
Single-node enrollment

With single-node enrollment, you define the credentials and enrollment settings for a node and then Chef 360 Platform uses those settings to connect to and enroll the node with a node cohort.

Single-node enrollment fully enrolls nodes.

Requirements

Connection requirements:

  • Nodes must be accessible with SSH or WinRM.
  • Nodes must have a public DNS or public IP address.
  • A node IP address can’t be localhost (127.0.0.1).
  • A node CIDR address can’t be in the same range as the Chef 360 Platform services. The default CIDR range for Chef 360 Platform services is 10.244.0.0/16 or 10.96.0.0/12.
  • The node’s ports for RabbitMQ and the nginx API gateway must be open to Chef 360 Platform. Additionally, the Chef 360 Platform should allow inbound connections to these ports from the node.

Nodes that you connect to with SSH have the following requirements:

  • Port 22 must be open.
  • The user must have sudo privileges.
  • The user must connect with an ed25519 or RSA(2048) login key without a passphrase.

Nodes that you connect to with WinRM have the following requirements:

  • Ports 5985–5986 must be open.

  • Configure WinRM by running the following:

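    winrm quickconfig   # select Yes
    # Enable Basic authentication on the WinRM service
    winrm set winrm/config/service/Auth '@{Basic="true"}'
    # Allow unencrypted (plain HTTP) WinRM traffic
    winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    # Allow inbound TCP 5985 (WinRM over HTTP) through Windows Firewall
    netsh advfirewall firewall add rule name="WinRM-HTTP" dir=in localport=5985 protocol=TCP action=allow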
    

Enroll nodes

Enroll Linux nodes

You can enroll Linux nodes using a YAML or JSON file.

JSON file enrollment

  1. Create a file named enroll-linux.json with the following payload:

    {
        "cohortId": "<COHORT_ID>",
        "url": "<NODE_DNS_OR_PUBLIC_IP>",
        "sshCredentials": {
            "username": "<SSH_USERNAME>",
            "key": "<SSH_KEY>",
            "port": <SSH_PORT>
        }
    }
    

    Replace the following:

    • <COHORT_ID> with the cohort ID returned by chef-node-management-cli when you created the node cohort
    • <NODE_DNS_OR_PUBLIC_IP> with a public domain name or IP address
    • <SSH_USERNAME> with the SSH username to authenticate with the node
    • <SSH_KEY> with the SSH key used to authenticate with the node
    • <SSH_PORT> with the SSH port. Default is 22.

    Note

    SSH keys in a JSON payload must be formatted as a single-line string. To add a multiline key, replace each line break with the newline escape sequence \n.

    You can use the following command to replace new lines in a PEM file:

    awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' <FILENAME.pem>
    
  2. Enroll the node:

    chef-node-management-cli enrollment enroll-node --body-file enroll-linux.json --profile <NODE_MANAGER_PROFILE_NAME>
    

    The response is similar to the following:

    {
        "item": {
            "id": "36c570b1-798a-4530-ada5-2661dfeb3fac",
            "nodeId": "e4b1b524-4e77-4448-b1a9-01b80288c898"
        }
    }
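
Added example (not part of the Chef documentation or of chef-node-management-cli): a Python preflight that checks a node address against the localhost and service-CIDR requirements listed earlier, builds the enroll-linux.json body with the key as a single-line JSON string, and writes the file with 0600 permissions because it holds a passphrase-less private key. The function names, the sample key text, the `ubuntu` username and the 203.0.113.10 address are constructed for illustration.

```python
import ipaddress
import json
import os

# Default Chef 360 Platform service ranges, from the connection requirements.
PLATFORM_CIDRS = [ipaddress.ip_network(c) for c in ("10.244.0.0/16", "10.96.0.0/12")]

# Constructed sample with CRLF line endings and a blank line; not a real key.
SAMPLE_PEM = ("-----BEGIN OPENSSH PRIVATE KEY-----\r\n"
              "Q09OU1RSVUNURUQtTk9ULUEtUkVBTC1LRVk=\r\n\r\n"
              "-----END OPENSSH PRIVATE KEY-----\r\n")

def check_node_address(url):
    """Return the requirement violations for a node address (empty list = OK)."""
    if url.lower() == "localhost":
        return ["node address can't be localhost"]
    try:
        ip = ipaddress.ip_address(url)
    except ValueError:
        return []  # DNS name: only literal IP addresses are checked here
    problems = []
    if ip.is_loopback:
        problems.append("node address can't be localhost")
    problems += [f"{ip} is inside platform service range {net}"
                 for net in PLATFORM_CIDRS if ip in net]
    return problems

def build_payload(cohort_id, url, username, pem_text, port=22):
    """Build the enroll-node body; json.dump later escapes each newline as \\n."""
    problems = check_node_address(url)
    if problems:
        raise ValueError("; ".join(problems))
    # Same normalization as the awk one-liner: drop blank lines and CRs.
    key = "".join(line + "\n" for line in pem_text.splitlines() if line.strip())
    return {"cohortId": cohort_id, "url": url,
            "sshCredentials": {"username": username, "key": key, "port": port}}

def write_payload(payload, path):
    """Write the body owner-only (0600): it holds a passphrase-less private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a file that already existed
    with os.fdopen(fd, "w") as fh:
        json.dump(payload, fh, indent=4)

if __name__ == "__main__":
    body = build_payload("<COHORT_ID>", "203.0.113.10", "ubuntu", SAMPLE_PEM)
    write_payload(body, "enroll-linux.json")
    print(check_node_address("10.244.3.7"))
```
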
    

YAML file enrollment

  1. Create a file named enroll-linux.yaml with the following payload:

    cohortId: <COHORT_ID>
    url: <NODE_DNS_OR_PUBLIC_IP>
    sshCredentials:
      username: <SSH_USERNAME>
      key: |
        <SSH_KEY>    
      port: <SSH_PORT>
    

    Replace the following:

    • <COHORT_ID> with the cohortId returned by chef-node-management-cli when you created the node cohort
    • <NODE_DNS_OR_PUBLIC_IP> with a public domain name or IP address
    • <SSH_USERNAME> with the SSH username to authenticate with the node
    • <SSH_KEY> with the SSH key used to authenticate with the node
    • <SSH_PORT> with the SSH port. Default is 22.
  2. Enroll the node:

    chef-node-management-cli enrollment enroll-node --body-file enroll-linux.yaml --profile <NODE_MANAGER_PROFILE_NAME>
    

    The response is similar to the following:

    {
        "item": {
            "id": "36c570b1-798a-4530-ada5-2661dfeb3fac",
            "nodeId": "e4b1b524-4e77-4448-b1a9-01b80288c898"
        }
    }
    

Enroll Windows nodes

JSON file enrollment

  1. Create a JSON file named enroll-windows.json with WinRM credentials:

    {
        "cohortId": "<COHORT_ID>",
        "url": "<NODE_DNS_OR_PUBLIC_IP>",
        "winRMCredentials": {
            "username": "<WINDOWS_USERNAME>",
            "password": "<WINDOWS_PASSWORD>",
            "port": <PORT_NUMBER>
        }
    }
    

    Replace the following:

    • <COHORT_ID> with the cohortId returned by chef-node-management-cli when you created the node cohort
    • <NODE_DNS_OR_PUBLIC_IP> with a public domain name or IP address
    • <WINDOWS_USERNAME> with the Windows username to authenticate with the node
    • <WINDOWS_PASSWORD> with the Windows password used to authenticate with the node
    • <PORT_NUMBER> with the WinRM port number. Default is 5985-5986.
  2. Enroll the node:

    chef-node-management-cli enrollment enroll-node --body-file enroll-windows.json --profile <NODE_MANAGER_PROFILE_NAME>
    

    The response is similar to the following:

    {
        "item": {
            "id": "36c570b1-798a-4530-ada5-2661dfeb3fac",
            "nodeId": "e4b1b524-4e77-4448-b1a9-01b80288c898"
        }
    }
    

YAML file enrollment

  1. Create a YAML file with WinRM credentials:

    cohortId: <COHORT_ID>
    url: <NODE_DNS_OR_PUBLIC_IP>
    winRMCredentials:
      username: <WINDOWS_USERNAME>
      password: <WINDOWS_PASSWORD>
      port: <PORT_NUMBER>
    

    Replace the following:

    • <COHORT_ID> with the cohortId returned by chef-node-management-cli when you created the node cohort
    • <NODE_DNS_OR_PUBLIC_IP> with a public domain name or IP address
    • <WINDOWS_USERNAME> with the Windows username to authenticate with the node
    • <WINDOWS_PASSWORD> with the Windows password used to authenticate with the node
    • <PORT_NUMBER> with the WinRM port number. Default is 5985-5986.
  2. Enroll the node:

    chef-node-management-cli enrollment enroll-node --body-file <FILENAME.yaml> --profile <NODE_MANAGER_PROFILE_NAME>
    

    The response is similar to the following:

    {
        "item": {
            "id": "36c570b1-798a-4530-ada5-2661dfeb3fac",
            "nodeId": "e4b1b524-4e77-4448-b1a9-01b80288c898"
        }
    }
    

Get node enrollment status

Nodes have the following enrollment levels:

Admitted
A node’s credentials and IP address are provided for enrollment and a node ID is assigned.
Enrolled
The node is successfully enrolled with Chef 360 Platform.

Get the enrollment status of a single node

You can get the node enrollment level of a node using the node ID and the management node find-one-node subcommand:

chef-node-management-cli management node find-one-node --nodeId <NODE_ID> --profile <NODE_MANAGER_PROFILE_NAME>

Once a node is successfully enrolled, the enrollment level is set to enrolled; otherwise, it remains at admitted.

"enrollmentLevel": "enrolled"

You can also check the enrollment status for the individual steps:

chef-node-management-cli status get-status --nodeId <NODE_ID> --profile <NODE_MANAGER_PROFILE_NAME>

Each step should have a success status.

"status": "Success"

Get the enrollment status using the enrollment ID

You can get the node enrollment status and node IDs using an enrollment ID and the status get-enrollmentId-status subcommand:

chef-node-management-cli status get-enrollmentId-status --enrollmentId <ENROLLMENT_ID> --profile <NODE_MANAGER_PROFILE_NAME>

The response is similar to:

{
  "item":{
    "id":"ebff692a-ca22-4841-afc9-b334b9e2256a",
    "items":[
      {
        "nodeId":"4a85f9bc-db17-4cc9-a253-f6e1fb57f000",
        "status":"Enrollment"
      },
      {
        "nodeId":"bc7976cb-70b3-41bb-b82f-c7209a8e3364",
        "status":"Enrollment"
      }
    ]
  }
}
