Home / server / Questions / 994366
Accepted
James Connigan
Asked: 2019-12-05 14:34:23 +0800 CST

How to add a windows node for chef

  • 772

I have 3 servers

Following this guide for the chefmaster and chefworkstation

https://www.itzgeek.com/how-tos/linux/centos-how-tos/setup-chef-12-centos-7-rhel-7.html

chefmaster 192.168.1.200 Centos7

chefworkstation 192.168.1.200 Centos7

chefnode 192.168.1.210 Window Server 2016

I have setup a windows user on the server with administrators access.

user: chefUSER

I have the chefmaster setup and configured running chef 13.1.13

I have the chefworkstation setup and configured running chefdk-0.19.6-1.el7.x86_64

Googling around seem to only get me how to install the chef server on windows. I am trying to install the client to make it a node.

I have tried:

knife bootstrap -o winrm 192.168.1.210 -u chefUSER -P PASSWORD

[root@chefworkstation .chef]# chef -v
ChefDK version: 4.6.35
Chef Infra Client version: 15.5.17
Chef InSpec version: 4.18.39
Test Kitchen version: 2.3.4
Foodcritic version: 16.2.0
Cookstyle version: 5.13.7


[root@chefworkstation .chef]# knife bootstrap -o winrm  192.168.1.210 -u chefUSER -P PASSWORD -N winnode1 -VV
INFO: Using configuration from /root/chef-repo/.chef/knife.rb
DEBUG: Checking if we need to accept Chef license to bootstrap node
DEBUG: Reading products and relationships...
DEBUG: Successfully read products and relationships
DEBUG: License acceptance required for chef version: 15
DEBUG: Searching for the following licenses: ["infra-client", "inspec"]
DEBUG: Found license chef_infra_client at /etc/chef/accepted_licenses/chef_infra_client
DEBUG: Found license inspec at /etc/chef/accepted_licenses/inspec
DEBUG: Missing licenses remaining: []
DEBUG: All licenses present
Connecting to 192.168.1.210
DEBUG: winrm-fs requested, loading WinRM::FS gem (~> 1.0)
DEBUG: WinRM::FS previously loaded
DEBUG: [WinRM] @192.168.1.210<{:transport=>:negotiate, :disable_sspi=>false, :basic_auth_only=>false, :endpoint=>"http://192.168.1.210:5985/wsman", :user=>"administrator", :password=>"<hidden>", :no_ssl_peer_verification=>false, :realm=>nil, :service=>nil, :ca_trust_file=>nil, :ssl_peer_fingerprint=>nil}> (Write-Host '[WinRM] Established
')
DEBUG: [WinRM] opening remote shell on http://192.168.1.210:5985/wsman
DEBUG: [WinRM] Endpoint doesn't support config request for MaxEnvelopsizekb
DEBUG: [WinRM] opening remote shell on http://192.168.1.210:5985/wsman
DEBUG: [WinRM] Endpoint doesn't support config request for MaxEnvelopsizekb

From the source

./lib/ruby/gems/2.6.0/gems/winrm-2.3.3/lib/winrm/shells/power_shell.rb

  # calculate the maimum fragment size so that they will be as large as possible yet
  # no greater than the max_envelope_size_kb on the end point. To calculate this
  # threshold, we:
  # - determine the maximum number of bytes accepted on the endpoint
  # - subtract the non-fragment characters in the SOAP envelope
  # - determine the number of bytes that could be base64 encded to the above length
  # - subtract the fragment header bytes (ids, length, etc)

  def max_envelope_size_kb
    @max_envelope_size_kb ||= begin
      config_msg = WinRM::WSMV::Configuration.new(connection_opts)
      msg = config_msg.build
      resp_doc = transport.send_request(msg)
      REXML::XPath.first(resp_doc, "//*[local-name() = 'MaxEnvelopeSizekb']").text.to_i
    ensure
      logger.debug("[WinRM] Endpoint doesn't support config request for MaxEnvelopsizekb")
    end
    # rubocop:enable Layout/RescueEnsureAlignment
  end

From here I have changed a couple setting in my winrm which does not seem to make a difference.

PS C:\Windows\system32> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = true
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = true
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647
windows

2 Answers

  1. Best Answer

    Most of this is taken from https://www.itzgeek.com/how-tos/linux/centos-how-tos/setup-chef-12-centos-7-rhel-7.html which is about 90% correct the parts that did not work might have been because the page references an older version of chef

    3 Servers

    Centos 7 - 192.168.1.200 chefmaster.local chefmaster

    Centos 7 - 192.168.1.201 chefworkstation.local workstation

    Windows Server 2016 Datacenter (Desktop Experence) - 192.168.1.210 winsrv2016n1.local winsrv2016n1

    Configure the chefmaster server:

    cat /etc/hosts

192.168.1.200  chefmaster.local  chefmaster
192.168.1.201  chefworkstation.local  chefworkstation
192.168.1.210  winsrv2016n1.local winsrv2016n1

    Diable selinux - not sure if this is needed.

    sed -i 's/=enforcing/=disabled/g' /etc/selinux/config

    Update host name

    sed -i "1s/.*/chefmaster.local/" /etc/hostname
hostnamectl set-hostname chefmaster.local

    Update the server if needed

    yum update -y

    Reboot the server

    reboot now

    Installed needed stuff

    yum -y install wget vim

    Install chef infa server

    wget https://packages.chef.io/files/stable/chef-server/13.1.13/el/7/chef-server-core-13.1.13-1.el7.x86_64.rpm
rpm -ivh chef-server-core-*.rpm
chef-server-ctl reconfigure
chef-server-ctl status

    Create an Admin user:

    Example:

    chef-server-ctl user-create USER_NAME FIRST_NAME LAST_NAME EMAIL 'PASSWORD' -f PATH_FILE_NAME

    What I used:

    chef-server-ctl user-create chefadmin chef admin [email protected] 'PASSWORD' -f /etc/chef/chefadmin.pem

    Create an Organization:

    Example:

    chef-server-ctl org-create short_name 'full_organization_name' --association_user user_name --filename ORGANIZATION-validator.pem

    What I used:

    chef-server-ctl org-create Myorgname "Myorg Name" --association_user chefadmin -f /etc/chef/Myorgname-validator.pem

    Open Firewall:

    firewall-cmd --permanent --zone public --add-service http
firewall-cmd --permanent --zone public --add-service https
firewall-cmd --reload

    Install management console:

    chef-server-ctl install chef-manage
chef-server-ctl reconfigure
chef-manage-ctl reconfigure

    ==============================================================

    Configure the chefworkstation server:

    cat /etc/hosts

192.168.1.200  chefmaster.local  chefmaster
192.168.1.201  chefworkstation.local  chefworkstation
192.168.1.210  winsrv2016n1.local winsrv2016n1

    Diable selinux - not sure if this is needed.

    sed -i 's/=enforcing/=disabled/g' /etc/selinux/config

    Update host name

    sed -i "1s/.*/chefworkstation.local/" /etc/hostname
hostnamectl set-hostname chefworkstation.local

    Update the server if needed

    yum update -y

    Reboot the server

    reboot now

    Install chefdk

    wget https://packages.chef.io/files/stable/chefdk/4.6.35/el/7/chefdk-4.6.35-1.el7.x86_64.rpm
rpm -ivh chefdk-*.rpm
chef verify

    Verify Ruby:

    which ruby
echo 'eval "$(chef shell-init bash)"' >> ~/.bash_profile
. ~/.bash_profile
which ruby

    Verify Ruby Output should look like the following:

    /opt/chefdk/embedded/bin/ruby

    Install and configure git

    yum -y install git
cd ~
chef generate repo chef-repo
ls -al ~/chef-repo/
git config --global user.name "chefadmin"
git config --global user.email "[email protected]"
cd ~/chef-repo/
git init
mkdir -p ~/chef-repo/.chef
echo '.chef' >> ~/chef-repo/.gitignore
cd ~/chef-repo/
git add .
git commit -m "initial commit"
git status

    Copy over the pem files created in the Configure the chefmaster server section

    scp -pr root@chefmaster:/etc/chef/chefadmin.pem ~/chef-repo/.chef/
scp -pr root@chefmaster:/etc/chef/anthonyfornito-validator.pem ~/chef-repo/.chef/

    Create the knife file:

    vi ~/chef-repo/.chef/knife.rb

    knife.rb contents

    current_dir = File.dirname(__FILE__)
log_level                :info
log_location             STDOUT
node_name                "chefadmin"
client_key               "#{current_dir}/chefadmin.pem"
validation_client_name   "Myorgname-validator"
validation_key           "#{current_dir}/Myorgname-validator.pem"
chef_server_url          "https://chefmaster.local/organizations/Myorgname"
syntax_check_cache_path  "#{ENV['HOME']}/.chef/syntaxcache"
cookbook_path            ["#{current_dir}/../cookbooks"]

    Check the ssl connection:

    knife client list

    Might see and ssl error

    Run ssl check the see what is missing

    knife ssl check
.....
* ssl_ca_path: nil
* ssl_ca_file: nil
----

    Fetch ssl

    knife ssl fetch

    Now recheck the client list:

    knife client list

    You should see:

    Myorgname-validator

    ===================================================

    Configure the Window Server 2016 server:

    Enable access to port 5985

    From the Windows Firewall with Advanced Security:

    Click Inbound Rules

    Sort list by Local Port

    Find the "Windows Remote Management (HTTP-In)" rules (There are 2)

    Being that I am not using a domain all I had to do was configure the Public

    Right click the rule

    Select Properties

    Click the scope tab

    Change the Remote IP address from:

    These IP addresses:

    To:

    Any IP address

    enter image description here

    Run the below command using powershell administrator

    winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'

    ===================================================

    On the chefworkstation server run the following command to add the windows server 2016 client.

    Example:

    knife bootstrap -o winrm CLIENTHOSTNAME -u ADMINWINUSER -P ADMINPASSWORD -VV

    What I used:

    knife bootstrap -o winrm winsrv2016n1 -u Administrator -P PASSWORD -VV

    This takes some time however after about 20 minutes it was added as a client under the management console.

    Keep in mind there are some major security holes that would need to fixed however this should get anyone started

    enter image description here

    • 2

  2. Here is a very good troubleshooting guide about Chef and Windows.

    The TL;DR basically it's a 3 step list:

    1. Enable WinRM in the Windows node, either with Enable-PSRemoting or winrm quickconfig

    2. Verify the firewall with netsh advfirewall firewall add rule name=WinRM-HTTP" dir=in localport=5985 protocol=TCP action=allow

    3. Run these (only for testing, not for prod) commands:

        winrm set winrm/config/client/auth '@{Basic="true"}'
    winrm set winrm/config/service/auth '@{Basic="true"}'
    winrm set winrm/config/service '@{AllowUnencrypted="true"}'

    The usual causes:

    1. The Winrm service is not running on the remote machine
    2. The firewall on the remote machine is refusing connections
    3. A proxy server stands in the way
    4. Improper SSL configuration for HTTPS connections

    Read the guide linked above for a deeper understanding and extra steps.

    • 0