matschaffer / knife-solo

DEPRECATED: Please consider using https://knife-zero.github.io/, ansible, or visit https://www.chef.io/ for other ideas
MIT License

Unable to accept the Chef License Acceptance #538

Open zedtux opened 5 years ago

zedtux commented 5 years ago

The issue

I'm new to knife solo and I'm trying to run the following command on a fresh Debian 9 VPS:

$ knife solo bootstrap root@<IP ADDRESS> --yes --node-name <NODE NAME>
/Users/zedtux/.rvm/gems/ruby-2.6.3/gems/chef-15.0.300/lib/chef/knife/bootstrap.rb:31: warning: already initialized constant Chef::Knife::Bootstrap::SUPPORTED_CONNECTION_PROTOCOLS
/Users/zedtux/.rvm/gems/ruby-2.6.3/gems/chef-15.0.300/lib/chef/knife/bootstrap.rb:31: warning: previous definition of SUPPORTED_CONNECTION_PROTOCOLS was here
/Users/zedtux/.rvm/gems/ruby-2.6.3/gems/chef-15.0.300/lib/chef/knife/bootstrap.rb:32: warning: already initialized constant Chef::Knife::Bootstrap::WINRM_AUTH_PROTOCOL_LIST
/Users/zedtux/.rvm/gems/ruby-2.6.3/gems/chef-15.0.300/lib/chef/knife/bootstrap.rb:32: warning: previous definition of WINRM_AUTH_PROTOCOL_LIST was here
/Users/zedtux/.rvm/gems/ruby-2.6.3/gems/chef-15.0.300/lib/chef/knife/bootstrap.rb:350: warning: already initialized constant Chef::Knife::Bootstrap::DEPRECATED_FLAGS
/Users/zedtux/.rvm/gems/ruby-2.6.3/gems/chef-15.0.300/lib/chef/knife/bootstrap.rb:350: warning: previous definition of DEPRECATED_FLAGS was here
Bootstrapping Chef...
root@XXX.XX.XXX.XX's password:
root@XXX.XX.XXX.XX's password:
--2019-05-21 06:29:35--  https://www.opscode.com/chef/install.sh
Resolving www.opscode.com (www.opscode.com)... 54.68.236.48, 34.210.222.75, 52.35.251.85
Connecting to www.opscode.com (www.opscode.com)|54.68.236.48|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23110 (23K) [application/x-sh]
Saving to: ‘install.sh’

install.sh          100%[===================>]  22.57K   138KB/s    in 0.2s

2019-05-21 06:29:36 (138 KB/s) - ‘install.sh’ saved [23110/23110]

debian 9 x86_64
Getting information for chef stable 15.0.300 for debian...
downloading https://omnitruck-direct.chef.io/stable/chef/metadata?v=15.0.300&p=debian&pv=9&m=x86_64
  to file /tmp/install.sh.11708/metadata.txt
trying wget...
sha1    572057f9eba8c84664d4d66279e581849ce42445
sha256  5178ce5e5d43ea85647754034f61747796b7cc69579e9f2027a504e646a1a459
url https://packages.chef.io/files/stable/chef/15.0.300/debian/9/chef_15.0.300-1_amd64.deb
version 15.0.300
downloaded metadata file looks valid...
downloading https://packages.chef.io/files/stable/chef/15.0.300/debian/9/chef_15.0.300-1_amd64.deb
  to file /tmp/install.sh.11708/chef_15.0.300-1_amd64.deb
trying wget...
Comparing checksum with sha256sum...
Installing chef 15.0.300
installing with dpkg...
(Reading database ... 33370 files and directories currently installed.)
Preparing to unpack .../chef_15.0.300-1_amd64.deb ...
removing /opt/chef...
Unpacking chef (15.0.300-1) over (15.0.300-1) ...
Setting up chef (15.0.300-1) ...
Thank you for installing Chef Infra Client! For help getting started visit https://learn.chef.io
Generating node config 'nodes/<NODE NAME>.json'...
Running Chef on XXX.XX.XXX.XX...
Uploading the kitchen...
root@XXX.XX.XXX.XX's password:
root@XXX.XX.XXX.XX's password:
root@XXX.XX.XXX.XX's password:
root@XXX.XX.XXX.XX's password:
root@XXX.XX.XXX.XX's password:
root@XXX.XX.XXX.XX's password:
root@XXX.XX.XXX.XX's password:
root@XXX.XX.XXX.XX's password:
root@XXX.XX.XXX.XX's password:
root@XXX.XX.XXX.XX's password:
Permission denied, please try again.
root@XXX.XX.XXX.XX's password:
Generating solo config...
root@XXX.XX.XXX.XX's password:
Running Chef: sudo chef-solo -c ~/chef-solo/solo.rb -j ~/chef-solo/dna.json -N <NODE NAME>
+---------------------------------------------+
            Chef License Acceptance

Before you can continue, 2 product licenses
must be accepted. View the license at
https://www.chef.io/end-user-license-agreement/

Licenses that need accepting:
  * Chef Infra Client
  * Chef InSpec

Do you accept the 2 product licenses (yes/no)?

> y
Prompt timed out. Use non-interactive flags or enter an answer within 60 seconds.

If you do not accept this license you will
not be able to use Chef products.

Do you accept the 2 product licenses (yes/no)?

> yes
Prompt timed out. Use non-interactive flags or enter an answer within 60 seconds.
+---------------------------------------------+
Chef Infra Client cannot execute without accepting the license
ERROR: RuntimeError: chef-solo failed. See output above.

Here I'm running the bootstrap with the --yes flag, but it didn't change anything.

The first point is that I have to enter my root password many times. The second point, and the main point of this issue, is that I can't accept the license agreement even when typing y or yes.

I'm using zsh 5.7.1 on an up-to-date macOS machine, with ssh -V outputting OpenSSH_7.9p1, LibreSSL 2.7.3.

A start of investigation

Now, connecting to the node and manually running the chef-client command prints the same thing:

root@xxxxxxxxxx:~# chef-client
[2019-05-21T06:50:12+02:00] WARN: *****************************************
[2019-05-21T06:50:12+02:00] WARN: Did not find config file: /etc/chef/client.rb. Using command line options instead.
[2019-05-21T06:50:12+02:00] WARN: *****************************************
+---------------------------------------------+
            Chef License Acceptance

Before you can continue, 2 product licenses
must be accepted. View the license at
https://www.chef.io/end-user-license-agreement/

Licenses that need accepting:
  * Chef Infra Client
  * Chef InSpec

Do you accept the 2 product licenses (yes/no)?

Looking in the Chef documentation, I found the --chef-license flag, which solves the issue:

root@xxxxxxxxxx:~# chef-client --chef-license accept
[2019-05-21T06:50:33+02:00] WARN: *****************************************
[2019-05-21T06:50:33+02:00] WARN: Did not find config file: /etc/chef/client.rb. Using command line options instead.
[2019-05-21T06:50:33+02:00] WARN: *****************************************
+---------------------------------------------+
✔ 2 product licenses accepted.
+---------------------------------------------+
Starting Chef Infra Client, version 15.0.300
Creating a new client identity for xxxxxxxxxx.domain.net using the validator key.
[2019-05-21T06:50:34+02:00] WARN: Failed to read the private key /etc/chef/validation.pem: #<Errno::ENOENT: No such file or directory @ rb_sysopen - /etc/chef/validation.pem>

================================================================================
Chef encountered an error attempting to create the client "xxxxxxxxxx.domain.net"
================================================================================

Private Key Not Found:
----------------------
Your private key could not be loaded. If the key file exists, ensure that it is
readable by chef-client.

Relevant Config Settings:
-------------------------
validation_key "/etc/chef/validation.pem"

System Info:
------------
chef_version=15.0.300
ruby=ruby 2.6.3p62 (2019-04-16 revision 67580) [x86_64-linux]
program_name=/usr/bin/chef-client
executable=/opt/chef/bin/chef-client

Running handlers:
[2019-05-21T06:50:34+02:00] ERROR: Running exception handlers
Running handlers complete
[2019-05-21T06:50:34+02:00] ERROR: Exception handlers complete
Chef Infra Client failed. 0 resources updated in 01 seconds
[2019-05-21T06:50:34+02:00] WARN: Failed to read the private key /etc/chef/client.pem: #<Errno::ENOENT: No such file or directory @ rb_sysopen - /etc/chef/client.pem>
[2019-05-21T06:50:34+02:00] FATAL: Chef::Exceptions::PrivateKeyMissing: I cannot read /etc/chef/client.pem, which you told me to use to sign requests!
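
Added example, not part of the original issue and not code from knife-solo or Chef's install.sh: the bootstrap log above shows a metadata file (sha1, sha256, url, version) followed by "Comparing checksum with sha256sum...", and this sketch shows one way to make that check strict. The function names, the whitespace-separated field layout and the host allow-list are assumptions drawn from the log lines.

```shell
#!/bin/sh
# Added example: verify a downloaded package against omnitruck-style metadata.
# Field layout (key, whitespace, value) is taken from the log above;
# function names and the allowed host are assumptions for this sketch.

ALLOWED_HOST="packages.chef.io"   # host seen in the log's url line

# Print the value of one metadata field (first match only).
meta_field() {   # $1 = metadata file, $2 = key
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Hash a file with whichever SHA-256 tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Return 0 only if the metadata is well-formed and the package matches it.
verify_package() {   # $1 = metadata file, $2 = package file
    want=$(meta_field "$1" sha256)
    url=$(meta_field "$1" url)

    # A SHA-256 digest is exactly 64 lowercase hex characters.
    case "$want" in
        *[!0-9a-f]*|"") echo "bad sha256 field" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "bad sha256 length" >&2; return 2; }

    # Refuse plain HTTP and unexpected hosts before trusting the digest.
    case "$url" in
        "https://$ALLOWED_HOST/"*) ;;
        *) echo "unexpected url: $url" >&2; return 3 ;;
    esac

    got=$(sha256_of "$2") || return 4
    [ "$got" = "$want" ] || { echo "checksum mismatch" >&2; return 1; }
}
```

A matching digest only shows that the file is the one the metadata describes; both arrive over the same HTTPS channel, so the check detects corruption or a swapped file, not a compromised publisher.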

matschaffer commented 5 years ago

The intent on passwords is for people to configure key-based authentication (https://www.ssh.com/ssh/key/).

The code mostly tries to keep ssh sessions to a minimum but doesn't get too crazy.

As for the license, I really can't tell you much. I haven't used chef in nearly 10 years at this point. Probably time to deprecate the gem entirely.

matschaffer commented 5 years ago

Gonna call this the last straw

I've updated the readme to indicate the deprecation. knife-zero looks somewhat more maintained so might hold an answer for you regarding the licensing.

If not, hopefully someone from Chef proper can point you in the right direction.

zedtux commented 5 years ago

> Probably time to deprecate the gem entirely.

😨

What are you using instead, and why aren't you using Chef/Knife solo anymore?

matschaffer commented 5 years ago

At my day job I mostly use ansible.

For personal stuff I tend toward https://aws.amazon.com/elasticbeanstalk/ or if I need to run outside AWS I'd probably be looking at a hosted kubernetes option, or ansible for raw hosts.

matschaffer commented 5 years ago

Also hope you don't take my response as critical here.

Please know I appreciate the GitHub issue report. But you've brought my attention to this new licensing flow in chef.

This has made it quite clear knife-solo has drifted too far away from current chef workflows over the last decade since I've stopped actively using it. Gotta know when to fold 'em.

zedtux commented 5 years ago

Well I'm using Chef to provision the nodes with Kubernetes actually.

So I guess you're using Ansible to provision k8s?

We chose Chef because of its flexibility thanks to the Ruby code and for all the available cookbooks. Ansible looks great, but it seemed like the YAML format was limiting the flexibility. Does it?

matschaffer commented 5 years ago

Not k8s, but our internal scheduler. Probably k8s soon ;)

I wouldn't say the YAML's particularly limiting and I find I often just drop to bash+cli tooling anyway (both today in ansible and when I was doing chef).

My only real complaints with ansible have been: