validation_key in client.rb should be filepath not actual validation key content

Bug #1568940 reported by Philip Oliva on 2016-04-11
This bug affects 1 person
Affects: cloud-init
Importance: Medium
Assigned to: Unassigned

Bug Description

The chef example shows that you need to pass validation key content in user data (http://cloudinit.readthedocs.org/en/latest/topics/examples.html#install-and-run-chef-recipes) which will populate /etc/chef/validation.pem. This populates /etc/chef/validation.pem correctly on your vm but unfortunately puts this content as the value of validation_key in /etc/chef/client.rb. This value should be a file path as per documentation: https://docs.chef.io/config_rb_client.html.

validation_key
The location of the file that contains the key used when a chef-client is registered with a Chef server. A validation key is signed using the validation_client_name for authentication. Default value: /etc/chef/validation.pem.

When you try to run chef-client on this node you will get the following error:

Creating a new client identity for poliva-bescloud-admin.poliva.dev.altus.bblabs using the validator key.

================================================================================
Chef encountered an error attempting to create the client "poliva-bescloud-admin.poliva.dev.altus.bblabs"
================================================================================

Private Key Not Found:
----------------------
Your private key could not be loaded. If the key file exists, ensure that it is
readable by chef-client.

Relevant Config Settings:
-------------------------
validation_key "-----BEGIN RSA PRIVATE KEY-----
<key content>
-----END RSA PRIVATE KEY-----"

I have noticed that when running chef-client as a daemon, though, you do not hit this problem (not sure why). But in my case I didn't want to run in daemon mode.


Scott Moser (smoser) on 2016-04-12
Changed in cloud-init:
status: New → Triaged
importance: Undecided → Medium
Scott Moser (smoser) wrote :

Hi, could you test the provided patch and give some feedback as to if it works for you?
Also any example on how to easily actually test cloud-init chef config connecting to an existing chef would be wonderful. Whenever I have to test this I don't really have a clue.

Philip Oliva (philoliva8) wrote :

Hi Scott,

Sorry for very delayed response. I didn't notice you actually provided a patch until today.

Unfortunately this patch is not working for me right now. The format of /etc/chef/validation.pem is not correct as it is getting created with spaces instead of newlines.


The format of validation_cert looks good in /var/lib/cloud/instance/user-data.txt:

#cloud-config
---
... <other sections content> ...
... <other sections content> ...
chef:
  install_type: packages
  force_install: false
  server_url: https://front12.chef.fake.fake.fake.fake.fake/organizations/mandolin
  node_name: poliva-bescloud-admin.fake.fake.fake.fake
  environment: admin-poliva-Mandolin-thor
  validation_name: mandolin-validator
  validation_cert: "-----BEGIN RSA PRIVATE KEY-----...
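
A check for the two failure modes described in this report (key content written as the value of validation_key in client.rb, and validation.pem written with spaces instead of newlines), as an added example that is not part of the thread or of cloud-init's code. The function names, result labels and sample inputs are assumptions constructed for illustration; the key body is dummy data.

```python
import re

PEM_BEGIN = re.compile(r"-----BEGIN [A-Z ]+-----")
# client.rb setting: validation_key "<value>"; the value may span lines.
SETTING = re.compile(r"""^\s*validation_key\s+(["'])(.*?)\1""", re.M | re.S)


def check_client_rb(text):
    """Classify the validation_key setting found in client.rb content."""
    m = SETTING.search(text)
    if m is None:
        return "missing"      # chef-client then uses its documented default path
    value = m.group(2)
    if PEM_BEGIN.search(value):
        return "inline-key"   # key material where a file path belongs
    return "path" if value.startswith("/") else "unexpected"


def check_pem(text):
    """Report whether PEM text kept its one-item-per-line structure."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not PEM_BEGIN.match(lines[0]):
        return "not-pem"
    if len(lines) == 1 or not PEM_BEGIN.fullmatch(lines[0]):
        return "collapsed"    # header and body share one line
    if not lines[-1].startswith("-----END "):
        return "truncated"
    if any(" " in ln for ln in lines[1:-1]):
        return "collapsed"    # several body lines joined by spaces
    return "ok"


# Constructed sample inputs (dummy key body, not a real key).
GOOD_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nQUJD\nREVG\n"
            "-----END RSA PRIVATE KEY-----\n")
FLAT_PEM = GOOD_PEM.strip().replace("\n", " ")
BAD_RB = 'log_level :info\nvalidation_key "%s"\n' % GOOD_PEM.strip()
GOOD_RB = 'log_level :info\nvalidation_key "/etc/chef/validation.pem"\n'

if __name__ == "__main__":
    for name, rb in (("reported", BAD_RB), ("expected", GOOD_RB)):
        print(name, "client.rb ->", check_client_rb(rb))
    for name, pem in (("multi-line", GOOD_PEM), ("space-joined", FLAT_PEM)):
        print(name, "validation.pem ->", check_pem(pem))
```

An "inline-key" result also means the private key is stored in client.rb itself and is echoed in chef-client's "Relevant Config Settings" error output, as the log in the bug description shows.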
