Chef Manage

Danger

This documentation covers an outdated version of Chef Automate. See the Chef Automate site for current documentation. The new Chef Automate includes newer out-of-the-box compliance profiles, an improved compliance scanner with total cloud scanning functionality, better visualizations, role-based access control and many other features.

The Chef management console enables the management of nodes, data bags, roles, environments, and cookbooks by using a web user interface. In addition, access to nodes, data bags, roles, environments, and cookbooks is configurable using role-based access control (RBAC).

Note

This feature is included as part of the Chef Automate license agreement and is available via subscription.

Nodes

A node is any machine—physical, virtual, cloud, network device, etc.—that is under management by Chef.

The Chef management console provides ways for users to delete nodes and reset their private keys, edit node attributes, manage run-lists, configure user and group permissions, and manage tags.

Reports

Use Reporting to keep track of what happens during the execution of chef-client runs across all of the machines that are under management by Chef. Reports can be generated for the entire organization and they can be generated for specific nodes.

Note

The Reports tab requires the Chef Reporting add-on.

Reporting data is collected during the chef-client run, and the results are posted to the Chef server at the end of the chef-client run, at the same time the node object is uploaded to the Chef server.

The Chef management console provides ways for users to configure the timeframe around which a report is built, and then to review the reports that are available for that timeframe.

Policy

Policy maps business and operational requirements, process, and workflow to settings and objects stored on the Chef server:

  • Roles define server types, such as “web server” or “database server”
  • Environments define process, such as “dev”, “staging”, or “production”
  • Certain types of data—passwords, user account data, and other sensitive items—can be placed in data bags, which are located in a secure sub-area on the Chef server that can only be accessed by nodes that authenticate to the Chef server with the correct SSL certificates
  • The cookbooks (and cookbook versions) in which organization-specific configuration policies are maintained

The Chef management console provides ways for users to manage data bags, environments, roles, cookbooks, clients, and tags.

Admin

Organizations, users, and groups can be managed from the Chef management console, including role-based access control for any user and group to any of the objects saved to the Chef server.

The Chef server uses role-based access control (RBAC) to restrict access to objects—nodes, environments, roles, data bags, cookbooks, and so on. This ensures that only authorized user and/or chef-client requests to the Chef server are allowed. Access to objects on the Chef server is fine-grained, allowing access to be defined by object type, object, group, user, and organization. The Chef server uses permissions to define how a user may interact with an object, after they have been authorized to do so.

Install Chef Manage

The install subcommand downloads packages from https://packages.chef.io/ by default. For systems that are not behind a firewall (and have connectivity to https://packages.chef.io/), these packages can be installed as described below.

Feature: Chef Manage

Command:

Use Chef management console to manage data bags, attributes, run-lists, roles, environments, and cookbooks from a web user interface.

On the Chef server, run:

$ sudo chef-server-ctl install chef-manage

then:

$ sudo chef-server-ctl reconfigure

and then:

$ sudo chef-manage-ctl reconfigure

Note

Starting with the Chef management console 2.3.0, the Chef MLSA must be accepted when reconfiguring the product. If the Chef MLSA has not already been accepted, the reconfigure process will prompt for a yes to accept it. Alternatively, run chef-manage-ctl reconfigure --accept-license to accept the license automatically.

Chef Manage Local Installation

The install subcommand downloads packages from https://packages.chef.io/ by default. For systems that are behind a firewall (and may not have connectivity to packages.chef.io), these packages can be downloaded from https://downloads.chef.io/chef-manage/, and then installed manually. First download the package that is appropriate for the platform, save it to a local path, and then run the install command using the --path option to specify the directory in which the package is located:

$ sudo chef-server-ctl install PACKAGE_NAME --path /path/to/package/directory

For example:

$ sudo chef-server-ctl install chef-manage --path /root/packages

The chef-server-ctl command will install the first chef-manage package found in the /root/packages directory.
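
Because chef-server-ctl installs the first chef-manage package it finds in the --path directory, it is worth confirming before the install that the directory holds exactly one package and that the package matches a known checksum. The pre-flight check below is an added example, not part of the Chef documentation; the function name check_manage_pkg_dir is hypothetical, and the expected SHA-256 is assumed to come from a source you trust.

```shell
#!/bin/sh
# Added example (not Chef's own tooling). Assumes a Linux host with
# sha256sum, and an EXPECTED_SHA256 value obtained from a trusted source.

# check_manage_pkg_dir DIR EXPECTED_SHA256
# Prints the path of the single verified package and returns 0.
# Returns 1 (not a directory), 2 (directory writable by group/other),
# 3 (zero or several candidate packages), 4 (checksum mismatch).
check_manage_pkg_dir() {
  dir=$1; expected=$2; count=0; pkg=
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }

  # A directory that group or other can write to lets another local
  # user place a package that the installer might pick up instead.
  mode=$(ls -ldL "$dir" | cut -c1-10)
  case $mode in
    ?????w*|????????w*)
      echo "$dir is group- or world-writable ($mode)" >&2; return 2 ;;
  esac

  # The installer takes the first chef-manage package found, so
  # require exactly one candidate in the directory.
  for f in "$dir"/chef-manage*; do
    if [ -f "$f" ]; then
      count=$((count + 1)); pkg=$f
    fi
  done
  if [ "$count" -ne 1 ]; then
    echo "expected exactly 1 chef-manage package, found $count" >&2
    return 3
  fi

  actual=$(sha256sum "$pkg" | awk '{print $1}')
  if [ "$actual" != "$expected" ]; then
    echo "SHA-256 mismatch for $pkg" >&2; return 4
  fi
  printf '%s\n' "$pkg"
}

# Usage on the Chef server, gating the install command from this page:
#   check_manage_pkg_dir /root/packages "$EXPECTED_SHA256" \
#     && sudo chef-server-ctl install chef-manage --path /root/packages
```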