Beginning to configure Chef
Setup
First, you can sign up for the free hosting service for 5 servers, which eliminates the need to screw around setting up the server infrastructure:
https://cookbooks.opscode.com/users/new
Second, go through the five step tutorial here:
http://help.opscode.com/faqs/start/how-to-get-started
Configuring ~/.chef
The opscode instructions have you create ~/chef-repo/.chef and put your knife.rb and
I prefer to move those files into ~/.chef so that I don't have to cd ~/chef-repo in order to use knife. You can also push out these config files in ~/.chef just like ~/.bashrc files so that you can use knife on different nodes. Of course, a hacker who gains root on any server holding your knife credentials can impersonate you to the chef server, so it may be wise to restrict your knife config to a small set of bastion servers. Obviously, chef can help you manage this config.
My ~/.chef/knife.rb looks like:
# knife's own logging
log_level :info
log_location STDOUT
# who you are to the chef server, and the private key that proves it
node_name "USERNAME"
client_key "#{ENV['HOME']}/.chef/USERNAME.pem"
# organization-wide validation key, only needed to register new clients
validation_client_name "ORGANIZATION-validator"
validation_key "#{ENV['HOME']}/.chef/ORGANIZATION-validator.pem"
chef_server_url "https://api.opscode.com/organizations/ORGANIZATION"
cache_type 'BasicFile'
cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
# where knife looks for cookbooks to upload
cookbook_path ["#{ENV['HOME']}/chef-repo/site-cookbooks"]
Here, USERNAME and ORGANIZATION should be replaced by your chef username and your organization’s name. You will also need to put your credentials in ~/.chef/USERNAME.pem (replace USERNAME by your username).
You have now configured knife to know who you are, where your credentials are, and configured some paths in your environment.
You should now be able to run commands like knife node list from any directory on the host you have configured.
I've also set up my cookbook_path as ~/chef-repo/site-cookbooks so that, from any directory, knife can find my cookbooks in order to upload them; you should change that to wherever your site's cookbooks live.
Adding New Nodes
Now, when you're done with that, to add a new node, you deploy these two files to the new node:
/etc/chef/client.rb - this points chef at the server
/etc/chef/validation.pem - your organization key, used to authenticate to the server the first time
Then become root and run chef-client to add the node to the server and create /etc/chef/client.pem.
Now you can run knife node list to see the newly added node.
You should protect /etc/chef by making it mode 0700 or something similar. Once /etc/chef/client.pem has been bootstrapped down from the server, you (or a chef recipe) can delete /etc/chef/validation.pem: it is the organization-wide key, so any host that keeps a copy can register new clients with your chef server.
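Here is a small script that enforces those two points on a bootstrapped node. It is an added example, not from the original post: the directory is passed as a parameter (normally /etc/chef) so it can be tried on a scratch copy first, and it deliberately refuses to remove validation.pem until client.pem exists.

```sh
#!/bin/sh
# Added example, not from the original post: lock down a node's Chef
# directory after bootstrap. DIR is a parameter (normally /etc/chef).

# audit_chef_dir DIR
# Returns 0 if the directory is clean, 1 (with warnings) otherwise:
#   - directory mode must be 0700 so only root can read the keys
#   - client.pem must be present and non-empty (bootstrap completed)
#   - validation.pem must be gone once client.pem exists, because it is the
#     organization-wide key and any host holding it can register clients
audit_chef_dir() {
    dir="$1"; rc=0
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    if [ "$mode" != "700" ]; then
        echo "WARN: $dir is mode $mode, expected 700" >&2; rc=1
    fi
    if [ ! -s "$dir/client.pem" ]; then
        echo "WARN: $dir/client.pem missing; node not bootstrapped yet" >&2; rc=1
    elif [ -f "$dir/validation.pem" ]; then
        echo "WARN: $dir/validation.pem still present after bootstrap" >&2; rc=1
    fi
    return $rc
}

# harden_chef_dir DIR
# Applies the fixes that audit_chef_dir checks for. validation.pem is only
# deleted once client.pem exists, so running this before chef-client has
# registered the node cannot break the bootstrap. Returns the audit result.
harden_chef_dir() {
    dir="$1"
    chmod 0700 "$dir"
    for f in "$dir"/client.pem "$dir"/validation.pem; do
        if [ -f "$f" ]; then chmod 0600 "$f"; fi
    done
    if [ -s "$dir/client.pem" ] && [ -f "$dir/validation.pem" ]; then
        rm -f "$dir/validation.pem"
        echo "removed $dir/validation.pem" >&2
    fi
    audit_chef_dir "$dir"
}
```

Run harden_chef_dir /etc/chef as root after the first chef-client run, or call audit_chef_dir /etc/chef from a periodic check to catch nodes that still carry the validation key.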
Summary
So, now you should have set up an account at opscode, successfully set up your organization, configured knife to be easy to use on your host, and bootstrapped a few hosts to use chef. Now you can move on to getting chef to do useful things.