knife-windows 1.1.0 → 1.1.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (52) hide show
  1. checksums.yaml +4 -4
  2. data/.gitignore +5 -5
  3. data/.travis.yml +20 -20
  4. data/CHANGELOG.md +87 -83
  5. data/DOC_CHANGES.md +20 -20
  6. data/Gemfile +12 -12
  7. data/LICENSE +201 -201
  8. data/README.md +396 -396
  9. data/RELEASE_NOTES.md +34 -34
  10. data/Rakefile +21 -21
  11. data/appveyor.yml +42 -42
  12. data/ci.gemfile +15 -15
  13. data/features/knife_help.feature +20 -20
  14. data/features/support/env.rb +5 -5
  15. data/knife-windows.gemspec +28 -28
  16. data/lib/chef/knife/bootstrap/windows-chef-client-msi.erb +247 -247
  17. data/lib/chef/knife/bootstrap_windows_base.rb +407 -401
  18. data/lib/chef/knife/bootstrap_windows_ssh.rb +110 -110
  19. data/lib/chef/knife/bootstrap_windows_winrm.rb +95 -102
  20. data/lib/chef/knife/core/windows_bootstrap_context.rb +362 -362
  21. data/lib/chef/knife/knife_windows_base.rb +33 -33
  22. data/lib/chef/knife/windows_cert_generate.rb +155 -155
  23. data/lib/chef/knife/windows_cert_install.rb +68 -68
  24. data/lib/chef/knife/windows_helper.rb +36 -36
  25. data/lib/chef/knife/windows_listener_create.rb +107 -107
  26. data/lib/chef/knife/winrm.rb +122 -212
  27. data/lib/chef/knife/winrm_base.rb +118 -118
  28. data/lib/chef/knife/winrm_knife_base.rb +309 -218
  29. data/lib/chef/knife/winrm_session.rb +82 -82
  30. data/lib/chef/knife/winrm_shared_options.rb +47 -47
  31. data/lib/chef/knife/wsman_endpoint.rb +44 -44
  32. data/lib/chef/knife/wsman_test.rb +95 -95
  33. data/lib/knife-windows/path_helper.rb +234 -234
  34. data/lib/knife-windows/version.rb +6 -6
  35. data/spec/assets/win_template_rendered_with_bootstrap_install_command.txt +217 -217
  36. data/spec/assets/win_template_rendered_with_bootstrap_install_command_on_12_5_client.txt +217 -217
  37. data/spec/assets/win_template_rendered_without_bootstrap_install_command.txt +329 -329
  38. data/spec/assets/win_template_rendered_without_bootstrap_install_command_on_12_5_client.txt +329 -329
  39. data/spec/assets/win_template_unrendered.txt +246 -246
  40. data/spec/functional/bootstrap_download_spec.rb +234 -233
  41. data/spec/spec_helper.rb +88 -88
  42. data/spec/unit/knife/bootstrap_options_spec.rb +148 -146
  43. data/spec/unit/knife/bootstrap_template_spec.rb +92 -92
  44. data/spec/unit/knife/bootstrap_windows_winrm_spec.rb +259 -243
  45. data/spec/unit/knife/core/windows_bootstrap_context_spec.rb +151 -151
  46. data/spec/unit/knife/windows_cert_generate_spec.rb +90 -90
  47. data/spec/unit/knife/windows_cert_install_spec.rb +51 -51
  48. data/spec/unit/knife/windows_listener_create_spec.rb +76 -76
  49. data/spec/unit/knife/winrm_session_spec.rb +73 -73
  50. data/spec/unit/knife/winrm_spec.rb +551 -504
  51. data/spec/unit/knife/wsman_test_spec.rb +178 -175
  52. metadata +3 -23
data/README.md CHANGED
@@ -1,396 +1,396 @@
1
- Knife Windows Plugin
2
- ====================
3
- [![Build Status Master](https://travis-ci.org/chef/knife-windows.svg?branch=master)](https://travis-ci.org/chef/knife-windows)
4
- [![Build Status Master](https://ci.appveyor.com/api/projects/status/github/chef/knife-windows?branch=master&svg=true&passingText=master%20-%20Ok&pendingText=master%20-%20Pending&failingText=master%20-%20Failing)](https://ci.appveyor.com/project/Chef/knife-windows/branch/master)
5
-
6
- This plugin adds additional functionality to the Chef Knife CLI tool for
7
- configuring / interacting with nodes running Microsoft Windows:
8
-
9
- * Bootstrap of nodes via the [Windows Remote Management (WinRM)](http://msdn.microsoft.com/en-us/library/aa384426\(v=VS.85\).aspx) or SSH protocols
10
- * Remote command execution using the WinRM protocol
11
- * Utilities to configure WinRM SSL endpoints on managed nodes
12
-
13
- ## Subcommands
14
-
15
- This plugin provides the following Knife subcommands. Specific command options can be found by invoking the subcommand with a `--help` flag
16
-
17
- ### knife winrm
18
-
19
- The `winrm` subcommand allows you to invoke commands in parallel on a subset of the nodes in your infrastructure. The `winrm` subcommand uses the same syntax as the [search subcommand](https://docs.chef.io/knife_search.html); you could could find the uptime of all your web servers using the command:
20
-
21
- knife winrm "role:web" "net stats srv" -x Administrator -P 'super_secret_password'
22
-
23
- Or force a chef run:
24
-
25
- knife winrm "myserver.myorganization.net" "chef-client -c c:/chef/client.rb" -m -x Administrator -P "super_secret_password"
26
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:49 +0000] INFO: Starting Chef Run (Version 0.9.12)
27
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:50 +0000] WARN: Node ip-0A502FFB has an empty run list.
28
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Chef Run complete in 4.383966 seconds
29
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: cleaning the checksum cache
30
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Running report handlers
31
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Report handlers complete
32
-
33
- This subcommand operates in a manner similar to [knife ssh](https://docs.chef.io/knife_ssh.html)...just leveraging the WinRM protocol for communication. It also includes `knife ssh`'s "[interactive session mode](https://docs.chef.io/knife_ssh.html#options)"
34
-
35
- ### knife bootstrap windows winrm
36
-
37
- Performs a Chef Bootstrap (via the WinRM protocol) on the target node. The goal of the bootstrap is to get Chef installed on the target system so it can run Chef Client with a Chef Server. The main assumption is a baseline OS installation exists. It is primarily intended for Chef Client systems that talk to a Chef server.
38
-
39
- This subcommand operates in a manner similar to [knife bootstrap](https://docs.chef.io/knife_bootstrap.html)...just leveraging the WinRM protocol for communication. An initial run_list for the node can also be passed to the subcommand. Example usage:
40
-
41
- knife bootstrap windows winrm myserver.myorganization.net -r 'role[webserver],role[production]' -x Administrator -P 'super_secret_password'
42
-
43
- #### Tip: Use SSL for WinRM communication
44
-
45
- By default, the `knife winrm` and `knife bootstrap windows winrm` subcommands use a plaintext transport,
46
- but they support an option `--winrm-transport` (or `-t`) with the argument
47
- `ssl` that allows the SSL to secure the WinRM payload. Here's an example:
48
-
49
- knife winrm -t ssl "role:web" "net stats srv" -x Administrator -P "super_secret_password" -f ~/server_public_cert.crt
50
-
51
- Use of SSL is strongly recommended, particularly when invoking `knife-windows` on non-Windows platforms, since
52
- without SSL there are limited options for ensuring the privacy of the
53
- plaintext transport. See the section on [Platform authentication
54
- support](#platform-winrm-authentication-support).
55
-
56
- SSL will become the default transport in future revisions of
57
- `knife-windows`.
58
-
59
- ### knife wsman test
60
-
61
- Connects to the remote WSMan/WinRM endpoint and verifies the remote node is listening. This is the equivalent of running Test-Wsman from PowerShell. Endpoints to test can be specified manually, or be driven by search and use many of the same connection options as knife winrm.
62
- To test a single node using the default WinRM port (5985)
63
-
64
- knife wsman test 192.168.1.10 -m
65
-
66
- or to test a single node with SSL enabled on the default port (5986)
67
-
68
- knife wsman test 192.168.1.10 -m --winrm-transport ssl
69
-
70
- or to test all windows nodes registered with your Chef Server organization
71
-
72
- knife wsman test platform:windows
73
-
74
- ### knife bootstrap windows ssh
75
-
76
- Performs a Chef Bootstrap (via the SSH protocol) on the target node. The goal of the bootstrap is to get Chef installed on the target system so it can run Chef Client with a Chef Server. The main assumption is a baseline OS installation exists. It is primarily intended for Chef Client systems that talk to a Chef server.
77
-
78
- This subcommand assumes the SSH session will use the Windows native cmd.exe command shell vs a bash shell through an emulated cygwin layer. Most popular Windows based SSHd daemons like [freeSSHd](http://www.freesshd.com/) and [WinSSHD](http://www.bitvise.com/winsshd) behave this way.
79
-
80
- An initial run_list for the node can also be passed to the subcommand. Example usage:
81
-
82
- knife bootstrap windows ssh myserver.myorganization.net -r "role[webserver],role[production]" -x Administrator -i ~/.ssh/id_rsa
83
-
84
- ### knife windows cert generate
85
-
86
- Generates a certificate(x509) containing a public / private key pair for WinRM 'SSL' communication.
87
- The certificate will be generated in three different formats *.pfx, *.b64 and *.pem.
88
- The PKCS12(i.e *.pfx) contains both the public and private keys, usually used on the server. This will be added to WinRM Server's Certificate Store.
89
- The *.b64 is Base64 PKCS12 key pair. Contains both the public and private keys, for upload to the Cloud REST API. e.g. Azure.
90
- The *.pem is Base64 encoded public certificate only. Required by the client to connect to the server.
91
- This command also displays the thumbprint of the generated certificate.
92
-
93
- knife windows cert generate --cert-passphrase "strong_passphrase" --hostname "myserver.myorganization.net" --output-file "~/server_cert.pfx"
94
- # This command will generate certificates in the user's home directory with names server_cert.b64, server_cert.pfx and server_cert.pem.
95
-
96
- ### knife windows cert install
97
-
98
- This command only functions on Windows. It adds the specified certificate to its certificate store. This command must include a valid PKCS12(i.e *.pfx) certificate file path.
99
-
100
- knife windows cert install "~/server_cert.pfx" --cert-passphrase "strong_passphrase"
101
-
102
- ### knife windows listener create
103
- This command only functions on Windows. It creates the winrm listener for SSL communication(i.e HTTPS).
104
- This command can also install certificate which is specified using --cert-install option and use the installed certificate thumbprint to create winrm listener.
105
- --hostname option is optional. Default value for hostname is *.
106
-
107
- knife windows listener create --cert-passphrase "strong_passphrase" --hostname "myserver.mydomain.net" --cert-install "~/server_cert.pfx"
108
-
109
- The command also allows you to use existing certificates from local store to create winrm listener. Use --cert-thumbprint option to specify the certificate thumbprint.
110
-
111
- knife windows listener create --cert-passphrase "strong_passphrase" --hostname "myserver.mydomain.net" --cert-thumbprint "bf0fef0bb41be40ceb66a3b38813ca489fe99746"
112
-
113
- You can get the thumbprint for existing certificates in the local store using the following PowerShell command:
114
-
115
- ls cert:\LocalMachine\My
116
-
117
- ## Bootstrap template
118
-
119
- This gem provides the bootstrap template `windows-chef-client-msi`,
120
- which does the following:
121
-
122
- * Installs the latest version of Chef Client (and all dependencies) using the `chef-client` msi.
123
- * Writes the validation.pem per the local knife configuration.
124
- * Writes a default config file for Chef (`C:\chef\client.rb`) using values from the `knife.rb`.
125
- * Creates a JSON attributes file containing the specified run list and run Chef.
126
-
127
- This template is used by both `knife windows bootstrap winrm` and `knife windows bootstrap ssh` subcommands.
128
-
129
- ## Requirements / setup
130
-
131
- ### Ruby
132
-
133
- Ruby 1.9.3+ is required.
134
-
135
- ### Chef version
136
-
137
- This knife plugins requires >= Chef 11.0.0. More details about Knife plugins can be
138
- [found in the Chef documentation](https://docs.chef.io/plugin_knife.html).
139
-
140
- ## Nodes
141
-
142
- ### WinRM versions
143
-
144
- The node must be running Windows Remote Management (WinRM) 2.0+. WinRM
145
- allows you to call native objects in Windows. This includes, but is not
146
- limited to, running PowerShell scripts, batch scripts, and fetching WMI
147
- data. For more information on WinRM, please visit
148
- [Microsoft's WinRM site](http://msdn.microsoft.com/en-us/library/aa384426\(v=VS.85\).aspx).
149
-
150
- WinRM is built into Windows 7 and Windows Server 2008+. It can also [be installed](https://support.microsoft.com/en-us/kb/968929) on older version of Windows, including:
151
-
152
- * Windows Server 2003
153
- * Windows Vista
154
-
155
- ### WinRM configuration
156
-
157
- **NOTE**: Before any WinRM related knife subcommands will function
158
- a node's WinRM installation must be configured correctly.
159
- The settings below must be added to your base server image or passed
160
- in using some sort of user-data mechanism provided by your cloud
161
- provider. Some cloud providers will set up the required WinRM
162
- configuration through the cloud API for creating instances -- see
163
- the documentation for the provider.
164
-
165
- A server running WinRM must also be configured properly to allow
166
- outside connections for the entire network path from the knife workstation to the server. The easiest way to accomplish this is to use [WinRM's quick configuration option](http://msdn.microsoft.com/en-us/library/aa384372\(v=vs.85\).aspx#quick_default_configuration):
167
-
168
- winrm quickconfig -q
169
-
170
- This will set up an WinRM listener using the HTTP (plaintext)
171
- transport -- WinRM also supports the SSL transport for improved
172
- robustness against information disclosure and other threats.
173
-
174
- The chef-client installation and bootstrap may take more
175
- memory than the default 150MB WinRM allocates per shell on older versions of
176
- Windows (prior to Windows Server 2012) -- this can slow down
177
- bootstrap or cause it to fail. The memory limit was increased to 1GB with Windows Management Framework 3
178
- (and Server 2012). However, there is a bug in Windows Management Framework 3
179
- (and Server 2012) which requires a [hotfix from Microsoft](https://support.microsoft.com/en-us/kb/2842230/en-us).
180
- You can increase the memory limit to 1GB with the following PowerShell
181
- command:
182
-
183
- ```powershell
184
- set-item wsman:\localhost\shell\maxmemorypershellmb 1024
185
- ```
186
-
187
- Bootstrap commands can take longer than the WinRM default 60 seconds to
188
- complete, optionally increase to 30 minutes if bootstrap terminates a command prematurely:
189
-
190
- ```powershell
191
- set-item wsman:\localhost\MaxTimeoutms 300000
192
- ```
193
-
194
- Note that the `winrm` command itself supports the same configuration
195
- capabilities as the PowerShell commands given above -- if you need to
196
- configure WinRM without using PowerShell, use `winrm -?` to get help.
197
-
198
- WinRM supports both the HTTP and HTTPS (SSL) transports and the following
199
- authentication schemes: Kerberos, Digest, Certificate and Basic. The details
200
- of these authentication transports are outside of the scope of this
201
- README but details can be found on the
202
- [WinRM configuration guide](http://msdn.microsoft.com/en-us/library/aa384372\(v=vs.85\).aspx).
203
-
204
- #### Configure SSL on a Windows node
205
-
206
- WinRM supports use of SSL to provide privacy and integrity of
207
- communication using the protocol and to prevent spoofing attacks.
208
-
209
- ##### Configure SSL using `knife`
210
-
211
- `knife-windows` includes three commands to assist with SSL
212
- configuration -- these commands support all versions of Windows and do
213
- not rely on PowerShell:
214
-
215
- * `knife windows cert generate`: creates a certificate that may be used
216
- to configure an SSL WinRM listener
217
-
218
- * `knife windows cert install`: Installs a certificate into the
219
- Windows certificate store so it can be used to configure an SSL
220
- WinRM listener.
221
-
222
- * `knife windows listener create`: Creates a WinRM listener on a
223
- Windows node -- it can use either a certificate already installed in
224
- the Windows certificate store, or one created by other tools
225
- including the `knife windows cert generate` command.
226
-
227
- Here is an example that configures a listener on the node on which the
228
- commands are executed:
229
-
230
- knife windows cert generate --domain myorg.org --output-file $env:userprofile/winrmcerts/winrm-ssl
231
- knife windows listener create --hostname *.myorg.org --cert-install $env:userprofile/winrmcerts/winrm-ssl.pfx
232
-
233
- Note that the first command which generates the certificate for the
234
- listener could be executed from any system that can run `knife` as
235
- long as the certificate it generates is made available at a path at
236
- which the second command can access it.
237
-
238
- See previous sections for additional details of the `windows cert generate`, `windows cert install` and `windows listener create` subcommands.
239
-
240
- ##### Configure SSL using *Windows Server 2012 or later*
241
- The following PowerShell commands may be used to create an SSL WinRM
242
- listener with a self-signed certificate on Windows 2012R2 or later systems:
243
-
244
- ```powershell
245
- $cert = New-SelfSignedCertificate -DnsName 'myserver.mydomain.org' -CertStoreLocation Cert:\LocalMachine\My
246
- new-item -address * -force -path wsman:\localhost\listener -port 5986 -hostname ($cert.subject -split '=')[1] -transport https -certificatethumbprint $cert.Thumbprint
247
- # Open the firewall for 5986, the default WinRM SSL port
248
- netsh advfirewall firewall set rule name="Windows Remote Management (HTTPS-In)" profile=public protocol=tcp localport=5986 remoteip=localsubnet new remoteip=any
249
-
250
- ```
251
-
252
- Note that the first command which uses the `New-SelfSignedCertificate`
253
- cmdlet is available only in PowerShell version 4.0 and later.
254
-
255
- ##### Configure SSL using `winrm quickconfig`
256
-
257
- The following command can configure an SSL WinRM listener if the
258
- Windows certificate store's Local Machine store contains a certificate
259
- that meets certain criteria that are most likely to be met if the
260
- system is joined to a Windows Active Directory domain:
261
-
262
- winrm quickconfig -transport:https -q
263
-
264
- If the criteria are not met, an error message will follow with
265
- guidance on the certificate requirements; you may need to obtain a
266
- certificate from the appropriate source or use the PowerShell or
267
- `knife` techniques given above to create the listener instead.
268
-
269
- ##### Disabling peer verification
270
- In the SSL examples above, the `-f` parameter was used to supply a
271
- certificate that could validate the identity of the remote server.
272
- For debugging purposes, this validation may be skipped if you have not
273
- obtained a public certificate that can validate the server. Here is an
274
- example:
275
-
276
- knife winrm -m 192.168.0.6 -x "mydomain\myuser" -P $PASSWD -t ssl --winrm-ssl-verify-mode verify_none ipconfig
277
-
278
- This option should be used carefully since disabling the verification of the
279
- remote system's certificate can subject knife commands to spoofing attacks.
280
-
281
- ## WinRM authentication
282
-
283
- The default authentication protocol for `knife-windows` subcommands that use
284
- WinRM is the Negotiate protocol. The following commands when executed on a
285
- Windows system show authentication for domain and local accounts respectively:
286
-
287
- knife bootstrap windows winrm web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password"
288
- knife bootstrap windows winrm db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password"
289
-
290
- The commands above are using the default plaintext transport for WinRM --
291
- the default of Negotiate authentication may not be fully supported on
292
- non-Windows systems using the plaintext transport. To work around this, the
293
- remote system can be configured with an SSL WinRM listener instead of a
294
- plaintext listener. Then the above commands should be modified to use the SSL
295
- transport as follows using the `-t` (or `--winrm-transport`) option with the
296
- `ssl` argument:
297
-
298
- knife bootstrap windows winrm -t ssl web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password" -f ~/mycert.crt
299
- knife bootstrap windows winrm -t ssl db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password" ~/mycert.crt
300
-
301
- The commands using SSL above will work from any operating system, not
302
- just Windows.
303
-
304
- ### Troubleshooting authentication
305
-
306
- For development and testing purposes, unencrypted traffic with Basic
307
- authentication can make it easier to test connectivity. The configuration for
308
- the remote system may be accomplished with the following PowerShell commands:
309
-
310
- ```powershell
311
- set-item wsman:\localhost\service\allowunencrypted $true
312
- set-item wsman:\localhost\service\auth\basic $true
313
- ```
314
- To test connectivity via `knife-windows` from another system, the default
315
- authentication protocol of Negotiate must be overridden using the
316
- `--winrm-authentication-protocol` option with the desired protocol, in this
317
- case Basic:
318
-
319
- knife winrm -m web1.cloudapp.net --winrm-authentication-protocol basic ipconfig -x localadmin -P "super_secret_password"
320
-
321
- Note that when using Basic authentication, domain accounts may not be used for
322
- authentication; an account local to the remote system must be used.
323
-
324
- ### Platform WinRM authentication support
325
-
326
- `knife-windows` supports `Kerberos`, `Negotiate`, and `Basic` authentication
327
- for WinRM communication. However, some of these protocols
328
- may not work with `knife-windows` on non-Windows systems because
329
- `knife-windows` relies on operating system libraries such as GSSAPI to implement
330
- Windows authentication, and some versions of these libraries do not
331
- fully implement the protocols.
332
-
333
- The following table shows the authentication protocols that can be used with
334
- `knife-windows` depending on whether the knife workstation is a Windows
335
- system, the transport, and whether or not the target user is a domain user or
336
- local to the target Windows system.
337
-
338
- | Workstation OS / Account Scope | SSL | Plaintext |
339
- |--------------------------------|------------------------------|----------------------------|
340
- | Windows / Local | Kerberos, Negotiate* , Basic | Kerberos, Negotiate, Basic |
341
- | Windows / Domain | Kerberos, Negotiate | Kerberos, Negotiate |
342
- | Non-Windows / Local | Kerberos, [Negotiate*](https://github.com/chef/knife-windows/issues/176) Basic | Kerberos, Basic |
343
- | Non-Windows / Domain | Kerberos, Negotiate | Kerberos |
344
-
345
- > \* There is a known defect in the `knife winrm` and `knife bootstrap windows
346
- > winrm` subcommands invoked on any OS platform when authenticating with the Negotiate protocol over
347
- > the SSL transport. The defect is tracked by
348
- > [knife-windows issue #176](https://github.com/chef/knife-windows/issues/176): If the remote system is
349
- > domain-joined, local accounts may not be used to authenticate via Negotiate
350
- > over SSL -- only domain accounts will work. Local accounts will only
351
- > successfully authenticate if the system is not joined to a domain.
352
- >
353
- > This is generally not an issue for bootstrap scenarios, where the
354
- > system has yet to be joined to any domain, but can be a problem for remote
355
- > management cases after the system is domain joined. Workarounds include using
356
- > a domain account instead, or enabling Basic authentication on the remote
357
- > system (unencrypted communication **does not** need to be enabled to make
358
- > Basic authentication function over SSL).
359
-
360
- ## General troubleshooting
361
-
362
- * Windows 2008R2 and earlier versions require an extra configuration
363
- for MaxTimeoutms to avoid WinRM::WinRMHTTPTransportError: Bad HTTP
364
- response error while bootstrapping. It should be at least 300000.
365
-
366
- `set-item wsman:\\localhost\\MaxTimeoutms 300000`
367
-
368
- * When I run the winrm command I get: "Error: Invalid use of command line. Type "winrm -?" for help."
369
- You're running the winrm command from PowerShell and you need to put the key/value pair in single quotes. For example:
370
-
371
- `winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'`
372
-
373
-
374
- ## CONTRIBUTING:
375
-
376
- Please file bugs against the KNIFE_WINDOWS project at https://github.com/chef/knife-windows/issues.
377
-
378
- More information on the contribution process for Chef projects can be found in the [Chef Contributions document](http://docs.chef.io/community_contributions.html).
379
-
380
- # LICENSE:
381
-
382
- Author:: Seth Chisamore (<schisamo@chef.io>)
383
- Copyright:: Copyright (c) 2015 Chef Software, Inc.
384
- License:: Apache License, Version 2.0
385
-
386
- Licensed under the Apache License, Version 2.0 (the "License");
387
- you may not use this file except in compliance with the License.
388
- You may obtain a copy of the License at
389
-
390
- http://www.apache.org/licenses/LICENSE-2.0
391
-
392
- Unless required by applicable law or agreed to in writing, software
393
- distributed under the License is distributed on an "AS IS" BASIS,
394
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
395
- See the License for the specific language governing permissions and
396
- limitations under the License.
1
+ Knife Windows Plugin
2
+ ====================
3
+ [![Build Status Master](https://travis-ci.org/chef/knife-windows.svg?branch=master)](https://travis-ci.org/chef/knife-windows)
4
+ [![Build Status Master](https://ci.appveyor.com/api/projects/status/github/chef/knife-windows?branch=master&svg=true&passingText=master%20-%20Ok&pendingText=master%20-%20Pending&failingText=master%20-%20Failing)](https://ci.appveyor.com/project/Chef/knife-windows/branch/master)
5
+
6
+ This plugin adds additional functionality to the Chef Knife CLI tool for
7
+ configuring / interacting with nodes running Microsoft Windows:
8
+
9
+ * Bootstrap of nodes via the [Windows Remote Management (WinRM)](http://msdn.microsoft.com/en-us/library/aa384426\(v=VS.85\).aspx) or SSH protocols
10
+ * Remote command execution using the WinRM protocol
11
+ * Utilities to configure WinRM SSL endpoints on managed nodes
12
+
13
+ ## Subcommands
14
+
15
+ This plugin provides the following Knife subcommands. Specific command options can be found by invoking the subcommand with a `--help` flag
16
+
17
+ ### knife winrm
18
+
19
+ The `winrm` subcommand allows you to invoke commands in parallel on a subset of the nodes in your infrastructure. The `winrm` subcommand uses the same syntax as the [search subcommand](https://docs.chef.io/knife_search.html); you could could find the uptime of all your web servers using the command:
20
+
21
+ knife winrm "role:web" "net stats srv" -x Administrator -P 'super_secret_password'
22
+
23
+ Or force a chef run:
24
+
25
+ knife winrm "myserver.myorganization.net" "chef-client -c c:/chef/client.rb" -m -x Administrator -P "super_secret_password"
26
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:49 +0000] INFO: Starting Chef Run (Version 0.9.12)
27
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:50 +0000] WARN: Node ip-0A502FFB has an empty run list.
28
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Chef Run complete in 4.383966 seconds
29
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: cleaning the checksum cache
30
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Running report handlers
31
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Report handlers complete
32
+
33
+ This subcommand operates in a manner similar to [knife ssh](https://docs.chef.io/knife_ssh.html)...just leveraging the WinRM protocol for communication. It also includes `knife ssh`'s "[interactive session mode](https://docs.chef.io/knife_ssh.html#options)"
34
+
35
+ ### knife bootstrap windows winrm
36
+
37
+ Performs a Chef Bootstrap (via the WinRM protocol) on the target node. The goal of the bootstrap is to get Chef installed on the target system so it can run Chef Client with a Chef Server. The main assumption is a baseline OS installation exists. It is primarily intended for Chef Client systems that talk to a Chef server.
38
+
39
+ This subcommand operates in a manner similar to [knife bootstrap](https://docs.chef.io/knife_bootstrap.html)...just leveraging the WinRM protocol for communication. An initial run_list for the node can also be passed to the subcommand. Example usage:
40
+
41
+ knife bootstrap windows winrm myserver.myorganization.net -r 'role[webserver],role[production]' -x Administrator -P 'super_secret_password'
42
+
43
+ #### Tip: Use SSL for WinRM communication
44
+
45
+ By default, the `knife winrm` and `knife bootstrap windows winrm` subcommands use a plaintext transport,
46
+ but they support an option `--winrm-transport` (or `-t`) with the argument
47
+ `ssl` that allows the SSL to secure the WinRM payload. Here's an example:
48
+
49
+ knife winrm -t ssl "role:web" "net stats srv" -x Administrator -P "super_secret_password" -f ~/server_public_cert.crt
50
+
51
+ Use of SSL is strongly recommended, particularly when invoking `knife-windows` on non-Windows platforms, since
52
+ without SSL there are limited options for ensuring the privacy of the
53
+ plaintext transport. See the section on [Platform authentication
54
+ support](#platform-winrm-authentication-support).
55
+
56
+ SSL will become the default transport in future revisions of
57
+ `knife-windows`.
58
+
59
+ ### knife wsman test
60
+
61
+ Connects to the remote WSMan/WinRM endpoint and verifies the remote node is listening. This is the equivalent of running Test-Wsman from PowerShell. Endpoints to test can be specified manually, or be driven by search and use many of the same connection options as knife winrm.
62
+ To test a single node using the default WinRM port (5985)
63
+
64
+ knife wsman test 192.168.1.10 -m
65
+
66
+ or to test a single node with SSL enabled on the default port (5986)
67
+
68
+ knife wsman test 192.168.1.10 -m --winrm-transport ssl
69
+
70
+ or to test all windows nodes registered with your Chef Server organization
71
+
72
+ knife wsman test platform:windows
73
+
74
+ ### knife bootstrap windows ssh
75
+
76
+ Performs a Chef Bootstrap (via the SSH protocol) on the target node. The goal of the bootstrap is to get Chef installed on the target system so it can run Chef Client with a Chef Server. The main assumption is a baseline OS installation exists. It is primarily intended for Chef Client systems that talk to a Chef server.
77
+
78
+ This subcommand assumes the SSH session will use the Windows native cmd.exe command shell vs a bash shell through an emulated cygwin layer. Most popular Windows based SSHd daemons like [freeSSHd](http://www.freesshd.com/) and [WinSSHD](http://www.bitvise.com/winsshd) behave this way.
79
+
80
+ An initial run_list for the node can also be passed to the subcommand. Example usage:
81
+
82
+ knife bootstrap windows ssh myserver.myorganization.net -r "role[webserver],role[production]" -x Administrator -i ~/.ssh/id_rsa
83
+
84
+ ### knife windows cert generate
85
+
86
+ Generates a certificate(x509) containing a public / private key pair for WinRM 'SSL' communication.
87
+ The certificate will be generated in three different formats *.pfx, *.b64 and *.pem.
88
+ The PKCS12(i.e *.pfx) contains both the public and private keys, usually used on the server. This will be added to WinRM Server's Certificate Store.
89
+ The *.b64 is Base64 PKCS12 key pair. Contains both the public and private keys, for upload to the Cloud REST API. e.g. Azure.
90
+ The *.pem is Base64 encoded public certificate only. Required by the client to connect to the server.
91
+ This command also displays the thumbprint of the generated certificate.
92
+
93
+ knife windows cert generate --cert-passphrase "strong_passphrase" --hostname "myserver.myorganization.net" --output-file "~/server_cert.pfx"
94
+ # This command will generate certificates in the user's home directory with names server_cert.b64, server_cert.pfx and server_cert.pem.
95
+
96
+ ### knife windows cert install
97
+
98
+ This command only functions on Windows. It adds the specified certificate to its certificate store. This command must include a valid PKCS12(i.e *.pfx) certificate file path.
99
+
100
+ knife windows cert install "~/server_cert.pfx" --cert-passphrase "strong_passphrase"
101
+
102
+ ### knife windows listener create
103
+ This command only functions on Windows. It creates the winrm listener for SSL communication(i.e HTTPS).
104
+ This command can also install certificate which is specified using --cert-install option and use the installed certificate thumbprint to create winrm listener.
105
+ --hostname option is optional. Default value for hostname is *.
106
+
107
+ knife windows listener create --cert-passphrase "strong_passphrase" --hostname "myserver.mydomain.net" --cert-install "~/server_cert.pfx"
108
+
109
+ The command also allows you to use existing certificates from local store to create winrm listener. Use --cert-thumbprint option to specify the certificate thumbprint.
110
+
111
+ knife windows listener create --cert-passphrase "strong_passphrase" --hostname "myserver.mydomain.net" --cert-thumbprint "bf0fef0bb41be40ceb66a3b38813ca489fe99746"
112
+
113
+ You can get the thumbprint for existing certificates in the local store using the following PowerShell command:
114
+
115
+ ls cert:\LocalMachine\My
116
+
117
+ ## Bootstrap template
118
+
119
+ This gem provides the bootstrap template `windows-chef-client-msi`,
120
+ which does the following:
121
+
122
+ * Installs the latest version of Chef Client (and all dependencies) using the `chef-client` msi.
123
+ * Writes the validation.pem per the local knife configuration.
124
+ * Writes a default config file for Chef (`C:\chef\client.rb`) using values from the `knife.rb`.
125
+ * Creates a JSON attributes file containing the specified run list and run Chef.
126
+
127
+ This template is used by both `knife windows bootstrap winrm` and `knife windows bootstrap ssh` subcommands.
128
+
129
+ ## Requirements / setup
130
+
131
+ ### Ruby
132
+
133
+ Ruby 1.9.3+ is required.
134
+
135
+ ### Chef version
136
+
137
+ This knife plugins requires >= Chef 11.0.0. More details about Knife plugins can be
138
+ [found in the Chef documentation](https://docs.chef.io/plugin_knife.html).
139
+
140
+ ## Nodes
141
+
142
+ ### WinRM versions
143
+
144
+ The node must be running Windows Remote Management (WinRM) 2.0+. WinRM
145
+ allows you to call native objects in Windows. This includes, but is not
146
+ limited to, running PowerShell scripts, batch scripts, and fetching WMI
147
+ data. For more information on WinRM, please visit
148
+ [Microsoft's WinRM site](http://msdn.microsoft.com/en-us/library/aa384426\(v=VS.85\).aspx).
149
+
150
+ WinRM is built into Windows 7 and Windows Server 2008+. It can also [be installed](https://support.microsoft.com/en-us/kb/968929) on older version of Windows, including:
151
+
152
+ * Windows Server 2003
153
+ * Windows Vista
154
+
155
+ ### WinRM configuration
156
+
157
+ **NOTE**: Before any WinRM related knife subcommands will function
158
+ a node's WinRM installation must be configured correctly.
159
+ The settings below must be added to your base server image or passed
160
+ in using some sort of user-data mechanism provided by your cloud
161
+ provider. Some cloud providers will set up the required WinRM
162
+ configuration through the cloud API for creating instances -- see
163
+ the documentation for the provider.
164
+
165
+ A server running WinRM must also be configured properly to allow
166
+ outside connections for the entire network path from the knife workstation to the server. The easiest way to accomplish this is to use [WinRM's quick configuration option](http://msdn.microsoft.com/en-us/library/aa384372\(v=vs.85\).aspx#quick_default_configuration):
167
+
168
+ winrm quickconfig -q
169
+
170
+ This will set up an WinRM listener using the HTTP (plaintext)
171
+ transport -- WinRM also supports the SSL transport for improved
172
+ robustness against information disclosure and other threats.
173
+
174
+ The chef-client installation and bootstrap may take more
175
+ memory than the default 150MB WinRM allocates per shell on older versions of
176
+ Windows (prior to Windows Server 2012) -- this can slow down
177
+ bootstrap or cause it to fail. The memory limit was increased to 1GB with Windows Management Framework 3
178
+ (and Server 2012). However, there is a bug in Windows Management Framework 3
179
+ (and Server 2012) which requires a [hotfix from Microsoft](https://support.microsoft.com/en-us/kb/2842230/en-us).
180
+ You can increase the memory limit to 1GB with the following PowerShell
181
+ command:
182
+
183
+ ```powershell
184
+ set-item wsman:\localhost\shell\maxmemorypershellmb 1024
185
+ ```
186
+
187
+ Bootstrap commands can take longer than the WinRM default 60 seconds to
188
+ complete, optionally increase to 30 minutes if bootstrap terminates a command prematurely:
189
+
190
+ ```powershell
191
+ set-item wsman:\localhost\MaxTimeoutms 300000
192
+ ```
193
+
194
+ Note that the `winrm` command itself supports the same configuration
195
+ capabilities as the PowerShell commands given above -- if you need to
196
+ configure WinRM without using PowerShell, use `winrm -?` to get help.
197
+
198
+ WinRM supports both the HTTP and HTTPS (SSL) transports and the following
199
+ authentication schemes: Kerberos, Digest, Certificate and Basic. The details
200
+ of these authentication transports are outside of the scope of this
201
+ README but details can be found on the
202
+ [WinRM configuration guide](http://msdn.microsoft.com/en-us/library/aa384372\(v=vs.85\).aspx).
203
+
204
+ #### Configure SSL on a Windows node
205
+
206
+ WinRM supports use of SSL to provide privacy and integrity of
207
+ communication using the protocol and to prevent spoofing attacks.
208
+
209
+ ##### Configure SSL using `knife`
210
+
211
+ `knife-windows` includes three commands to assist with SSL
212
+ configuration -- these commands support all versions of Windows and do
213
+ not rely on PowerShell:
214
+
215
+ * `knife windows cert generate`: creates a certificate that may be used
216
+ to configure an SSL WinRM listener
217
+
218
+ * `knife windows cert install`: Installs a certificate into the
219
+ Windows certificate store so it can be used to configure an SSL
220
+ WinRM listener.
221
+
222
+ * `knife windows listener create`: Creates a WinRM listener on a
223
+ Windows node -- it can use either a certificate already installed in
224
+ the Windows certificate store, or one created by other tools
225
+ including the `knife windows cert generate` command.
226
+
227
+ Here is an example that configures a listener on the node on which the
228
+ commands are executed:
229
+
230
+ knife windows cert generate --domain myorg.org --output-file $env:userprofile/winrmcerts/winrm-ssl
231
+ knife windows listener create --hostname *.myorg.org --cert-install $env:userprofile/winrmcerts/winrm-ssl.pfx
232
+
233
+ Note that the first command which generates the certificate for the
234
+ listener could be executed from any system that can run `knife` as
235
+ long as the certificate it generates is made available at a path at
236
+ which the second command can access it.
237
+
238
+ See previous sections for additional details of the `windows cert generate`, `windows cert install` and `windows listener create` subcommands.
239
+
240
+ ##### Configure SSL using *Windows Server 2012 or later*
241
+ The following PowerShell commands may be used to create an SSL WinRM
242
+ listener with a self-signed certificate on Windows 2012R2 or later systems:
243
+
244
+ ```powershell
245
+ $cert = New-SelfSignedCertificate -DnsName 'myserver.mydomain.org' -CertStoreLocation Cert:\LocalMachine\My
246
+ new-item -address * -force -path wsman:\localhost\listener -port 5986 -hostname ($cert.subject -split '=')[1] -transport https -certificatethumbprint $cert.Thumbprint
247
+ # Open the firewall for 5986, the default WinRM SSL port
248
+ netsh advfirewall firewall set rule name="Windows Remote Management (HTTPS-In)" profile=public protocol=tcp localport=5986 remoteip=localsubnet new remoteip=any
249
+
250
+ ```
251
+
252
+ Note that the first command which uses the `New-SelfSignedCertificate`
253
+ cmdlet is available only in PowerShell version 4.0 and later.
254
+
255
+ ##### Configure SSL using `winrm quickconfig`
256
+
257
+ The following command can configure an SSL WinRM listener if the
258
+ Windows certificate store's Local Machine store contains a certificate
259
+ that meets certain criteria that are most likely to be met if the
260
+ system is joined to a Windows Active Directory domain:
261
+
262
+ winrm quickconfig -transport:https -q
263
+
264
+ If the criteria are not met, an error message will follow with
265
+ guidance on the certificate requirements; you may need to obtain a
266
+ certificate from the appropriate source or use the PowerShell or
267
+ `knife` techniques given above to create the listener instead.
268
+
269
+ ##### Disabling peer verification
270
+ In the SSL examples above, the `-f` parameter was used to supply a
271
+ certificate that could validate the identity of the remote server.
272
+ For debugging purposes, this validation may be skipped if you have not
273
+ obtained a public certificate that can validate the server. Here is an
274
+ example:
275
+
276
+ knife winrm -m 192.168.0.6 -x "mydomain\myuser" -P $PASSWD -t ssl --winrm-ssl-verify-mode verify_none ipconfig
277
+
278
+ This option should be used carefully since disabling the verification of the
279
+ remote system's certificate can subject knife commands to spoofing attacks.
280
+
281
+ ## WinRM authentication
282
+
283
+ The default authentication protocol for `knife-windows` subcommands that use
284
+ WinRM is the Negotiate protocol. The following commands when executed on a
285
+ Windows system show authentication for domain and local accounts respectively:
286
+
287
+ knife bootstrap windows winrm web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password"
288
+ knife bootstrap windows winrm db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password"
289
+
290
+ The commands above are using the default plaintext transport for WinRM --
291
+ the default of Negotiate authentication may not be fully supported on
292
+ non-Windows systems using the plaintext transport. To work around this, the
293
+ remote system can be configured with an SSL WinRM listener instead of a
294
+ plaintext listener. Then the above commands should be modified to use the SSL
295
+ transport as follows using the `-t` (or `--winrm-transport`) option with the
296
+ `ssl` argument:
297
+
298
+ knife bootstrap windows winrm -t ssl web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password" -f ~/mycert.crt
299
+ knife bootstrap windows winrm -t ssl db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password" ~/mycert.crt
300
+
301
+ The commands using SSL above will work from any operating system, not
302
+ just Windows.
303
+
304
+ ### Troubleshooting authentication
305
+
306
+ For development and testing purposes, unencrypted traffic with Basic
307
+ authentication can make it easier to test connectivity. The configuration for
308
+ the remote system may be accomplished with the following PowerShell commands:
309
+
310
+ ```powershell
311
+ set-item wsman:\localhost\service\allowunencrypted $true
312
+ set-item wsman:\localhost\service\auth\basic $true
313
+ ```
314
+ To test connectivity via `knife-windows` from another system, the default
315
+ authentication protocol of Negotiate must be overridden using the
316
+ `--winrm-authentication-protocol` option with the desired protocol, in this
317
+ case Basic:
318
+
319
+ knife winrm -m web1.cloudapp.net --winrm-authentication-protocol basic ipconfig -x localadmin -P "super_secret_password"
320
+
321
+ Note that when using Basic authentication, domain accounts may not be used for
322
+ authentication; an account local to the remote system must be used.
323
+
324
+ ### Platform WinRM authentication support
325
+
326
+ `knife-windows` supports `Kerberos`, `Negotiate`, and `Basic` authentication
327
+ for WinRM communication. However, some of these protocols
328
+ may not work with `knife-windows` on non-Windows systems because
329
+ `knife-windows` relies on operating system libraries such as GSSAPI to implement
330
+ Windows authentication, and some versions of these libraries do not
331
+ fully implement the protocols.
332
+
333
+ The following table shows the authentication protocols that can be used with
334
+ `knife-windows` depending on whether the knife workstation is a Windows
335
+ system, the transport, and whether or not the target user is a domain user or
336
+ local to the target Windows system.
337
+
338
+ | Workstation OS / Account Scope | SSL | Plaintext |
339
+ |--------------------------------|------------------------------|----------------------------|
340
+ | Windows / Local | Kerberos, Negotiate* , Basic | Kerberos, Negotiate, Basic |
341
+ | Windows / Domain | Kerberos, Negotiate | Kerberos, Negotiate |
342
+ | Non-Windows / Local | Kerberos, [Negotiate*](https://github.com/chef/knife-windows/issues/176) Basic | Kerberos, Basic |
343
+ | Non-Windows / Domain | Kerberos, Negotiate | Kerberos |
344
+
345
+ > \* There is a known defect in the `knife winrm` and `knife bootstrap windows
346
+ > winrm` subcommands invoked on any OS platform when authenticating with the Negotiate protocol over
347
+ > the SSL transport. The defect is tracked by
348
+ > [knife-windows issue #176](https://github.com/chef/knife-windows/issues/176): If the remote system is
349
+ > domain-joined, local accounts may not be used to authenticate via Negotiate
350
+ > over SSL -- only domain accounts will work. Local accounts will only
351
+ > successfully authenticate if the system is not joined to a domain.
352
+ >
353
+ > This is generally not an issue for bootstrap scenarios, where the
354
+ > system has yet to be joined to any domain, but can be a problem for remote
355
+ > management cases after the system is domain joined. Workarounds include using
356
+ > a domain account instead, or enabling Basic authentication on the remote
357
+ > system (unencrypted communication **does not** need to be enabled to make
358
+ > Basic authentication function over SSL).
359
+
360
+ ## General troubleshooting
361
+
362
+ * Windows 2008R2 and earlier versions require an extra configuration
363
+ for MaxTimeoutms to avoid WinRM::WinRMHTTPTransportError: Bad HTTP
364
+ response error while bootstrapping. It should be at least 300000.
365
+
366
+ `set-item wsman:\\localhost\\MaxTimeoutms 300000`
367
+
368
+ * When I run the winrm command I get: "Error: Invalid use of command line. Type "winrm -?" for help."
369
+ You're running the winrm command from PowerShell and you need to put the key/value pair in single quotes. For example:
370
+
371
+ `winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'`
372
+
373
+
374
+ ## CONTRIBUTING:
375
+
376
+ Please file bugs against the KNIFE_WINDOWS project at https://github.com/chef/knife-windows/issues.
377
+
378
+ More information on the contribution process for Chef projects can be found in the [Chef Contributions document](http://docs.chef.io/community_contributions.html).
379
+
380
+ # LICENSE:
381
+
382
+ Author:: Seth Chisamore (<schisamo@chef.io>)
383
+ Copyright:: Copyright (c) 2015 Chef Software, Inc.
384
+ License:: Apache License, Version 2.0
385
+
386
+ Licensed under the Apache License, Version 2.0 (the "License");
387
+ you may not use this file except in compliance with the License.
388
+ You may obtain a copy of the License at
389
+
390
+ http://www.apache.org/licenses/LICENSE-2.0
391
+
392
+ Unless required by applicable law or agreed to in writing, software
393
+ distributed under the License is distributed on an "AS IS" BASIS,
394
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
395
+ See the License for the specific language governing permissions and
396
+ limitations under the License.