Nodes in Chef are the things that recipes are applied to. In practice, that most often means a single system (a computer, a switch, a router, etc.). But there is no explicit mapping of a node to a single system: a single system could execute the recipes for multiple nodes.
Components of a Node
A node is made up of two prime components: a list of Recipes to run (in the order you want them run) and Attributes. Recipes are the fundamental building block of Chef - they define the resources you want managed, in the order you want them managed. Attributes are data about your node - things like the network interfaces, file systems, or how many clients your Apache server can accept.
Lifecycle of a Node
When you start Chef Client or Chef Solo, the first thing we do is create a Node object. We then load up Ohai, which detects information about the operating system ("Ohai speaks for the operating system"). This also gives us access to this host's fully qualified domain name and hostname, which we use to grab the last known state of the Node from the Chef Server (assuming we are using Chef Client). Once there, we update all the Ohai attributes to their latest values and add any extra attributes specified via JSON on the command line. Finally, we run all of the Attribute files in all of the cookbooks in your Chef repository. From here, the Node is available within Recipes, Definitions, and Resources.
Authentication
Chef uses Signed Header Authentication for each request. Node data is separate from the identity used to authenticate requests to the Chef Server; that identity is managed as an API client. Each API client has a public/private key pair. The public half of the key is stored in the database on the server, and the private half is kept locally by the client. On a node running the Chef Client, the private key is generally stored in /etc/chef/client.pem. Each request to the Chef Server includes a request signature in the HTTP headers. The request signature is computed from the hash of the request content and encrypted with the client's private key, which lets the server verify the identity of the user or machine making the request and detect attempts to tamper with the content.
When a node runs chef-client for the first time, it generally does not yet have an API client identity, and so cannot make authenticated requests to the server. This is where the validation client, named "chef-validator" by default, comes in. When chef-client runs, it checks whether it has a client key. If the client key does not exist, it attempts to "borrow" the validation client's identity to register itself with the server. In order to do that, the validation client's private key needs to be copied to the host and placed in /etc/chef/validation.pem. Once the client machine has registered itself with the Chef Server, it no longer uses the validation client for anything. It is recommended that you delete the validation client's private key from the host after the host has registered.
For more information about the authentication mechanism, refer to the Authentication documentation.
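As an added example (not Chef's own code; the real implementation lives in the mixlib-authentication library), here is a simplified version of the signed-header exchange described above: the client hashes the path and body, signs the canonical request and splits the signature into X-Ops-Authorization-N headers, and the server recomputes the hashes, checks the timestamp and verifies the signature against the client's stored public key. The 900-second skew window, the PKCS#1/SHA-256 signature and the sample client name are assumptions made here, not the exact wire format of any particular Chef version.

```ruby
require "openssl"
require "base64"
require "time"

# Added example, not Chef's own code: a simplified signed-header exchange.
# The canonical request and the X-Ops-* header names follow Chef's scheme;
# PKCS#1 signing over SHA-256 is an assumption made here for clarity.
module SignedHeaders
  MAX_SKEW = 900 # seconds of clock difference a server will tolerate (assumed)
  # Base64 of a SHA-1 digest: the form used for Hashed Path and X-Ops-Content-Hash.
  def self.digest64(str)
    Base64.strict_encode64(OpenSSL::Digest::SHA1.digest(str))
  end
  # The string the signature covers: method, hashed path, hashed body,
  # timestamp and client name, one per line.
  def self.canonical(method, path, body, timestamp, client_name)
    ["Method:#{method.upcase}", "Hashed Path:#{digest64(path)}",
     "X-Ops-Content-Hash:#{digest64(body)}", "X-Ops-Timestamp:#{timestamp}",
     "X-Ops-UserId:#{client_name}"].join("\n")
  end
  # Client side: sign with the private key (/etc/chef/client.pem on a node) and
  # split the base64 signature into 60-character X-Ops-Authorization-N headers.
  def self.sign(private_key, client_name, method, path, body, now = Time.now.utc)
    ts = now.iso8601
    sig = private_key.sign("SHA256", canonical(method, path, body, ts, client_name))
    headers = { "X-Ops-Userid" => client_name, "X-Ops-Timestamp" => ts,
                "X-Ops-Content-Hash" => digest64(body) }
    Base64.strict_encode64(sig).scan(/.{1,60}/).each_with_index do |chunk, i|
      headers["X-Ops-Authorization-#{i + 1}"] = chunk
    end
    headers
  end
  # Server side: look up the client's stored public key, reject stale requests,
  # recompute the body hash and check the signature. Any failure yields false.
  def self.verify(public_keys, headers, method, path, body, now = Time.now.utc)
    name = headers["X-Ops-Userid"]
    pub = public_keys[name]
    return false unless pub && headers["X-Ops-Timestamp"] && headers["X-Ops-Content-Hash"]
    return false if (now - Time.iso8601(headers["X-Ops-Timestamp"])).abs > MAX_SKEW
    return false unless headers["X-Ops-Content-Hash"] == digest64(body)
    chunks = headers.keys.grep(/\AX-Ops-Authorization-\d+\z/).sort_by { |k| k[/\d+/].to_i }
    sig = Base64.strict_decode64(chunks.map { |k| headers[k] }.join)
    pub.verify("SHA256", sig, canonical(method, path, body, headers["X-Ops-Timestamp"], name))
  rescue ArgumentError, OpenSSL::PKey::PKeyError
    false
  end
end
```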
Managing Nodes
You can manage the recipes list and the attributes of your node in several ways:
Managing Nodes via Knife
Knife is Chef's command line tool, and can be used to create, edit, view, list, and delete nodes. For more information about Knife, refer to the Knife documentation.
Creating a node with Knife
1. Set the EDITOR environment variable, for example:
2. Create a new node, for example:
3. Enter the content of the node in JSON, for example:
4. Save it. If there isn't an existing node, you will see a warning message about that, which is normal. For example:
Editing a node with Knife
1. Set the EDITOR environment variable, for example:
2. Edit a node, for example:
3. Update the JSON in the editor.
4. Save it.
Viewing a node with Knife
Viewing all data in a node:
Viewing the run list of a node
Listing the nodes
Deleting a node with Knife
Managing Nodes via the Management Console
The Management Console is Chef's web interface. Nodes can be managed in the Management Console. For more information, refer to the Management Console documentation.
Creating a node with the Management Console
1. Log in to the Management Console using your Management Console User or OpenID (if it is already associated with your Management Console User). The default Management Console User is "admin".
2. Click Nodes.
3. Click Create.
4. Fill in the Name, then drag roles and recipes from the lists on the left side into the Run List. Add attributes in the JSON editor if necessary.
5. Click Create Node.
Editing a node with the Management Console
1. Log in to the Management Console.
2. Click Nodes.
3. Click the Edit link for the Node you want to edit in the list of nodes.
4. Click and drag a recipe from the "Available Roles" and "Available Recipes" lists into the Run List. Make sure you place the "recipe rectangle" into the white section at the top of the "Run List" area. Arrange multiple recipes in the order in which they should execute.

5. Scroll down and click Save.
On your next Chef run, the new recipe will be applied.
Viewing a node with the Management Console
1. Log in to the Management Console.
2. Click Nodes.
3. Click on the node you want to view.
Listing the nodes with the Management Console
1. Log in to the Management Console.
2. Click Nodes.
Deleting a node with the Management Console
1. Log in to the Management Console.
2. Click Nodes.
3. Next to the name of the node you want to delete, click the Delete link.
Managing Nodes through JSON at the command line
Both Chef Client and Chef Solo allow you to write JSON to a file and read it in from the command line. The file should contain a hash, the elements of which will be added as attributes on your Node.
There are two special entries that can be used to set which cookbooks/recipes will be applied at run time:
- run_list - specify roles and/or recipes to add to the node.
- recipes - add only recipes to the node. This should not be used; always use run_list for this purpose.
For all you AWS users: this is an awesome way to use per-instance metadata. You can just stick some JSON in, have it written to a file on disk, and read that file with the Chef Client or Chef Solo to configure your nodes. Easy peasy!
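An added example, not from the page or from Chef itself, of preparing the JSON file that chef-client or chef-solo reads from the command line: top-level keys become node attributes, run_list carries role[...] and recipe[...] items, and a leftover deprecated recipes key is folded into run_list so only the supported entry remains. The run_list item pattern and the /etc/chef/node.json path in the comment are assumptions.

```ruby
require "json"

# Added example, not Chef's own code: build and check the node JSON that is
# passed to chef-client or chef-solo with -j. Top-level keys become attributes;
# run_list holds role[...]/recipe[...] items; the deprecated "recipes" key is
# migrated into run_list because run_list is the entry that should be used.
module NodeJson
  # Accepted run_list item shapes (an assumption): role[name], recipe[cookbook]
  # and recipe[cookbook::recipe].
  RUN_LIST_ITEM = /\A(role|recipe)\[[A-Za-z0-9_\-]+(::[A-Za-z0-9_\-]+)?\]\z/

  # Returns a cleaned copy of the node hash or raises ArgumentError when a
  # run_list entry does not look like a role or recipe reference.
  def self.normalize(node)
    node = node.dup
    run_list = Array(node.delete("run_list"))
    # Entries from the deprecated "recipes" key are recipes only, so wrap bare
    # names as recipe[...] and append them after the explicit run_list.
    Array(node.delete("recipes")).each do |r|
      run_list << (r.to_s.start_with?("recipe[") ? r : "recipe[#{r}]")
    end
    bad = run_list.reject { |item| item.is_a?(String) && item.match?(RUN_LIST_ITEM) }
    raise ArgumentError, "invalid run_list entries: #{bad.inspect}" unless bad.empty?
    node.merge("run_list" => run_list.uniq)
  end

  # Pretty-printed JSON ready to be written to e.g. /etc/chef/node.json and
  # used as: chef-solo -j /etc/chef/node.json (path is an assumption).
  def self.generate(node)
    JSON.pretty_generate(normalize(node))
  end
end
```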
Managing Nodes via a Cookbooks Attribute or Recipe file
You can also ensure that an attribute is set via an Attribute or Recipe file.
Nodes FAQ
How do I run more than one node on a system?
You can use the -N option to chef-client or chef-solo to set the node name manually.
Comments (2)
Aug 11, 2009
Michael Marano says:
It's probably worth noting that the chef client has the following default in /etc/chef/client.rb:
If for some crazy reason, you have any firewall or iptables rules set up between your chef server and clients, you're probably going to want to open port 444 for your clients to successfully connect for validating registration. I've got some restrictive default iptables rules on my servers, and this caught me.
Mar 03
Robert J. Berger says:
You can get the authoritative name of a node (the name that can be used as a handle for editing or deleting the node) with
It may or may not be the same as
or sometimes