问题
I'm trying to understand the concept of Chef clients and validators, and their relationship to the bootstrapping process.
According to this article, the chef-client will use the /etc/chef/validation.pem
private key to authenticate itself for the initial run, because /etc/chef/client.pem
doesn't exist yet. This initial run will, somehow, produce that client.pem
, which is then used for all subsequent client requests.
My questions:
- What process places the
/etc/chef/validation.pem
file on the chef-client node in the first place? The bootstrap? Can someone provide an example of a knife command that would do this? - Same question, but for the
/etc/chef/client.pem
file. - What dictates the names of the chef-client and its chef-validator?
回答1:
Answering your updated questions
1) Validation.Pem (and client.rb) would be created after the bootstrap process. you need to run the command(knife configure client) shown below in order to create those file. once those files are created in the ~/.chef directory you need to move them to /etc/chef
knife configure client ~/.chef
sudo su
mkdir -p /etc/chef
cp ~/.chef/client.rb /etc/chef
cp ~/.chef/validation.pem /etc/chef
and the output would be
Creating client configuration Writing client.rb Writing validation.pem
2) Client.pem will be created during the first chef-client run. Excerpts from the Chef Documenation
"During the first chef-client run, this(client.pem) private key does not exist. Instead, the chef-client will attempt to use the private key assigned to the chef-validator, located in /etc/chef/validation.pem. (If, for any reason, the chef-validator is unable to make an authenticated request to the Chef server, the initial chef-client run will fail.)"
For instance, I generally do it in the following manner. once the client is set up(for the first time) and I run the chef recipe on that node using chef-client command as below then it would automatically create client.pem
chef-client -o Cookbook_name::Recipe_Name
3) MAKE SURE YOUR HOSTNAME IS UNIQUE/CORRECT BEFORE DOING THIS. On Centos, change the /etc/sysconfig/network file and use /etc/init.d/network restart to rebind everything.
My answer to first question is the solution here. After running the command(generally this command is run after bootstrap)
knife configure client ~/.chef
the hostname of the client node would be automatically created in the chef-server.
Answers to your first and second questions(before editing the question)
1) Everything you see in the following link http://mychefserver.example.com/clients are the sent of nodes(physical machines) that are registered with that particular Chef-Server. Chef-Client is an agent that would be running on each of every node that is registered with the chef-server. Chef-client is used to run the recipes on the corresponding nodes. Below is the way to run the chef recipe on a node using chef client.
chef-client -o Cookbook_name::Recipe_Name
Putting all together clients are the set of nodes which are connected to chef-server chef-client is an agent running in all the nodes and is used to register the node with the chef-server in order to bring the node to the desired state. There are many other uses of chef-client. For details visit [Chef-Client][1] the documentation page.
2) A bootstrap is a process that installs the chef-client on a target system so that it can run as a chef-client and communicate with a Chef server.
To put in another way bootstrap process is the way to install chef-client on a node(hardware machine) and make that node as one of the client for that chef-server. only once the bootstrap process is completed that particular node will be visible in the clients list in your
http://mychefserver.example.com/clients
来源:https://stackoverflow.com/questions/24788920/chef-clients-and-validators