By default, chef-solo reads its configuration from /etc/chef/solo.rb. The command-line parameters correspond to config values that can be set in this file. This is done using the mixlib-config library.
```ruby
option :config_file,
  :short => "-c CONFIG",
  :long => "--config CONFIG",
  :default => "/etc/chef/solo.rb",
  :description => "The configuration file to use"

option :json_attribs,
  :short => "-j JSON_ATTRIBS",
  :long => "--json-attributes JSON_ATTRIBS",
  :description => "Load attributes from a JSON file or URL",
  :proc => nil

option :recipe_url,
  :short => "-r RECIPE_URL",
  :long => "--recipe-url RECIPE_URL",
  :description => "Pull down a remote gzipped tarball of recipes and untar it to the cookbook cache.",
  :proc => nil
```
The 'option' is the config file value. The actual config file, /etc/chef/solo.rb, would look like:
```ruby
file_cache_path "/tmp/chef-solo"
cookbook_path "/tmp/chef-solo/cookbooks"
role_path "/tmp/chef-solo/roles"
json_attribs "/tmp/chef-solo/node.json"
recipe_url "http://www.example.com/chef-solo.tar.gz"
```
Also note that the JSON file can be a remote URL, too.
```ruby
json_attribs "http://www.example.com/node.json"
```
You can use Ohai as a library within the config file as well, to detect the platform or other attributes to specify what JSON file to use.
```ruby
require 'rubygems'
require 'ohai'
o = Ohai::System.new
o.all_plugins

file_cache_path "/tmp/chef-solo"
cookbook_path "/tmp/chef-solo/cookbooks"
role_path "/tmp/chef-solo/roles"
json_attribs "/tmp/chef-solo/#{o[:platform]}.json"
recipe_url "http://www.example.com/chef-solo.tar.gz"
```
And then you'd have "platform" specific JSON files, for example. Or you could use o[:hostname], o[:domain] or o[:fqdn] to use JSON files based on the hostname, domain or fqdn. But once you start having the scaffolding of servers to support this kind of dynamic configuration, you might look at running a Chef Server :-).
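As an added example (not code from the answer above or from Chef itself), the following script models how a solo.rb like the one above is evaluated as a mixlib-config style DSL and how the Ohai-driven json_attribs choice can fall back safely when no platform-specific file exists. It replaces the real Ohai object with a plain hash and adds a check on the recipe_url scheme; both are assumptions so that it runs stand-alone without the chef or ohai gems.

```ruby
require 'uri'

# Minimal stand-in for the mixlib-config DSL chef-solo uses to evaluate
# /etc/chef/solo.rb: each bare call such as `cookbook_path "/x"` stores one
# value. Real Ohai is replaced by a plain hash (an assumption, so this runs
# without the chef or ohai gems installed).
class SoloConfig
  attr_reader :values, :ohai   # ohai stands in for the Ohai::System object
  def initialize(ohai_attrs)
    @values = {}
    @ohai = ohai_attrs
  end

  # Any one-argument call becomes a config setting, as in mixlib-config.
  def method_missing(name, *args)
    return super unless args.length == 1
    @values[name] = args.first
  end

  def self.load(text, ohai_attrs)
    cfg = new(ohai_attrs)
    cfg.instance_eval(text, 'solo.rb')
    cfg.values
  end
end

# Use the platform-specific JSON file only when it exists; otherwise fall back
# to the generic node.json and report which branch was taken.
def resolve_json_attribs(values, existing_files)
  candidate = values[:json_attribs]
  return [candidate, :platform] if existing_files.include?(candidate)
  [File.join(values[:file_cache_path], 'node.json'), :fallback]
end

# The recipe_url tarball is unpacked straight into the cookbook cache, so flag
# one that would be fetched over plain http rather than https.
def recipe_url_warnings(values)
  url = URI(values[:recipe_url].to_s)
  url.scheme == 'https' ? [] : ["recipe_url #{url} is not fetched over https"]
end

# Constructed sample in the same shape as the solo.rb shown in the answer.
SAMPLE_SOLO_RB = <<~'RB'
  file_cache_path "/tmp/chef-solo"
  cookbook_path   "/tmp/chef-solo/cookbooks"
  role_path       "/tmp/chef-solo/roles"
  json_attribs    "/tmp/chef-solo/#{ohai[:platform]}.json"
  recipe_url      "http://www.example.com/chef-solo.tar.gz"
RB
SAMPLE_VALUES = SoloConfig.load(SAMPLE_SOLO_RB, { platform: 'ubuntu' })
```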
Best Answer
It's not quite as insecure as that. The validation key can only be used for a couple of operations required to add a node.
For example if I try to delete a node using the Chef validator key:
Best practice is to delete the validation.pem file after the node has joined the Chef server.
To actually answer the question, you can create client keys using the `knife client create` command, but it's up to you to distribute these keys to the clients. Secure key distribution is a hard problem.