Chef-Server Installation can't find chef service - linux

I am installing chef-server on this VPS that my friend let me borrow.
I was able to install chef and run chef-server-ctl reconfigure successfully.
I ran into problems because I need to change the iptable rules and I discovered that I cannot find chef-server running on any port or as a service.
When I run chef-server-ctl it seems to pass all the tests, so I know its API is working.
Where can I find that chef is running?
I need to change my iptables so that I can use knife to communicate with chef-server.

First off it sounds like you installed Chef Server, not Chef, important distinction :) Second, there is no specific process called chef-server. The frontend routing is handled by nginx which binds on port 443 and 80 (80 is just a redirector to 443 and can be blocked or disabled if desired). Internally we have a bunch of different smaller services like oc_erchef, bifrost, oc_id, etc. These all listen on localhost and are reached via Nginx.

You have installed Chef server and have reconfigured the server, but you can't find a chef-server.
You can run the command below to check all the services that are running in Chef server:
$ chef-server-ctl service-list
bookshelf*
nginx*
oc_bifrost*
oc_id*
opscode-chef-mover*
opscode-erchef*
opscode-expander*
opscode-solr4*
rabbitmq*
redis_lb*
postgresql*
To update the port number you need to update
/etc/chef-server/chef-server.rb - in Chef 11
/etc/opscode/chef-server.rb - in Chef 12
nginx['non_ssl_port'] = portnumber
And also, how are you using the knife command? Do you want the SSL check to be passed? Then you need to add a line in the knife.rb file:
ssl_verify_mode :verify_none

Related

Go, sudo, and apache port 80

I am using gorilla/mux package in golang, but there are some problems. The first is I have no permissions to use port 80 on my application because I cannot run the application from sudo as the $GOPATH is not set when using sudo.
Here is the error I get from my program:
$ go run app.go
2014/06/28 00:34:12 Listening...
2014/06/28 00:34:12 ListenAndServe: listen tcp :80: bind: permission denied
exit status 1
I am unsure if it will even work when I fix the sudo problem, because apache is already using port 80 and I am not sure if both my app and apache can "play nice" together.
Any advice on how to solve this would be great. Thank you.
Quoting elithar's comment,
You have two options: either turn off Apache (because only one service
can bind to a port), or (better!) use Apache's ProxyPass to proxy any
incoming requests to a specific Hostname to your Go server running on
port (e.g.) 8000. The second method is very popular, robust, and you
can use Apache to handle request logging and SSL for you.
Reverse Proxying
Using Apache on port 80 in this way is called a reverse proxy. It receives all incoming connections on port 80 (and/or port 443 for https) and passes them on, usually unencrypted, via internal localhost connections only, to your Go program running on whatever port you choose. 8000 and 8080 are often used. The traffic between Apache and your server is itself HTTP traffic.
Because your Go program does not run as root, it is unable to alter critical functions on the server. Therefore it gives an extra degree of security, should your program ever contain security flaws, because any attacker would gain only limited access.
FastCGI
You can improve the overall performance of the reverse proxying by not using HTTP for the connection from Apache to the Go server. This is done via the FastCGI protocol, originally developed for shell, Perl and PHP scripts, but working well with Go too. To use this, you have to modify your Go server to listen using the fcgi API. Apache FastCGI is also required. The traffic from Apache to your server uses a more compact format (not HTTP) and this puts less load on each end.
The choice of socket type is also open: instead of the usual TCP sockets, it is possible to use Unix sockets, which reduce the processing load even further. I haven't done this in Go myself, but the API supports the necessary bits (see a related question).
Nginx
Whilst all the above describes using Apache, there are other server products that can provide a reverse proxy too. The most notable is Nginx (Nginx reverse proxy example), which will give you small but useful performance and scalability advantages. If you have this option on your servers, it is worth the effort to learn and deploy.
Based on this previous answer about environment variables, I was able to solve the sudo problem easily.
https://stackoverflow.com/a/8636711/2576956
sudo visudo
added these lines:
Defaults env_keep +="GOPATH"
Defaults env_keep +="GOROOT"
Using ubuntu 12.04 by the way. I think the previous answer about the proxy for using port 80 is the correct choice, because after fixing the sudo issue I was given this error about port 80 instead:
$ sudo go run app.go
2014/06/28 01:26:30 Listening...
2014/06/28 01:26:30 ListenAndServe: listen tcp :80: bind: address already in use
exit status 1
Meaning the sudo command was fixed but the proxy binding would not work with another service already using port 80 (apache).

Can't access tomcat web page from lan

I installed a tomcat7 server on a ubuntu 12.04 box. I simply used "apt-get install tomcat7". I did not install apache2. I can access the default page from localhost:8080, 127.0.0.1:8080, and 192.168.1.201:8080, where the latter is the IP address from my LAN. My end goal is to be able to access the web server from outside the LAN with port forwarding. For now, however, I can't even access it inside the LAN.
Problem:
I can't access the web page from any other computer (windows 7, iPad) on the same LAN! I
get the "connection has timed out" error from the browser.
Question: Can I run tomcat on its own without installing Apache2 first? This is the current setup and I can access pages hosted on tomcat on the same server, but not over the LAN.
Other information:
I can ping the ubuntu computer from other machines
The ubuntu firewall is disabled (checked via the firewall GUI interface).
I also tried "sudo ufw disable"
I tried: "sudo service iptables stop" and got the message: "iptables: unrecognized service"
I also tried disabling the appArmor firewall:
sudo /etc/init.d/apparmor stop
sudo /etc/init.d/apparmor teardown
sudo update-rc.d -f apparmor remove
I set the router firewall policy to minimum: inbound: accept all; outbound: accept all.
All computers (including ubuntu server) are connected to LAN via wireless
The ubuntu server IP address is static, not DHCP
I checked the SELinux folder and it's empty. I removed it.
Thank you for your help,
Omar
EDIT:
I can connect from within the LAN using ssh (I installed OpenSSH on ubuntu).
ANSWER:
I found the solution to this problem. It turned out there was a firewall active that was blocking the port. The firewall is called "firestarter". Not sure how this was installed, but it can be downloaded from the ubuntu software center. The default inbound policy blocks all ports except for SSH (22). I opened port 8080 and everything worked just fine. The other firewalls (ufw and SELinux) were disabled.
Thank you all again for your help.
Omar
First of all, make sure all of the IP addresses are topologically correct, then ping your Apache server system. If all this succeeds, your network is fine.
Now the question: are you using the Ubuntu Server edition? If this is the case, I believe you can set up Apache out of the box.
In case of the Desktop edition you could install it using command line or just install something like XAMP from apache friends.
Make sure your apache Server is started
If you do not already have Apache installed, you can do so now by issuing the following commands:
sudo apt-get update
sudo apt-get install apache2
This is all that is necessary to have a working web server.
I think "apt-get install tomcat7" doesn't work in Ubuntu. You have to manually download the TAR file and then you can install it with the scripts. Please check whether it is properly installed or not. It should show an Apache Tomcat homepage @ localhost:8080
Also if it is installed properly, check whether it is running on the port 8080, or any other port.
If everything is fine, then disable the firewall of the server where you have installed Tomcat. Check for the server IP.
Now from other machine, access that server using http://server_ip:port
This should work fine. No issues should be there.
The other thing you have mentioned in your question is UBUNTU BOX. Maybe this issue arises due to UBUNTU BOX. If possible, make a clean install of Ubuntu.

CHECK_NRPE: Error - Could not complete SSL handshake

I have NRPE daemon process running under xinetd on amazon ec2 instance and nagios server on my local machine.
The check_nrpe -H [amazon public IP] gives this error:
CHECK_NRPE: Error - Could not complete SSL handshake.
Both Nrpe are same versions. Both are compiled with this option:
./configure --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/i386-linux-gnu/
"allowed host" entry contains my local IP address.
What could be the possible reason of this error now??
If you are running nrpe as a service, make sure you have this line in your nrpe.cfg on the client side:
# example 192. IP, yours will probably differ
allowed_hosts=127.0.0.1,192.168.1.100
You say that is done, however, if you are running nrpe under xinetd, make sure to edit the only_from directive in the file /etc/xinetd.d/nrpe.
Don't forget to restart the xinetd service:
service xinetd restart
To check if you have access to it at all attempt a simple telnet on the address:port, a ping or traceroute to see where it is blocking.
telnet IP port
ping IP
traceroute -p $port IP
Also check on the target server that the nrpe daemon is working properly.
netstat -at | grep nrpe
You also need to check the versions of OpenSSL installed on both servers, as I have seen this break checks on occasion with the SSL handshake!
Check your /var/sys/system.log. In my case, it turned out my monitored IP was set to something other than the one I set in the nrpe.cfg file. I don't know the cause of this change, though.
@jgritty was right.
You should edit nrpe.cfg and nrpe config files to allow your master Nagios server's access:
vim /usr/local/nagios/etc/nrpe.cfg
allowed_hosts=127.0.0.1,172.16.16.150
and
vim /etc/xinetd.d/nrpe
only_from= 127.0.0.1 172.16.16.150
That's somewhat of a catch-all error message for NRPE. Check your firewall rules and make sure that port is open. Also try disabling SELinux and seeing if that lets the connection through. It's likely not an SSL issue, but just an issue with the connection being refused.
It looks like you are running your Nagios server in a virtual machine on a host-only network. If this is so, this would stop any external access. Ensure that you have a NAT or Bridged Network available.
So many answers, none of them hit the reason why I ran into this issue.
It turns out that nagios has terrible cross-version support and this was caused by me having a version 2 "client" (machine being monitored) and a version 3 "server" (monitoring machine).
Once I upgraded the client to version 3, the problem went away and I could do a check_nrpe -H [client IP] without issues.
Note that I am not sure if client/server are the right terms with nagios, as in the case of an NRPE call, the server is really the machine being called, but I digress.
Make sure that you have restarted the Nagios Client Plugin as well.
I'm running nrpe using the xinetd service.
Make sure also (in addition to the above basic steps) that your nagios user is authenticating properly. In my case:
Jun 6 15:05:52 gse2 xinetd[33237]: Unknown user: nagios [file=/etc/xinetd.d/nrpe] [line=9]
Jun 6 15:05:52 gse2 xinetd[33237]: Error parsing attribute user - DISABLING SERVICE [file=/etc/xinetd.d/nrpe] [line=9]
Jun 6 15:05:52 gse2 xinetd[33237]: Unknown group: nagios [file=/etc/xinetd.d/nrpe] [line=10]
Jun 6 15:05:52 gse2 xinetd[33237]: Error parsing attribute group - DISABLING SERVICE [file=/etc/xinetd.d/nrpe] [line=10]
Jun 6 15:05:52 gse2 xinetd[33237]: Service nrpe missing attribute user - DISABLING
Was showing in the /var/log messages.
It escaped me at first, but then I did a check on ypbind service and found it was not started.
After starting ypbind, nagios user and group was authenticating properly, the error went away.
In some edge cases restarting nagios-nrpe-server doesn't help, due to the fact that the process was not killed or it was not properly restarted.
Just kill it manually then, and start it.
SSL handshake error msg. Besides the allow_host you should assign.
Your Nagios server is in a local LAN with a C type IP address such as 192.168.xxxx.
When the target monitored server feeds the SSL message back to your local Nagios server, the message first comes to the public IP of your line; the message cannot cross the public IP into your Nagios server, whose IP is an internal one.
You need NAT to guide the SSL message from the target server to the inner Nagios server.
Or you had better use a "GET" method which just gets the monitor message from the Nagios client side, such as SNMP, to fulfill the remote monitoring of local resources of Linux servers.
SSL needs feedback in both directions.
Best Regards
For me setting the following in /etc/nagios/nrpe.cfg on Client worked:
dont_blame_nrpe=1
It's an Ubuntu 16.04 machine.
For other possible problems, I recommend looking at nrpe logs. Here is good article for configuring logs.
If you are running Debian 9 then there is a known issue regarding this problem, caused by OpenSSL dropping support for the method NRPE uses to initiate anonymous SSL connections.
The issue seems to be fixed but the fix hasn't made it into the official packages, yet.
Currently there seems to be no secure work-around.
Check the configuration in /etc/xinetd.d/nrpe and verify the server IP. If it is showing only_from = 127.0.0.1, change it to the server IP.
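Several answers in this thread point at two separate allow-lists, allowed_hosts in nrpe.cfg and only_from in /etc/xinetd.d/nrpe. As an added example (not from the thread or the NRPE project), this Go program checks a monitoring address against both and names the layer that rejects it. The sample file contents are constructed, and only literal addresses and CIDR entries are matched.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed samples: nrpe.cfg lists the monitor, xinetd admits only loopback.
const sampleNrpeCfg = "allowed_hosts=127.0.0.1,192.168.1.100\n"
const sampleXinetd = "service nrpe\n{\n\tuser = nagios\n\tonly_from = 127.0.0.1\n}\n"

// rejects reports whether directive key is present in conf and none of its
// entries covers ip (assumption: no hostnames or xinetd zero wildcards).
func rejects(conf, key string, ip net.IP) bool {
	found := false
	for _, line := range strings.Split(conf, "\n") {
		kv := strings.SplitN(line, "=", 2)
		name := strings.TrimSpace(strings.TrimSuffix(strings.TrimSpace(kv[0]), "+"))
		if len(kv) != 2 || name != key {
			continue // another directive, or commented out ("#key = ...")
		}
		found = true
		for _, v := range strings.Fields(strings.Replace(kv[1], ",", " ", -1)) {
			_, n, err := net.ParseCIDR(v)
			if a := net.ParseIP(v); (a != nil && a.Equal(ip)) || (err == nil && n.Contains(ip)) {
				return false
			}
		}
	}
	return found
}

// blockedBy names each layer that would turn the monitoring host away.
// A directive that is absent counts as no restriction at that layer.
func blockedBy(nrpeCfg, xinetdCfg, monitor string) (out []string) {
	ip := net.ParseIP(monitor)
	if rejects(nrpeCfg, "allowed_hosts", ip) {
		out = append(out, "nrpe.cfg allowed_hosts")
	}
	if rejects(xinetdCfg, "only_from", ip) {
		out = append(out, "xinetd only_from")
	}
	return out
}

func main() {
	fmt.Println(blockedBy(sampleNrpeCfg, sampleXinetd, "192.168.1.100"))
}
```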

403 Forbidden after successfully installing Ghost

I have been spending days figuring out how to install the viral Ghost platform, and experienced numerous errors. Luckily, I have managed to install it - Ghost gives me a positive Ghost is running... message in SSH after I've done npm start --production. However, when I browse to my website - http://nick-s.se - Apache displays its default page and when I go to the ghost login area - /ghost, the site returns a 403 Forbidden.
P.S. I have specifically installed Ghost on a different port than the one Apache is running on. I don't know what's going on...
Update - I have found out that I can access my Ghost installation by adding the port number 2368 which I've configured in the config.js. Now, however my problem is - how can I run Ghost without using such ports?...
Tell your browser you want to connect to the port Ghost is running on: http://nick-s.se:2368
So a few things, based on visiting:
1) It seems Apache isn't proxying the request onward to Ghost. Are you sure that you've configured it properly?
2) It also looks like Apache doesn't have access to the directory that you set as root. This shouldn't be necessary anyway if proxying is set up correctly, but could become an issue later if you wanted to use apache to serve things like the static assets.
If you are open to nginx instead of Apache, I have written a how to on this: link. You can skip the section on configuring Nginx. Otherwise, still might be useful if you figure out the conversion of rules from Nginx to Apache.
If you don't have any other sites running on your VPS you can just turn apache off and not have to deal with apache proxying the request to port 2368 and have Ghost run on port 80. If your VPS is running CentOS you can check out this how to on disabling apache and running Ghost on port 80.

authbind equivalent for centos / amazon linux / rhel

I would like to run a node.js TCP server on port 80 on an Amazon EC2 instance of Amazon Linux. I have added 80 to the security group, but the problem is letting node.js bind to port 80, which normally requires root permission.
The easiest solution seems to be using authbind, but it isn't accessible from the EC2 yum repo. Is there an equivalent utility for Amazon Linux? Or some other workaround for this distro ? Or is it actually a bad idea to use authbind?
I ended up binding to a higher port and then using iptables to forward port 80 traffic to that port. Another option was to use an AWS load-balancer from incoming port 80 to a higher port on the ec2 instance.
It's a little tedious, but if you install gcc you can compile it from source. You can go here to get the 2.1.1 release. Click the link that says "Snapshot" to get a tar.gz file. I couldn't seem to download it directly using wget (had to download from web browser and then upload), YMMV.
If using systemd, you can use AmbientCapabilities to allow a service to bind to a lower port.
This is done through your service configuration file in the /etc/systemd/system directory:
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
...
