knife-windows 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: b8379925d2d838d0a7aa4eb8272d76b552b79959
4
- data.tar.gz: 5a49c146219b795d55dffeda41fa81b79942bcb6
3
+ metadata.gz: 81d9379be8e11c9b0cb2bf4fa2d47271a6f135b1
4
+ data.tar.gz: aa5ea98e4e3b3c76df720bffeff00a520e0256a0
5
5
  SHA512:
6
- metadata.gz: 78319d369c8c9cdb1c5f87e3010d6468ff17c898b71e1c2a6d75930ce539fce5f44541293113f26a34b0cf8dd960372f5cbe22db1157aefc191e0ba012c3ef73
7
- data.tar.gz: aeda179f22c1036fc9f90a8e9cfdbdfebeb72e466b9c5713de574bdc0b48394b8c92306e875b16026d1d689b45a8b16cac91910ff34f7be7534fbcba91106c9a
6
+ metadata.gz: 781cf47a85296df881f58a66190f01b8bdf8076914d162f116a01d93a194fc27b1e7c9967580773a4d5bd7c59c30af667fc7199489bd883afe014f2a777b2f83
7
+ data.tar.gz: 4144ac2c72d6a64ad36afed9fffdca77eb8ef2dc04e39a3a4a6caa7796874ac91660c9972b89fd829c70a9055dd3833e0cad2e0928e91844362d5c5d02d88145
data/CHANGELOG.md CHANGED
@@ -1,5 +1,11 @@
1
1
  # knife-windows Change Log
2
2
 
3
+ ## Release 1.1.0
4
+ * [https://github.com/chef/knife-windows/pull/302](Address regression caused by chef client 12.5 environment argument)
5
+ * [https://github.com/chef/knife-windows/issues/295](Bootstrap missing policy_group, policy_name feature from Chef Client 12.5)
6
+ * [https://github.com/chef/knife-windows/issues/296](Installing knife-windows produces warning for _all_ knife commands in Mac OS X with ChefDK 0.8.0)
7
+ * [https://github.com/chef/knife-windows/pull/297](use configured proxy settings for all winrm sessions)
8
+
3
9
  ## Release 1.0.0
4
10
 
5
11
  * [knife-windows #281](https://github.com/chef/knife-windows/pull/281) Prevent unencrypted negotiate auth, automatically prefix local usernames with '.' for negotiate
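Review bot: The four new entries under `## Release 1.1.0` have the Markdown link parts reversed, `[URL](text)`, so the description becomes the link target and the links will not resolve. The existing 1.0.0 entry just below uses `[knife-windows #281](https://github.com/chef/knife-windows/pull/281) Description`; suggest the same form here, for example `[knife-windows #302](https://github.com/chef/knife-windows/pull/302) Address regression caused by chef client 12.5 environment argument`.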
data/DOC_CHANGES.md CHANGED
@@ -5,335 +5,16 @@ Example Doc Change:
5
5
  ### Headline for the required change
6
6
  Description of the required change.
7
7
  -->
8
- # knife-windows 1.0.0 doc changes
8
+ # knife-windows 1.1.0 doc changes
9
9
 
10
- ### New bootstrap download and installation options
11
- The following commands enable alternate ways to download and install
12
- Chef Client during bootstrap:
10
+ ### Support for `http_proxy` setting for `winrm` and `bootstrap windows winrm` subcommands
13
11
 
14
- * `--msi-url URL`: Optional. Used to override the location from which Chef
15
- Client is downloaded. If not specified, Chef Client is downloaded
16
- from the Internet -- this option allows downloading from a private network
17
- location for instance.
18
- * `--install-as-service`: Optional. Install chef-client as a Windows service
19
- * `--bootstrap-install-command`: Optional. Instead of downloading Chef
20
- Client and installing it using a default installation command,
21
- bootstrap will invoke this command. If an image already has
22
- Chef Client installed, this command can be specified as empty
23
- (`''`), in which case no installation will be done and the rest of
24
- bootstrap will proceed as if it's already installed.
12
+ Both the `knife winrm` and `knife bootstrap windows winrm` subcommands
13
+ will honor the `http_proxy` configuration in the `knife.rb`
14
+ configuration file.
25
15
 
26
- ### WinRM default port default change
27
- The `winrm_port` option specifies the TCP port on the remote system to which
28
- to connect for WinRM communication for `knife-windows` commands that use
29
- WinRM. The default value of this option is **5986** if the WinRM transport
30
- (configured by the `winrm_transport` option) is SSL, otherwise it is **5985**.
31
- These defaults correspond to the port assignment conventions for the WinRM
32
- protocol, which is also honored by WinRM tools built-in to Windows such as the
33
- `winrs` tool.
16
+ When this setting is configured, the `WinRM` traffic between the
17
+ workstation executing `knife` and the remote node will flow through
18
+ the proxy server configured with `http_proxy`. See the specific
19
+ documentation for `http_proxy` for additional details.
34
20
 
35
- In previous releases, the default port was always 5985, regardless of the
36
- transport being used. To override the default, specify the `winrm_port`
37
- (`-p`) option and specify the desired port as the option's value.
38
-
39
- ### WinRM authentication protocol defaults to `negotiate` regardless of name formats
40
- Unless explicitly overridden using the new `winrm_authentication_protocol`
41
- option, `knife-windows` subcommands that use WinRM will authenticate using the
42
- negotiate protocol, just as the tools built-in to the Windows operating
43
- system would do.
44
-
45
- Previously, `knife-windows` would use basic authentication, unless the
46
- username specified to the `winrm_user` option had the format `domain\user`,
47
- and in that case `knife-windows` would use negotiate authentication.
48
-
49
- To override the new behavior, specify the `winrm_authentication_protocol`
50
- option with a value of either the `basic` or `kerberos` to choose a different
51
- authentication protocol.
52
-
53
- ### New `:winrm_authentication_protocol` option
54
-
55
- This option allows the authentication protocol used for WinRM communication to
56
- be explicitly specified. The supported protocol values are `kerberos`, `negotiate`,
57
- and `basic`, each of which directs `knife-windows` to use the respective authentication protocols.
58
-
59
- If the option is not specified, `knife-windows` treats this as a default value
60
- of `negotiate` and the tool uses negotiate authentication for WinRM.
61
-
62
- ### New `:winrm_ssl_verify_mode` option
63
- When running the `winrm` and `bootstrap windows` subcommands with the
64
- `winrm_transport` option set to `ssl` to communicate with a remote Windows system using
65
- the WinRM protocol via the SSL transport, you may disable `knife`'s verification of
66
- the remote system's SSL certificate. This is useful for testing or
67
- troubleshooting SSL connectivity before you've verified the certificate of the remote system's SSL WinRM listener.
68
-
69
- The option that controls whether the server is validated is the
70
- `knife[:winrm_verify_ssl_mode]` option, which has the same values as Chef's
71
- [`:ssl_verify_mode`](https://docs.getchef.com/config_rb_client.html#settings) option. By default, the option is set to `:verify_peer`,
72
- which means that SSL communication must be verified using a certificate file
73
- specified by the `:ca_trust_file` option. To avoid the need to have this file available
74
- during testing, you can specify the `knife[:winrm_ssl_verify_mode]` option in
75
- `knife.rb` OR specify it directly on the `knife` command line as
76
- `--winrm-ssl-verify-mode` and set its value to `:verify_none`, which will
77
- override the default behavior and skip the verification of the remote system
78
- -- there is no need to specify the `:ca_trust_file` option in this case.
79
-
80
- Here's an example that disables peer verification:
81
-
82
- knife winrm -m 192.168.0.6 -x 'mydomain\myuser' -P "$PASSWORDVAR" -t ssl --winrm-ssl-verify-mode verify_none ipconfig
83
-
84
- This option should be used carefully since disabling the verification of the
85
- remote system's certificate can subject knife commands to spoofing attacks.
86
-
87
- ### New subcommands to automate WinRM SSL listener configuration
88
- The WinRM protocol may be encapsulated by SSL, but the configuration of such
89
- connections can be difficult, particularly when the WinRM client is a
90
- non-Windows system. Three new knife subcommands have been implemented in
91
- knife-windows 1.0.0.rc.0 to simplify and automate this configuration:
92
-
93
- * `knife windows cert generate` subcommand:
94
- Generates certificates in formats useful for creating WinRM SSL listeners.
95
- It also generates a related public key file in .pem format to validating
96
- communication involving listeners configured with the generated certificate.
97
- * `knife windows cert install` subcommand:
98
- Installs a certificate such as one generated by the `cert generate`
99
- subcommand into the Windows certificate store so that it can be used as the
100
- SSL certificate for a WinRM listener. This command will only function on the
101
- Windows operating system. Certificates are always installed in the
102
- computer's personal store, i.e. the store that can be viewed via the
103
- PowerShell command `ls Cert:\LocalMachine\My`.
104
- * `knife windows listener create` subcommand:
105
- Creates a WinRM listener on a Windows system. This command functions only on
106
- the Windows operating system.
107
-
108
- #### Example WinRM listener configuration workflows
109
-
110
- The subcommands are used in the following scenarios
111
-
112
- ##### Creation of a new listener with a new SSL certificate
113
-
114
- This workflow assumes that WinRM is enabled on the system, which can be
115
- accomplished with the command
116
-
117
- winrm quickconfig
118
-
119
- If you're creating a listener and don't already have an SSL certificate with
120
- which to configure it, you can quickly create an enabled listener with a short
121
- sequence of commands. The example below assumes that the `knife-windows`
122
- plugin is being executed on a Windows system via the PowerShell command shell,
123
- and that the system is registered with the relevant DNS with the name
124
- `mysystem.myorg.org` and that this is the name with which the user would like
125
- to remotely access this system.
126
-
127
- This sequence of commands creates a listener -- it assumes the existence of the directory `winrmcerts`
128
- under the user's profile directory:
129
-
130
- knife windows cert generate --domain myorg.org --output-file $env:userprofile/winrmcerts/winrm-ssl
131
- knife windows listener create --hostname *.myorg.org --cert-install $env:userprofile/winrmcerts/winrm-ssl.pfx
132
-
133
- The first command, `cert generate`, may be executed on any computer (even one not running the
134
- Windows operating system) and produces three files. The first two are certificates containing
135
- private keys that should be stored securely. The 3rd is a `.pem` file
136
- containing the public key required to validate the server. This file may be
137
- shared. The command also outputs the thumbprint of the generated certificate,
138
- which is useful for finding the certificate in a certificate store or using
139
- with other commands that require the thumbprint.
140
-
141
- The next command, `listener create`, creates the SSL listener -- if it is executed on a different
142
- system than that which generated the certificates, the required certificate
143
- file **must** be transferred securely to the system on which the listener will
144
- be created. It requires a PKCS12 `.pfx` file for the `--cert-install` argument
145
- which is one of the files generated by the previous `cert generate` command.
146
-
147
- After these commands are executed, an SSL listener will be created listening
148
- on TCP port 5986, the default WinRM SSL port. Using PowerShell, the following
149
- command will show this and other listeners on the system:
150
-
151
- ls wsman:\localhost\listener
152
-
153
- As an alternative to the command sequence above, the `cert install` command could be used to install the
154
- certificate in a separate step, i which case the `--cert-install` option must
155
- be replaced with the `--cert-thumbprint` option to use the generated
156
- certificate's thumbprint to identify the certificate with which the listener
157
- should be configured:
158
-
159
- knife windows cert generate --domain myorg.org --output-file $env:userprofile/winrmcerts/winrm-ssl
160
- knife windows cert install $env:userprofile/winrmcerts/winrm-ssl
161
- knife windows listener create --hostname *.myorg.org --cert-thumbprint 1F3A70E2601FA1576BC4850ED2D7EF6587076423
162
-
163
- The system would then be in the same state as that after the original shorter
164
- command sequence.
165
-
166
- Note that the `cert install` command could be skipped if the certificate
167
- already exists in the personal certificate store of the computer. To view that store and
168
- see the thumbprints of certificates that could be used with the `listener
169
- create` command to create an SSL listener, the following PowerShell command
170
- may be executed:
171
-
172
- ls Cert:\LocalMachine\My
173
-
174
- ##### Connecting to a configured SSL listeners
175
-
176
- In order to connect securely to the configured SSL listener via the `knife
177
- winrm` or `knife bootstrap windows winrm` subcommands, the workstation running
178
- `knife` must have a `.pem` file that contains the listener's public key, such
179
- as the one generated by `knife windows cert generate`. If the file was
180
- generated from a different system than the one initiating the connection with
181
- the listener, it must be transferred securely to the initiating system.
182
-
183
- For example, assume the file `./winrmcerts/myserver.pem` was securely
184
- copied from another system on which the `cert generate` command originally
185
- produced the file. Now it can be used against a system with the appropriately
186
- configured listener as follows:
187
-
188
- knife winrm -f ./winrmcerts/myserver.pem -m myserver.myorg.com -t ssl ipconfig -x 'my_ad_domain\myuser' -P "$PASSWORDVAR"
189
-
190
- This will send the output of the Windows command `ipconfig` on the remote
191
- system. The argument to the `-f` option is the public key for the listener so
192
- that the listener's authenticity can be validated. The specified key
193
- can simply be a copy of the `.pem` file generated by the `cert generate` subcommand if
194
- that was used to create the certificates for the listener. The user
195
- `my_ad_domain\myuser` in the example is a user in the Windows Active Directory
196
- domain `my_ad_domain`.
197
-
198
- Alternatively, the [`knife ssl fetch`](https://docs.chef.io/knife_ssl_fetch.html) command can be used to retrieve the
199
- public key for the listener by simply reading it from the listener, though this command *must* be executed under
200
- conditions where the connection to the server is considered secure:
201
-
202
- knife ssl fetch https://myserver.myorg.org:5986/wsman
203
- knife winrm -f ./.chef/trusted_certs/wildcard_myorg_org.crt -m myserver.myorg.com -t ssl ipconfig -x 'my_ad_domain\myuser' -P "$PASSWORDVAR"
204
-
205
- In the `fetch` subcommand, the URL specified for testing WinRM connectivity to
206
- a given server SERVER on port PORT takes the form `https://SERVER:PORT/wsman`,
207
- hence the url specified above to retrieve the key for `myserver.myorg.org`.
208
- The command also outputs the location to which the key was retrieved, which
209
- can then be used as input to a subsequent `knife winrm` command.
210
-
211
- For that `knife winrm` command in the example, the argument to the `-f` option is again the public key -- this time its value
212
- of `./.chef/trusted_certs/wildcard_myorg_org.crt` is the file system location to which
213
- `knife ssl fetch` retrieved the public key.
214
-
215
- #### Testing WinRM SSL configuration
216
-
217
- The techniques below are useful for validating a WinRM listener's configuration -- all
218
- examples below assume there is a WinRM SSL listener configured on a remote Windows
219
- system `winserver.myoffice.com` on the default WinRM port of 5986 and this is
220
- the server being tested.
221
-
222
- ##### PowerShell's `test-wsman` cmdlet
223
- If you have access to a workstation running
224
- the Windows 8 or Windows Server 2012 or later versions of the Windows
225
- operating systems, you can use the `test-wsman` command to validate the
226
- configuration of a listener on a remote system `winserver.myoffice.com`:
227
-
228
- 1. On the Windows workstation client (not the system with the listener),
229
- install the .pfx public key certificate for the listener using
230
- certmgr.msc. This should be installed in the personal store under *"Trusted
231
- Root Certification Authorities"*.
232
- 2. Start PowerShell, and use it to run this command:
233
- `test-wsman -ComputerName winserver.myoffice.com -UseSSL`
234
-
235
- If the command executes without error, the ssl configuration is correct.
236
-
237
- ##### End to end SSL testing with `knife winrm`
238
-
239
- To validate that SSL is enabled for the listener without validating the
240
- server's certificate, the `--winrm-ssl-verify-mode` option of the `winrm`
241
- subcommand can be used:
242
-
243
- knife winrm -m winserver.myoffice.com -t ssl --winrm-ssl-verify-mode verify_none ipconfig -x 'my_ad_domain\myuser' -P "$PASSWORDVAR"
244
-
245
- If this succeeds, then any failures to execute the command when correctly
246
- validating the server, i.e. when specifying the `-f` parameter, are due to
247
- certificate configuration issues, not other connectivity or authentication
248
- problems.
249
-
250
- ##### The winrs tool
251
-
252
- The `winrs` tool is built into Windows, so if a Windows system is available,
253
- `winrs` may be used to troubleshoot. It takes parameters analogous to those of
254
- `knife winrm` and differences in success and failure between the two tools may
255
- indicate areas to investigate.
256
-
257
- Visit Microsoft's documentation for [`winrs`](https://technet.microsoft.com/en-us/library/hh875630.aspx) to learn more about the tool.
258
-
259
- ### Troubleshooting WinRM authentication issues
260
-
261
- Authentication issues can be debugged by loosening the authentication
262
- requirements on the server and explicitly using
263
- `--winrm-authentication-protocol` option for `knife winrm` to attempt to
264
- connect. As an example, the following PowerShell commands on the server will allow basic authentication
265
- and unencrypted communication:
266
-
267
- si wsman:\localhost\service\allowunencrypted $true
268
- # Don't set the following if attempting domain authentication
269
- si wsman:\localhost\service\auth\basic $true
270
-
271
- From the client, `knife winrm` can be instructed to explicitly allow basic
272
- authentication when validating authentication using a non-domain (i.e. local)
273
- account:
274
-
275
- # For testing a local account
276
- knife winrm -m winserver.myoffice.com --winrm-authentication-protocol basic ipconfig -x 'localuser' -P "$PASSWORDVAR" -VV
277
-
278
- # For testing a domain account
279
- knife winrm -m winserver.myoffice.com --winrm-authentication-protocol negotiate ipconfig -x 'localuser' -P "$PASSWORDVAR" -VV
280
-
281
- If the listener is an SSL listener, the additional arguments `-t ssl
282
- --winrm-ssl-verify-mode verify_none` should be supplied to enable SSL
283
- communication and disable peer verification for testing. The specification of
284
- `-VV` enables additional detailed debug output that can provide clues to the
285
- root cause of any failures.
286
-
287
- If the command fails, there is either a connectivity issue or a problem with
288
- an incorrect or expired password or disabled account.
289
-
290
- If the command succeeds, try the following
291
-
292
- si wsman:\localhost\service\allowunencrypted $false
293
-
294
- Then retry the earlier `knife winrm` command. If it fails, this may indicate
295
- an issue with your operating system's ability to encrypt traffic, particularly
296
- when using the `plaintext` transport, i.e. when not using the `SSL` transport.
297
- In that case, the Windows platform supports encryption of plaintext traffic
298
- through native Windows authentication protocols, but such support is often incomplete on other platforms.
299
-
300
- If the command succeeds, then there may be a more subtle issue with negotiate
301
- authentication. It may be necessary to explicitly specify a domain in the user
302
- name parameter (e.g. `mydomain\myuser` rather than just `user`) for instance,
303
- or a specified domain may actually be incorrect and something that should be omitted.
304
-
305
- ### Platform WinRM authentication support
306
-
307
- `knife-windows` supports `Kerberos`, `Negotiate`, and `Basic` authentication
308
- for WinRM communication. However, some of these protocols
309
- may not work with `knife-windows` on non-Windows systems because
310
- `knife-windows` relies on operating system libraries such as GSSAPI to implement
311
- Windows authentication, and some versions of these libraries do not
312
- fully implement the protocols.
313
-
314
- The following table shows the authentication protocols that can be used with
315
- `knife-windows` depending on whether the knife workstation is a Windows
316
- system, the transport, and whether or not the target user is a domain user or
317
- local to the target Windows system.
318
-
319
- | Workstation OS / Account Scope | SSL | Plaintext |
320
- |--------------------------------|------------------------------|----------------------------|
321
- | Windows / Local | Kerberos, Negotiate* , Basic | Kerberos, Negotiate, Basic |
322
- | Windows / Domain | Kerberos, Negotiate | Kerberos, Negotiate |
323
- | Non-Windows / Local | Kerberos, [Negotiate*](https://github.com/chef/knife-windows/issues/176) Basic | Kerberos, Basic |
324
- | Non-Windows / Domain | Kerberos, Negotiate | Kerberos |
325
-
326
- > \* There is a known defect in the `knife winrm` and `knife bootstrap windows
327
- > winrm` subcommands invoked on any OS platform when authenticating with the Negotiate protocol over
328
- > the SSL transport. The defect is tracked by
329
- > [knife-windows issue #176](https://github.com/chef/knife-windows/issues/176): If the remote system is
330
- > domain-joined, local accounts may not be used to authenticate via Negotiate
331
- > over SSL -- only domain accounts will work. Local accounts will only
332
- > successfully authenticate if the system is not joined to a domain.
333
- >
334
- > This is generally not an issue for bootstrap scenarios, where the
335
- > system has yet to be joined to any domain, but can be a problem for remote
336
- > management cases after the system is domain joined. Workarounds include using
337
- > a domain account instead, or enabling Basic authentication on the remote
338
- > system (unencrypted communication **does not** need to be enabled to make
339
- > Basic authentication function over SSL).
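Review bot: The new `http_proxy` section says WinRM traffic "will flow through the proxy server" but does not say which transports that covers. The tool supports both the plaintext and `ssl` transports, so the text should state whether `http_proxy` also applies to SSL sessions or whether a separate setting is needed, and it should point out that the proxy becomes part of the path that WinRM authentication travels over. "See the specific documentation for `http_proxy`" would also be more useful as an actual link.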
data/RELEASE_NOTES.md CHANGED
@@ -6,74 +6,26 @@ Example Note:
6
6
  ## Example Heading
7
7
  Details about the thing that changed that needs to get included in the Release Notes in markdown.
8
8
  -->
9
- # knife-windows 1.0.0 release notes:
10
- This release of knife-windows includes new features to improve authentication,
11
- simplify use of the WinRM SSL transport, install and download Chef
12
- Client during bootstrap, and addresses compatibility issues with Chef Client 12.0.
9
+ # knife-windows 1.1.0 release notes:
10
+ This release of knife-windows includes an important fix for an
11
+ incompatibility issue with Chef Client 12.5 during bootstrap. If you
12
+ are running knife-windows 1.0.0, please upgrade to this version. See
13
+ the following issue for details: https://github.com/chef/knife-windows/pull/302
13
14
 
14
- You can install the new features using the `gem` command:
15
+ You can install this version using the `gem` command:
15
16
 
16
17
  gem install knife-windows
17
18
 
18
- Due to dependency conflicts, to use knife-windows 1.0.0+ with ChefDK
19
- 0.6.2, you must also upgrade chef-provisioning to 1.2.0+ and update
20
- the line referencing chef-provisioning in
21
- `c:\opscode\chefdk\bin\chef`. To avoid this, use ChefDk 0.7.0 or later
22
- with this version of `knife-windows`.
23
-
24
- chef gem install knife-windows
25
- chef gem install chef-provisioning
26
-
27
19
  ## Reporting issues and contributing
28
-
29
20
  `knife-windows` issues like those addressed in this release should be reported in the ticketing system at https://github.com/chef/knife-windows/issues. You can learn more about how to contribute features and bug fixes to `knife-windows` in the [Chef Contributions document](http://docs.chef.io/community_contributions.html).
30
21
 
31
- ## Breaking changes
32
-
33
- ### Negotiate as the default authentication protocol
34
- With this release, the default authentication protocol for WinRM
35
- communication is negotiate, which is the same as that for tools built-in to
36
- the Windows operating system. Prior to this release, the protocol depended
37
- on the format of the `--winrm-user` option -- the basic authentication
38
- protocol would be assumed unless that option had the format `domain\user`.
39
-
40
- To revert to the behavior of previous releases or otherwise force `knife-windows` to use a specific authentication protocol such as
41
- basic, use the `--winrm-authentication-protocol` option.
42
-
43
- ### Default WinRM port depends on the transport
44
- The default port for WinRM communication is now **5986** when the SSL transport is used (the transport is
45
- configured by the `winrm_transport` option), otherwise it is **5985**. In
46
- previous releases, if the port was not specified, it was always 5985.
47
-
48
- To override this behavior, explicitly specify the desired port using the
49
- `winrm_port` (`-p`) option.
50
-
51
- ### Kerberos Keytab short option is now -T
52
- The short option flag for --keytab-file is now -T to fix a conflict with the --identity-file option.
53
-
54
- ## Features added in knife-windows 1.0.0
55
- * New `--winrm-authentication-protocol` option for explicit control of WinRM authentication
56
- * `knife windows cert generate` subcommand:
57
- Generates a certificate and related public key file for use in configuring a WinRM listener and validating communication involving it.
58
- * `knife windows cert install` subcommand:
59
- Installs a certificate such as one generated by the `cert generate`
60
- subcommand into the Windows certificate store's LocalMachine personal store
61
- so that it can be used as part of the configuration for a WinRM SSL listener
62
- * `knife windows listener create` subcommand:
63
- Creates a WinRM SSL listener on a Windows system
64
- * Added `--hint` option for creating Ohai hints on bootstrap
65
- * Validatorless bootstrapping is now supported
66
- * New `--bootstrap-install-command` option allows an alternate command
67
- to be used to install Chef Client
68
- * New `--install-as-service` option will have Chef Client be installed
69
- as a Windows service on bootstrap
70
- * Added `--msi_url` option for providing an alternate URL to the Chef Client installation package
71
- * `knife wsman test` subcommand:
72
- Verifies winrm functionality on a remote system, e.g. `knife wsman
73
- test 192.168.1.10 -m --winrm-transport ssl`
22
+ ## New features -- proxy support for WinRM
23
+ The `winrm` and `bootstrap windows winrm` subcommands now honor the
24
+ proxy server configured via the `http_proxy` setting in `knife.rb` for
25
+ WinRM traffic.
74
26
 
75
- ## Issues fixed in knife-windows 1.0.0
76
- See the [knife-windows 1.0.0 CHANGELOG](https://github.com/chef/knife-windows/blob/1.0.0/CHANGELOG.md)
27
+ ## Issues fixed in knife-windows 1.1.0
28
+ See the [knife-windows 1.1.0 CHANGELOG](https://github.com/chef/knife-windows/blob/1.1.0/CHANGELOG.md)
77
29
  for the list of issues fixed in this release.
78
30
 
79
31
  ## knife-windows on RubyGems and Github
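Review bot: The upgrade notice in the opening paragraph asks 1.0.0 users to upgrade but describes the problem only as "an incompatibility issue with Chef Client 12.5 during bootstrap"; one sentence naming the symptom would let readers tell whether they are affected without following the link. The link is also introduced as "the following issue" but points at `/pull/302`, so "pull request" would be more accurate.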
@@ -179,6 +179,16 @@ class Chef
179
179
  Chef::Config[:knife][:bootstrap_vault_item]
180
180
  }
181
181
 
182
+ option :policy_name,
183
+ :long => "--policy-name POLICY_NAME",
184
+ :description => "Policyfile name to use (--policy-group must also be given)",
185
+ :default => nil
186
+
187
+ option :policy_group,
188
+ :long => "--policy-group POLICY_GROUP",
189
+ :description => "Policy group name to use (--policy-name must also be given)",
190
+ :default => nil
191
+
182
192
  option :tags,
183
193
  :long => "--tags TAGS",
184
194
  :description => "Comma separated list of tags to apply to the node",
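Review bot: The requirement that `--policy-name` and `--policy-group` be given together exists only in the two `:description` strings; nothing in this hunk enforces it. Please confirm that the pairing is checked before the bootstrap proceeds, and add a spec for supplying one option without the other so that a half-specified policy fails early with a clear error.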
@@ -264,6 +274,9 @@ class Chef
264
274
 
265
275
  validate_name_args!
266
276
 
277
+ # adding respond_to? so this works with pre 12.4 chef clients
278
+ validate_options! if respond_to?(:validate_options!)
279
+
267
280
  @node_name = Array(@name_args).first
268
281
  # back compat--templates may use this setting:
269
282
  config[:server_name] = @node_name
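Review bot: `respond_to?(:validate_options!)` returns false for private and protected methods, so if the inherited `validate_options!` is not public this guard skips validation on every Chef version without any sign that it did; confirm the method's visibility or use `respond_to?(:validate_options!, true)`. The comment says "pre 12.4" while the release notes for this version talk about Chef Client 12.5, so it is worth stating exactly which version introduced the method. On clients where the method is absent, the new `--policy-name` and `--policy-group` options would not be validated by this call, which deserves a warning or an explicit check.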
@@ -47,7 +47,7 @@ class Chef
47
47
  end
48
48
  end
49
49
 
50
- validate_options!
50
+ validate_winrm_options!
51
51
  resolve_session_options
52
52
  @session_opts[:host] = server_name
53
53
  @session = Chef::Knife::WinrmSession.new(@session_opts)
@@ -140,8 +140,9 @@ CONFIG
140
140
  end
141
141
 
142
142
  def start_chef
143
+ bootstrap_environment_option = bootstrap_environment.nil? ? '' : " -E #{bootstrap_environment}"
143
144
  start_chef = "SET \"PATH=%PATH%;C:\\ruby\\bin;C:\\opscode\\chef\\bin;C:\\opscode\\chef\\embedded\\bin\"\n"
144
- start_chef << "chef-client -c c:/chef/client.rb -j c:/chef/first-boot.json -E #{bootstrap_environment}\n"
145
+ start_chef << "chef-client -c c:/chef/client.rb -j c:/chef/first-boot.json#{bootstrap_environment_option}\n"
145
146
  end
146
147
 
147
148
  def latest_current_windows_chef_version_query
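Review bot: In `start_chef`, `bootstrap_environment` is still interpolated unquoted into a line of a batch script (`" -E #{bootstrap_environment}"`), so an environment name containing spaces or cmd.exe metacharacters such as `&` or `|` changes the command that runs on the node. Suggest validating the value against the characters allowed in environment names before building the string, or quoting it. The `nil?` check also lets an empty string through, which produces a bare `-E` with no argument; testing for empty as well would cover that case.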
@@ -34,7 +34,7 @@ class Chef
34
34
  include Chef::Knife::WinrmSharedOptions
35
35
  include Chef::Knife::KnifeWindowsBase
36
36
 
37
- def validate_options!
37
+ def validate_winrm_options!
38
38
  winrm_auth_protocol = locate_config_value(:winrm_authentication_protocol)
39
39
 
40
40
  if ! Chef::Knife::WinrmBase::WINRM_AUTH_PROTOCOL_LIST.include?(winrm_auth_protocol)
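Review bot: The rename of `validate_options!` to `validate_winrm_options!` in this shared module carries no comment explaining why, and the reason (presumably that the unprefixed name is now called separately in the bootstrap path) is easy to lose. Add a short comment above the `def`, and check for remaining callers of the old name on classes that include this module, since they would now reach a different method or raise `NoMethodError`.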
@@ -60,7 +60,7 @@ class Chef
60
60
  #Overrides Chef::Knife#configure_session, as that code is tied to the SSH implementation
61
61
  #Tracked by Issue # 3042 / https://github.com/chef/chef/issues/3042
62
62
  def configure_session
63
- validate_options!
63
+ validate_winrm_options!
64
64
  resolve_session_options
65
65
  resolve_target_nodes
66
66
  session_from_list
@@ -16,6 +16,7 @@
16
16
  # limitations under the License.
17
17
  #
18
18
 
19
+ require 'chef/application'
19
20
  require 'winrm'
20
21
 
21
22
  class Chef
@@ -24,6 +25,7 @@ class Chef
24
25
  attr_reader :host, :endpoint, :port, :output, :error, :exit_code
25
26
 
26
27
  def initialize(options)
28
+ Chef::Application.new.configure_proxy_environment_variables
27
29
  @host = options[:host]
28
30
  @port = options[:port]
29
31
  url = "#{options[:host]}:#{options[:port]}/wsman"
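Review bot: `Chef::Application.new.configure_proxy_environment_variables` in `initialize` builds a whole `Chef::Application` object and, going by the method name, changes process-wide environment variables as a side effect of constructing each `WinrmSession`. That runs once per target host and makes the constructor depend on global state; calling it once during command setup would be cleaner and easier to stub in specs. Please also confirm whether proxy credentials end up in the environment, since child processes inherit it.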
@@ -17,11 +17,9 @@
17
17
  #
18
18
 
19
19
  require 'httpclient'
20
- require 'nokogiri'
21
20
  require 'chef/knife'
22
21
  require 'chef/knife/winrm_knife_base'
23
22
  require 'chef/knife/wsman_endpoint'
24
- require 'pry'
25
23
 
26
24
  class Chef
27
25
  class Knife
@@ -66,6 +64,7 @@ class Chef
66
64
  if response.nil? || output_object.response_status_code != 200
67
65
  error_message = "No valid WSMan endoint listening at #{item.endpoint}."
68
66
  else
67
+ require 'nokogiri'
69
68
  doc = Nokogiri::XML response.body
70
69
  namespace = 'http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd'
71
70
  output_object.protocol_version = doc.xpath('//wsmid:ProtocolVersion', 'wsmid' => namespace).text
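Review bot: The `require 'nokogiri'` that now sits inside the `else` branch has no comment saying why it is deferred, so a later cleanup is likely to hoist it back to the top of the file; add a one-line comment with the reason. While here, the error string in the context line above reads `WSMan endoint`, which should be `endpoint`.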
@@ -1,6 +1,6 @@
1
1
  module Knife
2
2
  module Windows
3
- VERSION = "1.0.0"
3
+ VERSION = "1.1.0"
4
4
  MAJOR, MINOR, TINY = VERSION.split('.')
5
5
  end
6
6
  end
@@ -0,0 +1,217 @@
1
+ @rem
2
+ @rem Author:: Seth Chisamore (<schisamo@opscode.com>)
3
+ @rem Copyright:: Copyright (c) 2011 Opscode, Inc.
4
+ @rem License:: Apache License, Version 2.0
5
+ @rem
6
+ @rem Licensed under the Apache License, Version 2.0 (the "License");
7
+ @rem you may not use this file except in compliance with the License.
8
+ @rem You may obtain a copy of the License at
9
+ @rem
10
+ @rem http://www.apache.org/licenses/LICENSE-2.0
11
+ @rem
12
+ @rem Unless required by applicable law or agreed to in writing, software
13
+ @rem distributed under the License is distributed on an "AS IS" BASIS,
14
+ @rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15
+ @rem See the License for the specific language governing permissions and
16
+ @rem limitations under the License.
17
+ @rem
18
+
19
+ @rem Use delayed environment expansion so that ERRORLEVEL can be evaluated with the
20
+ @rem !ERRORLEVEL! syntax which evaluates at execution of the line of script, not when
21
+ @rem the line is read. See help for the /E switch from cmd.exe /? .
22
+ @setlocal ENABLEDELAYEDEXPANSION
23
+
24
+
25
+
26
+ @set BOOTSTRAP_DIRECTORY=C:\chef
27
+ @echo Checking for existing directory "%BOOTSTRAP_DIRECTORY%"...
28
+ @if NOT EXIST %BOOTSTRAP_DIRECTORY% (
29
+ @echo Existing directory not found, creating.
30
+ @mkdir %BOOTSTRAP_DIRECTORY%
31
+ ) else (
32
+ @echo Existing directory found, skipping creation.
33
+ )
34
+
35
+ > C:\chef\wget.vbs (
36
+ echo.url = WScript.Arguments.Named^("url"^)
37
+ echo.path = WScript.Arguments.Named^("path"^)
38
+ echo.proxy = null
39
+ echo.'* Vaguely attempt to handle file:// scheme urls by url unescaping and switching all
40
+ echo.'* / into . Also assume that file:/// is a local absolute path and that file://^<foo^>
41
+ echo.'* is possibly a network file path.
42
+ echo.If InStr^(url, "file://"^) = 1 Then
43
+ echo.url = Unescape^(url^)
44
+ echo.If InStr^(url, "file:///"^) = 1 Then
45
+ echo.sourcePath = Mid^(url, Len^("file:///"^) + 1^)
46
+ echo.Else
47
+ echo.sourcePath = Mid^(url, Len^("file:"^) + 1^)
48
+ echo.End If
49
+ echo.sourcePath = Replace^(sourcePath, "/", "\"^)
50
+ echo.
51
+ echo.Set objFSO = CreateObject^("Scripting.FileSystemObject"^)
52
+ echo.If objFSO.Fileexists^(path^) Then objFSO.DeleteFile path
53
+ echo.objFSO.CopyFile sourcePath, path, true
54
+ echo.Set objFSO = Nothing
55
+ echo.
56
+ echo.Else
57
+ echo.Set objXMLHTTP = CreateObject^("MSXML2.ServerXMLHTTP"^)
58
+ echo.Set wshShell = CreateObject^( "WScript.Shell" ^)
59
+ echo.Set objUserVariables = wshShell.Environment^("USER"^)
60
+ echo.
61
+ echo.rem http proxy is optional
62
+ echo.rem attempt to read from HTTP_PROXY env var first
63
+ echo.On Error Resume Next
64
+ echo.
65
+ echo.If NOT ^(objUserVariables^("HTTP_PROXY"^) = ""^) Then
66
+ echo.proxy = objUserVariables^("HTTP_PROXY"^)
67
+ echo.
68
+ echo.rem fall back to named arg
69
+ echo.ElseIf NOT ^(WScript.Arguments.Named^("proxy"^) = ""^) Then
70
+ echo.proxy = WScript.Arguments.Named^("proxy"^)
71
+ echo.End If
72
+ echo.
73
+ echo.If NOT isNull^(proxy^) Then
74
+ echo.rem setProxy method is only available on ServerXMLHTTP 6.0+
75
+ echo.Set objXMLHTTP = CreateObject^("MSXML2.ServerXMLHTTP.6.0"^)
76
+ echo.objXMLHTTP.setProxy 2, proxy
77
+ echo.End If
78
+ echo.
79
+ echo.On Error Goto 0
80
+ echo.
81
+ echo.objXMLHTTP.open "GET", url, false
82
+ echo.objXMLHTTP.send^(^)
83
+ echo.If objXMLHTTP.Status = 200 Then
84
+ echo.Set objADOStream = CreateObject^("ADODB.Stream"^)
85
+ echo.objADOStream.Open
86
+ echo.objADOStream.Type = 1
87
+ echo.objADOStream.Write objXMLHTTP.ResponseBody
88
+ echo.objADOStream.Position = 0
89
+ echo.Set objFSO = Createobject^("Scripting.FileSystemObject"^)
90
+ echo.If objFSO.Fileexists^(path^) Then objFSO.DeleteFile path
91
+ echo.Set objFSO = Nothing
92
+ echo.objADOStream.SaveToFile path
93
+ echo.objADOStream.Close
94
+ echo.Set objADOStream = Nothing
95
+ echo.End If
96
+ echo.Set objXMLHTTP = Nothing
97
+ echo.End If
98
+
99
+ )
100
+
101
+ > C:\chef\wget.ps1 (
102
+ echo.param^(
103
+ echo. [String] $remoteUrl,
104
+ echo. [String] $localPath
105
+ echo.^)
106
+ echo.
107
+ echo.$webClient = new-object System.Net.WebClient;
108
+ echo.
109
+ echo.$webClient.DownloadFile^($remoteUrl, $localPath^);
110
+
111
+ )
112
+
113
+ @rem Determine the version and the architecture
114
+
115
+ @FOR /F "usebackq tokens=1-8 delims=.[] " %%A IN (`ver`) DO (
116
+ @set WinMajor=%%D
117
+ @set WinMinor=%%E
118
+ @set WinBuild=%%F
119
+ )
120
+
121
+ @echo Detected Windows Version %WinMajor%.%WinMinor% Build %WinBuild%
122
+
123
+ @set LATEST_OS_VERSION_MAJOR=6
124
+ @set LATEST_OS_VERSION_MINOR=3
125
+
126
+ @if /i %WinMajor% GTR %LATEST_OS_VERSION_MAJOR% goto VersionUnknown
127
+ @if /i %WinMajor% EQU %LATEST_OS_VERSION_MAJOR% (
128
+ @if /i %WinMinor% GTR %LATEST_OS_VERSION_MINOR% goto VersionUnknown
129
+ )
130
+
131
+ goto Version%WinMajor%.%WinMinor%
132
+
133
+ :VersionUnknown
134
+ @rem If this is an unknown version of windows set the default
135
+ @set MACHINE_OS=2008r2
136
+ @echo Warning: Unknown version of Windows, assuming default of Windows %MACHINE_OS%
137
+ goto architecture_select
138
+
139
+ :Version6.0
140
+ @set MACHINE_OS=2008
141
+ goto architecture_select
142
+
143
+ :Version5.2
144
+ @set MACHINE_OS=2003r2
145
+ goto architecture_select
146
+
147
+ :Version6.1
148
+ @set MACHINE_OS=2008r2
149
+ goto architecture_select
150
+
151
+ :Version6.2
152
+ @set MACHINE_OS=2012
153
+ goto architecture_select
154
+
155
+ @rem Currently Windows Server 2012 R2 is treated as equivalent to Windows Server 2012
156
+ :Version6.3
157
+ goto Version6.2
158
+
159
+ :architecture_select
160
+ goto Architecture%PROCESSOR_ARCHITEW6432%
161
+
162
+ :Architecture
163
+ goto Architecture%PROCESSOR_ARCHITECTURE%
164
+
165
+ @rem If this is an unknown architecture set the default
166
+ @set MACHINE_ARCH=i686
167
+ goto install
168
+
169
+ :Architecturex86
170
+ @set MACHINE_ARCH=i686
171
+ goto install
172
+
173
+ :Architectureamd64
174
+ @set MACHINE_ARCH=x86_64
175
+ goto install
176
+
177
+ :install
178
+ @rem If user has provided the custom installation command for chef-client then execute it
179
+ chef-client -o recipe[cbk1::rec2]
180
+
181
+ @endlocal
182
+
183
+ @echo off
184
+
185
+
186
+ echo Writing validation key...
187
+
188
+
189
+ echo Validation key written.
190
+ @echo on
191
+
192
+
193
+
194
+
195
+ > C:\chef\client.rb (
196
+ echo.log_level :info
197
+ echo.log_location STDOUT
198
+ echo.
199
+ echo.chef_server_url "https://localhost:443"
200
+ echo.validation_client_name "chef-validator"
201
+ echo.
202
+ echo.file_cache_path "c:/chef/cache"
203
+ echo.file_backup_path "c:/chef/backup"
204
+ echo.cache_options ^({:path =^> "c:/chef/cache/checksums", :skip_expires =^> true}^)
205
+ echo.
206
+ echo.# Using default node name ^(fqdn^)
207
+
208
+ )
209
+
210
+ > C:\chef\first-boot.json (
211
+ echo.{"run_list":null}
212
+ )
213
+
214
+ @echo Starting chef to bootstrap the node...
215
+ SET "PATH=%PATH%;C:\ruby\bin;C:\opscode\chef\bin;C:\opscode\chef\embedded\bin"
216
+ chef-client -c c:/chef/client.rb -j c:/chef/first-boot.json
217
+
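Review bot: the unknown-architecture default after `:Architecture` is unreachable. `goto Architecture%PROCESSOR_ARCHITECTURE%` is unconditional, so the `@set MACHINE_ARCH=i686` and `goto install` lines that follow it never run, and a value other than `x86` or `amd64` sends `goto` to a label that does not exist, which aborts the batch instead of applying the default. The same applies to `goto Architecture%PROCESSOR_ARCHITEW6432%`. If this file is meant to pin the rendered template output, fix the template and regenerate the file. Otherwise, add an explicit fallback label that the script reaches when the architecture is not recognised.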
@@ -0,0 +1,329 @@
1
+ @rem
2
+ @rem Author:: Seth Chisamore (<schisamo@opscode.com>)
3
+ @rem Copyright:: Copyright (c) 2011 Opscode, Inc.
4
+ @rem License:: Apache License, Version 2.0
5
+ @rem
6
+ @rem Licensed under the Apache License, Version 2.0 (the "License");
7
+ @rem you may not use this file except in compliance with the License.
8
+ @rem You may obtain a copy of the License at
9
+ @rem
10
+ @rem http://www.apache.org/licenses/LICENSE-2.0
11
+ @rem
12
+ @rem Unless required by applicable law or agreed to in writing, software
13
+ @rem distributed under the License is distributed on an "AS IS" BASIS,
14
+ @rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15
+ @rem See the License for the specific language governing permissions and
16
+ @rem limitations under the License.
17
+ @rem
18
+
19
+ @rem Use delayed environment expansion so that ERRORLEVEL can be evaluated with the
20
+ @rem !ERRORLEVEL! syntax which evaluates at execution of the line of script, not when
21
+ @rem the line is read. See help for the /E switch from cmd.exe /? .
22
+ @setlocal ENABLEDELAYEDEXPANSION
23
+
24
+
25
+
26
+ @set BOOTSTRAP_DIRECTORY=C:\chef
27
+ @echo Checking for existing directory "%BOOTSTRAP_DIRECTORY%"...
28
+ @if NOT EXIST %BOOTSTRAP_DIRECTORY% (
29
+ @echo Existing directory not found, creating.
30
+ @mkdir %BOOTSTRAP_DIRECTORY%
31
+ ) else (
32
+ @echo Existing directory found, skipping creation.
33
+ )
34
+
35
+ > C:\chef\wget.vbs (
36
+ echo.url = WScript.Arguments.Named^("url"^)
37
+ echo.path = WScript.Arguments.Named^("path"^)
38
+ echo.proxy = null
39
+ echo.'* Vaguely attempt to handle file:// scheme urls by url unescaping and switching all
40
+ echo.'* / into . Also assume that file:/// is a local absolute path and that file://^<foo^>
41
+ echo.'* is possibly a network file path.
42
+ echo.If InStr^(url, "file://"^) = 1 Then
43
+ echo.url = Unescape^(url^)
44
+ echo.If InStr^(url, "file:///"^) = 1 Then
45
+ echo.sourcePath = Mid^(url, Len^("file:///"^) + 1^)
46
+ echo.Else
47
+ echo.sourcePath = Mid^(url, Len^("file:"^) + 1^)
48
+ echo.End If
49
+ echo.sourcePath = Replace^(sourcePath, "/", "\"^)
50
+ echo.
51
+ echo.Set objFSO = CreateObject^("Scripting.FileSystemObject"^)
52
+ echo.If objFSO.Fileexists^(path^) Then objFSO.DeleteFile path
53
+ echo.objFSO.CopyFile sourcePath, path, true
54
+ echo.Set objFSO = Nothing
55
+ echo.
56
+ echo.Else
57
+ echo.Set objXMLHTTP = CreateObject^("MSXML2.ServerXMLHTTP"^)
58
+ echo.Set wshShell = CreateObject^( "WScript.Shell" ^)
59
+ echo.Set objUserVariables = wshShell.Environment^("USER"^)
60
+ echo.
61
+ echo.rem http proxy is optional
62
+ echo.rem attempt to read from HTTP_PROXY env var first
63
+ echo.On Error Resume Next
64
+ echo.
65
+ echo.If NOT ^(objUserVariables^("HTTP_PROXY"^) = ""^) Then
66
+ echo.proxy = objUserVariables^("HTTP_PROXY"^)
67
+ echo.
68
+ echo.rem fall back to named arg
69
+ echo.ElseIf NOT ^(WScript.Arguments.Named^("proxy"^) = ""^) Then
70
+ echo.proxy = WScript.Arguments.Named^("proxy"^)
71
+ echo.End If
72
+ echo.
73
+ echo.If NOT isNull^(proxy^) Then
74
+ echo.rem setProxy method is only available on ServerXMLHTTP 6.0+
75
+ echo.Set objXMLHTTP = CreateObject^("MSXML2.ServerXMLHTTP.6.0"^)
76
+ echo.objXMLHTTP.setProxy 2, proxy
77
+ echo.End If
78
+ echo.
79
+ echo.On Error Goto 0
80
+ echo.
81
+ echo.objXMLHTTP.open "GET", url, false
82
+ echo.objXMLHTTP.send^(^)
83
+ echo.If objXMLHTTP.Status = 200 Then
84
+ echo.Set objADOStream = CreateObject^("ADODB.Stream"^)
85
+ echo.objADOStream.Open
86
+ echo.objADOStream.Type = 1
87
+ echo.objADOStream.Write objXMLHTTP.ResponseBody
88
+ echo.objADOStream.Position = 0
89
+ echo.Set objFSO = Createobject^("Scripting.FileSystemObject"^)
90
+ echo.If objFSO.Fileexists^(path^) Then objFSO.DeleteFile path
91
+ echo.Set objFSO = Nothing
92
+ echo.objADOStream.SaveToFile path
93
+ echo.objADOStream.Close
94
+ echo.Set objADOStream = Nothing
95
+ echo.End If
96
+ echo.Set objXMLHTTP = Nothing
97
+ echo.End If
98
+
99
+ )
100
+
101
+ > C:\chef\wget.ps1 (
102
+ echo.param^(
103
+ echo. [String] $remoteUrl,
104
+ echo. [String] $localPath
105
+ echo.^)
106
+ echo.
107
+ echo.$webClient = new-object System.Net.WebClient;
108
+ echo.
109
+ echo.$webClient.DownloadFile^($remoteUrl, $localPath^);
110
+
111
+ )
112
+
113
+ @rem Determine the version and the architecture
114
+
115
+ @FOR /F "usebackq tokens=1-8 delims=.[] " %%A IN (`ver`) DO (
116
+ @set WinMajor=%%D
117
+ @set WinMinor=%%E
118
+ @set WinBuild=%%F
119
+ )
120
+
121
+ @echo Detected Windows Version %WinMajor%.%WinMinor% Build %WinBuild%
122
+
123
+ @set LATEST_OS_VERSION_MAJOR=6
124
+ @set LATEST_OS_VERSION_MINOR=3
125
+
126
+ @if /i %WinMajor% GTR %LATEST_OS_VERSION_MAJOR% goto VersionUnknown
127
+ @if /i %WinMajor% EQU %LATEST_OS_VERSION_MAJOR% (
128
+ @if /i %WinMinor% GTR %LATEST_OS_VERSION_MINOR% goto VersionUnknown
129
+ )
130
+
131
+ goto Version%WinMajor%.%WinMinor%
132
+
133
+ :VersionUnknown
134
+ @rem If this is an unknown version of windows set the default
135
+ @set MACHINE_OS=2008r2
136
+ @echo Warning: Unknown version of Windows, assuming default of Windows %MACHINE_OS%
137
+ goto architecture_select
138
+
139
+ :Version6.0
140
+ @set MACHINE_OS=2008
141
+ goto architecture_select
142
+
143
+ :Version5.2
144
+ @set MACHINE_OS=2003r2
145
+ goto architecture_select
146
+
147
+ :Version6.1
148
+ @set MACHINE_OS=2008r2
149
+ goto architecture_select
150
+
151
+ :Version6.2
152
+ @set MACHINE_OS=2012
153
+ goto architecture_select
154
+
155
+ @rem Currently Windows Server 2012 R2 is treated as equivalent to Windows Server 2012
156
+ :Version6.3
157
+ goto Version6.2
158
+
159
+ :architecture_select
160
+ goto Architecture%PROCESSOR_ARCHITEW6432%
161
+
162
+ :Architecture
163
+ goto Architecture%PROCESSOR_ARCHITECTURE%
164
+
165
+ @rem If this is an unknown architecture set the default
166
+ @set MACHINE_ARCH=i686
167
+ goto install
168
+
169
+ :Architecturex86
170
+ @set MACHINE_ARCH=i686
171
+ goto install
172
+
173
+ :Architectureamd64
174
+ @set MACHINE_ARCH=x86_64
175
+ goto install
176
+
177
+ :install
178
+ @rem If user has provided the custom installation command for chef-client then execute it
179
+ @rem Install Chef using chef-client MSI installer
180
+
181
+ @set "LOCAL_DESTINATION_MSI_PATH=%TEMP%\chef-client-latest.msi"
182
+ @set "CHEF_CLIENT_MSI_LOG_PATH=%TEMP%\chef-client-msi%RANDOM%.log"
183
+
184
+ @rem Clear any pre-existing downloads
185
+ @echo Checking for existing downloaded package at "%LOCAL_DESTINATION_MSI_PATH%"
186
+ @if EXIST "%LOCAL_DESTINATION_MSI_PATH%" (
187
+ @echo Found existing downloaded package, deleting.
188
+ @del /f /q "%LOCAL_DESTINATION_MSI_PATH%"
189
+ @if ERRORLEVEL 1 (
190
+ echo Warning: Failed to delete pre-existing package with status code !ERRORLEVEL! > "&2"
191
+ )
192
+ ) else (
193
+ echo No existing downloaded packages to delete.
194
+ )
195
+
196
+ @rem If there is somehow a name collision, remove pre-existing log
197
+ @if EXIST "%CHEF_CLIENT_MSI_LOG_PATH%" del /f /q "%CHEF_CLIENT_MSI_LOG_PATH%"
198
+
199
+ @echo Attempting to download client package using PowerShell if available...
200
+ @set "REMOTE_SOURCE_MSI_URL=https://www.chef.io/chef/download?p=windows&pv=%MACHINE_OS%&m=%MACHINE_ARCH%&DownloadContext=PowerShell&v=12"
201
+ @set powershell_download=powershell.exe -ExecutionPolicy Unrestricted -NoProfile -NonInteractive -File C:\chef\wget.ps1 "%REMOTE_SOURCE_MSI_URL%" "%LOCAL_DESTINATION_MSI_PATH%"
202
+ @echo !powershell_download!
203
+ @call !powershell_download!
204
+
205
+ @set DOWNLOAD_ERROR_STATUS=!ERRORLEVEL!
206
+
207
+ @if ERRORLEVEL 1 (
208
+ @echo Failed PowerShell download with status code !DOWNLOAD_ERROR_STATUS! > "&2"
209
+ @if !DOWNLOAD_ERROR_STATUS!==0 set DOWNLOAD_ERROR_STATUS=2
210
+ ) else (
211
+ @rem Sometimes the error level is not set even when the download failed,
212
+ @rem so check for the file to be sure it is there -- if it is not, we will retry
213
+ @if NOT EXIST "%LOCAL_DESTINATION_MSI_PATH%" (
214
+ echo Failed download: download completed, but downloaded file not found > "&2"
215
+ set DOWNLOAD_ERROR_STATUS=2
216
+ ) else (
217
+ echo Download via PowerShell succeeded.
218
+ )
219
+ )
220
+
221
+ @if NOT %DOWNLOAD_ERROR_STATUS%==0 (
222
+ @echo Warning: Failed to download "%REMOTE_SOURCE_MSI_URL%" to "%LOCAL_DESTINATION_MSI_PATH%"
223
+ @echo Warning: Retrying download with cscript ...
224
+
225
+ @if EXIST "%LOCAL_DESTINATION_MSI_PATH%" del /f /q "%LOCAL_DESTINATION_MSI_PATH%"
226
+
227
+ @set "REMOTE_SOURCE_MSI_URL=https://www.chef.io/chef/download?p=windows&pv=%MACHINE_OS%&m=%MACHINE_ARCH%&v=12"
228
+ cscript /nologo C:\chef\wget.vbs /url:"%REMOTE_SOURCE_MSI_URL%" /path:"%LOCAL_DESTINATION_MSI_PATH%"
229
+
230
+ @if NOT ERRORLEVEL 1 (
231
+ @rem Sometimes the error level is not set even when the download failed,
232
+ @rem so check for the file to be sure it is there.
233
+ @if NOT EXIST "%LOCAL_DESTINATION_MSI_PATH%" (
234
+ echo Failed download: download completed, but downloaded file not found > "&2"
235
+ echo Exiting without bootstrapping due to download failure. > "&2"
236
+ exit /b 1
237
+ ) else (
238
+ echo Download via cscript succeeded.
239
+ )
240
+ ) else (
241
+ echo Failed to download "%REMOTE_SOURCE_MSI_URL%" with status code !ERRORLEVEL!. > "&2"
242
+ echo Exiting without bootstrapping due to download failure. > "&2"
243
+ exit /b 1
244
+ )
245
+ )
246
+
247
+ @echo Installing downloaded client package...
248
+
249
+ msiexec /qn /log "%CHEF_CLIENT_MSI_LOG_PATH%" /i "%LOCAL_DESTINATION_MSI_PATH%"
250
+ @set MSIERRORCODE=!ERRORLEVEL!
251
+ @if ERRORLEVEL 1 (
252
+ @echo WARNING: Failed to install Chef Client MSI package in remote context with status code !MSIERRORCODE!.
253
+ @echo WARNING: This may be due to a defect in operating system update KB2918614: http://support.microsoft.com/kb/2918614
254
+ @set OLDLOGLOCATION="%CHEF_CLIENT_MSI_LOG_PATH%-fail.log"
255
+ @move "%CHEF_CLIENT_MSI_LOG_PATH%" "!OLDLOGLOCATION!" > NUL
256
+ @echo WARNING: Saving installation log of failure at !OLDLOGLOCATION!
257
+ @echo WARNING: Retrying installation with local context...
258
+ @schtasks /create /f /sc once /st 00:00:00 /tn chefclientbootstraptask /ru SYSTEM /rl HIGHEST /tr "cmd /c msiexec /qn /log '%CHEF_CLIENT_MSI_LOG_PATH%' /i '%LOCAL_DESTINATION_MSI_PATH%' & sleep 2 & waitfor /s %computername% /si chefclientinstalldone"
259
+
260
+ @if ERRORLEVEL 1 (
261
+ @echo ERROR: Failed to create Chef Client installation scheduled task with status code !ERRORLEVEL! > "&2"
262
+ ) else (
263
+ @echo Successfully created scheduled task to install Chef Client.
264
+ @schtasks /run /tn chefclientbootstraptask
265
+ @if ERRORLEVEL 1 (
266
+ @echo ERROR: Failed to execut Chef Client installation scheduled task with status code !ERRORLEVEL!. > "&2"
267
+ ) else (
268
+ @echo Successfully started Chef Client installation scheduled task.
269
+ @echo Waiting for installation to complete -- this may take a few minutes...
270
+ waitfor chefclientinstalldone /t 600
271
+ if ERRORLEVEL 1 (
272
+ @echo ERROR: Timed out waiting for Chef Client package to install
273
+ ) else (
274
+ @echo Finished waiting for Chef Client package to install.
275
+ )
276
+ @schtasks /delete /f /tn chefclientbootstraptask > NUL
277
+ )
278
+ )
279
+ ) else (
280
+ @echo Successfully installed Chef Client package.
281
+ )
282
+
283
+
284
+ @if ERRORLEVEL 1 (
285
+ echo Chef-client package failed to install with status code !ERRORLEVEL!. > "&2"
286
+ echo See installation log for additional detail: %CHEF_CLIENT_MSI_LOG_PATH%. > "&2"
287
+ ) else (
288
+ @echo Installation completed successfully
289
+ del /f /q "%CHEF_CLIENT_MSI_LOG_PATH%"
290
+ )
291
+
292
+
293
+ @endlocal
294
+
295
+ @echo off
296
+
297
+
298
+ echo Writing validation key...
299
+
300
+
301
+ echo Validation key written.
302
+ @echo on
303
+
304
+
305
+
306
+
307
+ > C:\chef\client.rb (
308
+ echo.log_level :info
309
+ echo.log_location STDOUT
310
+ echo.
311
+ echo.chef_server_url "https://localhost:443"
312
+ echo.validation_client_name "chef-validator"
313
+ echo.
314
+ echo.file_cache_path "c:/chef/cache"
315
+ echo.file_backup_path "c:/chef/backup"
316
+ echo.cache_options ^({:path =^> "c:/chef/cache/checksums", :skip_expires =^> true}^)
317
+ echo.
318
+ echo.# Using default node name ^(fqdn^)
319
+
320
+ )
321
+
322
+ > C:\chef\first-boot.json (
323
+ echo.{"run_list":null}
324
+ )
325
+
326
+ @echo Starting chef to bootstrap the node...
327
+ SET "PATH=%PATH%;C:\ruby\bin;C:\opscode\chef\bin;C:\opscode\chef\embedded\bin"
328
+ chef-client -c c:/chef/client.rb -j c:/chef/first-boot.json
329
+
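Review bot: between the download and `msiexec /qn /log ... /i "%LOCAL_DESTINATION_MSI_PATH%"` there is no integrity check on the MSI. The only check is `@if NOT EXIST "%LOCAL_DESTINATION_MSI_PATH%"`, and on the retry path the same file is installed by a scheduled task created with `/ru SYSTEM /rl HIGHEST`. The file sits in `%TEMP%` under a fixed name, so verifying a published checksum or the Authenticode signature before either install attempt would close that gap. Separately, the final `@if ERRORLEVEL 1` near the end tests whichever command ran last in the preceding block rather than the saved `MSIERRORCODE`, so a failed install followed by a successful `schtasks /delete` can be reported as "Installation completed successfully".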
@@ -133,8 +133,9 @@ describe 'Knife::Windows::Core msi download functionality for knife Windows winr
133
133
  end
134
134
 
135
135
  allow(winrm_bootstrapper).to receive(:wait_for_remote_response)
136
+ allow(winrm_bootstrapper).to receive(:validate_options!)
136
137
  winrm_bootstrapper.config[:template_file] = @template_file_path
137
-
138
+ winrm_bootstrapper.config[:run_list] = []
138
139
  # Execute the commands locally that would normally be executed via WinRM
139
140
  allow(winrm_bootstrapper).to receive(:run_command) do |command|
140
141
  system(command)
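Review bot: `allow(winrm_bootstrapper).to receive(:validate_options!)` and `winrm_bootstrapper.config[:run_list] = []` are added together with no comment saying which one the newer client needs. With `validate_options!` stubbed out, this functional spec no longer exercises option validation at all, and the empty `run_list` may be redundant. Keep only the one that is required and state the reason in a comment, so the stub can be removed when it is no longer needed.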
@@ -147,7 +148,7 @@ describe 'Knife::Windows::Core msi download functionality for knife Windows winr
147
148
  end
148
149
  end
149
150
 
150
- describe "bootstrap_install_command functionality through WinRM protocol", :if_chef_11 => true, :chef_lt_12_5_only => true do
151
+ describe "bootstrap_install_command functionality through WinRM protocol", :if_chef_11 => true do
151
152
  context "bootstrap_install_command option is not specified" do
152
153
  let(:bootstrap) { Chef::Knife::BootstrapWindowsWinrm.new([]) }
153
154
  before do
@@ -155,10 +156,18 @@ describe "bootstrap_install_command functionality through WinRM protocol", :if_c
155
156
  @template_output = sample_data('win_template_rendered_without_bootstrap_install_command.txt')
156
157
  end
157
158
 
158
- it "bootstrap_install_command option is not rendered in the windows-chef-client-msi.erb template as its value is nil" do
159
+ it "bootstrap_install_command option is not rendered in the windows-chef-client-msi.erb template as its value is nil", :chef_lt_12_5_only => true do
159
160
  expect(bootstrap.send(:render_template,@template_input)).to eq(
160
161
  @template_output)
161
162
  end
163
+
164
+ context "when running chef-client 12.5.0 or greater", :chef_gte_12_5_only => true do
165
+ let(:template_12_5_output) { sample_data('win_template_rendered_without_bootstrap_install_command_on_12_5_client.txt') }
166
+ it "bootstrap_install_command option is not rendered in the windows-chef-client-msi.erb template as its value is nil" do
167
+ expect(bootstrap.send(:render_template,@template_input)).to eq(
168
+ template_12_5_output)
169
+ end
170
+ end
162
171
  end
163
172
 
164
173
  context "bootstrap_install_command option is specified" do
@@ -169,11 +178,19 @@ describe "bootstrap_install_command functionality through WinRM protocol", :if_c
169
178
  @template_output = sample_data('win_template_rendered_with_bootstrap_install_command.txt')
170
179
  end
171
180
 
172
- it "bootstrap_install_command option is rendered in the windows-chef-client-msi.erb template" do
181
+ it "bootstrap_install_command option is rendered in the windows-chef-client-msi.erb template", :chef_lt_12_5_only => true do
173
182
  expect(bootstrap.send(:render_template,@template_input)).to eq(
174
183
  @template_output)
175
184
  end
176
185
 
186
+ context "when running chef-client 12.5.0 or greater", :chef_gte_12_5_only => true do
187
+ let(:template_12_5_output) { sample_data('win_template_rendered_with_bootstrap_install_command_on_12_5_client.txt') }
188
+ it "bootstrap_install_command option is rendered in the windows-chef-client-msi.erb template" do
189
+ expect(bootstrap.send(:render_template,@template_input)).to eq(
190
+ template_12_5_output)
191
+ end
192
+ end
193
+
177
194
  after do
178
195
  bootstrap.config.delete(:bootstrap_install_command)
179
196
  Chef::Config[:knife].delete(:bootstrap_install_command)
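Review bot: the new `context "when running chef-client 12.5.0 or greater"` here repeats the `it` description and body of the example above it and of the context added in the previous hunk, differing only in the fixture name passed to `sample_data`. Choosing the fixture by client version in one `let` would leave a single example per case and remove the paired `:chef_lt_12_5_only` / `:chef_gte_12_5_only` tags. Comparing the full rendered script with `eq` also means any whitespace change in the template fails all four examples, so asserting on the lines that actually differ between versions would give a clearer failure.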
@@ -94,8 +94,6 @@ expected: #{expected}
94
94
  :use_sudo,
95
95
  :use_sudo_password,
96
96
  :encrypt, # irrelevant during bootstrap
97
- :policy_name, # NYI, issue https://github.com/chef/knife-windows/issues/295
98
- :policy_group, #https://github.com/chef/knife-windows/issues/295
99
97
  ]}
100
98
 
101
99
  # win_ignore: Options in windows that aren't relevant to core.
@@ -134,8 +132,6 @@ expected: #{expected}
134
132
  :use_sudo,
135
133
  :use_sudo_password,
136
134
  :encrypt, # irrelevant during bootstrap
137
- :policy_name, # NYI, issue https://github.com/chef/knife-windows/issues/295
138
- :policy_group, #https://github.com/chef/knife-windows/issues/295
139
135
  ]}
140
136
  # win_ignore: Options in windows that aren't relevant to core.
141
137
  let(:win_ignore) { [
@@ -26,6 +26,8 @@ describe Chef::Knife::BootstrapWindowsWinrm do
26
26
  end
27
27
 
28
28
  before do
29
+ bootstrap.config[:run_list] = []
30
+ allow(bootstrap).to receive(:validate_options!).and_return(nil)
29
31
  # Kernel.stub(:sleep).and_return 10
30
32
  allow(bootstrap).to receive(:sleep).and_return(10)
31
33
  allow(File).to receive(:exist?).with(File.expand_path(Chef::Config[:validation_key])).and_return(true)
@@ -173,6 +175,7 @@ describe Chef::Knife::BootstrapWindowsWinrm do
173
175
  allow(bootstrap).to receive(:create_bootstrap_bat_command).and_raise(SystemExit)
174
176
  expect(bootstrap).to receive(:wait_for_remote_response).with(2)
175
177
  allow(bootstrap).to receive(:validate_name_args!).and_return(nil)
178
+
176
179
  allow(bootstrap.ui).to receive(:info)
177
180
  bootstrap.config[:auth_timeout] = bootstrap.options[:auth_timeout][:default]
178
181
  expect { bootstrap.bootstrap }.to raise_error(SystemExit)
@@ -26,10 +26,15 @@ describe Chef::Knife::WinrmSession do
26
26
  let(:options) { { transport: :plaintext } }
27
27
 
28
28
  before do
29
+ @original_config = Chef::Config.hash_dup
29
30
  allow(WinRM::WinRMWebService).to receive(:new).and_return(winrm_service)
30
31
  allow(winrm_service).to receive(:set_timeout)
31
32
  end
32
33
 
34
+ after do
35
+ Chef::Config.configuration = @original_config
36
+ end
37
+
33
38
  subject { Chef::Knife::WinrmSession.new(options) }
34
39
 
35
40
  describe "#initialize" do
@@ -41,6 +46,19 @@ describe Chef::Knife::WinrmSession do
41
46
  subject
42
47
  end
43
48
  end
49
+
50
+ context "when a proxy is configured" do
51
+ let(:proxy_uri) { 'blah.com' }
52
+
53
+ before do
54
+ Chef::Config[:http_proxy] = proxy_uri
55
+ end
56
+
57
+ it "sets the http_proxy to the configured proxy" do
58
+ subject
59
+ expect(ENV['HTTP_PROXY']).to eq("http://#{proxy_uri}")
60
+ end
61
+ end
44
62
  end
45
63
 
46
64
  describe "#relay_command" do
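Review bot: the new example asserts on `ENV['HTTP_PROXY']`, but the `after` hook added in the previous hunk restores only `Chef::Config.configuration`. The `http://blah.com` value therefore stays in the process environment for every example that runs afterwards, in this file and in others. Save and restore `ENV['HTTP_PROXY']` (and any other proxy variables the call sets) in the same `before`/`after` pair.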
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: knife-windows
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.0
4
+ version: 1.1.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Seth Chisamore
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2015-10-01 00:00:00.000000000 Z
11
+ date: 2015-10-13 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: winrm
@@ -109,7 +109,9 @@ files:
109
109
  - lib/knife-windows/path_helper.rb
110
110
  - lib/knife-windows/version.rb
111
111
  - spec/assets/win_template_rendered_with_bootstrap_install_command.txt
112
+ - spec/assets/win_template_rendered_with_bootstrap_install_command_on_12_5_client.txt
112
113
  - spec/assets/win_template_rendered_without_bootstrap_install_command.txt
114
+ - spec/assets/win_template_rendered_without_bootstrap_install_command_on_12_5_client.txt
113
115
  - spec/assets/win_template_unrendered.txt
114
116
  - spec/functional/bootstrap_download_spec.rb
115
117
  - spec/spec_helper.rb
@@ -152,7 +154,9 @@ test_files:
152
154
  - features/knife_help.feature
153
155
  - features/support/env.rb
154
156
  - spec/assets/win_template_rendered_with_bootstrap_install_command.txt
157
+ - spec/assets/win_template_rendered_with_bootstrap_install_command_on_12_5_client.txt
155
158
  - spec/assets/win_template_rendered_without_bootstrap_install_command.txt
159
+ - spec/assets/win_template_rendered_without_bootstrap_install_command_on_12_5_client.txt
156
160
  - spec/assets/win_template_unrendered.txt
157
161
  - spec/functional/bootstrap_download_spec.rb
158
162
  - spec/spec_helper.rb