[chef] Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: knife on windows


  • From: Maven User
  • Subject: [chef] Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: knife on windows
  • Date: Thu, 29 Sep 2011 10:44:29 -0400

It's finding the /etc/var/client.pem file, just not the client.rb it seems.  All the various chef directories scattered around for logging/pid/etc are all owned by chef/chef.

Also, the documentation says to run chef-client without sudo.  If I do it without sudo, I get the "cannot find config file" message.  If I do with sudo, I get the unauthorized message:

Generated at Thu Sep 29 10:42:54 -0400 2011
Net::HTTPServerException: 401 "Unauthorized"
/usr/lib/ruby/1.8/net/http.rb:2105:in `error!'
/usr/lib/ruby/vendor_ruby/chef/rest.rb:237:in `api_request'
/usr/lib/ruby/vendor_ruby/chef/rest.rb:288:in `retriable_rest_request'
/usr/lib/ruby/vendor_ruby/chef/rest.rb:218:in `api_request'
/usr/lib/ruby/vendor_ruby/chef/rest.rb:114:in `get_rest'
/usr/lib/ruby/vendor_ruby/chef/node.rb:603:in `load'
/usr/lib/ruby/vendor_ruby/chef/node.rb:587:in `find_or_create'
/usr/lib/ruby/vendor_ruby/chef/client.rb:234:in `build_node'
/usr/lib/ruby/vendor_ruby/chef/client.rb:151:in `run'
/usr/lib/ruby/vendor_ruby/chef/application/client.rb:239:in `run_application'
/usr/lib/ruby/vendor_ruby/chef/application/client.rb:229:in `loop'
/usr/lib/ruby/vendor_ruby/chef/application/client.rb:229:in `run_application'
/usr/lib/ruby/vendor_ruby/chef/application.rb:67:in `run'
/usr/bin/chef-client:25

The validation.pem and client.pem files are freshly generated (the validation.pem file was copied back from the chef-server).  From the chef-server webui, I regenerated the client.pem file and copied the contents into the client.pem file.

Any more clues?


On Thu, Sep 29, 2011 at 10:27 AM, Maven User wrote:
I've got a sinking suspicion it's not the file it's questioning, it's one of the other files like the pid or log or something else...

Digging...


On Thu, Sep 29, 2011 at 10:12 AM, Maven User wrote:
[Thu, 29 Sep 2011 10:08:36 -0400] WARN: *****************************************
[Thu, 29 Sep 2011 10:08:36 -0400] WARN: Can not find config file: /etc/chef/client.rb, using defaults.
[Thu, 29 Sep 2011 10:08:36 -0400] WARN: Permission denied - /etc/chef/client.rb
[Thu, 29 Sep 2011 10:08:36 -0400] WARN: *****************************************


:/etc/chef$ ls -lart
total 32
-rw-r--r--   1 chef chef  1679 2011-09-22 14:11 webui.pem
drwxr-xr-x 135 root root 12288 2011-09-28 17:08 ..
-rw-r--r--   1 chef chef  1679 2011-09-28 17:24 client.pem
-rw-r-----   1 chef chef  3008 2011-09-28 17:57 client.rb
-rw-r--r--   1 chef chef  1675 2011-09-29 08:04 validation.pem
drwxr-xr-x   2 chef chef  4096 2011-09-29 09:22 .

I'm just typing "chef-client".  If I do "sudo chef-client", I get this - even with the new validation.pem file:

:/etc/chef$ sudo chef-client
[Thu, 29 Sep 2011 10:10:11 -0400] INFO: *** Chef 0.10.4 ***
[Thu, 29 Sep 2011 10:10:12 -0400] INFO: HTTP Request Returned 401 Unauthorized: Failed to authenticate. Ensure that your client key is valid.
[Thu, 29 Sep 2011 10:10:12 -0400] FATAL: Stacktrace dumped to /var/cache/chef/chef-stacktrace.out
[Thu, 29 Sep 2011 10:10:12 -0400] FATAL: Net::HTTPServerException: 401 "Unauthorized"

I regenerated the client.pem file and that didn't help either :-/

On Thu, Sep 29, 2011 at 9:50 AM, Steven Danna wrote:
Hi Maven,

> When I run "chef-client", it reports it can't find client.rb and then attempts to connect to the chef-server via localhost (which is wrong).

If you are getting this error but are sure that the file exists and that you have permission to read it, check the line right below the line which says "Can not find config file..." to see if there is another error related to the contents of the config. Currently, you get the "Can not find config file..." anytime there is an error parsing the config file. (http://tickets.opscode.com/browse/CHEF-2012)

Cheers,

Steven

-- 
Steven Danna
Sent with Sparrow

On Thursday, September 29, 2011 at 5:08 AM, Maven User wrote:

Ok, validation.pem regenerated and copied over to my chef-client.

When I run "chef-client", it reports it can't find client.rb and then attempts to connect to the chef-server via localhost (which is wrong).

Do I need to run chef-client directly from /etc/chef?

Just so it's all clear, I'm trying to work my way through this.

I'm going to get chef-server and chef-client (both ubuntu) working healthy again, then go to using knife on ubuntu and see if that still works then go on to knife on windows then finally, knife on windows executing stuff on a chef-client on windows.

I'm still (back) on step 1.

On Thu, Sep 29, 2011 at 7:27 AM, Maven User wrote:
For sure - I'll give this a whirl - but why would this happen in the first place?

BTW - this mailing list is fantastic!

I've posted a few tantrums and you all have provided some great feedback.

I really want the chance to return the favor with up-to-date windows or other configuration options (and in the future some cookbooks).


On Wed, Sep 28, 2011 at 6:24 PM, Jessica Bourne wrote:
Hi Maven,

We recommend running chef-client with sudo, so it will have access to all of the files needed. As long as it's run with sudo, it shouldn't really matter who owns the files, but normally they are owned by root/root.

It sounds like you are running your own chef server, and the validation key needs to be regenerated on the server. You can do this by removing the validation key on the server, which is typically stored on the filesystem at /etc/chef/validation.pem and restarting the chef-server with these commands:

$ sudo rm /etc/chef/validation.pem
$ sudo /etc/init.d/chef-server restart

This will create a new key pair on both the disk and in the database, you can then copy it over to any clients that need to authenticate. Feel free to update this thread with some further updates if you continue to get errors afterwards.

Thanks,
Jessica


On Wed, Sep 28, 2011 at 2:53 PM, Maven User wrote:
When I try w/o sudo, I get this:

WARN: *****************************************

WARN: Can not find config file: /etc/chef/client.rb, using defaults.
WARN: Permission denied - /etc/chef/client.rb
WARN: *****************************************

When I try with sudo, I get this:


INFO: *** Chef 0.10.4 ***
INFO: HTTP Request Returned 401 Unauthorized: Failed to authenticate. Ensure that your client key is valid.
FATAL: Stacktrace dumped to /var/cache/chef/chef-stacktrace.out
FATAL: Net::HTTPServerException: 401 "Unauthorized"

I just regenerated the client.pem file, but it didn't help (it seems).

Any other suggestions?



On Thu, Sep 22, 2011 at 11:28 AM, Aaron Abramson wrote:
C:\chef>knife ssh "role:<role I want to do something with>" "sudo chef-client" -P <password>
<chefclient> knife sudo password:
Enter your password:
<chefclient>
<chefclient> [Thu, 22 Sep 2011 10:23:14 -0400] INFO: *** Chef 0.10.4 ***
<chefclient> [Thu, 22 Sep 2011 10:23:15 -0400] INFO: HTTP Request Returned 401 Unauthorized: Failed to authenticate. Ensure that your client key is valid.
<chefclient> [Thu, 22 Sep 2011 10:23:15 -0400] FATAL: Stacktrace dumped to /var/cache/chef/chef-stacktrace.out
<chefclient> [Thu, 22 Sep 2011 10:23:15 -0400] FATAL: Net::HTTPServerException: 401 "Unauthorized"


knife ssh "role:<my role>" "sudo chef-client" -P <mypass>

As Denis said, you're successfully connecting to the server with your user's password.  And you can see that it executed "sudo chef-client", and then was waiting for input for the "sudo password".

Update your sudoers file to grant passwordless sudo access for your user.


But, since you're not defining a username for knife ssh (i.e. -x ubuntu, or -x admin), knife is SSH'ing as root.  So your command really should be:

knife ssh "role:<my role>" "chef-client" -P <mypass>

Since you're already the root user on the remote machine, and have no need to "sudo" to gain superuser privileges again.



On Sep 22, 2011, at 10:02 AM, Denis Barishev wrote:


Hello Maven,

On 09/22/2011 06:26 PM, Maven User wrote:
Jessica - thank you so much!

The learning curve has felt very steep, these types of exchanges have helped me out a ton.

The final thread/step in this process is getting around having to specify my password when running knife.

So when I do something like:

C:\chef>knife ssh "role:<role I want to do something with>" "sudo chef-client"
WARNING: Failed to connect to node[<chefclient>] -- Net::SSH::AuthenticationFailed: <username>@<chefclient>

But when I do this:

C:\chef>knife ssh "role:<role I want to do something with>" "sudo chef-client" -P <password>
<chefclient> knife sudo password:
Enter your password:
<chefclient>
<chefclient> [Thu, 22 Sep 2011 10:23:14 -0400] INFO: *** Chef 0.10.4 ***
<chefclient> [Thu, 22 Sep 2011 10:23:15 -0400] INFO: HTTP Request Returned 401 Unauthorized: Failed to authenticate. Ensure that your client key is valid.
<chefclient> [Thu, 22 Sep 2011 10:23:15 -0400] FATAL: Stacktrace dumped to /var/cache/chef/chef-stacktrace.out
<chefclient> [Thu, 22 Sep 2011 10:23:15 -0400] FATAL: Net::HTTPServerException: 401 "Unauthorized"

Isn't the authorization handled via the pem files or do I need to set up ssh keys as well?


As I can see, you have successfully run a knife ssh command by supplying the right password. You must provide knife ssh with either a password or pem key path (-i option). Here you can see that knife ssh has sshed into the node and tried to run chef-client there but it failed. The reason is probably that you haven't configured chef-client there. Make sure you have the right chef configuration directory with client.rb and validation/client key on the remote machine.

Denis


On Wed, Sep 21, 2011 at 4:41 PM, Jessica Bourne wrote:
Hi Maven,

I completely agree, we've been working on separating instructions based on OS as well as type of install (client vs workstation). This should make it clearer what is needed to run both. Client has chef-client configured so they can run recipes, and workstations have knife configured so they can manage the nodes. It isn't necessary to run both on a node unless you want to run recipes on it and manage other nodes from it. The directions currently explain how to set the node up with both, but it may not be needed depending on what you want to do with your install.

The instructions on the Installation on Windows page will guide you through almost everything you need for a workstation, except for SSH and bootstrapping new nodes from it. I'd recommend installing the gems on the knife page, you will definitely need at least the net-ssh packages to use SSH. Afterwards you can confirm you can SSH, and then follow the knife windows bootstrap guide to bootstrap new nodes with knife if needed. The gems really should be included on the Installation on Windows page to make this clearer.

The knife windows bootstrap page is separate because not everyone who installs Windows will need to bootstrap new Windows nodes. This page can be used on Mac or Linux as well, to bootstrap new Windows nodes from that workstation instead. If you do decide to bootstrap new nodes from this machine you will need 1.9.X, but otherwise you can use Ruby 1.8.7 without issues. It really just depends on how you'd like to have your nodes managed. 

If you have a Mac or Linux machine available, you could always just try setting it up as the workstation instead and then using the knife-windows bootstrap plugin to bootstrap new nodes as clients from it as there is a bit more documentation on those OSes right now. If you did it this way no configuration should be needed on the Windows machine except for SSH or WinRM access, and the bootstrap plugin would install ruby, gems, and chef-client. It would not configure knife though, so you'd need to manage the nodes from the Linux/Mac workstation in this type of setup.

If you're still getting errors after installing those gems on Windows, feel free to update this thread with some more information on the errors you are getting. 

Thanks,
Jessica


On Wed, Sep 21, 2011 at 10:15 AM, Maven User wrote:
By the way - this page:

http://wiki.opscode.com/display/chef/Installation+on+Windows

Suggests ruby 1.8.7, but then this one: Requires 1.9.X+

:-/


On Wed, Sep 21, 2011 at 9:44 AM, Maven User wrote:
Cool - I'd love to help out in any way to document this process (it's been pretty painful).

FWIW - it'd be HUGELY helpful if all instructions for each platform were organized by platform.

Right now, there are "how to setup chef on windows", a "knife-windows" and then finally a generalized "knife" pages.  All of which have little bits needed to get things working successfully on windows (something I _still_ haven't managed).

Just so I'm clear - I can jump right to the link below to set up knife on windows?  Then I have to go to the generalized Knife page and also install those gems?


On Tue, Sep 20, 2011 at 6:35 PM, Jessica Bourne wrote:
Hi Maven,

We've actually been working on updating our installation instructions, including the documentation on Windows. They won't be completed for a few more weeks, but I'll be sure to review this thread once they are in draft so we can be sure your concerns are addressed.

The gems listed on the knife doc are necessary, some of them are what enable you to ssh from that node. If you're still getting errors after installing the gems on the knife page, feel free to respond to this thread with the command you are using and the error you are getting, as well as the Windows version. Without specific errors it can be difficult to figure out why knife ssh is failing on that node.

Knife-windows is used to bootstrap new windows nodes, more information on it can be found on this wiki page: http://wiki.opscode.com/display/chef/Knife+Windows+Bootstrap

Thanks,
Jessica


On Tue, Sep 20, 2011 at 11:18 AM, Maven User wrote:
It gets even more confusing.

So it starts there but talks about knife-windows (is that absolutely necessary?) then if you click into the standard "knife" documentation, there's a big blue box that states "Knife requires some extra gems!" - are those required if you don't plan on doing any cloud work?  I've noticed on windows, I can't do "knife ssh" without errors but I'm done flailing and don't want to just run off and start installing gems.


On Tue, Sep 20, 2011 at 1:19 PM, Maven User wrote:
http://wiki.opscode.com/display/chef/Installation+on+Windows

??


On Tue, Sep 20, 2011 at 12:28 PM, Daniel DeLeo wrote:
On Monday, September 19, 2011 at 10:37 AM, Maven User wrote:
> Thanks again for all the tips up until this point - the documentation for knife usage on windows is really confusing.
>
> It just skips from running the client install/setup to running knife commands - nothing about the "knife configure -i" step.
>
> I'm also not sure if this is expected behavior but the windows guide talks about C:\chef\.chef yet knife creates a lot of things in ~/.chef (in windows).
>
> Do things need to be replicated between these two areas or did I make a mistake?
>
What documentation are you using?


--
Dan DeLeo
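
Added example, not part of the thread and not Chef's own code: a diagnostic for the point Steven Danna makes above, that the "Can not find config file" warning covers a missing file, an unreadable file, and a config that fails to parse. The function names are hypothetical, /etc/chef is the directory from the listing above, and `ruby -c` catches syntax errors only; the read-bit check shows what separates client.rb (-rw-r-----) from the .pem files in that listing.

```shell
#!/bin/sh
# Added example: the function names are hypothetical, not Chef tooling.

# Classify why chef-client might print "Can not find config file".
# Prints: missing | permission-denied | parse-error | ok | ok-unchecked
chef_config_status() {
    cfg=$1
    if [ ! -e "$cfg" ]; then
        echo missing
    elif [ ! -r "$cfg" ]; then
        # Matches the "Permission denied - /etc/chef/client.rb" warning.
        echo permission-denied
    elif ! command -v ruby >/dev/null 2>&1; then
        echo ok-unchecked            # no ruby available to check syntax
    elif ruby -c "$cfg" >/dev/null 2>&1; then
        echo ok                      # syntax only; runtime errors not covered
    else
        echo parse-error
    fi
}

# Succeeds when accounts outside the owner and group can read the file.
# Character 8 of the ls -l mode string is the "other" read bit.
others_can_read() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# Report the invoking user's view of a chef directory (default /etc/chef).
chef_dir_report() {
    dir=${1:-/etc/chef}
    echo "user=$(id -un) client.rb=$(chef_config_status "$dir/client.rb")"
    for f in "$dir"/*.pem "$dir"/client.rb; do
        [ -e "$f" ] || continue
        if others_can_read "$f"; then others=yes; else others=no; fi
        echo "$(ls -ld "$f" | awk '{print $1, $3 ":" $4}') $f others-can-read=$others"
    done
}

chef_dir_report "${1:-/etc/chef}"
```

Run it once as the login user and once under sudo; a different client.rb status between the two runs points at file permissions rather than at the contents of the config.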





















