Skip to main content

Standalone Chef Server / Workstation / Client Setup on CentOS 6

The standalone installation of Chef server creates a working installation on a single server. This installation is also useful when you are installing Chef server in a virtual machine, for proof-of-concept deployments, or as a part of a development or testing loop.

Before we start.

In our environment we will be creating the below nodes.
192.168.30.132  chefserver.ahmed.com    
192.168.30.142  chefworkstation.ahmed.com    
192.168.30.141  chefnode.ahmed.com 
Setup the /etc/hosts file on all the nodes.
127.0.0.1   localhost
192.168.30.132  chefserver.ahmed.com    chefserver
192.168.30.142  chefworkstation.ahmed.com    chefworkstation
192.168.30.141  chefnode.ahmed.com    chefnode
Install crontabs (if not already installed)
yum install crontabs
Flush all the iptables rules and save them on all Nodes.
iptables -F
service iptables save
Command output.
[root@chefnode Downloads]# iptables -F
[root@chefnode Downloads]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@chefnode Downloads]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@chefnode Downloads]#
Set selinux to Permissive mode on all nodes.
setenforce Permissive
getenforce
Command output.
[root@chefnode Downloads]# setenforce Permissive
[root@chefnode Downloads]# getenforce
Permissive
[root@chefnode Downloads]#
Download the package from http://downloads.chef.io/chef-server/.
[root@chefnode Downloads]# ls -l
total 656944
-rwxr--r--. 1 root root  52338858 Jun  8 01:45 chef-12.10.24-1.el6.x86_64.rpm
-rwxr--r--. 1 root root 142488123 Jun  8 01:45 chefdk-0.14.25-1.el6.x86_64.rpm
-rwxr--r--. 1 root root 477870942 Jun  8 01:45 chef-server-core-12.6.0-1.el6.x86_64.rpm
[root@chefnode Downloads]#

Creating chef-server.

Install the package as below.
rpm -ivh chef-server-core-12.6.0-1.el6.x86_64.rpm
First thing we need to do is to reconfigure the server.
chef-server-ctl reconfigure

NOTE : If you get the below error.
Problem
[2015-09-23T16:46:46+00:00] ERROR: Exception handlers complete
  Chef Client failed. 1 resources updated in 10.379691033 seconds
[2015-09-23T16:46:46+00:00] FATAL: Stacktrace dumped to /opt/opscode/embedded/cookbooks/cache/chef-stacktrace.out
[2015-09-23T16:46:47+00:00] FATAL: Chef::Exceptions::ValidationFailed: common_name is required
Solution
  • Make sure you have the hostname in the /etc/hosts, hostname should resolve to an IP address does not matter if it is loopback as well.
  • Change the hostname, sudo hostname chefserver, here chefserver is the new hostname.
  • Also change the hostname in the file /etc/sysconfig/network so that the name persists after a restart. Change HOSTNAME=chefserver in the file.
  • Added the host name sudo echo "127.0.0.1 localhost chefserver" >> /etc/hosts.
Problem
[2016-02-10T22:09:53+00:00] FATAL:

-----------------------------------------------------------------------
BOOT007: The secrets file (/etc/opscode/private-chef-secrets.json) is present
         but the file /etc/opscode/pivotal.pem is missing.

         Ensure that private-chef-secrets.json is copied into /etc/opscode from the
         first Chef Server node that you brought online, then run
         'chef-server-ctl reconfigure' again.
-----------------------------------------------------------------------
Solution
  • Rename /etc/opscode/private-chef-secrets.json to /etc/opscode/private-chef-secrets.json.org and try if the problem still persists then try the next option.
---OR---(if the above solution does not work)---
  • For /etc/opscode/pivotal.pem is missing error.
Use below command.
cp /opt/opscode/embedded/service/omnibus-ctl/spec/fixtures/pivotal.pem /etc/opscode/

Create a user for the server.
chef-server-ctl user-create USER_NAME FIRST_NAME LAST_NAME EMAIL 'PASSWORD' --filename PATH_TO_FILE_NAME
Command.
chef-server-ctl user-create ahmed Zubair AHMED zubayr.a@gmail.com 'ahmed@123' --filename /etc/chef/ahmed.pem 
Create an organization.
chef-server-ctl org-create short_name 'full_organization_name' --association_user user_name --filename ORGANIZATION-validator.pem 
Command.
chef-server-ctl org-create ahmedinc 'Ahmed, Inc.' --association_user ahmed --filename /etc/chef/ahmed-validator.pem
Setting up and installing chef-manage.
chef-server-ctl install chef-manage
chef-server-ctl reconfigure
chef-manage-ctl reconfigure
Check server status using below command.
chef-server-ctl status
we see all the services running fine.
[root@chefserver Downloads]# chef-server-ctl status
run: bookshelf: (pid 6081) 4002s; run: log: (pid 6121) 4001s
run: nginx: (pid 8725) 2724s; run: log: (pid 6245) 3995s
run: oc_bifrost: (pid 5924) 4008s; run: log: (pid 5959) 4008s
run: oc_id: (pid 5976) 4006s; run: log: (pid 5984) 4006s
run: opscode-erchef: (pid 6192) 3999s; run: log: (pid 6160) 4001s
run: opscode-expander: (pid 6046) 4002s; run: log: (pid 6064) 4002s
run: opscode-solr4: (pid 6007) 4004s; run: log: (pid 6036) 4003s
run: postgresql: (pid 5901) 4009s; run: log: (pid 5914) 4009s
run: rabbitmq: (pid 5814) 4010s; run: log: (pid 5807) 4010s
run: redis_lb: (pid 8133) 2805s; run: log: (pid 6241) 3996s
[root@chefserver Downloads]#
Now we can go the the browser and check our installation.
NOTE : if you see an certificate error, then added the server to the exceptions, this is as we are using https and we dont have a valid certificate.
https://chefserver.ahmed.com/
Login on to the server.
login to the server
Nodes on the server - First Screen.
Nodes on the server
Current configured users.
Users on the server
Next we will setup the workstation node.

Installing chefdk on workstation node.

More information here

Install chefdk-0.14.25-1.el6.x86_64.rpm on the node.

[root@chefworkstation Downloads]# rpm -ivh chefdk-0.14.25-1.el6.x86_64.rpm
warning: chefdk-0.14.25-1.el6.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID
Preparing...                ########################################### [100%]
   1:chefdk                 ########################################### [100% ]
Thank you for installing Chef Development Kit!
Check for selinux.
[root@chefworkstation Downloads]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Set selinux to Permissive .
[root@chefworkstation Downloads]# setenforce Permissive
[root@chefworkstation Downloads]# getenforce
Permissive
Check installation using chef verify.
[root@chefworkstation chefdk]# chef verify
Running verification for component 'berkshelf'
Running verification for component 'test-kitchen'
Running verification for component 'tk-policyfile-provisioner'
Running verification for component 'chef-client'
Running verification for component 'chef-dk'
Running verification for component 'chef-provisioning'
Running verification for component 'chefspec'
Running verification for component 'generated-cookbooks-pass-chefspec'
Running verification for component 'rubocop'
Running verification for component 'fauxhai'
Running verification for component 'knife-spork'
Running verification for component 'kitchen-vagrant'
Running verification for component 'package installation'
Running verification for component 'openssl'
Running verification for component 'inspec'
Running verification for component 'delivery-cli'
Running verification for component 'git'
Running verification for component 'opscode-pushy-client'
Running verification for component 'chef-sugar'
Running verification for component 'knife-supermarket'
..............................................
---------------------------------------------
Verification of component 'fauxhai' succeeded.
Verification of component 'kitchen-vagrant' succeeded.
Verification of component 'openssl' succeeded.
Verification of component 'delivery-cli' succeeded.
Verification of component 'test-kitchen' succeeded.
Verification of component 'rubocop' succeeded.
Verification of component 'inspec' succeeded.
Verification of component 'opscode-pushy-client' succeeded.
Verification of component 'knife-supermarket' succeeded.
Verification of component 'berkshelf' succeeded.
Verification of component 'knife-spork' succeeded.
Verification of component 'git' succeeded.
Verification of component 'tk-policyfile-provisioner' succeeded.
Verification of component 'chefspec' succeeded.
Verification of component 'chef-sugar' succeeded.
Verification of component 'chef-client' succeeded.
Verification of component 'chef-dk' succeeded.
Verification of component 'package installation' succeeded.
Verification of component 'chef-provisioning' succeeded.
Verification of component 'generated-cookbooks-pass-chefspec' succeeded.
Setting up ruby.
[root@chefworkstation ahmed]# eval "$(chef shell-init bash)"
[root@chefworkstation ahmed]# which ruby
/opt/chefdk/embedded/bin/ruby
[root@chefworkstation ahmed]#
To make these changes persist, execute below command to update .bash_profile.
echo 'eval "$(chef shell-init bash)"' >> ~/.bash_profile

Getting the starter kit.

Goto the chef-server > Administration Tab > Select organization > Click Starter Kit on the left pane.
Admin Tab
files
Select starter-kit
files
Reset keys and download
files
Copy the starter kit (chef-repo) from the server and unzip and save it in the home directory on WORKSTATION NODE.
[root@chefworkstation ahmed]# pwd
/home/ahmed
[root@chefworkstation ahmed]# ls -l
total 40
drwxr-xr-x. 5 root  root  4096 Jun  8 03:27 chef-repo
drwxr-xr-x. 2 ahmed ahmed 4096 May  7  2015 Desktop
drwxr-xr-x. 2 ahmed ahmed 4096 May  7  2015 Documents
drwxr-xr-x. 2 ahmed ahmed 4096 Jun  8 02:55 Downloads
drwxrwxr-x. 6 ahmed ahmed 4096 Feb  3 01:39 github
drwxr-xr-x. 2 ahmed ahmed 4096 May  7  2015 Music
drwxr-xr-x. 2 ahmed ahmed 4096 May  7  2015 Pictures
drwxr-xr-x. 2 ahmed ahmed 4096 May  7  2015 Public
drwxr-xr-x. 2 ahmed ahmed 4096 May  7  2015 Templates
drwxr-xr-x. 2 ahmed ahmed 4096 May  7  2015 Videos
[root@chefworkstation ahmed]# tree chef-repo/
chef-repo/
├── cookbooks
│   ├── chefignore
│   ├── cm_setup
│   │   ├── Berksfile
│   │   ├── Berksfile.lock
│   │   ├── chefignore
│   │   ├── metadata.rb
│   │   ├── README.md
│   │   ├── recipes
│   │   │   └── default.rb
│   │   ├── spec
│   │   │   ├── spec_helper.rb
│   │   │   └── unit
│   │   │       └── recipes
│   │   │           └── default_spec.rb
│   │   ├── templates
│   │   │   └── default
│   │   │       ├── cloudera_manager.repo.erb
│   │   │       ├── my.cnf.erb
│   │   │       └── sysctl.conf.erb
│   │   └── test
│   │       └── integration
│   │           ├── default
│   │           │   └── serverspec
│   │           │       └── default_spec.rb
│   │           └── helpers
│   │               └── serverspec
│   │                   └── spec_helper.rb
│   └── starter
│       ├── attributes
│       │   └── default.rb
│       ├── files
│       │   └── default
│       │       └── sample.txt
│       ├── metadata.rb
│       ├── recipes
│       │   └── default.rb
│       └── templates
│           └── default
│               └── sample.erb
├── README.md
└── roles
    └── starter.rb

22 directories, 21 files
[root@chefworkstation ahmed]#

Fetching the SSL key from the chef-server.

[root@chefworkstation chef-repo]# knife ssl fetch
WARNING: Certificates from chefserver.ahmed.com will be fetched and placed in your trusted_cert
directory (/home/ahmed/chef-repo/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for chefserver.ahmed.com in /home/ahmed/chef-repo/.chef/trusted_certs/chefserver_ahmed_com.crt
Check client currently available. Currently we see only the work station.
[root@chefworkstation chef-repo]# knife client list
ahmedinc-validator

Bootstrapping a Node.

More information here.

Setting up a client using the knife bootstrap command.

[root@chefworkstation chef-repo]#  knife bootstrap chefnode.ahmed.com -x ahmed -P ahmed --sudo
Doing old-style registration with the validation key at /home/ahmed/chef-repo/.chef/ahmedinc-validator.pem...
Delete your validation key in order to use your user credentials instead

Connecting to chefnode.ahmed.com
chefnode.ahmed.com This is BASH 4.1     - DISPLAY on
chefnode.ahmed.com
chefnode.ahmed.com Wed Jun  8 03:05:01 PDT 2016
chefnode.ahmed.com -----> Existing Chef installation detected
chefnode.ahmed.com Starting the first Chef Client run...
chefnode.ahmed.com Starting Chef Client, version 12.10.24
chefnode.ahmed.com Creating a new client identity for chefnode.ahmed.com using the validator key.
chefnode.ahmed.com resolving cookbooks for run list: []
chefnode.ahmed.com Synchronizing Cookbooks:
chefnode.ahmed.com Installing Cookbook Gems:
chefnode.ahmed.com Compiling Cookbooks...
chefnode.ahmed.com [2016-06-08T03:05:08-07:00] WARN: Node chefnode.ahmed.com has an empty run list.
chefnode.ahmed.com Converging 0 resources
chefnode.ahmed.com
chefnode.ahmed.com Running handlers:
chefnode.ahmed.com Running handlers complete
chefnode.ahmed.com Chef Client finished, 0/0 resources updated in 05 seconds
chefnode.ahmed.com Hasta la vista, baby
We can check the node using the below command.
[root@chefworkstation chef-repo]# knife client list                          
ahmedinc-validator
chefnode.ahmed.com
Here is how we can see the new node on the chef-server.
cookbook on chef-server
Lets update the starter cookbook and upload to server and add the cookbook to the node.
Update /home/ahmed/chef-repo/cookbooks/starter/recipes/default.rb with below contents.
log "Welcome to Chef, #{node["starter_name"]}!" do
  level :info
end

file '/etc/my_first_file' do
        content 'This is my first file creation using chef server'
end

file '/etc/my_second_file' do
        content 'My Second file'
end
Here is the contents from the command output.
[root@chefworkstation chef-repo]# pwd                                         
/home/ahmed/chef-repo
[root@chefworkstation chef-repo]# cat cookbooks/starter/recipes/default.rb
# This is a Chef recipe file. It can be used to specify resources which will
# apply configuration to a server.

log "Welcome to Chef, #{node["starter_name"]}!" do
  level :info
end

file '/etc/my_first_file' do
        content 'This is my first file creation using chef server'
end

file '/etc/my_second_file' do
        content 'My Second file'
end
Now lets upload the cookbook to the server.
[root@chefworkstation chef-repo]# knife upload cookbooks/starter
Created cookbooks/starter
[root@chefworkstation chef-repo]#
Starter cookbook on the chef-server
cookbook on chef-server
Contents of starter Cookbook
cookbook on chef-server
Now lets configure the node to get the cookbook assigned.
Edit Node Configuration
files
Select the cookbook and add to Current Run List
files
files

Sync client with server using chef-client command.

Once we have assigned we can logon to the ched-node and execute chef-client. This will communicate to the chef-server and get the cookbook and syncronize the server.
[root@chefnode Downloads]# chef-client
Starting Chef Client, version 12.10.24
resolving cookbooks for run list: ["starter"]
Synchronizing Cookbooks:
  - starter (1.0.0)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 2 resources
Recipe: starter::default
  * log[Welcome to Chef, Sam Doe!] action write

  * file[/etc/my_first_file] action create
    - create new file /etc/my_first_file
    - update content in file /etc/my_first_file from none to ad169c
    --- /etc/my_first_file      2016-06-08 03:37:02.461008058 -0700
    +++ /etc/.chef-my_first_file20160608-3200-18m1pty   2016-06-08 03:37:02.460008058 -0700
    @@ -1 +1,2 @@
    +This is my first file creation using chef server
    - restore selinux security context

Running handlers:
Running handlers complete
Chef Client finished, 2/2 resources updated in 05 seconds

Getting repo from git and sync with chef-server.

On the workstation node.
[root@chefworkstation cookbooks]# pwd
/home/ahmed/chef-repo/cookbooks
Get repo from git and upload to chef server.
[root@chefworkstation cookbooks]# git clone https://github.com/zubayr/cm_setup
Initialized empty Git repository in /home/ahmed/chef-repo/cookbooks/cm_setup/.git/
remote: Counting objects: 62, done.
remote: Compressing objects: 100% (35/35), done.
remote: Total 62 (delta 5), reused 61 (delta 4), pack-reused 0
Unpacking objects: 100% (62/62), done.
[root@chefworkstation cookbooks]# cd ..
[root@chefworkstation chef-repo]# ls
cookbooks  README.md  roles
Upload to server.
[root@chefworkstation chef-repo]# knife upload cookbooks/cm_setup
Created cookbooks/cm_setup
[root@chefworkstation chef-repo]#
As seen on the server.
files

Comments

Post a Comment

Popular posts from this blog

Zabbix History Table Clean Up

Zabbix history table gets really big, and if you are in a situation where you want to clean it up. Then we can do so, using the below steps. Stop zabbix server. Take table backup - just in case. Create a temporary table. Update the temporary table with data required, upto a specific date using epoch . Move old table to a different table name. Move updated (new temporary) table to original table which needs to be cleaned-up. Drop the old table. (Optional) Restart Zabbix Since this is not offical procedure, but it has worked for me so use it at your own risk. Here is another post which will help is reducing the size of history tables - http://zabbixzone.com/zabbix/history-and-trends/ Zabbix Version : Zabbix v2.4 Make sure MySql 5.1 is set with InnoDB as innodb_file_per_table=ON Step 1 Stop the Zabbix server sudo service zabbix-server stop Script. echo "------------------------------------------" echo " 1. Stopping Zabbix Server ...

Installing Zabbix Version 2.4 Offline (Zabbix Server without Internet).

There might be situations where you have a remote/zabbix server which does not have internet connectivity, due to security or other reasons. So we create a custom repo on the remote/zabbix server so that we can install zabbix using rpms Here is how we are planning to do this. Download all the dependency rpms on a machine which has internet connection, using yum-downloadonly or repotrack . Transfer all the rpms to the remote server. Create a repo on the remote server. Update yum configuration. Install. NOTE: This method can be used to install any application, but here we have used zabbix as we had this requirement for a zabbix server. Download dependent rpms . On a machine which has internet connection install the package below. And download all the rpms . Make sure the system are similar (not required to be identical - At-least the OS should be of same version) mkdir /zabbix_rpms yum install yum-downloadonly Downloading all the rpms to location /zabbix_rpms/ ,...

Access Filter in SSSD `ldap_access_filter` [SSSD Access denied / Permission denied ]

Access Filter Setup with SSSD ldap_access_filter (string) If using access_provider = ldap , this option is mandatory. It specifies an LDAP search filter criteria that must be met for the user to be granted access on this host. If access_provider = ldap and this option is not set, it will result in all users being denied access. Use access_provider = allow to change this default behaviour. Example: access_provider = ldap ldap_access_filter = memberOf=cn=allowed_user_groups,ou=Groups,dc=example,dc=com Prerequisites yum install sssd Single LDAP Group Under domain/default in /etc/sssd/sssd.conf add: access_provider = ldap ldap_access_filter = memberOf=cn=Group Name,ou=Groups,dc=example,dc=com Multiple LDAP Groups Under domain/default in /etc/sssd/sssd.conf add: access_provider = ldap ldap_access_filter = (|(memberOf=cn=System Adminstrators,ou=Groups,dc=example,dc=com)(memberOf=cn=Database Users,ou=Groups,dc=example,dc=com)) ldap_access_filter accepts standa...