chef-solo stop asking server password multiple times - macos

when I run bootstrap command, it asks for password many times
Running Chef on 123.123.123.123...
Installing Librarian cookbooks...
Uploading the kitchen...
Enter the password for root#123.123.123.123:
root#123.123.123.123's password:
root#123.123.123.123's password:
root#123.123.123.123's password:
root#123.123.123.123's password:
root#123.123.123.123's password:
root#123.123.123.123's password:
root#123.123.123.123's password:
root#123.123.123.123's password:
Generating solo config...
root#123.123.123.123's password:
Running Chef...
Starting Chef Client, version 11.10.4
Is there some way to stop this and use password one single time?

Looking at the knife bootstrap -h documentation:
knife bootstrap FQDN (options)
--bootstrap-no-proxy [NO_PROXY_URL|NO_PROXY_IP]
Do not proxy locations for the node being bootstrapped; this option is used internally by Opscode
--bootstrap-proxy PROXY_URL The proxy server for the node being bootstrapped
--bootstrap-version VERSION The version of Chef to install
-N, --node-name NAME The Chef node name for your new node
--server-url URL Chef Server URL
--chef-zero-port PORT Port to start chef-zero on
-k, --key KEY API Client Key
--[no-]color Use colored output, defaults to false on Windows, true otherwise
-c, --config CONFIG The configuration file to use
--defaults Accept default values for all questions
--disable-editing Do not open EDITOR, just accept the data as is
-d, --distro DISTRO Bootstrap a distro using a template
-e, --editor EDITOR Set the editor to use for interactive commands
-E, --environment ENVIRONMENT Set the Chef environment
-j JSON_ATTRIBS, A JSON string to be added to the first run of chef-client
--json-attributes
-F, --format FORMAT Which format to use for output
-A, --forward-agent Enable SSH agent forwarding
--hint HINT_NAME[=HINT_FILE] Specify Ohai Hint to be set on the bootstrap target. Use multiple --hint options to specify multiple hints.
--[no-]host-key-verify Verify host key, enabled by default.
-i IDENTITY_FILE, The SSH identity file used for authentication
--identity-file
-z, --local-mode Point knife commands at local repository instead of server
-u, --user USER API Client Username
--prerelease Install the pre-release chef gems
--print-after Show the data after a destructive operation
-r, --run-list RUN_LIST Comma separated list of roles/recipes to apply
-s, --secret The secret key to use to encrypt data bag item values
--secret-file SECRET_FILE A file containing the secret key to use to encrypt data bag item values
-G, --ssh-gateway GATEWAY The ssh gateway
-P, --ssh-password PASSWORD The ssh password
-p, --ssh-port PORT The ssh port
-x, --ssh-user USERNAME The ssh username
--template-file TEMPLATE Full path to location of template to use
--sudo Execute the bootstrap via sudo
--use-sudo-password Execute the bootstrap via sudo with password
-V, --verbose More verbose output. Use twice for max verbosity
-v, --version Show chef version
-y, --yes Say yes to all prompts for confirmation
-h, --help Show this message
You can see there's the option to pass the --sudo, --use-sudo-password, and --ssh-password options. Without more information, I can't tell you which one to use, but one of those will let you specify the password during bootstrap.

Related

Can Cloudinit be used to automate complex configuration such as UFW and Apache

Cloudinit can handle basic configuration like creating users and groups, installing packages, mount storage points, and more (see Cloud Config Examples). But can it handle more complex tasks like the below, and if so, how? A minimal working example would be appreciated.
# KNOWN: Replicating the below user creation with sudo privelges and a home
# directory is possible through cloudinit
sudo adduser johnny
sudo usermod -aG sudo johnny
# KNOWN: Replicating the below public/private key creation is possible through
# cloudinit
ssh johny#10.0.0.1 "ssh-keygen -t rsa"
# UNKNOWN: Is it possible to update the firewall rules in cloudinit or should
# one simply SSH in afterwards like so
ssh johnny#10.0.0.1 "
sudo ufw enable
sudo ufw allow http
sudo ufw allow https"
# UNKNOWN: Is it possible to deploy LetsEncrypt cetrificates or should one
# simply SSH in afterwrds like so
ssh johnny#10.0.0.1 "
sudo service apache2 restart
sudo certbot --apache"
# UNKNOWN: Is it possible to clone and install git repositories or should one
# simply SSH in afterwards like so
ssh johnny#10.0.0.1 "
GIT_NAME=johnny
GIT_EMAIL=johnny.rico#citizen.federation
git confing --global user.name $GIT_NAME
git confing --global user.email $GIT_EMAIL
git clone git#github.com:Federation:clandathu.git
cd clandathu/install
make --kill-em-all
sudo make install"
If you're referring specifically to the cloud-config, then all of the unknowns that you have listed don't have specific modules for them. However, you can also run arbitrary shell scripts via the runcmd module, or by specifying a script as your user data instead of a cloud config. It just has to start with #! rather than #cloud-config. If you want both a cloud config and a custom shell script, you can build a mime multi part archive with a cloud-init helper command.

How to build Ansible Playbook without username/password

I am new to Ansible and started learning and working on Ansible Playboks especially on network automation. Part of our hosting infra, inorder to login to any device we have default script runs to ssh into the device, something like goto . Hence no need to give any username and password, it directly logs into the device.
How we can include this customization in Ansible playbook without using any username or password.
Ansible supports using ssh keys.
Confirm that you can connect using SSH to all the nodes in your inventory using the same username. If necessary, add your public SSH key to the authorized_keys file on those systems.
Refer to documentation here
Also, it is a good idea to read the 'getting started' page
You will still need to supply a Username, that the SSH Key belongs to:
Guide on Setting up an SSH key for a Linux User: Here
Once SSH Key is configured and Copied over to your Ansible Server:
Edit the Sudoers File on the Slave Node and set NOPASSWD for the user, that way your user won't be prompted for a password when you are duing Sudo Commands: Reference Here

Setting up Hadoop on a RHEL machine with a security policy

I have been playing around with a Hadoop installation on CentOS for a while but today when I shifted to RHEL I got pesky password prompts when trying to start the pseudo-distributed cluster. After hours of poking around I finally managed to get rid of them by removing the security policy I had selected during installation of RHEL.
Looks like some aspect of the security policy was not letting me set up password less SSH to allow the different servers to communicate.
Going forward I would like to be able to run a cluster on machines with security policy enabled. What are the changes that I need to make, or where should I start looking into, to get the right set of network configurations?
I got pesky password prompts when trying to start the pseudo-distributed cluster
That's a sign you did not correctly establish a passwordless SSH keypair. Perhaps you did type a password when you generated the key? Or you didn't add it correctly into the authorized keys file for an SSH session.
This should not prompt for a password
$ ssh localhost
And if it does, generate keys again without a password
$ ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
$ chmod 0600 ~/.ssh/authorized_keys
Also, RHEL systems need SELinux disabled. I believe Cloudera and Hortonworks install guides also have you turning the firewall off
If you want a secure cluster, you would install and configure MIT Kerberos or Active Directory

chef bootstraping clinet installing on plain AWS EC2 instances

I am trying to learn Chef and started installing its components. I have three micro EC2 RHEL7.X instances running on AWS. In those, one EC2 configured as chef-server, second Ec2 as workstation perfectly. But, when i try to bootstrap third EC2 from work station, i always get the following ERROR.
I used the bellow commands to install the client from workstation.
knife bootstrap -.-.-.- -x root -P password --node-name client ==> i do not have any password set for the client EC2 instance
Also tried
knife bootstrap -.-.-.- --ssh-user ec2-user --sudo -i ./some.pem --run-list webserver
knife bootstrap -.-.-.- --ssh-user ec2-user --sudo --identity-file ./some.pem --run-list webserver
Got Error
ERROR: Net::SSH::AuthenticationFailed: Authentication failed for user ec2-user#-.-.-.-#-.-.-.-
But never get this working. I know there are some AWS existing utilities around Chef but i want to use only with normal EC2 instances.
Any help on how can i do this in this scenario.
I created the SSL key for workstation and then added that key in client's “/home/ec2-user/.ssh/authorized_keys" and then ran the below command from workstation which got worked
knife bootstrap -.-.-.- --ssh-user ec2-user --sudo --identity-file /home/ec2-user/keyworkstation --node-name client

Getting some sort of authentication issue when deploying EC2 instances with Knife

I'm having some kind of authentication issue when trying to launch server instances in EC2 with the knife command.
I'm using a command like:
knife ec2 server create --availability-zone us-east-1d --node-name ES-test --flavor t1.micro --image ami-fd20ad94 --identity-file something-dev.pem --ssh-user ubuntu -r 'recipe[something-elasticsearch::default]'
And there are 2 points of failure. The first comes relatively early on.
Waiting for instance...........................
Subnet ID: subnet-61dfa849
Private IP Address: 10.0.0.43
done
Bootstrapping Chef on 10.0.0.43
Failed to authenticate ubuntu - trying password auth
Enter your password:
I should be able to authenticate as Ubuntu with no password here. In fact, if I allow the provisioning to continue and try to ssh to the generated instance with something like:
ssh -i something-dev.pem ubuntu#10.0.0.43
...it will work. So why is the knife command itself failing to authenticate?
I had the same problem as above and tried the ssh-add as suggested by Rico above. Although I still got the prompt for a password, hitting enter on a blank password then allowed the process to continue.
Failing that, the -V verbose output option may give you more insight.
I found this to work well for me.
bundle exec knife ec2 server create -r "role[websphere]" -I ami-cb94868e --flavor m1.small -G default --ssh-user ubuntu -N server01 -S whatever --identity-file .chef/whatever.pem
Also consider that when you download the .pem from AWS, you need to chmod 400 whatever.pem

Resources