Tuesday, 3 January 2017

Appendix B. Hosted Enterprise Chef

Hosted Enterprise Chef is the cloud-based version of Chef Server. You can sign up for Hosted Enterprise Chef at no cost to you to manage up to five nodes, more than enough for getting started with Chef Server.
Go to https://manage.opscode.com/signup to sign up for a Hosted Enterprise Chef account. Complete the required fields.
Upon submitting the form, you will be redirected to a page with helpful links and documentation. Click on the Download Starter Kit button as shown in Figure B-1. This will download a ZIP file containing all your authentication keys, as well as a pre-populated Chef repo.
Extract the archive and move the chef-repo folder into your home directory. The chef-repo directory should resemble the following:
chef-repo/
├── .chef
│   ├── <username>.pem
│   ├── <organization>-validator.pem
│   └── knife.rb
├── .gitignore
├── README.md
├── Vagrantfile
├── cookbooks
└── roles
Figure B-1. Hosted Enterprise Chef post-signup page

NOTE

If you do not see a .chef directory, you might need to enable the display of system files in your file manager. Because the .chef directory starts with a dot, some operating systems will hide its presence.
The .chef directory contains three important files:
  • <username>.pem
  • <organization>-validator.pem
  • knife.rb
<username> is the username you used when you signed up for your Hosted Chef Server account. <organization> is the name of the company or organization you used when signing up for Hosted Chef Server. If you registered with the username “seth” and the organization “houseofbacon”, your .chef directory would contain:
  • seth.pem
  • houseofbacon-validator.pem
  • knife.rb
The <username>.pem file is a unique identifier used to authenticate you against Chef Server. This should be treated like a password; do not share it with anyone, and do not alter the contents of the file.
The <organization>-validator.pem file is a unique identifier used to authenticate your organization against Chef Server. This should be treated like a password, but it must also be shared among all your Chef developers. Anyone needing access to your Chef organization will also need a copy of this file. Do not alter the contents of this file, either.
Unlike the .pem files, the knife.rb file is meant to be edited, altered, and customized. The knife.rb file is Ruby code, and Chef reads it each time a knife command is issued:
current_dir = File.dirname(__FILE__)
log_level                :info
log_location             STDOUT
node_name                "<username>"
client_key               "#{current_dir}/<username>.pem"
validation_client_name   "<organization>-validator"
validation_key           "#{current_dir}/<organization>-validator.pem"
chef_server_url          "https://api.opscode.com/organizations/<organization>"
cache_type               'BasicFile'
cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
cookbook_path            ["#{current_dir}/../cookbooks"]
As you can see, the knife.rb file sets some default configuration values, such as the log level, caching options, and cookbook paths. Additionally, the knife.rb configures client_key, validation_client_name, and validation_key. These values were automatically configured when you downloaded your starter kit. The chef_server_url configures the endpoint for Chef Server. Because we are using Hosted Enterprise Chef, this points to Opscode’s Chef API. If you were using Enterprise Chef or Open Source Chef Server, the URL would point to your Chef Server installation.
You can add other values to the knife.rb, such as EC2 credentials, proxy information, and encrypted data bag settings. Although certain pieces of the knife.rb will be common across your team, the contents of the file generally should be unique to you and your machine. However, unless you have access keys and passwords in your knife.rb, you do not need to treat it like a password.

Testing the Connection

You should run the following commands from inside the Chef repo. Open your terminal or command prompt, and make chef-repo the current working directory. If you placed your Chef repo in a different location, use that instead:
$ cd ~/chef-repo
Now you can use knife, the command-line tool for Chef Server, to test your connection and authentication against Chef Server. At the time of this writing, Chef does not provide a “connection test” command. However, asking Chef Server to list the clients will verify:
  • Your network can connect to Chef Server.
  • The authentication files are in the correct location.
  • The authentication files can be read by Chef.
  • The response from Chef Server is received by your workstation.
Issue the knife client list command on your terminal:
$ knife client list
Depending on the speed of your Internet connection, it might take a few seconds to get a response, but you should see the following:
$ knife client list
<organization>-validator
For example, if I named my Chef organization houseofbacon, the output would be:
$ knife client list
houseofbacon-validator
If you get an error, check the following:
  1. You can access https://api.opscode.com from a web browser.
  2. You are running commands from inside the chef-repo.
  3. The .chef directory contains two .pem files and a knife.rb.
  4. Your authentication files have the correct file permissions.
If you have confirmed the preceding steps and are still unable to connect to Chef Server, please consult the Chef online documentation.
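The following script is an added example, not part of the book or of Chef itself. It checks items 2 through 4 of the list above before you run knife: that the .chef directory is present, that it holds <username>.pem, <organization>-validator.pem and knife.rb, that each .pem still looks like a private key (the text warns against editing them), that the keys are not readable by group or others, and that knife.rb names the same user and validator as the key files. The repo path, username and organization are arguments; the function name check_chef_repo is the example's own.

```shell
#!/bin/sh
# Added example (not from the book or the Chef project): sanity-check a Hosted
# Chef starter kit before running `knife client list`.
# Usage: check_chef_repo <chef-repo-dir> <username> <organization>
check_chef_repo() {
  repo=$1 user=$2 org=$3 rc=0
  chef_dir="$repo/.chef"
  if [ ! -d "$chef_dir" ]; then
    echo "missing $chef_dir (run from inside chef-repo; dotfiles may be hidden)" >&2
    return 1
  fi
  # Item 3: two .pem files and a knife.rb must be present and readable
  for f in "$user.pem" "$org-validator.pem" knife.rb; do
    if [ ! -r "$chef_dir/$f" ]; then
      echo "missing or unreadable $chef_dir/$f" >&2
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] || return "$rc"
  for key in "$chef_dir/$user.pem" "$chef_dir/$org-validator.pem"; do
    # A key that was edited or truncated no longer carries a PEM header
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key"; then
      echo "$key does not look like a PEM private key" >&2
      rc=1
    fi
    # Item 4: ls -l columns 5-10 are the group and other permission bits.
    # The keys are credentials, so anything other than "------" is too open.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
      echo "$key is readable by group or others; run: chmod 600 $key" >&2
      rc=1
    fi
  done
  # knife.rb should reference the same user and validator as the key files
  if ! grep -q "node_name.*\"$user\"" "$chef_dir/knife.rb"; then
    echo "knife.rb node_name does not match $user" >&2
    rc=1
  fi
  if ! grep -q "validation_client_name.*\"$org-validator\"" "$chef_dir/knife.rb"; then
    echo "knife.rb validation_client_name does not match $org-validator" >&2
    rc=1
  fi
  return "$rc"
}

# Example invocation (constructed values from the text):
#   check_chef_repo ~/chef-repo seth houseofbacon && knife client list
```

A non-zero exit prints what is wrong on stderr, so the function can sit in front of knife in a shell alias or CI step.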
