On Fri, 06 Dec 2013 18:00:45 +0400 Vladimir Skubriev wrote:

> I read a doc http://docs.opscode.com/chef_private_keys.html
>
> > Each node stores its private key locally.
>
> agreed
>
> > This private key is generated as part of the bootstrap process that
> > initially installs the chef-client on the node.
>
> How I understand it:
> During the bootstrap process the server generates ONLY two keys.
> One is saved only on the client - the private key (the private key is
> never saved on the server, only on the client) = /etc/chef/client.pem
> The other is saved only on the server - the public key (and we can see
> this key via the web interface, tab clients).
> OK?
>
> > The first time chef-client runs on that node, it uses the
> > chef-validator to authenticate, but then on each subsequent run it
> > uses the private key generated for that client by the server.
>
> How I understand it - now I have the nodes' private keys only on my
> nodes in /etc/chef/client.pem?
> How can I automate collecting these keys and putting them in the
> chef-repo/.chef folder, to back them up?
> There may be only two alternatives:

You don't. You simply don't. Secret/private keys are only functional
when only the owner has them. In the case of the client keys for Chef, only
the machine owning that key should have it. If someone else gets access
to that machine's key, they can do all sorts of funny things with that machine.

And you don't actually need a backup of that private key; it's only used
for that concrete machine to contact the Chef server. If that machine
has to be re-installed, you just delete that client (not the node, only
the client!) from the chef-server, and during the first run of
chef-client on the freshly installed machine, it uses the
validation key to re-register the client and create a new private key.
If the node name didn't change, it will pick up the run list and state
stored in Chef and re-create everything.

Of course, if you deleted the validation key from the nodes in between
(which you should do), you also have to place the validation key on the
node during install again.

Have fun,
Arnold
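As an added example (not part of the thread, and not Chef's own tooling), here is a small POSIX shell audit of the key-handling practice Arnold describes: the node's client private key stays on the node with owner-only permissions, the validation key is gone after the first chef-client run, and no node client.pem has been copied into a chef-repo checkout. The default paths (/etc/chef/client.pem, /etc/chef/validation.pem) and the repo layout are assumptions; the `find` pattern only looks for files named client.pem, so adapt it if your nodes use a different naming scheme.

```shell
#!/bin/sh
# Added example: audit of chef-client key material on a node and in a repo
# checkout. Not from the mailing-list thread and not Chef's own code.
# Assumed defaults: /etc/chef/client.pem (node private key) and
# /etc/chef/validation.pem (validation key, only needed for the first run).

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the client key exists and is readable by its owner only (0600 or 0400).
client_key_is_private() {
  key="${1:-/etc/chef/client.pem}"
  [ -f "$key" ] || { echo "missing client key: $key" >&2; return 1; }
  mode=$(file_mode "$key")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$key has mode $mode, expected 600 or 400" >&2; return 1 ;;
  esac
}

# Return 0 if the validation key is no longer present in the chef config directory.
# chef-client needs it only to register on the first run; afterwards it should be
# deleted from the node (and placed there again only for a re-install).
validation_key_removed() {
  dir="${1:-/etc/chef}"
  if [ -e "$dir/validation.pem" ]; then
    echo "validation key still present: $dir/validation.pem" >&2
    return 1
  fi
  return 0
}

# Return 0 if no node client key (client.pem) is lying around inside a chef-repo
# checkout. Workstation keys (user keys, *-validator.pem) are not node keys and
# are deliberately not matched here.
repo_has_no_client_keys() {
  repo="$1"
  found=$(find "$repo" -type f -name 'client.pem' 2>/dev/null)
  if [ -n "$found" ]; then
    echo "node private key(s) found in repo:" >&2
    echo "$found" >&2
    return 1
  fi
  return 0
}

# Run the node-side checks; the return value is the number of failed checks.
audit_node() {
  dir="${1:-/etc/chef}"
  failures=0
  client_key_is_private "$dir/client.pem" || failures=$((failures + 1))
  validation_key_removed "$dir" || failures=$((failures + 1))
  return "$failures"
}

# Usage: sh chef_key_audit.sh /etc/chef
if [ -n "${1:-}" ]; then
  if audit_node "$1"; then echo "ok"; else echo "problems found"; fi
fi
```

Run it on a node after the first converge; a non-zero count means either the key is readable by other users on the box or the validation key was never cleaned up. The repo check is meant for a pre-commit hook or CI job on the chef-repo, which is exactly where the thread says node keys must not end up.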