Chef and Openstack Part 2B – Install a Chef (Version 12) Server, Workstation and Client

Things change, and technology changes fast. Here is an updated installation guide for Chef version 12. There are two notable differences in this post compared to the previous guide for Chef version 11, “Install a Chef (Version 11) Server, Workstation and Client”. First, this installation is done entirely from the command line, whereas the previous post used the user interface. Second, version 12 defaults to using authentication keys to communicate between a Chef Workstation and a Chef Server. There are also a number of other changes, such as the new Chef Development Kit. Note that this guide uses Enterprise Linux 6.5 instead of Ubuntu 12.04. This guide also provides instructions on how to set up Chef when the environment is behind an HTTP proxy.

Install a Chef Server

Begin by deploying an instance of Enterprise Linux. There are a number of ways to do this depending on the specific cloud one is using. For example, one could use the OpenStack compute command-line interface. The earlier post, “Chef and OpenStack Part 2A – Install a Chef Server, Workstation and Client”, shows the “nova boot” command to deploy an instance. Once the instance is deployed, log in to it (e.g. via ssh) and run through the following sequence to install the Chef Server.

– IF using an environment behind a proxy, set up the variables required to use a proxy server to fetch URLs and use commands like wget and yum.

export http_proxy=http://myproxy.domain.com:80

– Download the installation package

wget http://web-dl.packagecloud.io/chef/stable/packages/el/6/chef-server-core-12.0.8-1.el6.x86_64.rpm -O chefserver.rpm

– Install the installation package

sudo rpm -Uhv chefserver.rpm

– Configure the Chef Server

sudo chef-server-ctl reconfigure

– Test the Chef Server to make sure it’s running correctly

sudo chef-server-ctl test

– Create a user. This is the username that will have access to make changes to the organization that will be created. Here is the syntax of the command.

chef-server-ctl user-create USERNAME FIRST_NAME LAST_NAME EMAIL PASSWORD -f PRIVATE_KEY

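The command in this example creates a user named “admin” with first name “admin”, last name “admin”, e-mail “admin@mycloud.com”, password “mypassword”, and a private key written to “/home/opc/admin.pem”. Note that, for this example, “opc” is the user name associated with the cloud instance. Because the password is passed as a command-line argument, it is also recorded in the shell history of the account that runs the command.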

sudo chef-server-ctl user-create admin admin admin admin@mycloud.com mypassword -f /home/opc/admin.pem

– Create an organization. We can create an organization after creating a user. Here is the syntax for the command.

chef-server-ctl org-create SHORTNAME LONGNAME --association_user USERNAME -f PRIVATE_KEY

– In this example, the short name is “nebula”, the long name is “nebula_cloud”, the organization’s administrative user is “admin”, and the private key file is “/home/opc/nebula.pem”.

sudo chef-server-ctl org-create nebula nebula_cloud --association_user admin --filename /home/opc/nebula.pem

Install a Chef Workstation – Chef, Knife, GIT, Ruby

– Deploy another instance of Enterprise Linux 6.5. For help, refer to “Chef and OpenStack Part 2A – Install a Chef Server, Workstation and Client”, which shows the “nova boot” command to deploy an instance. Once the instance is deployed, log in to it (e.g. via ssh) and run through the following sequence to install the Chef Workstation.

– Update the package index

sudo yum update

– IF using an environment behind a proxy, set up the variables required to use a proxy server to fetch URLs and use commands like wget and yum.

export http_proxy=http://myproxy.domain.com:80

– Download the Chef Development Kit. The Chef Development Kit is new with version 12 and includes both the knife command-line-interface (CLI) and a new “chef” CLI.

wget http://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chefdk-0.6.0-1.el6.x86_64.rpm

– Install the Chef Development Kit

sudo rpm -Uhv chefdk-0.6.0-1.el6.x86_64.rpm

– Verify the installation using the new “chef” command-line-interface

chef verify

– Change the default version of Ruby to the one installed with ChefDK

echo 'eval "$(chef shell-init bash)"' >> ~/.bash_profile
. ~/.bash_profile

– Verify the Ruby installation is correct

which ruby

– That should return the following:

/opt/chefdk/embedded/bin/ruby

Note: Skip the above steps if you want to manage Ruby versions independently.

– Install GIT. See https://help.github.com/articles/set-up-git/ for additional information.

sudo yum install git

– To set up the workstation for new commits, set the name and e-mail to tag commits that are made.

git config --global user.name "Your Name"
git config --global user.email "username@domain.com"

– IF a firewall blocks the git protocol (port 9418), issue the following command to rewrite git:// URLs to https://

git config --global url."https://".insteadOf git://

– Setup the Chef repo

git clone git://github.com/chef/chef-repo.git

– Tell git to ignore the ~/chef-repo/.chef directory, which will hold the private keys and the knife configuration, so that they are never committed.

echo ".chef" >> ~/chef-repo/.gitignore

– Download Authentication Keys. Version 12 introduces authentication keys to secure communications between the workstation and Chef Server. In this example, the keys that were set up when creating the Chef Server must be copied over to the Chef Workstation. The following steps provide sample syntax for downloading the authentication keys. In this example, “opc” is the user name used to log in to the Chef Server Linux instance. The two authentication keys that had been created are “admin.pem” and “nebula.pem”.

mkdir -p ~/chef-repo/.chef
scp opc@<chefserver name or IP>:/home/opc/admin.pem ~/chef-repo/.chef/
scp opc@<chefserver name or IP>:/home/opc/nebula.pem ~/chef-repo/.chef/

– Configure the Knife CLI. The authentication key files are required as input to the configuration file for knife. Create the knife configuration file.

vi ~/chef-repo/.chef/knife.rb

Here is a template.

current_dir = File.dirname(__FILE__)
log_level                :info
log_location             STDOUT
node_name                "node_name"
client_key               "#{current_dir}/USER.pem"
validation_client_name   "chef-validator"
validation_key           "#{current_dir}/ORGANIZATION-validator.pem"
chef_server_url          "https://api.chef.io/organizations/ORG_NAME"
cache_type               'BasicFile'
cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
cookbook_path            ["#{current_dir}/../cookbooks"]

– Here is a completed example.

current_dir = File.dirname(__FILE__)
log_level                :info
log_location             STDOUT
node_name                "admin"
client_key               "#{current_dir}/admin.pem"
validation_client_name   "nebula-validator"
validation_key           "#{current_dir}/nebula.pem"
chef_server_url          "https://<chef server name or IP>/organizations/nebula"
cache_type               'BasicFile'
cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
cookbook_path            ["#{current_dir}/../cookbooks"]

– Now try the Knife CLI tool.

cd ~/chef-repo
knife client list

Expect the command to fail with the following error:

ERROR: SSL Validation failure connecting to host: server_domain_or_IP - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use `knife ssl fetch` to make knife trust the server's certificates.
Original Exception: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

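– The error occurs because Chef version 12 requires that the workstation has the Chef Server’s SSL certificate. Get the SSL certificate using the following command, which should add the Chef Server’s certificate file to ~/chef-repo/.chef. Note that knife ssl fetch trusts whatever certificate the server presents at that moment, so confirm that the fetched file matches the certificate on the Chef Server before relying on it.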

knife ssl fetch

– IF the http_proxy environment variable was set before, unset it.

unset http_proxy

– Now test the knife CLI again using the command

knife client list

– That’s it. Now one can bootstrap a client node using knife. See Chef and OpenStack Part 2A – Install a Chef Server, Workstation and Client for information on how to bootstrap a client node.
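The checks below are an added example, not part of the original post: a POSIX shell audit of the workstation built above that flags private keys under ~/chef-repo/.chef with a mode other than 0600 or 0400, confirms .chef is listed in .gitignore, and compares the certificate saved by knife ssl fetch with a fingerprint computed on the Chef Server. The function names, the trusted_certs subdirectory and the server-side certificate path /var/opt/opscode/nginx/ca/<server name>.crt are assumptions to adjust for your installation.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.

# SHA-256 over the DER bytes of a single-certificate PEM file: the digest
# `openssl x509 -noout -fingerprint -sha256` reports (there as hex with colons).
pem_fingerprint() {
    sed -e '/^-----/d' "$1" | tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# List *.pem private keys whose mode is anything other than 0600 or 0400.
loose_keys() {
    find "$1" -type f -name '*.pem' ! -perm 600 ! -perm 400
}

# Succeed only if the repo's .gitignore has a line excluding .chef.
chef_dir_ignored() {
    grep -Eq '^/?\.chef/?$' "$1/.gitignore" 2>/dev/null
}

# audit_workstation REPO EXPECTED_FP
# EXPECTED_FP: output of pem_fingerprint run on the Chef Server against its
# own certificate (assumed path: /var/opt/opscode/nginx/ca/<server name>.crt),
# carried over a channel you already trust, such as the ssh session.
# Assumes knife ssl fetch saved certificates in REPO/.chef/trusted_certs.
audit_workstation() {
    repo=$1 expected=$2 rc=0 found=0
    keys=$(loose_keys "$repo/.chef")
    if [ -n "$keys" ]; then
        echo "FAIL: private keys with loose permissions:"; echo "$keys"; rc=1
    fi
    chef_dir_ignored "$repo" || { echo "FAIL: .chef is not in .gitignore"; rc=1; }
    for crt in "$repo"/.chef/trusted_certs/*.crt; do
        [ -f "$crt" ] || continue
        found=1
        fp=$(pem_fingerprint "$crt")
        [ "$fp" = "$expected" ] || { echo "FAIL: $crt has fingerprint $fp"; rc=1; }
    done
    [ "$found" -eq 1 ] || { echo "FAIL: no fetched certificate found"; rc=1; }
    return "$rc"
}

# Run the audit when invoked as: sh audit.sh ~/chef-repo <expected fingerprint>
if [ "$#" -eq 2 ]; then
    audit_workstation "$1" "$2" && echo "OK: keys, .gitignore and certificate check out"
fi
```

A flagged key is corrected with chmod 600. A fingerprint mismatch means the file in trusted_certs did not come from the Chef Server you installed and should be removed before knife is used.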

Posts in this Blog Series

1. CHEF AND OPENSTACK PART 1 – KEY CONCEPTS

2. CHEF AND OPENSTACK PART 2A – INSTALL A (Version 11) CHEF SERVER, WORKSTATION AND CLIENT

3. CHEF AND OPENSTACK PART 3 – CREATE A COOKBOOK

4. CHEF AND OPENSTACK PART 2B – INSTALL A (Version 12) CHEF SERVER, WORKSTATION AND CLIENT
