The Chef automation company has been in existence since 2008, bringing together developers and system administrators. Chef Infra is an open-source IaC (Infrastructure as Code) tool that eases the administration, configuration, and allocation of resources across a network. Ever since its first release, the Chef user base has grown immensely, with companies such as Cheezburger, Facebook, Indiegogo and Etsy adopting it.
Chef Infra, written in Ruby and Erlang, has a simple architecture consisting of the following:
- Workstation – the computer where you write Chef cookbooks and administer your nodes. All configurations are developed here.
- Chef server – acts as the hub for all nodes and cookbooks. All configurations are uploaded here once developed.
- Nodes – the client machines managed by the Chef server. Normally they have the Chef Infra Client installed on them.
- Cookbooks – these hold the values and data describing the desired state of a node. They contain resources, recipes, attributes, templates, libraries, metadata and everything else needed to build a functioning system.
Below is a diagram to aid in understanding the Chef architecture.
Chef Infra is preferred for automation because:
- High availability – the Chef Infra Server is highly available, with fault tolerance, immediate and consistent search results, and accurate real-time data about your infrastructure.
- A graphical management console for the Chef Infra Server eases administration.
- Compliance – Chef Automate creates customizable reports that identify compliance issues, security risks, and outdated software.
- An inbuilt taxonomy for all the basic resources required on a system, as well as a defined mechanism to extend this taxonomy using the Ruby language.
By following this guide to the end, you will gain the required knowledge on how to install Chef Infra Server, Workstation, and client on Debian 11 / Debian 10.
For this guide, ensure you have the following:
- Sudo access to your server.
- A hostname configured on your system
- 3 Debian 11 / Debian 10 servers
The 3 servers will serve the tasks below:

|Role|IP address|Hostname|
|---|---|---|
|Chef Server|192.168.205.4|chef-server.computingpost.com|
|Chef Workstation|(not listed)|(not listed)|
|Chef Client|192.168.205.24|chef-client.computingpost.com|
Configure the hostname on your server as below.
```bash
# On the Chef Server
sudo hostnamectl set-hostname chef-server.computingpost.com --static
```
If you do not have a valid domain name, map the hostnames to their IP addresses in /etc/hosts on all 3 servers, as below.
```bash
$ sudo vi /etc/hosts
192.168.205.4 chef-server.computingpost.com chefserver
```
Now install the required dependencies, update the system and reboot.
```bash
sudo apt -y install git vim wget curl bash-completion
sudo apt update && sudo apt upgrade
sudo reboot
```
Step 1 – Configure NTP Time synchronization
Chef Infra Server is sensitive to clock drift, so the Debian system must be synchronised using the Network Time Protocol (NTP).
Begin by installing the Chrony package.
```bash
sudo apt -y install chrony
```
Set your local time zone.
```bash
sudo timedatectl set-timezone Africa/Nairobi
```
Now configure the pool list. For example, for Kenya use:
```bash
$ sudo vim /etc/chrony/chrony.conf
```
```
# pool 2.pool.ntp.org iburst    # comment out this line
server 0.ke.pool.ntp.org
server 1.africa.pool.ntp.org
server 3.africa.pool.ntp.org
# Allow NTP client access from local network.
allow 192.168.205.0/24
```
Get more pools from the NTP Pool project page.
Enable NTP synchronization.
```bash
sudo timedatectl set-ntp true
```
Apply the changes made.
```bash
sudo systemctl restart chrony
```
If UFW is enabled, allow NTP through the firewall.
```bash
sudo ufw allow ntp
```
Restart the chronyd service.
```bash
sudo systemctl restart chronyd
```
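As an added example (not part of the original guide), the Ruby script below parses a chrony.conf and checks the two things this step relies on: that at least one time source is configured, and that the `allow` directive is no wider than the local subnet, since a bare `allow` with no network opens the daemon to every client. The sample configuration is constructed inline and the LAN prefix is an assumed parameter.

```ruby
require 'ipaddr'

# Constructed sample mirroring the chrony.conf edited in this step.
SAMPLE_CHRONY_CONF = <<~CONF
  # Use public servers from the pool.ntp.org project.
  # pool 2.pool.ntp.org iburst
  server 0.ke.pool.ntp.org
  server 1.africa.pool.ntp.org
  server 3.africa.pool.ntp.org
  # Allow NTP client access from local network.
  allow 192.168.205.0/24
  driftfile /var/lib/chrony/chrony.drift
CONF

# Return the active (uncommented) server, pool and allow directives.
# A bare "allow" (or "allow all") is recorded as 'all', which is how chrony treats it.
def parse_chrony_conf(text)
  conf = { servers: [], pools: [], allow: [] }
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip          # strip comments and whitespace
    next if line.empty?
    directive, *args = line.split
    case directive
    when 'server' then conf[:servers] << args.first
    when 'pool'   then conf[:pools] << args.first
    when 'allow'  then conf[:allow] << ((args.empty? || args == ['all']) ? 'all' : args.last)
    end
  end
  conf
end

# Findings worth acting on before relying on this host's clock: no time source
# at all, or an access rule wider than the LAN (the prefix is an assumed default).
def chrony_findings(conf, lan: '192.168.205.0/24')
  findings = []
  if conf[:servers].empty? && conf[:pools].empty?
    findings << 'no server or pool directive: the clock will not be synchronised'
  end
  lan_net = IPAddr.new(lan)
  conf[:allow].each do |rule|
    if rule == 'all'
      findings << 'bare "allow" grants NTP access to every client'
      next
    end
    begin
      net = IPAddr.new(rule)
      findings << "allow #{rule} is wider than the LAN #{lan}" unless lan_net.include?(net)
    rescue IPAddr::InvalidAddressError
      findings << "allow #{rule} is not a valid address or prefix"
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  conf = parse_chrony_conf(SAMPLE_CHRONY_CONF)
  puts "servers: #{conf[:servers].join(', ')}"
  findings = chrony_findings(conf)
  puts(findings.empty? ? 'no findings' : findings.join("\n"))
end
```

Run it against the real file with `parse_chrony_conf(File.read('/etc/chrony/chrony.conf'))`; the `allow` check only matters on the host that serves time to others, which in this guide is the one on the 192.168.205.0/24 network.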
Step 2 – Install Chef Infra Server on Debian 11 / Debian 10
Download the latest Chef Infra Server package from the Chef Infra Server downloads page. Alternatively, pull the package with wget using the download link, as below.
```bash
VERSION="14.12.21"
wget https://packages.chef.io/files/stable/chef-server/$VERSION/ubuntu/20.04/chef-server-core_$VERSION-1_amd64.deb
```
Install the downloaded package.
```bash
sudo apt install ./chef-server-core_$VERSION-1_amd64.deb
```
Sample output:
```
Selecting previously unselected package chef-server-core.
(Reading database ... 142930 files and directories currently installed.)
Preparing to unpack chef-server-core_14.11.36-1_amd64.deb ...
Unpacking chef-server-core (14.11.36-1) ...
Setting up chef-server-core (14.11.36-1) ...
Thank you for installing Chef Infra Server!

Run 'chef-server-ctl reconfigure' to configure your Chef Infra Server

For more information on getting started see https://docs.chef.io/server/
```
Once the installation is complete, reconfigure your Chef server.
```bash
sudo chef-server-ctl reconfigure
```
Accept the product licenses when prompted; the run ends as below.
```
Documentation: https://docs.chef.io/server/
Patents:       https://www.chef.io/patents

+---------------------------------------------+
            Chef License Acceptance

Before you can continue, 3 product licenses
must be accepted. View the license at
https://www.chef.io/end-user-license-agreement/

Licenses that need accepting:
  * Chef Infra Server
  * Chef Infra Client
  * Chef InSpec

Do you accept the 3 product licenses (yes/no)?

> yes

......
Running handlers:
Running handlers complete
Chef Infra Client finished, 409/858 resources updated in 04 minutes 00 seconds
Chef Infra Server Reconfigured!
```
Now check the status of the Chef Server components.
```bash
$ sudo chef-server-ctl status
run: bookshelf: (pid 19850) 32s; run: log: (pid 19358) 184s
run: elasticsearch: (pid 19817) 33s; run: log: (pid 19169) 220s
run: nginx: (pid 19803) 33s; run: log: (pid 19626) 41s
run: oc_bifrost: (pid 19707) 34s; run: log: (pid 19059) 237s
run: oc_id: (pid 19800) 33s; run: log: (pid 19097) 226s
run: opscode-erchef: (pid 19934) 32s; run: log: (pid 19502) 179s
run: postgresql: (pid 19696) 34s; run: log: (pid 18554) 253s
run: redis_lb: (pid 19649) 35s; run: log: (pid 20085) 31s
```
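The status output above is in runit's `sv status` format: one line per service, the main process first and its logger after the semicolon, with `run:` or `down:` as the state. As an added example (not from the original guide), the Ruby below parses that format into a hash and lists services that are down or that restarted recently, which on a server that has been up for hours usually means a crash loop. The sample output is constructed and includes one `down:` line that the guide's real output does not contain.

```ruby
# Constructed sample: the guide's output with oc_bifrost shown as down.
SAMPLE_STATUS = <<~OUT
  run: bookshelf: (pid 19850) 32s; run: log: (pid 19358) 184s
  run: elasticsearch: (pid 19817) 33s; run: log: (pid 19169) 220s
  run: nginx: (pid 19803) 33s; run: log: (pid 19626) 41s
  down: oc_bifrost: 3s, normally up; run: log: (pid 19059) 237s
  run: opscode-erchef: (pid 19934) 32s; run: log: (pid 19502) 179s
OUT

# Parse "<state>: <service>: (pid N) <secs>s; ..." lines.  A down service has
# no pid, so that group is optional.  Returns service => { state:, pid:, uptime: }.
def parse_chef_status(text)
  services = {}
  text.each_line do |line|
    main = line.split(';').first.strip               # ignore the logger half
    m = main.match(/\A(?<state>\w+): (?<name>[\w-]+): (?:\(pid (?<pid>\d+)\) )?(?<uptime>\d+)s/)
    next unless m
    services[m[:name]] = { state: m[:state], pid: m[:pid]&.to_i, uptime: m[:uptime].to_i }
  end
  services
end

# Names of services that are not running, or whose uptime is below a threshold
# (seconds).  min_uptime is an assumed tunable; 0 reports only down services.
def unhealthy_services(services, min_uptime: 0)
  services.reject { |_, s| s[:state] == 'run' && s[:uptime] >= min_uptime }.keys
end

if __FILE__ == $PROGRAM_NAME
  # On a real server: parse_chef_status(`sudo chef-server-ctl status`)
  status = parse_chef_status(SAMPLE_STATUS)
  bad = unhealthy_services(status)
  puts(bad.empty? ? 'all services running' : "not running: #{bad.join(', ')}")
end
```

Exit non-zero from a monitoring wrapper when `unhealthy_services` is non-empty; just after `reconfigure` every uptime is small, so apply the `min_uptime` threshold only on an established server.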
If you have UFW enabled, allow HTTP and HTTPS through the firewall.
```bash
sudo ufw allow http
sudo ufw allow https
```
Step 3 – Create an Administrator account and Organization
The admin account is used for communication between the server, workstations, and nodes. The syntax is as below:
```bash
chef-server-ctl user-create USERNAME FIRST_NAME [MIDDLE_NAME] LAST_NAME EMAIL PASSWORD
```
We will set the variables first.
```bash
USERNAME="chefadmin"
FIRST_NAME="Chef"
LAST_NAME="Administrator"
EMAIL="[email protected]computingpost.com"
PASSWORD="Passw0rd"
KEY_PATH="/root/chefadmin.pem"
```
Now run the command below to create the admin user.
```bash
sudo chef-server-ctl user-create $USERNAME $FIRST_NAME $LAST_NAME $EMAIL $PASSWORD -f $KEY_PATH
```
Verify the user creation.
```bash
$ sudo chef-server-ctl user-list
chefadmin
pivotal
```
Proceed and create an organization to add the above user to.
Normally the syntax below is used to create an organization.
```bash
chef-server-ctl org-create ORG_NAME "ORG_FULL_NAME" --association_user USERNAME --filename ORGANIZATION-validator.pem (options)
```
In the command above remember:
- The name must begin with a lower-case letter or digit.
- The full name must begin with a non-whitespace character.
- The --association_user option associates the user with the admins security group on the Chef server.
- The --filename option saves the RSA private key to the specified path.
- An RSA private key is generated automatically. This is the chef-validator key and should be saved in a safe location.
For this case, my command will be as below.
```bash
sudo chef-server-ctl org-create computingpost 'computingpost, Inc.' \
  --association_user chefadmin \
  --filename /root/computingpost-validator.pem
```
View the organization list.
```bash
$ sudo chef-server-ctl org-list
computingpost
```
You can also verify that the RSA keys for the user and organization are available.
```bash
$ sudo find /root -name "*.pem"
/root/chefadmin.pem
/root/computingpost-validator.pem
```
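The two .pem files are the credentials that give a workstation admin rights to the organization and let any host register itself as a node, so before copying them around it is worth checking they are what you expect. As an added example (not from the original guide), the Ruby below reports on a key file: missing, readable by group or others, not a parseable RSA private key, or shorter than 2048 bits. The demo keys are generated in a temporary directory and are constructed stand-ins for the server's chefadmin.pem and computingpost-validator.pem.

```ruby
require 'openssl'
require 'tmpdir'

# Problems with a Chef user or validator key file.  An empty array means the
# file exists, is mode 0600 (or tighter), and holds an RSA private key of
# at least 2048 bits.
def check_private_key(path)
  return ['file does not exist'] unless File.file?(path)
  problems = []
  mode = File.stat(path).mode & 0o777
  if (mode & 0o077) != 0
    problems << format('mode %04o allows group/other access; expected 0600', mode)
  end
  begin
    key = OpenSSL::PKey::RSA.new(File.read(path))
    problems << 'key is not a private key' unless key.private?
    problems << "key size #{key.n.num_bits} is below 2048 bits" if key.n.num_bits < 2048
  rescue OpenSSL::PKey::PKeyError
    problems << 'not a valid RSA key'
  end
  problems
end

# Constructed demonstration: a good key, a world-readable key, a file that is
# not a key, and a missing file.  Returns the findings for each.
def demo_key_checks
  Dir.mktmpdir do |dir|
    good = File.join(dir, 'chefadmin.pem')
    File.write(good, OpenSSL::PKey::RSA.new(2048).to_pem)
    File.chmod(0o600, good)

    loose = File.join(dir, 'computingpost-validator.pem')
    File.write(loose, OpenSSL::PKey::RSA.new(2048).to_pem)
    File.chmod(0o644, loose)                       # the mistake to catch

    junk = File.join(dir, 'junk.pem')
    File.write(junk, "not a key\n")
    File.chmod(0o600, junk)

    {
      good: check_private_key(good),
      loose: check_private_key(loose),
      junk: check_private_key(junk),
      missing: check_private_key(File.join(dir, 'nope.pem'))
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  # On the server: ARGV.each { |p| puts "#{p}: #{check_private_key(p).join('; ') }" }
  demo_key_checks.each { |name, findings| puts "#{name}: #{findings.empty? ? 'ok' : findings.join('; ')}" }
end
```

Run `ruby check_keys.rb /root/chefadmin.pem /root/computingpost-validator.pem` (the file name is assumed) on the server after Step 3; `chef-server-ctl` writes the keys as root, so the usual finding is a permissive mode after they have been copied with scp under a lax umask.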
Step 4 – Install and Configure the Chef Workstation.
The Chef Workstation is used to develop configurations and then push them to the Chef server.
It is installed by first downloading the latest package from the Chef Workstation downloads page.
Alternatively, identify the latest version and download it with wget.
```bash
# On Debian 11
VERSION="22.1.745"
wget https://packages.chef.io/files/stable/chef-workstation/$VERSION/debian/11/chef-workstation_$VERSION-1_amd64.deb

# On Debian 10
VERSION="22.1.745"
wget https://packages.chef.io/files/stable/chef-workstation/$VERSION/debian/10/chef-workstation_$VERSION-1_amd64.deb
```
Install the package using the command:
```bash
sudo dpkg -i chef-workstation_$VERSION-1_amd64.deb
```
Sample output:
```
Selecting previously unselected package chef-workstation.
(Reading database ... 141880 files and directories currently installed.)
Preparing to unpack chef-workstation_22.1.745-1_amd64.deb ...
Unpacking chef-workstation (22.1.745-1) ...
Setting up chef-workstation (22.1.745-1) ...
The Chef Workstation App is available.
Launch the App by running 'chef-workstation-app'.
The App will then be available in the system tray.

Thank you for installing Chef Workstation!
You can find some tips on getting started at https://docs.chef.io/workstation/getting_started/
```
Verify the installation.
```bash
$ chef --version
Chef Workstation version: 22.1.745
Chef InSpec version: 4.52.9
Chef CLI version: 5.5.0
Chef Habitat version: 1.6.420
Test Kitchen version: 3.2.2
Cookstyle version: 7.26.1
Chef Infra Client version: 17.9.26
```
Knife is also installed.
```bash
$ knife --version
Chef Infra Client: 17.9.26
```
Now generate a Chef repo as below.
```bash
$ chef generate repo chef-repo
+---------------------------------------------+
            Chef License Acceptance

Before you can continue, 3 product licenses
must be accepted. View the license at
https://www.chef.io/end-user-license-agreement/

Licenses that need accepting:
  * Chef Workstation
  * Chef Infra Client
  * Chef InSpec

Do you accept the 3 product licenses (yes/no)?

> yes

Persisting 3 product licenses...
✔ 3 product licenses persisted.

+---------------------------------------------+
Generating Chef Infra repo chef-repo
Loading Chef InSpec profile files:
Loading Chef InSpec input files:
Loading Chef InSpec waiver files:
- Ensuring correct Chef Infra repo file content

Your new Chef Infra repo is ready! Type `cd chef-repo` to enter it.
```
Proceed and create a directory to store the Knife configuration:
```bash
mkdir ~/chef-repo/.chef
cd chef-repo
```
Create an SSH key pair; it is used to copy the Chef keys from the server.
```bash
$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/thor/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/thor/.ssh/id_rsa
Your public key has been saved in /home/thor/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:wv055J+g9F6BTODc53tS9P+OBvC4KGCDJa9pNla0PVQ [email protected]
The key's randomart image is:
+---[RSA 4096]----+
|        .        |
|       oEo       |
|      .o o . .   |
|     . o... o.+ .|
|    * +o S ++o . |
|   . B o. +..o+ .|
|    = o ...*.+.. |
|     B ...o.= +..|
|    + . ...o o...|
+----[SHA256]-----+
```
Send the public key to your Chef server. Ensure root login is allowed.
```bash
$ ssh-copy-id root@192.168.205.4
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/thor/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.205.4's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.205.4'"
and check to make sure that only the key(s) you wanted were added.
```
Copy the .pem files from the Chef server.
```bash
scp root@192.168.205.4:/root/*.pem ~/chef-repo/.chef/
```
View the copied keys.
```bash
$ ls ~/chef-repo/.chef
chefadmin.pem  computingpost-validator.pem
```
Generate a Chef cookbook.
```bash
$ chef generate cookbook chef-first-cookbook
Hyphens are discouraged in cookbook names as they may cause problems with custom resources. See https://docs.chef.io/workstation/ctl_chef/#chef-generate-cookbook for more information.
Generating cookbook chef-first-cookbook
Loading Chef InSpec profile files:
Loading Chef InSpec input files:
Loading Chef InSpec waiver files:
- Ensuring correct cookbook content
..........

Why not start by writing an InSpec test? Tests for the default
recipe are stored at:

test/integration/default/default_test.rb

If you'd prefer to dive right in, the default recipe can be found at:

recipes/default.rb
```
Step 5 – Configure Knife and Bootstrap a Client Node.
Bootstrapping a client node means installing the Chef Infra Client on the client system so that it can communicate with the Chef server.
There are two ways to bootstrap a client node:
- Unattended install – bootstrap from the node itself, with no SSH or WinRM connectivity required.
- knife bootstrap – from the Chef Workstation.
This guide demonstrates how to bootstrap a client node using the knife bootstrap method.
Now, on the Workstation, create a config.rb file in ~/chef-repo/.chef as below.
Add the content below, replacing the values appropriately.
```ruby
current_dir = File.dirname(__FILE__)
log_level                :info
log_location             STDOUT
node_name                'chefadmin'
client_key               "chefadmin.pem"
validation_client_name   'computingpost-validator'
validation_key           "computingpost-validator.pem"
chef_server_url          'https://chef-server.computingpost.com/organizations/computingpost'
cache_type               'BasicFile'
cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
cookbook_path            ["#{current_dir}/../cookbooks"]
```
Remember to replace your Chef server and organization details appropriately. Save the file, then fetch the server's SSL certificate.
```bash
$ cd ~/chef-repo
$ knife ssl fetch
WARNING: Certificates from chef-server.computingpost.com will be fetched and placed in your trusted_cert
directory (/home/thor/chef-repo/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for chef-server_computingpost_com in /home/thor/chef-repo/.chef/trusted_certs/chef-server_computingpost_com.crt
```
Verify that config.rb is set up correctly.
```bash
$ knife client list
computingpost-validator
```
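config.rb is Ruby, not a data file: each line such as `node_name 'chefadmin'` is a method call that knife records as a setting. As an added example (not from the original guide and not Chef's own loader), the Ruby below mimics that with a small reader class whose `method_missing` captures every call, then validates the result the way a reviewer would before running `knife ssl fetch`: the server URL must be https and end in `/organizations/<org>` (org names start with a lower-case letter or digit, as in Step 3), and the two key files must exist next to config.rb. The sample config and stand-in key files are constructed in a temporary directory.

```ruby
require 'tmpdir'

# Stand-in for the knife config DSL: any unknown method with arguments is
# recorded as a setting (assumed behaviour for this demo, not Chef's code).
class KnifeConfigReader
  attr_reader :settings

  def initialize(path)
    @settings = {}
    @path = path
    instance_eval(File.read(path), path)   # __FILE__ inside the config is `path`
  end

  def method_missing(name, *args, &block)
    return super if args.empty?
    @settings[name] = args.size == 1 ? args.first : args
  end

  def dir
    File.dirname(@path)
  end
end

ORG_URL_PATTERN = %r{\Ahttps?://[^/]+/organizations/[a-z0-9][a-z0-9_-]*\z}

# Problems that would make knife fail or talk to the server insecurely.
def validate_knife_config(path)
  cfg = KnifeConfigReader.new(path)
  problems = []
  url = cfg.settings[:chef_server_url].to_s
  problems << 'chef_server_url must use https' unless url.start_with?('https://')
  problems << 'chef_server_url should end in /organizations/<org>' unless url.match?(ORG_URL_PATTERN)
  problems << 'node_name is not set' if cfg.settings[:node_name].to_s.empty?
  %i[client_key validation_key].each do |key|
    value = cfg.settings[key]
    if value.nil?
      problems << "#{key} is not set"
    elsif !File.file?(File.expand_path(value, cfg.dir))
      problems << "#{key} file #{value} not found next to config.rb"
    end
  end
  problems
end

# Constructed config matching the one in this step (single-quoted heredoc keeps #{...} literal).
SAMPLE_CONFIG = <<~'RB'
  current_dir = File.dirname(__FILE__)
  log_level :info
  log_location STDOUT
  node_name 'chefadmin'
  client_key "chefadmin.pem"
  validation_client_name 'computingpost-validator'
  validation_key "computingpost-validator.pem"
  chef_server_url 'https://chef-server.computingpost.com/organizations/computingpost'
  cache_type 'BasicFile'
  cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
  cookbook_path ["#{current_dir}/../cookbooks"]
RB

# Demo: validator key missing, then present, then an http:// URL.
def demo_config_validation
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'config.rb')
    File.write(path, SAMPLE_CONFIG)
    File.write(File.join(dir, 'chefadmin.pem'), "placeholder\n")   # constructed stand-in
    before = validate_knife_config(path)
    File.write(File.join(dir, 'computingpost-validator.pem'), "placeholder\n")
    after = validate_knife_config(path)
    insecure = File.join(dir, 'insecure.rb')
    File.write(insecure, SAMPLE_CONFIG.sub('https://', 'http://'))
    { before: before, after: after, insecure: validate_knife_config(insecure),
      settings: KnifeConfigReader.new(path).settings }
  end
end

if __FILE__ == $PROGRAM_NAME
  # On the workstation: validate_knife_config(File.expand_path('~/chef-repo/.chef/config.rb'))
  demo_config_validation.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The reader evaluates the file with `instance_eval`, so only run it on a config.rb you wrote yourself, exactly as knife would.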
Now bootstrap your Chef Client node. In this case the IP address is 192.168.205.24, so proceed as below.
```bash
cd ~/chef-repo/.chef
knife bootstrap 192.168.205.24 -x root -P ***** --node-name chef-client-node1
```
Remember, the root user is used for the elevated privileges required. Ensure root login is allowed on your Chef Client node.
Proceed as shown.
```bash
$ knife bootstrap 192.168.205.24 -x root -P ***** --node-name chef-client-node1
-x/--winrm-user: This flag is deprecated. Use -U/--connection-user instead.
Connecting to 192.168.205.24 using ssh
The authenticity of host '192.168.205.24 ()' can't be established.
fingerprint is SHA256:5iGXeB0Fr2zfznkmmGv8ZDIL5SdHk6nXGKt7vSf1Ufg.

Are you sure you want to continue connecting
? (Y/N) y
```
The bootstrap process then runs as below:
Once complete, verify that the node has been added.
```bash
$ knife node list
chef-client-node1
```
You can also view more information about the node as below.
```bash
knife node show chef-client-node1
```
Step 6 – (Optional) Install Chef Manage.
Chef Manage offers a web interface where you can manage Chef server tasks. It is installed as below.
On the Chef server, download the Chef Manage package from the Chef Manage downloads page.
```bash
VER="3.2.43"
wget https://packages.chef.io/files/stable/chef-manage/$VER/ubuntu/20.04/chef-manage_$VER-1_amd64.deb
```
Install the package as below:
```bash
$ sudo dpkg -i chef-manage_$VER-1_amd64.deb
Selecting previously unselected package chef-manage.
(Reading database ... 199475 files and directories currently installed.)
Preparing to unpack chef-manage_3.2.35-1_amd64.deb ...
Unpacking chef-manage (3.2.35-1) ...
Setting up chef-manage (3.2.35-1) ...
Thank you for installing the Chef Management Console add-on!

The next step in the process is to run:

chef-manage-ctl reconfigure
```
Reconfigure the Chef server and the add-on as below.
```bash
sudo chef-server-ctl reconfigure
sudo chef-manage-ctl reconfigure
```
Once complete, access the web UI at https://serverip/login. On the login page, provide the credentials for the admin user created in Step 3.
You should be able to see the Chef dashboard with the client node added as below.
This guide has provided you with the basic knowledge to get started with Chef Infra. I hope you found this guide on how to install Chef Infra Server on Debian 11 / Debian 10 useful.