How we use Chef automation without Root

Chef is a popular open source development tool with great features. But it is also designed to be run using a root user by default. Running as root makes the chef process invincible and the process will be able to follow any given instruction with ease. Including the system admin’s famous nightmare rm -rf /*

Even if you run command chef-client with sudo the process will run as a root process with all privileges. Infrastructure managers who are more concerned about keeping the systems up and running without a questionable downtime might not like to give chef a such power.

So do we have a choice? We found a way of doing it in just three steps.

If you run command chef-client as a non root user you will get an error because your user has no right to write to file in /etc/chef (default location) and it need to write the client.pem node certificate.

Chef encountered an error attempting to create the client “chef-enode”

First you will have to fix that. The best way to do that is to create a group and assign permission on the folder to that group. Then just add the users to the group then they will be able to run the command without an error.

Second concern is that you might want to use more than user inside a cookbook to do the given tasks. Normally chef will handle the situation with root privileges and you only have to mention the username and group along with the command in recipe. If you want to achieve that without root you have to create a user with sudo access to run command runuser. You can find a guide on how to that here.

Finally write the recipes separating the user activities without having two user’s activities in a single recipe. Then write the default recipe including executes for other recipes while changing users to run as below.

sudo runuser -l user1 -c “chef-client -r recipe[cookbook::recipe1]”
sudo runuser -l user2 -c “chef-client -r recipe[cookbook::recipe2]”

Since this method is running a chef-client inside a chef-client you cannot use the same user to run both, keep a separate user with elevated permissions to run command chef-client on the node with sudo runuser. Use other users inside the default recipe.

If you get any permission errors during the default recipe execution it must be with the initial sudo user permission. If you get permission error during other recipes it must be because you have assigned a wrong task to that user.

Dumindu

  • Bio
  • Latest Posts