Previously we setup and configured chef-server, and configured a user and client with knife. Now we want to add a node. This again is just localhost on the chef-server as an example, but typically you would replace localhost with an FQDN of the node you’re preparing.
We can use knife to install, configure and create a new node in chef.
# replace localhost with an FQDN of the node you wish to bootstrap
knife bootstrap localhost
# see additional configuration options
knife bootstrap --help
When bootstrapping, you will need to enter the root ssh password of the host you’re bootstrapping. If you have root login disabled for ssh, you can use a user with sudo privileges, more information on doing that can be found by looking at knife bootstrap –help.
You will probably see a warning that looks like this, because in this case we’re using a self-signed cert.
localhost SSL validation of HTTPS requests is disabled. HTTPS connections are still localhost encrypted, but chef is not able to detect forged replies or man in the middle localhost attacks.
To squelch this warning, we need to copy the chef-server crt into /etc/chef/trusted_certs. Ours will be called localhost, but this will be whatever the FQDN of the server is.
mkdir /etc/chef/trusted_certs; cp /var/opt/chef-server/nginx/ca/localhost.crt /etc/chef/trusted_certs/
Now we should be able to pass the ssl check.
[root@localhost ~]# knife ssl check -c /etc/chef/client.rb
Connecting to host localhost:443
Successfully verified certificates from `localhost'
We still see another error, that can be squelched by adding ssl_verify_mode :verify_peer to the client.rb conf.
echo "ssl_verify_mode :verify_peer" >> /etc/chef/client.rb
After the bootstrap completes, it’ll run chef on the new node, however since we don’t have any cookbooks or recipes at this point, it won’t actually do anything on the server. We will however now see our node listed when running knife node list.
[root@localhost ~]# knife node list(Comments)