0

I really hope I'm missing something here - because I'm starting to love Chef, but some pieces feel extremely stupid.

I have a process (service) that runs under specific credentials. Those credentials (user / password) were typed in once upon installation of the service and are not visible to humans anymore. I want that process to be able to run the following knife command:

```
# Go kick the nodes and tell them to update now.
knife winrm "role:Xyz" "chef-client"
```

I don't want to have the password written down or the user name. I want this to run under my current context, just like if I browsed to a UNC path in Explorer (`\\ABC\DEF`): Windows is 'smart enough' to know who I am and negotiate my credentials.

Another example is when my service connects to SQL Server. I can choose not to include a username/password, but to simply have the credentials of the application passed along.

Surely Chef doesn't require hard coding admin passwords all over the place. Please help.

Timothy Khouri

2 Answers

0

I found my own answer. The short answer is "No", the knife utility does not support this. However, WinRM does natively support the ability to have your credentials come across the wire without having to re-type the username/password!

So, I will have to use the knife command to query Chef to find all the nodes in a particular role, but from there, I drop into PowerShell and perform this command:

```
Invoke-Command -ComputerName TheComputerName -ScriptBlock { chef-client }
```

knife does this kinda stuff in parallel, so I'll just have to do that myself in PowerShell.

Timothy Khouri
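The approach this answer describes (query Chef for the role's nodes, then fan out over WinRM under the caller's own logon session) could look like the following. This is an added example, not the answerer's code; the function names, the use of the `fqdn` attribute, the throttle value and the assumed shape of knife's JSON output are assumptions.

```powershell
# Added example. Function names, attribute choice and throttle are hypothetical.
function Get-ChefRoleNode {
    param([Parameter(Mandatory)][string]$KnifeJson)
    # Assumed shape: { "rows": [ { "<node name>": { "fqdn": "<host>" } } ] }
    $doc = $KnifeJson | ConvertFrom-Json
    foreach ($row in $doc.rows) {
        foreach ($node in $row.PSObject.Properties) {
            $fqdn = $node.Value.fqdn
            if ($fqdn) { $fqdn } else { Write-Warning "No fqdn for $($node.Name); skipped" }
        }
    }
}

function Invoke-ChefClientOnRole {
    param(
        [Parameter(Mandatory)][string]$Role,
        [int]$ThrottleLimit = 16
    )
    # knife authenticates to the Chef server with its client key, not a password.
    $json = (& knife search node "role:$Role" -a fqdn -F json) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "knife search failed with exit code $LASTEXITCODE" }
    $nodes = @(Get-ChefRoleNode -KnifeJson $json)
    if ($nodes.Count -eq 0) { throw "No nodes found for role:$Role" }

    # No -Credential parameter: WinRM negotiates with the identity of the
    # calling process, so no user name or password is written down anywhere.
    # Passing all names at once lets Invoke-Command run them in parallel.
    $results = Invoke-Command -ComputerName $nodes -ThrottleLimit $ThrottleLimit `
        -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
            chef-client | Out-Null
            [pscustomobject]@{ ExitCode = $LASTEXITCODE }
        }
    foreach ($f in $failed) { Write-Warning "$($f.TargetObject): $($f.Exception.Message)" }
    $results | Select-Object PSComputerName, ExitCode
}

# Constructed sample of knife's JSON output, for trying the parser offline.
$sample = '{"results":2,"rows":[{"web01":{"fqdn":"web01.example.test"}},{"web02":{"fqdn":null}}]}'
Get-ChefRoleNode -KnifeJson $sample
```

The service account running this needs remote-management rights on the target nodes; a non-zero `ExitCode` or a warning line identifies nodes where the run did not complete.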
0

I know this question is quite old but actually, with the knife-windows gem installed you can indeed use knife winrm to run commands.

To install the knife-windows gem run:

```
gem install knife-windows
```

Then to run Chef-Client on all machines that have the role xyz you would simply run:

```
knife winrm 'role:xyz' 'chef-client' --winrm-user $AdminUser --winrm-password $AdminPassword
```

This assumes that the $AdminUser and $AdminPassword variables contain values that have sufficient permission to WinRM to the target machine.

NOTE (if using ChefDK):

Depending on your setup you may need to use:

```
chef gem install knife-windows
```

and

```
chef exec knife winrm 'role:xyz' 'chef-client' --winrm-user $AdminUser --winrm-password $AdminPassword
```

Depending on whether you are using the embedded Ruby environment or your own.

Belogix
  • Hi @Belogix, my question is "how can I do this with my current context, and not by writing down my password." In your example, you are providing a user/password. – Timothy Khouri Aug 31 '17 at 15:27
  • @TimothyKhouri Password management is a whole different topic. However, you would normally have your password stored in a secure location (Secret Server or encrypted data bag that you pull down via a `knife` command etc). Then you would use that password and pass it in the call to `knife winrm ...`. – Belogix Sep 08 '17 at 10:03
  • So, the knife winrm command you mentioned is only after bootstrap, right? What is the command to bootstrap a Windows client? I tried the official webpage and some blogs, but no success. – P Satish Patro Jun 21 '19 at 10:14