Migrate Chef Server Data

Jeremiah Snapp

This is a tested procedure for migrating data from one Chef Server organization to another.

This procedure is an alternative to the knife-ec-backup tool, which sometimes hits issues that make a migration difficult.

You can repeat this procedure with modified values if you have multiple organizations.

One thing to notice in the knife config files below is the "versioned_cookbooks true" setting. It makes the "knife download" and "knife upload" commands transfer every version of each cookbook rather than only the latest one.

Also notice "ssl_verify_mode :verify_none". It turns off TLS certificate verification for knife, so everything you download or upload (node attributes, data bags, cookbook contents, client public keys) travels over a connection that anyone in the path could intercept or tamper with. If you can trust the certificates on the old and new Chef Servers, run "knife ssl fetch -c .chef/knife-export.rb" (and the same with knife-import.rb) to store each server's certificate in the trusted_certs directory for that config (by default .chef/trusted_certs next to the config file), and remove the :verify_none line instead of relying on it.

Download data from current Chef Server

All of the following commands can be run from your Chef workstation.

mkdir -p ~/migration/.chef
cd ~/migration

# copy your USERNAME.pem file into ~/migration/.chef

# Create a knife-export.rb file and modify settings appropriately
cat <<EOF > ~/migration/.chef/knife-export.rb
username = "USERNAME"
orgname = "ORGNAME"

current_dir = File.dirname(__FILE__)

chef_server_url "https://OLDHOSTNAME/organizations/#{orgname}"

node_name username
client_key "#{current_dir}/#{username}.pem"

cookbook_path Dir.pwd + "/cookbooks"
knife[:chef_repo_path] = Dir.pwd

ssl_verify_mode :verify_none

versioned_cookbooks true
EOF

# download everything from the old Chef organization
knife download / -c .chef/knife-export.rb

Install new Chef Server

Install your new Chef Server.

Create a user and an organization. Make the user an admin of the organization.

Upload data to new Chef Server

All of the following commands can be run from your Chef workstation.

cd ~/migration

# copy your new USERNAME.pem file into ~/migration/.chef but name it "new-USERNAME.pem" so it doesn't overwrite the old user’s file

# Create a knife-import.rb file and modify settings appropriately
cat <<EOF > ~/migration/.chef/knife-import.rb
username = "USERNAME"
orgname = "ORGNAME"

current_dir = File.dirname(__FILE__)

chef_server_url "https://NEWHOSTNAME/organizations/#{orgname}"

node_name username
client_key "#{current_dir}/new-#{username}.pem"

cookbook_path Dir.pwd + "/cookbooks"
knife[:chef_repo_path] = Dir.pwd

ssl_verify_mode :verify_none

versioned_cookbooks true
EOF

# upload all of the data objects to the new Chef Server
knife upload /clients -c .chef/knife-import.rb
knife upload /cookbook_artifacts -c .chef/knife-import.rb
knife upload /cookbooks -c .chef/knife-import.rb
knife upload /data_bags -c .chef/knife-import.rb
knife upload /environments -c .chef/knife-import.rb
knife upload /nodes -c .chef/knife-import.rb
knife upload /policies -c .chef/knife-import.rb
knife upload /policy_groups -c .chef/knife-import.rb
knife upload /roles -c .chef/knife-import.rb
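Before touching any nodes it is worth checking that every object actually arrived in the new org unchanged. The script below is an added example, not part of the original procedure: it compares the export taken from the old org with a second export taken from the new org, parsing JSON objects so that key order and whitespace do not count as changes and comparing cookbook files byte for byte. The directory name ~/migration-verify and the file name compare_repos.rb are assumptions; acls and groups are skipped by default because this procedure does not upload them.

```ruby
#!/usr/bin/env ruby
# compare_repos.rb - added example, not part of the original procedure.
# Compares the export taken from the old org (~/migration) with a second
# export taken from the new org after the uploads, object by object, so you
# can see what did not arrive or arrived changed.
require "find"
require "json"
require "pathname"

# acls and groups are not uploaded by the main procedure, so they are expected
# to differ; they are only compared when include_perms is true.
PERM_DIRS = %w[acls groups].freeze

# Relative paths of all regular files under root, skipping dot-directories
# such as .chef (which holds keys and knife configs, not Chef objects).
def repo_files(root, include_perms: false)
  base = Pathname.new(root)
  files = []
  Find.find(base.to_s) do |path|
    rel = Pathname.new(path).relative_path_from(base).to_s
    next if rel == "."
    top = rel.split("/").first
    Find.prune if top.start_with?(".") || (!include_perms && PERM_DIRS.include?(top))
    files << rel if File.file?(path)
  end
  files
end

# Parse JSON so key order and whitespace do not count as a change; anything
# else (cookbook files) is compared byte for byte.
def normalized(path)
  data = File.read(path)
  path.end_with?(".json") ? JSON.parse(data) : data
rescue JSON::ParserError
  data
end

# Returns { missing: [...], extra: [...], changed: [...] }: objects present in
# the old export but not the new, only in the new, and in both but different.
def compare_repos(old_root, new_root, include_perms: false)
  old_files = repo_files(old_root, include_perms: include_perms)
  new_files = repo_files(new_root, include_perms: include_perms)
  changed = (old_files & new_files).reject do |rel|
    normalized(File.join(old_root, rel)) == normalized(File.join(new_root, rel))
  end
  {
    missing: (old_files - new_files).sort,
    extra:   (new_files - old_files).sort,
    changed: changed.sort,
  }
end

# Usage: ruby compare_repos.rb ~/migration ~/migration-verify
if __FILE__ == $PROGRAM_NAME && ARGV.length == 2
  result = compare_repos(ARGV[0], ARGV[1])
  result.each { |kind, paths| paths.each { |rel| puts "#{kind}: #{rel}" } }
  exit(result.values.all?(&:empty?) ? 0 : 1)
end
```

To take the second export, create a fresh directory and download from the new org using the import config (its chef_repo_path is Dir.pwd, so the download lands in the current directory while the client key still resolves relative to the config file): "mkdir ~/migration-verify && cd ~/migration-verify && knife download / -c ~/migration/.chef/knife-import.rb". Then run "ruby ~/migration/compare_repos.rb ~/migration ~/migration-verify"; it exits non-zero and lists each missing, extra or changed object. Pass include_perms: true from the script only after you have also uploaded groups and acls, otherwise those directories are expected to differ.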

Fix node permissions

Copy the contents of the fix_permissions.knife file linked below to a file named "~/migration/fix_permissions.rb" on your Chef workstation.

https://github.com/chef/chef-server/blob/master/omnibus/files/private-chef-ctl-commands/knife/fix_permissions.knife

Run the following command to fix the permissions for the node objects so they can be updated by their corresponding clients.

knife exec -V -c .chef/knife-import.rb fix_permissions.rb

Configure nodes for new Chef Server

At this point you should only need to change "chef_server_url" in each node's "client.rb" to point to the new Chef Server. The node must also trust the new server's TLS certificate: put the new Chef Server's certificate in the node's "trusted_certs" directory (/etc/chef/trusted_certs by default). Setting "ssl_verify_mode :verify_none" in client.rb also works, but it turns off certificate verification for every chef-client run on that node, so treat it as a temporary measure rather than the end state.

Then see if the chef-client run works.

The node authenticates to the Chef Server as the client associated with that node, using the private key named by the "client_key" setting in its "client.rb" (/etc/chef/client.pem by default). The public half of that key is stored on the client object on the server. Because the clients were uploaded in the previous steps with their public keys intact, each node can authenticate to the new server with its original key; no re-bootstrap is needed.
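If a node fails to authenticate after the switch, the first thing to rule out is a key mismatch (for example a client that was re-created on the old server after the export). The script below is an added example, not part of the original procedure: it takes a node's private key and the client object as printed by "knife client show NODENAME -F json -c .chef/knife-import.rb", and checks that the private key's public half is the one the new server holds, both by comparing the keys directly and by signing and verifying a challenge. The file names check_client_key.rb and NODENAME-client.json are assumptions; run it on the node, or copy the node's client.pem to the workstation.

```ruby
#!/usr/bin/env ruby
# check_client_key.rb - added example, not part of the original procedure.
# Confirms that a node's private client key is the one whose public half is
# stored on the new Chef Server's client object, before the node is pointed
# at the new server.
require "json"
require "openssl"

# Public half of an RSA key (given a private or public PEM) in DER form, so
# that differences in PEM line wrapping or headers do not matter.
def public_der(pem)
  OpenSSL::PKey::RSA.new(pem).public_key.to_der
end

# client_json is the output of `knife client show NODENAME -F json`, which
# carries the server-side "public_key" field of the client object.
def client_key_matches?(private_pem, client_json)
  server_pub = JSON.parse(client_json).fetch("public_key")
  public_der(private_pem) == public_der(server_pub)
end

# Same question asked the way the server asks it: sign a challenge with the
# node's private key and verify it with the public key the server holds.
def can_sign_for_client?(private_pem, client_json, challenge = "migration-check")
  priv = OpenSSL::PKey::RSA.new(private_pem)
  pub = OpenSSL::PKey::RSA.new(JSON.parse(client_json).fetch("public_key"))
  signature = priv.sign(OpenSSL::Digest.new("SHA256"), challenge)
  pub.verify(OpenSSL::Digest.new("SHA256"), signature, challenge)
end

# Usage: ruby check_client_key.rb /etc/chef/client.pem NODENAME-client.json
if __FILE__ == $PROGRAM_NAME && ARGV.length == 2
  private_pem = File.read(ARGV[0])
  client_json = File.read(ARGV[1])
  ok = client_key_matches?(private_pem, client_json) &&
       can_sign_for_client?(private_pem, client_json)
  puts(ok ? "key matches the server's client object" : "KEY MISMATCH: node will not authenticate")
  exit(ok ? 0 : 1)
end
```

A mismatch means the client object on the new server does not correspond to the key on the node; either re-upload that client's JSON from the export or, if the node's key was rotated after the export, re-register the node rather than disabling verification or bootstrapping it with the validator key.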

Were you using custom permissions on the old Chef Server?

If you are just using the default permissions and groups in the old Chef org then you can skip this part.

If you created your own groups and/or customized permissions in the old Chef org, you should also import the groups and the acls (permissions) of each object you already imported. Run the following commands only after importing the objects: setting permissions on objects that do not exist yet simply fails. Also make sure the new Chef org has the same list of users as the old one; if the user lists do not match, some permissions will fail to apply because they refer to users the new server does not know.

# run from ~/migration, like the earlier uploads
knife upload /groups -c .chef/knife-import.rb
knife upload /acls -c .chef/knife-import.rb