Setting up chef client to use smart proxy of Foreman

While setting up a node to use Foreman Chef Smart Proxy to proxy the
requests to chef-server, I am facing some issues:
Here is my /etc/chef/client.rb

-----------------------------------------
require 'chef_handler_foreman'
log_level :auto
log_location STDOUT
#chef_server_url "https://chef-aws.example.com/organizations/example"
#chef_server_url "https://foreman-aws.example.com:8443/organizations/example"
chef_server_url "https://foreman-aws.example.com:8443"
node_name "vboxcentos7"
client_key "/etc/chef/client.pem"
# Using default node name (fqdn)
ssl_verify_mode :verify_none

foreman_server_options :url => 'https://foreman-aws.example.com:8443'
foreman_facts_upload true
foreman_reports_upload true
reports_log_level "notice"

foreman_facts_whitelist ['lsb','network','cpu']
---------------------------------------------------------------

The direct communication from node to chef server is working fine.

Here are the proxy variables :

----------------------------------------------------
[root@foreman-aws log]# cat /etc/foreman-proxy/settings.d/chef.yml
---
:enabled: true
:chef_authenticate_nodes: true
:chef_server_url: https://foreman-aws.example.com
# smart-proxy client node needs to have some admin right on chef-server
# in order to retrieve all nodes public keys
# e.g. 'host.example.net'
:chef_smartproxy_clientname: foreman-aws.example.com
:chef_smartproxy_privatekey: /etc/chef/client.pem
:chef_ssl_verify: true
----------------------------------------------------


Please suggest

Anyone else who has faced the same issue?

On Friday, July 29, 2016 at 4:30:19 PM UTC+5:30, Rajnesh Kumar Siwal wrote:

I don't think the Chef plugin can act as a proxy for the Chef server. I don't believe that would be possible (or very secure).

This diagram in the official manual will give you an idea: https://theforeman.org/plugins/foreman_chef/0.3/chef.svg

Foreman simply receives the results of a Chef run through the handler and verifies this information with the chef server. The communication between the chef client and server remains unchanged.

You are correct. The Foreman chef plugin originally worked as endpoint for the
client handler but it ignores authentication completely so you should always
configure it to communicate through smart proxy (with smart proxy chef plugin).

Rajnesh, what exactly does not work for you? You don't mention any error
message.



Marek
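
Added example, not part of any post in this thread and not the plugins' own code: a Ruby sketch of why the smart proxy needs the nodes' public keys when `chef_authenticate_nodes` is true. The RSA/SHA-256 signing scheme, the helper names and the in-memory key registry are assumptions made for illustration; the real handler and proxy define their own wire format.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed data: this key plays the node's /etc/chef/client.pem, and the
# hash plays the public keys the proxy would look up on the Chef server.
NODE_KEY = OpenSSL::PKey::RSA.new(2048)
PUBLIC_KEYS = { 'vboxcentos7' => NODE_KEY.public_key.to_pem }.freeze

# Node side (hypothetical helper): sign the exact bytes of the upload.
def sign_upload(body, private_key)
  Base64.strict_encode64(private_key.sign(OpenSSL::Digest.new('SHA256'), body))
end

# Proxy side (hypothetical helper): accept an upload only when the signature
# verifies against the key registered for the client name it claims.
def authentic_upload?(client_name, body, signature_b64, registry = PUBLIC_KEYS)
  pem = registry[client_name]
  return false if pem.nil? || signature_b64.nil?

  key = OpenSSL::PKey::RSA.new(pem)
  key.verify(OpenSSL::Digest.new('SHA256'), Base64.strict_decode64(signature_b64), body)
rescue ArgumentError, OpenSSL::PKey::PKeyError
  false # malformed base64 or key material is treated as a failed check
end

# Summarise the cases a proxy has to tell apart.
def demo_results
  body = JSON.generate('name' => 'vboxcentos7', 'facts' => { 'lsb::id' => 'CentOS' })
  sig = sign_upload(body, NODE_KEY)
  {
    genuine: authentic_upload?('vboxcentos7', body, sig),
    tampered_body: authentic_upload?('vboxcentos7', body.sub('CentOS', 'Other'), sig),
    unknown_client: authentic_upload?('some-other-node', body, sig),
    unsigned: authentic_upload?('vboxcentos7', body, nil)
  }
end

puts demo_results if __FILE__ == $PROGRAM_NAME
```

An endpoint that skips this check accepts facts and reports for any node name from anyone who can reach it, which is the gap the signature check closes.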

I am not able to send the facts and reports to the Foreman.
Please suggest the working configuration for chef-client. My configuration
is:

########################################
[root@vboxcentos7 ~]# cat /etc/chef/client.rb
log_level :info
log_location STDOUT
chef_server_url "https://chef-aws.example.com:443/organizations/example" # Chef Server URL
validation_client_name "example-validator"
file_backup_path "/var/lib/chef"
file_cache_path "/var/cache/chef"
pid_file "/var/run/chef/client.pid"

require 'chef_handler_foreman'
foreman_server_options :url => "https://foreman-aws.example.com:8443" #Foreman Proxy
foreman_facts_upload true
foreman_reports_upload true
############################
Part of logs of the chef-client responsible for sending the reports to
foreman :
#######################################
Running handlers:
[2016-08-05T11:19:32+00:00] INFO: Running report handlers
[2016-08-05T11:19:36+00:00] INFO: Sending attributes to foreman
- ChefHandlerForeman::ForemanFacts
Running handlers complete
[2016-08-05T11:19:39+00:00] INFO: Report handlers complete

Deprecated features used!
"method access to node attributes (node.foo.bar) is deprecated and will be removed in Chef 13, please use bracket syntax (node["foo"]["bar"]) at 3 locations:
- /var/cache/chef/cookbooks/java/attributes/default.rb:22:in `from_file'
- /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef_handler_foreman-0.1.1/lib/chef_handler_foreman/foreman_facts.rb:40:in `prepare_facts'
- /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef_handler_foreman-0.1.1/lib/chef_handler_foreman/foreman_facts.rb:41:in `prepare_facts'
Cloning resource attributes for user[activemq] from prior resource (CHEF-3694)
Previous user[activemq]: /var/cache/chef/cookbooks/activemq/recipes/user.rb:8:in `from_file'
Current user[activemq]: /var/cache/chef/cookbooks/activemq/recipes/user.rb:19:in `from_file' at 1 location:
- /var/cache/chef/cookbooks/activemq/recipes/user.rb:19:in `from_file'
Cloning resource attributes for directory[/opt] from prior resource (CHEF-3694)
Previous directory[/opt]: /var/cache/chef/cookbooks/activemq/recipes/default.rb:27:in `from_file'
Current directory[/opt]: /var/cache/chef/cookbooks/activemq/recipes/default.rb:32:in `from_file' at 1 location:
- /var/cache/chef/cookbooks/activemq/recipes/default.rb:32:in `from_file'

Chef Client finished, 3/19 resources updated in 17 seconds
[2016-08-05T11:19:39+00:00] INFO: Sending resource update report to foreman (run-id: )
[2016-08-05T11:19:41+00:00] INFO: Sending resource update report (run-id: 799ece5d-5f88-4ae4-9b92-203a06003a93)
#######################################

On Thursday, August 4, 2016 at 4:45:50 PM UTC+5:30, Marek Hulán wrote:
>
> On Wednesday 03 of August 2016 02:22:29 Abir wrote:
> > I don't think the Chef plugin can act as a proxy for the Chef server. I
> > don't believe that would be possible (or very secure).
> >
> > This diagram in the official manual will give you an
> > idea: https://theforeman.org/plugins/foreman_chef/0.3/chef.svg
> >
> > Foreman simply receives the results of a Chef run through the handler and
> > verifies this information with the chef server. The communication between
> > the chef client and server remains unchanged.
>
> You are correct. The Foreman chef plugin originally worked as endpoint for the
> client handler but it ignores authentication completely so you should always
> configure it to communicate through smart proxy (with smart proxy chef plugin).
>
> Rajnesh, what exactly does not work for you? You don't mention any error
> message.
>
> --
> Marek

Any update on this? I too am running into this with Foreman. I've got the
smart proxy configured and all the certs straightened out, but all my fact
and report uploads say sent but nothing in Foreman (almost verbatim messages
as Rajnesh).

On Friday, August 5, 2016 at 8:23:06 AM UTC-5, Rajnesh Kumar Siwal wrote:

We have found ourselves at the same place with a similar error. Was this
ever resolved? If so what was the solution?