chef-boneyard / knife-container

DEPRECATED: Container support for Chef's Knife Command
Apache License 2.0

Container's node_name doesn't match .node_name at docker run #43

Open metafour opened 9 years ago

metafour commented 9 years ago

I'm trying to get a basic understanding of how knife-container can help me migrate my existing infrastructure over to using containers and freely admit that I may have missed something in the documentation somewhere regarding this. I can do a knife container docker init and a knife container docker build using just my base recipe without issues as far as I can tell, but when I do a docker run on the resulting image the initial chef-client run fails due to the node not existing on the chef server. Indeed no node gets created as a result of the knife container commands, and the container ID is being used for the node_name instead of the name in the .node_name file within the node's chef directory during this chef-client run when the container is initializing.

sudo docker run -v /etc/chef:/etc/chef/secure:ro metafour/sample-app-db-master
[2014-10-08T03:45:33+00:00] INFO: Starting Supervisor...
[2014-10-08T03:45:33+00:00] INFO: Supervisor pid: 15
[2014-10-08T03:45:38+00:00] INFO: Starting chef-client run...
[2014-10-08T03:45:38+00:00] INFO: Forking chef instance to converge...
[2014-10-08T03:45:39+00:00] INFO: *** Chef 11.16.2 ***
[2014-10-08T03:45:39+00:00] INFO: Chef-client pid: 22
[2014-10-08T03:45:40+00:00] INFO: HTTP Request Returned 401 Unauthorized: error

================================================================================
Chef encountered an error attempting to load the node data for "030f65a73f43"
================================================================================

Authentication Error:
---------------------
Failed to authenticate to the chef server (http 401).

Server Response:
----------------
Failed to authenticate as '030f65a73f43'. Ensure that your node_name and client key are correct.

Relevant Config Settings:
-------------------------
chef_server_url   "https://***.***.***.net"
node_name         "030f65a73f43"
client_key        "/etc/chef/secure/client.pem"

If these settings are correct, your client_key may be invalid, or
you may have a chef user with the same client name as this node.

I'm pulling my hair out trying to figure out what is happening and would appreciate any direction you could provide to help me resolve this issue.

I'm using knife-container version 0.2.4 installed as a Ruby gem with chef-server version 11.16.2.

Thanks!

tduffield commented 9 years ago

So there are two things at play here. First is the .node_name file gets stripped out of the image when you finish your knife container docker build. This is done because otherwise each of your nodes would share the same name. If you wish to specify a node name when you run your Docker container, you can specify it by providing the CHEF_NODE_NAME environment variable.

Second, for security reasons, the validation key is stripped out of your image. This means that you either need to a) explicitly say that you want to keep the validation key in your directory or b) mount in a directory that contains your secure credentials into /etc/chef/secure. You can read more here: http://docs.getchef.com/containers.html#credential-management
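An added example of the two points in the comment above, written for this thread rather than taken from knife-container or its docs: a small POSIX shell script that assembles the docker run invocation with CHEF_NODE_NAME set and a host credential directory mounted read-only at /etc/chef/secure, and that checks the host directory before mounting it. The node name db-master and the host path /etc/chef/db-master are assumed for illustration; the image name is the one from the original report. The per-node directory layout is one way to answer the multi-container question raised later in the thread, not something knife-container prescribes.

```shell
#!/bin/sh
# Added example, not knife-container's own code.
# Starts one chef-container image with an explicit node name and a
# read-only mount of host credentials, as described in the comment above.

# Print the docker run command for one container without executing it.
#   $1 node name passed as CHEF_NODE_NAME (replaces the stripped .node_name)
#   $2 host directory holding validation.pem, mounted at /etc/chef/secure
#   $3 image to run
build_run_cmd() {
  node_name=$1
  cred_dir=$2
  image=$3
  printf 'docker run -e CHEF_NODE_NAME=%s -v %s:/etc/chef/secure:ro %s\n' \
    "$node_name" "$cred_dir" "$image"
}

# Sanity-check a host credential directory before mounting it:
# validation.pem must exist (the container uses it to register its own
# client), and it must not be world-readable, since the image deliberately
# does not ship it and a readable copy on the host would defeat that.
check_cred_dir() {
  dir=$1
  if [ ! -f "$dir/validation.pem" ]; then
    echo "check_cred_dir: no validation.pem in $dir" >&2
    return 1
  fi
  # -perm -004 is POSIX: matches when the world-read bit is set.
  if find "$dir/validation.pem" -perm -004 | grep -q .; then
    echo "check_cred_dir: $dir/validation.pem is world-readable" >&2
    return 1
  fi
  return 0
}

# Convenience wrapper: one directory per node name under a base path
# (assumed layout), so several containers on one host never share a key.
run_node() {
  node_name=$1
  base_dir=$2
  image=$3
  cred_dir="$base_dir/$node_name"
  check_cred_dir "$cred_dir" || return 1
  build_run_cmd "$node_name" "$cred_dir" "$image"
}

# Example invocation; guarded so sourcing this file runs nothing.
if [ "${1:-}" = "--demo" ]; then
  run_node db-master /etc/chef metafour/sample-app-db-master
fi
```

Prepend sudo or pipe the printed command into sh to actually start the container; the script only builds and validates it. Because the mount is read-only, whatever the container writes for its own client.pem has to land outside /etc/chef/secure, which is the point metafour raises next.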

metafour commented 9 years ago

What's the recommended workflow when working with containers and not including the credentials inside the container?

It seems like the initial container boot needs to create the client.pem file but the Credential Management section of the Chef Container docs has an example of mounting the credential directory as read-only. And if there are multiple containers running on the host should the client.pem files be explicitly renamed to match the host's name or should there be a directory for each node that contains the credentials?

Do you know if I move right to using chef-metal-docker whether it handles these issues automatically?

tduffield commented 9 years ago

The recommended workflow for you to manage Chef credentials is outlined in the document I gave you. The idea is that the volume you would mount on to the running container would create the validation.pem, allowing the container to generate its own client.pem.

chef-metal-docker does not (as of yet) integrate with chef-container. You can use chef-metal-docker to run chef-client inside of a docker container but it doesn't have any integration with chef-init.