knife-windows 1.2.1 → 1.3.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (52) hide show
  1. checksums.yaml +4 -4
  2. data/.gitignore +5 -5
  3. data/.travis.yml +26 -23
  4. data/CHANGELOG.md +108 -104
  5. data/DOC_CHANGES.md +14 -14
  6. data/Gemfile +12 -12
  7. data/LICENSE +201 -201
  8. data/README.md +385 -376
  9. data/RELEASE_NOTES.md +34 -34
  10. data/Rakefile +21 -21
  11. data/appveyor.yml +42 -42
  12. data/ci.gemfile +15 -15
  13. data/features/knife_help.feature +20 -20
  14. data/features/support/env.rb +5 -5
  15. data/knife-windows.gemspec +25 -25
  16. data/lib/chef/knife/bootstrap/windows-chef-client-msi.erb +247 -247
  17. data/lib/chef/knife/bootstrap_windows_base.rb +415 -415
  18. data/lib/chef/knife/bootstrap_windows_ssh.rb +115 -115
  19. data/lib/chef/knife/bootstrap_windows_winrm.rb +95 -95
  20. data/lib/chef/knife/core/windows_bootstrap_context.rb +366 -366
  21. data/lib/chef/knife/knife_windows_base.rb +33 -33
  22. data/lib/chef/knife/windows_cert_generate.rb +155 -155
  23. data/lib/chef/knife/windows_cert_install.rb +68 -68
  24. data/lib/chef/knife/windows_helper.rb +36 -36
  25. data/lib/chef/knife/windows_listener_create.rb +107 -107
  26. data/lib/chef/knife/winrm.rb +122 -122
  27. data/lib/chef/knife/winrm_base.rb +117 -113
  28. data/lib/chef/knife/winrm_knife_base.rb +303 -298
  29. data/lib/chef/knife/winrm_session.rb +86 -86
  30. data/lib/chef/knife/winrm_shared_options.rb +47 -47
  31. data/lib/chef/knife/wsman_endpoint.rb +44 -44
  32. data/lib/chef/knife/wsman_test.rb +117 -117
  33. data/lib/knife-windows/path_helper.rb +234 -234
  34. data/lib/knife-windows/version.rb +6 -6
  35. data/spec/assets/win_template_rendered_with_bootstrap_install_command.txt +217 -217
  36. data/spec/assets/win_template_rendered_with_bootstrap_install_command_on_12_5_client.txt +217 -217
  37. data/spec/assets/win_template_rendered_without_bootstrap_install_command.txt +329 -329
  38. data/spec/assets/win_template_rendered_without_bootstrap_install_command_on_12_5_client.txt +329 -329
  39. data/spec/assets/win_template_unrendered.txt +246 -246
  40. data/spec/functional/bootstrap_download_spec.rb +234 -234
  41. data/spec/spec_helper.rb +93 -93
  42. data/spec/unit/knife/bootstrap_options_spec.rb +155 -154
  43. data/spec/unit/knife/bootstrap_template_spec.rb +92 -92
  44. data/spec/unit/knife/bootstrap_windows_winrm_spec.rb +295 -295
  45. data/spec/unit/knife/core/windows_bootstrap_context_spec.rb +177 -177
  46. data/spec/unit/knife/windows_cert_generate_spec.rb +90 -90
  47. data/spec/unit/knife/windows_cert_install_spec.rb +51 -51
  48. data/spec/unit/knife/windows_listener_create_spec.rb +76 -76
  49. data/spec/unit/knife/winrm_session_spec.rb +64 -64
  50. data/spec/unit/knife/winrm_spec.rb +516 -516
  51. data/spec/unit/knife/wsman_test_spec.rb +201 -201
  52. metadata +4 -4
data/README.md CHANGED
@@ -1,376 +1,385 @@
1
- Knife Windows Plugin
2
- ====================
3
- [![Build Status Master](https://travis-ci.org/chef/knife-windows.svg?branch=master)](https://travis-ci.org/chef/knife-windows)
4
- [![Build Status Master](https://ci.appveyor.com/api/projects/status/github/chef/knife-windows?branch=master&svg=true&passingText=master%20-%20Ok&pendingText=master%20-%20Pending&failingText=master%20-%20Failing)](https://ci.appveyor.com/project/Chef/knife-windows/branch/master)
5
-
6
- This plugin adds additional functionality to the Chef Knife CLI tool for
7
- configuring / interacting with nodes running Microsoft Windows:
8
-
9
- * Bootstrap of nodes via the [Windows Remote Management (WinRM)](http://msdn.microsoft.com/en-us/library/aa384426\(v=VS.85\).aspx) or SSH protocols
10
- * Remote command execution using the WinRM protocol
11
- * Utilities to configure WinRM SSL endpoints on managed nodes
12
-
13
- ## Subcommands
14
-
15
- This plugin provides the following Knife subcommands. Specific command options can be found by invoking the subcommand with a `--help` flag
16
-
17
- ### knife winrm
18
-
19
- The `winrm` subcommand allows you to invoke commands in parallel on a subset of the nodes in your infrastructure. The `winrm` subcommand uses the same syntax as the [search subcommand](https://docs.chef.io/knife_search.html); you could could find the uptime of all your web servers using the command:
20
-
21
- knife winrm "role:web" "net stats srv" -x Administrator -P 'super_secret_password'
22
-
23
- Or force a chef run:
24
-
25
- knife winrm "myserver.myorganization.net" "chef-client -c c:/chef/client.rb" -m -x Administrator -P "super_secret_password"
26
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:49 +0000] INFO: Starting Chef Run (Version 0.9.12)
27
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:50 +0000] WARN: Node ip-0A502FFB has an empty run list.
28
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Chef Run complete in 4.383966 seconds
29
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: cleaning the checksum cache
30
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Running report handlers
31
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Report handlers complete
32
-
33
- This subcommand operates in a manner similar to [knife ssh](https://docs.chef.io/knife_ssh.html)...just leveraging the WinRM protocol for communication. It also includes `knife ssh`'s "[interactive session mode](https://docs.chef.io/knife_ssh.html#options)"
34
-
35
- ### knife bootstrap windows winrm
36
-
37
- Performs a Chef Bootstrap (via the WinRM protocol) on the target node. The goal of the bootstrap is to get Chef installed on the target system so it can run Chef Client with a Chef Server. The main assumption is a baseline OS installation exists. It is primarily intended for Chef Client systems that talk to a Chef server.
38
-
39
- This subcommand operates in a manner similar to [knife bootstrap](https://docs.chef.io/knife_bootstrap.html)...just leveraging the WinRM protocol for communication. An initial run_list for the node can also be passed to the subcommand. Example usage:
40
-
41
- knife bootstrap windows winrm myserver.myorganization.net -r 'role[webserver],role[production]' -x Administrator -P 'super_secret_password'
42
-
43
- #### Tip: Use SSL for WinRM communication
44
-
45
- By default, the `knife winrm` and `knife bootstrap windows winrm` subcommands use a plaintext transport,
46
- but they support an option `--winrm-transport` (or `-t`) with the argument
47
- `ssl` that allows the SSL to secure the WinRM payload. Here's an example:
48
-
49
- knife winrm -t ssl "role:web" "net stats srv" -x Administrator -P "super_secret_password" -f ~/server_public_cert.crt
50
-
51
- Use of SSL is strongly recommended, particularly when invoking `knife-windows` on non-Windows platforms, since
52
- without SSL there are limited options for ensuring the privacy of the
53
- plaintext transport. See the section on [Platform authentication
54
- support](#platform-winrm-authentication-support).
55
-
56
- SSL will become the default transport in future revisions of
57
- `knife-windows`.
58
-
59
- ### knife wsman test
60
-
61
- Connects to the remote WSMan/WinRM endpoint and verifies the remote node is listening. This is the equivalent of running Test-Wsman from PowerShell. Endpoints to test can be specified manually, or be driven by search and use many of the same connection options as knife winrm.
62
- To test a single node using the default WinRM port (5985)
63
-
64
- knife wsman test 192.168.1.10 -m
65
-
66
- or to test a single node with SSL enabled on the default port (5986)
67
-
68
- knife wsman test 192.168.1.10 -m --winrm-transport ssl
69
-
70
- or to test all windows nodes registered with your Chef Server organization
71
-
72
- knife wsman test platform:windows
73
-
74
- ### knife bootstrap windows ssh
75
-
76
- Performs a Chef Bootstrap (via the SSH protocol) on the target node. The goal of the bootstrap is to get Chef installed on the target system so it can run Chef Client with a Chef Server. The main assumption is a baseline OS installation exists. It is primarily intended for Chef Client systems that talk to a Chef server.
77
-
78
- This subcommand assumes the SSH session will use the Windows native cmd.exe command shell vs a bash shell through an emulated cygwin layer. Most popular Windows based SSHd daemons like [freeSSHd](http://www.freesshd.com/) and [WinSSHD](http://www.bitvise.com/winsshd) behave this way.
79
-
80
- An initial run_list for the node can also be passed to the subcommand. Example usage:
81
-
82
- knife bootstrap windows ssh myserver.myorganization.net -r "role[webserver],role[production]" -x Administrator -i ~/.ssh/id_rsa
83
-
84
- ### knife windows cert generate
85
-
86
- Generates a certificate(x509) containing a public / private key pair for WinRM 'SSL' communication.
87
- The certificate will be generated in three different formats:
88
- * **.pem** - The *.pem is Base64 encoded public certificate only. One can use this file with the `-f` argument on `knife bootstrap windows winrm` and `knife winrm` commands.
89
- * **.pfx** - The PKCS12(i.e .pfx) contains both the public and private keys, usually used on the server. This can be added to a WinRM Server's Certificate Store using `knife windows cert install` (see command description below). **Note:** Do not use the *.pfx file with the `-f` argument on the `knife bootstrap windows winrm` and `knife winrm` commands. Use the *.pem file instead.
90
- * **.b64** - The *.b64 is Base64 PKCS12 key pair. Contains both the public and private keys, for upload to the Cloud REST API. e.g. Azure.
91
-
92
- This command also displays the thumbprint of the generated certificate.
93
-
94
- knife windows cert generate --cert-passphrase "strong_passphrase" --hostname "myserver.myorganization.net" --output-file "~/server_cert.pfx"
95
- # This command will generate certificates in the user's home directory with names server_cert.b64, server_cert.pfx and server_cert.pem.
96
-
97
- ### knife windows cert install
98
-
99
- This command only functions on Windows and is intended to be run on a chef node. It adds the specified certificate to its certificate store. This command must include a valid PKCS12(i.e *.pfx) certificate file path such as the *.pfx file generated by `knife windows cert generate` described above.
100
-
101
- knife windows cert install "~/server_cert.pfx" --cert-passphrase "strong_passphrase"
102
-
103
- ### knife windows listener create
104
- This command only functions on Windows and is intended to be run on a chef node. It creates the winrm listener for SSL communication(i.e HTTPS).
105
- This command can also install certificate which is specified using --cert-install option and use the installed certificate thumbprint to create winrm listener.
106
- --hostname option is optional. Default value for hostname is *.
107
-
108
- knife windows listener create --cert-passphrase "strong_passphrase" --hostname "myserver.mydomain.net" --cert-install "~/server_cert.pfx"
109
-
110
- The command also allows you to use existing certificates from local store to create winrm listener. Use --cert-thumbprint option to specify the certificate thumbprint.
111
-
112
- knife windows listener create --cert-passphrase "strong_passphrase" --hostname "myserver.mydomain.net" --cert-thumbprint "bf0fef0bb41be40ceb66a3b38813ca489fe99746"
113
-
114
- You can get the thumbprint for existing certificates in the local store using the following PowerShell command:
115
-
116
- ls cert:\LocalMachine\My
117
-
118
- ## Bootstrap template
119
-
120
- This gem provides the bootstrap template `windows-chef-client-msi`,
121
- which does the following:
122
-
123
- * Installs the latest version of Chef Client (and all dependencies) using the `chef-client` msi.
124
- * Writes the validation.pem per the local knife configuration.
125
- * Writes a default config file for Chef (`C:\chef\client.rb`) using values from the `knife.rb`.
126
- * Creates a JSON attributes file containing the specified run list and run Chef.
127
-
128
- This template is used by both `knife windows bootstrap winrm` and `knife windows bootstrap ssh` subcommands.
129
-
130
- ## Requirements / setup
131
-
132
- ### Ruby
133
-
134
- Ruby 1.9.3+ is required.
135
-
136
- ### Chef version
137
-
138
- This knife plugins requires >= Chef 11.0.0. More details about Knife plugins can be
139
- [found in the Chef documentation](https://docs.chef.io/plugin_knife.html).
140
-
141
- ## Nodes
142
-
143
- ### WinRM versions
144
-
145
- The node must be running Windows Remote Management (WinRM) 2.0+. WinRM
146
- allows you to call native objects in Windows. This includes, but is not
147
- limited to, running PowerShell scripts, batch scripts, and fetching WMI
148
- data. For more information on WinRM, please visit
149
- [Microsoft's WinRM site](http://msdn.microsoft.com/en-us/library/aa384426\(v=VS.85\).aspx).
150
-
151
- WinRM is built into Windows 7 and Windows Server 2008+. It can also [be installed](https://support.microsoft.com/en-us/kb/968929) on older version of Windows, including:
152
-
153
- * Windows Server 2003
154
- * Windows Vista
155
-
156
- ### WinRM configuration
157
-
158
- **NOTE**: Before any WinRM related knife subcommands will function
159
- a node's WinRM installation must be configured correctly.
160
- The settings below must be added to your base server image or passed
161
- in using some sort of user-data mechanism provided by your cloud
162
- provider. Some cloud providers will set up the required WinRM
163
- configuration through the cloud API for creating instances -- see
164
- the documentation for the provider.
165
-
166
- A server running WinRM must also be configured properly to allow
167
- outside connections for the entire network path from the knife workstation to the server. The easiest way to accomplish this is to use [WinRM's quick configuration option](http://msdn.microsoft.com/en-us/library/aa384372\(v=vs.85\).aspx#quick_default_configuration):
168
-
169
- winrm quickconfig -q
170
-
171
- This will set up an WinRM listener using the HTTP (plaintext)
172
- transport -- WinRM also supports the SSL transport for improved
173
- robustness against information disclosure and other threats.
174
-
175
- The chef-client installation and bootstrap may take more
176
- memory than the default 150MB WinRM allocates per shell on older versions of
177
- Windows (prior to Windows Server 2012) -- this can slow down
178
- bootstrap or cause it to fail. The memory limit was increased to 1GB with Windows Management Framework 3
179
- (and Server 2012). However, there is a bug in Windows Management Framework 3
180
- (and Server 2012) which requires a [hotfix from Microsoft](https://support.microsoft.com/en-us/kb/2842230/en-us).
181
- You can increase the memory limit to 1GB with the following PowerShell
182
- command:
183
-
184
- ```powershell
185
- set-item wsman:\localhost\shell\maxmemorypershellmb 1024
186
- ```
187
-
188
- Bootstrap commands can take longer than the WinRM default 60 seconds to
189
- complete, optionally increase to 30 minutes if bootstrap terminates a command prematurely:
190
-
191
- ```powershell
192
- set-item wsman:\localhost\MaxTimeoutms 300000
193
- ```
194
-
195
- Note that the `winrm` command itself supports the same configuration
196
- capabilities as the PowerShell commands given above -- if you need to
197
- configure WinRM without using PowerShell, use `winrm -?` to get help.
198
-
199
- WinRM supports both the HTTP and HTTPS (SSL) transports and the following
200
- authentication schemes: Kerberos, Digest, Certificate and Basic. The details
201
- of these authentication transports are outside of the scope of this
202
- README but details can be found on the
203
- [WinRM configuration guide](http://msdn.microsoft.com/en-us/library/aa384372\(v=vs.85\).aspx).
204
-
205
- #### Configure SSL on a Windows node
206
-
207
- WinRM supports use of SSL to provide privacy and integrity of
208
- communication using the protocol and to prevent spoofing attacks.
209
-
210
- ##### Configure SSL using `knife`
211
-
212
- `knife-windows` includes three commands to assist with SSL
213
- configuration -- these commands support all versions of Windows and do
214
- not rely on PowerShell:
215
-
216
- * `knife windows cert generate`: creates a certificate that may be used
217
- to configure an SSL WinRM listener
218
-
219
- * `knife windows cert install`: Installs a certificate into the
220
- Windows certificate store so it can be used to configure an SSL
221
- WinRM listener.
222
-
223
- * `knife windows listener create`: Creates a WinRM listener on a
224
- Windows node -- it can use either a certificate already installed in
225
- the Windows certificate store, or one created by other tools
226
- including the `knife windows cert generate` command.
227
-
228
- Here is an example that configures a listener on the node on which the
229
- commands are executed:
230
-
231
- knife windows cert generate --domain myorg.org --output-file $env:userprofile/winrmcerts/winrm-ssl
232
- knife windows listener create --hostname *.myorg.org --cert-install $env:userprofile/winrmcerts/winrm-ssl.pfx
233
-
234
- Note that the first command which generates the certificate for the
235
- listener could be executed from any system that can run `knife` as
236
- long as the certificate it generates is made available at a path at
237
- which the second command can access it.
238
-
239
- See previous sections for additional details of the `windows cert generate`, `windows cert install` and `windows listener create` subcommands.
240
-
241
- ##### Configure SSL using *Windows Server 2012 or later*
242
- The following PowerShell commands may be used to create an SSL WinRM
243
- listener with a self-signed certificate on Windows 2012R2 or later systems:
244
-
245
- ```powershell
246
- $cert = New-SelfSignedCertificate -DnsName 'myserver.mydomain.org' -CertStoreLocation Cert:\LocalMachine\My
247
- new-item -address * -force -path wsman:\localhost\listener -port 5986 -hostname ($cert.subject -split '=')[1] -transport https -certificatethumbprint $cert.Thumbprint
248
- # Open the firewall for 5986, the default WinRM SSL port
249
- netsh advfirewall firewall set rule name="Windows Remote Management (HTTPS-In)" profile=public protocol=tcp localport=5986 remoteip=localsubnet new remoteip=any
250
-
251
- ```
252
-
253
- Note that the first command which uses the `New-SelfSignedCertificate`
254
- cmdlet is available only in PowerShell version 4.0 and later.
255
-
256
- ##### Configure SSL using `winrm quickconfig`
257
-
258
- The following command can configure an SSL WinRM listener if the
259
- Windows certificate store's Local Machine store contains a certificate
260
- that meets certain criteria that are most likely to be met if the
261
- system is joined to a Windows Active Directory domain:
262
-
263
- winrm quickconfig -transport:https -q
264
-
265
- If the criteria are not met, an error message will follow with
266
- guidance on the certificate requirements; you may need to obtain a
267
- certificate from the appropriate source or use the PowerShell or
268
- `knife` techniques given above to create the listener instead.
269
-
270
- ##### Disabling peer verification
271
- In the SSL examples above, the `-f` parameter was used to supply a
272
- certificate that could validate the identity of the remote server.
273
- For debugging purposes, this validation may be skipped if you have not
274
- obtained a public certificate that can validate the server. Here is an
275
- example:
276
-
277
- knife winrm -m 192.168.0.6 -x "mydomain\myuser" -P $PASSWD -t ssl --winrm-ssl-verify-mode verify_none ipconfig
278
-
279
- This option should be used carefully since disabling the verification of the
280
- remote system's certificate can subject knife commands to spoofing attacks.
281
-
282
- ## WinRM authentication
283
-
284
- The default authentication protocol for `knife-windows` subcommands that use
285
- WinRM is the Negotiate protocol. The following commands show authentication for domain and local accounts respectively:
286
-
287
- knife bootstrap windows winrm web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password"
288
- knife bootstrap windows winrm db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password"
289
-
290
- The remote system may also be configured with an SSL WinRM listener instead of a
291
- plaintext listener. Then the above commands should be modified to use the SSL
292
- transport as follows using the `-t` (or `--winrm-transport`) option with the
293
- `ssl` argument:
294
-
295
- knife bootstrap windows winrm -t ssl web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password" -f ~/mycert.crt
296
- knife bootstrap windows winrm -t ssl db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password" ~/mycert.crt
297
-
298
- ### Troubleshooting authentication
299
-
300
- Unencrypted traffic with Basic authentication should only be used for low level wire protocol debugging. The configuration for plain text connectivity to
301
- the remote system may be accomplished with the following PowerShell commands:
302
-
303
- ```powershell
304
- set-item wsman:\localhost\service\allowunencrypted $true
305
- set-item wsman:\localhost\service\auth\basic $true
306
- ```
307
- To use basic authentication connectivity via `knife-windows`, the default
308
- authentication protocol of Negotiate must be overridden using the
309
- `--winrm-authentication-protocol` option with the desired protocol, in this
310
- case Basic:
311
-
312
- knife winrm -m web1.cloudapp.net --winrm-authentication-protocol basic ipconfig -x localadmin -P "super_secret_password"
313
-
314
- Note that when using Basic authentication, domain accounts may not be used for
315
- authentication; an account local to the remote system must be used.
316
-
317
- ### Platform WinRM authentication support
318
-
319
- `knife-windows` supports `Kerberos`, `Negotiate`, and `Basic` authentication
320
- for WinRM communication.
321
-
322
- The following table shows the authentication protocols that can be used with
323
- `knife-windows` depending on whether the knife workstation is a Windows
324
- system, the transport, and whether or not the target user is a domain user or
325
- local to the target Windows system.
326
-
327
- > \* There is a known defect in the `knife winrm` and `knife bootstrap windows
328
- > winrm` subcommands invoked on any OS platform when authenticating with the Negotiate protocol over
329
- > the SSL transport. The defect is tracked by
330
- > [knife-windows issue #176](https://github.com/chef/knife-windows/issues/176): If the remote system is
331
- > domain-joined, local accounts may not be used to authenticate via Negotiate
332
- > over SSL -- only domain accounts will work. Local accounts will only
333
- > successfully authenticate if the system is not joined to a domain.
334
- >
335
- > This is generally not an issue for bootstrap scenarios, where the
336
- > system has yet to be joined to any domain, but can be a problem for remote
337
- > management cases after the system is domain joined. Workarounds include using
338
- > a domain account instead or bypassing SSL and using Negotiate authentication.
339
-
340
- ## General troubleshooting
341
-
342
- * Windows 2008R2 and earlier versions require an extra configuration
343
- for MaxTimeoutms to avoid WinRM::WinRMHTTPTransportError: Bad HTTP
344
- response error while bootstrapping. It should be at least 300000.
345
-
346
- `set-item wsman:\\localhost\\MaxTimeoutms 300000`
347
-
348
- * When I run the winrm command I get: "Error: Invalid use of command line. Type "winrm -?" for help."
349
- You're running the winrm command from PowerShell and you need to put the key/value pair in single quotes. For example:
350
-
351
- `winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'`
352
-
353
-
354
- ## CONTRIBUTING:
355
-
356
- Please file bugs against the KNIFE_WINDOWS project at https://github.com/chef/knife-windows/issues.
357
-
358
- More information on the contribution process for Chef projects can be found in the [Chef Contributions document](http://docs.chef.io/community_contributions.html).
359
-
360
- # LICENSE:
361
-
362
- Author:: Seth Chisamore (<schisamo@chef.io>)
363
- Copyright:: Copyright (c) 2015 Chef Software, Inc.
364
- License:: Apache License, Version 2.0
365
-
366
- Licensed under the Apache License, Version 2.0 (the "License");
367
- you may not use this file except in compliance with the License.
368
- You may obtain a copy of the License at
369
-
370
- http://www.apache.org/licenses/LICENSE-2.0
371
-
372
- Unless required by applicable law or agreed to in writing, software
373
- distributed under the License is distributed on an "AS IS" BASIS,
374
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
375
- See the License for the specific language governing permissions and
376
- limitations under the License.
1
+ Knife Windows Plugin
2
+ ====================
3
+ [![Build Status Master](https://travis-ci.org/chef/knife-windows.svg?branch=master)](https://travis-ci.org/chef/knife-windows)
4
+ [![Build Status Master](https://ci.appveyor.com/api/projects/status/github/chef/knife-windows?branch=master&svg=true&passingText=master%20-%20Ok&pendingText=master%20-%20Pending&failingText=master%20-%20Failing)](https://ci.appveyor.com/project/Chef/knife-windows/branch/master)
5
+
6
+ This plugin adds additional functionality to the Chef Knife CLI tool for
7
+ configuring / interacting with nodes running Microsoft Windows:
8
+
9
+ * Bootstrap of nodes via the [Windows Remote Management (WinRM)](http://msdn.microsoft.com/en-us/library/aa384426\(v=VS.85\).aspx) or SSH protocols
10
+ * Remote command execution using the WinRM protocol
11
+ * Utilities to configure WinRM SSL endpoints on managed nodes
12
+
13
+ ## Subcommands
14
+
15
+ This plugin provides the following Knife subcommands. Specific command options can be found by invoking the subcommand with a `--help` flag
16
+
17
+ ### knife winrm
18
+
19
+ The `winrm` subcommand allows you to invoke commands in parallel on a subset of the nodes in your infrastructure. The `winrm` subcommand uses the same syntax as the [search subcommand](https://docs.chef.io/knife_search.html); you could could find the uptime of all your web servers using the command:
20
+
21
+ knife winrm "role:web" "net stats srv" -x Administrator -P 'super_secret_password'
22
+
23
+ Or force a chef run:
24
+
25
+ knife winrm "myserver.myorganization.net" "chef-client -c c:/chef/client.rb" -m -x Administrator -P "super_secret_password"
26
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:49 +0000] INFO: Starting Chef Run (Version 0.9.12)
27
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:50 +0000] WARN: Node ip-0A502FFB has an empty run list.
28
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Chef Run complete in 4.383966 seconds
29
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: cleaning the checksum cache
30
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Running report handlers
31
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Report handlers complete
32
+
33
+ This subcommand operates in a manner similar to [knife ssh](https://docs.chef.io/knife_ssh.html)...just leveraging the WinRM protocol for communication. It also includes `knife ssh`'s "[interactive session mode](https://docs.chef.io/knife_ssh.html#options)"
34
+
35
+ ### knife bootstrap windows winrm
36
+
37
+ Performs a Chef Bootstrap (via the WinRM protocol) on the target node. The goal of the bootstrap is to get Chef installed on the target system so it can run Chef Client with a Chef Server. The main assumption is a baseline OS installation exists. It is primarily intended for Chef Client systems that talk to a Chef server.
38
+
39
+ This subcommand operates in a manner similar to [knife bootstrap](https://docs.chef.io/knife_bootstrap.html)...just leveraging the WinRM protocol for communication. An initial run_list for the node can also be passed to the subcommand. Example usage:
40
+
41
+ knife bootstrap windows winrm myserver.myorganization.net -r 'role[webserver],role[production]' -x Administrator -P 'super_secret_password'
42
+
43
+ #### Tip: Use SSL for WinRM communication
44
+
45
+ By default, the `knife winrm` and `knife bootstrap windows winrm` subcommands use a plaintext transport,
46
+ but they support an option `--winrm-transport` (or `-t`) with the argument
47
+ `ssl` that allows the SSL to secure the WinRM payload. Here's an example:
48
+
49
+ knife winrm -t ssl "role:web" "net stats srv" -x Administrator -P "super_secret_password" -f ~/server_public_cert.crt
50
+
51
+ Use of SSL is strongly recommended, particularly when invoking `knife-windows` on non-Windows platforms, since
52
+ without SSL there are limited options for ensuring the privacy of the
53
+ plaintext transport. See the section on [Platform authentication
54
+ support](#platform-winrm-authentication-support).
55
+
56
+ SSL will become the default transport in future revisions of
57
+ `knife-windows`.
58
+
59
+ ### knife wsman test
60
+
61
+ Connects to the remote WSMan/WinRM endpoint and verifies the remote node is listening. This is the equivalent of running Test-Wsman from PowerShell. Endpoints to test can be specified manually, or be driven by search and use many of the same connection options as knife winrm.
62
+ To test a single node using the default WinRM port (5985)
63
+
64
+ knife wsman test 192.168.1.10 -m
65
+
66
+ or to test a single node with SSL enabled on the default port (5986)
67
+
68
+ knife wsman test 192.168.1.10 -m --winrm-transport ssl
69
+
70
+ or to test all windows nodes registered with your Chef Server organization
71
+
72
+ knife wsman test platform:windows
73
+
74
+ ### knife bootstrap windows ssh
75
+
76
+ Performs a Chef Bootstrap (via the SSH protocol) on the target node. The goal of the bootstrap is to get Chef installed on the target system so it can run Chef Client with a Chef Server. The main assumption is a baseline OS installation exists. It is primarily intended for Chef Client systems that talk to a Chef server.
77
+
78
+ This subcommand assumes the SSH session will use the Windows native cmd.exe command shell vs a bash shell through an emulated cygwin layer. Most popular Windows based SSHd daemons like [freeSSHd](http://www.freesshd.com/) and [WinSSHD](http://www.bitvise.com/winsshd) behave this way.
79
+
80
+ An initial run_list for the node can also be passed to the subcommand. Example usage:
81
+
82
+ knife bootstrap windows ssh myserver.myorganization.net -r "role[webserver],role[production]" -x Administrator -i ~/.ssh/id_rsa
83
+
84
+ ### knife windows cert generate
85
+
86
+ Generates a certificate(x509) containing a public / private key pair for WinRM 'SSL' communication.
87
+ The certificate will be generated in three different formats:
88
+ * **.pem** - The *.pem is Base64 encoded public certificate only. One can use this file with the `-f` argument on `knife bootstrap windows winrm` and `knife winrm` commands.
89
+ * **.pfx** - The PKCS12(i.e .pfx) contains both the public and private keys, usually used on the server. This can be added to a WinRM Server's Certificate Store using `knife windows cert install` (see command description below). **Note:** Do not use the *.pfx file with the `-f` argument on the `knife bootstrap windows winrm` and `knife winrm` commands. Use the *.pem file instead.
90
+ * **.b64** - The *.b64 is Base64 PKCS12 key pair. Contains both the public and private keys, for upload to the Cloud REST API. e.g. Azure.
91
+
92
+ This command also displays the thumbprint of the generated certificate.
93
+
94
+ knife windows cert generate --cert-passphrase "strong_passphrase" --hostname "myserver.myorganization.net" --output-file "~/server_cert.pfx"
95
+ # This command will generate certificates in the user's home directory with names server_cert.b64, server_cert.pfx and server_cert.pem.
96
+
97
+ ### knife windows cert install
98
+
99
+ This command only functions on Windows and is intended to be run on a chef node. It adds the specified certificate to its certificate store. This command must include a valid PKCS12(i.e *.pfx) certificate file path such as the *.pfx file generated by `knife windows cert generate` described above.
100
+
101
+ knife windows cert install "~/server_cert.pfx" --cert-passphrase "strong_passphrase"
102
+
103
+ ### knife windows listener create
104
+ This command only functions on Windows and is intended to be run on a chef node. It creates the winrm listener for SSL communication(i.e HTTPS).
105
+ This command can also install certificate which is specified using --cert-install option and use the installed certificate thumbprint to create winrm listener.
106
+ --hostname option is optional. Default value for hostname is *.
107
+
108
+ knife windows listener create --cert-passphrase "strong_passphrase" --hostname "myserver.mydomain.net" --cert-install "~/server_cert.pfx"
109
+
110
+ The command also allows you to use existing certificates from local store to create winrm listener. Use --cert-thumbprint option to specify the certificate thumbprint.
111
+
112
+ knife windows listener create --cert-passphrase "strong_passphrase" --hostname "myserver.mydomain.net" --cert-thumbprint "bf0fef0bb41be40ceb66a3b38813ca489fe99746"
113
+
114
+ You can get the thumbprint for existing certificates in the local store using the following PowerShell command:
115
+
116
+ ls cert:\LocalMachine\My
117
+
118
+ ## Bootstrap template
119
+
120
+ This gem provides the bootstrap template `windows-chef-client-msi`,
121
+ which does the following:
122
+
123
+ * Installs the latest version of Chef Client (and all dependencies) using the `chef-client` msi.
124
+ * Writes the validation.pem per the local knife configuration.
125
+ * Writes a default config file for Chef (`C:\chef\client.rb`) using values from the `knife.rb`.
126
+ * Creates a JSON attributes file containing the specified run list and run Chef.
127
+
128
+ This template is used by both `knife windows bootstrap winrm` and `knife windows bootstrap ssh` subcommands.
129
+
130
+ ## Requirements / setup
131
+
132
+ ### Ruby
133
+
134
+ Ruby 1.9.3+ is required.
135
+
136
+ ### Chef version
137
+
138
+ This knife plugins requires >= Chef 11.0.0. More details about Knife plugins can be
139
+ [found in the Chef documentation](https://docs.chef.io/plugin_knife.html).
140
+
141
+ ## Nodes
142
+
143
+ ### WinRM versions
144
+
145
+ The node must be running Windows Remote Management (WinRM) 2.0+. WinRM
146
+ allows you to call native objects in Windows. This includes, but is not
147
+ limited to, running PowerShell scripts, batch scripts, and fetching WMI
148
+ data. For more information on WinRM, please visit
149
+ [Microsoft's WinRM site](http://msdn.microsoft.com/en-us/library/aa384426\(v=VS.85\).aspx).
150
+
151
+ WinRM is built into Windows 7 and Windows Server 2008+. It can also [be installed](https://support.microsoft.com/en-us/kb/968929) on older version of Windows, including:
152
+
153
+ * Windows Server 2003
154
+ * Windows Vista
155
+
156
+ ### WinRM configuration
157
+
158
+ **NOTE**: Before any WinRM related knife subcommands will function
159
+ a node's WinRM installation must be configured correctly.
160
+ The settings below must be added to your base server image or passed
161
+ in using some sort of user-data mechanism provided by your cloud
162
+ provider. Some cloud providers will set up the required WinRM
163
+ configuration through the cloud API for creating instances -- see
164
+ the documentation for the provider.
165
+
166
+ A server running WinRM must also be configured properly to allow
167
+ outside connections for the entire network path from the knife workstation to the server. The easiest way to accomplish this is to use [WinRM's quick configuration option](http://msdn.microsoft.com/en-us/library/aa384372\(v=vs.85\).aspx#quick_default_configuration):
168
+
169
+ winrm quickconfig -q
170
+
171
+ This will set up an WinRM listener using the HTTP (plaintext)
172
+ transport -- WinRM also supports the SSL transport for improved
173
+ robustness against information disclosure and other threats.
174
+
175
+ The chef-client installation and bootstrap may take more
176
+ memory than the default 150MB WinRM allocates per shell on older versions of
177
+ Windows (prior to Windows Server 2012) -- this can slow down
178
+ bootstrap or cause it to fail. The memory limit was increased to 1GB with Windows Management Framework 3
179
+ (and Server 2012). However, there is a bug in Windows Management Framework 3
180
+ (and Server 2012) which requires a [hotfix from Microsoft](https://support.microsoft.com/en-us/kb/2842230/en-us).
181
+ You can increase the memory limit to 1GB with the following PowerShell
182
+ command:
183
+
184
+ ```powershell
185
+ set-item wsman:\localhost\shell\maxmemorypershellmb 1024
186
+ ```
187
+
188
+ Bootstrap commands can take longer than the WinRM default 60 seconds to
189
+ complete, optionally increase to 30 minutes if bootstrap terminates a command prematurely:
190
+
191
+ ```powershell
192
+ set-item wsman:\localhost\MaxTimeoutms 300000
193
+ ```
194
+
195
+ Note that the `winrm` command itself supports the same configuration
196
+ capabilities as the PowerShell commands given above -- if you need to
197
+ configure WinRM without using PowerShell, use `winrm -?` to get help.
198
+
199
+ WinRM supports both the HTTP and HTTPS (SSL) transports and the following
200
+ authentication schemes: Kerberos, Digest, Certificate and Basic. The details
201
+ of these authentication transports are outside of the scope of this
202
+ README but details can be found on the
203
+ [WinRM configuration guide](http://msdn.microsoft.com/en-us/library/aa384372\(v=vs.85\).aspx).
204
+
205
+ #### Configure SSL on a Windows node
206
+
207
+ WinRM supports use of SSL to provide privacy and integrity of
208
+ communication using the protocol and to prevent spoofing attacks.
209
+
210
+ ##### Configure SSL using `knife`
211
+
212
+ `knife-windows` includes three commands to assist with SSL
213
+ configuration -- these commands support all versions of Windows and do
214
+ not rely on PowerShell:
215
+
216
+ * `knife windows cert generate`: creates a certificate that may be used
217
+ to configure an SSL WinRM listener
218
+
219
+ * `knife windows cert install`: Installs a certificate into the
220
+ Windows certificate store so it can be used to configure an SSL
221
+ WinRM listener.
222
+
223
+ * `knife windows listener create`: Creates a WinRM listener on a
224
+ Windows node -- it can use either a certificate already installed in
225
+ the Windows certificate store, or one created by other tools
226
+ including the `knife windows cert generate` command.
227
+
228
+ Here is an example that configures a listener on the node on which the
229
+ commands are executed:
230
+
231
+ knife windows cert generate --domain myorg.org --output-file $env:userprofile/winrmcerts/winrm-ssl
232
+ knife windows listener create --hostname *.myorg.org --cert-install $env:userprofile/winrmcerts/winrm-ssl.pfx
233
+
234
+ Note that the first command which generates the certificate for the
235
+ listener could be executed from any system that can run `knife` as
236
+ long as the certificate it generates is made available at a path at
237
+ which the second command can access it.
238
+
239
+ See previous sections for additional details of the `windows cert generate`, `windows cert install` and `windows listener create` subcommands.
240
+
241
+ ##### Configure SSL using *Windows Server 2012 or later*
242
+ The following PowerShell commands may be used to create an SSL WinRM
243
+ listener with a self-signed certificate on Windows 2012R2 or later systems:
244
+
245
+ ```powershell
246
+ $cert = New-SelfSignedCertificate -DnsName 'myserver.mydomain.org' -CertStoreLocation Cert:\LocalMachine\My
247
+ new-item -address * -force -path wsman:\localhost\listener -port 5986 -hostname ($cert.subject -split '=')[1] -transport https -certificatethumbprint $cert.Thumbprint
248
+ # Open the firewall for 5986, the default WinRM SSL port
249
+ netsh advfirewall firewall set rule name="Windows Remote Management (HTTPS-In)" profile=public protocol=tcp localport=5986 remoteip=localsubnet new remoteip=any
250
+
251
+ ```
252
+
253
+ Note that the first command which uses the `New-SelfSignedCertificate`
254
+ cmdlet is available only in PowerShell version 4.0 and later.
255
+
256
+ ##### Configure SSL using `winrm quickconfig`
257
+
258
+ The following command can configure an SSL WinRM listener if the
259
+ Windows certificate store's Local Machine store contains a certificate
260
+ that meets certain criteria that are most likely to be met if the
261
+ system is joined to a Windows Active Directory domain:
262
+
263
+ winrm quickconfig -transport:https -q
264
+
265
+ If the criteria are not met, an error message will follow with
266
+ guidance on the certificate requirements; you may need to obtain a
267
+ certificate from the appropriate source or use the PowerShell or
268
+ `knife` techniques given above to create the listener instead.
269
+
270
+ ##### Disabling peer verification
271
+ In the SSL examples above, the `-f` parameter was used to supply a
272
+ certificate that could validate the identity of the remote server.
273
+ For debugging purposes, this validation may be skipped if you have not
274
+ obtained a public certificate that can validate the server. Here is an
275
+ example:
276
+
277
+ knife winrm -m 192.168.0.6 -x "mydomain\myuser" -P $PASSWD -t ssl --winrm-ssl-verify-mode verify_none ipconfig
278
+
279
+ This option should be used carefully since disabling the verification of the
280
+ remote system's certificate can subject knife commands to spoofing attacks.
281
+
282
+ ##### Connecting securely to self-signed certs
283
+ If you generate a self-signed cert, the fqdn and ip may not match which will result in a certificate validation failure. In order to securely connect and reduce the risk of a "Man In The Middle" attack, you may use the certificate's fingerprint to precisely identify the known certificate on the WinRM endpoint.
284
+
285
+ The fingerprint can be supplied to ```--ssl-peer-fingerprint``` and instead of using a certificate chain and comparing the CommonName, it will only verify that the fingerprint matches:
286
+
287
+ knife winrm --ssl-peer-fingerprint 89255929FB4B5E1BFABF7E7F01AFAFC5E7003C3F \
288
+ -m $IP -x Administrator -P $PASSWD-t ssl --winrm-port 5986 hostname
289
+ 10.113.4.54 ip-0A710436
290
+
291
+ ## WinRM authentication
292
+
293
+ The default authentication protocol for `knife-windows` subcommands that use
294
+ WinRM is the Negotiate protocol. The following commands show authentication for domain and local accounts respectively:
295
+
296
+ knife bootstrap windows winrm web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password"
297
+ knife bootstrap windows winrm db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password"
298
+
299
+ The remote system may also be configured with an SSL WinRM listener instead of a
300
+ plaintext listener. Then the above commands should be modified to use the SSL
301
+ transport as follows using the `-t` (or `--winrm-transport`) option with the
302
+ `ssl` argument:
303
+
304
+ knife bootstrap windows winrm -t ssl web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password" -f ~/mycert.crt
305
+ knife bootstrap windows winrm -t ssl db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password" ~/mycert.crt
306
+
307
+ ### Troubleshooting authentication
308
+
309
+ Unencrypted traffic with Basic authentication should only be used for low level wire protocol debugging. The configuration for plain text connectivity to
310
+ the remote system may be accomplished with the following PowerShell commands:
311
+
312
+ ```powershell
313
+ set-item wsman:\localhost\service\allowunencrypted $true
314
+ set-item wsman:\localhost\service\auth\basic $true
315
+ ```
316
+ To use basic authentication connectivity via `knife-windows`, the default
317
+ authentication protocol of Negotiate must be overridden using the
318
+ `--winrm-authentication-protocol` option with the desired protocol, in this
319
+ case Basic:
320
+
321
+ knife winrm -m web1.cloudapp.net --winrm-authentication-protocol basic ipconfig -x localadmin -P "super_secret_password"
322
+
323
+ Note that when using Basic authentication, domain accounts may not be used for
324
+ authentication; an account local to the remote system must be used.
325
+
326
+ ### Platform WinRM authentication support
327
+
328
+ `knife-windows` supports `Kerberos`, `Negotiate`, and `Basic` authentication
329
+ for WinRM communication.
330
+
331
+ The following table shows the authentication protocols that can be used with
332
+ `knife-windows` depending on whether the knife workstation is a Windows
333
+ system, the transport, and whether or not the target user is a domain user or
334
+ local to the target Windows system.
335
+
336
+ > \* There is a known defect in the `knife winrm` and `knife bootstrap windows
337
+ > winrm` subcommands invoked on any OS platform when authenticating with the Negotiate protocol over
338
+ > the SSL transport. The defect is tracked by
339
+ > [knife-windows issue #176](https://github.com/chef/knife-windows/issues/176): If the remote system is
340
+ > domain-joined, local accounts may not be used to authenticate via Negotiate
341
+ > over SSL -- only domain accounts will work. Local accounts will only
342
+ > successfully authenticate if the system is not joined to a domain.
343
+ >
344
+ > This is generally not an issue for bootstrap scenarios, where the
345
+ > system has yet to be joined to any domain, but can be a problem for remote
346
+ > management cases after the system is domain joined. Workarounds include using
347
+ > a domain account instead or bypassing SSL and using Negotiate authentication.
348
+
349
+ ## General troubleshooting
350
+
351
+ * Windows 2008R2 and earlier versions require an extra configuration
352
+ for MaxTimeoutms to avoid WinRM::WinRMHTTPTransportError: Bad HTTP
353
+ response error while bootstrapping. It should be at least 300000.
354
+
355
+ `set-item wsman:\\localhost\\MaxTimeoutms 300000`
356
+
357
+ * When I run the winrm command I get: "Error: Invalid use of command line. Type "winrm -?" for help."
358
+ You're running the winrm command from PowerShell and you need to put the key/value pair in single quotes. For example:
359
+
360
+ `winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'`
361
+
362
+
363
+ ## CONTRIBUTING:
364
+
365
+ Please file bugs against the KNIFE_WINDOWS project at https://github.com/chef/knife-windows/issues.
366
+
367
+ More information on the contribution process for Chef projects can be found in the [Chef Contributions document](http://docs.chef.io/community_contributions.html).
368
+
369
+ # LICENSE:
370
+
371
+ Author:: Seth Chisamore (<schisamo@chef.io>)
372
+ Copyright:: Copyright (c) 2015 Chef Software, Inc.
373
+ License:: Apache License, Version 2.0
374
+
375
+ Licensed under the Apache License, Version 2.0 (the "License");
376
+ you may not use this file except in compliance with the License.
377
+ You may obtain a copy of the License at
378
+
379
+ http://www.apache.org/licenses/LICENSE-2.0
380
+
381
+ Unless required by applicable law or agreed to in writing, software
382
+ distributed under the License is distributed on an "AS IS" BASIS,
383
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
384
+ See the License for the specific language governing permissions and
385
+ limitations under the License.