What is a Chef Workstation?

If you are using Chef to manage virtual machines (or physical servers), you will need an area on some other machine (e.g. a desktop or laptop) where you can create and modify the configurations.  The conventional terminology for this is a "Chef Workstation".  A Chef Workstation typically has the following:

  • a checkout of the "chef-repo" with a working copy of the configurations,
  • an installation of the relevant Chef tools; e.g. "knife", relevant "knife" plugins, and other more advanced tools to support your dev / test workflows, and
  • credentials that allow you to push changes to your "chef-repo" master, and your Chef Server infrastructure.

It is not mandatory to set up a Chef Workstation, but there are some definite advantages.  By doing your Chef work on a separate machine, you:

  • reduce the risk / worry that your experiments will damage the "real" system / systems you are managing,
  • reduce the risk that you will lose your "master" copy of the configurations by accidentally wiping or "bricking" a system, and
  • reduce the risk that your work and someone else's might interfere.

(It is advisable to put the master "chef-repo" repository somewhere else; i.e. on a separate machine or service that is properly backed up.  A public or private Git repository on a reputable external Git hosting service is a simple option ... modulo the potential security issues of storing "secrets" on 3rd-party providers.)

Configuring a Chef Workstation for Chef Solo

The steps for configuring a Chef Workstation for Chef Solo workflows are described here (Berkshelf) or here (vanilla Chef).

If you are building the Chef Workstation for individual use, then I recommend that you put the workstation directory in your home directory rather than "/var/chef-solo".  You could also modify the "berks install" step to leave out the "--path" option.  This will result in the external cookbooks being written to "~/.berkshelf".

Configuring a Chef Workstation for Chef Server

To configure a Chef Workstation for Chef Server workflows, start with a Chef Solo Workstation as described above.  Then do the following:

  1. Create a ".chef" directory in the root directory of your "chef-repo" tree.  This should be added to ".gitignore" to prevent it being checked in!
  2. Log in to the machine on which your Chef Server runs (for example "vm-xx-xx-xx-xx.qld.rc.nectar.org.au") and locate the "/etc/chef-server" directory.
  3. Copy the "chef-validator.pem" and "admin.pem" files from that directory to the ".chef" directory you created in your "chef-repo".  (Use scp or equivalent, or carefully cut-and-paste the respective file contents.)
  4. Change directory to your "chef-repo", and "configure" Chef Server access by running:

    knife configure --initial

    and answering the questions; for example:

    WARNING: No knife configuration file found
    Where should I put the config file? [/Users/kilroy/.chef/knife.rb] 
      .chef/knife.rb
    Please enter the chef server URL: [https://your.workstation:443] 
      https://vm-xx-xx-xx-xx.qld.rc.nectar.org.au
    Please enter a name for the new user: [kilroy] 
      kilroy-at-work
    Please enter the existing admin name: [admin] 
      <accept the default>
    Please enter the location of the existing admin's private key: [/etc/chef-server/admin.pem] 
      .chef/admin.pem
    Please enter the validation clientname: [chef-validator]
      <accept the default>
    Please enter the location of the validation key: [/etc/chef-server/chef-validator.pem] 
      .chef/chef-validator.pem
    Please enter the path to a chef repository (or leave blank): 
      /Users/kilroy/Projects/Ocean/chef-repo
    Creating initial API user...
    Please enter a password for the new user: 
      <enter your desired password here>
    Created user[kilroy-at-work]
    Configuration file written to /Users/kilroy/Projects/Ocean/chef-repo/.chef/knife.rb
  5. Check that your client is working by running:

    knife node list
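
Steps 1 to 3 leave two private keys ("admin.pem" and "chef-validator.pem") inside the "chef-repo" working copy. The script below is an added example, not part of the original instructions or of the Chef tooling: it audits that ".chef" is listed in ".gitignore" and that no key file is accessible to group or other, and can apply the fixes. The function names, the owner-only modes (700 for the directory, 600 for the keys) and the plain-text ".gitignore" match are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit and tighten the ".chef"
# directory created in steps 1-3. File names are the ones used on this page;
# function names and the 700/600 modes are choices made for this example.

# Succeeds if .gitignore has an entry for .chef. This is a simple text match;
# "git check-ignore -q .chef" is the authoritative test inside a Git checkout.
chef_dir_ignored() {
    [ -f "$1/.gitignore" ] &&
        grep -Eq '^/?\.chef/?[[:space:]]*$' "$1/.gitignore"
}

# Prints every key file in .chef that group or other can read, write or execute.
loose_keys() {
    find "$1/.chef" -type f -name '*.pem' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Returns 0 only when .chef exists, is ignored, and holds no loosely
# permissioned keys; otherwise prints one line per finding and returns 1.
audit_chef_dir() {
    repo=$1
    rc=0
    if [ ! -d "$repo/.chef" ]; then
        echo "missing: $repo/.chef"; return 1
    fi
    chef_dir_ignored "$repo" || { echo "not ignored: .chef"; rc=1; }
    bad=$(loose_keys "$repo")
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/^/too permissive: /'; rc=1
    fi
    return "$rc"
}

# Applies the fixes: ignore .chef, owner-only directory, owner-only keys.
harden_chef_dir() {
    repo=$1
    # Leading newline guards against a .gitignore with no trailing newline.
    chef_dir_ignored "$repo" || printf '\n.chef/\n' >> "$repo/.gitignore"
    chmod 700 "$repo/.chef"
    find "$repo/.chef" -type f -name '*.pem' -exec chmod 600 {} +
}

# Usage: sh check-chef-dir.sh /path/to/chef-repo
if [ -n "${1:-}" ]; then audit_chef_dir "$1"; fi
```

If ".chef" was committed before the ignore entry was added, the keys remain in the repository history; the ignore entry only prevents future additions.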