knife-windows 1.9.6 → 3.0.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/chef/knife/bootstrap_windows_base.rb +1 -259
- data/lib/chef/knife/bootstrap_windows_ssh.rb +10 -29
- data/lib/chef/knife/bootstrap_windows_winrm.rb +10 -56
- data/lib/chef/knife/windows_helper.rb +0 -1
- data/lib/knife-windows/version.rb +1 -1
- data/spec/assets/{win_template_rendered_with_bootstrap_install_command_on_12_5_client.txt → win_template_rendered_with_bootstrap_install_command_on_13_client.txt} +0 -0
- data/spec/spec_helper.rb +1 -27
- metadata +20 -26
- data/CHANGELOG.md +0 -176
- data/Gemfile +0 -13
- data/README.md +0 -431
- data/Rakefile +0 -21
- data/ci.gemfile +0 -16
- data/knife-windows.gemspec +0 -26
- data/lib/chef/knife/bootstrap/windows-chef-client-msi.erb +0 -259
- data/lib/chef/knife/core/windows_bootstrap_context.rb +0 -417
- data/lib/knife-windows/path_helper.rb +0 -242
- data/spec/functional/bootstrap_download_spec.rb +0 -239
- data/spec/unit/knife/bootstrap_options_spec.rb +0 -172
- data/spec/unit/knife/bootstrap_template_spec.rb +0 -139
- data/spec/unit/knife/bootstrap_windows_winrm_spec.rb +0 -410
- data/spec/unit/knife/core/windows_bootstrap_context_spec.rb +0 -292
File without changes
|
data/spec/spec_helper.rb
CHANGED
@@ -21,9 +21,7 @@ def windows?
|
|
21
21
|
!!(RUBY_PLATFORM =~ /mswin|mingw|windows/)
|
22
22
|
end
|
23
23
|
|
24
|
-
require_relative '../lib/chef/knife/
|
25
|
-
require_relative '../lib/chef/knife/bootstrap_windows_winrm'
|
26
|
-
require_relative '../lib/chef/knife/bootstrap_windows_ssh'
|
24
|
+
require_relative '../lib/chef/knife/winrm'
|
27
25
|
require_relative '../lib/chef/knife/wsman_test'
|
28
26
|
|
29
27
|
if windows?
|
@@ -80,30 +78,10 @@ def windows2016?
|
|
80
78
|
is_win2k16
|
81
79
|
end
|
82
80
|
|
83
|
-
def chef_lt_12_5?
|
84
|
-
Gem::Version.new(Chef::VERSION) < Gem::Version.new('12.5')
|
85
|
-
end
|
86
|
-
|
87
|
-
def chef_gte_12?
|
88
|
-
Chef::VERSION.split('.').first.to_i >= 12
|
89
|
-
end
|
90
|
-
|
91
|
-
def chef_gte_12_5?
|
92
|
-
Gem::Version.new(Chef::VERSION) >= Gem::Version.new('12.5')
|
93
|
-
end
|
94
|
-
|
95
|
-
def chef_gte_12_7?
|
96
|
-
Gem::Version.new(Chef::VERSION) >= Gem::Version.new('12.7')
|
97
|
-
end
|
98
|
-
|
99
81
|
def chef_gte_13?
|
100
82
|
Gem::Version.new(Chef::VERSION) >= Gem::Version.new('13')
|
101
83
|
end
|
102
84
|
|
103
|
-
def chef_lt_13?
|
104
|
-
Gem::Version.new(Chef::VERSION) < Gem::Version.new('13')
|
105
|
-
end
|
106
|
-
|
107
85
|
def chef_lt_14?
|
108
86
|
Gem::Version.new(Chef::VERSION) < Gem::Version.new('14')
|
109
87
|
end
|
@@ -122,11 +100,7 @@ RSpec.configure do |config|
|
|
122
100
|
config.filter_run :focus => true
|
123
101
|
config.filter_run_excluding :windows_only => true unless windows?
|
124
102
|
config.filter_run_excluding :windows_2012_only => true unless windows2012?
|
125
|
-
config.filter_run_excluding :chef_gte_12_5_only => true unless chef_gte_12_5?
|
126
|
-
config.filter_run_excluding :chef_gte_12_7_only => true unless chef_gte_12_7?
|
127
103
|
config.filter_run_excluding :chef_gte_13_only => true unless chef_gte_13?
|
128
|
-
config.filter_run_excluding :chef_lt_12_5_only => true unless chef_lt_12_5?
|
129
|
-
config.filter_run_excluding :chef_lt_13_only => true unless chef_lt_13?
|
130
104
|
config.filter_run_excluding :chef_lt_14_only => true unless chef_lt_14?
|
131
105
|
config.filter_run_excluding :chef_gte_14_only => true unless chef_gte_14?
|
132
106
|
end
|
metadata
CHANGED
@@ -1,15 +1,29 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: knife-windows
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 3.0.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Seth Chisamore
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2019-05-17 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
|
+
- !ruby/object:Gem::Dependency
|
14
|
+
name: chef
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
16
|
+
requirements:
|
17
|
+
- - ">="
|
18
|
+
- !ruby/object:Gem::Version
|
19
|
+
version: '15.0'
|
20
|
+
type: :runtime
|
21
|
+
prerelease: false
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
23
|
+
requirements:
|
24
|
+
- - ">="
|
25
|
+
- !ruby/object:Gem::Version
|
26
|
+
version: '15.0'
|
13
27
|
- !ruby/object:Gem::Dependency
|
14
28
|
name: winrm
|
15
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -60,18 +74,10 @@ executables: []
|
|
60
74
|
extensions: []
|
61
75
|
extra_rdoc_files: []
|
62
76
|
files:
|
63
|
-
- CHANGELOG.md
|
64
|
-
- Gemfile
|
65
77
|
- LICENSE
|
66
|
-
- README.md
|
67
|
-
- Rakefile
|
68
|
-
- ci.gemfile
|
69
|
-
- knife-windows.gemspec
|
70
|
-
- lib/chef/knife/bootstrap/windows-chef-client-msi.erb
|
71
78
|
- lib/chef/knife/bootstrap_windows_base.rb
|
72
79
|
- lib/chef/knife/bootstrap_windows_ssh.rb
|
73
80
|
- lib/chef/knife/bootstrap_windows_winrm.rb
|
74
|
-
- lib/chef/knife/core/windows_bootstrap_context.rb
|
75
81
|
- lib/chef/knife/knife_windows_base.rb
|
76
82
|
- lib/chef/knife/windows_cert_generate.rb
|
77
83
|
- lib/chef/knife/windows_cert_install.rb
|
@@ -84,14 +90,13 @@ files:
|
|
84
90
|
- lib/chef/knife/winrm_shared_options.rb
|
85
91
|
- lib/chef/knife/wsman_endpoint.rb
|
86
92
|
- lib/chef/knife/wsman_test.rb
|
87
|
-
- lib/knife-windows/path_helper.rb
|
88
93
|
- lib/knife-windows/version.rb
|
89
94
|
- spec/assets/fake_trusted_certs/excluded.txt
|
90
95
|
- spec/assets/fake_trusted_certs/github.pem
|
91
96
|
- spec/assets/fake_trusted_certs/google.crt
|
92
97
|
- spec/assets/win_fake_trusted_cert_script.txt
|
93
98
|
- spec/assets/win_template_rendered_with_bootstrap_install_command.txt
|
94
|
-
- spec/assets/
|
99
|
+
- spec/assets/win_template_rendered_with_bootstrap_install_command_on_13_client.txt
|
95
100
|
- spec/assets/win_template_rendered_without_bootstrap_install_command.txt
|
96
101
|
- spec/assets/win_template_rendered_without_bootstrap_install_command_on_12_5_client.txt
|
97
102
|
- spec/assets/win_template_rendered_without_bootstrap_install_command_on_13_client.txt
|
@@ -100,12 +105,7 @@ files:
|
|
100
105
|
- spec/data/client.d_00/foo/bar.rb
|
101
106
|
- spec/data/client.d_01/foo/bar.rb
|
102
107
|
- spec/dummy_winrm_connection.rb
|
103
|
-
- spec/functional/bootstrap_download_spec.rb
|
104
108
|
- spec/spec_helper.rb
|
105
|
-
- spec/unit/knife/bootstrap_options_spec.rb
|
106
|
-
- spec/unit/knife/bootstrap_template_spec.rb
|
107
|
-
- spec/unit/knife/bootstrap_windows_winrm_spec.rb
|
108
|
-
- spec/unit/knife/core/windows_bootstrap_context_spec.rb
|
109
109
|
- spec/unit/knife/windows_cert_generate_spec.rb
|
110
110
|
- spec/unit/knife/windows_cert_install_spec.rb
|
111
111
|
- spec/unit/knife/windows_listener_create_spec.rb
|
@@ -124,15 +124,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
124
124
|
requirements:
|
125
125
|
- - ">="
|
126
126
|
- !ruby/object:Gem::Version
|
127
|
-
version:
|
127
|
+
version: 2.5.0
|
128
128
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
129
129
|
requirements:
|
130
130
|
- - ">="
|
131
131
|
- !ruby/object:Gem::Version
|
132
132
|
version: '0'
|
133
133
|
requirements: []
|
134
|
-
|
135
|
-
rubygems_version: 2.7.6
|
134
|
+
rubygems_version: 3.0.3
|
136
135
|
signing_key:
|
137
136
|
specification_version: 4
|
138
137
|
summary: Plugin that adds functionality to Chef's Knife CLI for configuring/interacting
|
@@ -143,7 +142,7 @@ test_files:
|
|
143
142
|
- spec/assets/fake_trusted_certs/google.crt
|
144
143
|
- spec/assets/win_fake_trusted_cert_script.txt
|
145
144
|
- spec/assets/win_template_rendered_with_bootstrap_install_command.txt
|
146
|
-
- spec/assets/
|
145
|
+
- spec/assets/win_template_rendered_with_bootstrap_install_command_on_13_client.txt
|
147
146
|
- spec/assets/win_template_rendered_without_bootstrap_install_command.txt
|
148
147
|
- spec/assets/win_template_rendered_without_bootstrap_install_command_on_12_5_client.txt
|
149
148
|
- spec/assets/win_template_rendered_without_bootstrap_install_command_on_13_client.txt
|
@@ -152,12 +151,7 @@ test_files:
|
|
152
151
|
- spec/data/client.d_00/foo/bar.rb
|
153
152
|
- spec/data/client.d_01/foo/bar.rb
|
154
153
|
- spec/dummy_winrm_connection.rb
|
155
|
-
- spec/functional/bootstrap_download_spec.rb
|
156
154
|
- spec/spec_helper.rb
|
157
|
-
- spec/unit/knife/bootstrap_options_spec.rb
|
158
|
-
- spec/unit/knife/bootstrap_template_spec.rb
|
159
|
-
- spec/unit/knife/bootstrap_windows_winrm_spec.rb
|
160
|
-
- spec/unit/knife/core/windows_bootstrap_context_spec.rb
|
161
155
|
- spec/unit/knife/windows_cert_generate_spec.rb
|
162
156
|
- spec/unit/knife/windows_cert_install_spec.rb
|
163
157
|
- spec/unit/knife/windows_listener_create_spec.rb
|
data/CHANGELOG.md
DELETED
@@ -1,176 +0,0 @@
|
|
1
|
-
# knife-windows Change Log
|
2
|
-
|
3
|
-
Note: this log contains only changes from knife-windows release 0.6.0 and later
|
4
|
-
-- it does not contain the changes from prior releases. To view change history
|
5
|
-
prior to release 0.6.0, please visit the [source repository](https://github.com/chef/knife-windows/commits).
|
6
|
-
|
7
|
-
<!-- latest_release 1.9.6 -->
|
8
|
-
## [v1.9.6](https://github.com/chef/knife-windows/tree/v1.9.6) (2018-10-23)
|
9
|
-
|
10
|
-
#### Merged Pull Requests
|
11
|
-
- Slim down the size of the install and the gem [#462](https://github.com/chef/knife-windows/pull/462) ([tas50](https://github.com/tas50))
|
12
|
-
<!-- latest_release -->
|
13
|
-
|
14
|
-
<!-- release_rollup since=1.9.1 -->
|
15
|
-
### Changes since 1.9.1 release
|
16
|
-
|
17
|
-
#### Merged Pull Requests
|
18
|
-
- Slim down the size of the install and the gem [#462](https://github.com/chef/knife-windows/pull/462) ([tas50](https://github.com/tas50)) <!-- 1.9.6 -->
|
19
|
-
- Adds client_d support to knife-windows [#461](https://github.com/chef/knife-windows/pull/461) ([btm](https://github.com/btm)) <!-- 1.9.5 -->
|
20
|
-
- MSYS-831 : Fixed windows detection code for windows 2016, windows 2012r2 [#455](https://github.com/chef/knife-windows/pull/455) ([piyushawasthi](https://github.com/piyushawasthi)) <!-- 1.9.4 -->
|
21
|
-
- [MSYS-841]fix bootstrap template short name [#457](https://github.com/chef/knife-windows/pull/457) ([dheerajd-msys](https://github.com/dheerajd-msys)) <!-- 1.9.3 -->
|
22
|
-
- [MSYS-850] enable expeditor [#458](https://github.com/chef/knife-windows/pull/458) ([dheerajd-msys](https://github.com/dheerajd-msys)) <!-- 1.9.2 -->
|
23
|
-
<!-- release_rollup -->
|
24
|
-
|
25
|
-
<!-- latest_stable_release -->
|
26
|
-
<!-- latest_stable_release -->
|
27
|
-
|
28
|
-
## Release 1.9.1 (2018-03-07)
|
29
|
-
|
30
|
-
* [knife-windows #444](https://github.com/chef/knife-windows/pull/444) Fixes issue when bootstrapping windows systems failing with the message: The input line is too long.
|
31
|
-
|
32
|
-
## Release 1.9.0
|
33
|
-
|
34
|
-
* [knife-windows #416](https://github.com/chef/knife-windows/pull/416) Add concurrency support via the `--concurrency` flag
|
35
|
-
|
36
|
-
## Release 1.8.0
|
37
|
-
|
38
|
-
* [knife-windows #407](https://github.com/chef/knife-windows/pull/407) Added value for config_log_level and config_log_location
|
39
|
-
|
40
|
-
## Release 1.7.1
|
41
|
-
|
42
|
-
* [knife-windows #409](https://github.com/chef/knife-windows/pull/409) Fix trusted_cert copy script generation on windows
|
43
|
-
|
44
|
-
## Release 1.7.0
|
45
|
-
|
46
|
-
* [knife-windows #400](https://github.com/chef/knife-windows/pull/400) Allow a custom codepage to be specified and passed to the cmd shell
|
47
|
-
|
48
|
-
## Release 1.6.0
|
49
|
-
|
50
|
-
* [knife-windows #393](https://github.com/chef/knife-windows/pull/393) Add documentation of the --msi-url option
|
51
|
-
* [knife-windows #392](https://github.com/chef/knife-windows/pull/392) Use winrm v2 and allow users to pass a shell
|
52
|
-
* [knife-windows #388](https://github.com/chef/knife-windows/pull/388) fix #386 swallowing node_ssl_verify_mode value
|
53
|
-
* [knife-windows #385](https://github.com/chef/knife-windows/pull/385) Fixed win 2008 64bit ssh bootstrap command hanging
|
54
|
-
* [knife-windows #384](https://github.com/chef/knife-windows/pull/384) Fix for architechture detection issue for 64 bit
|
55
|
-
* [knife-windows #381](https://github.com/chef/knife-windows/pull/381) Add validation for FQDN value
|
56
|
-
* [knife-windows #380](https://github.com/chef/knife-windows/pull/380) Fixing bootstrap via ssh regression
|
57
|
-
|
58
|
-
## Release 1.5.0
|
59
|
-
|
60
|
-
* [knife-windows #377](https://github.com/chef/knife-windows/pull/377) Added code and corresponding RSpecs to read the json attributes from the --json-attributes-file option.
|
61
|
-
|
62
|
-
## Release 1.4.1
|
63
|
-
|
64
|
-
* [knife-windows #362](https://github.com/chef/knife-windows/pull/362) Fix `knife windows bootstrap` chef client downloads over a proxy
|
65
|
-
* [knife-windows #367](https://github.com/chef/knife-windows/pull/367) Honor chef's ssl_policy when making winrm calls
|
66
|
-
|
67
|
-
## Release 1.4.0
|
68
|
-
|
69
|
-
* [knife-windows #354](https://github.com/chef/knife-windows/pull/354) Allows the user to specify the architecture they want to install on the target system during `knife bootstrap windows`. In your knife config specify `knife[:bootstrap_architecture]`. Valid values are `:i386` for 32 bit or `:x86_64` for 64 bit. By default the architecture will be whatever the target system is. If you try to install a 64 bit package on a 32 bit system you will receive an error.
|
70
|
-
* [knife-windows #352](https://github.com/chef/knife-windows/pull/352) Have client.rb verify that FIPS mode can be enforced
|
71
|
-
|
72
|
-
## Release 1.3.0
|
73
|
-
* [knife-windows #349](https://github.com/chef/knife-windows/pull/349) Pulls in Winrm 1.7.0 which now consumes rubyntlm 0.6.0 to support Extended Protection for Authentication (aka channel binding) for NTLM over TLS
|
74
|
-
* [knife-windows #350](https://github.com/chef/knife-windows/pull/350) Adding a `--ssl-peer-fingerprint` option as an alternative to `--winrm-ssl-verify-mode verify_none` in self signed scenarios
|
75
|
-
|
76
|
-
## Release 1.2.1
|
77
|
-
* [knife-windows #341](https://github.com/chef/knife-windows/pull/341) Removes nokogiri dependency and adds UX fixes for `knife wsman test` when probing a SSL endpoint configured with a self signed certificate
|
78
|
-
|
79
|
-
## Release 1.2.0
|
80
|
-
* [knife-windows #334](https://github.com/chef/knife-windows/pull/334) Uses Negotiate authentication via winrm 1.6 on both windows and linux and drops winrm-s dependency
|
81
|
-
|
82
|
-
## Release 1.1.4
|
83
|
-
* Bumps winrm-s and winrm dependencies to address a winrm-s incompatibility bug with winrm 1.5
|
84
|
-
|
85
|
-
## Release 1.1.3
|
86
|
-
* [knife-windows #329](https://github.com/chef/knife-windows/pull/329) Pin to a minimum winrm-s of 0.3.2 addressing encoding issues in 0.3.1
|
87
|
-
|
88
|
-
## Release 1.1.2
|
89
|
-
* [knife-windows #317](https://github.com/chef/knife-windows/pull/317) Update Vault after client is created
|
90
|
-
* [knife-windows #325](https://github.com/chef/knife-windows/pull/325) Fix proxy configuration to work with chef client 12.6.0
|
91
|
-
* [knife-windows #326](https://github.com/chef/knife-windows/pull/326) Support new `ssh_identity_file` bootstrap argument
|
92
|
-
|
93
|
-
## Release 1.1.1
|
94
|
-
* [knife-windows #307](https://github.com/chef/knife-windows/pull/307) Ensure prompted password is passed to winrm session
|
95
|
-
* [knife-windows #311](https://github.com/chef/knife-windows/issues/311) WinRM bootstrap silently fails
|
96
|
-
|
97
|
-
## Release 1.1.0
|
98
|
-
* [knife-windows #302](https://github.com/chef/knife-windows/pull/302) Address regression caused by chef client 12.5 environment argument
|
99
|
-
* [knife-windows #295](https://github.com/chef/knife-windows/issues/295) Bootstrap missing policy_group, policy_name feature from Chef Client 12.5
|
100
|
-
* [knife-windows #296](https://github.com/chef/knife-windows/issues/296) Installing knife-windows produces warning for _all_ knife commands in Mac OS X with ChefDK 0.8.0
|
101
|
-
* [knife-windows #297](https://github.com/chef/knife-windows/pull/297) use configured proxy settings for all winrm sessions
|
102
|
-
|
103
|
-
## Release 1.0.0
|
104
|
-
|
105
|
-
* [knife-windows #281](https://github.com/chef/knife-windows/pull/281) Prevent unencrypted negotiate auth, automatically prefix local usernames with '.' for negotiate
|
106
|
-
* [knife-windows #275](https://github.com/chef/knife-windows/pull/275) Added bootstrap\_install\_command option in parity with knife bootstrap
|
107
|
-
* [knife-windows #240](https://github.com/chef/knife-windows/pull/240) Change kerberos keytab short option to -T to resolve conflict
|
108
|
-
* [knife-windows #232](https://github.com/chef/knife-windows/pull/232) Adding --hint option to bootstrap
|
109
|
-
* [knife-windows #227](https://github.com/chef/knife-windows/issues/227) Exception: NoMethodError: undefined method 'gsub' for false:FalseClass
|
110
|
-
* [knife-windows #222](https://github.com/chef/knife-windows/issues/222) Validatorless bootstrap support
|
111
|
-
* [knife-windows #202](https://github.com/chef/knife-windows/issues/202) knife bootstrap windows should support enabling the service
|
112
|
-
* [knife-windows #213](https://github.com/chef/knife-windows/pull/213) Search possibilities of HOME for bootstrap templates
|
113
|
-
* [knife-windows #206](https://github.com/chef/knife-windows/pull/206) Add a flag msi_url that allows one to fetch the Chef client msi from a non-chef.io path
|
114
|
-
* [knife-windows #192](https://github.com/chef/knife-windows/issues/192) deprecate knife bootstrap --distro
|
115
|
-
* [knife-windows #159](https://github.com/chef/knife-windows/issues/159) `winrm_port` option should default to 5986 if `winrm_transport` option is `ssl`
|
116
|
-
* [knife-windows #149](https://github.com/chef/knife-windows/pull/149) Adding knife wsman test to validate WSMAN/WinRM availability
|
117
|
-
* [knife-windows #139](https://github.com/chef/knife-windows/issues/139) Force dev dependency on Chef 11 for test scenarios to avoid Ohai 8 conflict on Ruby 1.9.x
|
118
|
-
* [knife-windows #126](https://github.com/chef/knife-windows/pull/126) Allow disabling of SSL peer verification in knife-windows for testing
|
119
|
-
* [knife-windows #154](https://github.com/chef/knife-windows/issues/154) Unreleased regression in master: NameError: undefined local variable or method `path_separator
|
120
|
-
* [knife-windows #143](https://github.com/chef/knife-windows/issues/143) Unreleased regression in master: WinRM::WinRMHTTPTransportError: Bad HTTP response returned from server (503) in the middle of bootstrap
|
121
|
-
* [knife-windows #133](https://github.com/chef/knife-windows/issues/133) Bootstrap failure -- unable to validate SSL chef server endpoints
|
122
|
-
* [knife-windows #132](https://github.com/chef/knife-windows/issues/132) New subcommands for WinRM: windows listener create, cert generate, and cert install
|
123
|
-
* [knife-windows #129](https://github.com/chef/knife-windows/issues/129) New --winrm-authentication-protocol option for explicit control of authentication
|
124
|
-
* [knife-windows #125](https://github.com/chef/knife-windows/issues/125) knife-windows should use PowerShell first before cscript to download the Chef Client msi
|
125
|
-
* [knife-windows #92](https://github.com/chef/knife-windows/issues/92) EventMachine issue: knife bootstrap windows winrm error
|
126
|
-
* [knife-windows #94](https://github.com/chef/knife-windows/issues/94) Remove Eventmachine dependency
|
127
|
-
* [knife-windows #252](https://github.com/chef/knife-windows/pull/252) Fail early on ECONNREFUSED, Closes #244.
|
128
|
-
* [knife-windows #260](https://github.com/chef/knife-windows/pull/260) Fail quickly on invalid option combinations, Closes #259
|
129
|
-
|
130
|
-
## Release: 0.8.5
|
131
|
-
* [knife-windows #228](https://github.com/chef/knife-windows/pull/228) make winrm-s dep more strict on knife-windows 0.8.x
|
132
|
-
|
133
|
-
## Release: 0.8.4
|
134
|
-
* [knife-windows #133](https://github.com/chef/knife-windows/issues/133) Bootstrap failure -- unable to validate SSL chef server endpoints
|
135
|
-
|
136
|
-
## Release: 0.8.3
|
137
|
-
* [knife-windows #131](https://github.com/chef/knife-windows/issues/108) Issue #131: Windows should be bootstrapped using latest Chef Client version compatible with knife's version just like non-Windows systems
|
138
|
-
* [knife-windows #139](https://github.com/chef/knife-windows/issues/139) Force dev dependency on Chef 11 for test scenarios to avoid Ohai 8 conflict on Ruby 1.9.x
|
139
|
-
|
140
|
-
## Release: 0.8.2
|
141
|
-
* [knife-windows #108](https://github.com/chef/knife-windows/issues/108) Error: Unencrypted communication not supported if remote server does not require encryption
|
142
|
-
|
143
|
-
## Release: 0.8.0
|
144
|
-
* [knife-windows #98](https://github.com/chef/knife-windows/issues/98) Get winrm command exit code if it is not expected
|
145
|
-
* [knife-windows #96](https://github.com/chef/knife-windows/issues/96) Fix break from OS patch KB2918614
|
146
|
-
* Remove the 'instance data' method of creating EC2 servers
|
147
|
-
* Update winrm-s dependency along with em-winrm and winrm dependencies
|
148
|
-
* Return failure codes from knife winrm even when `returns` is not set
|
149
|
-
* Support Windows negotiate authentication protocol when running knife on Windows
|
150
|
-
|
151
|
-
## Release: 0.6.0 (05/08/2014)
|
152
|
-
|
153
|
-
* [KNIFE-386](https://tickets.opscode.com/browse/KNIFE-386) Wait for a valid command response before bootstrapping over WinRM
|
154
|
-
* [KNIFE-394](https://tickets.opscode.com/browse/KNIFE-394) Update em-winrm dependency
|
155
|
-
* [KNIFE-450](https://tickets.opscode.com/browse/KNIFE-450) Set knife winrm command exit status on exception and command failure
|
156
|
-
|
157
|
-
**See source control commit history for earlier changes.**
|
158
|
-
|
159
|
-
## Selected release notes
|
160
|
-
These are release notes from very early releases of the plugin. For recent
|
161
|
-
releases (2014 and later), see the RELEASE_NOTES.md file of each tagged release branch.
|
162
|
-
|
163
|
-
Release Notes - Knife Windows Plugin - Version 0.5.6
|
164
|
-
|
165
|
-
** New Feature
|
166
|
-
* new default bootstrap template that installs Chef using official chef-client MSI installer
|
167
|
-
|
168
|
-
Release Notes - Knife Windows Plugin - Version 0.5.4
|
169
|
-
|
170
|
-
** Bug
|
171
|
-
* [KNIFE\_WINDOWS-7] - Exception: NoMethodError: undefined method `env_namespace' for Savon:Module
|
172
|
-
* [KNIFE\_WINDOWS-8] - winrm based bootstrap fails with 'Bad HTTP response returned from server (500)'
|
173
|
-
|
174
|
-
|
175
|
-
** New Feature
|
176
|
-
* [KNIFE\_WINDOWS-6] - default bootstrap template should support encrypted\_data\_bag\_secret
|
data/Gemfile
DELETED
data/README.md
DELETED
@@ -1,431 +0,0 @@
|
|
1
|
-
Knife Windows Plugin
|
2
|
-
====================
|
3
|
-
[![Build Status Master](https://travis-ci.org/chef/knife-windows.svg?branch=master)](https://travis-ci.org/chef/knife-windows)
|
4
|
-
[![Build Status Master](https://ci.appveyor.com/api/projects/status/github/chef/knife-windows?branch=master&svg=true&passingText=master%20-%20Ok&pendingText=master%20-%20Pending&failingText=master%20-%20Failing)](https://ci.appveyor.com/project/Chef/knife-windows/branch/master)
|
5
|
-
[![Gem Version](https://badge.fury.io/rb/knife-windows.svg)](https://badge.fury.io/rb/knife-windows)
|
6
|
-
|
7
|
-
This plugin adds additional functionality to the Chef Knife CLI tool for
|
8
|
-
configuring / interacting with nodes running Microsoft Windows:
|
9
|
-
|
10
|
-
* Bootstrap of nodes via the [Windows Remote Management (WinRM)](http://msdn.microsoft.com/en-us/library/aa384426\(v=VS.85\).aspx) or SSH protocols
|
11
|
-
* Remote command execution using the WinRM protocol
|
12
|
-
* Utilities to configure WinRM SSL endpoints on managed nodes
|
13
|
-
|
14
|
-
## Subcommands
|
15
|
-
|
16
|
-
This plugin provides the following Knife subcommands. Specific command options can be found by invoking the subcommand with a `--help` flag
|
17
|
-
|
18
|
-
### knife winrm
|
19
|
-
|
20
|
-
The `winrm` subcommand allows you to invoke commands in parallel on a subset of the nodes in your infrastructure. The `winrm` subcommand uses the same syntax as the [search subcommand](https://docs.chef.io/knife_search.html); you could find the uptime of all your web servers using the command:
|
21
|
-
|
22
|
-
knife winrm "role:web" "net stats srv" -x Administrator -P 'super_secret_password'
|
23
|
-
|
24
|
-
_Please note that to run a single command against multiple nodes, each node must share the same username and password._
|
25
|
-
|
26
|
-
Or force a chef run:
|
27
|
-
|
28
|
-
knife winrm "myserver.myorganization.net" "chef-client -c c:/chef/client.rb" -m -x Administrator -P "super_secret_password"
|
29
|
-
myserver.myorganization.net [Fri, 04 Mar 2011 22:00:49 +0000] INFO: Starting Chef Run (Version 0.9.12)
|
30
|
-
myserver.myorganization.net [Fri, 04 Mar 2011 22:00:50 +0000] WARN: Node ip-0A502FFB has an empty run list.
|
31
|
-
myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Chef Run complete in 4.383966 seconds
|
32
|
-
myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: cleaning the checksum cache
|
33
|
-
myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Running report handlers
|
34
|
-
myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Report handlers complete
|
35
|
-
|
36
|
-
This subcommand operates in a manner similar to [knife ssh](https://docs.chef.io/knife_ssh.html)...just leveraging the WinRM protocol for communication. It also includes `knife ssh`'s "[interactive session mode](https://docs.chef.io/knife_ssh.html#options)"
|
37
|
-
|
38
|
-
#### winrm-shell
|
39
|
-
|
40
|
-
By default, `knife winrm` runs in a `cmd.exe` shell. You can use the `--winrm-shell` argument to change the shell to `powershell` or `elevated`. An elevated shell is similar to the `powershell` shell but the powershell command is executed from a scheduled task using a local identity. This may be desirable for some operations such as running `chef-client` to converge recipes that work with windows updates, install sql server, etc.
|
41
|
-
|
42
|
-
### knife bootstrap windows winrm
|
43
|
-
|
44
|
-
Performs a Chef Bootstrap (via the WinRM protocol) on the target node. The goal of the bootstrap is to get Chef installed on the target system so it can run Chef Client with a Chef Server. The main assumption is a baseline OS installation exists. It is primarily intended for Chef Client systems that talk to a Chef server.
|
45
|
-
|
46
|
-
This subcommand operates in a manner similar to [knife bootstrap](https://docs.chef.io/knife_bootstrap.html)...just leveraging the WinRM protocol for communication. An initial run_list for the node can also be passed to the subcommand. Example usage:
|
47
|
-
|
48
|
-
knife bootstrap windows winrm myserver.myorganization.net -r 'role[webserver],role[production]' -x Administrator -P 'super_secret_password'
|
49
|
-
|
50
|
-
#### Tip: Use SSL for WinRM communication
|
51
|
-
|
52
|
-
By default, the `knife winrm` and `knife bootstrap windows winrm` subcommands use a plaintext transport,
|
53
|
-
but they support an option `--winrm-transport` (or `-t`) with the argument
|
54
|
-
`ssl` that allows the SSL to secure the WinRM payload. Here's an example:
|
55
|
-
|
56
|
-
knife winrm -t ssl "role:web" "net stats srv" -x Administrator -P "super_secret_password" -f ~/server_public_cert.crt
|
57
|
-
|
58
|
-
Use of SSL is strongly recommended, particularly when invoking `knife-windows` on non-Windows platforms, since
|
59
|
-
without SSL there are limited options for ensuring the privacy of the
|
60
|
-
plaintext transport. See the section on [Platform authentication
|
61
|
-
support](#platform-winrm-authentication-support).
|
62
|
-
|
63
|
-
SSL will become the default transport in future revisions of
|
64
|
-
`knife-windows`.
|
65
|
-
|
66
|
-
#### Specifying the package architecture
|
67
|
-
|
68
|
-
You can configure which package architecture (32 bit or 64 bit) to install on the bootstrapped system. In your knife config specify `knife[:bootstrap_architecture]`. Valid values are `:i386` for 32 bit or `:x86_64` for 64 bit. By default the architecture will be whatever the target system is. If you try to install a 64 bit package on a 32 bit system you will receive an error, but installing a 32 bit package on a 64 bit system is supported.
|
69
|
-
|
70
|
-
Currently (March 2016) the `stable` channel of omnibus (where downloads using the install script fetch) only has 32 bit packages but this will be updated soon to include both 32 and 64 bit packages. Until then you will need to access the `current` channel by specifying `--prerelease` in your `knife bootstrap windows` if you want 64 bit packages.
|
71
|
-
|
72
|
-
#### Using a custom install URL
|
73
|
-
|
74
|
-
By default, the bootstrap command tries to download the latest `chef-client` installer from the Internet. This may be a problem in the enterprise, for example if your node is behind a proxy or firewall. In that case, you can specify a custom install URL with the `--msi-url` option.
|
75
|
-
|
76
|
-
### knife wsman test
|
77
|
-
|
78
|
-
Connects to the remote WSMan/WinRM endpoint and verifies the remote node is listening. This is the equivalent of running Test-Wsman from PowerShell. Endpoints to test can be specified manually, or be driven by search and use many of the same connection options as knife winrm.
|
79
|
-
To test a single node using the default WinRM port (5985)
|
80
|
-
|
81
|
-
knife wsman test 192.168.1.10 -m
|
82
|
-
|
83
|
-
or to test a single node with SSL enabled on the default port (5986)
|
84
|
-
|
85
|
-
knife wsman test 192.168.1.10 -m --winrm-transport ssl
|
86
|
-
|
87
|
-
or to test all windows nodes registered with your Chef Server organization
|
88
|
-
|
89
|
-
knife wsman test platform:windows
|
90
|
-
|
91
|
-
### knife bootstrap windows ssh
|
92
|
-
|
93
|
-
Performs a Chef Bootstrap (via the SSH protocol) on the target node. The goal of the bootstrap is to get Chef installed on the target system so it can run Chef Client with a Chef Server. The main assumption is a baseline OS installation exists. It is primarily intended for Chef Client systems that talk to a Chef server.
|
94
|
-
|
95
|
-
This subcommand assumes the SSH session will use the Windows native cmd.exe command shell vs a bash shell through an emulated cygwin layer. Most popular Windows based SSHd daemons like [freeSSHd](http://www.freesshd.com/) and [WinSSHD](http://www.bitvise.com/winsshd) behave this way.
|
96
|
-
|
97
|
-
An initial run_list for the node can also be passed to the subcommand. Example usage:
|
98
|
-
|
99
|
-
knife bootstrap windows ssh myserver.myorganization.net -r "role[webserver],role[production]" -x Administrator -i ~/.ssh/id_rsa
|
100
|
-
|
101
|
-
### knife windows cert generate
|
102
|
-
|
103
|
-
Generates a certificate(x509) containing a public / private key pair for WinRM 'SSL' communication.
|
104
|
-
The certificate will be generated in three different formats:
|
105
|
-
* **.pem** - The *.pem is Base64 encoded public certificate only. One can use this file with the `-f` argument on `knife bootstrap windows winrm` and `knife winrm` commands.
|
106
|
-
* **.pfx** - The PKCS12(i.e .pfx) contains both the public and private keys, usually used on the server. This can be added to a WinRM Server's Certificate Store using `knife windows cert install` (see command description below). **Note:** Do not use the *.pfx file with the `-f` argument on the `knife bootstrap windows winrm` and `knife winrm` commands. Use the *.pem file instead.
|
107
|
-
* **.b64** - The *.b64 is Base64 PKCS12 key pair. Contains both the public and private keys, for upload to the Cloud REST API. e.g. Azure.
|
108
|
-
|
109
|
-
This command also displays the thumbprint of the generated certificate.
|
110
|
-
|
111
|
-
knife windows cert generate --cert-passphrase "strong_passphrase" --hostname "myserver.myorganization.net" --output-file "~/server_cert.pfx"
|
112
|
-
# This command will generate certificates in the user's home directory with names server_cert.b64, server_cert.pfx and server_cert.pem.
|
113
|
-
|
114
|
-
### knife windows cert install
|
115
|
-
|
116
|
-
This command only functions on Windows and is intended to be run on a chef node. It adds the specified certificate to its certificate store. This command must include a valid PKCS12(i.e *.pfx) certificate file path such as the *.pfx file generated by `knife windows cert generate` described above.
|
117
|
-
|
118
|
-
knife windows cert install "~/server_cert.pfx" --cert-passphrase "strong_passphrase"
|
119
|
-
|
120
|
-
### knife windows listener create
|
121
|
-
This command only functions on Windows and is intended to be run on a chef node. It creates the winrm listener for SSL communication(i.e HTTPS).
|
122
|
-
This command can also install certificate which is specified using --cert-install option and use the installed certificate thumbprint to create winrm listener.
|
123
|
-
--hostname option is optional. Default value for hostname is *.
|
124
|
-
|
125
|
-
knife windows listener create --cert-passphrase "strong_passphrase" --hostname "myserver.mydomain.net" --cert-install "~/server_cert.pfx"
|
126
|
-
|
127
|
-
The command also allows you to use existing certificates from local store to create winrm listener. Use --cert-thumbprint option to specify the certificate thumbprint.
|
128
|
-
|
129
|
-
knife windows listener create --cert-passphrase "strong_passphrase" --hostname "myserver.mydomain.net" --cert-thumbprint "bf0fef0bb41be40ceb66a3b38813ca489fe99746"
|
130
|
-
|
131
|
-
You can get the thumbprint for existing certificates in the local store using the following PowerShell command:
|
132
|
-
|
133
|
-
ls cert:\LocalMachine\My
|
134
|
-
|
135
|
-
## Bootstrap template
|
136
|
-
|
137
|
-
This gem provides the bootstrap template `windows-chef-client-msi`,
|
138
|
-
which does the following:
|
139
|
-
|
140
|
-
* Installs the latest version of Chef Client (and all dependencies) using the `chef-client` msi.
|
141
|
-
* Writes the validation.pem per the local knife configuration.
|
142
|
-
* Writes a default config file for Chef (`C:\chef\client.rb`) using values from the `knife.rb`.
|
143
|
-
* Creates a JSON attributes file containing the specified run list and run Chef.
|
144
|
-
|
145
|
-
This template is used by both `knife bootstrap windows winrm` and `knife bootstrap windows ssh` subcommands.
|
146
|
-
|
147
|
-
## Requirements / setup
|
148
|
-
|
149
|
-
### Ruby
|
150
|
-
|
151
|
-
Ruby 1.9.3+ is required.
|
152
|
-
|
153
|
-
### Chef version
|
154
|
-
|
155
|
-
This knife plugins requires >= Chef 11.0.0. More details about Knife plugins can be
|
156
|
-
[found in the Chef documentation](https://docs.chef.io/plugin_knife.html).
|
157
|
-
|
158
|
-
## Nodes
|
159
|
-
|
160
|
-
### WinRM versions
|
161
|
-
|
162
|
-
The node must be running Windows Remote Management (WinRM) 2.0+. WinRM
|
163
|
-
allows you to call native objects in Windows. This includes, but is not
|
164
|
-
limited to, running PowerShell scripts, batch scripts, and fetching WMI
|
165
|
-
data. For more information on WinRM, please visit
|
166
|
-
[Microsoft's WinRM site](http://msdn.microsoft.com/en-us/library/aa384426\(v=VS.85\).aspx).
|
167
|
-
|
168
|
-
WinRM is built into Windows 7 and Windows Server 2008+. It can also [be installed](https://support.microsoft.com/en-us/kb/968929) on older version of Windows, including:
|
169
|
-
|
170
|
-
* Windows Server 2003
|
171
|
-
* Windows Vista
|
172
|
-
|
173
|
-
### WinRM configuration
|
174
|
-
|
175
|
-
**NOTE**: Before any WinRM related knife subcommands will function
|
176
|
-
a node's WinRM installation must be configured correctly.
|
177
|
-
The settings below must be added to your base server image or passed
|
178
|
-
in using some sort of user-data mechanism provided by your cloud
|
179
|
-
provider. Some cloud providers will set up the required WinRM
|
180
|
-
configuration through the cloud API for creating instances -- see
|
181
|
-
the documentation for the provider.
|
182
|
-
|
183
|
-
A server running WinRM must also be configured properly to allow
|
184
|
-
outside connections for the entire network path from the knife workstation to the server. The easiest way to accomplish this is to use [WinRM's quick configuration option](http://msdn.microsoft.com/en-us/library/aa384372\(v=vs.85\).aspx#quick_default_configuration):
|
185
|
-
|
186
|
-
winrm quickconfig -q
|
187
|
-
|
188
|
-
This will set up an WinRM listener using the HTTP (plaintext)
|
189
|
-
transport -- WinRM also supports the SSL transport for improved
|
190
|
-
robustness against information disclosure and other threats.
|
191
|
-
|
192
|
-
The chef-client installation and bootstrap may take more
|
193
|
-
memory than the default 150MB WinRM allocates per shell on older versions of
|
194
|
-
Windows (prior to Windows Server 2012) -- this can slow down
|
195
|
-
bootstrap or cause it to fail. The memory limit was increased to 1GB with Windows Management Framework 3
|
196
|
-
(and Server 2012). However, there is a bug in Windows Management Framework 3
|
197
|
-
(and Server 2012) which requires a [hotfix from Microsoft](https://support.microsoft.com/en-us/kb/2842230/en-us).
|
198
|
-
You can increase the memory limit to 1GB with the following PowerShell
|
199
|
-
command:
|
200
|
-
|
201
|
-
```powershell
|
202
|
-
set-item wsman:\localhost\shell\maxmemorypershellmb 1024
|
203
|
-
```
|
204
|
-
|
205
|
-
Bootstrap commands can take longer than the WinRM default 60 seconds to
|
206
|
-
complete, optionally increase to 30 minutes if bootstrap terminates a command prematurely:
|
207
|
-
|
208
|
-
```powershell
|
209
|
-
set-item wsman:\localhost\MaxTimeoutms 300000
|
210
|
-
```
|
211
|
-
|
212
|
-
Note that the `winrm` command itself supports the same configuration
|
213
|
-
capabilities as the PowerShell commands given above -- if you need to
|
214
|
-
configure WinRM without using PowerShell, use `winrm -?` to get help.
|
215
|
-
|
216
|
-
WinRM supports both the HTTP and HTTPS (SSL) transports and the following
|
217
|
-
authentication schemes: Kerberos, Digest, Certificate and Basic. The details
|
218
|
-
of these authentication transports are outside of the scope of this
|
219
|
-
README but details can be found on the
|
220
|
-
[WinRM configuration guide](http://msdn.microsoft.com/en-us/library/aa384372\(v=vs.85\).aspx).
|
221
|
-
|
222
|
-
### Working with legacy Windows versions
|
223
|
-
|
224
|
-
If you are attempting to use `knife winrm` or `knife bootstrap windows winrm` with a version of windows that is older than server 2008 R2 or older than Windows 7 then you may need to alter the default UTF-8 codepage (65001) using the `--winrm-codepage` argument. You can use the codepage native to your locale but `437` is a safe codepage for older Windows versions.
|
225
|
-
|
226
|
-
#### Configure SSL on a Windows node
|
227
|
-
|
228
|
-
WinRM supports use of SSL to provide privacy and integrity of
|
229
|
-
communication using the protocol and to prevent spoofing attacks.
|
230
|
-
|
231
|
-
##### Configure SSL using `knife`
|
232
|
-
|
233
|
-
`knife-windows` includes three commands to assist with SSL
|
234
|
-
configuration -- these commands support all versions of Windows and do
|
235
|
-
not rely on PowerShell:
|
236
|
-
|
237
|
-
* `knife windows cert generate`: creates a certificate that may be used
|
238
|
-
to configure an SSL WinRM listener
|
239
|
-
|
240
|
-
* `knife windows cert install`: Installs a certificate into the
|
241
|
-
Windows certificate store so it can be used to configure an SSL
|
242
|
-
WinRM listener.
|
243
|
-
|
244
|
-
* `knife windows listener create`: Creates a WinRM listener on a
|
245
|
-
Windows node -- it can use either a certificate already installed in
|
246
|
-
the Windows certificate store, or one created by other tools
|
247
|
-
including the `knife windows cert generate` command.
|
248
|
-
|
249
|
-
Here is an example that configures a listener on the node on which the
|
250
|
-
commands are executed:
|
251
|
-
|
252
|
-
knife windows cert generate --domain myorg.org --output-file $env:userprofile/winrmcerts/winrm-ssl
|
253
|
-
knife windows listener create --hostname *.myorg.org --cert-install $env:userprofile/winrmcerts/winrm-ssl.pfx
|
254
|
-
|
255
|
-
Note that the first command which generates the certificate for the
|
256
|
-
listener could be executed from any system that can run `knife` as
|
257
|
-
long as the certificate it generates is made available at a path at
|
258
|
-
which the second command can access it.
|
259
|
-
|
260
|
-
See previous sections for additional details of the `windows cert generate`, `windows cert install` and `windows listener create` subcommands.
|
261
|
-
|
262
|
-
##### Configure SSL using *Windows Server 2012 or later*
|
263
|
-
The following PowerShell commands may be used to create an SSL WinRM
|
264
|
-
listener with a self-signed certificate on Windows 2012R2 or later systems:
|
265
|
-
|
266
|
-
```powershell
|
267
|
-
$cert = New-SelfSignedCertificate -DnsName 'myserver.mydomain.org' -CertStoreLocation Cert:\LocalMachine\My
|
268
|
-
new-item -address * -force -path wsman:\localhost\listener -port 5986 -hostname ($cert.subject -split '=')[1] -transport https -certificatethumbprint $cert.Thumbprint
|
269
|
-
# Open the firewall for 5986, the default WinRM SSL port
|
270
|
-
netsh advfirewall firewall set rule name="Windows Remote Management (HTTPS-In)" profile=public protocol=tcp localport=5986 remoteip=localsubnet new remoteip=any
|
271
|
-
|
272
|
-
```
|
273
|
-
|
274
|
-
Note that the first command which uses the `New-SelfSignedCertificate`
|
275
|
-
cmdlet is available only in PowerShell version 4.0 and later.
|
276
|
-
|
277
|
-
##### Configure SSL using `winrm quickconfig`
|
278
|
-
|
279
|
-
The following command can configure an SSL WinRM listener if the
|
280
|
-
Windows certificate store's Local Machine store contains a certificate
|
281
|
-
that meets certain criteria that are most likely to be met if the
|
282
|
-
system is joined to a Windows Active Directory domain:
|
283
|
-
|
284
|
-
winrm quickconfig -transport:https -q
|
285
|
-
|
286
|
-
If the criteria are not met, an error message will follow with
|
287
|
-
guidance on the certificate requirements; you may need to obtain a
|
288
|
-
certificate from the appropriate source or use the PowerShell or
|
289
|
-
`knife` techniques given above to create the listener instead.
|
290
|
-
|
291
|
-
##### Disabling peer verification
|
292
|
-
In the SSL examples above, the `-f` parameter was used to supply a
|
293
|
-
certificate that could validate the identity of the remote server.
|
294
|
-
For debugging purposes, this validation may be skipped if you have not
|
295
|
-
obtained a public certificate that can validate the server. Here is an
|
296
|
-
example:
|
297
|
-
|
298
|
-
knife winrm -m 192.168.0.6 -x "mydomain\myuser" -P $PASSWD -t ssl --winrm-ssl-verify-mode verify_none ipconfig
|
299
|
-
|
300
|
-
This option should be used carefully since disabling the verification of the
|
301
|
-
remote system's certificate can subject knife commands to spoofing attacks.
|
302
|
-
|
303
|
-
##### Connecting securely to self-signed certs
|
304
|
-
If you generate a self-signed cert, the fqdn and ip may not match which will result in a certificate validation failure. In order to securely connect and reduce the risk of a "Man In The Middle" attack, you may use the certificate's fingerprint to precisely identify the known certificate on the WinRM endpoint.
|
305
|
-
|
306
|
-
The fingerprint can be supplied to ```--ssl-peer-fingerprint``` and instead of using a certificate chain and comparing the CommonName, it will only verify that the fingerprint matches:
|
307
|
-
|
308
|
-
knife winrm --ssl-peer-fingerprint 89255929FB4B5E1BFABF7E7F01AFAFC5E7003C3F \
|
309
|
-
-m $IP -x Administrator -P $PASSWD-t ssl --winrm-port 5986 hostname
|
310
|
-
10.113.4.54 ip-0A710436
|
311
|
-
|
312
|
-
## WinRM authentication
|
313
|
-
|
314
|
-
The default authentication protocol for `knife-windows` subcommands that use
|
315
|
-
WinRM is the Negotiate protocol. The following commands show authentication for domain and local accounts respectively:
|
316
|
-
|
317
|
-
knife bootstrap windows winrm web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password"
|
318
|
-
knife bootstrap windows winrm db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password"
|
319
|
-
|
320
|
-
The remote system may also be configured with an SSL WinRM listener instead of a
|
321
|
-
plaintext listener. Then the above commands should be modified to use the SSL
|
322
|
-
transport as follows using the `-t` (or `--winrm-transport`) option with the
|
323
|
-
`ssl` argument:
|
324
|
-
|
325
|
-
knife bootstrap windows winrm -t ssl web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password" -f ~/mycert.crt
|
326
|
-
knife bootstrap windows winrm -t ssl db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password" ~/mycert.crt
|
327
|
-
|
328
|
-
### Troubleshooting authentication
|
329
|
-
|
330
|
-
Unencrypted traffic with Basic authentication should only be used for low level wire protocol debugging. The configuration for plain text connectivity to
|
331
|
-
the remote system may be accomplished with the following PowerShell commands:
|
332
|
-
|
333
|
-
```powershell
|
334
|
-
set-item wsman:\localhost\service\allowunencrypted $true
|
335
|
-
set-item wsman:\localhost\service\auth\basic $true
|
336
|
-
```
|
337
|
-
To use basic authentication connectivity via `knife-windows`, the default
|
338
|
-
authentication protocol of Negotiate must be overridden using the
|
339
|
-
`--winrm-authentication-protocol` option with the desired protocol, in this
|
340
|
-
case Basic:
|
341
|
-
|
342
|
-
knife winrm -m web1.cloudapp.net --winrm-authentication-protocol basic ipconfig -x localadmin -P "super_secret_password"
|
343
|
-
|
344
|
-
Note that when using Basic authentication, domain accounts may not be used for
|
345
|
-
authentication; an account local to the remote system must be used.
|
346
|
-
|
347
|
-
### Platform WinRM authentication support
|
348
|
-
|
349
|
-
`knife-windows` supports `Kerberos`, `Negotiate`, and `Basic` authentication
|
350
|
-
for WinRM communication.
|
351
|
-
|
352
|
-
The following table shows the authentication protocols that can be used with
|
353
|
-
`knife-windows` depending on whether the knife workstation is a Windows
|
354
|
-
system, the transport, and whether or not the target user is a domain user or
|
355
|
-
local to the target Windows system.
|
356
|
-
|
357
|
-
> \* There is a known defect in the `knife winrm` and `knife bootstrap windows
|
358
|
-
> winrm` subcommands invoked on any OS platform when authenticating with the Negotiate protocol over
|
359
|
-
> the SSL transport. The defect is tracked by
|
360
|
-
> [knife-windows issue #176](https://github.com/chef/knife-windows/issues/176): If the remote system is
|
361
|
-
> domain-joined, local accounts may not be used to authenticate via Negotiate
|
362
|
-
> over SSL -- only domain accounts will work. Local accounts will only
|
363
|
-
> successfully authenticate if the system is not joined to a domain.
|
364
|
-
>
|
365
|
-
> This is generally not an issue for bootstrap scenarios, where the
|
366
|
-
> system has yet to be joined to any domain, but can be a problem for remote
|
367
|
-
> management cases after the system is domain joined. Workarounds include using
|
368
|
-
> a domain account instead or bypassing SSL and using Negotiate authentication.
|
369
|
-
|
370
|
-
## General troubleshooting
|
371
|
-
|
372
|
-
* Windows 2008R2 and earlier versions require an extra configuration
|
373
|
-
for MaxTimeoutms to avoid WinRM::WinRMHTTPTransportError: Bad HTTP
|
374
|
-
response error while bootstrapping. It should be at least 300000.
|
375
|
-
|
376
|
-
`set-item wsman:\\localhost\\MaxTimeoutms 300000`
|
377
|
-
|
378
|
-
* When I run the winrm command I get: "Error: Invalid use of command line. Type "winrm -?" for help."
|
379
|
-
You're running the winrm command from PowerShell and you need to put the key/value pair in single quotes. For example:
|
380
|
-
|
381
|
-
`winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'`
|
382
|
-
|
383
|
-
* If you receive a timeout when trying to connect to your instance for the first time, make sure your Firewall setting
|
384
|
-
is permissive enough.
|
385
|
-
|
386
|
-
`netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" profile=public protocol=tcp localport=5985 remoteip=localsubnet new remoteip=any`
|
387
|
-
|
388
|
-
### AWS User Data
|
389
|
-
|
390
|
-
If you are spinning up AWS instances to test against, you can use the following user data when spinning up your instances:
|
391
|
-
|
392
|
-
```
|
393
|
-
<powershell>
|
394
|
-
$logfile="C:\\Program Files\\Amazon\\Ec2ConfigService\\Logs\\kitchen-ec2.log"
|
395
|
-
# Allow script execution
|
396
|
-
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
|
397
|
-
# PS Remoting and & winrm.cmd basic config
|
398
|
-
Enable-PSRemoting -Force -SkipNetworkProfileCheck
|
399
|
-
& winrm.cmd set winrm/config '@{MaxTimeoutms="1800000"}' >> $logfile
|
400
|
-
& winrm.cmd set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}' >> $logfile
|
401
|
-
& winrm.cmd set winrm/config/winrs '@{MaxShellsPerUser="50"}' >> $logfile
|
402
|
-
#Server settings - support username/password login
|
403
|
-
& winrm.cmd set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}' >> $logfile
|
404
|
-
# Firewall Config
|
405
|
-
& netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" profile=public protocol=tcp localport=5985 remoteip=localsubnet new remoteip=any >> $logfile
|
406
|
-
</powershell>
|
407
|
-
```
|
408
|
-
|
409
|
-
## CONTRIBUTING:
|
410
|
-
|
411
|
-
Please file bugs against the KNIFE_WINDOWS project at https://github.com/chef/knife-windows/issues.
|
412
|
-
|
413
|
-
More information on the contribution process for Chef projects can be found in the [Chef Contributions document](http://docs.chef.io/community_contributions.html).
|
414
|
-
|
415
|
-
# LICENSE:
|
416
|
-
|
417
|
-
Author:: Seth Chisamore (<schisamo@chef.io>)
|
418
|
-
Copyright:: Copyright (c) 2015-2016 Chef Software, Inc.
|
419
|
-
License:: Apache License, Version 2.0
|
420
|
-
|
421
|
-
Licensed under the Apache License, Version 2.0 (the "License");
|
422
|
-
you may not use this file except in compliance with the License.
|
423
|
-
You may obtain a copy of the License at
|
424
|
-
|
425
|
-
http://www.apache.org/licenses/LICENSE-2.0
|
426
|
-
|
427
|
-
Unless required by applicable law or agreed to in writing, software
|
428
|
-
distributed under the License is distributed on an "AS IS" BASIS,
|
429
|
-
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
430
|
-
See the License for the specific language governing permissions and
|
431
|
-
limitations under the License.
|