The Chef automation company has been in existence since 2008, bringing together developers and system administrators. Chef Infra is an open-source IaC (Infrastructure as Code) tool that eases administration, configuration, and allocation of resources across a network. Since its first release, the Chef fan base has grown immensely, with companies like Cheezburger, Facebook, Indiegogo, and Etsy adopting it.
Chef Infra, written in Ruby and Erlang, has a simple architecture consisting of the following:
- Workstation – This is the computer where you write Chef cookbooks and administer your nodes. All configurations are developed here.
- Chef server – Acts as the hub for all nodes and cookbooks. All configurations are uploaded here after development.
- Nodes – These are client machines managed by the Chef server. Normally they have the Chef client installed on them.
- Cookbooks – These hold values and data about the desired state of a node. They contain resources, recipes, attributes, templates, libraries, metadata, and everything else needed to build a functioning system.
Below is a diagram to aid in understanding the Chef architecture.
Chef Infra is preferred in automation because of the following:
- High availability – the Chef Infra server is highly available with fault tolerance, immediate and consistent search results, and accurate real-time data about your infrastructure.
- Graphical management console for the Chef Infra Server which eases administration.
- Compliance – Chef Automate creates customizable reports that identify compliance issues, security risks, and outdated software.
- Inbuilt taxonomy for all the basic resources required on a system as well as a defined mechanism to extend this taxonomy using the Ruby language
By following this guide to the end, you will gain the required knowledge on how to install Chef Infra Server, Workstation, and client on Debian 11 / Debian 10.
Getting Started
For this guide, ensure you have the following:
- Sudo access to your server.
- A hostname configured on your system
- 3 Debian 11 / Debian 10 servers
The 3 servers will serve the below tasks:
| Server | IP Address | Hostname |
|---|---|---|
| Chef Server | 192.168.205.4 | chef-server.geeksforgeeks.org |
| Chef Workstation | 192.168.205.14 | workstation.geeksforgeeks.org |
| Chef Client | 192.168.205.24 | chef-client.geeksforgeeks.org |
Configure the hostname on your Server as below.
##On Chef Server
sudo hostnamectl set-hostname chef-server.geeksforgeeks.org --static
If you do not have a valid domain name, add the Chef server's hostname to the /etc/hosts file as below.
- On all the 3 servers
$ sudo vi /etc/hosts
192.168.205.4 chef-server.geeksforgeeks.org chefserver
Now install the required dependencies.
sudo apt -y install git vim wget curl bash-completion
sudo apt update && sudo apt upgrade
sudo reboot
Step 1 – Configure NTP Time synchronization
Chef Infra Server is sensitive to clock drift, so the Debian system needs to be synchronized using the Network Time Protocol (NTP).
Begin by installing the Chrony package.
sudo apt -y install chrony
Set your local TimeZone.
sudo timedatectl set-timezone Africa/Nairobi
Now configure the pool list. For example for Kenya, use:
$ sudo vim /etc/chrony/chrony.conf
# pool 2.pool.ntp.org iburst //Comment out this line
server 0.ke.pool.ntp.org
server 1.africa.pool.ntp.org
server 3.africa.pool.ntp.org
# Allow NTP client access from local network.
allow 192.168.205.0/24
Get more pools from the NTP Pool project page.
Set NTP synchronization.
sudo timedatectl set-ntp true
Apply the changes made.
sudo systemctl restart chrony
You will be required to allow NTP through the firewall.
sudo ufw allow ntp
Restart the chronyd service.
sudo systemctl restart chronyd
Step 2 – Install Chef Infra Server on Debian 11 / Debian 10
Download the latest Chef Infra Server package from the Chef Infra Server downloads page. Alternatively, use the download link to pull the package as below.
VERSION="14.12.21"
wget https://packages.chef.io/files/stable/chef-server/${VERSION}/ubuntu/20.04/chef-server-core_${VERSION}-1_amd64.deb
Install the downloaded package.
sudo apt install ./chef-server-core_${VERSION}-1_amd64.deb
Sample output:
Selecting previously unselected package chef-server-core.
(Reading database ... 142930 files and directories currently installed.)
Preparing to unpack chef-server-core_14.11.36-1_amd64.deb ...
Unpacking chef-server-core (14.11.36-1) ...
Setting up chef-server-core (14.11.36-1) ...
Thank you for installing Chef Infra Server!
Run 'chef-server-ctl reconfigure' to configure your Chef Infra Server
For more information on getting started see https://docs.chef.io/server/
Once the installation is complete, reconfigure your Chef server.
sudo chef-server-ctl reconfigure
Proceed as below.
Documentation: https://docs.chef.io/server/
Patents: https://www.chef.io/patents
+---------------------------------------------+
Chef License Acceptance
Before you can continue, 3 product licenses
must be accepted. View the license at
https://www.chef.io/end-user-license-agreement/
Licenses that need accepting:
* Chef Infra Server
* Chef Infra Client
* Chef InSpec
Do you accept the 3 product licenses (yes/no)?
> yes
......
Running handlers:
Running handlers complete
Chef Infra Client finished, 409/858 resources updated in 04 minutes 00 seconds
Chef Infra Server Reconfigured!
Now check the status of the Chef Server components.
$ sudo chef-server-ctl status
run: bookshelf: (pid 19850) 32s; run: log: (pid 19358) 184s
run: elasticsearch: (pid 19817) 33s; run: log: (pid 19169) 220s
run: nginx: (pid 19803) 33s; run: log: (pid 19626) 41s
run: oc_bifrost: (pid 19707) 34s; run: log: (pid 19059) 237s
run: oc_id: (pid 19800) 33s; run: log: (pid 19097) 226s
run: opscode-erchef: (pid 19934) 32s; run: log: (pid 19502) 179s
run: postgresql: (pid 19696) 34s; run: log: (pid 18554) 253s
run: redis_lb: (pid 19649) 35s; run: log: (pid 20085) 31s
If you have UFW enabled, allow HTTP and HTTPS through the firewall.
sudo ufw allow http
sudo ufw allow https
Step 3 – Create an Administrator account and Organization
The admin account ensures communication between the server, workstations, and nodes. The syntax used is as below:
chef-server-ctl user-create USERNAME FIRST_NAME [MIDDLE_NAME] LAST_NAME EMAIL PASSWORD
We will set the variables first.
USERNAME="chefadmin"
FIRST_NAME="Chef"
LAST_NAME="Administrator"
EMAIL="[email protected]"
PASSWORD="Passw0rd"
KEY_PATH="/root/chefadmin.pem"
Now run the below command to create an admin user.
sudo chef-server-ctl user-create ${USERNAME} ${FIRST_NAME} ${LAST_NAME} ${EMAIL} ${PASSWORD} -f ${KEY_PATH}
Verify the user creation.
$ sudo chef-server-ctl user-list
chefadmin
pivotal
Proceed and create an organization to add the above user.
Normally the syntax below is used to create an organization.
chef-server-ctl org-create ORG_NAME "ORG_FULL_NAME" --association_user USERNAME --filename ORGANIZATION-validator.pem (options)
In the command above, remember:
- The name must begin with a lower-case letter or digit
- The full name must begin with a non-white space character
- The --association_user option will associate the user with the admins security group on the Chef server.
- The --filename option saves the RSA private key to the specified path.
- An RSA private key will be generated automatically. This is the chef-validator key and should be saved in a safe location.
For this case, my command will be as below.
sudo chef-server-ctl org-create neveropen 'neveropen, Inc.' \
--association_user chefadmin \
--filename /root/neveropen-validator.pem
View the organization list.
$ sudo chef-server-ctl org-list
neveropen
You can also verify that the RSA keys for the user and organization are available.
$ sudo find /root -name "*.pem"
/root/chefadmin.pem
/root/neveropen-validator.pem
Step 4 – Install and Configure the Chef Workstation.
The Chef Workstation is used to develop configurations and then push them to the Chef server.
It is installed by first downloading the latest package from the Chef Workstation downloads page.
Alternatively, identify the latest version and download it with Wget.
#On Debian 11
VERSION="22.1.745"
wget https://packages.chef.io/files/stable/chef-workstation/${VERSION}/debian/11/chef-workstation_${VERSION}-1_amd64.deb
#On Debian 10
VERSION="22.1.745"
wget https://packages.chef.io/files/stable/chef-workstation/${VERSION}/debian/10/chef-workstation_${VERSION}-1_amd64.deb
Install the package using the command:
sudo dpkg -i chef-workstation_${VERSION}-1_amd64.deb
Sample Output:
Selecting previously unselected package chef-workstation.
(Reading database ... 141880 files and directories currently installed.)
Preparing to unpack chef-workstation_22.1.745-1_amd64.deb ...
Unpacking chef-workstation (22.1.745-1) ...
Setting up chef-workstation (22.1.745-1) ...
The Chef Workstation App is available.
Launch the App by running 'chef-workstation-app'.
The App will then be available in the system tray.
Thank you for installing Chef Workstation!
You can find some tips on getting started at https://docs.chef.io/workstation/getting_started/
Verify the installation.
$ chef --version
Chef Workstation version: 22.1.745
Chef InSpec version: 4.52.9
Chef CLI version: 5.5.0
Chef Habitat version: 1.6.420
Test Kitchen version: 3.2.2
Cookstyle version: 7.26.1
Chef Infra Client version: 17.9.26
Knife is also installed.
$ knife --version
Chef Infra Client: 17.9.26
Now generate a Chef repo as below.
$ chef generate repo chef-repo
+---------------------------------------------+
Chef License Acceptance
Before you can continue, 3 product licenses
must be accepted. View the license at
https://www.chef.io/end-user-license-agreement/
Licenses that need accepting:
* Chef Workstation
* Chef Infra Client
* Chef InSpec
Do you accept the 3 product licenses (yes/no)?
> yes
Persisting 3 product licenses...
✔ 3 product licenses persisted.
+---------------------------------------------+
Generating Chef Infra repo chef-repo
Loading Chef InSpec profile files:
Loading Chef InSpec input files:
Loading Chef InSpec waiver files:
- Ensuring correct Chef Infra repo file content
Your new Chef Infra repo is ready! Type `cd chef-repo` to enter it.
Proceed and create a directory to store Knife configurations:
mkdir ~/chef-repo/.chef
cd chef-repo
Create a pair of RSA keys.
$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/thor/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/thor/.ssh/id_rsa
Your public key has been saved in /home/thor/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:wv055J+g9F6BTODc53tS9P+OBvC4KGCDJa9pNla0PVQ thor@debian
The key's randomart image is:
+---[RSA 4096]----+
| . |
| oEo |
| .o o . . |
| . o... o.+ . . |
| * +o S ++o . .|
| . B o. +..o+ .|
| = o ...*.+.. .|
| B ...o.= +...|
| + . ...o o...o|
+----[SHA256]-----+
Copy the public key to your Chef server. Ensure root login is allowed.
$ ssh-copy-id root@192.168.205.4
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/thor/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.205.4's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.205.4'"
and check to make sure that only the key(s) you wanted were added.
Copy the .pem files from the Chef Server.
scp root@192.168.205.4:/root/*.pem ~/chef-repo/.chef/
View the copied keys.
$ ls ~/chef-repo/.chef
chefadmin.pem neveropen-validator.pem
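chefadmin.pem authenticates as an administrator and the validator key can register new clients, so the copies now on the workstation need the same care as the originals in /root. The following is an added example, not part of the original guide, that reports or tightens any .pem file under the .chef directory that group or others can access; the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: audit the private keys that
# were copied into the knife configuration directory.

# True when an octal mode (e.g. 600) grants nothing to group or others.
mode_is_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# audit_chef_keys DIR [--fix]
# Lists every *.pem in DIR that group or others can access. With --fix the
# file is tightened to 600 instead. Returns 0 when no loose key remains,
# 1 when at least one was only reported, 2 when DIR does not exist.
audit_chef_keys() {
    local dir="$1" fix="${2:-}" loose=0 f mode
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue              # glob matched nothing
        mode=$(stat -c '%a' "$f")            # GNU stat, as shipped on Debian
        mode_is_private "$mode" && continue
        if [ "$fix" = "--fix" ]; then
            chmod 600 "$f" && echo "fixed $f ($mode -> 600)"
        else
            echo "loose $f ($mode)"
            loose=1
        fi
    done
    return "$loose"
}

# Typical use on the workstation:
#   audit_chef_keys ~/chef-repo/.chef          # report only
#   audit_chef_keys ~/chef-repo/.chef --fix    # tighten in place
```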
Generate a Chef cookbook.
$ chef generate cookbook chef-first-cookbook
Hyphens are discouraged in cookbook names as they may cause problems with custom resources. See https://docs.chef.io/workstation/ctl_chef/#chef-generate-cookbook for more information.
Generating cookbook chef-first-cookbook
Loading Chef InSpec profile files:
Loading Chef InSpec input files:
Loading Chef InSpec waiver files:
- Ensuring correct cookbook content
..........
Why not start by writing an InSpec test? Tests for the default recipe are stored at:
test/integration/default/default_test.rb
If you'd prefer to dive right in, the default recipe can be found at:
recipes/default.rb
Step 5 – Configure Knife and Bootstrap a Client Node.
Bootstrapping a client node entails installing the Chef Infra Client on the client system so that communication between it and the Chef server can happen.
There are two ways to bootstrap a client node:
- Unattended install – bootstrap from the node without SSH or WinRM connectivity required
- knife bootstrap – from the Chef workstation
This guide demonstrates how to bootstrap a client node using the Knife bootstrap method.
Now on the Workstation node, create a config.rb file as below.
vim ~/chef-repo/.chef/config.rb
Add the below content replacing appropriately.
current_dir = File.dirname(__FILE__)
log_level :info
log_location STDOUT
node_name 'chefadmin'
# Resolve key paths relative to this file so knife works from any directory
client_key "#{current_dir}/chefadmin.pem"
validation_client_name 'neveropen-validator'
validation_key "#{current_dir}/neveropen-validator.pem"
chef_server_url 'https://chef-server.geeksforgeeks.org/organizations/neveropen'
cache_type 'BasicFile'
cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
cookbook_path ["#{current_dir}/../cookbooks"]
Remember to replace your Chef server and organization details appropriately. Save the file, then proceed to copy the SSL certificates.
$ cd ~/chef-repo
$ knife ssl fetch
WARNING: Certificates from chef-server.geeksforgeeks.org will be fetched and placed in your trusted_cert
directory (/home/thor/chef-repo/.chef/trusted_certs).
Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.
Adding certificate for chef-server_neveropen_com in /home/thor/chef-repo/.chef/trusted_certs/chef-server_neveropen_com.crt
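Knife's warning above is worth acting on, because `knife ssl fetch` trusts whatever certificate is presented on first contact. The following is an added example, not part of the original guide, that compares the SHA-256 fingerprint of the fetched certificate with a reference copy taken from the Chef server over the SSH key login set up earlier; the server-side certificate path and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: check that the certificate
# stored by `knife ssl fetch` matches a reference copy from the server.

# Print the SHA-256 fingerprint of a PEM certificate file as bare hex,
# or fail if the file is missing or is not a certificate.
cert_fingerprint() {
    local fp
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    # openssl prints "... Fingerprint=AB:CD:..."; keep only the hex digits.
    printf '%s\n' "${fp#*=}" | tr -d ':' | tr 'a-f' 'A-F'
}

# verify_fetched_cert FETCHED_CRT REFERENCE_CRT
# Returns 0 for the same certificate, 1 for a mismatch, 2 for bad input.
verify_fetched_cert() {
    local fetched reference
    fetched=$(cert_fingerprint "$1")   || { echo "cannot read $1" >&2; return 2; }
    reference=$(cert_fingerprint "$2") || { echo "cannot read $2" >&2; return 2; }
    if [ "$fetched" = "$reference" ]; then
        echo "match: $fetched"
        return 0
    fi
    echo "MISMATCH: fetched=$fetched reference=$reference" >&2
    return 1
}

# Usage on the workstation. The /var/opt/opscode/nginx/ca path is an
# assumption about where the server keeps its certificate; adjust it.
#   scp root@192.168.205.4:/var/opt/opscode/nginx/ca/chef-server.geeksforgeeks.org.crt /tmp/reference.crt
#   verify_fetched_cert ~/chef-repo/.chef/trusted_certs/chef-server_neveropen_com.crt /tmp/reference.crt
```

On a mismatch, delete the file from trusted_certs and investigate before running any further knife command against the server.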
Verify that config.rb is set up correctly.
$ knife client list
neveropen-validator
Now bootstrap your Chef Client node. In this case, the IP address is 192.168.205.24, so proceed as below.
cd ~/chef-repo/.chef
knife bootstrap 192.168.205.24 -x root -P ***** --node-name chef-client-node1
Remember, the root user is used because the bootstrap requires elevated privileges. Ensure root login is allowed on your Chef Client node.
Proceed as shown.
$ knife bootstrap 192.168.205.24 -x root -P ***** --node-name chef-client-node1
-x/--winrm-user: This flag is deprecated. Use -U/--connection-user instead.
Connecting to 192.168.205.24 using ssh
The authenticity of host '192.168.205.24 ()' can't be established.
fingerprint is SHA256:5iGXeB0Fr2zfznkmmGv8ZDIL5SdHk6nXGKt7vSf1Ufg.
Are you sure you want to continue connecting
? (Y/N) y
The bootstrap process happens as below:
Once complete, verify if the node has been added.
$ knife node list
chef-client-node1
You can also view more information about the node as below.
knife node show chef-client-node1
Step 6 – (Optional) Install Chef Manage.
Chef Manage offers a web interface where you can manage Chef server tasks. It is installed as below.
On the Chef server, download the Chef Manage package from the Chef Manage downloads page.
VER="3.2.43"
wget https://packages.chef.io/files/stable/chef-manage/${VER}/ubuntu/20.04/chef-manage_${VER}-1_amd64.deb
Install the package as below:
$ sudo dpkg -i chef-manage_${VER}-1_amd64.deb
Selecting previously unselected package chef-manage.
(Reading database ... 199475 files and directories currently installed.)
Preparing to unpack chef-manage_3.2.35-1_amd64.deb ...
Unpacking chef-manage (3.2.35-1) ...
Setting up chef-manage (3.2.35-1) ...
Thank you for installing the Chef Management Console add-on!
The next step in the process is to run:
chef-manage-ctl reconfigure
Reconfigure the Chef server and add-ons as below.
sudo chef-server-ctl reconfigure
sudo chef-manage-ctl reconfigure
Once complete, access the Web UI using the URL https://serverip/login. On the login page, provide the credentials for the Admin user created in step 3.
You should be able to see the Chef dashboard with the client node added as below.
Conclusion.
This guide has provided you with the basic knowledge to get started with Chef Infra. I hope you found this guide on how to install Chef Infra Server on Debian 11 / Debian 10 thrilling.