that there is anyway for
Berkshelf to do this but I maybe wrong.

On Tue, May 19, 2015 at 7:21 PM, Noah Kantrowitz noah@coderanger.net
wrote:

Use chef-solo or chef-client local mode. Berkshelf can handle downloading
the cookbooks and putting them in a format either of those can use (berks
vendor).

--Noah

On May 19, 2015, at 7:18 PM, Tim Leicy tleicy@gmail.com wrote:

Does anyone know if there is a way to have chef pre-download cookbook
dependencies from remote urls into a "cache".
I have a lot of computers that have no internet access but would like to
use chef and community cookbooks to manage them. It is a real pain to
manually download the remote files and override the file locations in the
cookbooks. I have looked around but really haven't found a good way to
manage this, but maybe I missed something. Any suggestions? If there is
currently no capability for this, any suggestions on how I should modify
chef to incorporate this functionality?

Thanks!
Tim

4

No, that is not something you could do in an automated way. If you change you recipe code to use cookbook_file resources instead then you wouldn't have this issue, but you would have to take care of keeping the file in your cookbook up to date somehow. In general you won't find many community cookbooks designed for this, so you'll probably have to mostly write your own. Not being able to do stuff like install packages makes Chef somewhat less useful, so I wouldn't expect most people to accept patches to this end. A better option is probably a local squid caching proxy or similar that can sit between your offline servers and the internet. Chef supports all the standard HTTP proxy stuffs, so easy to plug in to something like that.

--Noah

On May 19, 2015, at 8:16 PM, Tim Leicy tleicy@gmail.com wrote:

This works fine for getting the cookbooks and the cookbook dependencies themselves, such as the recipes, etc but I am looking for a way to get the files that are specified inside of the cookbooks.
For example in the opscode boost cookbook: https://github.com/opscode-cookbooks/boost/blob/master/recipes/source.rb there is a call to get a remote file
remote_file "#{Chef::Config[:file_cache_path]}/#{node['boost']['file']}" do
source node['boost']['source'] + node['boost']['file']
mode "0644"
action :create_if_missing
end

This makes an http request to sourceforge.

I am looking for a way that these remote files can be 'cached' or downloaded on my internet connected machines so that I can then transfer the data to my non internet connected machines without having to modify anything in the cookbooks themselves I don't think that there is anyway for Berkshelf to do this but I maybe wrong.

On Tue, May 19, 2015 at 7:21 PM, Noah Kantrowitz noah@coderanger.net wrote:
Use chef-solo or chef-client local mode. Berkshelf can handle downloading the cookbooks and putting them in a format either of those can use (berks vendor).

--Noah

On May 19, 2015, at 7:18 PM, Tim Leicy tleicy@gmail.com wrote:

Does anyone know if there is a way to have chef pre-download cookbook dependencies from remote urls into a "cache".
I have a lot of computers that have no internet access but would like to use chef and community cookbooks to manage them. It is a real pain to manually download the remote files and override the file locations in the cookbooks. I have looked around but really haven't found a good way to manage this, but maybe I missed something. Any suggestions? If there is currently no capability for this, any suggestions on how I should modify chef to incorporate this functionality?

Thanks!
Tim

5

since most recipes use packages etc, which internally might invoke network
calls , like apt, yum etc, they will not work.
i use server less bootstrap frequently, in similar manner noah has
explained, use berks to vendorize the cookbooks, then scp it and run
chef-client in localmode. in some cases i also use fpm to make a debian
out of the vendor cookbooks , which significantly reduces the bootstrapping
time.

you should consider either setting up local package repos (like yum, or
debian repo, gem repos etc) and point your nodes to them, or test
individual cookbooks one by one an reduce network dependency, i.e restrict
chef resources to a handful or non-network bound resources .. like
cookbook_file, template, file, service .. etc.

you can use container to ease some of these testing as well. like in ubuntu
you can stand up a lxc container without network (network type empty) and
test your cookbooks.

On Tue, May 19, 2015 at 8:21 PM, Noah Kantrowitz noah@coderanger.net
wrote:

No, that is not something you could do in an automated way. If you change
you recipe code to use cookbook_file resources instead then you wouldn't
have this issue, but you would have to take care of keeping the file in
your cookbook up to date somehow. In general you won't find many community
cookbooks designed for this, so you'll probably have to mostly write your
own. Not being able to do stuff like install packages makes Chef somewhat
less useful, so I wouldn't expect most people to accept patches to this
end. A better option is probably a local squid caching proxy or similar
that can sit between your offline servers and the internet. Chef supports
all the standard HTTP proxy stuffs, so easy to plug in to something like
that.

--Noah

On May 19, 2015, at 8:16 PM, Tim Leicy tleicy@gmail.com wrote:

This works fine for getting the cookbooks and the cookbook dependencies
themselves, such as the recipes, etc but I am looking for a way to get the
files that are specified inside of the cookbooks.
For example in the opscode boost cookbook:
https://github.com/opscode-cookbooks/boost/blob/master/recipes/source.rb
there is a call to get a remote file
remote_file "#{Chef::Config[:file_cache_path]}/#{node['boost']['file']}"
do
source node['boost']['source'] + node['boost']['file']
mode "0644"
action :create_if_missing
end

This makes an http request to sourceforge.

I am looking for a way that these remote files can be 'cached' or
downloaded on my internet connected machines so that I can then transfer
the data to my non internet connected machines without having to modify
anything in the cookbooks themselves I don't think that there is anyway for
Berkshelf to do this but I maybe wrong.

On Tue, May 19, 2015 at 7:21 PM, Noah Kantrowitz noah@coderanger.net
wrote:
Use chef-solo or chef-client local mode. Berkshelf can handle
downloading the cookbooks and putting them in a format either of those can
use (berks vendor).

--Noah

On May 19, 2015, at 7:18 PM, Tim Leicy tleicy@gmail.com wrote:

Does anyone know if there is a way to have chef pre-download cookbook
dependencies from remote urls into a "cache".
I have a lot of computers that have no internet access but would like
to use chef and community cookbooks to manage them. It is a real pain to
manually download the remote files and override the file locations in the
cookbooks. I have looked around but really haven't found a good way to
manage this, but maybe I missed something. Any suggestions? If there is
currently no capability for this, any suggestions on how I should modify
chef to incorporate this functionality?

Thanks!
Tim

6

If you happen to use Vagrant in combination with Chef, you could also have
a look at the vagrant-cachier [1] plugin.

It does a great job of transparently caching all kinds of things for you,
including downloaded files if they are downloaded to
Chef::Config[:file_cache_path]

HTH,
Torben

[1] GitHub - fgrehm/vagrant-cachier: Caffeine reducer
Am 20.05.2015 06:39 schrieb "Ranjib Dey" dey.ranjib@gmail.com:

since most recipes use packages etc, which internally might invoke network
calls , like apt, yum etc, they will not work.
i use server less bootstrap frequently, in similar manner noah has
explained, use berks to vendorize the cookbooks, then scp it and run
chef-client in localmode. in some cases i also use fpm to make a debian
out of the vendor cookbooks , which significantly reduces the bootstrapping
time.

you should consider either setting up local package repos (like yum, or
debian repo, gem repos etc) and point your nodes to them, or test
individual cookbooks one by one an reduce network dependency, i.e restrict
chef resources to a handful or non-network bound resources .. like
cookbook_file, template, file, service .. etc.

you can use container to ease some of these testing as well. like in
ubuntu you can stand up a lxc container without network (network type
empty) and test your cookbooks.

On Tue, May 19, 2015 at 8:21 PM, Noah Kantrowitz noah@coderanger.net
wrote:

No, that is not something you could do in an automated way. If you change
you recipe code to use cookbook_file resources instead then you wouldn't
have this issue, but you would have to take care of keeping the file in
your cookbook up to date somehow. In general you won't find many community
cookbooks designed for this, so you'll probably have to mostly write your
own. Not being able to do stuff like install packages makes Chef somewhat
less useful, so I wouldn't expect most people to accept patches to this
end. A better option is probably a local squid caching proxy or similar
that can sit between your offline servers and the internet. Chef supports
all the standard HTTP proxy stuffs, so easy to plug in to something like
that.

--Noah

On May 19, 2015, at 8:16 PM, Tim Leicy tleicy@gmail.com wrote:

This works fine for getting the cookbooks and the cookbook dependencies
themselves, such as the recipes, etc but I am looking for a way to get the
files that are specified inside of the cookbooks.
For example in the opscode boost cookbook:
https://github.com/opscode-cookbooks/boost/blob/master/recipes/source.rb
there is a call to get a remote file
remote_file
"#{Chef::Config[:file_cache_path]}/#{node['boost']['file']}" do
source node['boost']['source'] + node['boost']['file']
mode "0644"
action :create_if_missing
end

This makes an http request to sourceforge.

I am looking for a way that these remote files can be 'cached' or
downloaded on my internet connected machines so that I can then transfer
the data to my non internet connected machines without having to modify
anything in the cookbooks themselves I don't think that there is anyway for
Berkshelf to do this but I maybe wrong.

On Tue, May 19, 2015 at 7:21 PM, Noah Kantrowitz noah@coderanger.net
wrote:
Use chef-solo or chef-client local mode. Berkshelf can handle
downloading the cookbooks and putting them in a format either of those can
use (berks vendor).

--Noah

On May 19, 2015, at 7:18 PM, Tim Leicy tleicy@gmail.com wrote:

Does anyone know if there is a way to have chef pre-download cookbook
dependencies from remote urls into a "cache".
I have a lot of computers that have no internet access but would like
to use chef and community cookbooks to manage them. It is a real pain to
manually download the remote files and override the file locations in the
cookbooks. I have looked around but really haven't found a good way to
manage this, but maybe I missed something. Any suggestions? If there is
currently no capability for this, any suggestions on how I should modify
chef to incorporate this functionality?

Thanks!
Tim

7

I am trying to do an initial chef-client run on a client (the chef server is named “chef-server”)

My question is, where do I set it so that it goes to “chef-server” instead of local-host.

chef_server_url is wrong below and should be

chef_server_url  "https://chef-server:443”

root@chef-client:~/chef-repo/.chef# chef-client
[2015-05-19T22:08:19-07:00] INFO: Forking chef instance to converge…
Starting Chef Client, version 12.3.0
[2015-05-19T22:08:19-07:00] INFO: *** Chef 12.3.0 ***
[2015-05-19T22:08:19-07:00] INFO: Chef-client pid: 9159
Creating a new client identity for chef-client using the validator key.
[2015-05-19T22:08:23-07:00] INFO: Client key /etc/chef/client.pem is not present - registering
[2015-05-19T22:08:23-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 1/5
[2015-05-19T22:08:28-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 2/5
[2015-05-19T22:08:33-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 3/5
[2015-05-19T22:08:38-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 4/5
[2015-05-19T22:08:43-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 5/5

================================================================================
Chef encountered an error attempting to create the client “chef-client”

Network Error:

There was a network error connecting to the Chef Server:
Connection refused - Connection refused connecting to https://localhost/clients, giving up

Relevant Config Settings:

chef_server_url “https://localhost:443

If your chef_server_url is correct, your network could be down.

[2015-05-19T22:08:48-07:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 0 resources updated in 29.021418726 seconds
[2015-05-19T22:08:48-07:00] ERROR: Connection refused - Connection refused connecting to https://localhost/clients, giving up
[2015-05-19T22:08:48-07:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
root@chef-client:~/chef-repo/.chef#

8

The knife.rb’s have it set correctly, but it doesn’t help.

root@chef-client:~/chef-repo/.chef# grep chef_server_url /root/.chef/knife.rb /root/chef-repo/.chef/knife.rb
/root/.chef/knife.rb:chef_server_url 'https://chef-server:443'
/root/chef-repo/.chef/knife.rb:chef_server_url "https://chef-server/organizations/unixish"
root@chef-client:~/chef-repo/.chef#

On May 19, 2015, at 10:18 PM, Stuart Cracraft smcracraft@me.com wrote:

I am trying to do an initial chef-client run on a client (the chef server is named “chef-server”)

My question is, where do I set it so that it goes to “chef-server” instead of local-host.

chef_server_url is wrong below and should be

chef_server_url "https://chef-server:443

root@chef-client:~/chef-repo/.chef# chef-client
[2015-05-19T22:08:19-07:00] INFO: Forking chef instance to converge...
Starting Chef Client, version 12.3.0
[2015-05-19T22:08:19-07:00] INFO: *** Chef 12.3.0 ***
[2015-05-19T22:08:19-07:00] INFO: Chef-client pid: 9159
Creating a new client identity for chef-client using the validator key.
[2015-05-19T22:08:23-07:00] INFO: Client key /etc/chef/client.pem is not present - registering
[2015-05-19T22:08:23-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 1/5
[2015-05-19T22:08:28-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 2/5
[2015-05-19T22:08:33-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 3/5
[2015-05-19T22:08:38-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 4/5
[2015-05-19T22:08:43-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 5/5

================================================================================
Chef encountered an error attempting to create the client "chef-client"

Network Error:

There was a network error connecting to the Chef Server:
Connection refused - Connection refused connecting to https://localhost/clients, giving up

Relevant Config Settings:

chef_server_url "https://localhost:443"

If your chef_server_url is correct, your network could be down.

[2015-05-19T22:08:48-07:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 0 resources updated in 29.021418726 seconds
[2015-05-19T22:08:48-07:00] ERROR: Connection refused - Connection refused connecting to https://localhost/clients, giving up
[2015-05-19T22:08:48-07:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
root@chef-client:~/chef-repo/.chef#

9

Client config goes in /etc/chef/client.rb by default.

--Noah

On May 19, 2015, at 10:18 PM, Stuart Cracraft smcracraft@me.com wrote:

I am trying to do an initial chef-client run on a client (the chef server is named “chef-server”)

My question is, where do I set it so that it goes to “chef-server” instead of local-host.

chef_server_url is wrong below and should be

chef_server_url "https://chef-server:443

root@chef-client:~/chef-repo/.chef# chef-client
[2015-05-19T22:08:19-07:00] INFO: Forking chef instance to converge...
Starting Chef Client, version 12.3.0
[2015-05-19T22:08:19-07:00] INFO: *** Chef 12.3.0 ***
[2015-05-19T22:08:19-07:00] INFO: Chef-client pid: 9159
Creating a new client identity for chef-client using the validator key.
[2015-05-19T22:08:23-07:00] INFO: Client key /etc/chef/client.pem is not present - registering
[2015-05-19T22:08:23-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 1/5
[2015-05-19T22:08:28-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 2/5
[2015-05-19T22:08:33-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 3/5
[2015-05-19T22:08:38-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 4/5
[2015-05-19T22:08:43-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 5/5

================================================================================
Chef encountered an error attempting to create the client "chef-client"

Network Error:

There was a network error connecting to the Chef Server:
Connection refused - Connection refused connecting to https://localhost/clients, giving up

Relevant Config Settings:

chef_server_url "https://localhost:443"

If your chef_server_url is correct, your network could be down.

[2015-05-19T22:08:48-07:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 0 resources updated in 29.021418726 seconds
[2015-05-19T22:08:48-07:00] ERROR: Connection refused - Connection refused connecting to https://localhost/clients, giving up
[2015-05-19T22:08:48-07:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
root@chef-client:~/chef-repo/.chef#

10

On May 19, 2015, at 10:25 PM, Noah Kantrowitz noah@coderanger.net wrote:

Client config goes in /etc/chef/client.rb by default.

Tried that as well just now:

root@chef-client:~/chef-repo# cat /etc/chef/client.rb
validation_key "/etc/chef/validation.pem"
cache_type 'BasicFile'
log_level :info
log_location STDOUT
chef_server_url "https://chef-server:443"
root@chef-client:~/chef-repo# knife node list
ERROR: Your private key could not be loaded from /etc/chef/client.pem
Check your configuration file and ensure that your private key is readable
root@chef-client:~/chef-repo# chef-client
[2015-05-19T22:47:07-07:00] INFO: Forking chef instance to converge...
Starting Chef Client, version 12.3.0
[2015-05-19T22:47:07-07:00] INFO: *** Chef 12.3.0 ***
[2015-05-19T22:47:07-07:00] INFO: Chef-client pid: 9921
Creating a new client identity for chef-client using the validator key.
[2015-05-19T22:47:09-07:00] INFO: Client key /etc/chef/client.pem is not present - registering
[2015-05-19T22:47:10-07:00] ERROR: SSL Validation failure connecting to host: chef-server - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

================================================================================
Chef encountered an error attempting to create the client "chef-client"

[2015-05-19T22:47:10-07:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 0 resources updated in 2.952521073 seconds
[2015-05-19T22:47:10-07:00] ERROR: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
[2015-05-19T22:47:10-07:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
root@chef-client:~/chef-repo# knife ssl check
Connecting to host chef-server:443
Successfully verified certificates from `chef-server'
root@chef-client:~/chef-repo# knife ssl fetch
WARNING: Certificates from chef-server will be fetched and placed in your trusted_cert
directory (/root/chef-repo/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for chef-server in /root/chef-repo/.chef/trusted_certs/chef-server.crt
root@chef-client:~/chef-repo# chef-client
[2015-05-19T22:47:48-07:00] INFO: Forking chef instance to converge...
Starting Chef Client, version 12.3.0
[2015-05-19T22:47:48-07:00] INFO: *** Chef 12.3.0 ***
[2015-05-19T22:47:48-07:00] INFO: Chef-client pid: 10091
Creating a new client identity for chef-client using the validator key.
[2015-05-19T22:47:50-07:00] INFO: Client key /etc/chef/client.pem is not present - registering
[2015-05-19T22:47:50-07:00] ERROR: SSL Validation failure connecting to host: chef-server - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

================================================================================
Chef encountered an error attempting to create the client "chef-client"

[2015-05-19T22:47:50-07:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 0 resources updated in 2.671493154 seconds
[2015-05-19T22:47:51-07:00] ERROR: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
[2015-05-19T22:47:51-07:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
root@chef-client:~/chef-repo#

On May 19, 2015, at 10:18 PM, Stuart Cracraft smcracraft@me.com wrote:

I am trying to do an initial chef-client run on a client (the chef server is named “chef-server”)

My question is, where do I set it so that it goes to “chef-server” instead of local-host.

chef_server_url is wrong below and should be

chef_server_url "https://chef-server:443

root@chef-client:~/chef-repo/.chef# chef-client
[2015-05-19T22:08:19-07:00] INFO: Forking chef instance to converge...
Starting Chef Client, version 12.3.0
[2015-05-19T22:08:19-07:00] INFO: *** Chef 12.3.0 ***
[2015-05-19T22:08:19-07:00] INFO: Chef-client pid: 9159
Creating a new client identity for chef-client using the validator key.
[2015-05-19T22:08:23-07:00] INFO: Client key /etc/chef/client.pem is not present - registering
[2015-05-19T22:08:23-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 1/5
[2015-05-19T22:08:28-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 2/5
[2015-05-19T22:08:33-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 3/5
[2015-05-19T22:08:38-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 4/5
[2015-05-19T22:08:43-07:00] ERROR: Connection refused connecting to https://localhost/clients, retry 5/5

================================================================================
Chef encountered an error attempting to create the client "chef-client"

Network Error:

There was a network error connecting to the Chef Server:
Connection refused - Connection refused connecting to https://localhost/clients, giving up

Relevant Config Settings:

chef_server_url "https://localhost:443"

If your chef_server_url is correct, your network could be down.

[2015-05-19T22:08:48-07:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 0 resources updated in 29.021418726 seconds
[2015-05-19T22:08:48-07:00] ERROR: Connection refused - Connection refused connecting to https://localhost/clients, giving up
[2015-05-19T22:08:48-07:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
root@chef-client:~/chef-repo/.chef#

11

On May 19, 2015, at 10:49 PM, Stuart Cracraft smcracraft@me.com wrote:

On May 19, 2015, at 10:25 PM, Noah Kantrowitz noah@coderanger.net wrote:

Client config goes in /etc/chef/client.rb by default.

Tried that as well just now:

Knife and chef-client use entirely different configs. You can copy the server cert to /etc/chef/trusted_certs/ manually or use knife bootstrap from your workstation if you want to follow the normal workflow.

--Noah

12

I often work on my laptop while disconnected from the internet. I use “wget -X” to mirror files while I do have access. For example:

wget -X http://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-12.3.0-1.el6.x86_64.rpm

This creates the directory structure:

+- opscode-omnibus-packages.s3.amazonaws.com
+- el
+- 6
+- x86_64
+- chef-12.3.0-1.el6.x86_64.rpm

Apache on my laptop has the following configuration:

Listen 1080

<VirtualHost *:1080>
DocumentRoot "/var/mirror"

<Directory "/var/mirror">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all

RewriteEngine on
RewriteCond /var/mirror/%{HTTP_HOST} -d
RewriteRule .* /%{HTTP_HOST}%{REQUEST_FILENAME} [L]

RewriteRule .* - [R=502,L]

On my vagrant boxes, in /etc/chef/client.rb I set:

http_proxy 'http://10.0.2.2:1080'

When chef runs, all “external” http requests are routed to and serviced by apache running on my laptop.

When the request for http://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-12.3.0-1.el6.x86_64.rpm comes in, apache will check for the existence of /var/mirror/opscode-omnibus-packages.s3.amazonaws.com If that does not exist, a 502 (Bad Gateway) is returned. Otherwise apache will try to serve /var/mirror/opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-12.3.0-1.el6.x86_64.rpm If that path does not exist, a 404 is returned. For my own benefit, I like to differentiate between a host I have not mirrored (502) and a path that has not been mirrored (404).

As long as the requests are http, this scheme works nicely. For https endpoints, I mirror them with wget as well but I use chef-rewind to change the protocol to http.

I’ve just this method for RPMs, jenkins plugins, gems, and github release tar balls.

This method should work within an isolated environment as well.

Joe

On May 19, 2015, at 7:18 PM, Tim Leicy tleicy@gmail.com wrote:

Does anyone know if there is a way to have chef pre-download cookbook dependencies from remote urls into a "cache".
I have a lot of computers that have no internet access but would like to use chef and community cookbooks to manage them. It is a real pain to manually download the remote files and override the file locations in the cookbooks. I have looked around but really haven't found a good way to manage this, but maybe I missed something. Any suggestions? If there is currently no capability for this, any suggestions on how I should modify chef to incorporate this functionality?

Thanks!
Tim