Chef Smart Proxy and Ubuntu

Hey all,

I was wondering if the Chef Smart Proxy configuration settings are only
supported on RHEL?

I downloaded the foreman-proxy package using apt on an Ubuntu server, but
the options to configure Chef were not in the setting.yml.

Thanks,

Jordan

Hello Jordan,

It's definitely not RHEL only. I was using it in an Ubuntu environment. We were
missing some commented documentation in that config file, but in the new modularized
proxy it's already part of it. Sorry for the inconvenience.

These are options you are probably interested in:

# enable Chef management
:chefproxy: true
:chef_authenticate_nodes: true
:chef_server_url: https://chef.example.com
# smart-proxy client node needs to have some admin right on chef-server
# in order to retrieve all nodes public keys
:chef_smartproxy_clientname: chefproxy
:chef_smartproxy_privatekey: /etc/chef/chefproxy.pem
:foreman_url: https://foreman.example.com/foreman

-- Marek

Maybe I should add the error I see in /var/log/foreman/production.log:

Started POST "/api/reports" for 10.100.80.5 at 2014-09-11 10:58:13 -0700
Processing by Api::V2::ReportsController#create as JSON
  Parameters: {"report"=>"[FILTERED]", "apiv"=>"v2"}
No SSL cert with CN supplied - request from 10.100.80.5,
  Rendered api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout (0.5ms)
Filter chain halted as :require_puppetmaster_or_login rendered or redirected
Completed 403 Forbidden in 2.8ms (Views: 1.2ms | ActiveRecord: 0.0ms)

And when I run chef-client on the chef-smart-proxy/foreman server host, it
sends to STDOUT:
Starting Chef Client, version 11.14.6
resolving cookbooks for run list: []
Synchronizing Cookbooks:
Compiling Cookbooks…
Converging 0 resources

Running handlers:
  - ChefHandlerForeman::ForemanFacts
Running handlers complete
Chef Client finished, 0/0 resources updated in 4.23382299 seconds
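The rejection in the log above can be pulled out of production.log mechanically. This added example (not code from the thread or from Foreman) groups the Rails log lines into requests and reports, per client IP, which ones ended in 403 after a halted filter; the sample log is constructed from the lines quoted above plus one invented successful upload, and the function names are illustrative.

```ruby
# Added example (not from the thread). SAMPLE_LOG is constructed: the first
# request is the one quoted above, the second is an invented successful upload.
SAMPLE_LOG = <<~LOG
  Started POST "/api/reports" for 10.100.80.5 at 2014-09-11 10:58:13 -0700
  Processing by Api::V2::ReportsController#create as JSON
    Parameters: {"report"=>"[FILTERED]", "apiv"=>"v2"}
  No SSL cert with CN supplied - request from 10.100.80.5,
    Rendered api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout (0.5ms)
  Filter chain halted as :require_puppetmaster_or_login rendered or redirected
  Completed 403 Forbidden in 2.8ms (Views: 1.2ms | ActiveRecord: 0.0ms)
  Started POST "/api/reports" for 192.0.2.20 at 2014-09-11 11:05:40 -0700
  Processing by Api::V2::ReportsController#create as JSON
  Completed 201 Created in 41.0ms (Views: 1.0ms | ActiveRecord: 9.3ms)
LOG

Request = Struct.new(:verb, :path, :ip, :time, :status, :halted_by, :reason)
STARTED   = /\AStarted (\w+) "([^"]+)" for (\S+) at (.+)\z/
NO_CERT   = /\ANo SSL cert with CN supplied/
HALTED    = /\AFilter chain halted as :(\w+)/
COMPLETED = /\ACompleted (\d{3}) /

# Group log lines into requests (Started ... Completed) and keep the auth details.
def parse_requests(log)
  requests = []
  current = nil
  log.each_line do |raw|
    line = raw.strip
    case line
    when STARTED   then current = Request.new($1, $2, $3, $4)
    when NO_CERT   then current.reason = line.sub(/,\z/, "") if current
    when HALTED    then current.halted_by = $1 if current
    when COMPLETED
      next unless current
      current.status = $1.to_i
      requests << current
      current = nil
    end
  end
  requests
end

# Per client IP: how many requests were answered 403 after a halted filter, and why.
def rejected_by_client(requests)
  denied = requests.select { |r| r.status == 403 && r.halted_by }
  denied.group_by(&:ip).map do |ip, rs|
    { ip: ip, count: rs.size, filter: rs.first.halted_by, reason: rs.first.reason }
  end
end

puts rejected_by_client(parse_requests(SAMPLE_LOG)) if __FILE__ == $PROGRAM_NAME
```

The parser assumes one request's lines are contiguous; with several Rails workers writing to the same file the lines can interleave.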

Thanks Mark!

It's all up and running now. Do you know of a way to check if the chef
proxy is working though? If it's reporting facts to the Foreman server?

Thanks,

Jordan

Slight update, it does have the sending resource report in the logs.

Thanks,

Jordan


Hello Jordan,

You can run chef client and, after it has finished, check whether
something appeared in the UI in foreman. If not, you can try checking
/var/log/foreman/production.log to see whether something reached foreman. If
you don't see anything like that, you can check the proxy logs at
/var/log/foreman-proxy/proxy.log (you may want to adjust the log level to debug
first).

I hope you can see facts in UI so you don't have to debug :-)

-- Marek

Hi Marek,

Actually the chef-proxy issue has been resolved. So it seems like I just
had to turn off the require_ssl_puppetmasters and restrict_registered_puppetmasters
settings located in settings->auth.

Thanks for all your help!

Jordan


Hey Marek,

When I run chef-client (with the chef foreman handler gem configured) on a
chef client not currently on the foreman server,
nothing happens. I went to check the /var/log/foreman/production.log and
it seems to be an error with puppet and ssl. I keep receiving a 403
forbidden error because it doesn't have the right certs.
Is there a way to do without puppet? Also I set the proxy logs to debug
and I don't see anything regarding chef-proxy within
/var/log/foreman-proxy/proxy.log.
It may be because the client can't even reach the server in the first place?

Thanks,

Jordan


Hello Jordan

I'm glad that you solved the issue. I'd be curious whether you could manage to
replace the certs with some not provided by puppetca (I guess you should be able to
do so). Also, I think that since your proxy and foreman are on the same host, it's
OK to not require ssl. But we should improve the authentication setup between
smart proxy and foreman, or at least document it for chef users. Added to my
chef todo list.

Thanks for sharing all the information.

-- Marek

Hi Jordan

It can definitely work without puppet. It just may need some tweaks around
foreman - foreman_proxy authentication. Could you describe your setup a bit?
Are foreman, foreman-proxy and chef-server each on a separate host? Can you
send your chef client config and foreman proxy config? Info about the versions of
foreman-proxy, chef-handler-foreman, chef and foreman-chef could help.

The first thing to check is your chef client. If you have reporting enabled and the log
level set to info (or debug), you should be able to find the 'Sending resource
update report to foreman' message in /var/log/chef.log. If it's not there, you
don't have chef-handler-foreman configured correctly. If you find it, we'll
continue with debugging :-)

Thanks for the update

-- Marek

Hey Marek,

Thanks for the quick replies.

Currently I have the foreman server and the chef-smart-proxy on the same
host, and the chef-server on a separate host.
I'm also using chef-client (11.14.6), chef-server (11.xx.x?),
chef_handler_foreman (0.0.7), foreman_chef (0.0.4).

So my chef server url: https://chef.mydomain.com
foreman server url: https://foreman.mydomain.com

The chef-client I'm using to test is on the foreman server, and the
client.rb looks like:
require 'chef_handler_foreman'
log_location "/var/log/chef.log"
foreman_server_options :url => 'https://foreman.mydomain.com'
foreman_facts_upload true
foreman_reports_upload true
reports_log_level "debug"
chef_server_url "https://chef.mydomain.com:443"
validation_client_name "chef-validator"

The configuration on the chef-smart-proxy which is also on the foreman
server is:
:chefproxy: true
:chef_authenticate_nodes: true
:chef_server_url: "https://chef.mydomain.com"
:chef_smartproxy_clientname: 'foreman.mydomain.com'
:chef_smartproxy_privatekey: '/etc/chef/client.pem'
:foreman_url: "https://foreman.mydomain.ibm.com"

When I run chef-client, I don't see the 'Sending resource
update report to foreman' message in /var/log/chef.log. The foreman
smartproxy clientname also has admin privileges.

Also, I used the foreman-installer to install the foreman server and smart
proxy. So the SSL configurations are already set up in the smart proxy
settings.yml file.
For the foreman - smart_proxy authentication, do I still go about using
SSL? It seems like the certs are managed by puppet.

Thanks again,

Jordan

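A consistency check over the two files posted above, as an added example that is not part of the thread or of smart-proxy: it loads the proxy's Chef settings, checks that node authentication and HTTPS are on and that the private key is readable, and compares the Foreman and Chef hosts against client.rb. The setting keys and values are copied from the post; `lint`, `client_rb_url` and `key_ok` are names made up for the example.

```ruby
require "yaml"
require "uri"

# Added example. Constructed inputs: the relevant lines of the two files as posted above.
PROXY_SETTINGS = <<~YAML
  :chefproxy: true
  :chef_authenticate_nodes: true
  :chef_server_url: "https://chef.mydomain.com"
  :chef_smartproxy_clientname: 'foreman.mydomain.com'
  :chef_smartproxy_privatekey: '/etc/chef/client.pem'
  :foreman_url: "https://foreman.mydomain.ibm.com"
YAML
CLIENT_RB = <<~RUBY
  foreman_server_options :url => 'https://foreman.mydomain.com'
  chef_server_url "https://chef.mydomain.com:443"
RUBY

# Pull the quoted URL that follows a client.rb directive (nil when absent).
def client_rb_url(text, directive)
  text[/^#{Regexp.escape(directive)}\s+(?::url\s*=>\s*)?['"]([^'"]+)['"]/, 1]
end

# Returns a list of findings; key_ok is injectable so the check can run off-host.
def lint(settings_yaml, client_rb, key_ok: ->(path) { File.readable?(path) })
  s = YAML.safe_load(settings_yaml, permitted_classes: [Symbol])
  findings = []
  findings << "chefproxy is not enabled" unless s[:chefproxy] == true
  findings << "chef_authenticate_nodes is not true" unless s[:chef_authenticate_nodes] == true
  %i[chef_server_url foreman_url].each do |key|
    findings << "#{key} is not https" unless URI.parse(s[key].to_s).scheme == "https"
  end
  pem = s[:chef_smartproxy_privatekey].to_s
  findings << "private key #{pem} is missing or unreadable" unless key_ok.call(pem)
  # Both sides must name the same Foreman and Chef hosts.
  pairs = { foreman_url: "foreman_server_options", chef_server_url: "chef_server_url" }
  pairs.each do |key, directive|
    client = client_rb_url(client_rb, directive)
    next if client.nil?
    proxy_host, client_host = URI.parse(s[key].to_s).host, URI.parse(client).host
    next if proxy_host == client_host
    findings << "#{key}: proxy has #{proxy_host}, client.rb has #{client_host}"
  end
  findings
end

puts lint(PROXY_SETTINGS, CLIENT_RB) if __FILE__ == $PROGRAM_NAME
```

Run against the files as posted, with the key readable, the only finding is that the proxy's `:foreman_url` and client.rb's `foreman_server_options` name different hosts.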