Monday 18 December 2017

How to Configure Chef on CentOS/Red Hat


Let's see how to deploy and configure Chef on local machines.


Chef Components


Chef consists of a Chef server, one or more workstations, and one or more nodes on which chef-client is installed.


Chef Server: This is the central hub that stores the cookbooks and recipes uploaded from workstations; each chef-client then pulls its configuration from it.

Chef Workstation: This is where recipes, cookbooks, and other Chef configuration details are created or edited. They are then pushed from the workstation to the Chef server, where they become available for deployment to chef-client nodes.
Chef Client: This is the target node on which chef-client is installed and the configurations are deployed. A node can be any machine (physical, virtual, cloud, network device, etc.).

Below are the prerequisites, which I leave for the reader to configure beforehand.


DNS resolution must work between the Chef server, the workstation and the client; otherwise add the hosts to /etc/hosts. I am using CentOS 7 for this setup.


Hostnames (Roles)


cen01.localhost.com (ChefServer)
cen02.localhost.com (ChefClient)
fedora.localhost.com (ChefWorkstation)

Chef Server:


Download the latest version of the Chef server core package:

# wget https://packages.chef.io/files/stable/chef-server/12.17.5/el/7/chef-server-core-12.17.5-1.el7.x86_64.rpm
# rpm -ivh chef-server-core-12.17.5-1.el7.x86_64.rpm

Once the installation is complete, you must run reconfigure so that the Chef server components are set up to work together:

# chef-server-ctl reconfigure
#

Check the status of the server components with the following command:


# chef-server-ctl status

run: bookshelf: (pid 1167) 64163s; run: log: (pid 1163) 64163s
run: nginx: (pid 10259) 63407s; run: log: (pid 1144) 64163s
run: oc_bifrost: (pid 1170) 64163s; run: log: (pid 1166) 64163s
run: oc_id: (pid 1168) 64163s; run: log: (pid 10087) 63510s
run: opscode-erchef: (pid 6741) 63791s; run: log: (pid 1192) 64163s
run: opscode-expander: (pid 1162) 64163s; run: log: (pid 1161) 64163s
run: opscode-solr4: (pid 1169) 64163s; run: log: (pid 1165) 64163s
run: postgresql: (pid 1160) 64163s; run: log: (pid 1159) 64163s
run: rabbitmq: (pid 1146) 64163s; run: log: (pid 1145) 64163s
run: redis_lb: (pid 7752) 63535s; run: log: (pid 1152) 64163s
#
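As an added example (not part of the original post), the small shell script below parses output in the format shown above and reports any component that is not in the run: state, plus any component whose uptime is well below the others, which means it was restarted (in the listing above, nginx shows 63407s against 64163s for the rest). The sample status text is constructed from that listing, with one line rewritten into the "down: ... normally up" form that runit prints for a stopped service (assumed format); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check `chef-server-ctl status`
# output. Constructed sample based on the listing in the post, with nginx
# changed to the "down:" form runit prints for a stopped service (assumed).
SAMPLE_STATUS='run: bookshelf: (pid 1167) 64163s; run: log: (pid 1163) 64163s
down: nginx: 5s, normally up; run: log: (pid 1144) 64163s
run: oc_bifrost: (pid 1170) 64163s; run: log: (pid 1166) 64163s
run: opscode-erchef: (pid 6741) 63791s; run: log: (pid 1192) 64163s
run: postgresql: (pid 1160) 64163s; run: log: (pid 1159) 64163s'

# Print the names of components whose state is anything other than "run".
# Each line is "<state>: <name>: ...; run: log: ..."; only the service itself
# (first state/name pair), not its log writer, is examined.
components_not_running() {   # $1 = status text
    printf '%s\n' "$1" | awk -F': ' '$1 != "run" { print $2 }'
}

# Print components whose uptime is below a threshold in seconds, i.e. that were
# restarted recently relative to the others. The uptime is the number before the
# first "s" after the name: "(pid 1167) 64163s" or "5s, normally up".
components_restarted_within() {   # $1 = status text, $2 = threshold seconds
    printf '%s\n' "$1" | awk -F': ' -v t="$2" '
        {
            name = $2
            rest = $3
            sub(/;.*/, "", rest)              # drop the "; run: log: ..." half
            sub(/^\(pid [0-9]+\) /, "", rest) # drop the "(pid N) " prefix
            sub(/s.*/, "", rest)              # keep only the digits before "s"
            if (rest + 0 < t) print name
        }'
}

# Exit non-zero when anything is down, so this can gate a later deployment step.
check_status() {             # $1 = status text
    down="$(components_not_running "$1")"
    if [ -n "$down" ]; then
        printf 'not running: %s\n' "$down" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: `chef-server-ctl status | sh -c '. ./this.sh; check_status "$(cat)"'`
# would feed live output; here the constructed sample is used.
check_status "$SAMPLE_STATUS"
components_restarted_within "$SAMPLE_STATUS" 64000
```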

We need to create an admin user. This user will have access to make changes to the infrastructure components in the organization we will be creating. The command below generates the user's RSA private key automatically; save it in a safe location (here /etc/chef/admin.pem).

# chef-server-ctl user-create admin admin admin admin@localhost.com password -f /etc/chef/admin.pem
ERROR: Error connecting to https://127.0.0.1/users/, retry 1/5
ERROR: Error connecting to https://127.0.0.1/users/, retry 2/5
ERROR: Error connecting to https://127.0.0.1/users/, retry 3/5

If you receive the error "ERROR: Error connecting to https://127.0.0.1/users/, retry 1/5", it means another application is already listening on port 80 or 443. After I had shut down that service, it worked.


# chef-server-ctl user-create admin admin admin admin@localhost.com admin1 --filename /etc/chef/admin.pem


where chef-server-ctl user-create -h explains the arguments of the command above:

  <USERNAME FIRST_NAME [MIDDLE_NAME] LAST_NAME EMAIL PASSWORD>

Now, create an organization to hold the configurations.


# chef-server-ctl org-create localhost "localhost, Chef Server" --association_user admin --filename /etc/chef/localhost-validator.pem


where chef-server-ctl org-create -h explains the arguments of the command above.

Make sure the firewall ports for HTTP (80) and HTTPS (443) are open.

Chef Workstation:

Download the latest version of ChefDK:

# wget https://packages.chef.io/files/stable/chefdk/2.4.17/el/7/chefdk-2.4.17-1.el7.x86_64.rpm
# rpm -ivh chefdk-2.4.17-1.el7.x86_64.rpm
# chef verify

Verification of component 'fauxhai' succeeded.

Verification of component 'kitchen-vagrant' succeeded.
Verification of component 'openssl' succeeded.
Verification of component 'delivery-cli' succeeded.
Verification of component 'git' succeeded.
Verification of component 'berkshelf' succeeded.
Verification of component 'tk-policyfile-provisioner' succeeded.
Verification of component 'opscode-pushy-client' succeeded.
Verification of component 'test-kitchen' succeeded.
Verification of component 'chefspec' succeeded.
Verification of component 'knife-spork' succeeded.
Verification of component 'inspec' succeeded.
Verification of component 'chef-dk' succeeded.
Verification of component 'chef-sugar' succeeded.
Verification of component 'chef-client' succeeded.
Verification of component 'chef-provisioning' succeeded.
Verification of component 'generated-cookbooks-pass-chefspec' succeeded.
Verification of component 'package installation' succeeded.

Install git and generate a Chef repository:

# yum install git -y
# chef generate repo chef-repo
# ls
chefignore  cookbooks  data_bags  environments  LICENSE  README.md  roles
#

You can add this directory to version control.

# git config --global user.name "username"
# git config --global user.email "xyz@domainname.com"

Now, create a hidden directory called ".chef" under the chef-repo directory. It will hold the RSA keys we created on the Chef server, so add it to .gitignore to keep the private keys out of version control:


# vim .gitignore

.chef
.gitignore
#

Commit all the existing changes:

# git add .
# git commit -m "Initial Commit"

The RSA keys (.pem files) generated when setting up the Chef server now need to be copied to the workstation, into the "~/chef-repo/.chef" directory:

# scp -pr root@cen01.localhost.com:/etc/chef/admin.pem chef-repo/.chef
# scp -pr root@cen01.localhost.com:/etc/chef/localhost-validator.pem chef-repo/.chef

Knife is the command-line interface between a local chef-repo and the Chef server. To make knife work with your Chef environment, configure it by creating knife.rb in the "~/chef-repo/.chef/" directory.


Now, create and edit the knife.rb file


# cat knife.rb

current_dir = File.dirname(__FILE__)
log_level                :info
log_location             STDOUT
node_name                "admin"
client_key               "#{current_dir}/admin.pem"
validation_client_name   "localhost-validator"
validation_key           "#{current_dir}/localhost-validator.pem"
chef_server_url          "https://cen01.localhost.com/organizations/localhost"
syntax_check_cache_path  "#{ENV['HOME']}/.chef/syntaxcache"
cookbook_path            ["#{current_dir}/../cookbooks"]

node_name: This is the username with permission to authenticate to the Chef server. It should match the user we created on the Chef server.


client_key: The location of the file containing the user's private key that we copied over from the Chef server.


validation_client_name: This should be your organization's short name followed by -validator.


validation_key: The location of the file containing the validation key that we copied over from the Chef server. This key is used when a chef-client registers with the Chef server.

chef_server_url: The URL of the Chef server. It should begin with https://, followed by the IP address or FQDN of the Chef server, then /organizations/ and the organization name.
#{current_dir} represents the ~/chef-repo/.chef/ directory, assuming the knife.rb file is in ~/chef-repo/.chef/, so you don't have to write fully qualified paths.
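As an added example (not part of the original post), here is a pre-flight check for the .chef directory described above: it reads the key paths out of knife.rb, confirms the .pem files exist and are readable only by their owner, confirms chef_server_url uses https://, and confirms .chef is listed in .gitignore so the private keys never reach version control. The directory layout and file names follow the post; the fixture builder, the function names and the placeholder key contents are my own, and the throwaway copy it creates lets the script run offline. It uses GNU stat (-c %a) as found on CentOS.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for ~/chef-repo/.chef.

# Read a quoted knife.rb setting, e.g. node_name "admin" -> admin.
knife_setting() {            # $1 = knife.rb path, $2 = setting name
    awk -v k="$2" '$1 == k { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Return 0 when the layout is sound, 1 otherwise; problems go to stderr.
check_chef_dir() {           # $1 = chef-repo root
    repo="$1"; chefdir="$repo/.chef"; rb="$chefdir/knife.rb"; rc=0
    [ -f "$rb" ] || { echo "missing $rb" >&2; return 1; }

    case "$(knife_setting "$rb" chef_server_url)" in
        https://*) ;;
        *) echo "chef_server_url must start with https://" >&2; rc=1 ;;
    esac

    # Resolve "#{current_dir}/admin.pem" style values relative to .chef.
    for key in client_key validation_key; do
        f="$(knife_setting "$rb" "$key" | sed "s|#{current_dir}|$chefdir|")"
        if [ ! -f "$f" ]; then
            echo "$key: $f not found" >&2; rc=1
        elif [ "$(stat -c %a "$f")" != "600" ]; then
            echo "$key: $f should be mode 600, is $(stat -c %a "$f")" >&2; rc=1
        fi
    done

    grep -qx '\.chef' "$repo/.gitignore" 2>/dev/null \
        || { echo ".chef is not listed in $repo/.gitignore" >&2; rc=1; }
    return $rc
}

# Constructed fixture: a throwaway repo in a temp dir. $1 = "good" or "bad"
# (bad = world-readable keys and a plain http URL). Prints the repo path.
make_fixture() {
    repo="$(mktemp -d)"; mkdir -p "$repo/.chef"
    scheme=https; mode=600
    [ "$1" = bad ] && { scheme=http; mode=644; }
    cat > "$repo/.chef/knife.rb" <<EOF
current_dir = File.dirname(__FILE__)
node_name                "admin"
client_key               "#{current_dir}/admin.pem"
validation_client_name   "localhost-validator"
validation_key           "#{current_dir}/localhost-validator.pem"
chef_server_url          "$scheme://cen01.localhost.com/organizations/localhost"
EOF
    for k in admin localhost-validator; do
        echo "placeholder, not a real key" > "$repo/.chef/$k.pem"   # constructed
        chmod "$mode" "$repo/.chef/$k.pem"
    done
    printf '.chef\n' > "$repo/.gitignore"
    echo "$repo"
}

# Stand-alone run against the real repo: check_chef_dir "$HOME/chef-repo"
demo="$(make_fixture bad)"
check_chef_dir "$demo" || echo "fixture '$demo' failed the check, as expected"
rm -rf "$demo"
```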

Next, fetch the Chef server's SSL certificate onto the workstation:


# knife ssl fetch

WARNING: Certificates from cen01.localhost.com will be fetched and placed in your trusted_cert
directory (/home/sunlnx/Documents/chef-repo/.chef/trusted_certs).
Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.
Adding certificate for cen01_localhost_com in /home/sunlnx/Documents/chef-repo/.chef/trusted_certs/cen01_localhost_com.crt
#
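The warning above is the important part: knife ssl fetch trusts whatever certificate the network hands it. As an added example (not part of the original post), the script below compares the fetched .crt against a SHA-256 fingerprint obtained out of band, for instance read off the server itself with openssl x509 -noout -fingerprint -sha256 over the certificate file the server's nginx uses (the path /var/opt/opscode/nginx/ca/<fqdn>.crt is the Chef server default as I understand it, not stated on this page). The function names are my own, the fixture generates a throwaway self-signed certificate so the script runs offline, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original post: pin-check a certificate fetched by
# `knife ssl fetch` against a fingerprint obtained out of band.

# SHA-256 fingerprint of a PEM certificate as colon-separated uppercase hex,
# the same value openssl and browsers display.
cert_fingerprint() {         # $1 = path to .crt
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Compare the file's fingerprint with the expected one. Case and colons are
# normalised so a value copied from a browser or a ticket compares equal.
# Returns 0 on match, 1 on mismatch (and says so on stderr).
verify_trusted_cert() {      # $1 = path to .crt, $2 = expected fingerprint
    actual="$(cert_fingerprint "$1" | tr -d ':' | tr 'a-f' 'A-F')"
    expected="$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')"
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches the expected fingerprint"
        return 0
    fi
    echo "MISMATCH: $1 has $actual, expected $expected" >&2
    return 1
}

# Constructed fixture: a throwaway self-signed certificate standing in for
# .chef/trusted_certs/cen01_localhost_com.crt. Prints the path of the .crt.
make_test_cert() {
    dir="$(mktemp -d)"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=cen01.localhost.com" \
        -keyout "$dir/key.pem" -out "$dir/cen01_localhost_com.crt" 2>/dev/null
    echo "$dir/cen01_localhost_com.crt"
}

# Stand-alone run: with a real repo you would pass the fetched file and the
# fingerprint you wrote down on the server, e.g.
#   verify_trusted_cert ~/chef-repo/.chef/trusted_certs/cen01_localhost_com.crt "AB:CD:..."
crt="$(make_test_cert)"
verify_trusted_cert "$crt" "$(cert_fingerprint "$crt")"
rm -rf "$(dirname "$crt")"
```

Once the fingerprint matches, knife ssl check (a standard knife subcommand) confirms that the URL in knife.rb validates against the trusted_certs directory, so both the pin and the TLS configuration are verified before any cookbook is uploaded.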

# knife client list

localhost-validator
#

Bootstrapping


Bootstrapping a node is the process of installing chef-client on a target machine so that it can run as a Chef node and communicate with the Chef server:


# knife bootstrap cen02.localhost.com -x root -P <yourpassword> --sudo

Doing old-style registration with the validation key at /home/sunlnx/Documents/chef-repo/.chef/localhost-validator.pem...
Delete your validation key in order to use your user credentials instead
Connecting to cen02.localhost.com
cen02.localhost.com -----> Installing Chef Omnibus (-v 13)
cen02.localhost.com downloading https://omnitruck-direct.chef.io/chef/install.sh
cen02.localhost.com   to file /tmp/install.sh.4190/install.sh
cen02.localhost.com trying wget...
cen02.localhost.com el 7 x86_64
cen02.localhost.com Getting information for chef stable 13 for el...
cen02.localhost.com downloading https://omnitruck-direct.chef.io/stable/chef/metadata?v=13&p=el&pv=7&m=x86_64
cen02.localhost.com   to file /tmp/install.sh.4195/metadata.txt
...
cen02.localhost.com Running handlers:
cen02.localhost.com Running handlers complete
cen02.localhost.com Chef Client finished, 0/0 resources updated in 05 seconds
#

Once bootstrapping is complete, list the nodes with the following command:


# knife node list
cen02.localhost.com
#


Thank you