chef - [chef] problems retaining the chef-validator public RSA key

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] problems retaining the chef-validator public RSA key

From:
To: chef < >
Subject: [chef] problems retaining the chef-validator public RSA key
Date: Tue, 21 Feb 2012 16:04:12 -0800

hiya,

i'm having problems retaining the chef-validator public RSA key
across chef server builds. i want to retain this key, along with its
counterpart validation.pem which all my clients have registered
themselves with.

i'm building a server which can take the place of my primary chef
server in the event the primary dies. if the primary dies, i would
load the latest configs and couchdb dump onto the new one. but after
i load the couchdb dump, the resulting chef-validator public RSA key
on the new server does not match what i know to be the correct one.
(as seen with "knife client show chef-validator").

i show my steps below. am i doing something wrong?

also, i'll note that i've repeated these steps below multiple times.
usually the resulting chef-validator key is wrong, but *sometimes* after
it bakes, the key is *right*. so i'm seeing inconsistent behavior.

dump couchdb on primary chef server:
  /usr/bin/couchdb-dump http://127.0.0.1:5984/chef ;| gzip -9c >
$BACKUPDIR/chef_couchdb.$STAMP.gz

new, pristine chef server installed with opscode debs:

  /etc/init.d/chef-server stop

this removes /var/lib/couchdb/1.0.1/chef.couch:
  curl -XDELETE http://127.0.0.1:5984/chef

at this point, if i try to load the couchdb dump, it won't load, throwing
errors like "Error: ('not_found', 'no_db_file')". i guess it needs
some kind of baseline /var/lib/couchdb/1.0.1/chef.couch. to provide
that, i start chef-server again. a new /var/lib/couchdb/1.0.1/chef.couch
is created, and with that, new RSA keypairs generated, which i ultimately
want to replace with my current established set from the priamry
chef-server.

  /etc/init.d/chef-server start
  /etc/init.d/chef-server stop

now there's have /var/lib/couchdb/1.0.1/chef.couch. but this also
provided a *new* chef-validator RSA keypair, which i don't want. but
maybe the couchdb-load will overwrite it? let's see..

  couchdb-load --input=chef_couchdb.latest http://127.0.0.1:5984/chef ;
--ignore-errors 1>couchdb-load.stdout 2>couchdb-load.stderr

copy into place the pems from the primary chef server:

  cp /etc/chef/webui.pem.backup /etc/chef/webui.pem
  cp /etc/chef/validation.pem.backup /etc/chef/validation.pem

fire it up:

  /etc/init.d/chef-server start

  knife client show chef-validator
... usually the key is wrong, sometimes right

tia,
kallen

[chef] problems retaining the chef-validator public RSA key, kallen, 02/21/2012
- [chef] Re: problems retaining the chef-validator public RSA key, AJ Christensen, 02/21/2012
  - [chef] Re: Re: problems retaining the chef-validator public RSA key, kallen, 02/21/2012
    - [chef] Re: Re: Re: problems retaining the chef-validator public RSA key, AJ Christensen, 02/21/2012
      - [chef] Re: Re: Re: Re: problems retaining the chef-validator public RSA key, kallen, 02/21/2012
        
        [chef] Re: Re: Re: Re: Re: problems retaining the chef-validator public RSA key, AJ Christensen, 02/21/2012