knife-winops 2.0.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (54) hide show
  1. checksums.yaml +7 -0
  2. data/.gitignore +5 -0
  3. data/.rspec +3 -0
  4. data/.travis.yml +30 -0
  5. data/CHANGELOG.md +147 -0
  6. data/DOC_CHANGES.md +22 -0
  7. data/Gemfile +13 -0
  8. data/LICENSE +201 -0
  9. data/README.md +430 -0
  10. data/RELEASE_NOTES.md +17 -0
  11. data/Rakefile +21 -0
  12. data/appveyor.yml +36 -0
  13. data/ci.gemfile +15 -0
  14. data/knife-winops.gemspec +26 -0
  15. data/lib/chef/knife/bootstrap/Chef_bootstrap.erb +44 -0
  16. data/lib/chef/knife/bootstrap/bootstrap.ps1 +134 -0
  17. data/lib/chef/knife/bootstrap/tail.cmd +15 -0
  18. data/lib/chef/knife/bootstrap/windows-chef-client-msi.erb +302 -0
  19. data/lib/chef/knife/bootstrap_windows_base.rb +473 -0
  20. data/lib/chef/knife/bootstrap_windows_ssh.rb +115 -0
  21. data/lib/chef/knife/bootstrap_windows_winrm.rb +102 -0
  22. data/lib/chef/knife/core/windows_bootstrap_context.rb +356 -0
  23. data/lib/chef/knife/knife_windows_base.rb +33 -0
  24. data/lib/chef/knife/windows_cert_generate.rb +155 -0
  25. data/lib/chef/knife/windows_cert_install.rb +68 -0
  26. data/lib/chef/knife/windows_helper.rb +36 -0
  27. data/lib/chef/knife/windows_listener_create.rb +107 -0
  28. data/lib/chef/knife/winrm.rb +127 -0
  29. data/lib/chef/knife/winrm_base.rb +128 -0
  30. data/lib/chef/knife/winrm_knife_base.rb +315 -0
  31. data/lib/chef/knife/winrm_session.rb +101 -0
  32. data/lib/chef/knife/winrm_shared_options.rb +54 -0
  33. data/lib/chef/knife/wsman_endpoint.rb +44 -0
  34. data/lib/chef/knife/wsman_test.rb +118 -0
  35. data/lib/knife-winops/path_helper.rb +242 -0
  36. data/lib/knife-winops/version.rb +6 -0
  37. data/spec/assets/fake_trusted_certs/excluded.txt +2 -0
  38. data/spec/assets/fake_trusted_certs/github.pem +42 -0
  39. data/spec/assets/fake_trusted_certs/google.crt +41 -0
  40. data/spec/assets/win_fake_trusted_cert_script.txt +89 -0
  41. data/spec/dummy_winrm_connection.rb +21 -0
  42. data/spec/functional/bootstrap_download_spec.rb +229 -0
  43. data/spec/spec_helper.rb +93 -0
  44. data/spec/unit/knife/bootstrap_options_spec.rb +164 -0
  45. data/spec/unit/knife/bootstrap_template_spec.rb +98 -0
  46. data/spec/unit/knife/bootstrap_windows_winrm_spec.rb +410 -0
  47. data/spec/unit/knife/core/windows_bootstrap_context_spec.rb +292 -0
  48. data/spec/unit/knife/windows_cert_generate_spec.rb +90 -0
  49. data/spec/unit/knife/windows_cert_install_spec.rb +51 -0
  50. data/spec/unit/knife/windows_listener_create_spec.rb +76 -0
  51. data/spec/unit/knife/winrm_session_spec.rb +101 -0
  52. data/spec/unit/knife/winrm_spec.rb +494 -0
  53. data/spec/unit/knife/wsman_test_spec.rb +209 -0
  54. metadata +157 -0
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: 648376fc535d37911fdea961d4f4758a81ddf710
4
+ data.tar.gz: a32ca4bc1c8d4e5b6a270aeee69ab6ce984e7339
5
+ SHA512:
6
+ metadata.gz: 706a95e9b891e3a4a106ba5ff3c679911401f64910908fb73de9675acb57a8e2c458cbcb3436b9916bb72b1360affb812f17d0b631af946ee5edcb68a2c6536c
7
+ data.tar.gz: 2dcd08392c81b238dc788ef989bb0c87d8205e3bed182448f88eedacb93305a5481cf09d044024ed4b398e1174e37bc35cfd2169d9a6b471ecf6b10aff75d029
data/.gitignore ADDED
@@ -0,0 +1,5 @@
1
+ *.gem
2
+ .bundle
3
+ Gemfile.lock
4
+ ci.gemfile.lock
5
+ pkg/*
data/.rspec ADDED
@@ -0,0 +1,3 @@
1
+ --color
2
+ -fdocumentation
3
+
data/.travis.yml ADDED
@@ -0,0 +1,30 @@
1
+ language: ruby
2
+ cache: bundler
3
+ dist: trusty
4
+ sudo: false
5
+
6
+ rvm:
7
+ - 2.2.7
8
+ - 2.3.4
9
+ - 2.4.1
10
+ - ruby-head
11
+
12
+ before_install:
13
+ - gem install bundler
14
+
15
+ gemfile: ci.gemfile
16
+
17
+ env:
18
+ - CHEF_VERSION="master"
19
+ - CHEF_VERSION="~> 12.0"
20
+
21
+ matrix:
22
+ exclude:
23
+ - rvm: 2.2.7
24
+ env: CHEF_VERSION="master"
25
+ allow_failures:
26
+ - rvm: ruby-head
27
+
28
+ branches:
29
+ only:
30
+ - master
data/CHANGELOG.md ADDED
@@ -0,0 +1,147 @@
1
+ # knife-winops Change Log
2
+
3
+ ## Release 1.9.0
4
+
5
+ * [knife-winops #416](https://github.com/chef/knife-winops/pull/416) Add concurrency support via the `--concurrency` flag
6
+
7
+ ## Release 1.8.0
8
+
9
+ * [knife-winops #407](https://github.com/chef/knife-winops/pull/407) Added value for config_log_level and config_log_location
10
+
11
+ ## Release 1.7.1
12
+
13
+ * [knife-winops #409](https://github.com/chef/knife-winops/pull/409) Fix trusted_cert copy script generation on windows
14
+
15
+ ## Release 1.7.0
16
+
17
+ * [knife-winops #400](https://github.com/chef/knife-winops/pull/400) Allow a custom codepage to be specified and passed to the cmd shell
18
+
19
+ ## Release 1.6.0
20
+
21
+ * [knife-winops #393](https://github.com/chef/knife-winops/pull/393) Add documentation of the --msi-url option
22
+ * [knife-winops #392](https://github.com/chef/knife-winops/pull/392) Use winrm v2 and allow users to pass a shell
23
+ * [knife-winops #388](https://github.com/chef/knife-winops/pull/388) fix #386 swallowing node_ssl_verify_mode value
24
+ * [knife-winops #385](https://github.com/chef/knife-winops/pull/385) Fixed win 2008 64bit ssh bootstrap command hanging
25
+ * [knife-winops #384](https://github.com/chef/knife-winops/pull/384) Fix for architechture detection issue for 64 bit
26
+ * [knife-winops #381](https://github.com/chef/knife-winops/pull/381) Add validation for FQDN value
27
+ * [knife-winops #380](https://github.com/chef/knife-winops/pull/380) Fixing bootstrap via ssh regression
28
+
29
+ ## Release 1.5.0
30
+
31
+ * [knife-winops #377](https://github.com/chef/knife-winops/pull/377) Added code and corresponding RSpecs to read the json attributes from the --json-attributes-file option.
32
+
33
+ ## Release 1.4.1
34
+
35
+ * [knife-winops #362](https://github.com/chef/knife-winops/pull/362) Fix `knife windows bootstrap` chef client downloads over a proxy
36
+ * [knife-winops #367](https://github.com/chef/knife-winops/pull/367) Honor chef's ssl_policy when making winrm calls
37
+
38
+ ## Release 1.4.0
39
+
40
+ * [knife-winops #354](https://github.com/chef/knife-winops/pull/354) Allows the user to specify the architecture they want to install on the target system during `knife bootstrap windows`. In your knife config specify `knife[:bootstrap_architecture]`. Valid values are `:i386` for 32 bit or `:x86_64` for 64 bit. By default the architecture will be whatever the target system is. If you try to install a 64 bit package on a 32 bit system you will receive an error.
41
+ * [knife-winops #352](https://github.com/chef/knife-winops/pull/352) Have client.rb verify that FIPS mode can be enforced
42
+
43
+ ## Release 1.3.0
44
+ * [knife-winops #349](https://github.com/chef/knife-winops/pull/349) Pulls in Winrm 1.7.0 which now consumes rubyntlm 0.6.0 to support Extended Protection for Authentication (aka channel binding) for NTLM over TLS
45
+ * [knife-winops #350](https://github.com/chef/knife-winops/pull/350) Adding a `--ssl-peer-fingerprint` option as an alternative to `--winrm-ssl-verify-mode verify_none` in self signed scenarios
46
+
47
+ ## Release 1.2.1
48
+ * [knife-winops #341](https://github.com/chef/knife-winops/pull/341) Removes nokogiri dependency and adds UX fixes for `knife wsman test` when probing a SSL endpoint configured with a self signed certificate
49
+
50
+ ## Release 1.2.0
51
+ * [knife-winops #334](https://github.com/chef/knife-winops/pull/334) Uses Negotiate authentication via winrm 1.6 on both windows and linux and drops winrm-s dependency
52
+
53
+ ## Release 1.1.4
54
+ * Bumps winrm-s and winrm dependencies to address a winrm-s incompatibility bug with winrm 1.5
55
+
56
+ ## Release 1.1.3
57
+ * [knife-winops #329](https://github.com/chef/knife-winops/pull/329) Pin to a minimum winrm-s of 0.3.2 addressing encoding issues in 0.3.1
58
+
59
+ ## Release 1.1.2
60
+ * [knife-winops #317](https://github.com/chef/knife-winops/pull/317) Update Vault after client is created
61
+ * [knife-winops #325](https://github.com/chef/knife-winops/pull/325) Fix proxy configuration to work with chef client 12.6.0
62
+ * [knife-winops #326](https://github.com/chef/knife-winops/pull/326) Support new `ssh_identity_file` bootstrap argument
63
+
64
+ ## Release 1.1.1
65
+ * [knife-winops #307](https://github.com/chef/knife-winops/pull/307) Ensure prompted password is passed to winrm session
66
+ * [knife-winops #311](https://github.com/chef/knife-winops/issues/311) WinRM bootstrap silently fails
67
+
68
+ ## Release 1.1.0
69
+ * [knife-winops #302](https://github.com/chef/knife-winops/pull/302) Address regression caused by chef client 12.5 environment argument
70
+ * [knife-winops #295](https://github.com/chef/knife-winops/issues/295) Bootstrap missing policy_group, policy_name feature from Chef Client 12.5
71
+ * [knife-winops #296](https://github.com/chef/knife-winops/issues/296) Installing knife-winops produces warning for _all_ knife commands in Mac OS X with ChefDK 0.8.0
72
+ * [knife-winops #297](https://github.com/chef/knife-winops/pull/297) use configured proxy settings for all winrm sessions
73
+
74
+ ## Release 1.0.0
75
+
76
+ * [knife-winops #281](https://github.com/chef/knife-winops/pull/281) Prevent unencrypted negotiate auth, automatically prefix local usernames with '.' for negotiate
77
+ * [knife-winops #275](https://github.com/chef/knife-winops/pull/275) Added bootstrap\_install\_command option in parity with knife bootstrap
78
+ * [knife-winops #240](https://github.com/chef/knife-winops/pull/240) Change kerberos keytab short option to -T to resolve conflict
79
+ * [knife-winops #232](https://github.com/chef/knife-winops/pull/232) Adding --hint option to bootstrap
80
+ * [knife-winops #227](https://github.com/chef/knife-winops/issues/227) Exception: NoMethodError: undefined method 'gsub' for false:FalseClass
81
+ * [knife-winops #222](https://github.com/chef/knife-winops/issues/222) Validatorless bootstrap support
82
+ * [knife-winops #202](https://github.com/chef/knife-winops/issues/202) knife bootstrap windows should support enabling the service
83
+ * [knife-winops #213](https://github.com/chef/knife-winops/pull/213) Search possibilities of HOME for bootstrap templates
84
+ * [knife-winops #206](https://github.com/chef/knife-winops/pull/206) Add a flag msi_url that allows one to fetch the Chef client msi from a non-chef.io path
85
+ * [knife-winops #192](https://github.com/chef/knife-winops/issues/192) deprecate knife bootstrap --distro
86
+ * [knife-winops #159](https://github.com/opscode/knife-winops/issues/159) `winrm_port` option should default to 5986 if `winrm_transport` option is `ssl`
87
+ * [knife-winops #149](https://github.com/chef/knife-winops/pull/149) Adding knife wsman test to validate WSMAN/WinRM availability
88
+ * [knife-winops #139](https://github.com/opscode/knife-winops/issues/139) Force dev dependency on Chef 11 for test scenarios to avoid Ohai 8 conflict on Ruby 1.9.x
89
+ * [knife-winops #126](https://github.com/opscode/knife-winops/pull/126) Allow disabling of SSL peer verification in knife-winops for testing
90
+ * [knife-winops #154](https://github.com/opscode/knife-winops/issues/154) Unreleased regression in master: NameError: undefined local variable or method `path_separator
91
+ * [knife-winops #143](https://github.com/opscode/knife-winops/issues/143) Unreleased regression in master: WinRM::WinRMHTTPTransportError: Bad HTTP response returned from server (503) in the middle of bootstrap
92
+ * [knife-winops #133](https://github.com/opscode/knife-winops/issues/133) Bootstrap failure -- unable to validate SSL chef server endpoints
93
+ * [knife-winops #132](https://github.com/opscode/knife-winops/issues/132) New subcommands for WinRM: windows listener create, cert generate, and cert install
94
+ * [knife-winops #129](https://github.com/opscode/knife-winops/issues/129) New --winrm-authentication-protocol option for explicit control of authentication
95
+ * [knife-winops #125](https://github.com/opscode/knife-winops/issues/125) knife-winops should use PowerShell first before cscript to download the Chef Client msi
96
+ * [knife-winops #92](https://github.com/opscode/knife-winops/issues/92) EventMachine issue: knife bootstrap windows winrm error
97
+ * [knife-winops #94](https://github.com/opscode/knife-winops/issues/94) Remove Eventmachine dependency
98
+ * [knife-winops #252](https://github.com/chef/knife-winops/pull/252) Fail early on ECONNREFUSED, Closes #244.
99
+ * [knife-winops #260](https://github.com/chef/knife-winops/pull/260) Fail quickly on invalid option combinations, Closes #259
100
+
101
+ ## Release: 0.8.5
102
+ * [knife-winops #228](https://github.com/chef/knife-winops/pull/228) make winrm-s dep more strict on knife-winops 0.8.x
103
+
104
+ ## Release: 0.8.4
105
+ * [knife-winops #133](https://github.com/opscode/knife-winops/issues/133) Bootstrap failure -- unable to validate SSL chef server endpoints
106
+
107
+ ## Release: 0.8.3
108
+ * [knife-winops #131](https://github.com/opscode/knife-winops/issues/108) Issue #131: Windows should be bootstrapped using latest Chef Client version compatible with knife's version just like non-Windows systems
109
+ * [knife-winops #139](https://github.com/opscode/knife-winops/issues/139) Force dev dependency on Chef 11 for test scenarios to avoid Ohai 8 conflict on Ruby 1.9.x
110
+
111
+ ## Release: 0.8.2
112
+ * [knife-winops #108](https://github.com/opscode/knife-winops/issues/108) Error: Unencrypted communication not supported if remote server does not require encryption
113
+
114
+ ## Release: 0.8.0
115
+ * [knife-winops #98](https://github.com/opscode/knife-winops/issues/98) Get winrm command exit code if it is not expected
116
+ * [knife-winops #96](https://github.com/opscode/knife-winops/issues/96) Fix break from OS patch KB2918614
117
+ * Remove the 'instance data' method of creating EC2 servers
118
+ * Update winrm-s dependency along with em-winrm and winrm dependencies
119
+ * Return failure codes from knife winrm even when `returns` is not set
120
+ * Support Windows negotiate authentication protocol when running knife on Windows
121
+
122
+ ## Release: 0.6.0 (05/08/2014)
123
+
124
+ * [KNIFE-386](https://tickets.opscode.com/browse/KNIFE-386) Wait for a valid command response before bootstrapping over WinRM
125
+ * [KNIFE-394](https://tickets.opscode.com/browse/KNIFE-394) Update em-winrm dependency
126
+ * [KNIFE-450](https://tickets.opscode.com/browse/KNIFE-450) Set knife winrm command exit status on exception and command failure
127
+
128
+ **See source control commit history for earlier changes.**
129
+
130
+ ## Selected release notes
131
+ These are release notes from very early releases of the plugin. For recent
132
+ releases (2014 and later), see the RELEASE_NOTES.md file of each tagged release branch.
133
+
134
+ Release Notes - Knife Windows Plugin - Version 0.5.6
135
+
136
+ ** New Feature
137
+ * new default bootstrap template that installs Chef using official chef-client MSI installer
138
+
139
+ Release Notes - Knife Windows Plugin - Version 0.5.4
140
+
141
+ ** Bug
142
+ * [KNIFE\_WINDOWS-7] - Exception: NoMethodError: undefined method `env_namespace' for Savon:Module
143
+ * [KNIFE\_WINDOWS-8] - winrm based bootstrap fails with 'Bad HTTP response returned from server (500)'
144
+
145
+
146
+ ** New Feature
147
+ * [KNIFE\_WINDOWS-6] - default bootstrap template should support encrypted\_data\_bag\_secret
data/DOC_CHANGES.md ADDED
@@ -0,0 +1,22 @@
1
+ <!---
2
+ This file is reset every time a new release is done. This file describes changes that have not yet been released.
3
+
4
+ Example Doc Change:
5
+ ### Headline for the required change
6
+ Description of the required change.
7
+ -->
8
+ # knife-winops 1.6.0 doc changes
9
+
10
+ ### Choosing a winrm shell
11
+
12
+ <!---
13
+ This file is reset every time a new release is done. The contents of this file are for the currently unreleased version.
14
+
15
+ Example Note:
16
+
17
+ ## Example Heading
18
+ Details about the thing that changed that needs to get included in the Release Notes in markdown.
19
+ -->
20
+ # knife-winops 1.6.0 release notes:
21
+
22
+ This release adds a `--winrm-shell` argument to `knife winrm`. This accepts one of three possible values: `cmd`, `powershell` or `elevated`. The default value is `cmd`. The `elevated` shell is similar to the `powershell` shell but runs the powershell command from a scheduled task.
data/Gemfile ADDED
@@ -0,0 +1,13 @@
1
+ source "https://rubygems.org"
2
+
3
+ # Specify your gem's dependencies in knife-winops.gemspec
4
+ gemspec
5
+
6
+ gem 'rb-readline'
7
+ group :test do
8
+ gem "chef"
9
+ gem "rspec", '~> 3.0'
10
+ gem "ruby-wmi"
11
+ gem "httpclient"
12
+ gem 'rake'
13
+ end
data/LICENSE ADDED
@@ -0,0 +1,201 @@
1
+ Apache License
2
+ Version 2.0, January 2004
3
+ http://www.apache.org/licenses/
4
+
5
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6
+
7
+ 1. Definitions.
8
+
9
+ "License" shall mean the terms and conditions for use, reproduction,
10
+ and distribution as defined by Sections 1 through 9 of this document.
11
+
12
+ "Licensor" shall mean the copyright owner or entity authorized by
13
+ the copyright owner that is granting the License.
14
+
15
+ "Legal Entity" shall mean the union of the acting entity and all
16
+ other entities that control, are controlled by, or are under common
17
+ control with that entity. For the purposes of this definition,
18
+ "control" means (i) the power, direct or indirect, to cause the
19
+ direction or management of such entity, whether by contract or
20
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
21
+ outstanding shares, or (iii) beneficial ownership of such entity.
22
+
23
+ "You" (or "Your") shall mean an individual or Legal Entity
24
+ exercising permissions granted by this License.
25
+
26
+ "Source" form shall mean the preferred form for making modifications,
27
+ including but not limited to software source code, documentation
28
+ source, and configuration files.
29
+
30
+ "Object" form shall mean any form resulting from mechanical
31
+ transformation or translation of a Source form, including but
32
+ not limited to compiled object code, generated documentation,
33
+ and conversions to other media types.
34
+
35
+ "Work" shall mean the work of authorship, whether in Source or
36
+ Object form, made available under the License, as indicated by a
37
+ copyright notice that is included in or attached to the work
38
+ (an example is provided in the Appendix below).
39
+
40
+ "Derivative Works" shall mean any work, whether in Source or Object
41
+ form, that is based on (or derived from) the Work and for which the
42
+ editorial revisions, annotations, elaborations, or other modifications
43
+ represent, as a whole, an original work of authorship. For the purposes
44
+ of this License, Derivative Works shall not include works that remain
45
+ separable from, or merely link (or bind by name) to the interfaces of,
46
+ the Work and Derivative Works thereof.
47
+
48
+ "Contribution" shall mean any work of authorship, including
49
+ the original version of the Work and any modifications or additions
50
+ to that Work or Derivative Works thereof, that is intentionally
51
+ submitted to Licensor for inclusion in the Work by the copyright owner
52
+ or by an individual or Legal Entity authorized to submit on behalf of
53
+ the copyright owner. For the purposes of this definition, "submitted"
54
+ means any form of electronic, verbal, or written communication sent
55
+ to the Licensor or its representatives, including but not limited to
56
+ communication on electronic mailing lists, source code control systems,
57
+ and issue tracking systems that are managed by, or on behalf of, the
58
+ Licensor for the purpose of discussing and improving the Work, but
59
+ excluding communication that is conspicuously marked or otherwise
60
+ designated in writing by the copyright owner as "Not a Contribution."
61
+
62
+ "Contributor" shall mean Licensor and any individual or Legal Entity
63
+ on behalf of whom a Contribution has been received by Licensor and
64
+ subsequently incorporated within the Work.
65
+
66
+ 2. Grant of Copyright License. Subject to the terms and conditions of
67
+ this License, each Contributor hereby grants to You a perpetual,
68
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69
+ copyright license to reproduce, prepare Derivative Works of,
70
+ publicly display, publicly perform, sublicense, and distribute the
71
+ Work and such Derivative Works in Source or Object form.
72
+
73
+ 3. Grant of Patent License. Subject to the terms and conditions of
74
+ this License, each Contributor hereby grants to You a perpetual,
75
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76
+ (except as stated in this section) patent license to make, have made,
77
+ use, offer to sell, sell, import, and otherwise transfer the Work,
78
+ where such license applies only to those patent claims licensable
79
+ by such Contributor that are necessarily infringed by their
80
+ Contribution(s) alone or by combination of their Contribution(s)
81
+ with the Work to which such Contribution(s) was submitted. If You
82
+ institute patent litigation against any entity (including a
83
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
84
+ or a Contribution incorporated within the Work constitutes direct
85
+ or contributory patent infringement, then any patent licenses
86
+ granted to You under this License for that Work shall terminate
87
+ as of the date such litigation is filed.
88
+
89
+ 4. Redistribution. You may reproduce and distribute copies of the
90
+ Work or Derivative Works thereof in any medium, with or without
91
+ modifications, and in Source or Object form, provided that You
92
+ meet the following conditions:
93
+
94
+ (a) You must give any other recipients of the Work or
95
+ Derivative Works a copy of this License; and
96
+
97
+ (b) You must cause any modified files to carry prominent notices
98
+ stating that You changed the files; and
99
+
100
+ (c) You must retain, in the Source form of any Derivative Works
101
+ that You distribute, all copyright, patent, trademark, and
102
+ attribution notices from the Source form of the Work,
103
+ excluding those notices that do not pertain to any part of
104
+ the Derivative Works; and
105
+
106
+ (d) If the Work includes a "NOTICE" text file as part of its
107
+ distribution, then any Derivative Works that You distribute must
108
+ include a readable copy of the attribution notices contained
109
+ within such NOTICE file, excluding those notices that do not
110
+ pertain to any part of the Derivative Works, in at least one
111
+ of the following places: within a NOTICE text file distributed
112
+ as part of the Derivative Works; within the Source form or
113
+ documentation, if provided along with the Derivative Works; or,
114
+ within a display generated by the Derivative Works, if and
115
+ wherever such third-party notices normally appear. The contents
116
+ of the NOTICE file are for informational purposes only and
117
+ do not modify the License. You may add Your own attribution
118
+ notices within Derivative Works that You distribute, alongside
119
+ or as an addendum to the NOTICE text from the Work, provided
120
+ that such additional attribution notices cannot be construed
121
+ as modifying the License.
122
+
123
+ You may add Your own copyright statement to Your modifications and
124
+ may provide additional or different license terms and conditions
125
+ for use, reproduction, or distribution of Your modifications, or
126
+ for any such Derivative Works as a whole, provided Your use,
127
+ reproduction, and distribution of the Work otherwise complies with
128
+ the conditions stated in this License.
129
+
130
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
131
+ any Contribution intentionally submitted for inclusion in the Work
132
+ by You to the Licensor shall be under the terms and conditions of
133
+ this License, without any additional terms or conditions.
134
+ Notwithstanding the above, nothing herein shall supersede or modify
135
+ the terms of any separate license agreement you may have executed
136
+ with Licensor regarding such Contributions.
137
+
138
+ 6. Trademarks. This License does not grant permission to use the trade
139
+ names, trademarks, service marks, or product names of the Licensor,
140
+ except as required for reasonable and customary use in describing the
141
+ origin of the Work and reproducing the content of the NOTICE file.
142
+
143
+ 7. Disclaimer of Warranty. Unless required by applicable law or
144
+ agreed to in writing, Licensor provides the Work (and each
145
+ Contributor provides its Contributions) on an "AS IS" BASIS,
146
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147
+ implied, including, without limitation, any warranties or conditions
148
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149
+ PARTICULAR PURPOSE. You are solely responsible for determining the
150
+ appropriateness of using or redistributing the Work and assume any
151
+ risks associated with Your exercise of permissions under this License.
152
+
153
+ 8. Limitation of Liability. In no event and under no legal theory,
154
+ whether in tort (including negligence), contract, or otherwise,
155
+ unless required by applicable law (such as deliberate and grossly
156
+ negligent acts) or agreed to in writing, shall any Contributor be
157
+ liable to You for damages, including any direct, indirect, special,
158
+ incidental, or consequential damages of any character arising as a
159
+ result of this License or out of the use or inability to use the
160
+ Work (including but not limited to damages for loss of goodwill,
161
+ work stoppage, computer failure or malfunction, or any and all
162
+ other commercial damages or losses), even if such Contributor
163
+ has been advised of the possibility of such damages.
164
+
165
+ 9. Accepting Warranty or Additional Liability. While redistributing
166
+ the Work or Derivative Works thereof, You may choose to offer,
167
+ and charge a fee for, acceptance of support, warranty, indemnity,
168
+ or other liability obligations and/or rights consistent with this
169
+ License. However, in accepting such obligations, You may act only
170
+ on Your own behalf and on Your sole responsibility, not on behalf
171
+ of any other Contributor, and only if You agree to indemnify,
172
+ defend, and hold each Contributor harmless for any liability
173
+ incurred by, or claims asserted against, such Contributor by reason
174
+ of your accepting any such warranty or additional liability.
175
+
176
+ END OF TERMS AND CONDITIONS
177
+
178
+ APPENDIX: How to apply the Apache License to your work.
179
+
180
+ To apply the Apache License to your work, attach the following
181
+ boilerplate notice, with the fields enclosed by brackets "[]"
182
+ replaced with your own identifying information. (Don't include
183
+ the brackets!) The text should be enclosed in the appropriate
184
+ comment syntax for the file format. We also recommend that a
185
+ file or class name and description of purpose be included on the
186
+ same "printed page" as the copyright notice for easier
187
+ identification within third-party archives.
188
+
189
+ Copyright [yyyy] [name of copyright owner]
190
+
191
+ Licensed under the Apache License, Version 2.0 (the "License");
192
+ you may not use this file except in compliance with the License.
193
+ You may obtain a copy of the License at
194
+
195
+ http://www.apache.org/licenses/LICENSE-2.0
196
+
197
+ Unless required by applicable law or agreed to in writing, software
198
+ distributed under the License is distributed on an "AS IS" BASIS,
199
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200
+ See the License for the specific language governing permissions and
201
+ limitations under the License.
data/README.md ADDED
@@ -0,0 +1,430 @@
1
+ Knife Windows Plugin
2
+ ====================
3
+ [![Build Status Master](https://travis-ci.org/chef/knife-winops.svg?branch=master)](https://travis-ci.org/chef/knife-winops)
4
+ [![Build Status Master](https://ci.appveyor.com/api/projects/status/github/chef/knife-winops?branch=master&svg=true&passingText=master%20-%20Ok&pendingText=master%20-%20Pending&failingText=master%20-%20Failing)](https://ci.appveyor.com/project/Chef/knife-winops/branch/master)
5
+ [![Gem Version](https://badge.fury.io/rb/knife-winops.svg)](https://badge.fury.io/rb/knife-winops)
6
+
7
+ This plugin adds additional functionality to the Chef Knife CLI tool for
8
+ configuring / interacting with nodes running Microsoft Windows:
9
+
10
+ * Bootstrap of nodes via the [Windows Remote Management (WinRM)](http://msdn.microsoft.com/en-us/library/aa384426\(v=VS.85\).aspx) or SSH protocols
11
+ * Remote command execution using the WinRM protocol
12
+ * Utilities to configure WinRM SSL endpoints on managed nodes
13
+
14
+ ## Subcommands
15
+
16
+ This plugin provides the following Knife subcommands. Specific command options can be found by invoking the subcommand with a `--help` flag
17
+
18
+ ### knife winrm
19
+
20
+ The `winrm` subcommand allows you to invoke commands in parallel on a subset of the nodes in your infrastructure. The `winrm` subcommand uses the same syntax as the [search subcommand](https://docs.chef.io/knife_search.html); you could find the uptime of all your web servers using the command:
21
+
22
+ knife winrm "role:web" "net stats srv" -x Administrator -P 'super_secret_password'
23
+
24
+ _Please note that to run a single command against multiple nodes, each node must share the same username and password._
25
+
26
+ Or force a chef run:
27
+
28
+ knife winrm "myserver.myorganization.net" "chef-client -c c:/chef/client.rb" -m -x Administrator -P "super_secret_password"
29
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:49 +0000] INFO: Starting Chef Run (Version 0.9.12)
30
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:50 +0000] WARN: Node ip-0A502FFB has an empty run list.
31
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Chef Run complete in 4.383966 seconds
32
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: cleaning the checksum cache
33
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Running report handlers
34
+ myserver.myorganization.net [Fri, 04 Mar 2011 22:00:53 +0000] INFO: Report handlers complete
35
+
36
+ This subcommand operates in a manner similar to [knife ssh](https://docs.chef.io/knife_ssh.html)...just leveraging the WinRM protocol for communication. It also includes `knife ssh`'s "[interactive session mode](https://docs.chef.io/knife_ssh.html#options)"
37
+
38
+ #### winrm-shell
39
+
40
+ By default, `knife winrm` runs in a `cmd.exe` shell. You can use the `--winrm-shell` argument to change the shell to `powershell` or `elevated`. An elevated shell is similar to the `powershell` shell but the powershell command is executed from a scheduled task using a local identity. This may be desirable for some operations such as running `chef-client` to converge recipes that work with windows updates, install sql server, etc.
41
+
42
+ ### knife bootstrap windows winrm
43
+
44
+ Performs a Chef Bootstrap (via the WinRM protocol) on the target node. The goal of the bootstrap is to get Chef installed on the target system so it can run Chef Client with a Chef Server. The main assumption is a baseline OS installation exists. It is primarily intended for Chef Client systems that talk to a Chef server.
45
+
46
+ This subcommand operates in a manner similar to [knife bootstrap](https://docs.chef.io/knife_bootstrap.html)...just leveraging the WinRM protocol for communication. An initial run_list for the node can also be passed to the subcommand. Example usage:
47
+
48
+ knife bootstrap windows winrm myserver.myorganization.net -r 'role[webserver],role[production]' -x Administrator -P 'super_secret_password'
49
+
50
+ #### Tip: Use SSL for WinRM communication
51
+
52
+ By default, the `knife winrm` and `knife bootstrap windows winrm` subcommands use a plaintext transport,
53
+ but they support an option `--winrm-transport` (or `-t`) with the argument
54
+ `ssl` that allows the SSL to secure the WinRM payload. Here's an example:
55
+
56
+ knife winrm -t ssl "role:web" "net stats srv" -x Administrator -P "super_secret_password" -f ~/server_public_cert.crt
57
+
58
+ Use of SSL is strongly recommended, particularly when invoking `knife-winops` on non-Windows platforms, since
59
+ without SSL there are limited options for ensuring the privacy of the
60
+ plaintext transport. See the section on [Platform authentication
61
+ support](#platform-winrm-authentication-support).
62
+
63
+ SSL will become the default transport in future revisions of
64
+ `knife-winops`.
65
+
66
+ #### Specifying the package architecture
67
+
68
+ You can configure which package architecture (32 bit or 64 bit) to install on the bootstrapped system. In your knife config specify `knife[:bootstrap_architecture]`. Valid values are `:i386` for 32 bit or `:x86_64` for 64 bit. By default the architecture will be whatever the target system is. If you try to install a 64 bit package on a 32 bit system you will receive an error, but installing a 32 bit package on a 64 bit system is supported.
69
+
70
+ Currently (March 2016) the `stable` channel of omnibus (where downloads using the install script fetch) only has 32 bit packages but this will be updated soon to include both 32 and 64 bit packages. Until then you will need to access the `current` channel by specifying `--prerelease` in your `knife bootstrap windows` if you want 64 bit packages.
71
+
72
+ #### Using a custom install URL
73
+
74
+ By default, the bootstrap command tries to download the latest `chef-client` installer from the Internet. This may be a problem in the enterprise, for example if your node is behind a proxy or firewall. In that case, you can specify a custom install URL with the `--msi-url` option.
75
+
76
+ ### knife wsman test
77
+
78
+ Connects to the remote WSMan/WinRM endpoint and verifies the remote node is listening. This is the equivalent of running Test-Wsman from PowerShell. Endpoints to test can be specified manually, or be driven by search and use many of the same connection options as knife winrm.
79
+ To test a single node using the default WinRM port (5985)
80
+
81
+ knife wsman test 192.168.1.10 -m
82
+
83
+ or to test a single node with SSL enabled on the default port (5986)
84
+
85
+ knife wsman test 192.168.1.10 -m --winrm-transport ssl
86
+
87
+ or to test all windows nodes registered with your Chef Server organization
88
+
89
+ knife wsman test platform:windows
90
+
91
+ ### knife bootstrap windows ssh
92
+
93
+ Performs a Chef Bootstrap (via the SSH protocol) on the target node. The goal of the bootstrap is to get Chef installed on the target system so it can run Chef Client with a Chef Server. The main assumption is a baseline OS installation exists. It is primarily intended for Chef Client systems that talk to a Chef server.
94
+
95
+ This subcommand assumes the SSH session will use the Windows native cmd.exe command shell vs a bash shell through an emulated cygwin layer. Most popular Windows based SSHd daemons like [freeSSHd](http://www.freesshd.com/) and [WinSSHD](http://www.bitvise.com/winsshd) behave this way.
96
+
97
+ An initial run_list for the node can also be passed to the subcommand. Example usage:
98
+
99
+ knife bootstrap windows ssh myserver.myorganization.net -r "role[webserver],role[production]" -x Administrator -i ~/.ssh/id_rsa
100
+
101
+ ### knife windows cert generate
102
+
103
+ Generates a certificate(x509) containing a public / private key pair for WinRM 'SSL' communication.
104
+ The certificate will be generated in three different formats:
105
+ * **.pem** - The *.pem is Base64 encoded public certificate only. One can use this file with the `-f` argument on `knife bootstrap windows winrm` and `knife winrm` commands.
106
+ * **.pfx** - The PKCS12(i.e .pfx) contains both the public and private keys, usually used on the server. This can be added to a WinRM Server's Certificate Store using `knife windows cert install` (see command description below). **Note:** Do not use the *.pfx file with the `-f` argument on the `knife bootstrap windows winrm` and `knife winrm` commands. Use the *.pem file instead.
107
+ * **.b64** - The *.b64 is Base64 PKCS12 key pair. Contains both the public and private keys, for upload to the Cloud REST API. e.g. Azure.
108
+
109
+ This command also displays the thumbprint of the generated certificate.
110
+
111
+ knife windows cert generate --cert-passphrase "strong_passphrase" --hostname "myserver.myorganization.net" --output-file "~/server_cert.pfx"
112
+ # This command will generate certificates in the user's home directory with names server_cert.b64, server_cert.pfx and server_cert.pem.
113
+
114
+ ### knife windows cert install
115
+
116
+ This command only functions on Windows and is intended to be run on a chef node. It adds the specified certificate to its certificate store. This command must include a valid PKCS12(i.e *.pfx) certificate file path such as the *.pfx file generated by `knife windows cert generate` described above.
117
+
118
+ knife windows cert install "~/server_cert.pfx" --cert-passphrase "strong_passphrase"
119
+
120
+ ### knife windows listener create
121
+ This command only functions on Windows and is intended to be run on a chef node. It creates the winrm listener for SSL communication(i.e HTTPS).
122
+ This command can also install certificate which is specified using --cert-install option and use the installed certificate thumbprint to create winrm listener.
123
+ --hostname option is optional. Default value for hostname is *.
124
+
125
+ knife windows listener create --cert-passphrase "strong_passphrase" --hostname "myserver.mydomain.net" --cert-install "~/server_cert.pfx"
126
+
127
+ The command also allows you to use existing certificates from local store to create winrm listener. Use --cert-thumbprint option to specify the certificate thumbprint.
128
+
129
+ knife windows listener create --cert-passphrase "strong_passphrase" --hostname "myserver.mydomain.net" --cert-thumbprint "bf0fef0bb41be40ceb66a3b38813ca489fe99746"
130
+
131
+ You can get the thumbprint for existing certificates in the local store using the following PowerShell command:
132
+
133
+ ls cert:\LocalMachine\My
134
+
135
+ ## Bootstrap template
136
+
137
+ This gem provides the bootstrap template `windows-chef-client-msi`,
138
+ which does the following:
139
+
140
+ * Installs the latest version of Chef Client (and all dependencies) using the `chef-client` msi.
141
+ * Writes the validation.pem per the local knife configuration.
142
+ * Writes a default config file for Chef (`C:\chef\client.rb`) using values from the `knife.rb`.
143
+ * Creates a JSON attributes file containing the specified run list and run Chef.
144
+
145
+ This template is used by both `knife bootstrap windows winrm` and `knife bootstrap windows ssh` subcommands.
146
+
147
+ ## Requirements / setup
148
+
149
+ ### Ruby
150
+
151
+ Ruby 1.9.3+ is required.
152
+
153
+ ### Chef version
154
+
155
+ This knife plugins requires >= Chef 11.0.0. More details about Knife plugins can be
156
+ [found in the Chef documentation](https://docs.chef.io/plugin_knife.html).
157
+
158
+ ## Nodes
159
+
160
+ ### WinRM versions
161
+
162
+ The node must be running Windows Remote Management (WinRM) 2.0+. WinRM
163
+ allows you to call native objects in Windows. This includes, but is not
164
+ limited to, running PowerShell scripts, batch scripts, and fetching WMI
165
+ data. For more information on WinRM, please visit
166
+ [Microsoft's WinRM site](http://msdn.microsoft.com/en-us/library/aa384426\(v=VS.85\).aspx).
167
+
168
+ WinRM is built into Windows 7 and Windows Server 2008+. It can also [be installed](https://support.microsoft.com/en-us/kb/968929) on older version of Windows, including:
169
+
170
+ * Windows Server 2003
171
+ * Windows Vista
172
+
173
+ ### WinRM configuration
174
+
175
+ **NOTE**: Before any WinRM related knife subcommands will function
176
+ a node's WinRM installation must be configured correctly.
177
+ The settings below must be added to your base server image or passed
178
+ in using some sort of user-data mechanism provided by your cloud
179
+ provider. Some cloud providers will set up the required WinRM
180
+ configuration through the cloud API for creating instances -- see
181
+ the documentation for the provider.
182
+
183
+ A server running WinRM must also be configured properly to allow
184
+ outside connections for the entire network path from the knife workstation to the server. The easiest way to accomplish this is to use [WinRM's quick configuration option](http://msdn.microsoft.com/en-us/library/aa384372\(v=vs.85\).aspx#quick_default_configuration):
185
+
186
+ winrm quickconfig -q
187
+
188
+ This will set up an WinRM listener using the HTTP (plaintext)
189
+ transport -- WinRM also supports the SSL transport for improved
190
+ robustness against information disclosure and other threats.
191
+
192
+ The chef-client installation and bootstrap may take more
193
+ memory than the default 150MB WinRM allocates per shell on older versions of
194
+ Windows (prior to Windows Server 2012) -- this can slow down
195
+ bootstrap or cause it to fail. The memory limit was increased to 1GB with Windows Management Framework 3
196
+ (and Server 2012). However, there is a bug in Windows Management Framework 3
197
+ (and Server 2012) which requires a [hotfix from Microsoft](https://support.microsoft.com/en-us/kb/2842230/en-us).
198
+ You can increase the memory limit to 1GB with the following PowerShell
199
+ command:
200
+
201
+ ```powershell
202
+ set-item wsman:\localhost\shell\maxmemorypershellmb 1024
203
+ ```
204
+
205
+ Bootstrap commands can take longer than the WinRM default 60 seconds to
206
+ complete, optionally increase to 30 minutes if bootstrap terminates a command prematurely:
207
+
208
+ ```powershell
209
+ set-item wsman:\localhost\MaxTimeoutms 300000
210
+ ```
211
+
212
+ Note that the `winrm` command itself supports the same configuration
213
+ capabilities as the PowerShell commands given above -- if you need to
214
+ configure WinRM without using PowerShell, use `winrm -?` to get help.
215
+
216
+ WinRM supports both the HTTP and HTTPS (SSL) transports and the following
217
+ authentication schemes: Kerberos, Digest, Certificate and Basic. The details
218
+ of these authentication transports are outside of the scope of this
219
+ README but details can be found on the
220
+ [WinRM configuration guide](http://msdn.microsoft.com/en-us/library/aa384372\(v=vs.85\).aspx).
221
+
222
+ ### Working with legacy Windows versions
223
+
224
+ If you are attempting to use `knife winrm` or `knife bootstrap windows winrm` with a version of windows that is older than server 2008 R2 or older than Windows 7 then you may need to alter the default UTF-8 codepage (65001) using the `--winrm-codepage` argument. You can use the codepage native to your locale but `437` is a safe codepage for older Windows versions.
225
+
226
+ #### Configure SSL on a Windows node
227
+
228
+ WinRM supports use of SSL to provide privacy and integrity of
229
+ communication using the protocol and to prevent spoofing attacks.
230
+
231
+ ##### Configure SSL using `knife`
232
+
233
+ `knife-winops` includes three commands to assist with SSL
234
+ configuration -- these commands support all versions of Windows and do
235
+ not rely on PowerShell:
236
+
237
+ * `knife windows cert generate`: creates a certificate that may be used
238
+ to configure an SSL WinRM listener
239
+
240
+ * `knife windows cert install`: Installs a certificate into the
241
+ Windows certificate store so it can be used to configure an SSL
242
+ WinRM listener.
243
+
244
+ * `knife windows listener create`: Creates a WinRM listener on a
245
+ Windows node -- it can use either a certificate already installed in
246
+ the Windows certificate store, or one created by other tools
247
+ including the `knife windows cert generate` command.
248
+
249
+ Here is an example that configures a listener on the node on which the
250
+ commands are executed:
251
+
252
+ knife windows cert generate --domain myorg.org --output-file $env:userprofile/winrmcerts/winrm-ssl
253
+ knife windows listener create --hostname *.myorg.org --cert-install $env:userprofile/winrmcerts/winrm-ssl.pfx
254
+
255
+ Note that the first command which generates the certificate for the
256
+ listener could be executed from any system that can run `knife` as
257
+ long as the certificate it generates is made available at a path at
258
+ which the second command can access it.
259
+
260
+ See previous sections for additional details of the `windows cert generate`, `windows cert install` and `windows listener create` subcommands.
261
+
262
+ ##### Configure SSL using *Windows Server 2012 or later*
263
+ The following PowerShell commands may be used to create an SSL WinRM
264
+ listener with a self-signed certificate on Windows 2012R2 or later systems:
265
+
266
+ ```powershell
267
+ $cert = New-SelfSignedCertificate -DnsName 'myserver.mydomain.org' -CertStoreLocation Cert:\LocalMachine\My
268
+ new-item -address * -force -path wsman:\localhost\listener -port 5986 -hostname ($cert.subject -split '=')[1] -transport https -certificatethumbprint $cert.Thumbprint
269
+ # Open the firewall for 5986, the default WinRM SSL port
270
+ netsh advfirewall firewall set rule name="Windows Remote Management (HTTPS-In)" profile=public protocol=tcp localport=5986 remoteip=localsubnet new remoteip=any
271
+
272
+ ```
273
+
274
+ Note that the first command which uses the `New-SelfSignedCertificate`
275
+ cmdlet is available only in PowerShell version 4.0 and later.
276
+
277
+ ##### Configure SSL using `winrm quickconfig`
278
+
279
+ The following command can configure an SSL WinRM listener if the
280
+ Windows certificate store's Local Machine store contains a certificate
281
+ that meets certain criteria that are most likely to be met if the
282
+ system is joined to a Windows Active Directory domain:
283
+
284
+ winrm quickconfig -transport:https -q
285
+
286
+ If the criteria are not met, an error message will follow with
287
+ guidance on the certificate requirements; you may need to obtain a
288
+ certificate from the appropriate source or use the PowerShell or
289
+ `knife` techniques given above to create the listener instead.
290
+
291
+ ##### Disabling peer verification
292
+ In the SSL examples above, the `-f` parameter was used to supply a
293
+ certificate that could validate the identity of the remote server.
294
+ For debugging purposes, this validation may be skipped if you have not
295
+ obtained a public certificate that can validate the server. Here is an
296
+ example:
297
+
298
+ knife winrm -m 192.168.0.6 -x "mydomain\myuser" -P $PASSWD -t ssl --winrm-ssl-verify-mode verify_none ipconfig
299
+
300
+ This option should be used carefully since disabling the verification of the
301
+ remote system's certificate can subject knife commands to spoofing attacks.
302
+
303
+ ##### Connecting securely to self-signed certs
304
+ If you generate a self-signed cert, the fqdn and ip may not match which will result in a certificate validation failure. In order to securely connect and reduce the risk of a "Man In The Middle" attack, you may use the certificate's fingerprint to precisely identify the known certificate on the WinRM endpoint.
305
+
306
+ The fingerprint can be supplied to ```--ssl-peer-fingerprint``` and instead of using a certificate chain and comparing the CommonName, it will only verify that the fingerprint matches:
307
+
308
+ knife winrm --ssl-peer-fingerprint 89255929FB4B5E1BFABF7E7F01AFAFC5E7003C3F \
309
+ -m $IP -x Administrator -P $PASSWD-t ssl --winrm-port 5986 hostname
310
+ 10.113.4.54 ip-0A710436
311
+
312
+ ## WinRM authentication
313
+
314
+ The default authentication protocol for `knife-winops` subcommands that use
315
+ WinRM is the Negotiate protocol. The following commands show authentication for domain and local accounts respectively:
316
+
317
+ knife bootstrap windows winrm web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password"
318
+ knife bootstrap windows winrm db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password"
319
+
320
+ The remote system may also be configured with an SSL WinRM listener instead of a
321
+ plaintext listener. Then the above commands should be modified to use the SSL
322
+ transport as follows using the `-t` (or `--winrm-transport`) option with the
323
+ `ssl` argument:
324
+
325
+ knife bootstrap windows winrm -t ssl web1.cloudapp.net -r "server::web" -x "proddomain\webuser" -P "super_secret_password" -f ~/mycert.crt
326
+ knife bootstrap windows winrm -t ssl db1.cloudapp.net -r "server::db" -x "localadmin" -P "super_secret_password" ~/mycert.crt
327
+
328
+ ### Troubleshooting authentication
329
+
330
+ Unencrypted traffic with Basic authentication should only be used for low level wire protocol debugging. The configuration for plain text connectivity to
331
+ the remote system may be accomplished with the following PowerShell commands:
332
+
333
+ ```powershell
334
+ set-item wsman:\localhost\service\allowunencrypted $true
335
+ set-item wsman:\localhost\service\auth\basic $true
336
+ ```
337
+ To use basic authentication connectivity via `knife-winops`, the default
338
+ authentication protocol of Negotiate must be overridden using the
339
+ `--winrm-authentication-protocol` option with the desired protocol, in this
340
+ case Basic:
341
+
342
+ knife winrm -m web1.cloudapp.net --winrm-authentication-protocol basic ipconfig -x localadmin -P "super_secret_password"
343
+
344
+ Note that when using Basic authentication, domain accounts may not be used for
345
+ authentication; an account local to the remote system must be used.
346
+
347
+ ### Platform WinRM authentication support
348
+
349
+ `knife-winops` supports `Kerberos`, `Negotiate`, and `Basic` authentication
350
+ for WinRM communication.
351
+
352
+ The following table shows the authentication protocols that can be used with
353
+ `knife-winops` depending on whether the knife workstation is a Windows
354
+ system, the transport, and whether or not the target user is a domain user or
355
+ local to the target Windows system.
356
+
357
+ > \* There is a known defect in the `knife winrm` and `knife bootstrap windows
358
+ > winrm` subcommands invoked on any OS platform when authenticating with the Negotiate protocol over
359
+ > the SSL transport. The defect is tracked by
360
+ > [knife-winops issue #176](https://github.com/chef/knife-winops/issues/176): If the remote system is
361
+ > domain-joined, local accounts may not be used to authenticate via Negotiate
362
+ > over SSL -- only domain accounts will work. Local accounts will only
363
+ > successfully authenticate if the system is not joined to a domain.
364
+ >
365
+ > This is generally not an issue for bootstrap scenarios, where the
366
+ > system has yet to be joined to any domain, but can be a problem for remote
367
+ > management cases after the system is domain joined. Workarounds include using
368
+ > a domain account instead or bypassing SSL and using Negotiate authentication.
369
+
370
+ ## General troubleshooting
371
+
372
+ * Windows 2008R2 and earlier versions require an extra configuration
373
+ for MaxTimeoutms to avoid WinRM::WinRMHTTPTransportError: Bad HTTP
374
+ response error while bootstrapping. It should be at least 300000.
375
+
376
+ `set-item wsman:\\localhost\\MaxTimeoutms 300000`
377
+
378
+ * When I run the winrm command I get: "Error: Invalid use of command line. Type "winrm -?" for help."
379
+ You're running the winrm command from PowerShell and you need to put the key/value pair in single quotes. For example:
380
+
381
+ `winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'`
382
+
383
+ * If you receive a timeout when trying to connect to your instance for the first time, make sure your Firewall setting
384
+ is permissive enough.
385
+
386
+ `netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" profile=public protocol=tcp localport=5985 remoteip=localsubnet new remoteip=any`
387
+
388
+ ### AWS User Data
389
+
390
+ If you are spinning up AWS instances to test against, you can use the following user data when spinning up your instances:
391
+
392
+ ```
393
+ <powershell>
394
+ $logfile="C:\\Program Files\\Amazon\\Ec2ConfigService\\Logs\\kitchen-ec2.log"
395
+ # Allow script execution
396
+ Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
397
+ # PS Remoting and & winrm.cmd basic config
398
+ Enable-PSRemoting -Force -SkipNetworkProfileCheck
399
+ & winrm.cmd set winrm/config '@{MaxTimeoutms="1800000"}' >> $logfile
400
+ & winrm.cmd set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}' >> $logfile
401
+ & winrm.cmd set winrm/config/winrs '@{MaxShellsPerUser="50"}' >> $logfile
402
+ #Server settings - support username/password login
403
+ & winrm.cmd set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}' >> $logfile
404
+ # Firewall Config
405
+ & netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" profile=public protocol=tcp localport=5985 remoteip=localsubnet new remoteip=any >> $logfile
406
+ </powershell>
407
+ ```
408
+
409
+ ## CONTRIBUTING:
410
+
411
+ Please file bugs against the KNIFE_WINDOWS project at https://github.com/chef/knife-winops/issues.
412
+
413
+ More information on the contribution process for Chef projects can be found in the [Chef Contributions document](http://docs.chef.io/community_contributions.html).
414
+
415
+ # LICENSE:
416
+
417
+ Original knife-windows author:: Seth Chisamore (<schisamo@chef.io>)
418
+ License:: Apache License, Version 2.0
419
+
420
+ Licensed under the Apache License, Version 2.0 (the "License");
421
+ you may not use this file except in compliance with the License.
422
+ You may obtain a copy of the License at
423
+
424
+ http://www.apache.org/licenses/LICENSE-2.0
425
+
426
+ Unless required by applicable law or agreed to in writing, software
427
+ distributed under the License is distributed on an "AS IS" BASIS,
428
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
429
+ See the License for the specific language governing permissions and
430
+ limitations under the License.