knife-windows 0.8.6 → 1.0.0.rc.0

data/RELEASE_NOTES.md

@@ -6,14 +6,67 @@ Example Note:
 ## Example Heading
 Details about the thing that changed that needs to get included in the Release Notes in markdown.
 -->
-# knife-windows 0.8.6 release notes
-This release of knife-windows updates winrm-s to version 0.3.0 and em-winrm to version 0.7.
+# knife-windows 1.0.0.rc.0 release notes:
+This release of knife-windows includes new features to improve authentication,
+simplify use of the WinRM SSL transport, and addresses compatibility issues with Chef Client 12.0.
 
-## Features added in knife-windows 0.8.6
-None.
+You can install the new features using the `gem` command:
 
-## Issues fixed in knife-windows 0.8.6
-[knife-windows #218](https://github.com/chef/knife-windows/issues/218) winrm bootstrap with --winrm-authentication-protocol negotiate gives HTTP 400
+    gem install knife-windows --pre
+
+## Reporting issues and contributing
+
+`knife-windows` issues like those addressed in this release should be reported in the ticketing system at https://github.com/chef/knife-windows/issues. You can learn more about how to contribute features and bug fixes to `knife-windows` in the [Chef Contributions document](http://docs.chef.io/community_contributions.html).
+
+## Breaking changes
+
+### Negotiate as the default authentication protocol
+With this release, the default authentication protocol for WinRM
+communication is negotiate, which is the same as that for tools built-in to
+the Windows operating system. Prior to this release, the protocol depended
+on the format of the `--winrm-user` option -- the basic authentication
+protocol would be assumed unless that option had the format `domain\user`.
+
+To revert to the behavior of previous releases or otherwise force `knife-windows` to use a specific authentication protocol such as
+basic, use the `--winrm-authentication-protocol` option.
+
+### Default WinRM port depends on the transport
+The default port for WinRM communication is now **5986** when the SSL transport is used (the transport is
+configured by the `winrm_transport` option), otherwise it is **5985**. In
+previous releases, if the port was not specified, it was always 5985.
+
+To override this behavior, explicitly specify the desired port using the
+`winrm_port` (`-p`) option.
+
+### Kerberos Keytab short option is now -T
+The short option flag for --keytab-file is now -T to fix a conflict with the --identity-file option.
+
+## Features added in knife-windows 1.0.0.rc.0
+* New `--winrm-authentication-protocol` option for explicit control of WinRM authentication
+* `knife windows cert generate` subcommand:
+  Generates a certificate and related public key file for use in configuring a WinRM listener and validating communication involving it.
+* `knife windows cert install` subcommand:
+  Installs a certificate such as one generated by the `cert generate`
+  subcommand into the Windows certificate store's LocalMachine personal store
+  so that it can be used as part of the configuration for a WinRM SSL listener
+* `knife windows listener create` subcommand:
+  Creates a WinRM SSL listener on a Windows system
+* Added `--hint` option for creating Ohai hints on bootstrap
+* Validatorless bootstrapping is now supported
+* New `--install-as-service` option will have Chef Client be installed as a service on bootstrap
+* Added `--msi_url` option for providing an alternate URL to the Chef Client installation package
+* `knife wsman test` subcommaned:
+  Verifies winrm functionality on a remote system, e.g. `knife wsman test 192.168.1.10 -m --winrm-transport ssl`
+  
+## Issues fixed in knife-windows 1.0.0.rc.0
+* [knife-windows #159](https://github.com/chef/knife-windows/issues/159) `winrm_port` option should default to 5986 if `winrm_transport` option is `ssl`
+* [knife-windows #139](https://github.com/chef/knife-windows/issues/139) Force dev dependency on Chef 11 for test scenarios to avoid Ohai 8 conflict on Ruby 1.9.x
+* [knife-windows #133](https://github.com/chef/knife-windows/issues/133) Bootstrap failure -- unable to validate SSL chef server endpoints
+* [knife-windows #125](https://github.com/chef/knife-windows/issues/125) knife-windows should use PowerShell first before cscript to download the  Chef Client msi
+* [knife-windows #92](https://github.com/chef/knife-windows/issues/92) EventMachine issue: knife bootstrap windows winrm error
+* [knife-windows #94](https://github.com/chef/knife-windows/issues/94) Remove Eventmachine dependency
+* [knife-windows #213](https://github.com/chef/knife-windows/pull/213) Search possibilities of HOME for bootstrap templates
+* [knife-windows #227](https://github.com/chef/knife-windows/issues/227) Exception: NoMethodError: undefined method 'gsub' for false:FalseClass
 
 ## knife-windows on RubyGems and Github
 https://rubygems.org/gems/knife-windows

data/appveyor.yml

@@ -0,0 +1,42 @@
+version: "master-{build}"
+
+os: Windows Server 2012
+platform:
+  - x64
+
+environment:
+  bundle_gemfile: ci.gemfile
+
+  matrix:
+    - ruby_version: "193"
+      chef_version: "< 12"
+
+    - ruby_version: "200"
+      chef_version: "< 12"
+
+    - ruby_version: "200"
+      chef_version: "~> 12.0"
+
+    - ruby_version: "200"
+      chef_version: "master"
+
+clone_folder: c:\projects\knife-windows
+clone_depth: 1
+branches:
+  only:
+    - master
+
+install:
+  - winrm quickconfig -q
+  - SET PATH=C:\Ruby%ruby_version%\bin;%PATH%
+  - echo %PATH%
+  - ruby --version
+  - gem --version
+  - gem install bundler --quiet --no-ri --no-rdoc
+  - bundler --version
+
+build_script:
+  - bundle install || bundle install || bundle install
+
+test_script:
+  - bundle exec rake spec

data/ci.gemfile

@@ -0,0 +1,15 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in knife-windows.gemspec
+gemspec
+
+if ENV['CHEF_VERSION'] == 'master'
+  gem 'chef', github: 'chef/chef'
+else
+  gem 'chef', ENV['CHEF_VERSION']
+end
+
+gem "rspec", '~> 3.0'
+gem "ruby-wmi"
+gem "httpclient"
+gem 'rake'

data/knife-windows.gemspec

@@ -14,8 +14,9 @@ Gem::Specification.new do |s|
   s.description = s.summary
 
   s.required_ruby_version	= ">= 1.9.1"
-  s.add_dependency "winrm-s", "~> 0.3.1"
-  s.add_dependency "em-winrm", "~> 0.7"
+  s.add_dependency "winrm", "~> 1.3"
+  s.add_dependency "winrm-s", "~> 0.3.0.dev.0"
+  s.add_dependency "nokogiri"
 
   s.add_development_dependency 'pry'
 
@@ -24,3 +25,4 @@ Gem::Specification.new do |s|
   s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.require_paths = ["lib"]
 end
+

data/lib/chef/knife/bootstrap/windows-chef-client-msi.erb

@@ -107,12 +107,8 @@ goto install
 :install
 @rem Install Chef using chef-client MSI installer
 
-<% url="https://www.opscode.com/chef/download?p=windows&pv=%MACHINE_OS%&m=%MACHINE_ARCH%" -%>
-<% url += latest_current_windows_chef_version_query -%>
-@set "REMOTE_SOURCE_MSI_URL=<%= url %>"
 @set "LOCAL_DESTINATION_MSI_PATH=<%= local_download_path %>"
 @set "CHEF_CLIENT_MSI_LOG_PATH=%TEMP%\chef-client-msi%RANDOM%.log"
-@set "FALLBACK_QUERY_STRING=&DownloadContext=PowerShell"
 
 @rem Clear any pre-existing downloads
 @echo Checking for existing downloaded package at "%LOCAL_DESTINATION_MSI_PATH%"
@@ -129,15 +125,16 @@ goto install
 @rem If there is somehow a name collision, remove pre-existing log
 @if EXIST "%CHEF_CLIENT_MSI_LOG_PATH%" del /f /q "%CHEF_CLIENT_MSI_LOG_PATH%"
 
-@echo Attempting to download client package using cscript...
-cscript /nologo <%= bootstrap_directory %>\wget.vbs /url:"%REMOTE_SOURCE_MSI_URL%" /path:"%LOCAL_DESTINATION_MSI_PATH%"
+@echo Attempting to download client package using PowerShell if available...
+@set "REMOTE_SOURCE_MSI_URL=<%= msi_url('%MACHINE_OS%', '%MACHINE_ARCH%', 'PowerShell') %>"
+@set powershell_download=powershell.exe -ExecutionPolicy Unrestricted -NoProfile -NonInteractive -File  <%= bootstrap_directory %>\wget.ps1 "%REMOTE_SOURCE_MSI_URL%" "%LOCAL_DESTINATION_MSI_PATH%"
+@echo !powershell_download!
+@call !powershell_download!
 
-@rem Work around issues found in Windows Server 2012 around job objects not respecting WSMAN memory quotas
-@rem that cause the MSI download process to exceed the quota even when it is increased by administrators.
-@rem Retry the download using a more memory-efficient mechanism that only works if PowerShell is available.
 @set DOWNLOAD_ERROR_STATUS=!ERRORLEVEL!
+
 @if ERRORLEVEL 1 (
-    @echo Failed cscript download with status code !DOWNLOAD_ERROR_STATUS! > "&2"
+    @echo Failed PowerShell download with status code !DOWNLOAD_ERROR_STATUS! > "&2"
     @if !DOWNLOAD_ERROR_STATUS!==0 set DOWNLOAD_ERROR_STATUS=2
 ) else (
     @rem Sometimes the error level is not set even when the download failed,
@@ -146,21 +143,29 @@ cscript /nologo <%= bootstrap_directory %>\wget.vbs /url:"%REMOTE_SOURCE_MSI_URL
         echo Failed download: download completed, but downloaded file not found > "&2"
         set DOWNLOAD_ERROR_STATUS=2
     ) else (
-        echo Download via cscript succeeded.
+        echo Download via PowerShell succeeded.
     )
 )
 
 @if NOT %DOWNLOAD_ERROR_STATUS%==0 (
     @echo Warning: Failed to download "%REMOTE_SOURCE_MSI_URL%" to "%LOCAL_DESTINATION_MSI_PATH%"
-    @echo Warning: Retrying download with PowerShell if available...
+    @echo Warning: Retrying download with cscript ...
 
     @if EXIST "%LOCAL_DESTINATION_MSI_PATH%" del /f /q "%LOCAL_DESTINATION_MSI_PATH%"
 
-    @set powershell_download=powershell.exe -ExecutionPolicy Unrestricted -NoProfile -NonInteractive -File  <%= bootstrap_directory %>\wget.ps1 "%REMOTE_SOURCE_MSI_URL%%FALLBACK_QUERY_STRING%" "%LOCAL_DESTINATION_MSI_PATH%"
-    @echo !powershell_download!
-    @call !powershell_download!
+    @set "REMOTE_SOURCE_MSI_URL=<%= msi_url('%MACHINE_OS%', '%MACHINE_ARCH%') %>"
+    cscript /nologo <%= bootstrap_directory %>\wget.vbs /url:"%REMOTE_SOURCE_MSI_URL%" /path:"%LOCAL_DESTINATION_MSI_PATH%"
+
     @if NOT ERRORLEVEL 1 (
-        echo Download via PowerShell succeeded.
+        @rem Sometimes the error level is not set even when the download failed,
+        @rem so check for the file to be sure it is there.
+        @if NOT EXIST "%LOCAL_DESTINATION_MSI_PATH%" (
+            echo Failed download: download completed, but downloaded file not found > "&2"
+            echo Exiting without bootstrapping due to download failure. > "&2"
+            exit /b 1
+        ) else (
+            echo Download via cscript succeeded.
+        )
     ) else (
         echo Failed to download "%REMOTE_SOURCE_MSI_URL%" with status code !ERRORLEVEL!. > "&2"
         echo Exiting without bootstrapping due to download failure. > "&2"
@@ -183,24 +188,33 @@ cscript /nologo <%= bootstrap_directory %>\wget.vbs /url:"%REMOTE_SOURCE_MSI_URL
 @endlocal
 
 @echo off
+
+<% if client_pem -%>
+> <%= bootstrap_directory %>\client.pem (
+ <%= escape_and_echo(::File.read(::File.expand_path(client_pem))) %>
+)
+<% end -%>
+
 echo Writing validation key...
 
+<% if validation_key -%>
 > <%= bootstrap_directory %>\validation.pem (
- <%= validation_key %>
+ <%= escape_and_echo(validation_key) %>
 )
+<% end -%>
 
 echo Validation key written.
 @echo on
 
-<% if @config[:encrypted_data_bag_secret] -%>
+<% if @config[:secret] -%>
 > <%= bootstrap_directory %>\encrypted_data_bag_secret (
- <%= encrypted_data_bag_secret %>
+ <%= secret %>
 )
 <% end -%>
 
-<% unless trusted_certs.empty? -%>
+<% unless trusted_certs_script.empty? -%>
 mkdir <%= bootstrap_directory %>\trusted_certs
-<%= trusted_certs %>
+<%= trusted_certs_script %>
 <% end -%>
 
 <%# Generate Ohai Hints -%>

data/lib/chef/knife/bootstrap_windows_base.rb

@@ -20,6 +20,8 @@ require 'chef/knife'
 require 'chef/knife/bootstrap'
 require 'chef/encrypted_data_bag_item'
 require 'chef/knife/core/windows_bootstrap_context'
+# Chef 11 PathHelper doesn't have #home
+#require 'chef/util/path_helper'
 
 class Chef
   class Knife
@@ -60,16 +62,28 @@ class Chef
             :description => "Avoid a proxy server for the given addresses",
             :proc => Proc.new { |np| Chef::Config[:knife][:bootstrap_no_proxy] = np }
 
+          # DEPR: Remove this option in Chef 13
           option :distro,
             :short => "-d DISTRO",
             :long => "--distro DISTRO",
-            :description => "Bootstrap a distro using a template",
-            :default => "windows-chef-client-msi"
+            :description => "Bootstrap a distro using a template. [DEPRECATED] Use --bootstrap-template option instead.",
+            :proc        => Proc.new { |v|
+              Chef::Log.warn("[DEPRECATED] -d / --distro option is deprecated. Use --bootstrap-template option instead.")
+              v
+            }
+
+          option :bootstrap_template,
+            :long => "--bootstrap-template TEMPLATE",
+            :description => "Bootstrap Chef using a built-in or custom template. Set to the full path of an erb template or use one of the built-in templates."
 
+          # DEPR: Remove this option in Chef 13
           option :template_file,
             :long => "--template-file TEMPLATE",
-            :description => "Full path to location of template to use",
-            :default => false
+            :description => "Full path to location of template to use. [DEPRECATED] Use --bootstrap-template option instead.",
+            :proc        => Proc.new { |v|
+              Chef::Log.warn("[DEPRECATED] --template-file option is deprecated. Use --bootstrap-template option instead.")
+              v
+            }
 
           option :run_list,
             :short => "-r RUN_LIST",
@@ -78,6 +92,15 @@ class Chef
             :proc => lambda { |o| o.split(",") },
             :default => []
 
+          option :hint,
+            :long => "--hint HINT_NAME[=HINT_FILE]",
+            :description => "Specify Ohai Hint to be set on the bootstrap target.  Use multiple --hint options to specify multiple hints.",
+            :proc => Proc.new { |h|
+              Chef::Config[:knife][:hints] ||= Hash.new
+              name, path = h.split("=")
+              Chef::Config[:knife][:hints][name] = path ? Chef::JSONCompat.parse(::File.read(path)) : Hash.new
+            }
+        
           option :first_boot_attributes,
             :short => "-j JSON_ATTRIBS",
             :long => "--json-attributes",
@@ -85,12 +108,14 @@ class Chef
             :proc => lambda { |o| JSON.parse(o) },
             :default => {}
 
+          # Mismatch between option 'encrypted_data_bag_secret' and it's long value '--secret' is by design for compatibility
           option :encrypted_data_bag_secret,
             :short => "-s SECRET",
             :long  => "--secret ",
             :description => "The secret key to use to decrypt data bag item values.  Will be rendered on the node at c:/chef/encrypted_data_bag_secret and set in the rendered client config.",
             :default => false
 
+          # Mismatch between option 'encrypted_data_bag_secret_file' and it's long value '--secret-file' is by design for compatibility
           option :encrypted_data_bag_secret_file,
             :long => "--secret-file SECRET_FILE",
             :description => "A file containing the secret key to use to encrypt data bag item values. Will be rendered on the node at c:/chef/encrypted_data_bag_secret and set in the rendered client config."
@@ -114,23 +139,51 @@ class Chef
             :long        => "--[no-]node-verify-api-cert",
             :description => "Verify the SSL cert for HTTPS requests to the Chef server API.",
             :boolean     => true
+
+          option :msi_url,
+            :short => "-u URL",
+            :long => "--msi_url URL",
+            :description => "Location of the Chef Client MSI. The default templates will prefer to download from this location. The MSI will be downloaded from chef.io if not provided.",
+            :default => ''
+
+          option :install_as_service,
+            :long => "--install-as-service",
+            :description => "Install chef-client as service in windows machine",
+            :default => false
         end
       end
 
-      # TODO: This should go away when CHEF-2193 is fixed
+      def default_bootstrap_template
+        "windows-chef-client-msi"
+      end
+
+      def bootstrap_template
+        # The order here is important. We want to check if we have the new Chef 12 option is set first.
+        # Knife cloud plugins unfortunately all set a default option for the :distro so it should be at
+        # the end.
+        config[:bootstrap_template] || config[:template_file] || config[:distro] || default_bootstrap_template
+      end
+
+       # TODO: This should go away when CHEF-2193 is fixed
       def load_template(template=nil)
         # Are we bootstrapping using an already shipped template?
-        if config[:template_file]
-          bootstrap_files = config[:template_file]
-        else
-          bootstrap_files = []
-          bootstrap_files << File.join(File.dirname(__FILE__), 'bootstrap', "#{config[:distro]}.erb")
-          bootstrap_files << File.join(Dir.pwd, ".chef", "bootstrap", "#{config[:distro]}.erb")
-          bootstrap_files << File.join(ENV['HOME'], '.chef', 'bootstrap', "#{config[:distro]}.erb")
-          bootstrap_files << Gem.find_files(File.join("chef","knife","bootstrap","#{config[:distro]}.erb"))
-          bootstrap_files.flatten!
+
+        template = bootstrap_template
+
+        # Use the template directly if it's a path to an actual file
+        if File.exists?(template)
+          Chef::Log.debug("Using the specified bootstrap template: #{File.dirname(template)}")
+          return IO.read(template).chomp
         end
 
+        # Otherwise search the template directories until we find the right one
+        bootstrap_files = []
+        bootstrap_files << File.join(File.dirname(__FILE__), 'bootstrap/templates', "#{template}.erb")
+        bootstrap_files << File.join(Knife.chef_config_dir, "bootstrap", "#{template}.erb") if Chef::Knife.chef_config_dir
+        ::Knife::Windows::PathHelper.all_homes('.chef', 'bootstrap', "#{template}.erb") { |p| bootstrap_files << p }
+        bootstrap_files << Gem.find_files(File.join("chef","knife","bootstrap","#{template}.erb"))
+        bootstrap_files.flatten!
+
         template = Array(bootstrap_files).find do |bootstrap_template|
           Chef::Log.debug("Looking for bootstrap template in #{File.dirname(bootstrap_template)}")
           ::File.exists?(bootstrap_template)
@@ -146,15 +199,24 @@ class Chef
         IO.read(template).chomp
       end
 
+      def bootstrap_context
+        @bootstrap_context ||= Knife::Core::WindowsBootstrapContext.new(config, config[:run_list], Chef::Config)
+      end
+
       def render_template(template=nil)
-        if config[:encrypted_data_bag_secret_file]
-          config[:encrypted_data_bag_secret] = Chef::EncryptedDataBagItem.load_secret(config[:encrypted_data_bag_secret_file])
+        if config[:secret_file]
+          config[:secret] = Chef::EncryptedDataBagItem.load_secret(config[:secret_file])
         end
-        context = Knife::Core::WindowsBootstrapContext.new(config, config[:run_list], Chef::Config)
-        Erubis::Eruby.new(template).evaluate(context)
+        Erubis::Eruby.new(template).evaluate(bootstrap_context)
       end
 
       def bootstrap(proto=nil)
+        if Chef::Config[:knife][:encrypted_data_bag_secret_file] || Chef::Config[:knife][:encrypted_data_bag_secret]
+          warn_chef_config_secret_key
+          config[:secret_file] ||= Chef::Config[:knife][:encrypted_data_bag_secret_file]
+          config[:secret] ||= Chef::Config[:knife][:encrypted_data_bag_secret]
+        end
+
         validate_name_args!
 
         @node_name = Array(@name_args).first
@@ -163,13 +225,32 @@ class Chef
 
         STDOUT.sync = STDERR.sync = true
 
+        if (Chef::Config[:validation_key] && !File.exist?(File.expand_path(Chef::Config[:validation_key])))
+          if Chef::VERSION.split('.').first.to_i == 11
+            ui.error("Unable to find validation key. Please verify your configuration file for validation_key config value.")
+            exit 1
+          end
+
+          unless locate_config_value(:chef_node_name)
+            ui.error("You must pass a node name with -N when bootstrapping with user credentials")
+            exit 1
+          end
+
+          client_builder.run
+          bootstrap_context.client_pem = client_builder.client_path
+        else
+          ui.info("Doing old-style registration with the validation key at #{Chef::Config[:validation_key]}...")
+          ui.info("Delete your validation key in order to use your user credentials instead")
+          ui.info("")
+        end
+
         wait_for_remote_response( config[:auth_timeout].to_i )
         ui.info("Bootstrapping Chef on #{ui.color(@node_name, :bold)}")
         # create a bootstrap.bat file on the node
         # we have to run the remote commands in 2047 char chunks
-        create_bootstrap_bat_command do |command_chunk, chunk_num|
+        create_bootstrap_bat_command do |command_chunk|
           begin
-            render_command_result = run_command(%Q!cmd.exe /C echo "Rendering #{bootstrap_bat_file} chunk #{chunk_num}" && #{command_chunk}!)
+            render_command_result = run_command(command_chunk)
             ui.error("Batch render command returned #{render_command_result}") if render_command_result != 0
             render_command_result
           rescue SystemExit => e
@@ -180,6 +261,7 @@ class Chef
         # execute the bootstrap.bat file
         bootstrap_command_result = run_command(bootstrap_command)
         ui.error("Bootstrap command returned #{bootstrap_command_result}") if bootstrap_command_result != 0
+
         bootstrap_command_result
       end
 
@@ -193,20 +275,48 @@ class Chef
         @bootstrap_command ||= "cmd.exe /C #{bootstrap_bat_file}"
       end
 
-      def create_bootstrap_bat_command(&block)
-        bootstrap_bat = []
+      def bootstrap_render_banner_command(chunk_num)
+        "cmd.exe /C echo Rendering #{bootstrap_bat_file} chunk #{chunk_num}"
+      end
+
+      def escape_windows_batch_characters(line)
+        # TODO: The commands are going to get redirected - do we need to escape &?
+        line.gsub!(/[(<|>)^]/).each{|m| "^#{m}"}
+      end
+
+      def create_bootstrap_bat_command()
         chunk_num = 0
+        bootstrap_bat = ""
+        banner = bootstrap_render_banner_command(chunk_num += 1)
         render_template(load_template(config[:bootstrap_template])).each_line do |line|
-          # escape WIN BATCH special chars
-          line.gsub!(/[(<|>)^]/).each{|m| "^#{m}"}
-          # windows commands are limited to 2047 characters
-          if((bootstrap_bat + [line]).join(" && ").size > 2047 )
-            yield bootstrap_bat.join(" && "), chunk_num += 1
-            bootstrap_bat = []
+          escape_windows_batch_characters(line)
+          # We are guaranteed to have a prefix "banner" command that echo's chunk number.  We can
+          # confidently prefix every actual command with &&.
+          # TODO: Why does ^\n&& work directly through the commandline but not through SOAP?
+          render_line = " && >> #{bootstrap_bat_file} (echo.#{line.chomp.strip})"
+          # Windows commands are limited to 8191 characters for machines running XP or higher but
+          # this includes the length of environment variables after they have been expanded.
+          # Since we don't actually know how long %TEMP% (and it's used twice - once in the banner
+          # and once in every command redirection), we simply guess and set the max to 5000.
+          # TODO: When a more accurate method is available, fix this.
+          if bootstrap_bat.length + render_line.length + banner.length > 5000
+            # Can't fit it into this chunk? - flush (if necessary) and then try.
+            # Do this first because banner.length might change (e.g. due to an extra digit) and
+            # prevent a fit.
+            unless bootstrap_bat.empty?
+              yield banner + bootstrap_bat
+              bootstrap_bat = ""
+              banner = bootstrap_render_banner_command(chunk_num += 1)
+            end
+            # Will this ever fit?
+            if render_line.length + banner.length > 5000
+              raise "Command in bootstrap template too long by #{render_line.length + banner.length - 5000} characters : #{line}"
+            end
           end
-          bootstrap_bat << ">> #{bootstrap_bat_file} (echo.#{line.chomp.strip})"
+          bootstrap_bat << render_line
         end
-        yield bootstrap_bat.join(" && "), chunk_num += 1
+        raise "Bootstrap template was empty!  Check #{config[:bootstrap_template]}" if bootstrap_bat.empty?
+        yield banner + bootstrap_bat
       end
 
       def bootstrap_bat_file
@@ -215,7 +325,21 @@ class Chef
 
       def locate_config_value(key)
         key = key.to_sym
-        Chef::Config[:knife][key] || config[key]
+        config[key] || Chef::Config[:knife][key]
+      end
+
+      def warn_chef_config_secret_key
+        ui.info "* " * 40
+        ui.warn(<<-WARNING)
+\nSpecifying the encrypted data bag secret key using an 'encrypted_data_bag_secret'
+entry in 'knife.rb' is deprecated. Please use the '--secret' or '--secret-file'
+options of this command instead.
+
+#{ui.color('IMPORTANT:', :red, :bold)} In a future version of Chef, this
+behavior will be removed and any 'encrypted_data_bag_secret' entries in
+'knife.rb' will be ignored completely.
+        WARNING
+        ui.info "* " * 40
       end
     end
   end