- From: Vladimir Skubriev
- Subject: [chef] Re: Re: question about data bags - best practice
- Date: Tue, 06 Aug 2013 19:17:03 +0400
On 06.08.2013 18:37, Moser, Kevin wrote:
> Take a look at chef-vault (https://github.com/nordstrom/chef-vault). Keeps
> the data encrypted using the private key of the client itself.
This is a very interesting idea of crypt/decrypt with an existing
private key.
I understand that you proposed to use the chef private key -
/etc/chef/client.pem
Maybe just use the ecdsa ssh private key?
I think that ecdsa is more than enough.
Although the relationship with the chef server key is also a very good idea, of course.
> You are right however that setting the value into a node attribute persists
> that data, in a chef-client run, back to the chef server at the end of a
> successful run.
I.e. when chef runs my code, node attributes should be set up the right way.
And I don't need to run this code in all recipes. Only in the first recipe.
How long are these attributes still stored on the chef-server?
> You don't want to decrypt your passwords and then put them in an attribute.
Stop. How will I be able to set the attributes for the mysql cookbook,
for example
['mysql']['server_root_password']
['mysql']['server_repl_password']
['mysql']['server_debian_password']
I think that defining this attribute in a role is not a good idea. Maybe I am
not right. Because only the node has access to its attributes?
What is the procedure for obtaining the attributes associated with the host and the
private key that is stored on the client in /etc/chef/client.pem?
I think that between them there is a connection. But now I find it difficult
to understand this.
> You want to decrypt and use that value to define a resource at compile
> time.
Maybe yes, maybe not. I can't understand what is right.
> At the end of convergence that resource leaves memory and your decrypted
> values go away.
On the client after the chef run there will be nothing?
What else does chef-client clean up at the end of the run?
> Kevin
Thank you very much for the answers.
I am a newbie in chef. And want to understand it much more.
I have language barriers - excuse me for my bad English.
--
Best regards,
CVision Lab System Administrator
Vladimir Skubriev
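The mechanism Kevin points to (secrets encrypted with a shared key, that shared key wrapped with each client's own RSA key so only listed nodes can unwrap it) is shown below as an added, stand-alone Ruby example; it is not chef-vault's code and does not use the chef or chef-vault gems. The client keys are generated in place as stand-ins for `/etc/chef/client.pem`, and the node names and the `mysql` item contents are constructed sample values.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Hybrid encryption of a data bag item, in the style of chef-vault:
# the item JSON is encrypted under a fresh random AES-256-GCM key, and that
# key is wrapped (RSA-OAEP) for every client public key that should be able
# to read it. Nothing in the result is usable without one of those private keys.
def vault_encrypt(item_hash, client_pubkeys)
  shared_key = OpenSSL::Random.random_bytes(32)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = shared_key
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate(item_hash)) + cipher.final
  wrapped = client_pubkeys.transform_values do |pub|
    Base64.strict_encode64(
      pub.public_encrypt(shared_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING))
  end
  {
    'iv'   => Base64.strict_encode64(iv),
    'tag'  => Base64.strict_encode64(cipher.auth_tag), # GCM integrity tag
    'data' => Base64.strict_encode64(ciphertext),
    'keys' => wrapped # client name => shared key wrapped for that client
  }
end

# A node decrypts with its own private key (the /etc/chef/client.pem stand-in).
# The decrypted hash is returned to the caller and never written anywhere,
# which is the point of using it at compile time instead of in node attributes.
# A client whose name is not in the 'keys' map cannot recover the shared key.
def vault_decrypt(encrypted, client_name, client_privkey)
  wrapped = encrypted['keys'].fetch(client_name) do
    raise "#{client_name} is not authorised for this item"
  end
  shared_key = client_privkey.private_decrypt(
    Base64.strict_decode64(wrapped), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = shared_key
  cipher.iv = Base64.strict_decode64(encrypted['iv'])
  cipher.auth_tag = Base64.strict_decode64(encrypted['tag'])
  plaintext = cipher.update(Base64.strict_decode64(encrypted['data'])) + cipher.final
  JSON.parse(plaintext) # raises if the tag does not verify (tampered item)
end

# Constructed example: one node is allowed to read the mysql item, another is not.
db_node_key  = OpenSSL::PKey::RSA.new(2048)   # stand-in for db1's client.pem
web_node_key = OpenSSL::PKey::RSA.new(2048)   # stand-in for web1's client.pem
item = { 'id' => 'mysql', 'server_root_password' => 'constructed-sample-pw' }
ENCRYPTED_ITEM = vault_encrypt(item, 'db1.example.test' => db_node_key.public_key)
```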