|
These instructions describe the steps required to upgrade Chef from 0.7.x to 0.8.x using RubyGems and the bootstrap cookbook provided by Opscode. Be familiar with [New Features in 0.8.x] before starting.
|
Table of Contents
|
Platform Requirements
See the Installation page for platform and system requirements for Chef 0.8.x. For ease of installation we recommend a distribution that has binary packages available.
Upgrade Chef Server
Chef 0.8.x requires that the server be upgraded first.
Stop Running Services
Stop the client.
Stop the indexer and stompserver. These are replaced in 0.8.
Stop the server. If using runit, we send the 'int' signal, or the merb workers may not be terminated properly by the master. If not using runit, use 'stop'. In either case, be sure the merb processes are stopped.
If the workers are still running, they can be killed.
Remove Replaced Services
We're going to replace the 0.7 chef-indexer and its required stompserver, so we need to remove the old versions' service startup. First, if using runit (default with RubyGems).
Common to both runit and init scripts.
Update RubyGems Itself
If you're running an older version of RubyGems, you are required to update to the latest version (1.3.6). If you're using a binary package (i.e., Debian/Ubuntu or Red Hat/CentOS), we recommend installing from source instead, as the gem update command may fail to work properly. Many distributions do not have rubygems 1.3.6 as of 2010-03-30.
Update Mixlibs
In order to install Chef 0.8 and use the bootstrap cookbook, we also need to update the mixlibs, as some improvements have been made.
Update Chef
Now we're ready to update chef itself.
Configure Bootstrap
Create a solo.rb and chef.json to configure the chef-solo bootstrap. This is similar to the bootstrap cookbook procedures. Be sure to understand the settings for paths from the README.
 | New in Chef 0.8.x In 0.8, the webui is separate from the API. It makes calls to the API directly, and is a separate gem. If you don't want to use the webui, you can skip it in the upgrade by specifying false for the attribute "webui_enabled". If enabled, the webui also creates an admin user with a default password as specified here. If a password is not set, Chef will generate one randomly and it will be rendered in /etc/chef/server.rb. Either way, the password can be changed in the webui itself. |
 | Merb Session Cookie If you receive an error when connecting to the webui and find the above error in the webui log, you need to delete the '_chef_server_session_id' cookie in your web browser. |
Upgrade Using Bootstrap
Now let's actually install the latest Chef gems and various dependencies using chef-solo and the bootstrap cookbook.
Once complete, we will have the following services running.
| Service | Port |
|---|---|
| chef-server-api | 4000 |
| chef-server-webui | 4040 |
| couchdb | 5984 |
| rabbitmq | 5672,4369,47762 |
| chef-solr | 8983 |
| New in Chef 0.8.x Note that the API runs on port 4000, and the webui now runs on port 4040. |
Authentication
In 0.8, Authentication is done with RSA certificates. The bootstrap will generate two certificates:
- /etc/chef/validation.pem - used to create and validate new clients that run chef-client.
- /etc/chef/webui.pem - used to create new API clients that interact with the API to configure Chef.
If you enabled the WebUI, the /etc/chef/webui.pem is used to authenticate with the API already. To enable command-line access to the API using Knife, you should create a user configuration. This is as easy as:
Make sure that the validation.pem is copied to ~/.chef/chef-validator.pem, so you can create clients with knife. Also, a private key will be presented, paste the contents into the client username PEM as indicated in the output.
| Sudo?? Sudo is used here because the certificate /etc/chef/webui.pem is created by the bootstrap with read only permission for root. |
Upgrade Clients
Clients can't talk to the server until they're upgraded as well. We use the bootstrap for this.
Update Mixlibs and Chef
As with the server, we'll update the mixlibs and the chef gems:
Configure Chef Solo
Again, configure chef solo. Be sure to point to the correct server_fqdn for your environment.
Run Chef Solo
Now run chef-solo to configure it to use the specified chef-server.
| New in Chef 0.8.x The client configuration file generated by this is smaller than in previous versions for most installations, as the client needs to talk to the right server and use the right validation certificate. /etc/chef/client.rb |
Create Client Certificate on first Chef Run
Copy the validation.pem certificate created by the server to the client, and put it in the directory that corresponds to your validation_key value in client.rb (this is usually /etc/chef/validation.pem). Assuming the validation.pem key can be read, and the clocks on your client and server aren't too far out of sync, when you run your first chef run, the server will create a new client.pem key and pass it to the newly upgraded client, for it to sign all future HTTP requests with. If you still have issues, check the documentation on Chef's authentication.
Remove the Validation Certificate from the client
Use Opscode's chef::delete_validation or similar to remove the validation certificate after the client is registered.
Chef Repository Workflow
You should familiarize yourself with Chef Repository for managing your infrastructure. If you weren't using this repository before, now is a good time to start, it makes a lot of tasks easier.