Upgrading to Chef 12

I recently decided to upgrade my open source chef-server from 11.x to 12.x… Here’s what happened.

The Painful Journey #

So, behind the scenes, running chef-server-ctl upgrade essentially does a knife backup from your old server and then runs knife restore into your new server. That transfers all your nodes, clients, environments, users, etc. over to the new DB. I personally experienced a few problems with this: the first time, it transferred over all the objects but left them empty. My attributes, run_lists, etc. were all empty, so that wasn't very useful. Looking back over the output of the upgrade, there had been a bunch of errors during the migration.

It turns out there is some additional information beyond what is on the upgrade page.

Instead of dealing with that, I decided to do a backup and restore it to the new Chef server myself. I used knife cleanup to remove all my old cookbook versions that were not being used, so that things would go faster, and then I ran knife backup export. When that completed, I switched back over to Chef Server 12 and ran knife backup restore. That got me where I wanted: I now had all my objects, with all of their associated information, in my new server instance…

Permissions. #

I didn’t have a user, just a client. Chef 12 wanted me to have a user, so I needed to make one. For that, I needed chef-server-ctl. chef-server-ctl user-create USER_NAME FIRST_NAME [MIDDLE_NAME] LAST_NAME EMAIL PASSWORD (options) gave me my user, and chef-server-ctl org-user-add ORG_NAME USER_NAME (options) added me to the right organization.

But now I had a different key than my client, and that gave me problems with chef-vault. So, I used the key-rotation commands to remove my user key and replace it with the same key my client uses.

From there I thought I was good to go. I could query the server with knife from my local workstation! It wasn’t until a little bit later that I noticed I couldn’t upload cookbooks or save changes to objects. The Chef documentation does mention the concept of permissions, but it doesn’t talk about how to manage them without the premium management web UI. After a bit of research I saw that I could use the knife-acl plugin to edit permissions. chef-server-ctl had already put me in the admin group, but for some reason I didn’t have any of the permissions the admin group was entitled to. So, I used knife-acl to re-grant all permissions to the admin group.
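The steps above (export from the old server, restore into the new one, create a user, add it to the org, swap the user key for the existing client key, and re-grant the admin group's container permissions with knife-acl) are collected below into one runbook script. This is an added example written for this page, not the author's own script or anything shipped with Chef, knife-backup, knife-cleanup or knife-acl. The org name, user name, e-mail, key paths and the list of containers are placeholder assumptions and must be adjusted; CHEF_DRY_RUN=1 prints each command instead of running it so the sequence can be reviewed first.

```shell
#!/bin/sh
# Added example for the Chef 11 -> 12 migration described on this page.
# Not the original post's code. ORG, USER_NAME, EMAIL, key paths and the
# container list are assumptions; set them via the environment.
# CHEF_DRY_RUN=1 echoes every command instead of executing it
# (note: in dry-run the generated user-create line includes PASSWORD).
set -u

ORG="${ORG:-myorg}"                               # assumed org short name
USER_NAME="${USER_NAME:-deploy}"                  # assumed user to create
FIRST="${FIRST_NAME:-Deploy}"                     # assumed
LAST="${LAST_NAME:-User}"                         # assumed
EMAIL="${EMAIL:-deploy@example.com}"              # assumed
BACKUP_DIR="${BACKUP_DIR:-/tmp/chef11-backup}"    # where knife backup writes
CLIENT_KEY="${CLIENT_KEY:-$HOME/.chef/deploy.pem}"          # existing client's private key
USER_KEY_OUT="${USER_KEY_OUT:-$HOME/.chef/${USER_NAME}-user.pem}"  # key user-create writes
# Extra knife options, e.g. "-u pivotal -k /etc/opscode/pivotal.pem" when the
# new user has no 'grant' permission yet and cannot edit ACLs itself.
KNIFE_OPTS="${KNIFE_OPTS:-}"

run() {
  if [ -n "${CHEF_DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: on a workstation pointed at the Chef 11 server.
export_from_old_server() {
  # knife-cleanup: remove cookbook versions no environment pins
  # (-D performs the deletion; without it the plugin only reports).
  run knife $KNIFE_OPTS cleanup versions -D
  run knife $KNIFE_OPTS backup export -D "$BACKUP_DIR"
}

# Step 2: with knife.rb switched to the Chef 12 server.
restore_into_new_server() {
  run knife $KNIFE_OPTS backup restore -D "$BACKUP_DIR"
}

# Step 3: create a real user and add it to the org (run on the Chef 12 host).
create_user() {
  : "${PASSWORD:?export PASSWORD before running create_user}"
  run chef-server-ctl user-create "$USER_NAME" "$FIRST" "$LAST" "$EMAIL" "$PASSWORD" \
    --filename "$USER_KEY_OUT"
  run chef-server-ctl org-user-add "$ORG" "$USER_NAME" --admin
}

# Step 4: make the user authenticate with the same key pair the old client
# used, so chef-vault items encrypted to that client still open. Add the
# new key first, then drop the one user-create generated.
replace_user_key_with_client_key() {
  pub="${TMPDIR:-/tmp}/${USER_NAME}.pub"
  run openssl rsa -in "$CLIENT_KEY" -pubout -out "$pub"
  run chef-server-ctl add-user-key "$USER_NAME" --public-key-path "$pub" --key-name workstation
  run chef-server-ctl delete-user-key "$USER_NAME" default
  run chef-server-ctl list-user-keys "$USER_NAME"
}

# Step 5: give the admins group full rights on every object container again.
# Container names are an assumption for a Chef Server 12.0 org; confirm with
# 'knife acl show containers <name>' before and after.
CONTAINERS="clients containers cookbooks data environments groups nodes roles sandboxes"
regrant_admins() {
  for c in $CONTAINERS; do
    run knife $KNIFE_OPTS acl add group admins containers "$c" create,read,update,delete,grant
  done
  run knife $KNIFE_OPTS acl show containers cookbooks
}

migrate_all() {
  export_from_old_server
  restore_into_new_server
  create_user
  replace_user_key_with_client_key
  regrant_admins
}

# Usage: CHEF_DRY_RUN=1 PASSWORD=... sh migrate_chef12.sh --run   (review first)
if [ "${1:-}" = "--run" ]; then
  migrate_all
fi
```

Steps 1 and 2 run from a workstation whose knife.rb points at the respective server; steps 3 and 4 run on the Chef 12 host because chef-server-ctl acts as the pivotal superuser. For step 5, if the freshly created user cannot modify ACLs (it needs grant on the container), point KNIFE_OPTS at the pivotal key once, then go back to the normal user.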

And then all was good with the world. Except that I needed to fix SSL errors with all my clients… but that’s my fault for not using proper SSL.
