This gets to some details about how the Chef ACL system works. Basically when a new object is created, the client creating it gets special permissions so the creator can write even if the default ACL would be read-only. This is how a client can write to its own node object but not any others. When you leave the existing node object, the new client only kind of gets those new permissions. Parts of it should work since it should have the same name as the old one, but there have been persistent issues like this due to old and inconsistent code in places.
On Jan 4, 2015, at 2:57 PM, Mark Selby < " target="_blank"> > wrote:
> I have recently upgraded from Chef open source server 11 to Chef Server 12
>
> We rebuild many of our hosts regularly.
>
> In the past we simply run a 'knife client delete <name>' and let the validator recreate the client upon bootstrap. We leave the node intact and it converges as per it's saved run_list.
>
> Under chef 12 when we try and do the same thing we get
>
> [2015-01-04T13:51:00-08:00] ERROR: 403 "Forbidden"
> [2015-01-04T13:51:00-08:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
>
> It appears that the server does not like the new client key in the sense that it is not associated with the old node.
>
> Any ideas how to get around this issue or suggestions for further debugging.
Short version: delete both the client and the node and use the -j option when you re-bootstrap to pass in the old data.
--Noah
Archive powered by MHonArc 2.6.16.