Chef server installation

I wrote these study notes from the point of view of a system administrator, covering what to expect and any issues that can trip up your installation.
The original standalone installation instructions can be found at

Server checks and preparations.


The first thing to check is whether the HTTP (80) and HTTPS (443) ports are open.
If they are not, open the ports for access.

[root@centos7 chef]# firewall-cmd --list-ports
[root@centos7 chef]# firewall-cmd --permanent --add-port=80/tcp
[root@centos7 chef]# firewall-cmd --permanent --add-port=443/tcp
[root@centos7 chef]# firewall-cmd --reload
[root@centos7 chef]# firewall-cmd --list-ports
80/tcp 443/tcp

Another issue you might run into: if the Apache web server is already running, you will need to disable it, since the Chef server uses the nginx web server.

[root@centos7 chef]# systemctl disable httpd
[root@centos7 chef]# systemctl stop httpd

Make sure the NTP daemon is running; if it is not, you will need to configure and start it.
This step is critical: if the system clocks are not in sync, the client can fail to authenticate, and you might see some 401 errors later.
[root@centos7 chef]# systemctl status ntpd.service


Chef server standalone installation

Now you are ready to start the chef standalone installation.

Download the package from

[root@centos7 chef]# wget
[root@centos7 chef]# rpm -ivh chef-server-core-12.17.33-1.el7.x86_64.rpm
[root@centos7 chef]# chef-server-ctl reconfigure

The output of the reconfigure command is very long, and the command takes a considerable amount of time to complete.
It is very verbose about which packages are being installed and how they are configured.

[root@centos7 chef]# lsof -i :80
nginx   26104    root   13u  IPv4 215177      0t0  TCP *:http (LISTEN)
nginx   26109 opscode   13u  IPv4 215177      0t0  TCP *:http (LISTEN)
nginx   26110 opscode   13u  IPv4 215177      0t0  TCP *:http (LISTEN)
[root@centos7 chef]# lsof -i :443
nginx   26104    root   14u  IPv4 215178      0t0  TCP *:https (LISTEN)
nginx   26109 opscode   14u  IPv4 215178      0t0  TCP *:https (LISTEN)
nginx   26110 opscode   14u  IPv4 215178      0t0  TCP *:https (LISTEN)

This is just a check that the nginx server is running.
You should check with a browser by pointing it to the host on which you are installing the chef server.
You will see the following page.


[root@centos7 chef]# chef-server-ctl user-create chef_admin Chef Admin 'Chef123' --filename=/root/chef/chef_admin.pem
[root@centos7 chef]# chef-server-ctl org-create  unixguide "Unix Guide Net" --association chef_admin --filename=/root/chef/unixguide-validator.pem
[root@centos7 chef]# ls
chef_admin.pem  chef-server-core-12.17.33-1.el7.x86_64.rpm  unixguide-validator.pem

The two previous commands created the account and the organization. They also created the two PEM files.
You will need the validator PEM file later for your clients.

The next step is to install the chef-manage package.

[root@centos7 chef]# chef-server-ctl install chef-manage
Starting Chef Client, version 12.21.31
resolving cookbooks for run list: ["private-chef::add_ons_wrapper"]
Synchronizing Cookbooks:
  - private-chef (0.1.1)
  - openssl (8.1.2)
  - enterprise (0.11.0)
  - runit (4.0.4)
  - packagecloud (0.3.0)
  - yum-epel (2.1.2)
  - compat_resource (12.19.1)
Installing Cookbook Gems:
Compiling Cookbooks...
/var/opt/opscode/local-mode-cache/cookbooks/packagecloud/resources/repo.rb:10: warning: constant ::Fixnum is deprecated
Converging 4 resources
Recipe: private-chef::add_ons_wrapper
  * ruby_block[addon_install_notification_chef-manage] action nothing (skipped due to action :nothing)
  * remote_file[/var/opt/opscode/local-mode-cache/chef-manage-2.5.16-1.el7.x86_64.rpm] action create
    - create new file /var/opt/opscode/local-mode-cache/chef-manage-2.5.16-1.el7.x86_64.rpm
    - update content in file /var/opt/opscode/local-mode-cache/chef-manage-2.5.16-1.el7.x86_64.rpm from none to 8b14a7
    (file sizes exceed 10000000 bytes, diff output suppressed)
  * ruby_block[locate_addon_package_chef-manage] action run
    - execute the ruby block locate_addon_package_chef-manage
  * yum_package[chef-manage] action install
    - install version 2.5.16-1.el7 of package chef-manage
  * ruby_block[addon_install_notification_chef-manage] action create
    - execute the ruby block addon_install_notification_chef-manage

Running handlers:
-- Installed Add-On Package: chef-manage
  - #<Class:0x00000000017e0328>::AddonInstallHandler
Running handlers complete

Deprecated features used!
  Property `state` of resource `openssl_x509` overwrites an existing method. Please use a different property name. This will raise an exception in Chef 13. at 1 location:
    - /var/opt/opscode/local-mode-cache/cookbooks/openssl/resources/x509.rb:12:in `class_from_file'
   See for further details.

Chef Client finished, 4/5 resources updated in 54 seconds

You should see that the chef-manage package was installed.

[root@centos7 chef]# rpm -qa | grep chef

[root@centos7 chef]# chef-server-ctl reconfigure
[root@centos7 chef]# chef-manage-ctl reconfigure

At this point you can check the web server with your browser, and you will see the following page.
The main difference here is that the Chef logo now has the "manage" text underneath, and it should redirect you to the login page.


The following commands install and configure the packages opscode-push-jobs-server and opscode-reporting.

[root@centos7 chef]# chef-server-ctl reconfigure --accept-license
[root@centos7 chef]# chef-server-ctl install opscode-push-jobs-server

[root@centos7 chef]# rpm -qa opscode-push-jobs-server

[root@centos7 chef]# opscode-push-jobs-server-ctl reconfigure
[root@centos7 chef]# chef-server-ctl install opscode-reporting

[root@centos7 chef]# rpm -q opscode-reporting

[root@centos7 chef]# chef-server-ctl reconfigure
[root@centos7 chef]# opscode-reporting-ctl reconfigure
To use this software, you must agree to the terms of the software license agreement.
Press any key to continue.
Type 'yes' to accept the software license agreement, or anything else to cancel.

To get to the point where you can type "yes" to accept the license agreement, you have to press space and then the letter q.

At this point your chef server installation is done and you can log in using the account you created earlier.

The following two services chef-manage-runsvdir-start.service and private_chef-runsvdir-start.service should be running.

[root@centos7 chef]# systemctl status chef-manage-runsvdir-start.service
● chef-manage-runsvdir-start.service - chef-manage Runit Process Supervisor
   Loaded: loaded (/etc/systemd/system/chef-manage-runsvdir-start.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-08-19 02:13:20 EDT; 5h 35min left
 Main PID: 1081 (runsvdir)
    Tasks: 54
   Memory: 581.0M
   CGroup: /system.slice/chef-manage-runsvdir-start.service
          1081 runsvdir -P /opt/chef-manage/service log: ...........................................................
          1131 runsv redis
          1140 runsv web
          1141 runsv worker
          1142 /opt/chef-manage/embedded/bin/svlogd -tt /var/log/chef-manage/redis
          1143 redis-server
          1144 /opt/chef-manage/embedded/bin/svlogd -tt /var/log/chef-manage/web
          1149 unicorn master -E production -c /var/opt/chef-manage/etc/unicorn.rb /opt/chef-manage/embedded/serv...
          1151 /opt/chef-manage/embedded/bin/svlogd -tt /var/log/chef-manage/worker
          1154 sidekiq 2.5.2 chef-manage [0 of 25 busy]
          2861 unicorn worker[0] -E production -c /var/opt/chef-manage/etc/unicorn.rb /opt/chef-manage/embedded/s...
          2864 unicorn worker[1] -E production -c /var/opt/chef-manage/etc/unicorn.rb /opt/chef-manage/embedded/s...

Aug 19 02:13:20 centos7 systemd[1]: Started chef-manage Runit Process Supervisor.
Aug 19 02:13:20 centos7 systemd[1]: Starting chef-manage Runit Process Supervisor...

[root@centos7 chef]# systemctl status private_chef-runsvdir-start.service
● private_chef-runsvdir-start.service - private_chef Runit Process Supervisor
   Loaded: loaded (/etc/systemd/system/private_chef-runsvdir-start.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-08-19 02:13:20 EDT; 5h 35min left
 Main PID: 1080 (runsvdir)
    Tasks: 357
   Memory: 1.4G
   CGroup: /system.slice/private_chef-runsvdir-start.service
          1080 runsvdir -P /opt/opscode/service log: ...............................................................
          1145 runsv postgresql
          1146 runsv oc_bifrost
          1147 runsv oc_id
          1148 runsv opscode-solr4
          1150 runsv opscode-expander
          1152 runsv bookshelf
          1153 svlogd -tt /var/log/opscode/oc_bifrost
          1155 runsv opscode-erchef
          1156 runsv opscode-chef-mover
          1157 runsv redis_lb
          1158 svlogd -tt /var/log/opscode/bookshelf
          1159 /opt/opscode/embedded/lib/erlang/erts-7.3/bin/beam.smp -Bd -K true -P 524288 -A 10 -- -root /opt/o...
          1160 runsv nginx
          1161 runsv rabbitmq
          1162 svlogd -tt /var/log/opscode/opscode-expander
          1163 /opt/opscode/embedded/service/opscode-expander/bin/opscode-expander-cluster -n 2 -c /var/opt/opsco...
          1164 runsv opscode-pushy-server
          1165 svlogd -tt /var/log/opscode/opscode-chef-mover
          1166 /opt/opscode/embedded/lib/erlang/erts-7.3/bin/beam.smp -Bd -K true -A 5 -- -root /opt/opscode/embe...
          1167 svlogd -tt /var/log/opscode/redis_lb
          1168 /opt/opscode/embedded/bin/redis-server
          1169 runsv opscode-reporting
          1170 /opt/opscode/embedded/lib/erlang/erts-7.3/bin/beam.smp -Bd -K true -A 10 -P 262144 -- -root /opt/o...
          1171 svlogd -tt /var/log/opscode/oc_id
          1172 svlogd -tt /var/log/opscode/opscode-solr4
          1173 svlogd -tt /var/log/opscode/opscode-reporting
          1174 rails master -p 9090 -b
          1175 svlogd -tt /var/log/opscode/rabbitmq
          1176 java -Xmx987M -Xms987M -XX:NewSize=61M -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -Xloggc:/var/log/o...
          1177 /opt/opscode-reporting/embedded/service/opscode-reporting/erts-7.3/bin/beam.smp -Bd -- -root /opt/...
          1178 /opt/opscode/embedded/lib/erlang/erts-7.3/bin/beam.smp -W w -A 64 -P 1048576 -t 5000000 -stbt db -...
          1179 svlogd -tt /var/log/opscode/nginx
          1180 nginx: master process /opt/opscode/embedded/sbin/nginx -c /var/opt/opscode/nginx/etc/nginx.conf
          1182 svlogd -tt /var/log/opscode/opscode-erchef
          1183 /opt/opscode/embedded/lib/erlang/erts-7.3/bin/beam.smp -Bd -K true -A 5 -- -root /opt/opscode/embe...
          1192 svlogd -tt /var/log/opscode/opscode-pushy-server
          1193 /opt/opscode-push-jobs-server/embedded/service/opscode-pushy-server/erts-7.3/bin/beam.smp -Bd -K t...
          1194 svlogd -tt /var/log/opscode/postgresql/9.6
          1195 /opt/opscode/embedded/bin/postgres -D /var/opt/opscode/postgresql/9.6/data
          1468 /opt/opscode/embedded/lib/erlang/erts-7.3/bin/epmd -daemon
          1576 postgres: checkpointer process
          1577 postgres: writer process
          1578 postgres: wal writer process
          1579 postgres: autovacuum launcher process
          1580 postgres: stats collector process
          2446 nginx: worker process
          2447 nginx: worker process
          2448 nginx: cache manager process
          2475 inet_gethost 4
          2476 inet_gethost 4
          2576 inet_gethost 4
          2577 inet_gethost 4
          2582 postgres: bifrost bifrost idle
          2587 postgres: bifrost bifrost idle
          2588 postgres: bifrost bifrost idle
          2589 postgres: bifrost bifrost idle
          2590 postgres: bifrost bifrost idle
          2591 postgres: bifrost bifrost idle
          2592 postgres: bifrost bifrost idle
          2593 postgres: bifrost bifrost idle
          2594 postgres: bifrost bifrost idle
          2595 postgres: bifrost bifrost idle
          2596 postgres: bifrost bifrost idle
          2597 postgres: bifrost bifrost idle
          2598 postgres: bifrost bifrost idle
          2599 postgres: bifrost bifrost idle
          2600 postgres: bifrost bifrost idle
          2601 postgres: bifrost bifrost idle
          2602 postgres: bifrost bifrost idle
          2603 postgres: bifrost bifrost idle
          2604 postgres: bifrost bifrost idle
          2605 inet_gethost 4
          2606 inet_gethost 4
          2607 postgres: opscode_reporting opscode_reporting idle
          2608 postgres: opscode_reporting opscode_reporting idle
          2609 postgres: opscode_reporting opscode_reporting idle
          2610 postgres: opscode_reporting opscode_reporting idle
          2611 postgres: opscode_reporting opscode_reporting idle
          2612 postgres: opscode_reporting opscode_reporting idle
          2613 postgres: opscode_reporting opscode_reporting idle
          2614 postgres: opscode_reporting opscode_reporting idle
          2615 postgres: opscode_reporting opscode_reporting idle
          2616 postgres: opscode_reporting opscode_reporting idle
          2617 postgres: opscode_reporting opscode_reporting idle
          2618 postgres: opscode_reporting opscode_reporting idle
          2619 postgres: opscode_reporting opscode_reporting idle
          2620 postgres: opscode_reporting opscode_reporting idle
          2621 postgres: opscode_reporting opscode_reporting idle
          2622 postgres: opscode_reporting opscode_reporting idle
          2623 postgres: opscode_reporting opscode_reporting idle
          2624 postgres: opscode_reporting opscode_reporting idle
          2625 postgres: opscode_reporting opscode_reporting idle
          2626 postgres: opscode_reporting opscode_reporting idle
          2627 postgres: opscode_reporting opscode_reporting idle
          2628 postgres: opscode_reporting opscode_reporting idle
          2629 postgres: opscode_reporting opscode_reporting idle
          2630 postgres: opscode_reporting opscode_reporting idle
          2631 postgres: opscode_reporting opscode_reporting idle
          2637 inet_gethost 4
          2638 inet_gethost 4
          2639 postgres: opscode_chef opscode_chef idle
          2641 postgres: opscode_chef opscode_chef idle
          2642 postgres: opscode_chef opscode_chef idle
          2643 postgres: opscode_chef opscode_chef idle
          2644 postgres: opscode_chef opscode_chef idle
          2655 inet_gethost 4
          2656 inet_gethost 4
          2657 postgres: opscode_chef opscode_chef idle
          2658 postgres: opscode_chef opscode_chef idle
          2659 postgres: opscode_chef opscode_chef idle
          2660 postgres: opscode_chef opscode_chef idle
          2661 postgres: opscode_chef opscode_chef idle
          2662 postgres: opscode_chef opscode_chef idle
          2663 postgres: opscode_chef opscode_chef idle
          2664 postgres: opscode_chef opscode_chef idle
          2665 postgres: opscode_chef opscode_chef idle
          2666 postgres: opscode_chef opscode_chef idle
          2667 postgres: opscode_chef opscode_chef idle
          2668 postgres: opscode_chef opscode_chef idle
          2669 postgres: opscode_chef opscode_chef idle
          2680 postgres: opscode_chef opscode_chef idle
          2681 postgres: opscode_chef opscode_chef idle
          2682 postgres: opscode_chef opscode_chef idle
          2683 postgres: opscode_chef opscode_chef idle
          2684 postgres: opscode_chef opscode_chef idle
          2685 postgres: opscode_chef opscode_chef idle
          2686 postgres: opscode_chef opscode_chef idle
          2687 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.17.29/priv/depselector_rb/de...
          2688 inet_gethost 4
          2690 inet_gethost 4
          2691 postgres: opscode_pushy opscode_pushy idle
          2692 opscode-expander worker #1 (vnodes 0-511)
          2695 opscode-expander worker #2 (vnodes 512-1023)
          2702 postgres: opscode_pushy opscode_pushy idle
          2703 postgres: opscode_pushy opscode_pushy idle
          2704 postgres: opscode_pushy opscode_pushy idle
          2705 postgres: opscode_pushy opscode_pushy idle
          2706 postgres: opscode_pushy opscode_pushy idle
          2707 postgres: opscode_pushy opscode_pushy idle
          2708 postgres: opscode_pushy opscode_pushy idle
          2709 postgres: opscode_pushy opscode_pushy idle
          2710 postgres: opscode_pushy opscode_pushy idle
          2711 postgres: opscode_pushy opscode_pushy idle
          2712 postgres: opscode_pushy opscode_pushy idle
          2713 postgres: opscode_pushy opscode_pushy idle
          2714 postgres: opscode_pushy opscode_pushy idle
          2715 postgres: opscode_pushy opscode_pushy idle
          2716 postgres: opscode_pushy opscode_pushy idle
          2717 postgres: opscode_pushy opscode_pushy idle
          2718 postgres: opscode_pushy opscode_pushy idle
          2719 postgres: opscode_pushy opscode_pushy idle
          2720 postgres: opscode_pushy opscode_pushy idle
          2736 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.17.29/priv/depselector_rb/de...
          2738 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.17.29/priv/depselector_rb/de...
          2740 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.17.29/priv/depselector_rb/de...
          2742 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.17.29/priv/depselector_rb/de...
          2829 rails worker[0] -p 9090 -b

Aug 19 02:13:20 centos7 systemd[1]: Started private_chef Runit Process Supervisor.
Aug 19 02:13:20 centos7 systemd[1]: Starting private_chef Runit Process Supervisor...

Chef Client installation.

Now you are ready to install the chef client.
The omnitruck installer basically downloads and installs the chef package.

[root@guest2 chef]# curl -L | sudo bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 23075  100 23075    0     0   162k      0 --:--:-- --:--:-- --:--:--  163k
el 7 x86_64
Getting information for chef stable  for el...
  to file /tmp/
trying curl...
sha1    3229e44c1136741be7df65d1441732bae55a2a02
sha256  1807c453c5a16fd2cb0941f98847a0031c3812ccb9e3a628b2f8fba8335f485c
version 14.3.37
downloaded metadata file looks valid...
  to file /tmp/
trying curl...
Comparing checksum with sha256sum...


You are installing an omnibus package without a version pin.  If you are installing
on production servers via an automated process this is DANGEROUS and you will
be upgraded without warning on new releases, even to new major releases.
Letting the version float is only appropriate in desktop, test, development or
CI/CD environments.


Installing chef
installing with rpm...
warning: /tmp/ Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:chef-14.3.37-1.el7               ################################# [100%]
Thank you for installing Chef!

[root@guest2 chef]# rpm -q chef
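
The installer output above prints the package metadata (sha256 and version) and warns about installing without a version pin. As an added example (not part of the original notes or of Chef's installer), the script below refuses a downloaded package unless it matches a pinned version and the published SHA-256. The function names, file names and sample data are constructed for illustration.

```bash
# Added example (not from the original notes): refuse to install a downloaded
# chef package unless it matches a pinned version and the published SHA-256.
# verify_chef_pkg and the file names below are hypothetical.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_chef_pkg <metadata-file> <package-file> <pinned-version>
# The metadata file uses the "key value" layout the installer prints
# ("sha256 <digest>", "version <version>"). Returns 0 only when the version
# equals the pin and the package digest equals the published one.
verify_chef_pkg() {
    local meta=$1 pkg=$2 pin=$3 want got version
    if [ ! -r "$meta" ] || [ ! -r "$pkg" ]; then
        echo "missing metadata or package file" >&2; return 2
    fi
    want=$(awk '$1 == "sha256" { print tolower($2); exit }' "$meta")
    version=$(awk '$1 == "version" { print $2; exit }' "$meta")

    # Refuse a floating or unexpected version.
    if [ "$version" != "$pin" ]; then
        echo "version '$version' does not match pin '$pin'" >&2; return 3
    fi
    # A SHA-256 digest is exactly 64 hex characters; reject anything else.
    case $want in
        ''|*[!0-9a-f]*) echo "malformed sha256 in metadata" >&2; return 4 ;;
    esac
    if [ "${#want}" -ne 64 ]; then
        echo "malformed sha256 in metadata" >&2; return 4
    fi
    got=$(sha256_of "$pkg")
    if [ "$got" != "$want" ]; then
        echo "checksum mismatch for $pkg" >&2; return 5
    fi
    return 0
}

# Constructed demo: a stand-in "package" and metadata written to a temp dir.
demo_verify() {
    local dir rc
    dir=$(mktemp -d) || return 1
    printf 'constructed package bytes\n' > "$dir/chef.rpm"
    printf 'sha256\t%s\nversion\t14.3.37\n' "$(sha256_of "$dir/chef.rpm")" > "$dir/meta"
    rc=0; verify_chef_pkg "$dir/meta" "$dir/chef.rpm" 14.3.37 || rc=$?
    echo "pinned 14.3.37, intact package   -> rc=$rc"
    printf 'tampered\n' >> "$dir/chef.rpm"
    rc=0; verify_chef_pkg "$dir/meta" "$dir/chef.rpm" 14.3.37 2>/dev/null || rc=$?
    echo "pinned 14.3.37, modified package -> rc=$rc"
    rm -rf "$dir"
}
demo_verify
```

The digest is only as trustworthy as the channel the metadata came from. The `NOKEY` warning in the output above means rpm could not check the package signature because the signing key was not imported.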

You should create these 3 configuration files under the directory /etc/chef.

client.rb  first-boot.json  unixguide-validator.pem

You should replace the organization (unixguide) with your own organization.

[root@guest2 chef]# cat client.rb
log_level               :info
log_location            STDOUT
chef_server_url         ''
validation_client_name  'unixguide-validator'
validation_key          '/etc/chef/unixguide-validator.pem'
ssl_verify_mode         :verify_none
verify_api_cert         false
node_name               "guest2"


Next, create a role named base by clicking on Policy, then role, and then create.

[root@guest2 chef]# cat first-boot.json
{
        "run_list": [ "role[base]" ]
}

This validator file was created earlier and was copied to the client.
If you are missing this file, you can reset the validator key by clicking on the Administration tab and then the organization.
The Reset Validation Key option is in the left-hand Organizations menu.

[root@guest2 chef]# cat unixguide-validator.pem


[root@guest2 chef]# chef-client  -j /etc/chef/first-boot.json
Starting Chef Client, version 14.3.37
[2018-08-17T21:36:39-07:00] INFO: *** Chef 14.3.37 ***
[2018-08-17T21:36:39-07:00] INFO: Platform: x86_64-linux
[2018-08-17T21:36:39-07:00] INFO: Chef-client pid: 11737
[2018-08-17T21:36:39-07:00] INFO: The plugin path /etc/chef/ohai/plugins does not exist. Skipping...
Creating a new client identity for guest2 using the validator key.
[2018-08-17T21:36:40-07:00] INFO: Client key /etc/chef/client.pem is not present - registering
[2018-08-17T21:36:41-07:00] INFO: Setting the run_list to ["role[base]"] from CLI options
[2018-08-17T21:36:41-07:00] INFO: Run List is [role[base]]
[2018-08-17T21:36:41-07:00] INFO: Run List expands to []
[2018-08-17T21:36:41-07:00] INFO: Starting Chef Run for guest2
[2018-08-17T21:36:41-07:00] INFO: Running start handlers
[2018-08-17T21:36:41-07:00] INFO: Start handlers complete.
[2018-08-17T21:36:41-07:00] INFO: Error while reporting run start to Data Collector. URL: Exception: 404 -- 404 "Not Found"  (This is normal if you do not have Chef Automate)
resolving cookbooks for run list: []
[2018-08-17T21:36:41-07:00] INFO: Loading cookbooks []
Synchronizing Cookbooks:
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 0 resources
[2018-08-17T21:36:41-07:00] INFO: Chef Run complete in 0.297053758 seconds

Running handlers:
[2018-08-17T21:36:41-07:00] INFO: Running report handlers
Running handlers complete
[2018-08-17T21:36:41-07:00] INFO: Report handlers complete
Chef Client finished, 0/0 resources updated in 02 seconds
[2018-08-17T21:36:41-07:00] INFO: Sending resource update report (run-id: 013cccc2-a79d-4c77-ac54-e963fc0275da)

At this point you have added a node named guest2.
The node should now be visible in the chef dashboard.
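
The client.rb above turns certificate checking off (`ssl_verify_mode :verify_none` with `verify_api_cert false`), and the run log shows the node registering with the validator key. As an added example (not part of the original notes or of Chef's tooling), this script audits a node's chef directory for that TLS setting, for a validator key left behind once `client.pem` exists, and for key files accessible to group or other. The function names, finding labels and the temp-dir sample are constructed for illustration.

```bash
# Added example (not from the original notes): audit a node's chef directory
# for the settings used in the client.rb above. audit_chef_client and its
# finding names are hypothetical, not part of Chef's tooling.

# Print the last value assigned to <key> in a client.rb, quotes stripped.
rb_setting() {   # rb_setting <client.rb> <key>
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1" | tr -d "\"'"
}

# Print one finding per line; return 1 if anything was found, 0 if clean.
audit_chef_client() {   # audit_chef_client <chef-dir>
    local dir=$1 rb mode cert vkey f perms found=0
    rb=$dir/client.rb
    if [ ! -r "$rb" ]; then echo "NO_CLIENT_RB $dir"; return 2; fi
    mode=$(rb_setting "$rb" ssl_verify_mode)
    cert=$(rb_setting "$rb" verify_api_cert)
    vkey=$(rb_setting "$rb" validation_key)

    # With :verify_none any certificate is accepted. verify_api_cert true
    # still forces verification of Chef server API requests only.
    if [ "$mode" = ":verify_none" ]; then
        if [ "$cert" = "true" ]; then
            echo "TLS_PARTIAL only Chef server API requests are verified"
        else
            echo "TLS_DISABLED Chef server certificate is never verified"
        fi
        found=1
    fi

    # Once client.pem exists the node is registered; the organization-wide
    # validator key is no longer needed on it.
    if [ -n "$vkey" ] && [ -e "$vkey" ] && [ -e "$dir/client.pem" ]; then
        echo "VALIDATOR_LEFT $vkey"
        found=1
    fi

    # Private keys must not be readable or writable by group or other.
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        perms=$(ls -ld "$f" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "KEY_PERMS $f $perms"
            found=1
        fi
    done
    return "$found"
}

# Constructed demo: the settings from this page, written into a temp dir.
demo_audit() {
    local dir
    dir=$(mktemp -d) || return 1
    cat > "$dir/client.rb" <<EOF
validation_key          '$dir/unixguide-validator.pem'
ssl_verify_mode         :verify_none
verify_api_cert         false
EOF
    : > "$dir/unixguide-validator.pem"; chmod 644 "$dir/unixguide-validator.pem"
    : > "$dir/client.pem";              chmod 600 "$dir/client.pem"
    audit_chef_client "$dir" || true
    rm -rf "$dir"
}
demo_audit
```

On a real node the call is `audit_chef_client /etc/chef`. With `ssl_verify_mode :verify_peer`, a self-signed Chef server certificate has to be placed in the client's trusted certificates directory before the client will connect.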