We hope you find this tutorial helpful. In addition to guides like this one, we provide simple cloud infrastructure for developers. Learn more →

How To Manage Your Cluster with Chef and Knife on Ubuntu

Posted Oct 31, 2014 20.2k views Chef Configuration Management DigitalOcean Ubuntu


Chef is a configuration management system – it's designed to give you a repeatable set of recipes for building your infrastructure, allowing you to automate, version, and test your infrastructure in much the same way as your application code.

This is the sixth tutorial in the Getting Started Managing Your Infrastructure Using Chef series. In this guide, we'll assume that you've completed the other five tutorials, and so you've got a Chef server, workstation, and one or more nodes up and running.

Our Goal

knife is a command line tool packaged with Chef. You've likely already used knife to create and manage Chef cookbooks, data bags, or roles. When you issue a command with knife, you usually type something along the lines of:

knife cookbook create

The example command above uses the cookbook knife subcommand. This guide will introduce you to some new knife subcommands for issuing commands and getting information about your Chef cluster.

We'll cover:

  • knife status
  • knife ssh
  • knife node


This tutorial assumes you've followed along until the fifth guide, How To Use the DigitalOcean Plugin for Knife to Manage Droplets in Chef, in the Getting Started Managing Your Infrastructure Using Chef series.

Create Example Roles and Servers

If you don't have an established Chef cluster, or you'd like to follow this guide closely and see the same output, we can set up some example roles and servers.

First, on your workstation, change to your chef-repo directory:

cd ~/chef-repo

We're going to add a backend role to our existing web_server role. For now it'll be blank, but later on you could turn this into a database or application server.

nano roles/backend.rb

Add this content to the backend.rb file:

name "backend"
description "Backend for application servers"

Then upload the new role to your Chef server.

knife role from file roles/backend.rb

Once you've done that, we can create some sample nodes using the DigitalOcean Knife plugin.

(Note: This plugin became unmaintained as of October 2014. It's up to you whether you want to start using it.)

knife digital_ocean droplet create --server-name frontend01 --image 6918990 --location 4 --size 63 --ssh-keys 22222 --bootstrap --run-list "role[web_server]"

knife digital_ocean droplet create --server-name frontend02 --image 6918990 --location 4 --size 63 --ssh-keys 22222 --bootstrap --run-list "role[web_server]"

knife digital_ocean droplet create --server-name backend01 --image 6918990 --location 4 --size 63 --ssh-keys 22222 --bootstrap --run-list "role[backend]"

knife digital_ocean droplet create --server-name backend02 --image 6918990 --location 4 --size 63 --ssh-keys 22222 --bootstrap --run-list "role[backend]"

Note: If your domain names for the various hosts in your Chef cluster don't resolve externally, and you're making them connect to each other with edited /etc/hosts files, the provisioning will not work, as the new server instance will be given the default /etc/hosts file.

You may still have some nodes active that you've created during the Chef tutorial series. That means some of the commands we'll run during this tutorial will have extra lines or information. If you'd like to follow along extactly, you can always remove these nodes by clicking Nodes > Delete from your Chef server's web interface.

Showing Status with knife status

The status subcommand is designed to show status information about your nodes. To use knife status, just change to your chef-repo directory and type:

knife status

You'll see a list of the nodes your Chef server knows about, including the times of their last chef-client runs, node names, fully-qualified domain names, IP addresses, and platforms.

3 minutes ago, frontend01, fe1.yourdomain.com,, ubuntu 14.04.
3 minutes ago, frontend02, fe2.yourdomain.com,, ubuntu 14.04.
20 hours ago,  backend01, be1.yourdomain.com, 333.333.333.333, ubuntu 14.04.
3 minutes ago, backend02, be2.youdomain.com, 333.333.333.333, ubuntu 14.04.

We can immediately see from this that we need to take a closer look at backend01 - it hasn't succesfully run chef-client ("checked in" in Chef parlance) in about 20 hours.

If you've got a node in a similar situation, check your chef-client error logs, or use Reports > Run History from Chef server's web interface.

Issuing Commands with knife ssh

We can use knife ssh to issue commands to our nodes (or some subset of nodes) at once. For example, we can use knife ssh to restart Nginx on all our nodes with the role frontend.

You'll need a user authorized to SSH into the server (i.e., you can run ssh yourusername@fe1.yourdomain.com and get a shell). If you don't have SSH keys set up, you can use the -P option to prompt for a password.

knife ssh "role:web_server" "service nginx restart" -x yourusername -a ipaddress

You should get output that looks like:  * Restarting nginx nginx      [ OK ]  * Restarting nginx nginx      [ OK ] 

We just ran a command on all our frontend servers by issuing a single knife command. Let's pull apart the arguments and learn a bit more about how knife ssh works.

knife ssh "web_server" "service nginx restart" -x yourusername -a ipaddress

The first argument to knife ssh is a Chef search query - usually you'll want something like role:YOUR_ROLE_NAME, but you can also search via many other attributes (and combine them with Boolean operators). For instance, to run a command on only nodes with ubuntu in their platform attribute, you could run:

knife ssh "platform:ubuntu*" "service nginx restart" -x yourusername -a ipaddress

The * in the above is a wildcard character. It will match zero or more characters in the attribute value. In this case, it will allow us to match the value ubuntu 14.04 as displayed in the knife status output we looked at earlier.

knife ssh "role:web_server" "service nginx restart" -x yourusername -a ipaddress

The second argument to knife ssh is the command that you want to run on the servers (that match the search query). It can be almost anything you would type into a shell. You can even join commands with a semicolon (;).

knife ssh "role:web_server" "uptime;date" -x yourusername -a ipaddress

Which would output something like:  12:53:36 up 2 days, 15:25,  1 user,  load average: 0.08, 0.03, 0.05 Wed Oct 22 12:53:36 UTC 2014  12:53:30 up 2 days, 15:21,  1 user,  load average: 0.00, 0.01, 0.05 Wed Oct 22 12:53:30 UTC 2014

The -x argument we've already covered - it's the SSH username to use for logging in.

The -a argument specifies which node attribute to use to as the address for SSH. By default, it's the FQDN of your node (remember, you can find this with the knife status command shown earlier), so if you can resolve your servers by visiting http://fe1.yourdomain.com, then you can omit the -a option.

Interactive knife ssh

knife ssh also has the ability to put you into an interactive shell, where you can issue a series of commands and see the results very quickly. You can start an interactive knife ssh shell by using interactive in place of your SSH command.

knife ssh "role:web_server" interactive -x yourusername -a ipaddress

This will show us:

Connected to and

To run a command on a list of servers, do:
  Example: on latte foamy; echo foobar

To exit interactive mode, use 'quit!'


You can issue commands to all servers in your search result by simply typing the command and pressing Enter.

knife-ssh> uptime  18:43:55 up 2 days, 21:16,  1 user,  load average: 0.01, 0.03, 0.05  18:43:49 up 2 days, 21:11,  1 user,  load average: 0.00, 0.01, 0.05

If you'd like to refine your server list further, just use on, as the help message suggests. Note that you should replaceSERVER1 in the example command with the attribute you've used as -a; for us, this is the node's IP address.

knife-ssh> on; echo hello digitalocean hello digitalocean

One really cool use of interactive knife ssh is using it to tail server logs. For instance, if your access log for Nginx is in the default location (/var/log/nginx/access.log), you can tail the logs with the -f (follow) option, and the results will continually print to your console.

knife-ssh> tail -f /var/log/nginx/access.log

(Depending on how Nginx is set up, you may have to use sudo in front of this command.)

If you visit the IP address for one of your nodes in a web browser, you'll see an entry appear in the Nginx access log, without having to do anything!

Managing Nodes with knife node

If you've followed the How To Create Simple Chef Cookbooks to Manage Infrastructure on Ubuntu guide, then you've already used knife node to list all nodes on your Chef server, and to edit node attributes.

knife node list
knife node edit frontend01

You can also use knife node to delete nodes.

knife node delete frontend01

Or, show more detailed node attributes:

knife node show frontend01
Node Name:   frontend01
Environment: _default
FQDN:        fe01.yourdomain.com
Run List:    role[frontend]
Roles:       web_server
Recipes:     apt, nginx, apt::default, nginx::default
Platform:    ubuntu 14.04

You can get a full listing of your node's attributes using the -l option:

knife node show -l frontend01

This will return a very long list of attributes, most of them populated automatically by Ohai, which is a Chef tool that passes attributes automatically to chef-client each time it's run.

A long printed list of attributes is not neccessarily very useful to us. However, knife has us covered there too. We can specify the --format option in order to get a JSON or YAML representation of a Node's attributes.

knife node show frontend01 --format json

  "name": "frontend01",
  "chef_environment": "_default",
  "run_list": [
  "normal": {
    "tags": [


You can also retrieve a single node attribute with -a.

knife node show frontend01 --format json -a ipaddress
  "frontend01": {
    "ipaddress": ""

JSON or YAML output might be very useful if we wanted to build more complex scripts that involved knife, or even for displaying dashboards and metrics.


knife is a powerful tool, not just for creating and updating the various objects in your Chef cluster, but also for viewing and managing the state of your cluster.

With knife ssh you can write one command and have it run on many nodes simultaneously – a very powerful tool for any devops engineer.


Creative Commons License