knife-windows 1.5.0 → 1.6.0

Files changed (48)
  1. checksums.yaml +4 -4
  2. data/.travis.yml +26 -26
  3. data/CHANGELOG.md +131 -121
  4. data/DOC_CHANGES.md +22 -14
  5. data/Gemfile +14 -13
  6. data/README.md +400 -392
  7. data/RELEASE_NOTES.md +2 -26
  8. data/appveyor.yml +39 -39
  9. data/ci.gemfile +16 -16
  10. data/knife-windows.gemspec +25 -25
  11. data/lib/chef/knife/bootstrap/windows-chef-client-msi.erb +246 -233
  12. data/lib/chef/knife/bootstrap_windows_base.rb +443 -454
  13. data/lib/chef/knife/bootstrap_windows_ssh.rb +116 -115
  14. data/lib/chef/knife/bootstrap_windows_winrm.rb +102 -95
  15. data/lib/chef/knife/core/windows_bootstrap_context.rb +378 -378
  16. data/lib/chef/knife/knife_windows_base.rb +33 -33
  17. data/lib/chef/knife/windows_cert_generate.rb +155 -155
  18. data/lib/chef/knife/windows_cert_install.rb +68 -68
  19. data/lib/chef/knife/windows_helper.rb +36 -36
  20. data/lib/chef/knife/windows_listener_create.rb +107 -107
  21. data/lib/chef/knife/winrm.rb +122 -122
  22. data/lib/chef/knife/winrm_base.rb +123 -117
  23. data/lib/chef/knife/winrm_knife_base.rb +306 -305
  24. data/lib/chef/knife/winrm_session.rb +97 -91
  25. data/lib/chef/knife/winrm_shared_options.rb +47 -47
  26. data/lib/chef/knife/wsman_endpoint.rb +44 -44
  27. data/lib/chef/knife/wsman_test.rb +118 -118
  28. data/lib/knife-windows/path_helper.rb +234 -234
  29. data/lib/knife-windows/version.rb +6 -6
  30. data/spec/assets/win_template_rendered_with_bootstrap_install_command.txt +223 -223
  31. data/spec/assets/win_template_rendered_with_bootstrap_install_command_on_12_5_client.txt +223 -223
  32. data/spec/assets/win_template_rendered_without_bootstrap_install_command.txt +335 -335
  33. data/spec/assets/win_template_rendered_without_bootstrap_install_command_on_12_5_client.txt +335 -335
  34. data/spec/dummy_winrm_connection.rb +21 -0
  35. data/spec/functional/bootstrap_download_spec.rb +236 -241
  36. data/spec/spec_helper.rb +94 -94
  37. data/spec/unit/knife/bootstrap_options_spec.rb +157 -155
  38. data/spec/unit/knife/bootstrap_template_spec.rb +98 -98
  39. data/spec/unit/knife/bootstrap_windows_winrm_spec.rb +423 -426
  40. data/spec/unit/knife/core/windows_bootstrap_context_spec.rb +177 -177
  41. data/spec/unit/knife/windows_cert_generate_spec.rb +90 -90
  42. data/spec/unit/knife/windows_cert_install_spec.rb +51 -51
  43. data/spec/unit/knife/windows_listener_create_spec.rb +76 -76
  44. data/spec/unit/knife/winrm_session_spec.rb +71 -76
  45. data/spec/unit/knife/winrm_spec.rb +500 -508
  46. data/spec/unit/knife/wsman_test_spec.rb +209 -209
  47. metadata +16 -17
  48. data/spec/dummy_winrm_service.rb +0 -24
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 2626d5fa8eb4c9f59c5fa6d78548a75da2f13191
4
- data.tar.gz: c368fddf73e2377cde52ec84ca97d0bc6173d0fa
3
+ metadata.gz: ecb337e248b812ce32f26edcf172c27d14f3b65c
4
+ data.tar.gz: 743d0ff57967c01fbd00be60c31ad4bc3aa7bb0c
5
5
  SHA512:
6
- metadata.gz: e428bb9f8143cb39f06c00c9f668de98a53d7fb561927a3a96068472888f50b905335cc10b10a2822c7c7fe2a6402deb0fbb0324b9a468781cc9461c2e1b1464
7
- data.tar.gz: 765c2b04b88c9f30ff13f7e1d865d836f9562223f6a189f53d563db23be793a31ca496ccced45783f70415fa21bfc92e4772c934494b5f7f9184d344f7b0b8cd
6
+ metadata.gz: 3265ed321b53251c71fc81239b67903016eed4f19a8ee743e116ddf50aae225b257ca2ff9adaa80a9c0dfeb2d94a8dd8af75c35c371cf3bf590bd98938bb6571
7
+ data.tar.gz: c67d95887c01fc68e71f743a49ca35ac450a0b1228ac1062721d8dc1b72fd0f7efcc81019748872ab633d4be03af5e41e66d8edc6d67e972bf332d75dd785df4
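Review bot: both the SHA1 and SHA512 entries change, which is expected for a rebuilt gem, but these are integrity checksums of metadata.gz and data.tar.gz computed at packaging time, not a signature, and a checksums.yaml shipped inside the package cannot vouch for the package it travels with. A consumer verifying 1.6.0 should compare the SHA512 values (the SHA1 lines are kept by RubyGems for compatibility only) against the artifact actually fetched from the registry, for example `gem fetch knife-windows -v 1.6.0`, `tar xf knife-windows-1.6.0.gem`, `sha512sum data.tar.gz`, and this diff should be read as the record of what the publisher uploaded rather than as proof of it.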
data/.travis.yml CHANGED
@@ -1,26 +1,26 @@
1
- language: ruby
2
-
3
- rvm:
4
- - 2.1
5
- - 2.2
6
-
7
- before_install:
8
- - gem install bundler
9
-
10
- gemfile: ci.gemfile
11
-
12
- env:
13
- - CHEF_VERSION="master"
14
- - CHEF_VERSION="~> 12.0"
15
- - CHEF_VERSION="< 12"
16
-
17
- matrix:
18
- exclude:
19
- - rvm: 2.1
20
- env: CHEF_VERSION="master"
21
- - rvm: 2.1
22
- env: CHEF_VERSION="~> 12.0"
23
-
24
- branches:
25
- only:
26
- - master
1
+ language: ruby
2
+
3
+ rvm:
4
+ - 2.1
5
+ - 2.2
6
+
7
+ before_install:
8
+ - gem install bundler
9
+
10
+ gemfile: ci.gemfile
11
+
12
+ env:
13
+ - CHEF_VERSION="master"
14
+ - CHEF_VERSION="~> 12.0"
15
+ - CHEF_VERSION="< 12"
16
+
17
+ matrix:
18
+ exclude:
19
+ - rvm: 2.1
20
+ env: CHEF_VERSION="master"
21
+ - rvm: 2.1
22
+ env: CHEF_VERSION="~> 12.0"
23
+
24
+ branches:
25
+ only:
26
+ - master
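Review bot: every line of .travis.yml is removed and re-added with identical content, so this hunk is a line-ending or trailing-whitespace change, not a configuration change, and the equal +N/-N counts in the file list (CHANGELOG.md, README.md, the spec assets and most of lib/) indicate the whole gem was re-packaged with different line endings, which buries the real edits in those files under full rewrites. Regenerate the comparison with whitespace ignored (`git diff -w` or `git diff --ignore-cr-at-eol` when the sources are in git) so reviewers see the actual changes, and pin line endings with a `.gitattributes` entry such as `* text=auto eol=lf` so the next release does not repeat this. On the content itself: the matrix excludes Ruby 2.1 for both `CHEF_VERSION="master"` and `CHEF_VERSION="~> 12.0"`, so 2.1 is only ever exercised against Chef < 12; that support boundary should be stated in the README rather than left implicit in CI.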
data/CHANGELOG.md CHANGED
@@ -1,121 +1,131 @@
1
- # knife-windows Change Log
2
-
3
- ## Release 1.5.0
4
-
5
- * [knife-windows #377](https://github.com/chef/knife-windows/pull/377) Added code and corresponding RSpecs to read the json attributes from the --json-attributes-file option.
6
-
7
- ## Release 1.4.1
8
-
9
- * [knife-windows #362](https://github.com/chef/knife-windows/pull/362) Fix `knife windows bootstrap` chef client downloads over a proxy
10
- * [knife-windows #367](https://github.com/chef/knife-windows/pull/367) Honor chef's ssl_policy when making winrm calls
11
-
12
- ## Release 1.4.0
13
-
14
- * [knife-windows #354](https://github.com/chef/knife-windows/pull/354) Allows the user to specify the architecture they want to install on the target system during `knife bootstrap windows`. In your knife config specify `knife[:bootstrap_architecture]`. Valid values are `:i386` for 32 bit or `:x86_64` for 64 bit. By default the architecture will be whatever the target system is. If you try to install a 64 bit package on a 32 bit system you will receive an error.
15
- * [knife-windows #352](https://github.com/chef/knife-windows/pull/352) Have client.rb verify that FIPS mode can be enforced
16
-
17
- ## Release 1.3.0
18
- * [knife-windows #349](https://github.com/chef/knife-windows/pull/349) Pulls in Winrm 1.7.0 which now consumes rubyntlm 0.6.0 to support Extended Protection for Authentication (aka channel binding) for NTLM over TLS
19
- * [knife-windows #350](https://github.com/chef/knife-windows/pull/350) Adding a `--ssl-peer-fingerprint` option as an alternative to `--winrm-ssl-verify-mode verify_none` in self signed scenarios
20
-
21
- ## Release 1.2.1
22
- * [knife-windows #341](https://github.com/chef/knife-windows/pull/341) Removes nokogiri dependency and adds UX fixes for `knife wsman test` when probing a SSL endpoint configured with a self signed certificate
23
-
24
- ## Release 1.2.0
25
- * [knife-windows #334](https://github.com/chef/knife-windows/pull/334) Uses Negotiate authentication via winrm 1.6 on both windows and linux and drops winrm-s dependency
26
-
27
- ## Release 1.1.4
28
- * Bumps winrm-s and winrm dependencies to address a winrm-s incompatibility bug with winrm 1.5
29
-
30
- ## Release 1.1.3
31
- * [knife-windows #329](https://github.com/chef/knife-windows/pull/329) Pin to a minimum winrm-s of 0.3.2 addressing encoding issues in 0.3.1
32
-
33
- ## Release 1.1.2
34
- * [knife-windows #317](https://github.com/chef/knife-windows/pull/317) Update Vault after client is created
35
- * [knife-windows #325](https://github.com/chef/knife-windows/pull/325) Fix proxy configuration to work with chef client 12.6.0
36
- * [knife-windows #326](https://github.com/chef/knife-windows/pull/326) Support new `ssh_identity_file` bootstrap argument
37
-
38
- ## Release 1.1.1
39
- * [knife-windows #307](https://github.com/chef/knife-windows/pull/307) Ensure prompted password is passed to winrm session
40
- * [knife-windows #311](https://github.com/chef/knife-windows/issues/311) WinRM bootstrap silently fails
41
-
42
- ## Release 1.1.0
43
- * [knife-windows #302](https://github.com/chef/knife-windows/pull/302) Address regression caused by chef client 12.5 environment argument
44
- * [knife-windows #295](https://github.com/chef/knife-windows/issues/295) Bootstrap missing policy_group, policy_name feature from Chef Client 12.5
45
- * [knife-windows #296](https://github.com/chef/knife-windows/issues/296) Installing knife-windows produces warning for _all_ knife commands in Mac OS X with ChefDK 0.8.0
46
- * [knife-windows #297](https://github.com/chef/knife-windows/pull/297) use configured proxy settings for all winrm sessions
47
-
48
- ## Release 1.0.0
49
-
50
- * [knife-windows #281](https://github.com/chef/knife-windows/pull/281) Prevent unencrypted negotiate auth, automatically prefix local usernames with '.' for negotiate
51
- * [knife-windows #275](https://github.com/chef/knife-windows/pull/275) Added bootstrap\_install\_command option in parity with knife bootstrap
52
- * [knife-windows #240](https://github.com/chef/knife-windows/pull/240) Change kerberos keytab short option to -T to resolve conflict
53
- * [knife-windows #232](https://github.com/chef/knife-windows/pull/232) Adding --hint option to bootstrap
54
- * [knife-windows #227](https://github.com/chef/knife-windows/issues/227) Exception: NoMethodError: undefined method 'gsub' for false:FalseClass
55
- * [knife-windows #222](https://github.com/chef/knife-windows/issues/222) Validatorless bootstrap support
56
- * [knife-windows #202](https://github.com/chef/knife-windows/issues/202) knife bootstrap windows should support enabling the service
57
- * [knife-windows #213](https://github.com/chef/knife-windows/pull/213) Search possibilities of HOME for bootstrap templates
58
- * [knife-windows #206](https://github.com/chef/knife-windows/pull/206) Add a flag msi_url that allows one to fetch the Chef client msi from a non-chef.io path
59
- * [knife-windows #192](https://github.com/chef/knife-windows/issues/192) deprecate knife bootstrap --distro
60
- * [knife-windows #159](https://github.com/opscode/knife-windows/issues/159) `winrm_port` option should default to 5986 if `winrm_transport` option is `ssl`
61
- * [knife-windows #149](https://github.com/chef/knife-windows/pull/149) Adding knife wsman test to validate WSMAN/WinRM availability
62
- * [knife-windows #139](https://github.com/opscode/knife-windows/issues/139) Force dev dependency on Chef 11 for test scenarios to avoid Ohai 8 conflict on Ruby 1.9.x
63
- * [knife-windows #126](https://github.com/opscode/knife-windows/pull/126) Allow disabling of SSL peer verification in knife-windows for testing
64
- * [knife-windows #154](https://github.com/opscode/knife-windows/issues/154) Unreleased regression in master: NameError: undefined local variable or method `path_separator
65
- * [knife-windows #143](https://github.com/opscode/knife-windows/issues/143) Unreleased regression in master: WinRM::WinRMHTTPTransportError: Bad HTTP response returned from server (503) in the middle of bootstrap
66
- * [knife-windows #133](https://github.com/opscode/knife-windows/issues/133) Bootstrap failure -- unable to validate SSL chef server endpoints
67
- * [knife-windows #132](https://github.com/opscode/knife-windows/issues/132) New subcommands for WinRM: windows listener create, cert generate, and cert install
68
- * [knife-windows #129](https://github.com/opscode/knife-windows/issues/129) New --winrm-authentication-protocol option for explicit control of authentication
69
- * [knife-windows #125](https://github.com/opscode/knife-windows/issues/125) knife-windows should use PowerShell first before cscript to download the Chef Client msi
70
- * [knife-windows #92](https://github.com/opscode/knife-windows/issues/92) EventMachine issue: knife bootstrap windows winrm error
71
- * [knife-windows #94](https://github.com/opscode/knife-windows/issues/94) Remove Eventmachine dependency
72
- * [knife-windows #252](https://github.com/chef/knife-windows/pull/252) Fail early on ECONNREFUSED, Closes #244.
73
- * [knife-windows #260](https://github.com/chef/knife-windows/pull/260) Fail quickly on invalid option combinations, Closes #259
74
-
75
- ## Release: 0.8.5
76
- * [knife-windows #228](https://github.com/chef/knife-windows/pull/228) make winrm-s dep more strict on knife-windows 0.8.x
77
-
78
- ## Release: 0.8.4
79
- * [knife-windows #133](https://github.com/opscode/knife-windows/issues/133) Bootstrap failure -- unable to validate SSL chef server endpoints
80
-
81
- ## Release: 0.8.3
82
- * [knife-windows #131](https://github.com/opscode/knife-windows/issues/108) Issue #131: Windows should be bootstrapped using latest Chef Client version compatible with knife's version just like non-Windows systems
83
- * [knife-windows #139](https://github.com/opscode/knife-windows/issues/139) Force dev dependency on Chef 11 for test scenarios to avoid Ohai 8 conflict on Ruby 1.9.x
84
-
85
- ## Release: 0.8.2
86
- * [knife-windows #108](https://github.com/opscode/knife-windows/issues/108) Error: Unencrypted communication not supported if remote server does not require encryption
87
-
88
- ## Release: 0.8.0
89
- * [knife-windows #98](https://github.com/opscode/knife-windows/issues/98) Get winrm command exit code if it is not expected
90
- * [knife-windows #96](https://github.com/opscode/knife-windows/issues/96) Fix break from OS patch KB2918614
91
- * Remove the 'instance data' method of creating EC2 servers
92
- * Update winrm-s dependency along with em-winrm and winrm dependencies
93
- * Return failure codes from knife winrm even when `returns` is not set
94
- * Support Windows negotiate authentication protocol when running knife on Windows
95
-
96
- ## Release: 0.6.0 (05/08/2014)
97
-
98
- * [KNIFE-386](https://tickets.opscode.com/browse/KNIFE-386) Wait for a valid command response before bootstrapping over WinRM
99
- * [KNIFE-394](https://tickets.opscode.com/browse/KNIFE-394) Update em-winrm dependency
100
- * [KNIFE-450](https://tickets.opscode.com/browse/KNIFE-450) Set knife winrm command exit status on exception and command failure
101
-
102
- **See source control commit history for earlier changes.**
103
-
104
- ## Selected release notes
105
- These are release notes from very early releases of the plugin. For recent
106
- releases (2014 and later), see the RELEASE_NOTES.md file of each tagged release branch.
107
-
108
- Release Notes - Knife Windows Plugin - Version 0.5.6
109
-
110
- ** New Feature
111
- * new default bootstrap template that installs Chef using official chef-client MSI installer
112
-
113
- Release Notes - Knife Windows Plugin - Version 0.5.4
114
-
115
- ** Bug
116
- * [KNIFE\_WINDOWS-7] - Exception: NoMethodError: undefined method `env_namespace' for Savon:Module
117
- * [KNIFE\_WINDOWS-8] - winrm based bootstrap fails with 'Bad HTTP response returned from server (500)'
118
-
119
-
120
- ** New Feature
121
- * [KNIFE\_WINDOWS-6] - default bootstrap template should support encrypted\_data\_bag\_secret
1
+ # knife-windows Change Log
2
+
3
+ ## Release 1.6.0
4
+
5
+ * [knife-windows #393](https://github.com/chef/knife-windows/pull/393) Add documentation of the --msi-url option
6
+ * [knife-windows #392](https://github.com/chef/knife-windows/pull/392) Use winrm v2 and allow users to pass a shell
7
+ * [knife-windows #388](https://github.com/chef/knife-windows/pull/388) fix #386 swallowing node_ssl_verify_mode value
8
+ * [knife-windows #385](https://github.com/chef/knife-windows/pull/385) Fixed win 2008 64bit ssh bootstrap command hanging
9
+ * [knife-windows #384](https://github.com/chef/knife-windows/pull/384) Fix for architechture detection issue for 64 bit
10
+ * [knife-windows #381](https://github.com/chef/knife-windows/pull/381) Add validation for FQDN value
11
+ * [knife-windows #380](https://github.com/chef/knife-windows/pull/380) Fixing bootstrap via ssh regression
12
+
13
+ ## Release 1.5.0
14
+
15
+ * [knife-windows #377](https://github.com/chef/knife-windows/pull/377) Added code and corresponding RSpecs to read the json attributes from the --json-attributes-file option.
16
+
17
+ ## Release 1.4.1
18
+
19
+ * [knife-windows #362](https://github.com/chef/knife-windows/pull/362) Fix `knife windows bootstrap` chef client downloads over a proxy
20
+ * [knife-windows #367](https://github.com/chef/knife-windows/pull/367) Honor chef's ssl_policy when making winrm calls
21
+
22
+ ## Release 1.4.0
23
+
24
+ * [knife-windows #354](https://github.com/chef/knife-windows/pull/354) Allows the user to specify the architecture they want to install on the target system during `knife bootstrap windows`. In your knife config specify `knife[:bootstrap_architecture]`. Valid values are `:i386` for 32 bit or `:x86_64` for 64 bit. By default the architecture will be whatever the target system is. If you try to install a 64 bit package on a 32 bit system you will receive an error.
25
+ * [knife-windows #352](https://github.com/chef/knife-windows/pull/352) Have client.rb verify that FIPS mode can be enforced
26
+
27
+ ## Release 1.3.0
28
+ * [knife-windows #349](https://github.com/chef/knife-windows/pull/349) Pulls in Winrm 1.7.0 which now consumes rubyntlm 0.6.0 to support Extended Protection for Authentication (aka channel binding) for NTLM over TLS
29
+ * [knife-windows #350](https://github.com/chef/knife-windows/pull/350) Adding a `--ssl-peer-fingerprint` option as an alternative to `--winrm-ssl-verify-mode verify_none` in self signed scenarios
30
+
31
+ ## Release 1.2.1
32
+ * [knife-windows #341](https://github.com/chef/knife-windows/pull/341) Removes nokogiri dependency and adds UX fixes for `knife wsman test` when probing a SSL endpoint configured with a self signed certificate
33
+
34
+ ## Release 1.2.0
35
+ * [knife-windows #334](https://github.com/chef/knife-windows/pull/334) Uses Negotiate authentication via winrm 1.6 on both windows and linux and drops winrm-s dependency
36
+
37
+ ## Release 1.1.4
38
+ * Bumps winrm-s and winrm dependencies to address a winrm-s incompatibility bug with winrm 1.5
39
+
40
+ ## Release 1.1.3
41
+ * [knife-windows #329](https://github.com/chef/knife-windows/pull/329) Pin to a minimum winrm-s of 0.3.2 addressing encoding issues in 0.3.1
42
+
43
+ ## Release 1.1.2
44
+ * [knife-windows #317](https://github.com/chef/knife-windows/pull/317) Update Vault after client is created
45
+ * [knife-windows #325](https://github.com/chef/knife-windows/pull/325) Fix proxy configuration to work with chef client 12.6.0
46
+ * [knife-windows #326](https://github.com/chef/knife-windows/pull/326) Support new `ssh_identity_file` bootstrap argument
47
+
48
+ ## Release 1.1.1
49
+ * [knife-windows #307](https://github.com/chef/knife-windows/pull/307) Ensure prompted password is passed to winrm session
50
+ * [knife-windows #311](https://github.com/chef/knife-windows/issues/311) WinRM bootstrap silently fails
51
+
52
+ ## Release 1.1.0
53
+ * [knife-windows #302](https://github.com/chef/knife-windows/pull/302) Address regression caused by chef client 12.5 environment argument
54
+ * [knife-windows #295](https://github.com/chef/knife-windows/issues/295) Bootstrap missing policy_group, policy_name feature from Chef Client 12.5
55
+ * [knife-windows #296](https://github.com/chef/knife-windows/issues/296) Installing knife-windows produces warning for _all_ knife commands in Mac OS X with ChefDK 0.8.0
56
+ * [knife-windows #297](https://github.com/chef/knife-windows/pull/297) use configured proxy settings for all winrm sessions
57
+
58
+ ## Release 1.0.0
59
+
60
+ * [knife-windows #281](https://github.com/chef/knife-windows/pull/281) Prevent unencrypted negotiate auth, automatically prefix local usernames with '.' for negotiate
61
+ * [knife-windows #275](https://github.com/chef/knife-windows/pull/275) Added bootstrap\_install\_command option in parity with knife bootstrap
62
+ * [knife-windows #240](https://github.com/chef/knife-windows/pull/240) Change kerberos keytab short option to -T to resolve conflict
63
+ * [knife-windows #232](https://github.com/chef/knife-windows/pull/232) Adding --hint option to bootstrap
64
+ * [knife-windows #227](https://github.com/chef/knife-windows/issues/227) Exception: NoMethodError: undefined method 'gsub' for false:FalseClass
65
+ * [knife-windows #222](https://github.com/chef/knife-windows/issues/222) Validatorless bootstrap support
66
+ * [knife-windows #202](https://github.com/chef/knife-windows/issues/202) knife bootstrap windows should support enabling the service
67
+ * [knife-windows #213](https://github.com/chef/knife-windows/pull/213) Search possibilities of HOME for bootstrap templates
68
+ * [knife-windows #206](https://github.com/chef/knife-windows/pull/206) Add a flag msi_url that allows one to fetch the Chef client msi from a non-chef.io path
69
+ * [knife-windows #192](https://github.com/chef/knife-windows/issues/192) deprecate knife bootstrap --distro
70
+ * [knife-windows #159](https://github.com/opscode/knife-windows/issues/159) `winrm_port` option should default to 5986 if `winrm_transport` option is `ssl`
71
+ * [knife-windows #149](https://github.com/chef/knife-windows/pull/149) Adding knife wsman test to validate WSMAN/WinRM availability
72
+ * [knife-windows #139](https://github.com/opscode/knife-windows/issues/139) Force dev dependency on Chef 11 for test scenarios to avoid Ohai 8 conflict on Ruby 1.9.x
73
+ * [knife-windows #126](https://github.com/opscode/knife-windows/pull/126) Allow disabling of SSL peer verification in knife-windows for testing
74
+ * [knife-windows #154](https://github.com/opscode/knife-windows/issues/154) Unreleased regression in master: NameError: undefined local variable or method `path_separator
75
+ * [knife-windows #143](https://github.com/opscode/knife-windows/issues/143) Unreleased regression in master: WinRM::WinRMHTTPTransportError: Bad HTTP response returned from server (503) in the middle of bootstrap
76
+ * [knife-windows #133](https://github.com/opscode/knife-windows/issues/133) Bootstrap failure -- unable to validate SSL chef server endpoints
77
+ * [knife-windows #132](https://github.com/opscode/knife-windows/issues/132) New subcommands for WinRM: windows listener create, cert generate, and cert install
78
+ * [knife-windows #129](https://github.com/opscode/knife-windows/issues/129) New --winrm-authentication-protocol option for explicit control of authentication
79
+ * [knife-windows #125](https://github.com/opscode/knife-windows/issues/125) knife-windows should use PowerShell first before cscript to download the Chef Client msi
80
+ * [knife-windows #92](https://github.com/opscode/knife-windows/issues/92) EventMachine issue: knife bootstrap windows winrm error
81
+ * [knife-windows #94](https://github.com/opscode/knife-windows/issues/94) Remove Eventmachine dependency
82
+ * [knife-windows #252](https://github.com/chef/knife-windows/pull/252) Fail early on ECONNREFUSED, Closes #244.
83
+ * [knife-windows #260](https://github.com/chef/knife-windows/pull/260) Fail quickly on invalid option combinations, Closes #259
84
+
85
+ ## Release: 0.8.5
86
+ * [knife-windows #228](https://github.com/chef/knife-windows/pull/228) make winrm-s dep more strict on knife-windows 0.8.x
87
+
88
+ ## Release: 0.8.4
89
+ * [knife-windows #133](https://github.com/opscode/knife-windows/issues/133) Bootstrap failure -- unable to validate SSL chef server endpoints
90
+
91
+ ## Release: 0.8.3
92
+ * [knife-windows #131](https://github.com/opscode/knife-windows/issues/108) Issue #131: Windows should be bootstrapped using latest Chef Client version compatible with knife's version just like non-Windows systems
93
+ * [knife-windows #139](https://github.com/opscode/knife-windows/issues/139) Force dev dependency on Chef 11 for test scenarios to avoid Ohai 8 conflict on Ruby 1.9.x
94
+
95
+ ## Release: 0.8.2
96
+ * [knife-windows #108](https://github.com/opscode/knife-windows/issues/108) Error: Unencrypted communication not supported if remote server does not require encryption
97
+
98
+ ## Release: 0.8.0
99
+ * [knife-windows #98](https://github.com/opscode/knife-windows/issues/98) Get winrm command exit code if it is not expected
100
+ * [knife-windows #96](https://github.com/opscode/knife-windows/issues/96) Fix break from OS patch KB2918614
101
+ * Remove the 'instance data' method of creating EC2 servers
102
+ * Update winrm-s dependency along with em-winrm and winrm dependencies
103
+ * Return failure codes from knife winrm even when `returns` is not set
104
+ * Support Windows negotiate authentication protocol when running knife on Windows
105
+
106
+ ## Release: 0.6.0 (05/08/2014)
107
+
108
+ * [KNIFE-386](https://tickets.opscode.com/browse/KNIFE-386) Wait for a valid command response before bootstrapping over WinRM
109
+ * [KNIFE-394](https://tickets.opscode.com/browse/KNIFE-394) Update em-winrm dependency
110
+ * [KNIFE-450](https://tickets.opscode.com/browse/KNIFE-450) Set knife winrm command exit status on exception and command failure
111
+
112
+ **See source control commit history for earlier changes.**
113
+
114
+ ## Selected release notes
115
+ These are release notes from very early releases of the plugin. For recent
116
+ releases (2014 and later), see the RELEASE_NOTES.md file of each tagged release branch.
117
+
118
+ Release Notes - Knife Windows Plugin - Version 0.5.6
119
+
120
+ ** New Feature
121
+ * new default bootstrap template that installs Chef using official chef-client MSI installer
122
+
123
+ Release Notes - Knife Windows Plugin - Version 0.5.4
124
+
125
+ ** Bug
126
+ * [KNIFE\_WINDOWS-7] - Exception: NoMethodError: undefined method `env_namespace' for Savon:Module
127
+ * [KNIFE\_WINDOWS-8] - winrm based bootstrap fails with 'Bad HTTP response returned from server (500)'
128
+
129
+
130
+ ** New Feature
131
+ * [KNIFE\_WINDOWS-6] - default bootstrap template should support encrypted\_data\_bag\_secret
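Review bot: the seven 1.6.0 entries are the only substantive change in this hunk (the remainder is a whole-file rewrite with unchanged text), and two of them are too terse for the operators who depend on them. The #388 line, "fix #386 swallowing node_ssl_verify_mode value", does not say what a bootstrapped node ended up with while the value was being dropped; because this setting decides whether chef-client verifies the Chef server certificate, the entry should state the affected knife-windows versions and the resulting client.rb behaviour so users of 1.5.0 can audit nodes they already bootstrapped. The #392 line should name the new `--winrm-shell` option (it is described in RELEASE_NOTES.md in this same release), list the accepted values and say that `elevated` runs the command from a scheduled task rather than inside the WinRM session. Minor: "architechture" in the #384 line, and the pre-existing 0.8.3 entry for #131 links to issues/108 instead of issues/131.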
data/DOC_CHANGES.md CHANGED
@@ -1,14 +1,22 @@
1
- <!---
2
- This file is reset every time a new release is done. This file describes changes that have not yet been released.
3
-
4
- Example Doc Change:
5
- ### Headline for the required change
6
- Description of the required change.
7
- -->
8
- # knife-windows 1.2.0 doc changes
9
-
10
- ### Support for NTLM/Negotiate on both windows and linux
11
-
12
- This release makes no changes to the command line interface, but users should now be aware that Negotiate authentication and encryption over plaintext HTTP now works on linux in addition to windows.
13
-
14
- Users who use knife-windows to bootstrap nodes over plaintext HTTP should also be aware that they no longer need, and in fact should not, configure base images enabling `basic_auth` or enabling `AllowUnencrypted` in their winrm configuration.
1
+ <!---
2
+ This file is reset every time a new release is done. This file describes changes that have not yet been released.
3
+
4
+ Example Doc Change:
5
+ ### Headline for the required change
6
+ Description of the required change.
7
+ -->
8
+ # knife-windows 1.6.0 doc changes
9
+
10
+ ### Choosing a winrm shell
11
+
12
+ <!---
13
+ This file is reset every time a new release is done. The contents of this file are for the currently unreleased version.
14
+
15
+ Example Note:
16
+
17
+ ## Example Heading
18
+ Details about the thing that changed that needs to get included in the Release Notes in markdown.
19
+ -->
20
+ # knife-windows 1.6.0 release notes:
21
+
22
+ This release adds a `--winrm-shell` argument to `knife winrm`. This accepts one of three possible values: `cmd`, `powershell` or `elevated`. The default value is `cmd`. The `elevated` shell is similar to the `powershell` shell but runs the powershell command from a scheduled task.
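Review bot: the new file content looks like a paste error: the "### Choosing a winrm shell" heading has no body, and everything after it (a second HTML comment saying "The contents of this file are for the currently unreleased version", the "Example Note" template and the "# knife-windows 1.6.0 release notes:" heading with its paragraph) is the RELEASE_NOTES.md template, not a doc change. Remove that second block and write the doc change under the heading: which subcommands accept `--winrm-shell`, the three values `cmd`, `powershell` and `elevated`, that `cmd` is the default, and for `elevated` that the command is executed from a scheduled task rather than within the WinRM session, since that is the privilege detail the published docs must explain before users reach for it. Separately, resetting the file drops the 1.2.0 guidance that base images bootstrapped over plaintext HTTP should not enable `basic_auth` or `AllowUnencrypted`; confirm that advice already lives in the published docs, otherwise carry it over rather than lose it with the reset.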
data/Gemfile CHANGED
@@ -1,13 +1,14 @@
1
- source "https://rubygems.org"
2
-
3
- # Specify your gem's dependencies in knife-windows.gemspec
4
- gemspec
5
-
6
- group :test do
7
- gem "chef"
8
- gem "rspec", '~> 3.0'
9
- gem "ruby-wmi"
10
- gem "httpclient"
11
- gem 'rake'
12
- gem "rack", "< 2.0" # 2.0 requires Ruby 2.2+
13
- end
1
+ source "https://rubygems.org"
2
+
3
+ # Specify your gem's dependencies in knife-windows.gemspec
4
+ gemspec
5
+
6
+ gem 'rb-readline'
7
+ group :test do
8
+ gem "chef"
9
+ gem "rspec", '~> 3.0'
10
+ gem "ruby-wmi"
11
+ gem "httpclient"
12
+ gem 'rake'
13
+ gem "rack", "< 2.0" # 2.0 requires Ruby 2.2+
14
+ end
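Review bot: `gem 'rb-readline'` is added at top level with no version constraint, no group and no comment, so it is installed into every bundle built from this Gemfile, including anyone who runs `bundle install` for development, while the `ci.gemfile` that .travis.yml uses is a separate file and will not pick it up at all. If it exists to give `knife winrm` a working readline on Windows or to let the specs run, say so in a comment, move it into `group :test` (or `:development`) next to the other test-only gems, and constrain the version the way `rspec` and `rack` are; if it is a runtime need of the plugin it belongs in the gemspec, not here.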
data/README.md CHANGED
@@ -1,392 +1,400 @@
1
- Knife Windows Plugin
2
- ====================
3
- [![Build Status Master](https://travis-ci.org/chef/knife-windows.svg?branch=master)](https://travis-ci.org/chef/knife-windows)
4
- [![Build Status Master](https://ci.appveyor.com/api/projects/status/github/chef/knife-windows?branch=master&svg=true&passingText=master%20-%20Ok&pendingText=master%20-%20Pending&failingText=master%20-%20Failing)](https://ci.appveyor.com/project/Chef/knife-windows/branch/master)
5
- [![Gem Version](https://badge.fury.io/rb/knife-windows.svg)](https://badge.fury.io/rb/knife-windows)
6
-
7
- This plugin adds additional functionality to the Chef Knife CLI tool for
8
- configuring / interacting with nodes running Microsoft Windows:
9
-
10
- * Bootstrap of nodes via the [Windows Remote Management (WinRM)](http://msdn.microsoft.com/en-us/library/aa384426\(v=VS.85\).aspx) or SSH protocols
11
- * Remote command execution using the WinRM protocol
12
- * Utilities to configure WinRM SSL endpoints on managed nodes
13
-
14
- ## Subcommands
15
-
16
- This plugin provides the following Knife subcommands. Specific command options can be found by invoking the subcommand with a `--help` flag
17
-
18
- ### knife winrm
19
-
20
- The `winrm` subcommand allows you to invoke commands in parallel on a subset of the nodes in your infrastructure. The `winrm` subcommand uses the same syntax as the [search subcommand](https://docs.chef.io/knife_search.html); you could could find the uptime of all your web servers using the command:
21
-
22
- knife winrm "role:web" "net stats srv" -x Administrator -P 'super_secret_password'
23
-
24
- Or force a chef run:
25
-
26
- knife winrm "myserver.myorganization.net" "chef-client -c c:/chef/client.rb" -m -x Administrator -P "super_secret_password"
27
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:49 +0000] INFO: Starting Chef Run (Version 0.9.12)
28
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:50 +0000] WARN: Node ip-0A502FFB has an empty run list.
29
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Chef Run complete in 4.383966 seconds
30
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: cleaning the checksum cache
31
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Running report handlers
32
- myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Report handlers complete
33
-
34
- This subcommand operates in a manner similar to [knife ssh](https://docs.chef.io/knife_ssh.html)...just leveraging the WinRM protocol for communication. It also includes `knife ssh`'s "[interactive session mode](https://docs.chef.io/knife_ssh.html#options)"
35
-
36
- ### knife bootstrap windows winrm
37
-
38
- Performs a Chef Bootstrap (via the WinRM protocol) on the target node. The goal of the bootstrap is to get Chef installed on the target system so it can run Chef Client with a Chef Server. The main assumption is a baseline OS installation exists. It is primarily intended for Chef Client systems that talk to a Chef server.
39
-
40
- This subcommand operates in a manner similar to [knife bootstrap](https://docs.chef.io/knife_bootstrap.html)...just leveraging the WinRM protocol for communication. An initial run_list for the node can also be passed to the subcommand. Example usage:
41
-
42
- knife bootstrap windows winrm myserver.myorganization.net -r 'role[webserver],role[production]' -x Administrator -P 'super_secret_password'
43
-
44
- #### Tip: Use SSL for WinRM communication
45
-
46
- By default, the `knife winrm` and `knife bootstrap windows winrm` subcommands use a plaintext transport,
47
- but they support an option `--winrm-transport` (or `-t`) with the argument
48
- `ssl` that allows the SSL to secure the WinRM payload. Here's an example:
49
-
50
- knife winrm -t ssl "role:web" "net stats srv" -x Administrator -P "super_secret_password" -f ~/server_public_cert.crt
51
-
52
- Use of SSL is strongly recommended, particularly when invoking `knife-windows` on non-Windows platforms, since
53
- without SSL there are limited options for ensuring the privacy of the
54
- plaintext transport. See the section on [Platform authentication
55
- support](#platform-winrm-authentication-support).
56
-
57
- SSL will become the default transport in future revisions of
58
- `knife-windows`.
59
-
60
- #### Specifying the package architecture
61
-
62
- You can configure which package architecture (32 bit or 64 bit) to install on the bootstrapped system. In your knife config specify `knife[:bootstrap_architecture]`. Valid values are `:i386` for 32 bit or `:x86_64` for 64 bit. By default the architecture will be whatever the target system is. If you try to install a 64 bit package on a 32 bit system you will receive an error, but installing a 32 bit package on a 64 bit system is supported.
63
-
64
- Currently (March 2016) the `stable` channel of omnibus (where downloads using the install script fetch) only has 32 bit packages but this will be updated soon to include both 32 and 64 bit packages. Until then you will need to access the `current` channel by specifying `--prerelease` in your `knife bootstrap windows` if you want 64 bit packages.
65
-
66
- ### knife wsman test
67
-
68
- Connects to the remote WSMan/WinRM endpoint and verifies the remote node is listening. This is the equivalent of running Test-Wsman from PowerShell. Endpoints to test can be specified manually, or be driven by search and use many of the same connection options as knife winrm.
69
- To test a single node using the default WinRM port (5985)
70
-
71
- knife wsman test 192.168.1.10 -m
72
-
73
- or to test a single node with SSL enabled on the default port (5986)
74
-
75
- knife wsman test 192.168.1.10 -m --winrm-transport ssl
76
-
77
- or to test all windows nodes registered with your Chef Server organization
78
-
79
- knife wsman test platform:windows
80
-
81
- ### knife bootstrap windows ssh
82
-
83
- Performs a Chef Bootstrap (via the SSH protocol) on the target node. The goal of the bootstrap is to get Chef installed on the target system so it can run Chef Client with a Chef Server. The main assumption is a baseline OS installation exists. It is primarily intended for Chef Client systems that talk to a Chef server.
84
-
85
- This subcommand assumes the SSH session will use the Windows native cmd.exe command shell vs a bash shell through an emulated cygwin layer. Most popular Windows based SSHd daemons like [freeSSHd](http://www.freesshd.com/) and [WinSSHD](http://www.bitvise.com/winsshd) behave this way.
86
-
87
- An initial run_list for the node can also be passed to the subcommand. Example usage:
88
-
89
- knife bootstrap windows ssh myserver.myorganization.net -r "role[webserver],role[production]" -x Administrator -i ~/.ssh/id_rsa
90
-
91
- ### knife windows cert generate
92
-
93
- Generates a certificate(x509) containing a public / private key pair for WinRM 'SSL' communication.
94
- The certificate will be generated in three different formats:
95
- * **.pem** - The *.pem is Base64 encoded public certificate only. One can use this file with the `-f` argument on `knife bootstrap windows winrm` and `knife winrm` commands.
96
- * **.pfx** - The PKCS12(i.e .pfx) contains both the public and private keys, usually used on the server. This can be added to a WinRM Server's Certificate Store using `knife windows cert install` (see command description below). **Note:** Do not use the *.pfx file with the `-f` argument on the `knife bootstrap windows winrm` and `knife winrm` commands. Use the *.pem file instead.
97
- * **.b64** - The *.b64 is Base64 PKCS12 key pair. Contains both the public and private keys, for upload to the Cloud REST API. e.g. Azure.
98
-
99
- This command also displays the thumbprint of the generated certificate.
100
-
101
- knife windows cert generate --cert-passphrase "strong_passphrase" --hostname "myserver.myorganization.net" --output-file "~/server_cert.pfx"
102
- # This command will generate certificates in the user's home directory with names server_cert.b64, server_cert.pfx and server_cert.pem.
103
-
104
- ### knife windows cert install
105
-
106
- This command only functions on Windows and is intended to be run on a chef node. It adds the specified certificate to its certificate store. This command must include a valid PKCS12(i.e *.pfx) certificate file path such as the *.pfx file generated by `knife windows cert generate` described above.
107
-
108
- knife windows cert install "~/server_cert.pfx" --cert-passphrase "strong_passphrase"
109
-
110
- ### knife windows listener create
111
- This command only functions on Windows and is intended to be run on a chef node. It creates the winrm listener for SSL communication(i.e HTTPS).
112
- This command can also install certificate which is specified using --cert-install option and use the installed certificate thumbprint to create winrm listener.
113
- --hostname option is optional. Default value for hostname is *.
114
-
115
- knife windows listener create --cert-passphrase "strong_passphrase" --hostname "myserver.mydomain.net" --cert-install "~/server_cert.pfx"
116
-
117
- The command also allows you to use existing certificates from local store to create winrm listener. Use --cert-thumbprint option to specify the certificate thumbprint.
118
-
119
- knife windows listener create --cert-passphrase "strong_passphrase" --hostname "myserver.mydomain.net" --cert-thumbprint "bf0fef0bb41be40ceb66a3b38813ca489fe99746"
120
-
121
- You can get the thumbprint for existing certificates in the local store using the following PowerShell command:
122
-
123
- ls cert:\LocalMachine\My
124
-
125
- ## Bootstrap template
126
-
127
- This gem provides the bootstrap template `windows-chef-client-msi`,
128
- which does the following:
129
-
130
- * Installs the latest version of Chef Client (and all dependencies) using the `chef-client` msi.
131
- * Writes the validation.pem per the local knife configuration.
132
- * Writes a default config file for Chef (`C:\chef\client.rb`) using values from the `knife.rb`.
133
- * Creates a JSON attributes file containing the specified run list and run Chef.
134
-
135
- This template is used by both `knife bootstrap windows winrm` and `knife bootstrap windows ssh` subcommands.
136
-
137
- ## Requirements / setup
138
-
139
- ### Ruby
140
-
141
- Ruby 1.9.3+ is required.
142
-
143
- ### Chef version
144
-
145
- This knife plugins requires >= Chef 11.0.0. More details about Knife plugins can be
146
- [found in the Chef documentation](https://docs.chef.io/plugin_knife.html).
147
-
148
- ## Nodes
149
-
150
- ### WinRM versions
151
-
152
- The node must be running Windows Remote Management (WinRM) 2.0+. WinRM
153
- allows you to call native objects in Windows. This includes, but is not
154
- limited to, running PowerShell scripts, batch scripts, and fetching WMI
155
- data. For more information on WinRM, please visit
156
- [Microsoft's WinRM site](http://msdn.microsoft.com/en-us/library/aa384426\(v=VS.85\).aspx).
157
-
158
- WinRM is built into Windows 7 and Windows Server 2008+. It can also [be installed](https://support.microsoft.com/en-us/kb/968929) on older version of Windows, including:
159
-
160
- * Windows Server 2003
161
- * Windows Vista
162
-
163
- ### WinRM configuration
164
-
165
- **NOTE**: Before any WinRM related knife subcommands will function
166
- a node's WinRM installation must be configured correctly.
167
- The settings below must be added to your base server image or passed
168
- in using some sort of user-data mechanism provided by your cloud
169
- provider. Some cloud providers will set up the required WinRM
170
- configuration through the cloud API for creating instances -- see
171
- the documentation for the provider.
172
-
173
- A server running WinRM must also be configured properly to allow
174
- outside connections for the entire network path from the knife workstation to the server. The easiest way to accomplish this is to use [WinRM's quick configuration option](http://msdn.microsoft.com/en-us/library/aa384372\(v=vs.85\).aspx#quick_default_configuration):
175
-
176
- winrm quickconfig -q
177
-
178
- This will set up an WinRM listener using the HTTP (plaintext)
179
- transport -- WinRM also supports the SSL transport for improved
180
- robustness against information disclosure and other threats.
181
-
182
- The chef-client installation and bootstrap may take more
183
- memory than the default 150MB WinRM allocates per shell on older versions of
184
- Windows (prior to Windows Server 2012) -- this can slow down
185
- bootstrap or cause it to fail. The memory limit was increased to 1GB with Windows Management Framework 3
186
- (and Server 2012). However, there is a bug in Windows Management Framework 3
187
- (and Server 2012) which requires a [hotfix from Microsoft](https://support.microsoft.com/en-us/kb/2842230/en-us).
188
- You can increase the memory limit to 1GB with the following PowerShell
189
- command:
190
-
191
- ```powershell
192
- set-item wsman:\localhost\shell\maxmemorypershellmb 1024
193
- ```
194
-
195
- Bootstrap commands can take longer than the WinRM default 60 seconds to
196
- complete, optionally increase to 30 minutes if bootstrap terminates a command prematurely:
197
-
198
- ```powershell
199
- set-item wsman:\localhost\MaxTimeoutms 300000
200
- ```
201
-
202
- Note that the `winrm` command itself supports the same configuration
203
- capabilities as the PowerShell commands given above -- if you need to
204
- configure WinRM without using PowerShell, use `winrm -?` to get help.
205
-
206
- WinRM supports both the HTTP and HTTPS (SSL) transports and the following
207
- authentication schemes: Kerberos, Digest, Certificate and Basic. The details
208
- of these authentication transports are outside of the scope of this
209
- README but details can be found on the
210
- [WinRM configuration guide](http://msdn.microsoft.com/en-us/library/aa384372\(v=vs.85\).aspx).
211
-
212
- #### Configure SSL on a Windows node
213
-
214
- WinRM supports use of SSL to provide privacy and integrity of
215
- communication using the protocol and to prevent spoofing attacks.
216
-
217
- ##### Configure SSL using `knife`
218
-
219
- `knife-windows` includes three commands to assist with SSL
220
- configuration -- these commands support all versions of Windows and do
221
- not rely on PowerShell:
222
-
223
- * `knife windows cert generate`: creates a certificate that may be used
224
- to configure an SSL WinRM listener
225
-
226
- * `knife windows cert install`: Installs a certificate into the
227
- Windows certificate store so it can be used to configure an SSL
228
- WinRM listener.
229
-
230
- * `knife windows listener create`: Creates a WinRM listener on a
231
- Windows node -- it can use either a certificate already installed in
232
- the Windows certificate store, or one created by other tools
233
- including the `knife windows cert generate` command.
234
-
235
- Here is an example that configures a listener on the node on which the
236
- commands are executed:
237
-
238
- knife windows cert generate --domain myorg.org --output-file $env:userprofile/winrmcerts/winrm-ssl
239
- knife windows listener create --hostname *.myorg.org --cert-install $env:userprofile/winrmcerts/winrm-ssl.pfx
240
-
241
- Note that the first command which generates the certificate for the
242
- listener could be executed from any system that can run `knife` as
243
- long as the certificate it generates is made available at a path at
244
- which the second command can access it.
245
-
246
- See previous sections for additional details of the `windows cert generate`, `windows cert install` and `windows listener create` subcommands.
247
-
248
- ##### Configure SSL using *Windows Server 2012 or later*
249
- The following PowerShell commands may be used to create an SSL WinRM
250
- listener with a self-signed certificate on Windows 2012R2 or later systems:
251
-
252
- ```powershell
253
- $cert = New-SelfSignedCertificate -DnsName 'myserver.mydomain.org' -CertStoreLocation Cert:\LocalMachine\My
254
- new-item -address * -force -path wsman:\localhost\listener -port 5986 -hostname ($cert.subject -split '=')[1] -transport https -certificatethumbprint $cert.Thumbprint
255
- # Open the firewall for 5986, the default WinRM SSL port
256
- netsh advfirewall firewall set rule name="Windows Remote Management (HTTPS-In)" profile=public protocol=tcp localport=5986 remoteip=localsubnet new remoteip=any
257
-
258
- ```
259
-
260
- Note that the first command which uses the `New-SelfSignedCertificate`
261
- cmdlet is available only in PowerShell version 4.0 and later.
262
-
263
- ##### Configure SSL using `winrm quickconfig`
264
-
265
- The following command can configure an SSL WinRM listener if the
266
- Windows certificate store's Local Machine store contains a certificate
267
- that meets certain criteria that are most likely to be met if the
268
- system is joined to a Windows Active Directory domain:
269
-
270
- winrm quickconfig -transport:https -q
271
-
272
- If the criteria are not met, an error message will follow with
273
- guidance on the certificate requirements; you may need to obtain a
274
- certificate from the appropriate source or use the PowerShell or
275
- `knife` techniques given above to create the listener instead.
276
-
277
- ##### Disabling peer verification
278
- In the SSL examples above, the `-f` parameter was used to supply a
279
- certificate that could validate the identity of the remote server.
280
- For debugging purposes, this validation may be skipped if you have not
281
- obtained a public certificate that can validate the server. Here is an
282
- example:
283
-
284
- knife winrm -m 192.168.0.6 -x "mydomain\myuser" -P $PASSWD -t ssl --winrm-ssl-verify-mode verify_none ipconfig
285
-
286
- This option should be used carefully since disabling the verification of the
287
- remote system's certificate can subject knife commands to spoofing attacks.
288
-
289
- ##### Connecting securely to self-signed certs
290
- If you generate a self-signed cert, the fqdn and ip may not match which will result in a certificate validation failure. In order to securely connect and reduce the risk of a "Man In The Middle" attack, you may use the certificate's fingerprint to precisely identify the known certificate on the WinRM endpoint.
291
-
292
- The fingerprint can be supplied to ```--ssl-peer-fingerprint``` and instead of using a certificate chain and comparing the CommonName, it will only verify that the fingerprint matches:
293
-
294
- knife winrm --ssl-peer-fingerprint 89255929FB4B5E1BFABF7E7F01AFAFC5E7003C3F \
295
- -m $IP -x Administrator -P $PASSWD-t ssl --winrm-port 5986 hostname
296
- 10.113.4.54 ip-0A710436
297
-
298
- ## WinRM authentication
299
-
300
- The default authentication protocol for `knife-windows` subcommands that use
301
- WinRM is the Negotiate protocol. The following commands show authentication for domain and local accounts respectively:
302
-
303
- knife bootstrap windows winrm web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password"
304
- knife bootstrap windows winrm db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password"
305
-
306
- The remote system may also be configured with an SSL WinRM listener instead of a
307
- plaintext listener. Then the above commands should be modified to use the SSL
308
- transport as follows using the `-t` (or `--winrm-transport`) option with the
309
- `ssl` argument:
310
-
311
- knife bootstrap windows winrm -t ssl web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password" -f ~/mycert.crt
312
- knife bootstrap windows winrm -t ssl db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password" ~/mycert.crt
313
-
314
- ### Troubleshooting authentication
315
-
316
- Unencrypted traffic with Basic authentication should only be used for low level wire protocol debugging. The configuration for plain text connectivity to
317
- the remote system may be accomplished with the following PowerShell commands:
318
-
319
- ```powershell
320
- set-item wsman:\localhost\service\allowunencrypted $true
321
- set-item wsman:\localhost\service\auth\basic $true
322
- ```
323
- To use basic authentication connectivity via `knife-windows`, the default
324
- authentication protocol of Negotiate must be overridden using the
325
- `--winrm-authentication-protocol` option with the desired protocol, in this
326
- case Basic:
327
-
328
- knife winrm -m web1.cloudapp.net --winrm-authentication-protocol basic ipconfig -x localadmin -P "super_secret_password"
329
-
330
- Note that when using Basic authentication, domain accounts may not be used for
331
- authentication; an account local to the remote system must be used.
332
-
333
- ### Platform WinRM authentication support
334
-
335
- `knife-windows` supports `Kerberos`, `Negotiate`, and `Basic` authentication
336
- for WinRM communication.
337
-
338
- The following table shows the authentication protocols that can be used with
339
- `knife-windows` depending on whether the knife workstation is a Windows
340
- system, the transport, and whether or not the target user is a domain user or
341
- local to the target Windows system.
342
-
343
- > \* There is a known defect in the `knife winrm` and `knife bootstrap windows
344
- > winrm` subcommands invoked on any OS platform when authenticating with the Negotiate protocol over
345
- > the SSL transport. The defect is tracked by
346
- > [knife-windows issue #176](https://github.com/chef/knife-windows/issues/176): If the remote system is
347
- > domain-joined, local accounts may not be used to authenticate via Negotiate
348
- > over SSL -- only domain accounts will work. Local accounts will only
349
- > successfully authenticate if the system is not joined to a domain.
350
- >
351
- > This is generally not an issue for bootstrap scenarios, where the
352
- > system has yet to be joined to any domain, but can be a problem for remote
353
- > management cases after the system is domain joined. Workarounds include using
354
- > a domain account instead or bypassing SSL and using Negotiate authentication.
355
-
356
- ## General troubleshooting
357
-
358
- * Windows 2008R2 and earlier versions require an extra configuration
359
- for MaxTimeoutms to avoid WinRM::WinRMHTTPTransportError: Bad HTTP
360
- response error while bootstrapping. It should be at least 300000.
361
-
362
- `set-item wsman:\\localhost\\MaxTimeoutms 300000`
363
-
364
- * When I run the winrm command I get: "Error: Invalid use of command line. Type "winrm -?" for help."
365
- You're running the winrm command from PowerShell and you need to put the key/value pair in single quotes. For example:
366
-
367
- `winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'`
368
-
369
-
370
- ## CONTRIBUTING:
371
-
372
- Please file bugs against the KNIFE_WINDOWS project at https://github.com/chef/knife-windows/issues.
373
-
374
- More information on the contribution process for Chef projects can be found in the [Chef Contributions document](http://docs.chef.io/community_contributions.html).
375
-
376
- # LICENSE:
377
-
378
- Author:: Seth Chisamore (<schisamo@chef.io>)
379
- Copyright:: Copyright (c) 2015-2016 Chef Software, Inc.
380
- License:: Apache License, Version 2.0
381
-
382
- Licensed under the Apache License, Version 2.0 (the "License");
383
- you may not use this file except in compliance with the License.
384
- You may obtain a copy of the License at
385
-
386
- http://www.apache.org/licenses/LICENSE-2.0
387
-
388
- Unless required by applicable law or agreed to in writing, software
389
- distributed under the License is distributed on an "AS IS" BASIS,
390
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
391
- See the License for the specific language governing permissions and
392
- limitations under the License.
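Review bot: the removed copy of the "WinRM authentication" section has a defective example that a wholesale rewrite of this file should not carry forward: `knife bootstrap windows winrm -t ssl db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password" ~/mycert.crt` passes the certificate path as a bare argument with no `-f`, so the SSL transport would be used without the peer certificate the first example supplies. The same goes for the self-signed-cert example, where `-P $PASSWD-t ssl` is missing the space before `-t` and would not parse as intended, and for the "General troubleshooting" line `set-item wsman:\\localhost\\MaxTimeoutms 300000`, which doubles the backslashes that every other PowerShell snippet in the file writes singly. Please confirm the new README corrects these (the visible part of the added text stops before these sections).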
1
+ Knife Windows Plugin
2
+ ====================
3
+ [![Build Status Master](https://travis-ci.org/chef/knife-windows.svg?branch=master)](https://travis-ci.org/chef/knife-windows)
4
+ [![Build Status Master](https://ci.appveyor.com/api/projects/status/github/chef/knife-windows?branch=master&svg=true&passingText=master%20-%20Ok&pendingText=master%20-%20Pending&failingText=master%20-%20Failing)](https://ci.appveyor.com/project/Chef/knife-windows/branch/master)
5
+ [![Gem Version](https://badge.fury.io/rb/knife-windows.svg)](https://badge.fury.io/rb/knife-windows)
6
+
7
+ This plugin adds additional functionality to the Chef Knife CLI tool for
8
+ configuring / interacting with nodes running Microsoft Windows:
9
+
10
+ * Bootstrap of nodes via the [Windows Remote Management (WinRM)](http://msdn.microsoft.com/en-us/library/aa384426\(v=VS.85\).aspx) or SSH protocols
11
+ * Remote command execution using the WinRM protocol
12
+ * Utilities to configure WinRM SSL endpoints on managed nodes
13
+
14
+ ## Subcommands
15
+
16
+ This plugin provides the following Knife subcommands. Specific command options can be found by invoking the subcommand with a `--help` flag
17
+
18
+ ### knife winrm
19
+
20
+ The `winrm` subcommand allows you to invoke commands in parallel on a subset of the nodes in your infrastructure. The `winrm` subcommand uses the same syntax as the [search subcommand](https://docs.chef.io/knife_search.html); you could could find the uptime of all your web servers using the command:
21
+
22
+ knife winrm "role:web" "net stats srv" -x Administrator -P 'super_secret_password'
23
+
24
+ Or force a chef run:
25
+
26
+ knife winrm "myserver.myorganization.net" "chef-client -c c:/chef/client.rb" -m -x Administrator -P "super_secret_password"
27
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:49 +0000] INFO: Starting Chef Run (Version 0.9.12)
28
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:50 +0000] WARN: Node ip-0A502FFB has an empty run list.
29
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Chef Run complete in 4.383966 seconds
30
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: cleaning the checksum cache
31
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Running report handlers
32
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Report handlers complete
33
+
34
+ This subcommand operates in a manner similar to [knife ssh](https://docs.chef.io/knife_ssh.html)...just leveraging the WinRM protocol for communication. It also includes `knife ssh`'s "[interactive session mode](https://docs.chef.io/knife_ssh.html#options)"
35
+
36
+ #### winrm-shell
37
+
38
+ By default, `knife winrm` runs in a `cmd.exe` shell. You can use the `--winrm-shell` argument to change the shell to `powershell` or `elevated`. An elevated shell is similar to the `powershell` shell but the powershell command is executed from a scheduled task using a local identity. This may be desirable for some operations such as running `chef-client` to converge recipes that work with windows updates, install sql server, etc.
39
+
40
+ ### knife bootstrap windows winrm
41
+
42
+ Performs a Chef Bootstrap (via the WinRM protocol) on the target node. The goal of the bootstrap is to get Chef installed on the target system so it can run Chef Client with a Chef Server. The main assumption is a baseline OS installation exists. It is primarily intended for Chef Client systems that talk to a Chef server.
43
+
44
+ This subcommand operates in a manner similar to [knife bootstrap](https://docs.chef.io/knife_bootstrap.html)...just leveraging the WinRM protocol for communication. An initial run_list for the node can also be passed to the subcommand. Example usage:
45
+
46
+ knife bootstrap windows winrm myserver.myorganization.net -r 'role[webserver],role[production]' -x Administrator -P 'super_secret_password'
47
+
48
+ #### Tip: Use SSL for WinRM communication
49
+
50
+ By default, the `knife winrm` and `knife bootstrap windows winrm` subcommands use a plaintext transport,
51
+ but they support an option `--winrm-transport` (or `-t`) with the argument
52
+ `ssl` that allows the SSL to secure the WinRM payload. Here's an example:
53
+
54
+ knife winrm -t ssl "role:web" "net stats srv" -x Administrator -P "super_secret_password" -f ~/server_public_cert.crt
55
+
56
+ Use of SSL is strongly recommended, particularly when invoking `knife-windows` on non-Windows platforms, since
57
+ without SSL there are limited options for ensuring the privacy of the
58
+ plaintext transport. See the section on [Platform authentication
59
+ support](#platform-winrm-authentication-support).
60
+
61
+ SSL will become the default transport in future revisions of
62
+ `knife-windows`.
63
+
64
+ #### Specifying the package architecture
65
+
66
+ You can configure which package architecture (32 bit or 64 bit) to install on the bootstrapped system. In your knife config specify `knife[:bootstrap_architecture]`. Valid values are `:i386` for 32 bit or `:x86_64` for 64 bit. By default the architecture will be whatever the target system is. If you try to install a 64 bit package on a 32 bit system you will receive an error, but installing a 32 bit package on a 64 bit system is supported.
67
+
68
+ Currently (March 2016) the `stable` channel of omnibus (where downloads using the install script fetch) only has 32 bit packages but this will be updated soon to include both 32 and 64 bit packages. Until then you will need to access the `current` channel by specifying `--prerelease` in your `knife bootstrap windows` if you want 64 bit packages.
69
+
70
+ #### Using a custom install URL
71
+
72
+ By default, the bootstrap command tries to download the latest `chef-client` installer from the Internet. This may be a problem in the enterprise, for example if your node is behind a proxy or firewall. In that case, you can specify a custom install URL with the `--msi-url` option.
73
+
74
+ ### knife wsman test
75
+
76
+ Connects to the remote WSMan/WinRM endpoint and verifies the remote node is listening. This is the equivalent of running Test-Wsman from PowerShell. Endpoints to test can be specified manually, or be driven by search and use many of the same connection options as knife winrm.
77
+ To test a single node using the default WinRM port (5985)
78
+
79
+ knife wsman test 192.168.1.10 -m
80
+
81
+ or to test a single node with SSL enabled on the default port (5986)
82
+
83
+ knife wsman test 192.168.1.10 -m --winrm-transport ssl
84
+
85
+ or to test all windows nodes registered with your Chef Server organization
86
+
87
+ knife wsman test platform:windows
88
+
89
+ ### knife bootstrap windows ssh
90
+
91
+ Performs a Chef Bootstrap (via the SSH protocol) on the target node. The goal of the bootstrap is to get Chef installed on the target system so it can run Chef Client with a Chef Server. The main assumption is a baseline OS installation exists. It is primarily intended for Chef Client systems that talk to a Chef server.
92
+
93
+ This subcommand assumes the SSH session will use the Windows native cmd.exe command shell vs a bash shell through an emulated cygwin layer. Most popular Windows based SSHd daemons like [freeSSHd](http://www.freesshd.com/) and [WinSSHD](http://www.bitvise.com/winsshd) behave this way.
94
+
95
+ An initial run_list for the node can also be passed to the subcommand. Example usage:
96
+
97
+ knife bootstrap windows ssh myserver.myorganization.net -r "role[webserver],role[production]" -x Administrator -i ~/.ssh/id_rsa
98
+
99
+ ### knife windows cert generate
100
+
101
+ Generates a certificate(x509) containing a public / private key pair for WinRM 'SSL' communication.
102
+ The certificate will be generated in three different formats:
103
+ * **.pem** - The *.pem is Base64 encoded public certificate only. One can use this file with the `-f` argument on `knife bootstrap windows winrm` and `knife winrm` commands.
104
+ * **.pfx** - The PKCS12(i.e .pfx) contains both the public and private keys, usually used on the server. This can be added to a WinRM Server's Certificate Store using `knife windows cert install` (see command description below). **Note:** Do not use the *.pfx file with the `-f` argument on the `knife bootstrap windows winrm` and `knife winrm` commands. Use the *.pem file instead.
105
+ * **.b64** - The *.b64 is Base64 PKCS12 key pair. Contains both the public and private keys, for upload to the Cloud REST API. e.g. Azure.
106
+
107
+ This command also displays the thumbprint of the generated certificate.
108
+
109
+ knife windows cert generate --cert-passphrase "strong_passphrase" --hostname "myserver.myorganization.net" --output-file "~/server_cert.pfx"
110
+ # This command will generate certificates in the user's home directory with names server_cert.b64, server_cert.pfx and server_cert.pem.
111
+
112
+ ### knife windows cert install
113
+
114
+ This command only functions on Windows and is intended to be run on a chef node. It adds the specified certificate to its certificate store. This command must include a valid PKCS12(i.e *.pfx) certificate file path such as the *.pfx file generated by `knife windows cert generate` described above.
115
+
116
+ knife windows cert install "~/server_cert.pfx" --cert-passphrase "strong_passphrase"
117
+
118
+ ### knife windows listener create
119
+ This command only functions on Windows and is intended to be run on a chef node. It creates the winrm listener for SSL communication(i.e HTTPS).
120
+ This command can also install certificate which is specified using --cert-install option and use the installed certificate thumbprint to create winrm listener.
121
+ --hostname option is optional. Default value for hostname is *.
122
+
123
+ knife windows listener create --cert-passphrase "strong_passphrase" --hostname "myserver.mydomain.net" --cert-install "~/server_cert.pfx"
124
+
125
+ The command also allows you to use existing certificates from local store to create winrm listener. Use --cert-thumbprint option to specify the certificate thumbprint.
126
+
127
+ knife windows listener create --cert-passphrase "strong_passphrase" --hostname "myserver.mydomain.net" --cert-thumbprint "bf0fef0bb41be40ceb66a3b38813ca489fe99746"
128
+
129
+ You can get the thumbprint for existing certificates in the local store using the following PowerShell command:
130
+
131
+ ls cert:\LocalMachine\My
132
+
133
+ ## Bootstrap template
134
+
135
+ This gem provides the bootstrap template `windows-chef-client-msi`,
136
+ which does the following:
137
+
138
+ * Installs the latest version of Chef Client (and all dependencies) using the `chef-client` msi.
139
+ * Writes the validation.pem per the local knife configuration.
140
+ * Writes a default config file for Chef (`C:\chef\client.rb`) using values from the `knife.rb`.
141
+ * Creates a JSON attributes file containing the specified run list and run Chef.
142
+
143
+ This template is used by both `knife bootstrap windows winrm` and `knife bootstrap windows ssh` subcommands.
144
+
145
+ ## Requirements / setup
146
+
147
+ ### Ruby
148
+
149
+ Ruby 1.9.3+ is required.
150
+
151
+ ### Chef version
152
+
153
+ This knife plugins requires >= Chef 11.0.0. More details about Knife plugins can be
154
+ [found in the Chef documentation](https://docs.chef.io/plugin_knife.html).
155
+
156
+ ## Nodes
157
+
158
+ ### WinRM versions
159
+
160
+ The node must be running Windows Remote Management (WinRM) 2.0+. WinRM
161
+ allows you to call native objects in Windows. This includes, but is not
162
+ limited to, running PowerShell scripts, batch scripts, and fetching WMI
163
+ data. For more information on WinRM, please visit
164
+ [Microsoft's WinRM site](http://msdn.microsoft.com/en-us/library/aa384426\(v=VS.85\).aspx).
165
+
166
+ WinRM is built into Windows 7 and Windows Server 2008+. It can also [be installed](https://support.microsoft.com/en-us/kb/968929) on older version of Windows, including:
167
+
168
+ * Windows Server 2003
169
+ * Windows Vista
170
+
171
+ ### WinRM configuration
172
+
173
+ **NOTE**: Before any WinRM related knife subcommands will function
174
+ a node's WinRM installation must be configured correctly.
175
+ The settings below must be added to your base server image or passed
176
+ in using some sort of user-data mechanism provided by your cloud
177
+ provider. Some cloud providers will set up the required WinRM
178
+ configuration through the cloud API for creating instances -- see
179
+ the documentation for the provider.
180
+
181
+ A server running WinRM must also be configured properly to allow
182
+ outside connections for the entire network path from the knife workstation to the server. The easiest way to accomplish this is to use [WinRM's quick configuration option](http://msdn.microsoft.com/en-us/library/aa384372\(v=vs.85\).aspx#quick_default_configuration):
183
+
184
+ winrm quickconfig -q
185
+
186
+ This will set up an WinRM listener using the HTTP (plaintext)
187
+ transport -- WinRM also supports the SSL transport for improved
188
+ robustness against information disclosure and other threats.
189
+
190
+ The chef-client installation and bootstrap may take more
191
+ memory than the default 150MB WinRM allocates per shell on older versions of
192
+ Windows (prior to Windows Server 2012) -- this can slow down
193
+ bootstrap or cause it to fail. The memory limit was increased to 1GB with Windows Management Framework 3
194
+ (and Server 2012). However, there is a bug in Windows Management Framework 3
195
+ (and Server 2012) which requires a [hotfix from Microsoft](https://support.microsoft.com/en-us/kb/2842230/en-us).
196
+ You can increase the memory limit to 1GB with the following PowerShell
197
+ command:
198
+
199
+ ```powershell
200
+ set-item wsman:\localhost\shell\maxmemorypershellmb 1024
201
+ ```
202
+
203
+ Bootstrap commands can take longer than the WinRM default 60 seconds to
204
+ complete, optionally increase to 30 minutes if bootstrap terminates a command prematurely:
205
+
206
+ ```powershell
207
+ set-item wsman:\localhost\MaxTimeoutms 300000
208
+ ```
209
+
210
+ Note that the `winrm` command itself supports the same configuration
211
+ capabilities as the PowerShell commands given above -- if you need to
212
+ configure WinRM without using PowerShell, use `winrm -?` to get help.
213
+
214
+ WinRM supports both the HTTP and HTTPS (SSL) transports and the following
215
+ authentication schemes: Kerberos, Digest, Certificate and Basic. The details
216
+ of these authentication transports are outside of the scope of this
217
+ README but details can be found on the
218
+ [WinRM configuration guide](http://msdn.microsoft.com/en-us/library/aa384372\(v=vs.85\).aspx).
219
+
220
+ #### Configure SSL on a Windows node
221
+
222
+ WinRM supports use of SSL to provide privacy and integrity of
223
+ communication using the protocol and to prevent spoofing attacks.
224
+
225
+ ##### Configure SSL using `knife`
226
+
227
+ `knife-windows` includes three commands to assist with SSL
228
+ configuration -- these commands support all versions of Windows and do
229
+ not rely on PowerShell:
230
+
231
+ * `knife windows cert generate`: creates a certificate that may be used
232
+ to configure an SSL WinRM listener
233
+
234
+ * `knife windows cert install`: Installs a certificate into the
235
+ Windows certificate store so it can be used to configure an SSL
236
+ WinRM listener.
237
+
238
+ * `knife windows listener create`: Creates a WinRM listener on a
239
+ Windows node -- it can use either a certificate already installed in
240
+ the Windows certificate store, or one created by other tools
241
+ including the `knife windows cert generate` command.
242
+
243
+ Here is an example that configures a listener on the node on which the
244
+ commands are executed:
245
+
246
+ knife windows cert generate --domain myorg.org --output-file $env:userprofile/winrmcerts/winrm-ssl
247
+ knife windows listener create --hostname *.myorg.org --cert-install $env:userprofile/winrmcerts/winrm-ssl.pfx
248
+
249
+ Note that the first command which generates the certificate for the
250
+ listener could be executed from any system that can run `knife` as
251
+ long as the certificate it generates is made available at a path at
252
+ which the second command can access it.
253
+
254
+ See previous sections for additional details of the `windows cert generate`, `windows cert install` and `windows listener create` subcommands.
255
+
256
+ ##### Configure SSL using *Windows Server 2012 or later*
257
+ The following PowerShell commands may be used to create an SSL WinRM
258
+ listener with a self-signed certificate on Windows 2012R2 or later systems:
259
+
260
+ ```powershell
261
+ $cert = New-SelfSignedCertificate -DnsName 'myserver.mydomain.org' -CertStoreLocation Cert:\LocalMachine\My
262
+ new-item -address * -force -path wsman:\localhost\listener -port 5986 -hostname ($cert.subject -split '=')[1] -transport https -certificatethumbprint $cert.Thumbprint
263
+ # Open the firewall for 5986, the default WinRM SSL port
264
+ netsh advfirewall firewall set rule name="Windows Remote Management (HTTPS-In)" profile=public protocol=tcp localport=5986 remoteip=localsubnet new remoteip=any
265
+
266
+ ```
267
+
268
+ Note that the first command which uses the `New-SelfSignedCertificate`
269
+ cmdlet is available only in PowerShell version 4.0 and later.
270
+
271
+ ##### Configure SSL using `winrm quickconfig`
272
+
273
+ The following command can configure an SSL WinRM listener if the
274
+ Windows certificate store's Local Machine store contains a certificate
275
+ that meets certain criteria that are most likely to be met if the
276
+ system is joined to a Windows Active Directory domain:
277
+
278
+ winrm quickconfig -transport:https -q
279
+
280
+ If the criteria are not met, an error message will follow with
281
+ guidance on the certificate requirements; you may need to obtain a
282
+ certificate from the appropriate source or use the PowerShell or
283
+ `knife` techniques given above to create the listener instead.
284
+
285
+ ##### Disabling peer verification
286
+ In the SSL examples above, the `-f` parameter was used to supply a
287
+ certificate that could validate the identity of the remote server.
288
+ For debugging purposes, this validation may be skipped if you have not
289
+ obtained a public certificate that can validate the server. Here is an
290
+ example:
291
+
292
+ knife winrm -m 192.168.0.6 -x "mydomain\myuser" -P $PASSWD -t ssl --winrm-ssl-verify-mode verify_none ipconfig
293
+
294
+ This option should be used carefully since disabling the verification of the
295
+ remote system's certificate can subject knife commands to spoofing attacks.
296
+
297
+ ##### Connecting securely to self-signed certs
298
+ If you generate a self-signed cert, the fqdn and ip may not match which will result in a certificate validation failure. In order to securely connect and reduce the risk of a "Man In The Middle" attack, you may use the certificate's fingerprint to precisely identify the known certificate on the WinRM endpoint.
299
+
300
+ The fingerprint can be supplied to ```--ssl-peer-fingerprint``` and instead of using a certificate chain and comparing the CommonName, it will only verify that the fingerprint matches:
301
+
302
+ knife winrm --ssl-peer-fingerprint 89255929FB4B5E1BFABF7E7F01AFAFC5E7003C3F \
303
+ -m $IP -x Administrator -P $PASSWD-t ssl --winrm-port 5986 hostname
304
+ 10.113.4.54 ip-0A710436
305
+
306
+ ## WinRM authentication
307
+
308
+ The default authentication protocol for `knife-windows` subcommands that use
309
+ WinRM is the Negotiate protocol. The following commands show authentication for domain and local accounts respectively:
310
+
311
+ knife bootstrap windows winrm web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password"
312
+ knife bootstrap windows winrm db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password"
313
+
314
+ The remote system may also be configured with an SSL WinRM listener instead of a
315
+ plaintext listener. Then the above commands should be modified to use the SSL
316
+ transport as follows using the `-t` (or `--winrm-transport`) option with the
317
+ `ssl` argument:
318
+
319
+ knife bootstrap windows winrm -t ssl web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password" -f ~/mycert.crt
320
+ knife bootstrap windows winrm -t ssl db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password" ~/mycert.crt
321
+
322
+ ### Troubleshooting authentication
323
+
324
+ Unencrypted traffic with Basic authentication should only be used for low level wire protocol debugging. The configuration for plain text connectivity to
325
+ the remote system may be accomplished with the following PowerShell commands:
326
+
327
+ ```powershell
328
+ set-item wsman:\localhost\service\allowunencrypted $true
329
+ set-item wsman:\localhost\service\auth\basic $true
330
+ ```
331
+ To use basic authentication connectivity via `knife-windows`, the default
332
+ authentication protocol of Negotiate must be overridden using the
333
+ `--winrm-authentication-protocol` option with the desired protocol, in this
334
+ case Basic:
335
+
336
+ knife winrm -m web1.cloudapp.net --winrm-authentication-protocol basic ipconfig -x localadmin -P "super_secret_password"
337
+
338
+ Note that when using Basic authentication, domain accounts may not be used for
339
+ authentication; an account local to the remote system must be used.
340
+
341
+ ### Platform WinRM authentication support
342
+
343
+ `knife-windows` supports `Kerberos`, `Negotiate`, and `Basic` authentication
344
+ for WinRM communication.
345
+
346
+ The following table shows the authentication protocols that can be used with
347
+ `knife-windows` depending on whether the knife workstation is a Windows
348
+ system, the transport, and whether or not the target user is a domain user or
349
+ local to the target Windows system.
350
+
351
+ > \* There is a known defect in the `knife winrm` and `knife bootstrap windows
352
+ > winrm` subcommands invoked on any OS platform when authenticating with the Negotiate protocol over
353
+ > the SSL transport. The defect is tracked by
354
+ > [knife-windows issue #176](https://github.com/chef/knife-windows/issues/176): If the remote system is
355
+ > domain-joined, local accounts may not be used to authenticate via Negotiate
356
+ > over SSL -- only domain accounts will work. Local accounts will only
357
+ > successfully authenticate if the system is not joined to a domain.
358
+ >
359
+ > This is generally not an issue for bootstrap scenarios, where the
360
+ > system has yet to be joined to any domain, but can be a problem for remote
361
+ > management cases after the system is domain joined. Workarounds include using
362
+ > a domain account instead or bypassing SSL and using Negotiate authentication.
363
+
364
+ ## General troubleshooting
365
+
366
+ * Windows 2008R2 and earlier versions require an extra configuration
367
+ for MaxTimeoutms to avoid WinRM::WinRMHTTPTransportError: Bad HTTP
368
+ response error while bootstrapping. It should be at least 300000.
369
+
370
+ `set-item wsman:\\localhost\\MaxTimeoutms 300000`
371
+
372
+ * When I run the winrm command I get: "Error: Invalid use of command line. Type "winrm -?" for help."
373
+ You're running the winrm command from PowerShell and you need to put the key/value pair in single quotes. For example:
374
+
375
+ `winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'`
376
+
377
+
378
+ ## CONTRIBUTING:
379
+
380
+ Please file bugs against the KNIFE_WINDOWS project at https://github.com/chef/knife-windows/issues.
381
+
382
+ More information on the contribution process for Chef projects can be found in the [Chef Contributions document](http://docs.chef.io/community_contributions.html).
383
+
384
+ # LICENSE:
385
+
386
+ Author:: Seth Chisamore (<schisamo@chef.io>)
387
+ Copyright:: Copyright (c) 2015-2016 Chef Software, Inc.
388
+ License:: Apache License, Version 2.0
389
+
390
+ Licensed under the Apache License, Version 2.0 (the "License");
391
+ you may not use this file except in compliance with the License.
392
+ You may obtain a copy of the License at
393
+
394
+ http://www.apache.org/licenses/LICENSE-2.0
395
+
396
+ Unless required by applicable law or agreed to in writing, software
397
+ distributed under the License is distributed on an "AS IS" BASIS,
398
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
399
+ See the License for the specific language governing permissions and
400
+ limitations under the License.
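Review bot: the MaxTimeoutms paragraph says "optionally increase to 30 minutes" but the command it introduces, `set-item wsman:\localhost\MaxTimeoutms 300000`, sets 300000 ms, which is 5 minutes; either change the sentence to "5 minutes" or change the value to 1800000 so the text and the command agree (the General troubleshooting entry later in the same region also says "at least 300000", so the sentence is the likely error). Two smaller defects in the command examples: the second SSL bootstrap line, `knife bootstrap windows winrm -t ssl db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password" ~/mycert.crt`, is missing the `-f` before `~/mycert.crt` that the first line uses, so the path would be parsed as a positional argument; and `-P $PASSWD-t ssl` in the `--ssl-peer-fingerprint` example needs a space before `-t`. The "Disabling peer verification" section refers to "the SSL examples above" where `-f` was used, but the only `-f` usage is in the "WinRM authentication" section below it, so the cross-reference should say "below" or the sections should be reordered. Finally, "Platform WinRM authentication support" says "The following table shows the authentication protocols ..." but no table appears before the `*` footnote; either restore the table or drop the sentence.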