If you’re working with infrastructure its good practice to describe it using code so that it is reproducible and consistent across servers and development environments. I’ve used Chef for quite some time and feel it is a pretty natural way to represent the source of truth for your servers, the packages installed on them, and their configuration. Chef can also be used as a provisioning tool, to bring your servers to life configured exactly to your specifications. You can use it with services like AWS or tools like Docker.
I started out using chef local mode to test my provisioning recipes, but also wanted to get things working with chef-client running as a daemon. But because of ACL’s in place when Chef is run this way, you need to grant permissions to the right groups to make sure they can do things such as create nodes.
This is hinted at with an error that looks like:
This error: Net::HTTPServerException: 403 "Forbidden"
or if you go digging with debug mode on (chef-client -l debug), you might see something analogous to this buried in a ton of output:
[2016-03-21T10:13:05-04:00] DEBUG: ---- HTTP Response Body ----
[2016-03-21T10:13:05-04:00] DEBUG: {"error":["missing update permission"]}
The default Chef ACL’s don’t allow nodes’ API clients to modify other nodes, and so we have to create a group with such permissions that your provisioning node (the one that kicks off the new instance/machine to be provisioned) can create the machines’ nodes and clients. This is similarly explained in this slightly outdated post here but unfortunately the commands aren’t quite right, so here it is using the most current version of the tooling.
Setting up Permissions
First things first install the ACL gem (assuming you’re using chef development kit)
chef gem install knife-acl
We can then create a group to give access to the permissions we need:
knife group create provisioners
Now, if you’re setting up a new node to be your provisioner, you would create the client key and node object:
knife client create -d chefconf-provisioner > ~/.chef/chefconf-provisioner.pem knife node create -d chefconf-provisioner
Or you may already have a client that you run chef-client from. Lets say that is called chefconf-provisioner as it is the client we created above, so we’ll go with that, but your client can be named anything. Note, its usually the hostname of the node you’re running from. Add your client to the group we just created like so:
knife group add client chefconf-provisioner provisioners
Chef server uses role-based access control (RBAC) to restrict access to objects—nodes, environments, roles, data bags, cookbooks, and so on. This ensures that only authorized user and/or chef-client requests to the Chef server are allowed.
In this case we need to grant read/create/update/grant/delete permissions for clients and nodes so that our provisioning node can create the new instance/machine:
for permission in read create update grant delete do knife acl add group provisioners containers clients $permission done
for permission in read create update grant delete do knife acl add group provisioners containers nodes $permission done
And now you should have the permissions to be able to provision new nodes using Chef!