On 09/22/2011 10:29 PM, Maven User wrote:

Never mind - I can see everything is running as root.

I've updated the pem files again from the master server but now it's choking on the client.rb file:

[Thu, 22 Sep 2011 14:11:48 -0400] WARN: *****************************************
[Thu, 22 Sep 2011 14:11:48 -0400] WARN: Can not find config file: /etc/chef/client.rb, using defaults.
[Thu, 22 Sep 2011 14:11:48 -0400] WARN: Permission denied - /etc/chef/client.rb
[Thu, 22 Sep 2011 14:11:48 -0400] WARN: *****************************************
[Thu, 22 Sep 2011 14:11:48 -0400] INFO: *** Chef 0.10.4 ***
[Thu, 22 Sep 2011 14:11:49 -0400] WARN: Failed to read the private key /etc/chef/client.pem: #<Errno::EACCES: Permission denied - /etc/chef/client.pem>
/usr/lib/ruby/vendor_ruby/chef/mixin/create_path.rb:49:in `mkdir': Permission denied - /var/chef (Errno::EACCES)

It says it can't find it (I can see it there) then it complains about permission denied but it's owned by root.

On the master server, I can see that the *.pem and rb files are owned by chef/chef - what did we do wrong with the chef-client?

Don't know what you mean - master server. The chef-client is always run as root, thus the pem files should be owned by root user. They should be root/root with 0600 permissions and it's the common practice for private key files.

However pem files for knife (those in your ~/.knife directory) can be owned by the user you are working under...

On Thu, Sep 22, 2011 at 2:13 PM, Maven User wrote:

I _think_ I see the issue - all the files on the node (which is ubuntu) are owned by root.

I think I have two choices, change them to chef/chef or use the "sudo" option.

?

Yeah, exactly. The best choice is to use sudo. Use knife ssh with the -x option and grant privileges to the specified user on the ubuntu node.

With sudo you can delegate fine-grained access to the command execution, so I personally prefer the sudo way.

Denis

On Thu, Sep 22, 2011 at 11:28 AM, Aaron Abramson wrote:

C:\chef>knife ssh "role:<role I want to do something with>" "sudo chef-client" -P <password>
<chefclient> knife sudo password:
Enter your password:
<chefclient>
<chefclient> [Thu, 22 Sep 2011 10:23:14 -0400] INFO: *** Chef 0.10.4 ***
<chefclient> [Thu, 22 Sep 2011 10:23:15 -0400] INFO: HTTP Request Returned 401 Unauthorized: Failed to authenticate. Ensure that your client key is valid.
<chefclient> [Thu, 22 Sep 2011 10:23:15 -0400] FATAL: Stacktrace dumped to /var/cache/chef/chef-stacktrace.out
<chefclient> [Thu, 22 Sep 2011 10:23:15 -0400] FATAL: Net::HTTPServerException: 401 "Unauthorized"

knife ssh "role:<my role>" "sudo chef-client" -P <mypass>

As Denis said, you're successfully connecting to the server with your user's password. And you can see that it executed "sudo chef-client", and then was waiting for input for the "sudo password".

Update your sudoers file to grant passwordless sudo access for your user.

But, since you're not defining a username for knife ssh (ie -x ubuntu, or -x admin), knife is SSH'ing as root. So your command really should be:

knife ssh "role:<my role>" "chef-client" -P <mypass>

Since you're already the root user on the remote machine, and have no need to "sudo" to gain superuser privileges again.

On Sep 22, 2011, at 10:02 AM, Denis Barishev wrote:

Hello Maven,

On 09/22/2011 06:26 PM, Maven User wrote:

Jessica - thank you so much!

The learning curve has felt very steep, these types of exchanges have helped me out a ton.

The final thread/step in this process is getting around having to specify my password when running knife.

So when I do something like:

C:\chef>knife ssh "role:<role I want to do something with>" "sudo chef-client"
WARNING: Failed to connect to node[<chefclient>] -- Net::SSH::AuthenticationFailed: <username>@<chefclient>

But when I do this:

C:\chef>knife ssh "role:<role I want to do something with>" "sudo chef-client" -P <password>
<chefclient> knife sudo password:
Enter your password:
<chefclient>
<chefclient> [Thu, 22 Sep 2011 10:23:14 -0400] INFO: *** Chef 0.10.4 ***
<chefclient> [Thu, 22 Sep 2011 10:23:15 -0400] INFO: HTTP Request Returned 401 Unauthorized: Failed to authenticate. Ensure that your client key is valid.
<chefclient> [Thu, 22 Sep 2011 10:23:15 -0400] FATAL: Stacktrace dumped to /var/cache/chef/chef-stacktrace.out
<chefclient> [Thu, 22 Sep 2011 10:23:15 -0400] FATAL: Net::HTTPServerException: 401 "Unauthorized"

Isn't the authorization handled via the pem files or do I need to set up ssh keys as well?

As I can see you have successfully run a knife ssh command by supplying the right password. You must provide knife ssh with either a password or pem key path (-i option). Here you can see that knife ssh has sshed into the node and tried to run chef-client there but it failed. The reason is probably that you haven't configured chef-client there. Make sure you have the right chef configuration directory with client.rb and validation/client key on the remote machine.

Denis

On Wed, Sep 21, 2011 at 4:41 PM, Jessica Bourne wrote:

Hi Maven,

I completely agree, we've been working on separating instructions based on OS as well as type of install (client vs workstation). This should make it clearer what is needed to run both. Client has chef-client configured so they can run recipes, and workstations have knife configured so they can manage the nodes. It isn't necessary to run both on a node unless you want to run recipes on it and manage other nodes from it. The directions currently explain how to set the node up with both, but it may not be needed depending on what you want to do with your install.

The instructions on the Installation on Windows page will guide you through almost everything you need for a workstation, except for SSH and bootstrapping new nodes from it. I'd recommend installing the gems on the knife page, you will definitely need at least the net-ssh packages to use SSH. Afterwards you can confirm you can SSH, and then follow the knife windows bootstrap guide to bootstrap new nodes with knife if needed. The gems really should be included on the Installation on Windows page to make this clearer.

The knife windows bootstrap page is separate because not everyone who installs Windows will need to bootstrap new Windows nodes. This page can be used on Mac or Linux as well, to bootstrap new Windows nodes from that workstation instead. If you do decide to bootstrap new nodes from this machine you will need 1.9.X, but otherwise you can use Ruby 1.8.7 without issues. It really just depends on how you'd like to have your nodes managed.

If you have a Mac or Linux machine available, you could always just try setting it up as the workstation instead and then using the knife-windows bootstrap plugin to bootstrap new nodes as clients from it as there is a bit more documentation on those OSes right now. If you did it this way no configuration should be needed on the Windows machine except for SSH or WinRM access, and the bootstrap plugin would install ruby, gems, and chef-client. It would not configure knife though, so you'd need to manage the nodes from the Linux/Mac workstation in this type of setup.

If you're still getting errors after installing those gems on Windows, feel free to update this thread with some more information on the errors you are getting.

Thanks,
Jessica

On Wed, Sep 21, 2011 at 10:15 AM, Maven User wrote:

By the way - this page:
http://wiki.opscode.com/display/chef/Installation+on+Windows
Suggests ruby 1.8.7, but then this one:
Requires 1.9.X+

:-/

On Wed, Sep 21, 2011 at 9:44 AM, Maven User wrote:

Cool - I'd love to help out in any way to document this process (it's been pretty painful).

FWIW - it'd be HUGELY helpful if all instructions for each platform were organized by platform.

Right now, there are "how to setup chef on windows", a "knife-windows" and then finally a generalized "knife" pages. All of which have little bits needed to get things working successfully on windows (something I _still_ haven't managed).

Just so I'm clear - I can jump right to the link below to set up knife on windows?

Then I have to go to the generalized Knife page and also install those gems?

On Tue, Sep 20, 2011 at 6:35 PM, Jessica Bourne wrote:

Hi Maven,

We've actually been working on updating our installation instructions, including the documentation on Windows. They won't be completed for a few more weeks, but I'll be sure to review this thread once they are in draft so we can be sure your concerns are addressed.

The gems listed on the knife doc are necessary, some of them are what enable you to ssh from that node. If you're still getting errors after installing the gems on the knife page, feel free to respond to this thread with the command you are using and the error you are getting, as well as the Windows version. Without specific errors it can be difficult to figure out why knife ssh is failing on that node.

Thanks,
Jessica

On Tue, Sep 20, 2011 at 11:18 AM, Maven User wrote:

It gets even more confusing.

So it starts there but talks about knife-windows (is that absolutely necessary?) then if you click into the standard "knife" documentation, there's a big blue box that states "Knife requires some extra gems!" - are those required if you don't plan on doing any cloud work?

I've noticed on windows, I can't do "knife ssh" without errors but I'm done flailing and don't want to just run off and start installing gems.

On Tue, Sep 20, 2011 at 1:19 PM, Maven User wrote:

http://wiki.opscode.com/display/chef/Installation+on+Windows

??

On Tue, Sep 20, 2011 at 12:28 PM, Daniel DeLeo wrote:

On Monday, September 19, 2011 at 10:37 AM, Maven User wrote:
> Thanks again for all the tips up until this point - the documentation for knife usage on windows is really confusing.
>
> It just skips from running the client install/setup to running knife commands - nothing about the "knife configure -i" step.
>
> I'm also not sure if this is expected behavior but the windows guide talks about C:\chef\.chef yet knife creates a lot of things in ~/.chef (in windows).
>
> Do things need to be replicated between these two areas or did I make a mistake?
>
What documentation are you using?

--
Dan DeLeo
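
The ownership and mode rule from the reply at the top of the thread (chef-client key files root/root with 0600) can be checked on a node with a short script. This is an added example, not part of the original thread; the function name `audit_chef_keys` and its output format are made up for illustration, and it assumes GNU `stat` as found on the Ubuntu node discussed.

```shell
#!/bin/sh
# Added example: audit a chef-client config directory against the rule
# stated in the thread (private key files owned by the account chef-client
# runs as, mode 0600). Assumes GNU stat; names here are illustrative.

# audit_chef_keys DIR [OWNER]
# Prints one "BAD <file>: <reason>" line per finding; returns 1 if any.
audit_chef_keys() {
    dir=$1
    want_owner=${2:-root}
    rc=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue          # glob matched nothing
        if [ -L "$f" ]; then
            # A symlinked key hides the real file's owner and mode.
            echo "BAD $f: symlink, audit the target instead"
            rc=1
            continue
        fi
        owner=$(stat -c '%U' "$f")
        mode=$(stat -c '%a' "$f")
        if [ "$owner" != "$want_owner" ]; then
            echo "BAD $f: owner is $owner, expected $want_owner"
            rc=1
        fi
        # 600 is the mode named in the thread; 400 is stricter and also
        # accepted. Anything else lets group/other touch the key or
        # carries unexpected bits.
        case $mode in
            600|400) ;;
            *) echo "BAD $f: mode is $mode, expected 600"
               rc=1 ;;
        esac
    done
    return $rc
}

# Typical use on a node, run as root:
#   audit_chef_keys /etc/chef root
```

A non-zero return with no owner findings points at mode drift only; the "Permission denied" lines in the log at the top of the thread are a different symptom, which the thread attributes to running chef-client without root privileges.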