CHEF - Server, Workstation and Node Installation
Chef Server Installation
1. Install the chef-server-core package on the server, run reconfigure, and then check the service state with the status subcommand.
# rpm -ivh chef-server-core-12.6.0-1.el7.x86_64.rpm
# chef-server-ctl reconfigure
2. Create an administrator user. The arguments are: username, first name, last name, e-mail address, password; the user's private key is written to the file given by --filename. That key (admin.pem) is the credential for every knife call made as this user, so keep it off shared hosts and readable only by its owner.
# chef-server-ctl user-create admin admin user admin@cserver.hcl.com 'admin1' --filename admin.pem
3. Create an organization. This also creates the organization's validator client, named hcl-validator, and writes its private key to validation.pem; anyone holding that key can register new clients with the organization.
# chef-server-ctl org-create hcl 'hcl tech' --association_user admin --filename validation.pem
4. Login to server
5. Enable additional features
I. Install the chef-manage package to get the Chef management console, then reconfigure the server and the console (the console has its own license to accept).
# rpm -ivh chef-manage-2.3.0-1.el7.x86_64.rpm
# chef-server-ctl reconfigure
# chef-manage-ctl reconfigure --accept-license
6. The management console is now reachable over HTTPS on the server's FQDN; log in with the admin account created above.
Workstation Installation
1. Install the chefdk package on the workstation machine.
# rpm -ivh chefdk-0.14.25-1.el7.x86_64.rpm
2. Verify the components of the development kit:
# chef verify
3. Create the chef-repo directory in the logged-in user's home directory.
# chef generate repo chef-repo
4. Switch into the chef-repo directory, create the .chef directory and copy admin.pem and validation.pem from the Chef server to the workstation. Both files are private keys: keep them inside .chef with mode 0600 and out of version control.
[root@cworkstation ~]# cd chef-repo/
[root@cworkstation chef-repo]# mkdir .chef
[root@cworkstation chef-repo]# cd .chef/
[root@cworkstation .chef]# scp -r cserver:/etc/chef-server/admin.pem .
root@cserver's password:
admin.pem 100% 1674 1.6KB/s 00:00
[root@cworkstation .chef]# scp -r cserver:/etc/chef-server/validation.pem .
root@cserver's password:
validation.pem 100% 1678 1.6KB/s 00:00
5. Create knife.rb. validation_client_name must match the validator created by org-create, which is named <org>-validator; for the organization hcl that is hcl-validator. Any other name (chef-validator, for example) makes every bootstrap fail with a 401, because the new node tries to authenticate as a client that does not exist.
[root@cworkstation .chef]# vim knife.rb
log_level :info
log_location STDOUT
node_name 'admin'
client_key '/root/chef-repo/.chef/admin.pem'
validation_client_name 'hcl-validator'
validation_key '/root/chef-repo/.chef/validation.pem'
chef_server_url 'https://cserver.hcl.com:443/organizations/hcl'
syntax_check_cache_path '/root/chef-repo/.chef/syntax_check_cache'
6. Fetch and check the server certificate. knife ssl fetch stores whatever certificate the server presents in .chef/trusted_certs without verifying it, so compare the saved file with the certificate on the Chef server before relying on it; knife ssl check then confirms that knife can validate the server against that trusted store.
# knife ssl fetch
# knife ssl check
7. Check the user and client lists.
# knife user list
# knife client list
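As an added example (not part of the original page, and not Chef code), the Ruby script below checks a knife.rb against the points above: the server URL is HTTPS and names an organization, validation_client_name is <org>-validator, and both key files exist and are readable only by their owner. The parser handles only the simple setting 'value' lines used on this page, and the demo writes a constructed knife.rb with placeholder key files into a temporary directory.

```ruby
require "tmpdir"
require "uri"

# Minimal reader for the `setting 'value'` / `setting :symbol` lines of a
# knife.rb. It deliberately does not eval the file (knife.rb is Ruby), which
# keeps the check safe to run on a file of unknown origin.
def parse_knife_rb(text)
  cfg = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s+/, 2)
    next if value.nil?
    cfg[key] = value.strip.sub(/\A['"]/, "").sub(/['"]\z/, "").sub(/\A:/, "")
  end
  cfg
end

# Returns the list of findings; an empty list means every check passed.
def audit_knife_config(text)
  cfg = parse_knife_rb(text)
  findings = []

  url = URI.parse(cfg.fetch("chef_server_url", ""))
  findings << "chef_server_url must use https" unless url.scheme == "https"
  org = url.path.to_s[%r{/organizations/([^/]+)}, 1]
  if org.nil?
    findings << "chef_server_url lacks /organizations/<org>"
  elsif cfg["validation_client_name"] != "#{org}-validator"
    findings << "validation_client_name should be #{org}-validator"
  end

  # Both keys are credentials: they must exist and be owner-only (0600).
  %w[client_key validation_key].each do |setting|
    path = cfg[setting]
    unless path && File.file?(path)
      findings << "#{setting}: file not found"
      next
    end
    mode = File.stat(path).mode & 0o777
    next if (mode & 0o077).zero?
    findings << "#{setting}: mode #{format('%04o', mode)} is readable by others; use 0600"
  end
  findings
end

# Constructed scenario: admin.pem copied with scp and left 0644, and the
# validator name 'chef-validator' used with organization 'hcl'.
def demo_findings
  Dir.mktmpdir do |dir|
    admin = File.join(dir, "admin.pem")
    validator = File.join(dir, "validation.pem")
    [admin, validator].each { |f| File.write(f, "placeholder, not a real key\n") }
    File.chmod(0o644, admin)
    File.chmod(0o600, validator)

    knife_rb = <<~KNIFE
      log_level :info
      log_location STDOUT
      node_name 'admin'
      client_key '#{admin}'
      validation_client_name 'chef-validator'
      validation_key '#{validator}'
      chef_server_url 'https://cserver.hcl.com:443/organizations/hcl'
    KNIFE

    before = audit_knife_config(knife_rb)
    File.chmod(0o600, admin)
    after = audit_knife_config(knife_rb.sub("'chef-validator'", "'hcl-validator'"))
    { before: before, after: after }
  end
end

if $PROGRAM_NAME == __FILE__
  demo_findings.each { |stage, list| puts "#{stage}: #{list.empty? ? 'clean' : list.join('; ')}" }
end
```

Run it against a real knife.rb by passing File.read("/root/chef-repo/.chef/knife.rb") to audit_knife_config; the two findings in the demo (validator name, world-readable admin.pem) are exactly the two mistakes that are easiest to make when the keys are copied over with scp.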
Node Installation
1. Run the command below from the workstation to bootstrap the node: it installs chef-client over SSH, registers the node with the server using the validator key and names it cnode. The SSH password given with -P ends up in the shell history and in process listings; prefer key-based SSH with --identity-file, as in the Compliance section later on this page. The same applies to the WinRM bootstraps below.
# knife bootstrap 192.168.122.1 -x root -P redhat -N cnode
2. Now from workstation machine check registered nodes
# knife node list
# knife node show cnode
3. Now log in to the Chef server console and check the registered node's details.
RHEL7 registration
RHEL6.5 node Registration
Register the workstation from the starter kit
Log in to the Chef server console
Click on the organization (hcl)
Click on Manage Organizations
Click on Starter Kit
Click on Download Starter Kit, then on Proceed to download it
The zip contains a ready-made .chef/knife.rb together with the user's private key and the organization's validator key. Downloading it regenerates both keys, so any admin.pem and validation.pem already in use stop working; do this only on a fresh setup, and protect the extracted .chef directory as tightly as the keys copied by hand above.
After download, extract the file in the user's home directory.
[root@chef-workstation ~]# yum install unzip
Now register a node
Now check the registered node from GUI
Windows bootstrap
1. Make sure the hostname is set properly.
2. Open the firewall for WinRM. The command below permits inbound traffic on TCP 5985 (WinRM over HTTP) from any remote address on the Public profile. Unless the session negotiates Kerberos or NTLM message encryption, the Administrator credentials used for the bootstrap cross the network in the clear, so outside a lab pass the workstation's address to -RemoteAddress instead of "Any", or use WinRM over HTTPS (5986).
Get-NetFirewallPortFilter | ?{$_.LocalPort -eq 5985 } | Get-NetFirewallRule | ?{ $_.Direction -eq "Inbound" -and $_.Profile -eq "Public" -and $_.Action -eq "Allow"} | Set-NetFirewallRule -RemoteAddress "Any"
3. Verify WinRM connectivity from the workstation machine
[root@chef-workstation cookbooks]# knife wsman test 10.35.150.242 --manual-list
4. Now bootstrap the Windows machine
[root@chef-workstation cookbooks]# knife bootstrap windows winrm 10.35.150.242 -x Administrator -P India@123 -N node3
Install a cookbook from GitHub
1. On the workstation, clone the cookbook from GitHub, upload it and list the cookbooks on the server. A cookbook pulled from a third-party repository runs as root (or SYSTEM) on every node it is assigned to, so read the recipes before uploading and pin to a reviewed commit rather than tracking a moving branch.
[root@chef-workstation ~]# cd /root/chef-repo/cookbooks
[root@chef-workstation cookbooks]# git clone https://github.com/learn-chef/learn_chef_iis.git
[root@chef-workstation cookbooks]# knife cookbook upload learn_chef_iis
[root@chef-workstation cookbooks]# knife cookbook list
2. Assign cookbook to a machine
[root@chef-workstation templates]# knife cookbook list
[root@chef-workstation templates]# knife node list
[root@chef-workstation templates]# knife node run_list add node3 learn_chef_iis
[root@chef-workstation templates]# knife node show node3 -r
[root@chef-workstation templates]# knife node show node3 -m
[root@chef-workstation templates]# knife node show node3 -a fqdn
3. Converge the Windows machine: run chef-client so it pulls its run list and applies the cookbook
PS C:\Users\Administrator> chef-client.bat
Use Case
1. Create a motd cookbook on the workstation, upload it to the server and apply it on a registered node
# knife cookbook create motd
After creating the cookbook, syntax-check it
# knife cookbook test motd
Upload the cookbook to the Chef server.
Now log in to the Chef server console and assign the cookbook to the registered node (drag and drop the motd cookbook onto the node's run list).
Now on the Chef node run chef-client
# chef-client
2. Create an NTP cookbook. The recipe enables and starts the service and lets the template restart it only when /etc/ntp.conf actually changes; the deprecated resources(:service => ...) lookup is replaced by a string notification, and the service is no longer restarted on every run.
# knife cookbook create ntp
# vim /var/chef/cookbooks/ntp/recipes/default.rb
package 'ntp'
service node['ntp']['service'] do
  action [:enable, :start]
end
template '/etc/ntp.conf' do
  source 'ntp.conf.erb'
  owner 'root'
  group 'root'
  mode '0644'
  notifies :restart, "service[#{node['ntp']['service']}]", :delayed
end
# vim /var/chef/cookbooks/ntp/attributes/default.rb
default['ntp']['servers'] = ['0.pool.ntp.org', '1.pool.ntp.org', '2.pool.ntp.org', '3.pool.ntp.org']
case node['platform']
when 'redhat', 'centos', 'fedora', 'scientific'
  default['ntp']['service'] = 'ntpd'
when 'ubuntu', 'debian'
  default['ntp']['service'] = 'ntp'
else
  default['ntp']['service'] = 'ntpd'
end
# vim /var/chef/cookbooks/ntp/templates/default/ntp.conf.erb
restrict -6 ::1
#server <%= @ntp_server %>
<% node[:ntp][:servers].each do |ntpsrv| -%>
server <%= ntpsrv %> iburst
restrict <%= ntpsrv %> nomodify notrap noquery
<% end -%>
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server 127.127.1.0 # local clock
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
Check the cookbook
# knife cookbook test ntp
WARNING: DEPRECATED: Please use ChefSpec or Rubocop to syntax-check cookbooks.
checking ntp
Running syntax check on ntp
Validating ruby files
Validating templates
Validating ruby files
Validating templates
Upload the cookbook
# knife cookbook upload ntp
List the cookbook
[root@cworkstation ~]# knife cookbook list
motd 0.1.0
ntp 0.1.0
Now log in to the Chef server, drag and drop this cookbook onto the node's run list, and then run chef-client on the node.
Then verify on the node: /etc/ntp.conf should contain a server and a restrict line for each pool server, and ntpd should be running.
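The following Ruby example is added here and is not part of the page's cookbook or of Chef. It renders the ntp.conf.erb above with ERB against a plain hash standing in for the node attributes (the same node[:ntp][:servers] the template reads), then reviews the output the way a reviewer would: every pool server must also have a restrict ... noquery line, and the default policy must deny queries. It also shows what the check reports when one restrict line is dropped.

```ruby
require "erb"

# The template from the cookbook above, copied verbatim.
NTP_TEMPLATE = <<~'TMPL'
  restrict -6 ::1
  #server <%= @ntp_server %>
  <% node[:ntp][:servers].each do |ntpsrv| -%>
  server <%= ntpsrv %> iburst
  restrict <%= ntpsrv %> nomodify notrap noquery
  <% end -%>
  restrict default kod nomodify notrap nopeer noquery
  restrict -6 default kod nomodify notrap nopeer noquery
  restrict 127.0.0.1
  server 127.127.1.0 # local clock
  driftfile /var/lib/ntp/drift
  keys /etc/ntp/keys
TMPL

# Render the template as Chef's template resource would, with `node`
# standing in for the node object (a nested hash here) and "-" trim mode so
# the <% ... -%> control lines leave no blank lines behind.
def render_ntp_conf(node)
  ERB.new(NTP_TEMPLATE, trim_mode: "-").result(binding)
end

# Review the rendered file: every upstream server must be paired with a
# restrict line carrying noquery (no remote status queries, the classic NTP
# amplification vector), and the default policy must deny queries too.
def audit_ntp_conf(conf)
  lines = conf.lines.map(&:strip)
  servers = lines.map { |l| l[/\Aserver (\S+)/, 1] }.compact
                 .reject { |s| s.start_with?("127.127.") } # local clock pseudo-address
  restricted = lines.map { |l| l[/\Arestrict (\S+) .*\bnoquery\b/, 1] }.compact
  defaults = lines.grep(/\Arestrict (-6 )?default /)
  {
    servers: servers,
    unrestricted: servers - restricted,
    default_denies_query: defaults.size == 2 && defaults.all? { |l| l.include?("noquery") },
  }
end

# Constructed node attributes matching attributes/default.rb above.
def demo_ntp_audit
  node = { ntp: { servers: ["0.pool.ntp.org", "1.pool.ntp.org", "2.pool.ntp.org", "3.pool.ntp.org"] } }
  conf = render_ntp_conf(node)
  # The same file with one restrict line deleted: the mistake the check exists for.
  weakened = conf.sub("restrict 1.pool.ntp.org nomodify notrap noquery\n", "")
  { conf: conf, ok: audit_ntp_conf(conf), weak: audit_ntp_conf(weakened) }
end

if $PROGRAM_NAME == __FILE__
  result = demo_ntp_audit
  puts result[:conf]
  puts "unrestricted servers in weakened file: #{result[:weak][:unrestricted].inspect}"
end
```

Rendering the template outside Chef like this is a quick way to see what a change to the attribute list produces before uploading the cookbook; the audit half can be pointed at a live /etc/ntp.conf as well.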
3. Apache cookbook
1. Create the Apache cookbook
[root@cworkstation ~]# cd chef-repo/cookbooks/
[root@cworkstation cookbooks]# chef generate cookbook httpd
The Apache recipe is declared in httpd/recipes/default.rb.
2. Now create the template
[root@cworkstation cookbooks]# chef generate template httpd index.html
The file index.html.erb gets created under httpd/templates/default.
Now add the website content to the httpd/templates/default/index.html.erb file.
[root@cworkstation cookbooks]# vim httpd/templates/default/index.html.erb
<html>
<body>
<h1> WebServer Running</h1>
</body>
</html>
3. Update the recipe to reference the HTML template
[root@cworkstation cookbooks]# vim httpd/recipes/default.rb
package 'httpd'
service 'httpd' do
action [:enable, :start]
end
template '/var/www/html/index.html' do
source 'index.html.erb'
end
4. Run the cookbook locally (local mode uses chef-zero, so no Chef server is involved)
[root@cworkstation cookbooks]# chef-client --local-mode --runlist 'recipe[httpd]'
Check that Apache is running and serving the page
[root@cworkstation cookbooks]# firefox http://cworkstation.hcl.com
Upload the cookbook to Chef server
[root@cworkstation cookbooks]# knife cookbook upload httpd
[root@cworkstation cookbooks]# knife cookbook list
httpd 0.1.0
Now assign the new cookbook to the Chef node
[root@cworkstation ~]# knife node run_list add cnode httpd
cnode:
run_list:
recipe[motd]
recipe[ntp]
recipe[httpd]
[root@cworkstation ~]# knife node show cnode -r
[root@cworkstation ~]# knife node show -l cnode
[root@cworkstation ~]# knife node show cnode -a fqdn
To apply this cookbook on the Chef node, run chef-client there
[root@coelinux2 ~]# chef-client
The knife node show commands above return the node's details after the run.
Kitchen - test cookbooks with the Test Kitchen tool
[root@cworkstation cookbooks]# chef generate cookbook motd-rhel
CHEF-COMPLIANCE Server Installation
1. Download the package from http://downloads.chef.io/compliance/.
2. Install the chef-compliance package
[root@cnode7 ~]# rpm -ivh chef-compliance-1.3.1-1.el7.x86_64.rpm
3. Run the following command to start all of the services
[root@cnode7 ~]# chef-compliance-ctl reconfigure
Or
run chef-compliance-ctl reconfigure --accept-license to automatically accept the license.
4. Check the status of services
[root@cnode7 ~]# chef-compliance-ctl status
5. Run through the setup wizard, then log in to the Chef Compliance web UI at https://<fqdn>.
The browser warns about the self-signed certificate the installer generated: click I Understand the Risks, Add Exception, Get Certificate and Confirm Security Exception. This pins an unverified certificate in the browser, so replace it with a certificate from your own CA (see Configure SSL below) before anyone else uses the UI.
Click Setup Chef Compliance, scroll down and accept the license.
Create the Compliance admin user and click Configure to continue.
After setup completes, click Dashboard to reach the Chef Compliance dashboard and log in with the admin account created in the previous step.
Configure SSL
The Chef Compliance server can be configured to use your own SSL certificate by adding the following settings to the server configuration file /etc/chef-compliance/chef-compliance.rb:
ssl['certificate']       The SSL certificate presented to clients over HTTPS.
ssl['certificate_key']   The private key matching that certificate.
Set their values to the paths of the certificate and key. For example:
ssl['certificate'] = "/etc/pki/tls/certs/your-host.crt"
ssl['certificate_key'] = "/etc/pki/tls/private/your-host.key"
The key file should be readable only by root. Save the file, and then run:
$ sudo chef-compliance-ctl reconfigure
Logging
The default directory where Chef Compliance is saving logs is: /var/log/chef-compliance/. It contains a directory for each service, but you can follow all the logs with this command:
sudo chef-compliance-ctl tail
This command can also be run for an individual service by specifying the name of the service in the command. For example:
sudo chef-compliance-ctl tail core
Add your node to Chef Compliance
1. Create an SSH key pair to connect to your node (run these steps from the workstation; the node only receives the public key).
I. First create an SSH key pair, then copy the public part of the key to the node, and finally open a test connection to the node to verify connectivity.
a. Switch to the .ssh directory and generate a key pair named after the node
cd $HOME/.ssh/
ssh-keygen -t rsa -f cnode6
b. Copy the public key to the node
scp cnode6.pub cnode6:/root/.ssh/
c. SSH to the node and append the public key to $HOME/.ssh/authorized_keys
ssh cnode6
cat $HOME/.ssh/cnode6.pub >> $HOME/.ssh/authorized_keys
d. Remove the copied public key
rm $HOME/.ssh/cnode6.pub
e. Log out from the node
logout
f. Back on the workstation, set the permissions on the private key so that only the owner can read and write it (ssh refuses to use a key that is group- or world-readable)
chmod 600 cnode6
g. Test the connection to the node from the workstation
ssh -i cnode6 cnode6
Repeat the same steps for any other node you want to scan.
2. Configure your node for non-interactive sessions
Modify the configuration under /etc/sudoers.d for the account Chef Compliance connects through. Here the scanning account is root, so the rule grants nothing root does not already have; with a dedicated scanning user the same two lines (NOPASSWD and !requiretty for that user) are what make unattended sudo work, and that is the better arrangement because the private key stored in Compliance then gives less than a root login.
cat /etc/sudoers.d/root
root ALL=(root) NOPASSWD:ALL
Defaults:root !requiretty
3. Provide your SSH private key to Chef Compliance
[root@cworkstation ~]# cd .ssh/
[root@cworkstation .ssh]# cat cnode6
4. Next, from the web interface, navigate to the Settings menu and click Add Private Key. Fill in the Name field (node1 is only an example; any name will do). Then paste the RSA private key printed in the previous step into the Private Key field. The Compliance server now holds a key that logs in as root on the node, so use a key pair dedicated to scanning rather than a personal key.
5. Add your node to Chef Compliance
Now you add your node to Chef Compliance.
From the Dashboard menu, click Add or Add Nodes.
6. Enter your node's hostname or IP address. Leave the Add to environment field empty. Chef Compliance creates a default environment for you.
Under Access configuration, enter the account Chef Compliance will connect through and specify your private key.
Leave the fields under Sudo Configuration at their default values & Click the Add 1 node button.
You're taken back to the dashboard.
7. Create a test connection to your node
You've already manually verified that your node is connectable from your workstation over SSH using key-based authentication. But let's verify that Chef Compliance is also properly set up to use your key pair.
From the dashboard, select your node and click the Connectivity button
Chef Compliance creates a test connection over SSH. You see this in the connectivity report.
Scan your Node for compliance
Chef Compliance comes with pre-configured profiles, or collections of compliance rules.
1. Scan your node against the CIS Benchmarks
2. Review the scan results
3. As an optional step, clean up your environment
Scan your node against the CIS Benchmarks
From the dashboard in the web interface, select your node and click Scan.
Integrate Compliance with Chef Server
Prepare Chef Compliance
1. From a command shell, run the following command:
[root@cnode7 ~]# chef-compliance-ctl connect chef-server
When prompted, either confirm the default values (recommended) or provide custom values.
2. Copy the command delimited by ---, and then run:
# chef-compliance-ctl reconfigure
This creates a file under /opt/chef-compliance/sv/core/env/CHEF_GATE_COMPLIANCE_SECRET; it holds the shared secret used in the next step and should stay readable by root only.
3. Restart the Chef Compliance core service now:
[root@cnode7 ~]# chef-compliance-ctl restart core
Configure the Chef Server
1. Run the last command from the previous output on the Chef server machine:
CHEF_APP_ID="compliance_server" AUTH_ID="Chef Server" COMPLIANCE_URL="https://cnode7.hcl.com" INSECURE_SSL="true" CHEF_GATE_COMPLIANCE_SECRET="1409423e984775cd694b50dda83aa24d685a607f938cd79f10227154d0b0680b0edceb590a9773ad096f51687d98d91b7e22" CHEF_GATE_OIDC_CLIENT_ID="Wm5XM6GLldm8jq01v6z9W2HnFMcRCzq61uCCvJjEggc=@cnode7.hcl.com" bash <( curl -k https://cnode7.hcl.com/static/chef-gate.sh )
This installs the chef-gate service on the Chef server, which lets the Chef server act as an OpenID Connect (OIDC) resource server, lets chef-client request Chef Compliance profiles, and reports the results of profile scans back to Chef Compliance. Note that INSECURE_SSL="true" and curl -k disable TLS verification because the Compliance server still has its self-signed certificate: the script is piped straight into bash and the secrets on the command line are exposed to anyone who can interpose on that connection. With a CA-issued certificate in place (Configure SSL above) both can be dropped.
The script prints a chef-compliance-ctl auth add command at the end. Copy that line; it is used in the next section.
Configure Chef Compliance
1. From the Chef Compliance shell, run the command that was printed at the end of the output while configuring the Chef server
[root@cnode7 ~]# chef-compliance-ctl auth add --client-id "50bbd3f7712dd93b2bcac5aa8bee6f1bfe6b9c4b609cb7400b29ebed43307078" --client-secret "f33a18f3b3101367a74b8e826c79867e222d28cbb5cc07a04245be7be2187036" --id "Chef Server" --type ocid --chef-url https://cserver.hcl.com --insecure true
Successfully updated configuration
Run 'chef-compliance-ctl reconfigure' to reload the configuration
2. When finished, reconfigure Chef Compliance:
[root@cnode7 ~]# chef-compliance-ctl reconfigure
Test Integration
Go to the Chef Compliance web interface and click the Use a different provider link. The default provider is Compliance Server. Switch it to Chef Server, and then accept the authorization request. Only nodes under management by Chef that successfully run audit::default will show up in Chef Compliance.
UPDATE
[root@cworkstation ~]# knife bootstrap 192.168.122.171 -N rhel7-1
[root@cworkstation ~]# knife node list
[root@cworkstation ~]# knife cookbook create httpd-update
Open the default.rb file. The package resource has no :update action (chef-client rejects it with a validation error); :upgrade installs the newest available version, and the service is restarted only when the package actually changed rather than on every run.
[root@cworkstation ~]# vim /var/chef/cookbooks/httpd-update/recipes/default.rb
package "httpd" do
  action :upgrade
  notifies :restart, "service[httpd]"
end
service "httpd" do
  action [:enable, :start]
end
[root@cworkstation .chef]# knife node run_list add rhel7-1 httpd-update
Chef Automate Installation
Installation Prerequisites: https://docs.chef.io/install_chef_automate.html#set-up-a-build-node-runner-optional
Minimum two machines are required
Chef-server
Chef automate
1. Create a user and organization on chef-server for automate server installation
# chef-server-ctl user-create delivery delivery user delivery@chef-server.hcl.com 'delivery' --filename AUTOMATE_CHEF_USER_KEY
# chef-server-ctl org-create automate_chef_org 'org description' --filename ~/AUTOMATE_CHEF_ORG-validator.pem -a delivery
# wget -cv https://packages.chef.io/files/stable/opscode-push-jobs-server/2.2.6/el/7/opscode-push-jobs-server-2.2.6-1.el7.x86_64.rpm
# chef-server-ctl install opscode-push-jobs-server --path /opscode-push-jobs-server-2.2.6-1.el7.x86_64.rpm
# opscode-push-jobs-server-ctl reconfigure
# chef-server-ctl reconfigure
2. Copy the user key and the organization validator key to the Automate server (the trailing colon is required, otherwise scp writes a local file named root@automate-server)
scp AUTOMATE_CHEF_USER_KEY AUTOMATE_CHEF_ORG-validator.pem root@automate-server:
3. Download the Automate rpm package from https://downloads.chef.io
4. Install the Automate server. Before installation check these things:
I. Enable NTP time synchronisation
II. Disable IPv6 on the kernel command line
# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap ipv6.disable=1 rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
# grub2-mkconfig -o /boot/grub2/grub.cfg
III. Set the kernel parameters
# cat /etc/sysctl.conf
vm.swappiness=1
vm.max_map_count=256000
vm.dirty_expire_centisecs=30000
net.ipv4.ip_local_port_range = 35000 65000
kernel.shmmax = 17179869184
kernel.shmall = 4194304
Save the file and load it (sysctl -w on its own sets nothing; -p reads the file):
# sysctl -p
The transparent hugepage settings cannot go in sysctl.conf, so apply them from rc.local at boot:
# chmod +x /etc/rc.d/rc.local
# vi /etc/rc.d/rc.local
sysctl -w net.ipv4.ip_local_port_range='35000 65000'
echo 'never' | sudo tee /sys/kernel/mm/transparent_hugepage/enabled
echo 'never' | sudo tee /sys/kernel/mm/transparent_hugepage/defrag
Save the file, then enable the service:
# systemctl start rc-local.service
# systemctl enable rc-local.service
Now install automate server
[root@chef-automate ~]# rpm -ivh automate-1.7.114-1.el7.x86_64.rpm
[root@chef-automate ~]# automate-ctl preflight-check
[root@chef-automate ~]# automate-ctl setup --license /root/automate.license --key /root/AUTOMATE_CHEF_USER_KEY --server-url https://chef-server.hcl.local/organizations/automate_chef_org --fqdn chef-automate.hcl.local --enterprise cautomate
Log in to the Chef Automate dashboard. The browser warns about the self-signed certificate: click Advanced, then Proceed to chef-automate, and log in with the admin user.
Configure Data Collection
Automatic Node Run Data Collection with Chef Server
Note
Requires Chef Client 12.16.42 or greater, and Chef server 12.11.0 or greater.
Nodes can send their run data to Chef Automate through the Chef server automatically. To enable this functionality, you must perform the following steps:
Configure a Data Collector token in Chef Automate
Configure your Chef server to point to Chef Automate
Multiple Chef servers can send data to a single Chef Automate server.
1. Configure a Data Collector token in Chef Automate
All messages sent to Chef Automate go over HTTPS (the root_url configured in the next step) and are authenticated with a pre-shared key called a token, carried in a request header. Every Chef Automate installation configures a token by default, but we strongly recommend that you create your own: use a long random value, for example 32 bytes from a CSPRNG hex-encoded to 64 characters as below.
To set your own token, add the following to your /etc/delivery/delivery.rb file:
data_collector['token'] = '93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506'
Save and close the file. To apply the changes, run:
sudo automate-ctl reconfigure
2. Configure your Chef server to point to Chef Automate
In addition to forwarding chef-client run data to Automate, the Chef server sends a message to Chef Automate whenever an action is taken on a Chef server object, such as a cookbook being uploaded or a user editing a role.
On Chef server 12.14 and later the token is treated as a secret and must not appear in /etc/opscode/chef-server.rb; store it through the veil secrets library with set-secret, then restart nginx and erchef so they pick it up:
[root@chef-server ~]# chef-server-ctl set-secret data_collector token '93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506'
[root@chef-server ~]# chef-server-ctl restart nginx
[root@chef-server ~]# chef-server-ctl restart opscode-erchef
Then add the following settings to /etc/opscode/chef-server.rb on the Chef server:
data_collector['root_url'] = 'https://my-automate-server.mycompany.com/data-collector/v0/'
# Add for compliance scanning
profiles['root_url'] = 'https://my-automate-server.mycompany.com'
# Save and close the file
To apply the changes, run:
chef-server-ctl reconfigure
Setting up data collection on Chef server versions 12.13 and lower
On versions 12.13 and prior, add the root_url and token values directly in /etc/opscode/chef-server.rb (the file then contains a secret itself and should be readable by root only):
data_collector['root_url'] = 'https://my-automate-server.mycompany.com/data-collector/v0/'
data_collector['token'] = 'TOKEN'
# Add for compliance scanning
profiles['root_url'] = 'https://my-automate-server.mycompany.com'
# Save and close the file
To apply the changes, run:
chef-server-ctl reconfigure
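The example below is added here and is neither Chef's nor Automate's code. It models the pre-shared-token check described in step 1: the client adds the token in the x-data-collector-token header (with x-data-collector-auth: version=1.0, the headers chef-client sends when a token is configured), and the receiving side compares it in constant time. The request and response shapes are simplified assumptions; the token generator produces the same 64-hex-character form as the value on this page.

```ruby
require "securerandom"

# Generates a token in the same form as the one on this page: 32 random bytes
# from the OS CSPRNG, hex-encoded to 64 characters.
def new_data_collector_token
  SecureRandom.hex(32)
end

# Constant-time comparison: the loop always covers the full length, so a wrong
# token that shares a prefix with the real one takes no longer to reject.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Client side: the headers chef-client adds to a run report when a token is
# configured.
def data_collector_headers(token)
  { "content-type" => "application/json",
    "x-data-collector-token" => token,
    "x-data-collector-auth" => "version=1.0" }
end

# Server side (assumed, simplified): returns [status, reason] for a request.
def authenticate_data_collector(headers, expected_token)
  presented = headers["x-data-collector-token"].to_s
  return [401, "missing token"] if presented.empty?
  return [401, "bad token"] unless secure_equal?(presented, expected_token)
  return [400, "unsupported auth version"] unless headers["x-data-collector-auth"] == "version=1.0"
  [200, "accepted"]
end

# Constructed exchange: the correct token, a token with every hex digit
# shifted (guaranteed to differ), and a request with no token at all.
def demo_token_flow
  token = new_data_collector_token
  wrong = token.tr("0123456789abcdef", "123456789abcdef0")
  { token: token,
    ok: authenticate_data_collector(data_collector_headers(token), token),
    bad: authenticate_data_collector(data_collector_headers(wrong), token),
    none: authenticate_data_collector({ "content-type" => "application/json" }, token) }
end

if $PROGRAM_NAME == __FILE__
  r = demo_token_flow
  puts "data_collector['token'] = '#{r[:token]}'"
  puts "correct token: #{r[:ok].inspect}, wrong token: #{r[:bad].inspect}, no token: #{r[:none].inspect}"
end
```

Because the token is the only thing standing between an attacker and the ability to inject fabricated run or scan data, it belongs in the same class as the keys earlier on this page: generated with a CSPRNG, stored through set-secret rather than in a world-readable config, and sent only over TLS.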
Enable compliance profile
Login to automate server
Click on available profiles
Search desired profile
Click on get option
Two profiles are now installed on the Automate server.
Using the Audit Cookbook
Generate the wrapper cookbook:
chef generate cookbook mycompany_audit
Place the following in mycompany_audit/metadata.rb:
depends 'audit'
Add the following in mycompany_audit/recipes/default.rb:
include_recipe 'audit::default'
Generate the default attributes file:
cd mycompany_audit/
chef generate attribute default
Configure the audit cookbook reporter to send scan data to Automate in the mycompany_audit/attributes/default.rb file:
default['audit']['reporter'] = 'chef-server-automate'
case node['os']
when 'linux'
  default['audit']['profiles'] = [
    {
      'name': 'DevSec Linux Security Baseline',
      'compliance': 'admin/linux-baseline'
    }
  ]
when 'windows'
  default['audit']['profiles'] = [
    {
      'name': 'DevSec Windows Security Baseline',
      'compliance': 'admin/windows-baseline'
    }
  ]
end
Use Berkshelf to install cookbook dependencies and upload it to all Chef Servers.
cd /root/chef-repo/cookbooks/mycompany_audit
berks install && berks upload
Collect Compliance Scan Data
[root@chef-workstation cookbooks]# knife bootstrap 10.35.150.142 --ssh-user root --sudo --identity-file ~/.ssh/id_ecdsa --run-list 'recipe[mycompany_audit::default]' -N worker2
Windows
[root@chef-workstation cookbooks]# knife bootstrap windows winrm 10.35.150.242 -x Administrator -P India@123 --run-list 'recipe[mycompany_audit::default]' -N cnode3
Now cross-check the scan results in the Automate UI
NOTE
The audit cookbook uses the InSpec gem. It will check for an installed version of InSpec and install it upon finding none. The latest version of InSpec will be installed by default unless otherwise specified with node['audit']['inspec_version'].
Errors seen during bootstrap and scanning
Resolution: check DNS resolution
Resolution: check ssh-agent