Validatorless + Unattended = not supported?

skohrs · November 4, 2016, 4:10pm

Is it possible to use a USER.PEM when performing an unattended install?

From https://docs.chef.io/install_bootstrap.html:

Starting with chef-client version 12.1, it is possible to bootstrap a
node using the USER.pem file instead of the ORGANIZATION-validator.pem
file. This is known as a “validatorless bootstrap”.

Within the Chef Server UI, the build_user has been added to a group which can create nodes.

$ cat client.rb
node_name "chef-test-node"
chef_server_url "https://chef.example.com/organizations/esm"
validation_client_name "build_user"
validation_key "/home/build_user/.chef/build_user.pem"
ssl_ca_file "/etc/pki/tls/certs/ca-bundle.crt"
log_level :warn
cache_path "/home/build_user/.chef"
client_key "/home/build_user/.chef/client.pem"

I receive 403 "Forbidden" errors with the USER.PEM.

$ /bin/chef-client -c /home/build_user/.chef/client.rb
Starting Chef Client, version 12.14.89
Creating a new client identity for chef-test-node using the validator key.

================================================================================
Chef encountered an error attempting to create the client "chef-test-node"
================================================================================

Authorization Error:
--------------------
Your validation client is not authorized to create the client for this node (HTTP 403).

Possible Causes:
----------------
* There may already be a client named "chef-test-node"
* Your validation client (build_user) may have misconfigured authorization permissions.

Platform:
---------
x86_64-linux


Running handlers:
[2016-11-04T15:45:03+00:00] ERROR: Running exception handlers
Running handlers complete
[2016-11-04T15:45:03+00:00] ERROR: Exception handlers complete
Chef Client failed. 0 resources updated in 02 seconds
[2016-11-04T15:45:03+00:00] FATAL: Stacktrace dumped to /home/build_user/.chef/cache/chef-stacktrace.out
[2016-11-04T15:45:03+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-11-04T15:45:03+00:00] ERROR: 403 "Forbidden"
[2016-11-04T15:45:03+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

kallistec · November 4, 2016, 5:54pm

You should use the validator for unattended installs, it is designed exactly for this use case and has the bare minimum of permissions needed to bootstrap a node. If you’re having issues with multiple people sharing the validator key and reseting it, you can either come up with a meatspace solution for that, or use the multi-key functionality (knife client key create and etc.) to have multiple keys for the same validator.

The validatorless bootstrap is designed for a human using knife to bootstrap nodes via the cloud plugins or whatever. The default permissions require the account to be an admin on the given org. It’s best to avoid baking an admin key into your images.

skohrs · November 4, 2016, 6:20pm

Thank you for the clarification.

Topic		Replies	Views
Chef-client manual install Chef Infra (archive)	2	847	March 7, 2019
Unattended Client Install Chef Infra (archive)	0	449	February 29, 2016
Unattended Windows bootstrap, SSL issue Chef Infra (archive)	2	1363	March 25, 2016
Installing client on Windows without bootstrapping Chef Infra (archive)	2	692	October 17, 2016
401 error while doing validatorless bootstrap Chef Infra (archive)	1	770	January 9, 2018

Validatorless + Unattended = not supported?

Related topics