Chef is a configuration management tool, similar in concept to Puppet. As I test out various configuration management tools and methods, I wanted to try my hand at Chef to see what the process would be like.
I find that Chef’s documentation is a bit ambiguous, so I’ve recreated it here to show the steps I used to get something working.
The server / workstation setup was all done in a CentOS 6.6 VM.
The client configuration is done on an OS X Yosemite 10.10.2 VM.
In these instructions, “ssh” refers to the short name for my organization “Schools of the Sacred Heart SF” (not the SSH protocol).
Follow the instructions for Installing Chef Server:
- Download the Chef server for Enterprise Linux 6 – as of writing, that’s chef-server-core-12.0.4-1.el6.x86_64.rpm.
- Install the rpm:
sudo rpm -Uvh chef-server-core-12.0.4-1.el6.x86_64.rpm
- If the hostname for the machine does not have an FQDN, set one first. Then run the initial configuration:
sudo chef-server-ctl reconfigure
- Create a directory to hold the keys that the next two commands write:
mkdir -p /etc/chef-server/
- Create your first user account:
sudo chef-server-ctl user-create --filename /etc/chef-server/nick.pem nick Nick McSpadden firstname.lastname@example.org password
- Create your first organization:
sudo chef-server-ctl org-create ssh SacredSF --association_user nick --filename /etc/chef-server/ssh.pem
This “ssh.pem” file is the private key of the validator client for my organization, whose short name is “ssh” (the validator client itself is named “ssh-validator”). If you create an organization called “test” you can name the private key “test.pem” and use that wherever you see “ssh.pem” in these instructions.
Now, set up the Chef Workstation where you can get things done. This can be on the same computer, and in my case is in the same VM – the Server and Workstation are the same virtual machine. Follow instructions for Installing Chef Workstation:
- Download the Chef Workstation for Enterprise Linux 6 – as of writing, that’s chefdk-0.4.0-1.x86_64.rpm.
- Install the rpm:
sudo rpm -Uvh chefdk-0.4.0-1.x86_64.rpm
- Do the initial setup:
knife configure --initial
Answer the following questions:
Overwrite /home/nmcspadden/.chef/knife.rb? (Y/N) Y
Please enter the chef server URL: [https://chef:443] https://chef.domain.com:443/organizations/ssh
Please enter an existing username or clientname for the API: [admin] nick
Please enter the validation clientname: [chef-validator] ssh-validator
Please enter the location of the validation key: [/etc/chef-server/chef-validator.pem] /etc/chef-server/ssh.pem
Please enter the path to a chef repository (or leave blank):
Set up the Chef Repo:
git clone git://github.com/chef/chef-repo.git
(I cloned this into my home directory, at ~/chef-repo/. The git:// transport is unauthenticated, so the https:// URL for the same repository is the safer choice.)
mkdir -p chef-repo/.chef
echo '.chef' >> ~/chef-repo/.gitignore
- Copy the two .pem files you created earlier into .chef:
cp /etc/chef-server/*.pem ~/chef-repo/.chef/
- Write the file ~/chef-repo/.chef/knife.rb:
log_level                :info
log_location             STDOUT
node_name                'nick'
client_key               '/home/nmcspadden/.chef/nick.pem'
validation_client_name   'ssh-validator'
validation_key           '/etc/chef-server/ssh.pem'
chef_server_url          'https://chef:443/organizations/ssh'
syntax_check_cache_path  '/home/nmcspadden/.chef/syntax_check_cache'
cookbook_path            '/home/nmcspadden/chef-repo/cookbooks'
knife[:editor] = '/usr/bin/nano'
- Run knife ssl fetch to trust the server’s self-signed certificate. This stores whatever certificate the server presents at that moment, so check that the fetched certificate matches the one installed on your Chef server before relying on it.
- knife client list should now show you the name of your validator, which in this case is ssh-validator.
- Set up the proper Ruby paths and other services with Chef’s shell-initialization script:
echo 'eval "$(chef shell-init bash)"' >> ~/.bash_profile && source ~/.bash_profile
Verify that ruby is correct using
The “node” refers to an end client that is receiving Chef configurations. In this example, I’m using an OS X 10.10.2 VM as my client node.
- Add your Chef VM to /etc/hosts, if it doesn’t already exist in DNS.
- Install the Xcode Command Line Tools on the client machine first.
- Install the latest Chef client for OS X 10.10 – as of writing, that’s chef-12.0.3-1.dmg.
- Copy the ssh.pem created earlier to /etc/chef/validation.pem on the client (the filename is important). Anyone holding this key can register new clients with your organization, so give it mode 0600 and remove it from the node once the node has registered.
- You also need to copy the trusted certs from your chef-repo (~/chef-repo/.chef/trusted_certs/) to the client, into /etc/chef/trusted_certs/. If you don’t have these trusted certs on the chef server, use this command to generate them:
knife ssl fetch
- Write a file client.rb to
- Run sudo chef-client to trigger the initial chef run.
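The node-side steps above gathered into one script, as an added example that is not from the original post: it writes client.rb using the server URL, organization “ssh” and validator name “ssh-validator” from the workstation setup, and checks the validator key’s permissions and the trusted certificates before the first chef-client run. The CHEF_DIR override and the exact client.rb keys are my assumptions, not the author’s.

```shell
#!/bin/sh
# Added example, not from the original post: prepares the /etc/chef directory
# described in the steps above and checks it before the first chef-client run.
# Assumed values: the server URL, organization "ssh" and validator name
# "ssh-validator" from the workstation setup; CHEF_DIR is overridable so the
# functions can be exercised against a scratch directory.
CHEF_DIR="${CHEF_DIR:-/etc/chef}"

# write_client_rb DIR URL VALIDATOR NODE_NAME
# Writes DIR/client.rb. ssl_verify_mode :verify_peer makes the node reject a
# server whose certificate is not in DIR/trusted_certs (the copied knife certs).
write_client_rb() {
  dir="$1"; url="$2"; validator="$3"; node="$4"
  mkdir -p "$dir/trusted_certs"
  cat > "$dir/client.rb" <<EOF
log_level              :info
log_location           STDOUT
node_name              '$node'
chef_server_url        '$url'
validation_client_name '$validator'
validation_key         '$dir/validation.pem'
client_key             '$dir/client.pem'
trusted_certs_dir      '$dir/trusted_certs'
ssl_verify_mode        :verify_peer
EOF
}

# check_node_dir DIR
# Returns 0 when the validator key is present and mode 0600, at least one
# trusted certificate exists, and client.rb verifies the server certificate.
# Each problem is reported so the first run does not fail with an opaque error.
check_node_dir() {
  dir="$1"; rc=0
  if [ -f "$dir/validation.pem" ]; then
    [ -n "$(find "$dir/validation.pem" -perm 600)" ] ||
      { echo "$dir/validation.pem must be mode 0600 (it registers new clients)"; rc=1; }
  else
    echo "missing $dir/validation.pem (copy ssh.pem here)"; rc=1
  fi
  ls "$dir/trusted_certs"/*.crt >/dev/null 2>&1 ||
    { echo "no certificates in $dir/trusted_certs (run knife ssl fetch)"; rc=1; }
  grep -q 'ssl_verify_mode *:verify_peer' "$dir/client.rb" 2>/dev/null ||
    { echo "$dir/client.rb does not verify the server certificate"; rc=1; }
  return $rc
}

# Stand-alone use: write the config, then run chef-client only if the checks pass.
if [ "${1:-}" = "--run" ]; then
  write_client_rb "$CHEF_DIR" 'https://chef:443/organizations/ssh' ssh-validator "$(hostname)"
  check_node_dir "$CHEF_DIR" && sudo chef-client
fi
```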
You now have a working Chef client install with a working Chef server!