ericcalabretta

Using chef zero with policyfile archive

Prep Steps:

1. Create the archive to share. This includes all the cookbooks, dependencies and config needed to run Chef-Client in a local mode. It's also versioned so you can track what exactly you ran.

git clone the desired cookbook 
move into directory
chef install
chef export -a path_to_cookbook_destination

ericcalabretta

Bootstrap chef client

To bootstrap a node we need to install install Chef-Client and configure Chef-Client to talk to Chef-Server. We can either use knife bootstrap or the validator bootstrap methods each with different stregths.

Knife Bootstrap

Requires SSH or winrm access to the node & access.

The nodes also need access to download.chef.io to download the chef-client.

ericcalabretta

Bootstrap chef client with Validator Bootstrap Option

To bootstrap a node we need to install install Chef-Client and configure Chef-Client to talk to Chef-Server.

The validator bootstrap option has the client bootstrap itself, and is commonly used with another tool like vRA, Terraform or SCCM to perform the initial fleet bootstrap.

Steps:

1. Download appropriate chef-client from https://downloads.chef.io/

ericcalabretta

Step 1: Configure your workstation to talk to chef-server

First you'll need to install Chef-Workstation on your laptop. This includes all the tools you need to use Chef.

https://downloads.chef.io/chef-workstation/0.17.5

Test your chef-workstation install with chef --version command.

Chef Workstation version: 0.7.4

ericcalabretta

wget http://34.221.48.134:8081/artifactory/example-repo-local/chef-15.8.23-1.el7.x86_64.rpm -O /tmp/chef-15.8.23-1.el7.x86_64.rpm
sudo rpm -ivh /tmp/chef-15.8.23-1.el7.x86_64.rpm

ericcalabretta

driver:
  name: vagrant
  # Air-gap settings to pull box from internal repo
  box: centoss-7-v202002.04.0
  box_url: http://34.223.67.135:8081/artifactory/example-repo-local/centoss-7-v202002.04.0.box
  box_download_insecure: True

provisioner:
  name: chef_zero
  # Air-gap settings to pull chef-client from internal repo

ericcalabretta

include_recipe 'audit::default'

node.default['audit']['reporter'] = 'chef-server-automate'
node.default['audit']['fetcher'] = 'chef-server'

case node['platform']
when 'centos'
  node.default['audit']['profiles']['cis-centos7-level1-server'] = {
    'compliance': 'admin/cis-centos7-level1-server',
    'version': '2.2.0-14'

ericcalabretta

Step 1: Set up Chef Automate & Chef Server

Downloads the automate deployment cli curl https://packages.chef.io/files/current/latest/chef-automate-cli/chef-automate_linux_amd64.zip | gunzip - > chef-automate && chmod +x chef-automate

Generate a config file:

sudo ./chef-automate init-config

Make sure fqdn = "yourFQDN" It'll pull this from the system hostname by default

ericcalabretta

driver:
  name: vagrant
  # Air-gap settings to pull box from internal repo
  box: linux-box-name
  box_url: http://URL_to-linux-virtual-box.box
  box_download_insecure: True

provisioner:
  name: chef_zero
  # Air-gap settings to pull chef-client from internal repo

ericcalabretta

driver:
  name: vagrant
  # box: windows-box-name
  # box_url: http://FQDN_to-windows-virtual-box.box
  # box_download_insecure: True
  boot_timeout: 1200
  gui: false

provisioner:
  name: chef_zero