Chef and OpenStack Part 2A – Install a Chef (Version 11) Server, Workstation and Client

Whereas the last post introduced Chef and its key concepts, this post talks about how to install it. After all, perhaps the best way to learn a technology is to use it. So let’s take a look at how to install a Chef Server, Workstation and Clients. This guide also includes instructions on how to install the “knife-openstack” plugin. Note, this guide is for Chef version 11. See the post “Install a (Version 12) Chef Server, Workstation and Client” for a guide on installing Chef version 12.

Install a Chef Server

The Chef Server is central to communication among all components and is the first component to install. First, deploy an Ubuntu 12.04 instance using an OpenStack command line or graphical interface. The following example names the instance “chef”.

– Deploy an instance of Ubuntu 12.04 – see appendix 1 below if you need to create an Ubuntu 12.04 cloud image

nova boot --image <image> --flavor n1.small --key-name <key name> --security-groups default chef

Warning – the FQDN (fully qualified domain name) of the Chef server should not exceed 64 characters when using OpenSSL. To check the length of the FQDN, run the following command and make sure the result is less than 64.

hostname -f | wc -c

Once the instance is deployed, log in to it (e.g. via ssh) and run through the following sequence to install the Chef Server.

– update packages

sudo apt-get update

– download the installation package

wget https://opscode-omnibus-packages.s3.amazonaws.com/ubuntu/12.04/x86_64/chef-server_11.1.3-1_amd64.deb

– install the installation package

sudo dpkg -i chef-server*

– configure the Chef Server

sudo chef-server-ctl reconfigure

– test the Chef Server to make sure it’s running correctly

sudo chef-server-ctl test

After the configuration of the Chef Server, you can access the web interface with the URL https://{your_server_domain_or_IP}. Because the SSL certificate is signed by an authority not recognized by your browser, you will get a warning. Click on the “Proceed anyway” button. Ensure port 443 is open in the security group associated with the server.

Chef Server Login

The default login credentials are admin / p@ssw0rd1. Log in and change the password.

Install a Chef Workstation

The Chef Workstation is used to create and edit the recipes, cookbooks and policies that manage the infrastructure environments. Note that the Chef Workstation keeps a copy of the Chef repo and uploads its contents to the Chef Server. We will need to deploy another Ubuntu 12.04 instance for the workstation. The following example names the instance “chefw”.

– Deploy an instance of Ubuntu 12.04

nova boot --image <image> --flavor n1.small --key-name <key name> --security-groups default chefw

Once the instance is deployed, log in to it (e.g. via ssh) and run through the following sequence to install the Chef Workstation.

– update packages

sudo apt-get update

– install the git package

sudo apt-get install git

– Download and run the client installation script from the Chef website.

curl -L https://www.opscode.com/chef/install.sh | sudo bash

The Chef package is now installed. The next step is to clone the chef-repo skeleton directory.

– clone the “chef-repo” directory structure into the home directory

cd ~
git clone https://github.com/opscode/chef-repo.git

The previous commands create a directory called chef-repo in the home directory. Next, we need two private keys for authentication, one for a chef “validator” and one for the chef admin. Create a configuration directory to save authentication and configuration files.

mkdir ~/chef-repo/.chef

Now, let’s get the chef validator key using the GUI. Log in to the GUI using the admin user credentials. Click on the “Clients” tab in the top navigation bar. Then click the “Edit” button for the “chef-validator” client. Regenerate the private key by selecting that box and clicking “Save Client”.

Chef Validator

On the next screen, copy the private key (in the bottom field) and paste it into a file called “chef-validator.pem”.

– create chef-validator.pem

cd ~/chef-repo/.chef
vi chef-validator.pem

Paste in the private key. Make sure there are no extra blank lines above or below the key.

Example of chef-validator.pem.

-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA5rKL/0yWBfmiUEz7o/g2tHW2YCD7ePvD337SCw6XWqB4mLdT
...
...
...
hq2E25SxV/cf5SaQNRLshmGl8RR3/sodLm+7c5kIk629tKWe/phCswY=
-----END RSA PRIVATE KEY-----

Repeat the same process to regenerate and save the admin key. This time, the key is for a user, so click on the “Users” tab at the top of the GUI.

Again, click on the “Edit” button associated with the admin user, check the “Regenerate Private Key” box and click the “Save User” button.

Copy the private key again and save it in “admin.pem”.

– create admin.pem

cd ~/chef-repo/.chef
vi admin.pem

Paste in the private key. Make sure there are no extra blank lines above or below the key.

Example of admin.pem

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAozMynOZ70Ab2NPsljtdXrs1w/fo4GJiAB5eOatWOiMs31KNe
...
...
...
A5gsAH3p+3YUBAPosaQhws6yM2kIwz56R5xfFY9vFlI4nw3Qt9OCXg==
-----END RSA PRIVATE KEY-----
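
The paste step for chef-validator.pem and admin.pem can be checked before knife is pointed at the files. The script below is an added example, not part of the original post; it assumes the RSA header and footer shown above, and the function names and the sample key body are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check a key pasted from the
# Chef web UI before knife uses it.
# Usage: ./check_pem.sh ~/chef-repo/.chef/chef-validator.pem ~/chef-repo/.chef/admin.pem

# Assumption: the keys carry the RSA markers shown in the examples above.
BEGIN_MARK='-----BEGIN RSA PRIVATE KEY-----'
END_MARK='-----END RSA PRIVATE KEY-----'

# check_pem FILE: print each problem found; return 0 if clean, 1 otherwise.
check_pem() {
    local f="$1" rc=0 perms
    [ -f "$f" ] || { echo "$f: not found"; return 1; }

    # The markers must be the very first and the very last line.
    if [ "$(head -n 1 "$f")" != "$BEGIN_MARK" ]; then
        echo "$f: first line is not the BEGIN marker"; rc=1
    fi
    if [ "$(tail -n 1 "$f")" != "$END_MARK" ]; then
        echo "$f: last line is not the END marker"; rc=1
    fi
    # Blank lines, indentation, trailing spaces or CRs left behind by the paste.
    if grep -qE '^$|^[[:space:]]|[[:space:]]$' "$f"; then
        echo "$f: blank line or stray whitespace"; rc=1
    fi
    # Group/other permission bits (columns 5-10 of ls -l) must all be off.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f: accessible beyond the owner, run: chmod 600 $f"; rc=1
    fi
    return "$rc"
}

# write_sample FILE LEADING: write a constructed placeholder key (not real key
# material); LEADING is prepended to the first line to simulate a bad paste.
write_sample() {
    printf '%s%s\n%s\n%s\n' "$2" "$BEGIN_MARK" 'Q09OU1RSVUNURUQgU0FNUExF' "$END_MARK" > "$1"
}

if [ "$#" -gt 0 ]; then
    status=0
    for key in "$@"; do check_pem "$key" || status=1; done
    exit "$status"
fi
```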

Configure Knife

The next step is to configure the knife command. Use knife to manage recipes and cookbooks, provision resources and more. To configure knife, run the following command and respond to the questions. Here is an example.

– command to start knife configuration

ubuntu@chefw:~$ knife configure --initial

In this example, the config file location is changed from the default setting to ~/chef-repo/.chef/knife.rb.

WARNING: No knife configuration file found
Where should I put the config file? [/home/ubuntu/.chef/knife.rb] /home/ubuntu/chef-repo/.chef/knife.rb

Next, type the domain name or IP address used to access the Chef Server. This should begin with https:// and end with :443. The domain name used below is just an example.

Please enter the chef server URL: [https://chefw.compute.nebula.com:443] https://.nebula.com:443

The following question asks for the name of a new user, which in this example is “jgeorges”.

Please enter a name for the new user: [ubuntu] jgeorges

The configuration tool then asks for the admin name and key.

Please enter the existing admin name: [admin] admin
Please enter the location of the existing admin's private key: [/etc/chef-server/admin.pem] /home/ubuntu/chef-repo/.chef/admin.pem

A similar set of questions is asked about the validator.

Please enter the validation clientname: [chef-validator]
Please enter the location of the validation key: [/etc/chef-server/chef-validator.pem] /home/ubuntu/chef-repo/.chef/chef-validator.pem

Next, it asks for the path of the repository, which we had set earlier.

Please enter the path to a chef repository (or leave blank): /home/ubuntu/chef-repo

Finally, it asks for a password for the new user. Pick a password.

Creating initial API user...
Please enter a password for the new user:
Created user[jgeorges]
Configuration file written to /home/ubuntu/chef-repo/.chef/knife.rb

This completes the knife configuration.

You can now use the knife commands. For example, type “knife user list” from the chef-repo directory.

ubuntu@chefw:~/chef-repo$ knife user list

Install the Knife OpenStack Plugin

With OpenStack, an optional plugin that one may want to use is knife-openstack. Knife-openstack is an official plugin for OpenStack that gives knife the ability to create, bootstrap and manage OpenStack instances. Note that knife-openstack is not a requirement with OpenStack. One can manage OpenStack resources using a combination of knife and OpenStack commands.

To install the OpenStack plugin using RubyGems, run the following command. Note, “/opt/chef/embedded/bin” is the path to the location where the chef-client expects plugins to be located.

sudo /opt/chef/embedded/bin/gem install knife-openstack

Next, configure ~/chef-repo/.chef/knife.rb and add the OpenStack access credentials. For example:

Example knife.rb with additions for the OpenStack plugin

log_level               :info
log_location             STDOUT
node_name               'jgeorges'
client_key              '/home/ubuntu/chef-repo/.chef/jgeorges.pem'
validation_client_name   'chef-validator'
validation_key           '/home/ubuntu/chef-repo/.chef/chef-validator.pem'
chef_server_url         'https://ip-xx-yyy-zz-aaa.nebula.com:443'
syntax_check_cache_path '/home/ubuntu/chef-repo/.chef/syntax_check_cache'
cookbook_path [ '/home/ubuntu/chef-repo/cookbooks' ]

### Knife-OpenStack Access Credentials
knife[:openstack_username] = "admin"
knife[:openstack_password] = "openstackPassword"
knife[:openstack_tenant] = "projectName"
knife[:openstack_auth_url] = "https://nebula_auth_ip:8770/v2.0/tokens"

Note – When I tried knife-openstack, I learned that it requires an IP address as input and does not dynamically assign an IP address. When attempting to create an instance using knife-openstack, I saw an error message “ERROR: No IP address available for bootstrapping.” It looks like this may be fixed – see https://tickets.opscode.com/browse/KNIFE-231.

Bootstrapping a Client Node using Knife

Bootstrapping is a process that installs the Chef-client on a target system so that it can communicate with a Chef server. Bootstrapping a node requires three pieces of information: (1) IP address or domain name, (2) username – accessible through SSH and with sudo privileges and (3) password.

First, deploy an instance that will be bootstrapped. In this example, we deploy another instance of the Ubuntu 12.04 cloud image.

– Deploy an instance

nova boot --image <image> --flavor n1.small --key-name <key name> --security-groups default myinstance

Once the instance is deployed, check the IP address and run the following command from the Chef Workstation to bootstrap the new instance.

– bootstrap the new instance, in this case, “ubuntu” is the user

ubuntu@chefw:~/chef-repo$ knife bootstrap  -x ubuntu -i ~/.ssh/<ssh key> myinstance --sudo

When the bootstrap process completes, you will see a message like this:

10.130.52.61 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
10.130.52.61
10.130.52.61 Starting Chef Client, version 11.14.2
10.130.52.61 Creating a new client identity for chef_bootstrap using the validator key.
10.130.52.61 resolving cookbooks for run list: []
10.130.52.61 Synchronizing Cookbooks:
10.130.52.61 Compiling Cookbooks...
10.130.52.61 [2014-08-06T00:38:26+00:00] WARN: Node chef_bootstrap has an empty run list.
10.130.52.61 Converging 0 resources
10.130.52.61
10.130.52.61 Running handlers:
10.130.52.61 Running handlers complete
10.130.52.61 Chef Client finished, 0/0 resources updated in 3.009985596 seconds

Now the chef-client is installed on the new instance and it can receive instructions from the Chef Server.

Appendix 1 – Create an Ubuntu 12.04 cloud image

– Download an Ubuntu 12.04 cloud image

wget https://cloud-images.ubuntu.com/precise/20140805/precise-server-cloudimg-amd64-disk1.img

– Add the Ubuntu 12.04 cloud image to the OpenStack image library

glance image-create --name "Ubuntu 12.04 Cloud Image" --container-format bare --disk-format qcow2 --file precise-server-cloudimg-amd64-disk1.img

Posts in this Blog Series

1. CHEF AND OPENSTACK PART 1 – KEY CONCEPTS

2. CHEF AND OPENSTACK PART 2A – INSTALL A (Version 11) CHEF SERVER, WORKSTATION AND CLIENT

3. CHEF AND OPENSTACK PART 3 – CREATE A COOKBOOK

4. CHEF AND OPENSTACK PART 2B – INSTALL A (Version 12) CHEF SERVER, WORKSTATION AND CLIENT
