Here is an example of deploying a basic Chef environment, including the Chef server, the Chef workstation and nodes provisioned with wargames cookbooks.
Use the chef-environment pentestrc resource file to spawn the environment:
```
> PENTESTRC=examples/chef-environment.pentestrc vagrant status
Current machine states:

chef-server               not created (virtualbox)
chef-workstation          not created (virtualbox)
cs-dvwa                   not created (virtualbox)
cs-webgoat                not created (virtualbox)
cs-gruyere                not created (virtualbox)
cs-vicnum                 not created (virtualbox)
cs-bricks                 not created (virtualbox)

This environment represents multiple VMs. The VMs are all listed
above with their current state. For more information about a specific
VM, run `vagrant status NAME`.
```
First, we create and provision the Chef server, then the workstation:
```
> export PENTESTRC=examples/chef-environment.pentestrc
> vagrant up chef-server
...
> vagrant up chef-workstation
```
The Chef server is provisioned with chef-solo. The workstation is provisioned first with chef-solo, to bootstrap the server and configure the workstation, then with chef-client, to register the node with the server.

The workstation will throw a 403 Forbidden error when it tries to update its Chef node on the Chef server, because the newly created client does not have sufficient permission to update the node. We will fix that for all nodes at the end of provisioning with knife-acl.
Once both the server and the workstation are provisioned, we can deploy the wargames nodes, provisioned with chef-client:

```
> vagrant up cs-dvwa
> vagrant up cs-webgoat
> vagrant up cs-gruyere
> vagrant up cs-vicnum
> vagrant up cs-bricks
```
All machines will fail with the same 403 Forbidden error.
To fix the permission issue, connect to the workstation and set up the ACLs on the server, granting each client read and update access to its own node only:

```
> vagrant ssh chef-workstation
$ sudo su
# for n in workstation dvwa webgoat gruyere vicnum bricks; do knife acl add client $n nodes $n read,update; done
```
This way, each client can update its own node's attributes on the server at the end of a converge, without being granted rights on any other node.
Leave the workstation and provision machines to ensure permissions are set:
```
> vagrant provision chef-workstation
> vagrant provision cs-dvwa
> vagrant provision cs-webgoat
> vagrant provision cs-gruyere
> vagrant provision cs-vicnum
> vagrant provision cs-bricks
```
This should run without errors. Check the environment status from the workstation:

```
> vagrant ssh chef-workstation -- sudo knife status
3 minutes ago, workstation, debian 9.0.
2 minutes ago, dvwa, ubuntu 14.04.
2 minutes ago, webgoat, ubuntu 14.04.
1 minute ago, gruyere, ubuntu 14.04.
1 minute ago, vicnum, ubuntu 14.04.
1 minute ago, bricks, ubuntu 14.04.
```
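To turn that last check into something scriptable, here is an added example (not part of the project's own tooling) that parses `knife status` output in the format shown above and reports every expected node that is missing or whose last check-in is older than a threshold; a node that never completed its converge shows up here. It assumes the `TIME, NODE, PLATFORM` column order above and uses a constructed status sample.

```sh
#!/bin/sh
# Constructed sample of `knife status` output (not real lab output):
# webgoat is stale, vicnum and bricks never reported.
SAMPLE_STATUS='3 minutes ago, workstation, debian 9.0.
2 minutes ago, dvwa, ubuntu 14.04.
2 hours ago, webgoat, ubuntu 14.04.
1 minute ago, gruyere, ubuntu 14.04.'

# Node names registered by the lab's client ACL loop.
EXPECTED_NODES="workstation dvwa webgoat gruyere vicnum bricks"

# age_minutes "<N> <unit> ago": convert knife's relative time to minutes.
# Assumption: units are minute(s)/hour(s)/day(s); anything else counts as 0.
age_minutes() {
  set -- $1
  case "$2" in
    minute*) echo "$1" ;;
    hour*)   echo $(( $1 * 60 )) ;;
    day*)    echo $(( $1 * 1440 )) ;;
    *)       echo 0 ;;
  esac
}

# status_problems MAX_MINUTES "STATUS_TEXT" "EXPECTED_NODES"
# Prints "missing NAME" for nodes absent from the status output and
# "stale NAME AGEm" for nodes older than MAX_MINUTES; prints nothing if all is well.
status_problems() {
  max=$1; status=$2; expected=$3
  for node in $expected; do
    line=$(printf '%s\n' "$status" | grep -E "^[^,]*, $node, " || true)
    if [ -z "$line" ]; then
      echo "missing $node"
      continue
    fi
    when=${line%%,*}               # text before the first comma
    age=$(age_minutes "$when")
    if [ "$age" -gt "$max" ]; then
      echo "stale $node ${age}m"
    fi
  done
}

# Run against the constructed sample; on the workstation you would use
# real output instead: status_problems 30 "$(knife status)" "$EXPECTED_NODES"
status_problems 30 "$SAMPLE_STATUS" "$EXPECTED_NODES"
```

An empty result means every expected node registered with the server and converged within the threshold.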