Chef installation & Configuration

 

This is the first post of, I hope, a very long series about Chef.

Chef is a powerful tool that gives you everything you need to automate the configuration of your systems. It was first developed for Linux platforms, but you can also automate the management of your Windows systems. It is client-server software written in Ruby, a very popular language. Ruby is cross-platform, so supporting Windows-based systems is straightforward; since 2011 it has been possible with the knife-windows gem.

I know what you’re thinking: why the hell is he blogging about this stuff? The answer is easy: because you can create DSC recipes and apply them to Windows hosts!

 

Overview of Chef concepts

Like any technology, Chef has its own terms. Let me explain them to you.

  • Bootstrap: This is the process of configuring a node with a Chef client.
  • Recipe: Written in Ruby, a recipe provides the lines needed to achieve a task: install a package, start a service, etc.
  • Cookbook: This is a bunch of recipes. Typically, a cookbook is created to achieve the full installation and configuration of a task (e.g., install and configure IIS).
  • Role: A role is a structure that lets you build a full architecture (e.g., an Active Directory, a PKI server, a file server and an MSSQL node). A role is associated with a node by the Chef administrator.
  • Run list: This list is composed of recipes applied in the desired order.

The Chef infrastructure is built on 3 “keys”:

  • Chef Service: It stores the recipes and configuration.
  • Workstation: This is where knife is installed and where the administrator works from. In this tutorial we won’t do that, but you should 🙂
  • Node(s): The nodes managed by Chef. They can be servers, routers, desktops, etc.

The Chef Service can use HTTP(S) to interact with the Chef-client. It uses a Ruby script to do that: it downloads the run list configured for the node, along with cookbooks and data, to the Chef-client, which will execute everything in the correct order.

 

Chef Service installation

First of all, we need a Chef Service in our lab.

To do this I chose an Ubuntu 12.04 server (I use one in Azure, remember Microsoft Loves Linux! :)). You should be able to do this alone, so I won’t talk about it. But now we need a few yummy things. The first is to install Ruby 2.0.0 on our server. I faced many issues, and finally achieved this goal with the few lines below.

Yes, you have compiled and installed Ruby from source!

Now we can start the installation!

OK, now the Chef service is installed, but as I said previously, we will also install the knife tools on the server; remember, this is a lab, not something to use in production… So, let’s install the chef gem. A gem is a packaged Ruby application/script which uses RubyGems to be installed.

Chef cookbooks are hosted on GitHub, so let’s install git on our system, clone the chef-repo and configure knife for first use. What is knife? “knife is a command-line tool that provides an interface between a local chef-repo and the Chef server.”

You will be asked for a few things; I’ve left everything at the default value.

As I use self-signed certificates, the command below makes it possible to trust the certificate 🙂

The next thing to do is the installation of knife-windows in order to do some WinRM things! This is done by the following few lines.

The well-known knife-windows is now installed and I can bootstrap the client on my target.

 

Bootstrap Windows Chef-client

The first thing to do is to ensure that WinRM is correctly configured to enable the Chef Service to connect. My node is already connected to my domain and this is how I’ve configured my WinRM service.

WinRM

I know you can use Kerberos authentication with the Ruby WinRM plugin, but I’ve never succeeded. So IF SOMEONE KNOWS HOW, PLEASE COMMENT ON THIS POST! Note that CredSSP isn’t needed here; it’s here in order to double-hop in Desired State Configuration scripts.

Now, let’s get back to our Chef Server. It’s very easy to bootstrap a client: use the following line.

It’ll create and execute a PowerShell script in order to download the latest MSI (I need to figure out how to force it to download a specific MSI from my IIS) and will install it. In addition to that, it’ll generate the certificate for the Chef server and put it in the trusted_certs folder. Once everything is finished, the configuration of the chef-client is launched in order to register the node in the Chef Service.
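The trusted_certs folder mentioned here, and the self-signed certificate trusted earlier for knife, can be checked against a fingerprint obtained out of band before relying on them. The Ruby script below is an added example, not code from the original post or from Chef; the host names, file names and pin list are constructed, and the `.crt`/`.pem` extensions and the idea of reading the fingerprint on the server itself are assumptions.

```ruby
require 'openssl'
require 'tmpdir'

# SHA-256 fingerprint of a certificate's DER encoding, as colon-separated hex.
def fingerprint(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Inspect every certificate in a trusted_certs directory. `pinned` is a list of
# fingerprints obtained out of band (assumption: read on the server itself).
def audit_trusted_certs(dir, pinned, now = Time.now)
  Dir.glob(File.join(dir, '*.{crt,pem}')).sort.map do |path|
    cert = OpenSSL::X509::Certificate.new(File.read(path))
    fp = fingerprint(cert)
    { file: File.basename(path),
      subject: cert.subject.to_s,
      fingerprint: fp,
      self_signed: cert.issuer.to_s == cert.subject.to_s && cert.verify(cert.public_key),
      expired: cert.not_after < now,
      pinned: pinned.include?(fp) }
  end
end

# Constructed sample input: a throwaway self-signed certificate.
def sample_self_signed(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    good = sample_self_signed('chef.lab.example') # hypothetical host names
    other = sample_self_signed('unknown.lab.example')
    File.write(File.join(dir, 'chef_lab_example.crt'), good.to_pem)
    File.write(File.join(dir, 'unknown_lab_example.crt'), other.to_pem)
    audit_trusted_certs(dir, [fingerprint(good)]).each do |r|
      status = r[:pinned] ? 'OK     ' : 'UNKNOWN'
      puts "#{status} #{r[:file]} #{r[:subject]} #{r[:fingerprint]}"
    end
  end
end
```

Any entry reported as UNKNOWN is a certificate that was trusted without a matching pin and should be compared with the server's real certificate before the node or workstation keeps using it.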

The last lines look like this.

As you can see, a few warnings are present. That’s OK; it’s just because we haven’t written any recipes or cookbooks for this node.

This is all for this post. Next time we’ll talk about executing PowerShell scripts in our recipes.

Please feel free to comment if you think some part(s) is (are) wrong or if I missed something.