- From: AJ Christensen <
>
- To:
- Subject: [chef] Re: problems retaining the chef-validator public RSA key
- Date: Wed, 22 Feb 2012 13:07:59 +1300
- Authentication-results: mr.google.com; spf=pass (google.com: domain of
designates 10.42.145.131 as permitted sender)
; dkim=pass
On 22 February 2012 13:04,
<
>
wrote:
>
>
hiya,
>
>
i'm having problems retaining the chef-validator public RSA key
>
across chef server builds. i want to retain this key, along with its
>
counterpart validation.pem which all my clients have registered
>
themselves with.
>
>
i'm building a server which can take the place of my primary chef
>
server in the event the primary dies. if the primary dies, i would
>
load the latest configs and couchdb dump onto the new one. but after
>
i load the couchdb dump, the resulting chef-validator public RSA key
>
on the new server does not match what i know to be the correct one.
>
(as seen with "knife client show chef-validator").
>
>
i show my steps below. am i doing something wrong?
>
>
also, i'll note that i've repeated these steps below multiple times.
>
usually the resulting chef-validator key is wrong, but *sometimes* after
>
it bakes, the key is *right*. so i'm seeing inconsistent behavior.
>
>
>
dump couchdb on primary chef server:
>
/usr/bin/couchdb-dump http://127.0.0.1:5984/chef ;| gzip -9c >
>
$BACKUPDIR/chef_couchdb.$STAMP.gz
>
>
new, pristine chef server installed with opscode debs:
>
>
/etc/init.d/chef-server stop
>
>
this removes /var/lib/couchdb/1.0.1/chef.couch:
>
curl -XDELETE http://127.0.0.1:5984/chef
>
>
at this point, if i try to load the couchdb dump, it won't load, throwing
>
errors like "Error: ('not_found', 'no_db_file')". i guess it needs
>
some kind of baseline /var/lib/couchdb/1.0.1/chef.couch. to provide
the problem is here where you start the Chef Server
Instead of doing that, do a
curl -XPUT
http://127.0.0.1:5984/chef/
Then load the couchdb dump. This will prevent the chef server from
initializing an empty database with a new validator and webui client
HTH
--AJ
>
that, i start chef-server again. a new /var/lib/couchdb/1.0.1/chef.couch
>
is created, and with that, new RSA keypairs generated, which i ultimately
>
want to replace with my current established set from the priamry
>
chef-server.
>
>
/etc/init.d/chef-server start
>
/etc/init.d/chef-server stop
>
>
now there's have /var/lib/couchdb/1.0.1/chef.couch. but this also
>
provided a *new* chef-validator RSA keypair, which i don't want. but
>
maybe the couchdb-load will overwrite it? let's see..
>
>
couchdb-load --input=chef_couchdb.latest http://127.0.0.1:5984/chef ;
>
--ignore-errors 1>couchdb-load.stdout 2>couchdb-load.stderr
>
>
copy into place the pems from the primary chef server:
>
>
cp /etc/chef/webui.pem.backup /etc/chef/webui.pem
>
cp /etc/chef/validation.pem.backup /etc/chef/validation.pem
>
>
>
fire it up:
>
>
/etc/init.d/chef-server start
>
>
knife client show chef-validator
>
... usually the key is wrong, sometimes right
>
>
>
tia,
>
kallen
>
Archive powered by MHonArc 2.6.16.