Chef Server verifies the signature on a request made with validator.pem in the same way it verifies a request signed with client.pem; the difference is what the key is for. client.pem identifies one node, while validator.pem is shared by the whole organization and exists only to register a new client with Chef Server. During the bootstrap process, validator.pem is copied to the node as /etc/chef/validation.pem.
Although /etc/chef/validation.pem is owned by root and not readable by other users, delete it once the node has its own client key and can run chef-client with it. Anyone who obtains a copy of /etc/chef/validation.pem can register new clients, and therefore new nodes, with Chef Server. Once the node has a client key it no longer needs /etc/chef/validation.pem, so the validator key should be on the node only for the window in which chef-client generates the node's own public/private key pair and sends the public key to Chef Server. (Newer versions of knife bootstrap can also create the client key on the workstation and push it to the node, so the validator never has to be copied to the node at all.)
You can verify that the validation.pem file is still present on the node you bootstrapped earlier by running one of the following commands. If the parent of your chef-repo tree is not $HOME, change the command to reflect the correct parent.
Linux/Mac OS X:
$ cd $HOME/chef-repo/cookbooks/node

Windows Command Prompt:
> cd %USERPROFILE%\chef-repo\cookbooks\node

Windows PowerShell:
> cd $HOME\chef-repo\cookbooks\node
Use kitchen login to ssh into the node, as follows. List the contents of /etc/chef and note that validation.pem is still there next to client.pem. Then make sure you exit back out to your host prompt:

$ kitchen login
Last login: Thu Aug 14 20:14:59 2014 from 192.168.33.1
Welcome to your Packer-built virtual machine.
[vagrant@default-centos65 ~]$ ls /etc/chef
client.pem client.rb first-boot.json validation.pem
[vagrant@default-centos65 ~]$ exit
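The check above is done by eye; the following is an added example, not code from the book or from the Chef project, that performs the same check and the recommended cleanup in one step: it removes validation.pem only if the node already holds a usable client.pem, and leaves the validator in place otherwise. The function name, the directory argument (defaulting to /etc/chef) and the PEM header test used to decide that client.pem is a key are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the book or the Chef project). Retire the shared
# organization validator key from a node once the node has its own client key.
# Assumptions: /etc/chef is the Chef client directory, and a file counts as a
# usable private key when it is non-empty and carries a PEM private-key header.

# Return 0 if FILE exists, is non-empty and looks like a PEM private key.
looks_like_private_key() {
    file="$1"
    [ -s "$file" ] || return 1
    grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$file"
}

# Usage: retire_validation_key [CHEF_DIR]
# Prints one word and returns:
#   "absent"  (0) validation.pem is not on the node
#   "kept"    (1) client.pem is missing or unusable, validator left in place
#   "removed" (0) client.pem is usable, validator deleted
retire_validation_key() {
    dir="${1:-/etc/chef}"
    client="$dir/client.pem"
    validator="$dir/validation.pem"

    if [ ! -e "$validator" ]; then
        echo "absent"
        return 0
    fi
    if ! looks_like_private_key "$client"; then
        # The node cannot yet authenticate as itself; removing the validator
        # now would strand it before registration.
        echo "kept"
        return 1
    fi
    # The node is registered, so the organization-wide secret is no longer
    # needed here. Anyone holding it could register further clients.
    rm -f "$validator"
    echo "removed"
    return 0
}

# Run as root on the node, e.g.:  retire_validation_key /etc/chef
```

Run it from the node after the first successful chef-client run; running it in a later chef-client run is equally fine, because it is a no-op once the file is gone.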