Install Chef Server and Chef Client in CentOS 6

There are three configuration scenarios for the Chef server:

  • Standalone (everything on a single machine)
  • High availability (machines configured for front-end and back-end, allowing for failover on the back-end and load-balancing on the front-end, as required)
  • Tiered (machines configured for front-end and back-end, with a single back-end and load-balancing on the front-end, as required)

Prerequisites

  • An x86_64 compatible system architecture; Red Hat Enterprise Linux and CentOS may require updates prior to installation
  • A resolvable hostname that is specified using a FQDN or an IP address
  • A connection to NTP to prevent clock drift
  • A local mail transfer agent that allows the Chef server to send email notifications
  • Using cron and the /etc/cron.d directory for periodic maintenance tasks
  • Disabling the Apache Qpid daemon on CentOS and Red Hat systems
  • A local user account under which services will run
  • A local user account for PostgreSQL
  • A group account under which services will run

We have tested Chef server and Chef client with CentOS 6 as well.

Chef server: 192.168.1.160
Chef client: 192.168.1.161

Before proceeding with the Chef server installation, verify and complete the following steps.

  • Disable SELinux
  • Set the FQDN (chef.example.com) before running reconfigure.

#vi /etc/hosts

192.168.1.160 chef.example.com

Download Chef server

https://www.chef.io/chef/install/

I have used version 11.1.6-1 of Chef server.

Log in to your Chef server, then download the package, install it and run reconfigure:

#wget https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-server-11.1.6-1.el6.x86_64.rpm
#rpm -Uvh chef-server-11.1.6-1.el6.x86_64.rpm
#chef-server-ctl reconfigure

It will take a few minutes to complete this process.

Run these commands on your Chef server to install the management console.

#chef-server-ctl install chef-manage
#chef-server-ctl reconfigure
#chef-manage-ctl reconfigure

Run these commands to install the reporting feature.

#chef-server-ctl install opscode-reporting
#chef-server-ctl reconfigure
#opscode-reporting-ctl reconfigure

Once the installation is complete:

Installation Path

/opt/chef

Enable Chef Server Knife Access ports in your firewall.

TCP Port 4000

Chef Server WebUI

TCP Port 80
TCP Port 443
TCP Port 9462

Run Test Suite

#chef-server-ctl test

Open Chef Server WebUI

https://chef.example.com

The default login information should be on the right side of the screen:

username: admin
password: p@ssw0rd1

Set a new admin password.
That's all.

Log in to your Chef client server, 192.168.1.161.

Install chef client

The Chef client installation steps are as follows.

#wget https://www.getchef.com/chef/install.sh
#bash install.sh

Once the installation is complete, verify your version.

# chef-client -v
Chef: 12.2.1

Now we will set up communication with our Chef server. Follow the steps below.

Create a directory named chef inside the /etc directory.

#mkdir /etc/chef

We need to copy the chef-validator.pem file from our Chef server. You can find this file in the /etc/chef directory of the server. Run the command below to copy it to the client machine.

#scp [email protected]:/etc/chef/chef-validator.pem /etc/chef/

Now we need a client.rb file on the client machine that points to our Chef server.

#vi /etc/chef/client.rb

Append the code below to the file:

log_level :info
log_location STDOUT
chef_server_url 'https://chef.example.com/'
validation_key "/etc/chef/chef-validator.pem"
validation_client_name 'chef-validator'

Or you can configure the knife settings using the knife command:

#knife configure

Example:

# cat /root/.chef/knife.rb
log_level :info
log_location STDOUT
node_name 'admin'
client_key '/root/.chef/admin.pem'
validation_client_name 'chef-validator'
validation_key '/etc/chef-server/chef-validator.pem'
chef_server_url 'https://chef.example.com:443'
syntax_check_cache_path '/root/.chef/syntax_check_cache'

client_key: I copied the admin.pem file from the Chef server (/etc/chef-server/admin.pem) to /root/.chef/admin.pem on the Chef client.
validation_key: I copied /etc/chef/chef-validator.pem from the Chef server to /etc/chef-server/chef-validator.pem.

Finally, we need to register the client with the Chef server. Run the command below to register the client.

#/usr/bin/chef-client

You are done!!

#knife client list

chef-validator
chef-webui

Check your Chef server node list.

Errors:

[2015-04-01T08:17:12-04:00] INFO: Forking chef instance to converge…
Starting Chef Client, version 12.2.1
[2015-04-01T08:17:12-04:00] INFO: *** Chef 12.2.1 ***
[2015-04-01T08:17:12-04:00] INFO: Chef-client pid: 29241
Creating a new client identity for repos1.example.com using the validator key.
[2015-04-01T08:17:13-04:00] INFO: Client key /etc/chef/client.pem is not present – registering
[2015-04-01T08:17:13-04:00] ERROR: SSL Validation failure connecting to host: chef.example.com – SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

================================================================================
Chef encountered an error attempting to create the client “repos1.example.com”
================================================================================

[2015-04-01T08:17:13-04:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 0 resources updated in 1.226835116 seconds
[2015-04-01T08:17:13-04:00] ERROR: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
[2015-04-01T08:17:13-04:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

TO FIX THIS ERROR:

If the server you are connecting to uses a self-signed certificate, you must
configure chef to trust that server’s certificate.

By default, the certificate is stored in the following location on the host
where your chef-server runs:

/var/opt/chef-server/nginx/ca/chef.example.com.crt

Copy that file to your trusted_certs_dir (currently: /root/.chef/trusted_certs/)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server’s certificate is now trusted.

#knife ssl fetch

WARNING: Certificates from chef-server.example.com will be fetched and placed in your trusted_cert
directory ( /root/.chef/trusted_certs/).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for chef-server.example.com in /var/opt/chef-server/nginx/ca/chef.example.com.crt

Verify that the downloaded certificate is in fact the same as the certificate on the Chef server. For example, I compared SHA256 checksums:

#ssh [email protected] sha256sum /root/.chef/trusted_certs/chef_example_com.crt
#sha256sum /root/.chef/trusted_certs/chef_example_com.crt
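
An added example (not from the original post): sha256sum over the files only agrees when both copies are byte-identical, so a copy with different line endings reports a false mismatch. The functions below compare the SHA-256 of the decoded certificate bytes instead, which is the certificate's SHA-256 fingerprint; cert_fp, certs_match, write_pem and the sample data are names and constructed input assumed for this illustration.

```shell
#!/bin/sh
# Added example: compare certificates by SHA-256 fingerprint of their DER bytes.

# cert_fp FILE -> hex SHA-256 of the first certificate block's decoded bytes.
cert_fp() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; next }
        /-----END CERTIFICATE-----/   { exit }
        inside                        { print }
    ' "$1" | tr -d ' \t\r\n' | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# certs_match FETCHED REFERENCE -> status 0 only if both hold the same certificate.
certs_match() {
    a=$(cert_fp "$1")
    b=$(cert_fp "$2")
    # The hash of empty input means no certificate block was found: fail closed.
    empty=$(printf '' | sha256sum | cut -d' ' -f1)
    [ "$a" != "$empty" ] && [ "$a" = "$b" ]
}

# write_pem TEXT -> PEM-framed constructed bytes (sample data, not a real certificate).
write_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s' "$1" | base64
    printf '%s\n' '-----END CERTIFICATE-----'
}

# demo: same certificate with CRLF line endings matches; a different one does not.
demo() {
    d=$(mktemp -d)
    write_pem 'constructed bytes standing in for the server certificate' > "$d/server.crt"
    awk '{ printf "%s\r\n", $0 }' "$d/server.crt" > "$d/fetched.crt"
    write_pem 'constructed bytes standing in for another certificate' > "$d/other.crt"
    if certs_match "$d/fetched.crt" "$d/server.crt"; then echo "fetched.crt: MATCH"; fi
    if ! certs_match "$d/other.crt" "$d/server.crt"; then
        echo "other.crt: MISMATCH, do not trust"
    fi
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The reference file has to come from the Chef server over a channel you already trust, such as the SSH/SCP copy the error message recommends.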

Now check knife client list again.

# knife client list
chef-validator
chef-webui