[chef] Re: Re: Question about Chef running as root


  • From: Lunixer
  • Subject: [chef] Re: Re: Question about Chef running as root
  • Date: Fri, 10 May 2013 09:53:11 -0700

In all docs I've read, the assumption is that one is working with Ubuntu. But that is not always the case.

There are slight differences when using, say, CentOS; the "--sudo" part didn't work for me. I had to use root to bootstrap a node.

Also, in CentOS 6.4, I had to disable selinux and stop iptables so I could access HTTPS from a remote web client. Don't know whether that's an issue in Ubuntu.

-lun


On Wed, May 8, 2013 at 1:50 PM, Nguyen, Dang wrote:
Just to clarify a couple of things I read in your email that could be part of the confusion:

  • when you run "knife bootstrap" against a target node, you can/should login as yourself and use the "--sudo" option. This option opens an SSH session under your login and then runs the rest of the bootstrap under the "sudo" environment that you specified. This is entirely do-able with EC2 where you'll ssh into the EC2 instance as the "ubuntu" user, for example, if you're running Ubuntu instances.
  • On the target node, there is an agent that runs, called the chef-client, that normally runs as root. Even if your node doesn't allow direct login as root, your chef-client can still run as root, and in most cases, for the tasks that the chef-client needs to do, this is almost a requirement. In theory, you can run the chef-client as another user, but you will need to work out the cascading permissions issues that will surely crop up. The chef-client runs under a pull model, where it will reach out to the chef server to get its set of instructions and other data that it'll need for the chef run (aka cookbooks, recipes, attributes, etc). Once it gets all that data from the server, it runs independently of the server and uploads some data back at the end of the run that reports on the new state of the node. The chef-client will need to access HTTPS 443 port to reach the server, so make sure your firewalls are playing nicely.
HTH,
Dang Nguyen
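As an added example (not code from this thread, and not part of Chef's own tooling), the shell helpers below capture the two practical points Dang and Lunixer raise: bootstrap over your own unprivileged login with "--sudo" (dropping it only when root is the sole usable login, as in the CentOS case), and check the one outbound port chef-client needs, HTTPS 443, before resorting to a blanket iptables stop or SELinux disable. Hostnames, node names and the key path are constructed placeholders; the knife flags used (-x, --sudo, -N, -i) are the 2013-era ones the thread refers to.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes knife bootstrap's -x/--ssh-user,
# --sudo, -N/--node-name and -i/--identity-file flags; all hosts are placeholders.

# Build the knife bootstrap command for one node.
# Log in as the user the image provides (ubuntu, ec2-user, ...) and add --sudo
# so the install itself runs as root. When root is the only login (the CentOS
# case above), --sudo is omitted: sudo is neither needed nor necessarily set up.
bootstrap_cmd() {
  node_fqdn="$1"; ssh_user="$2"; node_name="$3"; key_file="$4"
  cmd="knife bootstrap $node_fqdn -x $ssh_user -N $node_name"
  [ -n "$key_file" ] && cmd="$cmd -i $key_file"
  [ "$ssh_user" != "root" ] && cmd="$cmd --sudo"
  printf '%s\n' "$cmd"
}

# Run on the node before bootstrapping: --sudo stalls or fails if sudo
# prompts for a password. Returns 0 only when non-interactive sudo works.
sudo_preflight() {
  sudo -n true 2>/dev/null
}

# Outbound check for the single flow chef-client requires: TCP 443 to the
# Chef server. Narrow the firewall to this flow rather than stopping
# iptables or disabling SELinux outright.
chef_server_reachable() {
  host="$1"
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$host" 443
  else
    # bash fallback; a shell without /dev/tcp simply fails the check
    (exec 3<>"/dev/tcp/$host/443") 2>/dev/null
  fi
}

# Constructed usage: an EC2 Ubuntu node, and a CentOS node that only allows root.
bootstrap_cmd node.example.com ubuntu web1 ./ec2.pem
bootstrap_cmd centos.example.com root db1 ""
```

Run sudo_preflight on the target (as the bootstrap user) and chef_server_reachable from the target against the Chef server's FQDN; if the second fails, fix the specific firewall or SELinux rule blocking port 443 instead of turning either subsystem off.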



Hello all,

I'm fairly new to Chef. I stepped through some parts of the documentation to understand what Chef is all about, and I have a rough idea.

So I am working on a project now that already uses Chef to deploy to servers. I kind of jumped into the middle of it (it was all written by someone else). The way it currently works, from what I can see, is that when the scripts are run, it logs into the server as root, and then does what it needs to do based on json files. This has worked well so far, but now I am facing an issue with deploying to Amazon EC2 instances.

With Amazon EC2, we can't log in as root by default, only whatever user that is assigned (i.e. "ubuntu" for Ubuntu instances, "ec2-user" for RHEL etc.). I cannot change that at the moment, so I have to find another way to do it.

My question is: does Chef always run as root? Is there a way to bypass the root user altogether, and use another user with all the privileges? How would you recommend that I tackle this?

As I said, I'm very new to this so kindly bear with me.

Thank you!
