How Do You Install and Configure Chef Client on a Linux Server in AWS or Azure?

Updated 11/9/17

Problem scenario

In AWS or Azure you have Linux instances that you want to be configured to use a Chef Server.  How do you install Chef client and configure it to work with a Chef server?

Solution
These directions have been tested in Azure (with an Ubuntu 16.x server as either the Chef client node or the Chef server) and AWS (with a Red Hat Enterprise Linux 7.x server as the Chef client node or the Chef server). This solution will install Chef InSpec on RHEL 8.x

Prerequisite:  This assumes you have access to the Chef Server and know where the organization permission file (e.g., orgname-validator.pem) is and user permission file (e.g., adminUser.pem) is.  To set up Chef server, see this posting.

Procedures
1.  From Chef client nodes you need the Chef server's URL to resolve without an IP address (i.e., you need an FQDN to route properly with TCP/IP operations).  For the chef client servers, do one of two things:

    a) Update the /etc/hosts file so the Chef server's FQDN maps to an IP address.  For AWS this would normally be the internal IP address of the Chef server.  

    b) If you do not want to configure the /etc/hosts file you may configure your Chef client machine (server or computer) to use a DNS server so the FQDN of the Chef server will resolve correctly.

2.    a)  On the Chef client, create the directory "/etc/chef" (with no quotes).

     b)  This substep only applies if your Chef server is in AWS.  (Your Chef client nodes could be on-premises or in Rackspace or Azure.)  Ensure that the AWS Security Group governing the Chef server allows TCP connections from the IP address of the Chef client server.  If the Chef client machine is also in AWS and will use an /etc/hosts file with the internal IP address of the Chef server, then the Security Group protecting the Chef server should allow for inbound connections from the internal IP address of the Chef client server.  If the Chef client machine in AWS will map the FQDN of the Chef server to its external IP address or if the Chef client machine is not in AWS, use the external IP address of the Chef client for the Security Group inbound rule.  Go directly to step 3 (and skip step 2.c).

       c)  This substep only applies if your Chef server is in Azure.  (Your Chef client nodes could be on-premises or in Rackspace or AWS.)  Ensure that the Network Security Group (NSG) for the Chef server allows TCP connections from the IP address of your workstation.  (Use ipchicken.com if you need to.)  You may be able to SSH into your Chef server, but by default the relevant NSG may restrict your ability to open a web UI connection from a web browser.  For non-Azure Chef client servers, you should also ensure that the NSG in Azure that controls and protects the Chef server allows for inbound connections from the Chef client servers' external IP addresses.

3.  From the server that will be configured as a Chef client, run this command:

sudo curl -L https://www.opscode.com/chef/install.sh | sudo bash

4.  From the Chef client machine, do the following.

    a) Create a client.rb file in /etc/chef/ with the following three lines:

chef_server_url  'https://<FQDN of Chef server>/organizations/contint'
validation_client_name 'contint-validator'
ssl_verify_mode :verify_none

    b) Replace <FQDN of Chef Server> with the FQDN of the Chef server.  Replace "contint" with your organization name.  Replace "contint-validator" with the name of your validator file.

5.    a) Open a web browser and go to the Chef server's URL or external IP address (e.g., http://<FQDN of Chef server>/organizations/nameOfOrganization).  (The browser must accept cookies from this Chef's web UI.)
    b) Go to Policy -> Clients.  
    c) Go to Create
    d) Enter the FQDN of the Chef client server.  (This can be found by using "hostname -f" on the Linux prompt of the Chef server.)
    e) Click "Create Client."
    f)  Copy the text in the window that pops up.  (Include "-----BEGIN RSA PRIVATE KEY-----" and everything beneath including the last line "----- END RSA PRIVATE KEY-----".)
    g) Go to the Chef client's command interface (e.g., Linux prompt). Go to /etc/chef/ and create a file named client.pem.  The contents should be the text from substep f above.

6.  Run a command like this (but substitute the <FQDN of Chef Server> appropriately, and substitute "contintnick" with your organization's nickname):

sudo chef-client -S https://<FQDN of Chef Server>/organizations/contintnick

# The "contintnick" would be whatever you used on the Chef server when you ran this command where "companynickname" is:

sudo chef-server-ctl org-create companynickname 'Continual Integration' --association_user contint --filename contint-validator.pem

Leave a comment

Your email address will not be published. Required fields are marked *