
Configuring Chef Server and Clients

Now that Chef is installed on your system, we're going to be sneaky and use chef-solo to configure the system itself. During the planning stage, you should have determined which system would be your Chef Server. All other systems (including the server) will be Chef Clients.

Documentation here is out of date

The following instructions apply for chef 0.7.x and prior.

Deprecated soon, use bootstrap or new chef cookbooks

These instructions will be considered deprecated soon. Please start using the bootstrap cookbook for configuring RubyGems installations. Package installations should use the Opscode Chef Cookbook instructions for configuring Chef after installation.

RHEL / CentOS users: the RPMs will be updated soon so the package installation handles configuration rather than the bootstrap method.

Tested platforms

These instructions are best tested on:

  • Ubuntu 8.04+
  • Debian 5
  • CentOS 5.3

Other platforms probably won't work without modification to these cookbooks. Read how the cookbooks configure Chef if you want to understand the internals.

Enable Universe On Ubuntu

On Ubuntu, runit is located in the Universe repository, so make sure you enable Universe.

These instructions are for you if:

  • You're already using one of the best tested platforms listed above.
  • You want to get up and running as quickly as possible.
  • You want to simplify the chef-server setup by running it under Passenger+Apache.

If you're using the Ubuntu 9.10 (Karmic) packages for Chef, stop here. The packages handle what you'll need, though you'll need to adjust the config files for your environment. You may also wish to set up an Apache proxy for the server (see How to Proxy Chef Server with Apache).

Chef Server

Opscode provides a cookbook for configuring Chef itself. As of Chef version 0.6.0+, it will set up the chef-server merb application as a Passenger application under Apache2, to simplify deployment and provide SSL encryption.

Create Solo Config

We need to configure chef-solo's file and cookbook locations, so create solo.rb in your home directory (~/solo.rb).

Edit ~/solo.rb

Create JSON Data

We will tell Chef how to configure the system with a JSON data file. Create chef.json in your home directory (~/chef.json).

Edit ~/chef.json

This will set up the Chef Server with the default fully qualified domain name of 'hostname.domain' as detected by Ohai using the "hostname -f" command. It will also create a generic SSL certificate. You can adjust both these settings by adding these optional attributes to the JSON file. Make sure the CN value in the server_ssl_req correctly matches the Chef server FQDN or you may have SSL certificate issues.

Edit ~/chef.json

Seriously, read this warning!

One of the most common errors is that the Fully Qualified Domain Name for the Chef Server is not set correctly. See this FAQ answer for more information.
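The FQDN and CN checks described above can be run before chef-solo ever touches the system. The script below is an added example, not code from this page or from the Opscode chef cookbook; it assumes chef.json nests the attributes as {"chef": {"server_fqdn": ..., "server_ssl_req": ...}} and that server_ssl_req is an OpenSSL "-subj" style string with a /CN= component, which the page does not confirm.

```ruby
#!/usr/bin/env ruby
# Added example, not part of the Opscode wiki page or the chef cookbook.
# Pre-flight check for ~/chef.json: the CN in chef.server_ssl_req must match
# the FQDN the server will use, or clients will hit SSL certificate errors.
# Assumed layout (not confirmed by the page): {"chef": {"server_fqdn": "...",
# "server_ssl_req": "/C=US/ST=CA/O=Example/CN=chef.example.com/emailAddress=ops@example.com"}}
require 'json'

# Pull the CN component out of an OpenSSL "-subj" style string.
def cn_from_subject(subject)
  return nil if subject.nil?
  m = subject.match(%r{/CN=([^/]+)})
  m && m[1]
end

# The FQDN the cookbook will configure: an explicit chef.server_fqdn wins,
# otherwise Ohai's detected value (hostname -f), passed in by the caller so
# the check itself stays offline and testable.
def effective_fqdn(attrs, detected_fqdn)
  (attrs['server_fqdn'] || detected_fqdn).to_s
end

# Returns a list of problems; an empty list means the JSON is consistent.
def check_chef_json(json_text, detected_fqdn)
  attrs = JSON.parse(json_text).fetch('chef', {})
  problems = []
  fqdn = effective_fqdn(attrs, detected_fqdn)
  unless fqdn.include?('.')
    problems << "FQDN '#{fqdn}' has no domain part; set chef.server_fqdn"
  end
  subject = attrs['server_ssl_req']
  cn = cn_from_subject(subject)
  if subject && cn.nil?
    problems << 'server_ssl_req has no CN component'
  elsif cn && cn != fqdn
    problems << "certificate CN '#{cn}' does not match server FQDN '#{fqdn}'"
  end
  problems
end

# Usage: ruby check_chef_json.rb ~/chef.json
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  detected = `hostname -f`.strip
  problems = check_chef_json(File.read(File.expand_path(ARGV[0])), detected)
  if problems.empty?
    puts 'chef.json looks consistent'
  else
    problems.each { |p| puts "PROBLEM: #{p}" }
    exit 1
  end
end
```

The detected hostname is passed in rather than read inside check_chef_json so the same function can be pointed at a candidate chef.json for any host, including one whose hostname -f returns a bare 'hostname'.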

Run chef-solo

Now that we told it how to behave, run chef-solo, and tell it to fetch a remote tarball of cookbooks from a URL in Amazon's S3.

Chef Solo Installs and Configures Chef Server

This command will bring up the Chef Server environment, by doing the following:

  • Install chef-server and chef-server-slice gems.
  • Install Runit (for chef-indexer, stompserver)
  • Install Stompserver via RubyGem and start as a runit_service.
  • Install CouchDB (see below)
  • Install and configure Apache for 'hostname.domain' vhost, on port 443.
  • Generate self-signed SSL certificates for the Apache vhost.
  • Install Phusion's Passenger to run Chef as a Rack app.
  • chef-server will log to /var/log/chef/server.log.

SSL Certificates

This recipe will generate SSL certificates based on the chef[:server_ssl_req] attribute. If you have purchased SSL certificates from a CA, you'll need to replace the certificate created in /etc/chef/certificates.

Seriously, Read This Warning too!

This is the equivalent of downloading executable code and running it as root. It is very convenient, but certainly dangerous. You are welcome to install these by hand, or look at the code and verify what you are doing. You can check out the Chef recipes by downloading the tarball from S3, or view the cookbooks source on GitHub. We encourage you to review the recipes anyway, so you understand how they're put together. We use the apache2, runit, couchdb, stompserver, chef, passenger, ruby cookbooks.
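One practical way to act on that warning is to verify the tarball's checksum against a value you obtained out of band and to list what the extracted cookbooks will actually run before chef-solo executes them as root. The script below is an added example, not code from this page or the Opscode cookbooks; it assumes the tarball has already been extracted to a directory whose immediate subdirectories are cookbooks (for example /tmp/chef-solo/cookbooks), and the expected SHA-256 is a placeholder supplied by the operator, since the page publishes none.

```ruby
#!/usr/bin/env ruby
# Added example, not part of the Opscode wiki page or the chef cookbooks.
# Before handing a downloaded cookbook tarball to chef-solo as root, verify its
# checksum against a value obtained out of band and list what it will run.
# Assumptions: the tarball is already extracted to a directory whose immediate
# subdirectories are cookbooks (e.g. /tmp/chef-solo/cookbooks), and the
# expected SHA-256 is supplied by the operator (placeholder on the command line).
require 'digest'

# The cookbooks this page says the bootstrap uses.
EXPECTED_COOKBOOKS = %w[apache2 runit couchdb stompserver chef passenger ruby].freeze

# True when the file's SHA-256 equals the expected hex digest (case-insensitive).
def sha256_matches?(path, expected_hex)
  Digest::SHA256.file(path).hexdigest == expected_hex.to_s.strip.downcase
end

# Sorted names of the cookbook directories under an extracted tarball.
def cookbooks_in(dir)
  Dir.children(dir).select { |c| File.directory?(File.join(dir, c)) }.sort
end

# Names passed to include_recipe in a recipe file, in order of appearance.
def included_recipes(recipe_file)
  File.read(recipe_file).scan(/include_recipe\s+["']([^"']+)["']/).flatten
end

# Compare the tarball's contents with the cookbooks the page says it contains:
# anything unexpected deserves a read before it runs as root.
def audit_cookbooks(dir, expected = EXPECTED_COOKBOOKS)
  present = cookbooks_in(dir)
  { missing: (expected - present).sort, unexpected: (present - expected).sort }
end

# Usage: ruby audit_cookbooks.rb chef-solo.tar.gz /tmp/chef-solo/cookbooks <sha256-from-out-of-band-source>
if __FILE__ == $PROGRAM_NAME && ARGV.length == 3
  tarball, dir, expected_sha = ARGV
  abort 'checksum mismatch, do not run chef-solo with this tarball' unless sha256_matches?(tarball, expected_sha)
  puts "cookbooks: #{cookbooks_in(dir).join(', ')}"
  puts "audit: #{audit_cookbooks(dir)}"
  default_rb = File.join(dir, 'chef', 'recipes', 'default.rb')
  puts "chef::default includes: #{included_recipes(default_rb).join(', ')}" if File.exist?(default_rb)
end
```

The include_recipe listing is the same information you need for the CouchDB variant later on this page, where one include_recipe line is removed from chef/recipes/default.rb before re-running chef-solo.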

Chef Server Login

When chef-solo finishes running you should be able to access your Chef Server web front end via https and get something similar to the below example.

You will need an OpenID to login to the chef server. You can see if you already have one or how to get one from OpenID.net.

To log in you must use the full OpenID provider URL; for example, if your OpenID is from MyOpenID.com you would use yourusername.myopenid.com, then follow the prompts to authenticate and be redirected back to your Chef server.

You will certainly want to review how to secure the Chef Server to restrict OpenIDs.

Security Warning

The current bootstrap method does not configure the "authorized_openid_identifiers" variable at all, so the Chef Web UI is not locked down to particular OpenID accounts. If you would like to change this behavior on your install and limit which OpenID accounts can log in to the web UI, edit /etc/chef/server.rb so that it looks something like:

authorized_openid_identifiers [ "sysadmin.myopenid.com", "sysadmin1.myopenid.com", "sysadmin2.myopenid.com" ]
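To see what that setting does and to audit a server.rb for it, here is an added example that is not Chef's own code. MiniServerConfig is a small stand-in for Chef::Config, assumed here so the check runs without Chef installed; the allowlist comparison is a plausible normalisation of OpenID identifiers and may differ in detail from the chef-server web UI's real logic.

```ruby
#!/usr/bin/env ruby
# Added example, not Chef's own code. Reads authorized_openid_identifiers
# from server.rb-style text and decides whether a presented OpenID may log in
# to the web UI. MiniServerConfig is an assumed stand-in for Chef::Config.

# Chef config files are plain Ruby: `authorized_openid_identifiers [ ... ]`
# is a method call whose argument is the setting's value, so capture such calls.
class MiniServerConfig
  def initialize
    @settings = {}
  end

  # Only ever feed this a trusted, root-owned server.rb: it is evaluated as Ruby.
  def self.from_string(text)
    cfg = new
    cfg.instance_eval(text)
    cfg
  end

  def [](key)
    @settings[key]
  end

  # `name value` stores a setting; bare `name` reads it back.
  def method_missing(name, *args)
    if args.empty?
      @settings[name]
    else
      @settings[name] = args.first
    end
  end
end

# OpenID identifiers are URLs; compare without scheme, trailing slash or case
# so "http://Sysadmin.myopenid.com/" matches "sysadmin.myopenid.com".
def normalize_openid(identifier)
  identifier.to_s.strip.sub(%r{\Ahttps?://}i, '').sub(%r{/\z}, '').downcase
end

# Returns [allowed?, reason]. An unset or empty list reproduces the bootstrap
# default the page describes: the web UI accepts any OpenID account.
def openid_decision(identifier, allowlist)
  if allowlist.nil? || allowlist.empty?
    return [true, 'authorized_openid_identifiers unset: any OpenID can log in']
  end
  if allowlist.map { |id| normalize_openid(id) }.include?(normalize_openid(identifier))
    [true, 'identifier is on the allowlist']
  else
    [false, 'identifier is not on the allowlist']
  end
end

# Warnings a post-install audit of server.rb should raise.
def config_warnings(cfg)
  ids = cfg[:authorized_openid_identifiers]
  return ['authorized_openid_identifiers is unset: any OpenID account can log in to the web UI'] if ids.nil? || ids.empty?
  []
end

# Usage: ruby openid_audit.rb /etc/chef/server.rb [openid-to-test]
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  cfg = MiniServerConfig.from_string(File.read(ARGV[0]))
  config_warnings(cfg).each { |w| puts "WARNING: #{w}" }
  if ARGV[1]
    allowed, reason = openid_decision(ARGV[1], cfg[:authorized_openid_identifiers])
    puts "#{ARGV[1]}: #{allowed ? 'ALLOW' : 'DENY'} (#{reason})"
  end
end
```

Running the audit against the bootstrap's untouched server.rb prints the warning; after adding the authorized_openid_identifiers line shown above it goes quiet, and testing an identifier that is not on the list reports DENY.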

CouchDB

Optional method when installing CouchDB by hand if no distro package is available

The chef-server itself requires CouchDB to store node data. Ubuntu (8.10 - 9.04) and Debian 5.0.x have CouchDB available as a native package. Other platforms may not have a CouchDB package available and the bootstrap recipes used above will fail when the package is not found. (Note that Red Hat/Fedora EPEL just added CouchDB, see CentOS installation for more).

If you would still like to use these recipes to configure your chef-server under Passenger, you can remove 'include_recipe "couchdb"' from /tmp/chef-solo/cookbooks/chef/recipes/default.rb. Then run the solo command again without the -r and s3 URL, after CouchDB is installed.

Chef Solo with Local Cookbooks

Chef Clients

Once the server is up and running, you can connect to it with a chef-client, but first we need to tell the client how to do so. We'll use the instructions above with a slight change. The server already sets itself up as a client too, so you don't need to repeat these steps on the server.

Create Solo Config

Create the solo.rb file as before.

Edit ~/solo.rb

Create JSON Data

This time, the JSON file uses the client recipe. You'll need to specify the server hostname, or the client won't be able to connect to the right server and you'll see "500 server error" messages when the chef-client runs.

Edit ~/chef.json

Or, you can use the server_fqdn. If your host does not have a domain explicitly configured (hostname -f returns 'hostname' rather than 'hostname.domain'), you will need to configure both the server_fqdn and the server_ssl_req:

Edit ~/chef.json

Run chef-solo

The chef-solo command is the same as for the server.

Chef Solo Installs and Configures Chef Server

Again, you can replace 'latest' with the version, e.g. 0.7.4.

The Chef Clients will be configured for the following:

  • Run the chef-client program under runit.
  • Connect to the chef-server named "chef.your_domain".

Validate Chef Clients

Before you can apply any cookbooks you will need to validate client nodes in the Chef Server webui.

Next Steps

After running the chef-solo commands above, your Chef Server and Chef Clients will be ready to rock.

We recommend building yourself a new Chef Repository.


Copyright © 2009 Opscode, Inc. All Rights Reserved.