Reset Pivotal User in CHEF

These are low-level commands in Chef; please back up and make sure you can restore before running them.

If you see the following error message in Chef, as I did:

chef-server-ctl user-list
 ERROR: Failed to authenticate to http://127.0.0.1:80 as pivotal with key /tmp/latovip20191029-14643-1na6z6n
 Response:  Invalid signature for user or client 'pivotal'

These commands may help you solve the problem:

  • Create the public key for the pivotal user
openssl rsa -in /etc/opscode/pivotal.pem -pubout > /var/opt/opscode/postgresql/9.2/data/pivotal.pub
  • Get the pivotal authz_id from the bifrost database
echo "SELECT authz_id FROM auth_actor WHERE id = 1" | su -l opscode-pgsql -c 'psql bifrost -tA' | tr -d '\n' > /var/opt/opscode/postgresql/9.2/data/pivotal.authz_id
  • Delete the pivotal user from the Postgres database
echo "DELETE FROM users WHERE authz_id = pg_read_file('pivotal.authz_id');" | su -l opscode-pgsql -c 'psql opscode_chef'
  • Insert a new pivotal user into the Postgres database
echo "INSERT INTO users (id, authz_id, username, email, pubkey_version, public_key, serialized_object, last_updated_by, created_at, updated_at) VALUES (md5(random()::text), pg_read_file('pivotal.authz_id'), 'pivotal', '[email protected]', 0, pg_read_file('pivotal.pub'), '{\"first_name\":\"Clark\",\"last_name\":\"Kent\",\"display_name\":\"Clark Kent\"}', pg_read_file('pivotal.authz_id'), LOCALTIMESTAMP, LOCALTIMESTAMP);" | su -l opscode-pgsql -c 'psql opscode_chef'

I took the commands from the following issue: https://github.com/chef/chef-server/issues/544
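Before running the destructive DELETE/INSERT above it is worth confirming that the key in /etc/opscode/pivotal.pem really does disagree with the public key the server has on record. The helper below is an added example, not from the original post or the linked issue; it assumes the same /etc/opscode/pivotal.pem path and the users.public_key column that the INSERT above writes to, and the names check_pivotal_key, keys_match and friends are mine.

```shell
#!/bin/bash
# Added example: confirm that the pivotal key on disk and the public key stored in
# opscode_chef actually differ before resetting the pivotal user.
# Assumes /etc/opscode/pivotal.pem and the users.public_key column used above.
set -eu

PIVOTAL_PEM="${PIVOTAL_PEM:-/etc/opscode/pivotal.pem}"

# Strip PEM armour and whitespace so two copies of a key compare byte for byte
normalize_pubkey() {
  grep -v -- '-----' | tr -d '[:space:]'
}

# Public key derived from the private key on disk
pubkey_from_pem() {
  openssl rsa -in "$1" -pubout 2>/dev/null | normalize_pubkey
}

# Public key the server currently has on record for pivotal (uses the embedded psql)
pubkey_from_db() {
  echo "SELECT public_key FROM users WHERE username = 'pivotal';" \
    | su -l opscode-pgsql -c 'psql opscode_chef -tA' | normalize_pubkey
}

# Exit status 0 only when the key file $1 matches the already normalised public key $2;
# an empty value on either side (unreadable key, failed query) never counts as a match
keys_match() {
  local disk
  disk="$(pubkey_from_pem "$1")"
  [ -n "$disk" ] && [ -n "$2" ] && [ "$disk" = "$2" ]
}

# Report whether a reset is justified; run on the Chef server as root
check_pivotal_key() {
  if keys_match "$PIVOTAL_PEM" "$(pubkey_from_db)"; then
    echo "pivotal key on disk matches the database; the signature error lies elsewhere"
  else
    echo "public key in opscode_chef differs from $PIVOTAL_PEM; reset is justified"
    return 1
  fi
}
```

Source the file and call check_pivotal_key; a non-zero exit means the stored key and the file disagree.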

Run Chef Server Behind Nginx

  • vi /etc/opscode/chef-server.rb
server_name = "chef.example.com"
api_fqdn server_name
bookshelf['vip'] = server_name
nginx['url'] = "https://#{server_name}"
nginx['server_name'] = server_name
nginx['client_max_body_size'] = "1000m"
nginx['enable_non_ssl'] = true
  • Reconfigure the Chef server
chef-server-ctl reconfigure
  • Configure nginx as you would for any virtual server that receives regular HTTP traffic
  • Done
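As an added example (not from the original post), this is the kind of front-end virtual server the last step refers to: it terminates TLS for chef.example.com and forwards plain HTTP to the Chef host, which the config above exposes on port 80 through nginx['enable_non_ssl'] = true. The internal address 10.0.0.10 and the certificate paths are assumptions; because that port now accepts unencrypted API traffic, restrict it so only the proxy can reach it.

```nginx
# Added example: public-facing nginx in front of a Chef server with enable_non_ssl
server {
    listen 443 ssl;
    server_name chef.example.com;

    ssl_certificate     /etc/nginx/certs/chef.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/chef.example.com.key;

    # Must be at least as large as nginx['client_max_body_size'] on the Chef server,
    # otherwise large cookbook uploads are rejected by the proxy with 413
    client_max_body_size 1000m;

    location / {
        proxy_pass http://10.0.0.10:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Redirect plain HTTP to HTTPS so signed API requests are never sent in clear on the public side
server {
    listen 80;
    server_name chef.example.com;
    return 301 https://$host$request_uri;
}
```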

How to install chef-server inside docker container

  • Create volumes for chef logs and data
docker volume create chef-log
docker volume create chef-data
  • Run the centos/systemd container with privileged permissions and IPv6 disabled
docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --privileged --name chef-server-core -d -v chef-data:/var/opt/opscode -v chef-log:/var/log/opscode -p 80:80 -p 443:443 centos/systemd
  • Connect to your new container
docker exec -it chef-server-core bash
  • Download and install chef-server-core
curl https://packages.chef.io/files/stable/chef-server/13.0.17/el/7/chef-server-core-13.0.17-1.el7.x86_64.rpm -o chef-server-core.rpm
rpm -Uvh chef-server-core.rpm
yum install rsync crontabs which net-tools less -y
systemctl enable crond
systemctl start crond
chef-server-ctl reconfigure
  • Note: if you want to restore from a backup, run the following command:
chef-server-ctl restore -t 60000 /tmp/chef-backup-date.tgz
  • Note: when I installed it I got the following error after running chef-server-ctl reconfigure:
================================================================================
Recipe Compile Error in /var/opt/opscode/local-mode-cache/cookbooks/private-chef/attributes/default.rb
================================================================================

NoMethodError
-------------
undefined method `[]' for nil:NilClass

Cookbook Trace:
---------------
  /var/opt/opscode/local-mode-cache/cookbooks/private-chef/attributes/default.rb:616:in `from_file'

Relevant File Content:
----------------------
/var/opt/opscode/local-mode-cache/cookbooks/private-chef/attributes/default.rb:

609:  default['private_chef']['postgresql']['db_superuser'] = 'opscode-pgsql'
610:  default['private_chef']['postgresql']['shell'] = "/bin/sh"
611:  default['private_chef']['postgresql']['home'] = "/var/opt/opscode/postgresql"
612:  default['private_chef']['postgresql']['user_path'] = "/opt/opscode/embedded/bin:/opt/opscode/bin:$PATH"
613:  default['private_chef']['postgresql']['vip'] = "127.0.0.1"
614:  default['private_chef']['postgresql']['port'] = 5432
615:  # We want to listen on all the loopback addresses, because we can't control which one localhost resolves to.
616>> default['private_chef']['postgresql']['listen_address'] = node['network']['interfaces']['lo']['addresses'].keys.join(',')
617:  default['private_chef']['postgresql']['max_connections'] = 350
618:  default['private_chef']['postgresql']['keepalives_idle'] = 60
619:  default['private_chef']['postgresql']['keepalives_interval'] = 15
620:  default['private_chef']['postgresql']['keepalives_count'] = 2
621:  default['private_chef']['postgresql']['md5_auth_cidr_addresses'] = [ '127.0.0.1/32', '::1/128' ]
622:  default['private_chef']['postgresql']['wal_level'] = "minimal"
623:  default['private_chef']['postgresql']['archive_mode'] = "off" # "cannot be enabled when wal_level is set to minimal"
624:  default['private_chef']['postgresql']['archive_command'] = ""
625:  default['private_chef']['postgresql']['archive_timeout'] = 0 # 0 is disabled.

System Info:
------------
chef_version=15.0.300
platform=centos
platform_version=7.6.1810
ruby=ruby 2.5.5p157 (2019-03-15 revision 67260) [x86_64-linux]
program_name=/opt/opscode/embedded/bin/chef-client
executable=/opt/opscode/embedded/bin/chef-client


Running handlers:
Running handlers complete
Chef Infra Client failed. 0 resources updated in 03 seconds
[2019-08-08T05:39:53+00:00] FATAL: Stacktrace dumped to /var/opt/opscode/local-mode-cache/chef-stacktrace.out
[2019-08-08T05:39:53+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2019-08-08T05:39:53+00:00] FATAL: NoMethodError: undefined method `[]' for nil:NilClass
  • If you get the same error you need to configure default['private_chef']['postgresql']['listen_address']:
vi /opt/opscode/embedded/cookbooks/private-chef/attributes/default.rb
...
default['private_chef']['postgresql']['listen_address'] = "localhost"
...

chef-server-ctl reconfigure
  • Note: In chef-server-core 12.15.7 I got the following error:
-----------------------------------------------------------------------
Your system has IPv6 enabled but its loopback interface has no IPv6
address.

You must either pass `ipv6.disable=1` to your kernel command line,
to completely disable IPv6, or ensure the loopback interface has an
`::1` address by running

    sysctl net.ipv6.conf.lo.disable_ipv6=0
-----------------------------------------------------------------------
  • To fix this you need to run the following:
echo 0 > /proc/sys/net/ipv6/conf/all/disable_ipv6
chef-server-ctl reconfigure
  • Install chef-manage
chef-server-ctl install chef-manage
chef-server-ctl reconfigure
chef-manage-ctl reconfigure --accept-license
  • Create a Chef admin user
chef-server-ctl user-create USER_NAME FIRST_NAME LAST_NAME EMAIL 'PASSWORD' --filename FILE_NAME
  • Create organization
chef-server-ctl org-create short_name 'full_organization_name' --association_user user_name --filename ORGANIZATION-validator.pem
  • You can browse to your server's IP address to see chef-manage: https://server_ip

Create data bag for certificate

This is not secure and you should use something like Vault, but if you still want to move a certificate file into a data bag you can use the following:

  1. Replace newlines with a literal \n
    cat fullchain.pem | tr '\n' '#' | sed 's/#/\\n/g'
  2. Do the same for your key file
    cat key.pem | tr '\n' '#' | sed 's/#/\\n/g'
  3. Insert the data into the data bag
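The tr/sed trick in steps 1 and 2 produces the escaped value by hand but does not escape quotes or backslashes and gives you nothing to feed to knife. As an added example (not from the original post), the script below builds the whole data bag item as JSON, rejecting inputs that are not PEM; the item id, the field names fullchain and key, and the bag name certs are my assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: build a data bag item JSON file from
# fullchain.pem and key.pem with proper JSON escaping, for use with
# `knife data bag from file certs ITEM.json`. Item id and field names are assumed.
set -eu

# Encode a text file as a JSON string body: escape backslash and double quote,
# then join the lines with a literal \n (two characters), keeping the trailing newline
pem_to_json_string() {
  sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' "$1" \
    | awk 'NR > 1 { printf "%s", "\\n" } { printf "%s", $0 } END { printf "%s", "\\n" }'
}

# Refuse files that do not look like PEM, which catches passing a DER or binary file
is_pem() {
  grep -q -- '-----BEGIN ' "$1" && grep -q -- '-----END ' "$1"
}

# Print the data bag item: $1 item id, $2 certificate chain file, $3 private key file
make_cert_item() {
  is_pem "$2" || { echo "not a PEM file: $2" >&2; return 1; }
  is_pem "$3" || { echo "not a PEM file: $3" >&2; return 1; }
  printf '{"id":"%s","fullchain":"%s","key":"%s"}\n' \
    "$1" "$(pem_to_json_string "$2")" "$(pem_to_json_string "$3")"
}
```

Typical use: make_cert_item chef_example_com fullchain.pem key.pem > chef_example_com.json, then knife data bag from file certs chef_example_com.json.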