
Setting Up a Chef Server on EC2

Senior Consultant Navin Surtani demonstrates how to set up your workstation to use a Chef server on EC2

A few weeks ago in the office, I was asked to start working on some Chef cookbooks for internal use. Since we do a lot of our work on EC2, I decided that the best starting point was a Chef server on EC2.

Simple, right? Yes and no. Setting up the server, spinning it up and browsing to the web app is straightforward. Actually using that server with knife from your own machine is where it gets awkward. The rest of this post covers how to set up your workstation (or laptop) so that knife can talk to a Chef server running on EC2.

For this demo I used an m4.xlarge EC2 instance running Ubuntu 14.04. Since this is a demo, the instance size and OS do not matter much; those choices were arbitrary. What does matter is that the instance has a public IP address and that its security group allows inbound HTTPS (port 443) from your workstation, since both the web app and knife talk to the server over that port. At the time of writing the latest Chef server release is 12.2.0, so that is what this demo uses.
 

Installing the Chef server

Let’s start with the easy part: SSH onto the VM and download the Chef server package. Once the installer has been pulled down, install it with:

sudo dpkg -i chef-server-core_12.2.0-1_amd64.deb

Now that it is installed, run a reconfigure on the Chef server, then install the management web UI (opscode-manage) and reconfigure that as well:

sudo chef-server-ctl reconfigure
sudo chef-server-ctl install opscode-manage
sudo opscode-manage-ctl reconfigure


Adding a user and an organisation

Once this is complete, we can add a user, an organisation, and then add that user to the organisation as an admin. The -f option writes the user's private key (nsurtani.pem) and the organisation's validator key (c2b2.pem); both are needed on the workstation later. In this case the password is simply 'password', but that is for demo purposes only. Bear in mind that a password given on the command line like this ends up in your shell history and is visible in the process list while the command runs, so use a throwaway value for a demo.

sudo chef-server-ctl user-create nsurtani Navin Surtani nsurtani@c2b2.co.uk password -f nsurtani.pem
sudo chef-server-ctl org-create c2b2 "C2B2 Consulting" -f c2b2.pem
# This line adds my user to the organisation and makes me an admin
sudo chef-server-ctl org-user-add c2b2 nsurtani --admin
 

Regenerate the SSL certificate

This is where things get problematic. Normally we would copy the server's SSL certificate over to the workstation and drop it into the trusted_certs directory under ~/.chef.

If we look at the certificate on the Chef server (under '/var/opt/opscode/nginx/ca'), we notice that it has been generated for the instance's internal EC2 hostname. knife will be pointed at the public IP address, so the name in the certificate will not match the host it connects to and SSL verification fails. A little manual configuration on the server fixes this.

On the Chef server, we can override the name that the certificates are created with by modifying the 'chef-server.rb' file in '/etc/opscode'.

By default, that file is empty, so we can change it to:

# In this case my public IP is 52.18.46.229. Change it to whatever yours is.
server_name = "52.18.46.229"
api_fqdn = server_name
nginx['url'] = "https://#{server_name}"
nginx['server_name'] = server_name
lb['fqdn'] = server_name
bookshelf['vip'] = server_name

We have to run a reconfigure again for this change to take effect; it is quick.

sudo chef-server-ctl reconfigure

Now you will notice that there will be a certificate with the file-name of your public IP address located within the directory '/var/opt/opscode/nginx/ca'. This can also be verified by looking at the file '/etc/opscode/chef-server-running.json'.
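To make the address substitution less error-prone, here is an added example script (not from the original post) that reads the public IPv4 address from the EC2 instance metadata service, validates it, writes the six settings above into /etc/opscode/chef-server.rb, reconfigures, and then prints the regenerated certificate's subject and SHA-256 fingerprint. It assumes it runs as root on the Chef server, that IMDSv2 is reachable at 169.254.169.254, and that curl and openssl are installed; it changes nothing unless CHEF_APPLY=1 is set in the environment.

```shell
#!/bin/sh
# Added example, not part of the original post or of Chef itself.
# Assumptions: runs as root on the Chef server; IMDSv2 is reachable at
# 169.254.169.254; curl and openssl are installed.
set -eu

# Public IPv4 address from the EC2 instance metadata service (IMDSv2,
# token-based, so a plain GET from a hijacked process is not enough).
ec2_public_ip() {
  token=$(curl -sS -X PUT http://169.254.169.254/latest/api/token \
            -H 'X-aws-ec2-metadata-token-ttl-seconds: 60')
  curl -sS -H "X-aws-ec2-metadata-token: $token" \
       http://169.254.169.254/latest/meta-data/public-ipv4
}

# Reject anything that is not a dotted quad with octets 0-255, so a metadata
# hiccup (empty body, HTML error page) never ends up in a file that is
# interpolated into nginx's server_name and the certificate subject.
validate_ipv4() {
  ip=$1
  case $ip in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $ip
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Emit the six settings the post overrides, with the address substituted in.
# "#{server_name}" is Ruby interpolation and must reach the file verbatim.
render_chef_server_rb() {
  ip=$1
  printf '%s\n' \
    "server_name = \"$ip\"" \
    'api_fqdn = server_name' \
    "nginx['url'] = \"https://#{server_name}\"" \
    "nginx['server_name'] = server_name" \
    "lb['fqdn'] = server_name" \
    "bookshelf['vip'] = server_name"
}

# Write the config, reconfigure, and confirm the certificate was regenerated
# for the public address. The fingerprint printed here is what to compare,
# out of band, with the certificate the workstation ends up trusting.
apply_server_name() {
  ip=$1
  validate_ipv4 "$ip" || { echo "not an IPv4 address: '$ip'" >&2; return 1; }
  render_chef_server_rb "$ip" > /etc/opscode/chef-server.rb
  chef-server-ctl reconfigure
  cert=/var/opt/opscode/nginx/ca/$ip.crt
  [ -f "$cert" ] || { echo "no certificate at $cert after reconfigure" >&2; return 1; }
  openssl x509 -in "$cert" -noout -subject -fingerprint -sha256
}

# Only touch the system when explicitly asked: CHEF_APPLY=1 ./script.sh [IP]
if [ "${CHEF_APPLY:-0}" = "1" ]; then
  apply_server_name "${1:-$(ec2_public_ip)}"
fi
```

One caveat with binding everything to the public IP: an EC2 instance without an Elastic IP gets a different public address after a stop/start, at which point the certificate and every workstation's knife.rb are wrong again. A DNS name that you control (pointed at an Elastic IP) is the better long-term value for server_name; the script above works the same way if you pass that name instead of an address and drop the IPv4 check.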

Copy the keys

Now copy the user key (nsurtani.pem) and validator key (c2b2.pem) generated earlier over to the workstation, along with the newly generated SSL certificate (which goes into '~/.chef/trusted_certs'), and configure 'knife.rb' in '~/.chef' accordingly. These are the RSA keys knife uses to sign API requests, not SSH keys, so keep them readable only by you. That should do it.

knife ssl check
Connecting to host 52.18.46.229:443
Successfully verified certificates from '52.18.46.229'
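On the workstation side, as an added example that is not the post's own code, the following script writes knife.rb for the organisation and user created above, locks down the key files, pins the server certificate, and runs knife ssl check. It assumes nsurtani.pem and c2b2.pem have already been copied into ~/.chef, that knife and openssl are installed, and that the user, org and address default to the ones used in this post; it only acts when CHEF_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not part of the original post or of Chef itself.
# Assumptions: nsurtani.pem and c2b2.pem are already in ~/.chef; knife and
# openssl are on PATH; names and address default to the post's values.
set -eu

# The organisation-scoped API endpoint knife talks to.
chef_server_url() {
  printf 'https://%s/organizations/%s\n' "$1" "$2"
}

# knife.rb is Ruby; keys are located relative to the file so ~/.chef can be
# moved as a unit. ssl_verify_mode is left at :verify_peer (the default):
# switching it to :verify_none is the usual "fix" for the hostname mismatch
# the post runs into, and it silently removes the only check knife has that
# it is talking to your server and not something in between.
render_knife_rb() {
  user=$1; org=$2; ip=$3
  printf '%s\n' \
    'current_dir = File.dirname(__FILE__)' \
    "node_name \"$user\"" \
    "client_key \"#{current_dir}/$user.pem\"" \
    "validation_client_name \"$org-validator\"" \
    "validation_key \"#{current_dir}/$org.pem\"" \
    "chef_server_url \"$(chef_server_url "$ip" "$org")\"" \
    'ssl_verify_mode :verify_peer'
}

# knife ssl fetch is trust-on-first-use: it saves whatever certificate the
# address presents into ~/.chef/trusted_certs. Printing the fingerprint of
# what was saved lets you compare it with the one on the server
# (openssl x509 -in /var/opt/opscode/nginx/ca/<ip>.crt -noout -fingerprint -sha256)
# before relying on it. Filenames are listed rather than assumed, since knife
# chooses them from the host name.
pin_server_cert() {
  ip=$1
  knife ssl fetch "https://$ip"
  for crt in "$HOME"/.chef/trusted_certs/*.crt; do
    echo "$crt"
    openssl x509 -in "$crt" -noout -subject -fingerprint -sha256
  done
}

setup_workstation() {
  user=$1; org=$2; ip=$3
  mkdir -p "$HOME/.chef/trusted_certs"
  chmod 700 "$HOME/.chef"
  # Both private keys must be present and readable only by this user.
  for key in "$HOME/.chef/$user.pem" "$HOME/.chef/$org.pem"; do
    [ -f "$key" ] || { echo "missing key: $key" >&2; return 1; }
    chmod 600 "$key"
  done
  render_knife_rb "$user" "$org" "$ip" > "$HOME/.chef/knife.rb"
  pin_server_cert "$ip"
  knife ssl check
}

# Only touch ~/.chef when explicitly asked: CHEF_APPLY=1 ./script.sh [USER ORG IP]
if [ "${CHEF_APPLY:-0}" = "1" ]; then
  setup_workstation "${1:-nsurtani}" "${2:-c2b2}" "${3:-52.18.46.229}"
fi
```

Once knife ssl check passes, a first authenticated call such as knife client list confirms that the user key and organisation URL line up as well, since the SSL check only exercises the certificate, not the signed API request.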