There are three configuration scenarios for the Chef server:
- Standalone (everything on a single machine)
- High availability (machines configured for front-end and back-end, allowing for failover on the back-end and load-balancing on the front-end, as required)
- Tiered (machines configured for front-end and back-end, with a single back-end and load-balancing on the front-end, as required)
Prerequisites
- An x86_64 compatible system architecture; Red Hat Enterprise Linux and CentOS may require updates prior to installation
- A resolvable hostname that is specified using a FQDN or an IP address
- A connection to NTP to prevent clock drift
- A local mail transfer agent that allows the Chef server to send email notifications
- Using cron and the /etc/cron.d directory for periodic maintenance tasks
- Disabling the Apache Qpid daemon on CentOS and Red Hat systems
- A local user account under which services will run
- A local user account for PostgreSQL
- A group account under which services will run
Install Chef Server and Chef Client on CentOS 6
We have tested Chef Server and Chef Client with CentOS 6 as well.
Chef server: 192.168.1.160
Chef client: 192.168.1.161
Before proceeding with the Chef server installation, verify and complete the following steps.
- Disable SELinux
- Set the FQDN before running reconfigure (chef.example.com)
# vi /etc/hosts
192.168.1.160 chef.example.com
Download the Chef server
https://www.chef.io/chef/install/
I have used version 11.1.6-1 of the Chef server.
Log in to your Chef server.
# wget https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-server-11.1.6-1.el6.x86_64.rpm
# rpm -ivh chef-server-11.1.6-1.el6.x86_64.rpm
# chef-server-ctl reconfigure
This process takes a few minutes to complete.
Run these commands on your Chef server to install the management console.
# chef-server-ctl install chef-manage
# chef-server-ctl reconfigure
# chef-manage-ctl reconfigure
Run these commands to install the reporting feature.
# chef-server-ctl install opscode-reporting
# chef-server-ctl reconfigure
# opscode-reporting-ctl reconfigure
Once the installation has completed, the installation path is:
/opt/chef
Enable the Chef server knife access port in your firewall:
- TCP port 4000
Chef server WebUI:
- TCP port 80
- TCP port 443
- TCP port 9462
Run the test suite
# chef-server-ctl test
Open the Chef server WebUI
https://chef.example.com
The default login information should be over on the right side of the screen:
username: admin
password: p@ssw0rd1
Set a new admin password.
That's all.
Log in to your Chef client server (192.168.1.161).
Install the Chef client
Follow these steps to install the Chef client:
# wget https://www.getchef.com/chef/install.sh
# chmod +x install.sh
# ./install.sh
Once the installation has completed, verify the version.
# chef-client -v
Chef: 12.2.1
Now we will configure the client to communicate with our Chef server. Follow the steps below.
Create a directory named chef inside the /etc directory.
# mkdir /etc/chef
We need to copy the chef-validator.pem file from our Chef server. You can find this file in the /etc/chef directory of the server. Issue the command below to copy it to our client machine.
# scp root@chef.example.com:/etc/chef/chef-validator.pem /etc/chef/
Now we need a client.rb file on the client machine that points at our Chef server.
# vi /etc/chef/client.rb
Add the following to the file:
log_level :info
log_location STDOUT
chef_server_url 'https://chef.example.com/'
validation_key "/etc/chef/chef-validator.pem"
validation_client_name 'chef-validator'
Alternatively, you can configure the knife settings with the knife command:
# knife configure
Example:
# cat /root/.chef/knife.rb
log_level :info
log_location STDOUT
node_name 'admin'
client_key '/root/.chef/admin.pem'
validation_client_name 'chef-validator'
validation_key '/etc/chef-server/chef-validator.pem'
chef_server_url 'https://chef.example.com:443'
syntax_check_cache_path '/root/.chef/syntax_check_cache'
client_key: I have copied the admin.pem file from the Chef server (/etc/chef-server/admin.pem) to /root/.chef/admin.pem on the Chef client.
validation_key: I have copied /etc/chef/chef-validator.pem from the Chef server to /etc/chef-server/chef-validator.pem.
Finally, we need to register the client with the Chef server. Issue the command below to register the client.
# /usr/bin/chef-client
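The client setup above (create /etc/chef, copy the validator key, write client.rb) as one script. This is an added example, not code from the original post: the server URL, the local path of the already-copied validator key and the target directory are parameters (assumptions, so the script can be exercised against a scratch directory), and the point it adds is that the validator key is a bearer credential that lets whoever holds it register new clients with the server, so it is installed with owner-only permissions and client.rb is written the same way.

```shell
#!/bin/sh
# Added example (not from the original post): prepare a node's /etc/chef.
# Assumed: the validator key was already copied to this host (scp, as in the
# post); SERVER_URL, VALIDATOR_SRC and CHEF_DIR are parameters.

# bootstrap_chef_client_config SERVER_URL VALIDATOR_SRC [CHEF_DIR]
#   Creates CHEF_DIR (default /etc/chef), installs the validator key with mode
#   0600 and writes client.rb pointing at SERVER_URL. Returns non-zero on failure.
bootstrap_chef_client_config() {
    server_url="$1"
    validator_src="$2"
    chef_dir="${3:-/etc/chef}"

    [ -r "$validator_src" ] || { echo "validator key not readable: $validator_src" >&2; return 1; }
    # Cheap sanity check that we were handed a PEM private key, not some other file.
    grep -q 'PRIVATE KEY' "$validator_src" || { echo "not a PEM private key: $validator_src" >&2; return 1; }
    mkdir -p "$chef_dir" || return 1

    # The validator key authorises client registration, so it must never be
    # group- or world-readable. install(1) sets the mode atomically.
    install -m 0600 "$validator_src" "$chef_dir/chef-validator.pem" || return 1

    # Write client.rb with a restrictive umask (subshell so the caller's umask
    # is untouched), then move it into place.
    cfg_tmp="$chef_dir/client.rb.tmp"
    ( umask 077
      cat > "$cfg_tmp" <<EOF
log_level :info
log_location STDOUT
chef_server_url '$server_url'
validation_key "$chef_dir/chef-validator.pem"
validation_client_name 'chef-validator'
EOF
    ) || return 1
    mv "$cfg_tmp" "$chef_dir/client.rb"
}

# file_mode PATH: print the octal permission bits of PATH (GNU stat).
file_mode() {
    stat -c '%a' "$1"
}

# Usage on a real node (not run here):
#   bootstrap_chef_client_config 'https://chef.example.com/' /root/chef-validator.pem /etc/chef
#   file_mode /etc/chef/chef-validator.pem   # expect 600
```

Once the first chef-client run has produced /etc/chef/client.pem, the node no longer needs the validator key, so remove that copy from the node rather than leaving a registration credential on every machine.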
You are done!
Check the client list on your Chef server:
# knife client list
chef-validator
chef-webui
Errors:
[2015-04-01T08:17:12-04:00] INFO: Forking chef instance to converge…Starting Chef Client, version 12.2.1
[2015-04-01T08:17:12-04:00] INFO: *** Chef 12.2.1 ***
[2015-04-01T08:17:12-04:00] INFO: Chef-client pid: 29241
Creating a new client identity for repos1.example.com using the validator key.
[2015-04-01T08:17:13-04:00] INFO: Client key /etc/chef/client.pem is not present – registering
[2015-04-01T08:17:13-04:00] ERROR: SSL Validation failure connecting to host: chef.example.com – SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
================================================================================
Chef encountered an error attempting to create the client “repos1.example.com”
================================================================================
Chef Client failed. 0 resources updated in 1.226835116 seconds
[2015-04-01T08:17:13-04:00] ERROR: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
[2015-04-01T08:17:13-04:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
TO FIX THIS ERROR:
If the server you are connecting to uses a self-signed certificate, you must
configure chef to trust that server’s certificate.
By default, the certificate is stored in the following location on the host
where your chef-server runs:
/var/opt/chef-server/nginx/ca/chef.example.com.crt
Copy that file to your trusted_certs_dir (currently: /root/.chef/trusted_certs/)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server’s certificate is now trusted.
# knife ssl fetch
WARNING: Certificates from chef-server.example.com will be fetched and placed in your trusted_cert
directory ( /root/.chef/trusted_certs/).
Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.
Adding certificate for chef-server.example.com in /var/opt/chef-server/nginx/ca/chef.example.com.crt
Verify that the certificate you downloaded is in fact the same as the certificate on the Chef server. For example, I compared SHA256 checksums:
# ssh root@chef.example.com sha256sum /root/.chef/trusted_certs/chef_example_com.crt
# sha256sum /root/.chef/trusted_certs/chef_example_com.crt
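The checksum comparison above, carried out as an X.509 fingerprint check. This is an added example, not part of the original post. It assumes openssl is available on the client and that the expected fingerprint is obtained out of band, for instance by running openssl on the Chef server over SSH against /var/opt/chef-server/nginx/ca/chef.example.com.crt (the path named in the error message above). Comparing the SHA-256 fingerprint of the DER-encoded certificate, rather than the sha256sum of the PEM file, means a difference in line endings or trailing whitespace between the two copies does not show up as a false mismatch, while any change to the certificate itself still does.

```shell
#!/bin/sh
# Added example (not from the original post): verify a certificate that
# "knife ssl fetch" placed in trusted_certs against a fingerprint obtained
# out of band. Assumed: openssl is installed; all paths are parameters.

# cert_sha256_fingerprint PEM_FILE
#   Print the certificate's SHA-256 fingerprint as 64 lower-case hex digits
#   with no colons. Prints nothing if the file is not a parsable certificate.
cert_sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed -e 's/^.*=//' -e 's/://g' \
        | tr 'A-F' 'a-f'
}

# verify_trusted_cert PEM_FILE EXPECTED_FINGERPRINT
#   EXPECTED_FINGERPRINT may be given with or without colons, in any case.
#   Returns 0 on match, 1 on mismatch, 2 if PEM_FILE cannot be parsed.
verify_trusted_cert() {
    pem="$1"
    expected=$(printf '%s' "$2" | sed 's/://g' | tr 'A-F' 'a-f')
    actual=$(cert_sha256_fingerprint "$pem")
    [ -n "$actual" ] || { echo "cannot parse certificate: $pem" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "OK: $pem matches expected fingerprint $actual"
        return 0
    fi
    echo "MISMATCH: $pem has $actual, expected $expected" >&2
    return 1
}

# Usage on the client (not run here). The expected value comes from the server
# copy of the certificate over SSH, never from the same TLS connection being
# verified:
#   expected=$(ssh root@chef.example.com \
#       openssl x509 -in /var/opt/chef-server/nginx/ca/chef.example.com.crt \
#                    -noout -fingerprint -sha256 | sed 's/^.*=//')
#   verify_trusted_cert /root/.chef/trusted_certs/chef_example_com.crt "$expected"
```

knife ssl fetch itself says it cannot verify what it downloaded; this check is what turns that trust-on-first-use step into a verified one, and it is worth running again whenever the server certificate is rotated.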
Now check the knife client list again.
# knife client list
chef-validator
chef-webui