Chef chef-validator.pem security
This was one of the items discussed at a recent Foodfight episode on managing "secrets" in chef. Highly recommended watching:
- http://foodfightshow.org/2013/07/secret-chef.html
The knife bootstrap operation uploads this key when initializing new chef clients. Possession of this key enables the client to register itself against your chef server. That is actually its only function, once the client is up and running the validation key is no longer needed.
But it can be abused. As @cbl has pointed out, if an unauthorized third party gets access to this key, they can create new clients that can see everything on your chef server that normal clients can see. It can theoretically be used to create a denial-of-service attack on your chef server, by flooding it with registration requests.
The foodfight panel recommends a simple solution: enable the chef-client cookbook on all nodes. It contains a "delete_validation" recipe that will remove the validation key and reduce your risk exposure.
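The cleanup the answer above describes, written out in plain Ruby as an added example (this is not the chef-client cookbook's delete_validation recipe and uses no Chef DSL): the shared validator key is removed only once the node holds its own client.pem, because before that point the node still needs validation.pem to register. The function names, the key-path keyword arguments and the key_status helper are this example's own; the /etc/chef paths are chef-client's defaults.

```ruby
# Key locations chef-client uses by default; both are parameters so the logic
# can be exercised against a scratch directory instead of a live node.
DEFAULT_CLIENT_KEY     = "/etc/chef/client.pem"
DEFAULT_VALIDATION_KEY = "/etc/chef/validation.pem"

# Remove the shared validator key once the node holds its own client key.
# Returns a symbol so callers can act on (and tests can check) the outcome:
#   :deleted      - validation.pem sat next to client.pem and was removed
#   :kept         - client.pem is missing, so the node has not registered yet and
#                   still needs validation.pem for its first chef-client run
#   :already_gone - nothing to do
def delete_validation_key(client_key: DEFAULT_CLIENT_KEY,
                          validation_key: DEFAULT_VALIDATION_KEY)
  return :already_gone unless File.exist?(validation_key)
  return :kept unless File.exist?(client_key)

  # Best-effort overwrite before unlinking, so the private key bytes are not
  # simply left behind in freed blocks; then remove the file.
  File.open(validation_key, "r+b") do |f|
    f.write("\0" * f.size)
    f.flush
  end
  File.delete(validation_key)
  :deleted
end

# Read-only inventory helper for a post-bootstrap audit: report which of the
# two keys are present in a chef config directory.
def key_status(dir)
  {
    client_key:     File.exist?(File.join(dir, "client.pem")),
    validation_key: File.exist?(File.join(dir, "validation.pem")),
  }
end

# Run directly on a node (as a user that can write /etc/chef) to apply the cleanup.
if __FILE__ == $PROGRAM_NAME
  puts "before: #{key_status('/etc/chef')}"
  puts "result: #{delete_validation_key}"
end
```

A node that reports :kept has not completed its first chef-client run yet; a fleet-wide sweep that only ever sees :deleted or :already_gone is the state you want after bootstrap.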
Preventing Chef client from accessing all data on server
That's unfortunately only possible with Enterprise Chef - the commercial version.
Chef clients and validators
Answering your updated questions
1) validation.pem (and client.rb) would be created after the bootstrap process. You need to run the command (knife configure client) shown below in order to create those files. Once those files are created in the ~/.chef directory, you need to move them to /etc/chef:
knife configure client ~/.chef
sudo su
mkdir -p /etc/chef
cp ~/.chef/client.rb /etc/chef
cp ~/.chef/validation.pem /etc/chef
and the output would be:
Creating client configuration
Writing client.rb
Writing validation.pem
2) client.pem will be created during the first chef-client run. Excerpts from the Chef Documentation:
"During the first chef-client run, this(client.pem) private key does not exist. Instead, the chef-client will attempt to use the private key assigned to the chef-validator, located in /etc/chef/validation.pem. (If, for any reason, the chef-validator is unable to make an authenticated request to the Chef server, the initial chef-client run will fail.)"
For instance, I generally do it in the following manner. Once the client is set up (for the first time) and I run the chef recipe on that node using the chef-client command as below, then it would automatically create client.pem:
chef-client -o Cookbook_name::Recipe_Name
3) MAKE SURE YOUR HOSTNAME IS UNIQUE/CORRECT BEFORE DOING THIS. On CentOS, change the /etc/sysconfig/network file and use /etc/init.d/network restart to rebind everything.
My answer to the first question is the solution here. After running the command (generally this command is run after bootstrap)
knife configure client ~/.chef
the hostname of the client node would be automatically created in the chef-server.
Answers to your first and second questions (before editing the question)
1) Everything you see in the following link http://mychefserver.example.com/clients is the set of nodes (physical machines) that are registered with that particular Chef-Server. Chef-Client is an agent that would be running on each and every node that is registered with the chef-server. Chef-client is used to run the recipes on the corresponding nodes. Below is the way to run the chef recipe on a node using chef-client:
chef-client -o Cookbook_name::Recipe_Name
Putting it all together: clients are the set of nodes which are connected to the chef-server; chef-client is an agent running on all the nodes and is used to register the node with the chef-server in order to bring the node to the desired state. There are many other uses of chef-client. For details visit the Chef-Client documentation page.
2) A bootstrap is a process that installs the chef-client on a target system so that it can run as a chef-client and communicate with a Chef server.
To put it another way, the bootstrap process is the way to install chef-client on a node (hardware machine) and make that node one of the clients for that chef-server. Only once the bootstrap process is completed will that particular node be visible in the clients list in your
http://mychefserver.example.com/clients
chef-client failed to register to chef-server
You need to additionally configure your chef client with the trusted SSL certs as described in the following document:
https://docs.chef.io/chef_client_security.html
Alternatively, disable SSL verification by adding the following to your client.rb file:
ssl_verify_mode :verify_none
PS
- Have you considered using "knife bootstrap" to set up chef on new nodes? A lot easier, and it will do most of this hard work for you.
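An added example (not part of the answer above, and not a Chef or knife tool) that shows the weak client.rb setting from the answer beside its hardened counterpart and audits a client.rb fragment for it without evaluating the file as Ruby. The two fragments, the chef.example.internal server name, the acme organization, and the parse_client_rb / audit_client_rb / Finding names are constructed for this example; ssl_verify_mode, trusted_certs_dir and chef_server_url are real client.rb settings, and `knife ssl check` is the real knife command for testing the trust store.

```ruby
# Constructed client.rb fragments (not from any real node): the weak setting
# from the answer above, and the hardened form that keeps verification on and
# trusts the server's certificate explicitly.
WEAK_CLIENT_RB = <<~RB
  chef_server_url "https://chef.example.internal/organizations/acme"
  validation_client_name "acme-validator"
  # quick fix for "certificate verify failed"
  ssl_verify_mode :verify_none
RB

HARDENED_CLIENT_RB = <<~RB
  chef_server_url "https://chef.example.internal/organizations/acme"
  validation_client_name "acme-validator"
  ssl_verify_mode :verify_peer
  trusted_certs_dir "/etc/chef/trusted_certs"
RB

Finding = Struct.new(:severity, :line, :message)

# Parse the "key value" lines of a client.rb into { key => [value, line_no] }.
# Naive on purpose: one setting per line, '#' comments stripped, no Ruby
# evaluation, so the file can be audited without executing it (client.rb is
# Ruby code, after all). Quoted values keep their quotes.
def parse_client_rb(text)
  settings = {}
  text.each_line.with_index(1) do |raw, n|
    line = raw.sub(/#.*/, "").strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    settings[key] = [value, n]
  end
  settings
end

# Return findings about the TLS configuration; an empty array means nothing to report.
def audit_client_rb(text)
  settings = parse_client_rb(text)
  findings = []

  mode, mode_line = settings["ssl_verify_mode"]
  if mode == ":verify_none"
    findings << Finding.new(:high, mode_line,
      "ssl_verify_mode :verify_none disables server certificate verification; " \
      "the node will trust any host answering at chef_server_url, not just your " \
      "Chef server. Use :verify_peer and put the server's certificate in trusted_certs_dir.")
  end

  url, url_line = settings["chef_server_url"]
  if url && url.start_with?('"https://') && mode != ":verify_none" &&
     !settings.key?("trusted_certs_dir")
    findings << Finding.new(:info, url_line,
      "no trusted_certs_dir set; chef-client falls back to its default trust store, " \
      "so confirm the server certificate is trusted there (knife ssl check).")
  end

  findings
end

if __FILE__ == $PROGRAM_NAME
  { "weak" => WEAK_CLIENT_RB, "hardened" => HARDENED_CLIENT_RB }.each do |name, rb|
    report = audit_client_rb(rb).map { |f| "[#{f.severity}] line #{f.line}: #{f.message}" }
    puts "#{name}: #{report.empty? ? 'no findings' : report.join("\n  ")}"
  end
end
```

Pointing audit_client_rb at the contents of /etc/chef/client.rb on each node gives a quick fleet check for the :verify_none "fix" being left in place after the certificate problem it was meant to work around has been solved.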
OpsWorks for Chef Automate and Chef validator-key
You can retrieve the key (Chef Server never stores the private half of keys for security) but you should be able to reset the key or create a new validator client using knife client commands. The only thing special about the validator client is it has create permissions on the client container (which you can set up using knife-acl).
Chef encountered an error attempting to create the client
You have the validation client name set to learnchef, which would be very unusual. It's usually $orgname-validator or $orgname-validation depending on the version of Chef Server. If you have knife working locally, you can check with knife client list.