How do a Chef node and the Chef Server work together?
What is Chef Client?
A chef-client (executable) is an agent that runs locally on every node. When chef-client runs, it performs all of the steps required to bring the node into the expected state, including:
- Step 0 - Get configuration data - The chef-client reads its process configuration from the client.rb file on the node, then collects node configuration data (platform, network, hardware) from Ohai.
- Step 1 - Register and authenticate the node with the Chef server - An RSA key pair authenticates the chef-client to the Chef server every time it needs data stored there: the client signs each request with its private key and the server checks the signature against the public key it holds for that client name. If this is the first chef-client run for a node, there is no client key yet, so the chef-validator identity is used to register the node as a client and establish its key pair.
- Step 2 - Building the node object
- Step 3 - Synchronizing cookbooks
- Step 4 - Compiling the resource collection by loading each of the required cookbooks, including recipes, attributes, and all other dependencies
- Step 5 - Taking the appropriate and required actions to configure the node
What is client.pem?
client.pem is the node's private key, stored by default at /etc/chef/client.pem (the client_key setting in client.rb). The chef-client signs every request to the Chef server with it, and the server checks the signature against the public key it holds for that client name. It is created when the node registers on its first run. Keep it readable only by root: anyone who copies it can act as that node against the Chef server, reading every data bag and node attribute that node is allowed to see.
What is validation.pem?
When a node runs the chef-client for the first time, it does not yet have an API client identity, and therefore cannot send authenticated requests to the server. This is where the validation client, known as the chef-validator, comes in. When the chef-client runs, it checks whether it has a client_key; if the client key does not exist, it borrows the chef-validator identity (the validation_key, validation.pem) to register itself with the server. Because validation.pem lets anyone who holds it create new clients in the organization, it is a shared bootstrap secret: copy it to a node only for the first run and delete it afterwards (the chef-client cookbook ships a delete_validation recipe for exactly this), and rotate it if it has been exposed.
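The authentication described in Step 1 and in the client.pem section above is a signed HTTP request, not a password. The block below is an added example, not Chef's own code (the real implementation lives in the mixlib-authentication gem); it models signing protocol version 1.0, the simplest form of the X-Ops-* headers, with both the client side (what chef-client does with client.pem) and the server side (what the Chef server does with the registered public key). The key pair, client name, request and timestamps are constructed here. Later protocol versions change the hash and signing primitive but keep the same structure.

```ruby
require 'openssl'
require 'base64'
require 'digest'
require 'time'

# Added example (not Chef's own mixlib-authentication code): models request signing
# protocol version 1.0, which is what the X-Ops-* headers carry. The key pair,
# client name and request are constructed here; a real node would load
# /etc/chef/client.pem and use the node name from client.rb.
module ChefAuthV1
  MAX_SKEW = 15 * 60 # seconds; the server rejects timestamps outside this window

  # Base64(SHA-1(s)), used for both the hashed path and the body hash.
  def self.hash_string(s)
    Base64.strict_encode64(Digest::SHA1.digest(s))
  end

  # The five canonical lines, in this order, joined with "\n" and no trailing newline.
  def self.canonical_request(method:, path:, body:, timestamp:, user_id:)
    [
      "Method:#{method.upcase}",
      "Hashed Path:#{hash_string(path)}",
      "X-Ops-Content-Hash:#{hash_string(body)}",
      "X-Ops-Timestamp:#{timestamp}",
      "X-Ops-UserId:#{user_id}",
    ].join("\n")
  end

  # v1.0 signs the canonical request with raw RSA (PKCS#1 v1.5 padding, no digest).
  def self.rsa_sign_raw(priv, data)
    priv.respond_to?(:sign_raw) ? priv.sign_raw(nil, data) : priv.private_encrypt(data)
  end

  def self.rsa_verify_raw(pub, sig, data)
    return pub.verify_raw(nil, sig, data) if pub.respond_to?(:verify_raw)
    pub.public_decrypt(sig) == data
  rescue OpenSSL::PKey::PKeyError
    false
  end

  # Client side: the headers chef-client attaches, signed with client.pem.
  def self.sign_request(priv, method:, path:, body:, user_id:, timestamp: Time.now.utc.iso8601)
    canonical = canonical_request(method: method, path: path, body: body,
                                  timestamp: timestamp, user_id: user_id)
    sig = Base64.strict_encode64(rsa_sign_raw(priv, canonical))
    headers = {
      'X-Ops-Sign' => 'algorithm=sha1;version=1.0;',
      'X-Ops-UserId' => user_id,
      'X-Ops-Timestamp' => timestamp,
      'X-Ops-Content-Hash' => hash_string(body),
    }
    # The base64 signature is split into 60-character X-Ops-Authorization-N headers.
    sig.scan(/.{1,60}/).each_with_index { |chunk, i| headers["X-Ops-Authorization-#{i + 1}"] = chunk }
    headers
  end

  # Server side: rebuild the canonical request from what arrived and check it against the
  # public key registered for X-Ops-UserId. Nothing in the headers is trusted until then.
  def self.verify_request(pub, headers, method:, path:, body:, now: Time.now.utc)
    chunks = headers.keys.grep(/\AX-Ops-Authorization-\d+\z/).sort_by { |k| k[/\d+/].to_i }
    return false if chunks.empty?
    return false unless headers['X-Ops-Content-Hash'] == hash_string(body) # body swapped in transit?
    ts = Time.iso8601(headers['X-Ops-Timestamp'].to_s) rescue nil
    return false if ts.nil? || (now - ts).abs > MAX_SKEW                 # replay or clock skew
    canonical = canonical_request(method: method, path: path, body: body,
                                  timestamp: headers['X-Ops-Timestamp'],
                                  user_id: headers['X-Ops-UserId'])
    rsa_verify_raw(pub, Base64.strict_decode64(chunks.map { |k| headers[k] }.join), canonical)
  end

  # Round trip with a constructed key pair; returns which checks pass and which fail.
  def self.demo
    client_key = OpenSSL::PKey::RSA.new(2048)   # stands in for /etc/chef/client.pem
    other_key  = OpenSSL::PKey::RSA.new(2048)   # a key the server never registered
    registered = client_key.public_key          # what the server stores for this client
    req = { method: 'GET', path: '/organizations/thegeekstuff/clients', body: '' }
    hdr = sign_request(client_key, user_id: 'web01.example.internal', **req)
    old = sign_request(client_key, user_id: 'web01.example.internal',
                       timestamp: (Time.now.utc - 20 * 60).iso8601, **req)
    {
      valid:         verify_request(registered, hdr, **req),
      tampered_body: verify_request(registered, hdr, **req.merge(body: '{"evil":1}')),
      wrong_key:     verify_request(other_key.public_key, hdr, **req),
      stale:         verify_request(registered, old, **req),
    }
  end
end

puts ChefAuthV1.demo.inspect if $PROGRAM_NAME == __FILE__
```

The skew check is why a node whose clock drifts reports an authentication failure rather than a clock problem, and the tampered_body case shows why the content hash is part of what is signed: the server recomputes it from the body it actually received.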
What is Client.rb?
A client.rb file specifies the configuration details for the chef-client. This file is loaded every time the executable runs.
On UNIX- and Linux-based machines, the default location for this file is /etc/chef/client.rb; on Microsoft Windows machines, the default location for this file is C:\chef\client.rb; use the --config option from the command line to change this location
This file is not created by default
When a client.rb file is present in the default location, the settings contained within that client.rb file will override the default configuration settings
What are Chef certificates?
By default, Chef Server uses a self-signed certificate. This is fine for small test setups, but it becomes a significant problem in production, especially with other Ruby tools or modules that require SSL verification. Starting with Chef 12, knife and chef-client verify the server certificate by default (ssl_verify_mode :verify_peer), so a simple command like knife client list fails with an SSL validation error when the workstation does not have the server's certificate to verify against:
# knife client list
ERROR: SSL Validation failure connecting to host: datadb - SSL_connect returned=1 errno=0 state=error: certificate verify failed
ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use
`knife ssl fetch` to make knife trust the server's certificates.
Original Exception: OpenSSL::SSL::SSLError: SSL Error connecting to https://datadb/organizations/thegeekstuff/clients - SSL_connect returned=1 errno=0 state=error: certificate verify failed
The chef-client running on each node needs the server certificate too, and fails the same way without it.
To avoid this SSL error, download the self-signed certificate generated by the Chef server and store it in the trusted store on every chef-client machine, workstations and nodes alike: ~/.chef/trusted_certs/ on a workstation (where knife ssl fetch writes it) and /etc/chef/trusted_certs/ on a node (the trusted_certs_dir setting in client.rb). Compare the certificate fingerprint with the one the server administrator gives you before relying on it: knife ssl fetch trusts whatever the host it connected to presented, and its own output warns that it has no means to verify the certificates are the correct ones.
Once the certificate is installed on the workstation, knife commands no longer show the SSL error. Run the following commands: knife ssl check reports the problem, knife ssl fetch downloads the certificate into the trusted store, and running knife ssl check again confirms the fix.
# knife ssl check
# knife ssl fetch
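To make the trusted-store procedure concrete, the following is an added example and not knife's own code. It does by hand what knife ssl fetch does, plus the fingerprint comparison that knife leaves to you: a certificate is installed into a trusted_certs directory only when its SHA-256 fingerprint matches a value obtained out of band, and verification is shown failing before the install, succeeding after it, and failing for an impersonator that presents the same hostname with a different key. The server certificate is generated in memory as a stand-in for the Chef server's self-signed certificate; the hostname and directory are constructed, and no network is used.

```ruby
require 'openssl'
require 'fileutils'
require 'tmpdir'

# Added example (not knife's own code): the manual equivalent of `knife ssl fetch`
# with the fingerprint check knife tells you to do yourself. The server certificate is
# generated in memory as a stand-in for the Chef server's self-signed certificate;
# the hostname and directory are constructed.
module TrustedCerts
  # A self-signed certificate of the kind a default Chef server install presents.
  def self.self_signed_cert(hostname)
    key  = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version    = 2
    cert.serial     = OpenSSL::BN.rand(64)
    cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hostname}")
    cert.issuer     = cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after  = Time.now + 365 * 86_400
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
    cert.sign(key, OpenSSL::Digest.new('SHA256'))
    cert
  end

  # SHA-256 fingerprint in the colon-separated form `openssl x509 -fingerprint -sha256` prints.
  def self.fingerprint(cert)
    OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
  end

  # What chef-client and knife effectively do with trusted_certs: seed an X509 store from
  # every certificate file in the directory, then verify the presented certificate and
  # that it is valid for the hostname being connected to.
  def self.trusted?(cert, trusted_dir, hostname)
    store = OpenSSL::X509::Store.new
    Dir.glob(File.join(trusted_dir, '*.{crt,pem}')).each { |f| store.add_file(f) }
    store.verify(cert) && OpenSSL::SSL.verify_certificate_identity(cert, hostname)
  end

  # Install only if the fingerprint matches the value obtained out of band from the
  # server administrator; otherwise refuse. This is the check `knife ssl fetch` leaves to you.
  def self.pin_and_install(cert, expected_fp, trusted_dir, hostname)
    return false unless fingerprint(cert).casecmp?(expected_fp)
    FileUtils.mkdir_p(trusted_dir)
    File.write(File.join(trusted_dir, "#{hostname}.crt"), cert.to_pem)
    true
  end

  # Before/after picture: untrusted until installed; an impersonator with the same
  # name but a different key is rejected at pin time and never becomes trusted.
  def self.demo
    hostname = 'chef-server.example.internal'
    genuine  = self_signed_cert(hostname)
    rogue    = self_signed_cert(hostname)
    pinned   = fingerprint(genuine)   # learned out of band, e.g. read off the server console
    Dir.mktmpdir do |dir|
      trusted_dir = File.join(dir, 'trusted_certs')
      {
        before:        trusted?(genuine, trusted_dir, hostname),
        rogue_pinned:  pin_and_install(rogue, pinned, trusted_dir, hostname),
        installed:     pin_and_install(genuine, pinned, trusted_dir, hostname),
        after:         trusted?(genuine, trusted_dir, hostname),
        rogue_trusted: trusted?(rogue, trusted_dir, hostname),
      }
    end
  end
end

puts TrustedCerts.demo.inspect if $PROGRAM_NAME == __FILE__
```

The hostname check matters as much as the store: the error on this page names the host datadb, and a certificate that is trusted but issued for a different name still fails verification with :verify_peer.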