
I have 3 servers

Following this guide for the chefmaster and chefworkstation

https://www.itzgeek.com/how-tos/linux/centos-how-tos/setup-chef-12-centos-7-rhel-7.html

chefmaster 192.168.1.200 Centos7

chefworkstation 192.168.1.200 Centos7

chefnode 192.168.1.210 Windows Server 2016

I have set up a Windows user on the server with administrator access.

user: chefUSER

I have the chefmaster set up and configured, running chef 13.1.13

I have the chefworkstation set up and configured, running chefdk-0.19.6-1.el7.x86_64

Googling around only seems to get me how to install the Chef server on Windows. I am trying to install the client to make it a node.

I have tried:

knife bootstrap -o winrm 192.168.1.210 -u chefUSER -P PASSWORD

[root@chefworkstation .chef]# chef -v
ChefDK version: 4.6.35
Chef Infra Client version: 15.5.17
Chef InSpec version: 4.18.39
Test Kitchen version: 2.3.4
Foodcritic version: 16.2.0
Cookstyle version: 5.13.7


[root@chefworkstation .chef]# knife bootstrap -o winrm  192.168.1.210 -u chefUSER -P PASSWORD -N winnode1 -VV
INFO: Using configuration from /root/chef-repo/.chef/knife.rb
DEBUG: Checking if we need to accept Chef license to bootstrap node
DEBUG: Reading products and relationships...
DEBUG: Successfully read products and relationships
DEBUG: License acceptance required for chef version: 15
DEBUG: Searching for the following licenses: ["infra-client", "inspec"]
DEBUG: Found license chef_infra_client at /etc/chef/accepted_licenses/chef_infra_client
DEBUG: Found license inspec at /etc/chef/accepted_licenses/inspec
DEBUG: Missing licenses remaining: []
DEBUG: All licenses present
Connecting to 192.168.1.210
DEBUG: winrm-fs requested, loading WinRM::FS gem (~> 1.0)
DEBUG: WinRM::FS previously loaded
DEBUG: [WinRM] @192.168.1.210<{:transport=>:negotiate, :disable_sspi=>false, :basic_auth_only=>false, :endpoint=>"http://192.168.1.210:5985/wsman", :user=>"administrator", :password=>"<hidden>", :no_ssl_peer_verification=>false, :realm=>nil, :service=>nil, :ca_trust_file=>nil, :ssl_peer_fingerprint=>nil}> (Write-Host '[WinRM] Established
')
DEBUG: [WinRM] opening remote shell on http://192.168.1.210:5985/wsman
DEBUG: [WinRM] Endpoint doesn't support config request for MaxEnvelopsizekb
DEBUG: [WinRM] opening remote shell on http://192.168.1.210:5985/wsman
DEBUG: [WinRM] Endpoint doesn't support config request for MaxEnvelopsizekb

From the source

./lib/ruby/gems/2.6.0/gems/winrm-2.3.3/lib/winrm/shells/power_shell.rb

  # calculate the maximum fragment size so that fragments will be as large as possible yet
  # no greater than the max_envelope_size_kb on the endpoint. To calculate this
  # threshold, we:
  # - determine the maximum number of bytes accepted on the endpoint
  # - subtract the non-fragment characters in the SOAP envelope
  # - determine the number of bytes that could be base64 encoded to the above length
  # - subtract the fragment header bytes (ids, length, etc)

  def max_envelope_size_kb
    @max_envelope_size_kb ||= begin
      config_msg = WinRM::WSMV::Configuration.new(connection_opts)
      msg = config_msg.build
      resp_doc = transport.send_request(msg)
      REXML::XPath.first(resp_doc, "//*[local-name() = 'MaxEnvelopeSizekb']").text.to_i
    ensure
      logger.debug("[WinRM] Endpoint doesn't support config request for MaxEnvelopsizekb")
    end
    # rubocop:enable Layout/RescueEnsureAlignment
  end

From here I have changed a couple of settings in my WinRM config, which does not seem to make a difference.

PS C:\Windows\system32> winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = true
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = true
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647
James Connigan
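The DEBUG line "Endpoint doesn't support config request for MaxEnvelopsizekb" in the trace above is emitted by the max_envelope_size_kb method quoted from the winrm gem. As an added example (not code from the question, the gem, or either answer), the Ruby below parses a constructed WS-Management configuration response with the same namespace-agnostic XPath the gem uses, falls back to a default when the endpoint answers with a SOAP fault instead of a value, and then carries the fragment-size calculation described in the gem's comment through to a number. Both XML messages are constructed, and the fallback size, envelope overhead and fragment header constants are assumptions for the arithmetic, not values taken from the gem. ChefDK ships its own Ruby (/opt/chefdk/embedded/bin/ruby), so this runs on the workstation as-is.

```ruby
require 'rexml/document'

# Constructed WS-Management configuration response, reduced to the element the
# winrm gem's XPath looks for. Not a captured message.
CONFIG_RESPONSE = <<~XML
  <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
              xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config">
    <s:Body>
      <cfg:Config>
        <cfg:MaxEnvelopeSizekb>500</cfg:MaxEnvelopeSizekb>
        <cfg:MaxTimeoutms>60000</cfg:MaxTimeoutms>
      </cfg:Config>
    </s:Body>
  </s:Envelope>
XML

# Constructed SOAP fault standing in for an endpoint that will not answer the
# configuration request; also not a captured message.
FAULT_RESPONSE = <<~XML
  <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Body>
      <s:Fault>
        <s:Code><s:Value>s:Sender</s:Value></s:Code>
        <s:Reason><s:Text xml:lang="en-US">Access is denied.</s:Text></s:Reason>
      </s:Fault>
    </s:Body>
  </s:Envelope>
XML

DEFAULT_MAX_ENVELOPE_SIZE_KB = 500 # assumed fallback; matches the value in the winrm config above
ENVELOPE_OVERHEAD_BYTES = 2048     # assumed size of the fixed SOAP wrapper around one fragment
FRAGMENT_HEADER_BYTES = 21         # assumed size of the fragment header (ids, flags, length)

# Same XPath the gem uses: match on the element's local name, ignoring namespaces.
def envelope_size_from_endpoint(response_xml)
  doc = REXML::Document.new(response_xml)
  node = REXML::XPath.first(doc, "//*[local-name() = 'MaxEnvelopeSizekb']")
  node && node.text.to_i
end

# Reason text of a SOAP fault, or nil when the response is not a fault.
def fault_reason(response_xml)
  doc = REXML::Document.new(response_xml)
  fault = REXML::XPath.first(doc, "//*[local-name() = 'Fault']")
  return nil unless fault
  text = REXML::XPath.first(fault, ".//*[local-name() = 'Text']")
  text && text.text.strip
end

# Value reported by the endpoint, or the assumed default when none comes back.
def max_envelope_size_kb(response_xml)
  size = envelope_size_from_endpoint(response_xml)
  return size if size
  reason = fault_reason(response_xml) || 'no value in response'
  warn "[WinRM] Endpoint doesn't support config request for MaxEnvelopsizekb " \
       "(#{reason}); assuming #{DEFAULT_MAX_ENVELOPE_SIZE_KB} KB"
  DEFAULT_MAX_ENVELOPE_SIZE_KB
end

# Raw bytes that fit once base64-encoded into encoded_length characters.
def base64_decoded_capacity(encoded_length)
  (encoded_length / 4) * 3
end

# The four steps from the gem's comment: bytes the endpoint accepts, minus the
# fixed envelope, converted to pre-base64 bytes, minus the fragment header.
def max_fragment_blob_size(envelope_kb)
  encoded_room = envelope_kb * 1024 - ENVELOPE_OVERHEAD_BYTES
  base64_decoded_capacity(encoded_room) - FRAGMENT_HEADER_BYTES
end

if $PROGRAM_NAME == __FILE__
  [CONFIG_RESPONSE, FAULT_RESPONSE].each do |response|
    kb = max_envelope_size_kb(response)
    puts "MaxEnvelopeSizekb=#{kb} -> largest fragment payload #{max_fragment_blob_size(kb)} bytes"
  end
end
```

With the constants assumed here, a 500 KB envelope leaves room for 382443 payload bytes per fragment; the point is that the debug line by itself only tells you the config query returned no value, and the session still proceeds with a fallback size.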

2 Answers


Most of this is taken from https://www.itzgeek.com/how-tos/linux/centos-how-tos/setup-chef-12-centos-7-rhel-7.html, which is about 90% correct; the parts that did not work might have been because the page references an older version of Chef.

3 Servers

Centos 7 - 192.168.1.200 chefmaster.local chefmaster

Centos 7 - 192.168.1.201 chefworkstation.local workstation

Windows Server 2016 Datacenter (Desktop Experience) - 192.168.1.210 winsrv2016n1.local winsrv2016n1

Configure the chefmaster server:

cat /etc/hosts

192.168.1.200  chefmaster.local  chefmaster
192.168.1.201  chefworkstation.local  chefworkstation
192.168.1.210  winsrv2016n1.local winsrv2016n1

Disable selinux - not sure if this is needed.

sed -i 's/=enforcing/=disabled/g' /etc/selinux/config

Update host name

sed -i "1s/.*/chefmaster.local/" /etc/hostname
hostnamectl set-hostname chefmaster.local

Update the server if needed

yum update -y

Reboot the server

reboot now

Install needed stuff

yum -y install wget vim

Install Chef Infra Server

wget https://packages.chef.io/files/stable/chef-server/13.1.13/el/7/chef-server-core-13.1.13-1.el7.x86_64.rpm
rpm -ivh chef-server-core-*.rpm
chef-server-ctl reconfigure
chef-server-ctl status

Create an Admin user:

Example:

chef-server-ctl user-create USER_NAME FIRST_NAME LAST_NAME EMAIL 'PASSWORD' -f PATH_FILE_NAME

What I used:

chef-server-ctl user-create chefadmin chef admin chefadmin@example.com 'PASSWORD' -f /etc/chef/chefadmin.pem

Create an Organization:

Example:

chef-server-ctl org-create short_name 'full_organization_name' --association_user user_name --filename ORGANIZATION-validator.pem

What I used:

chef-server-ctl org-create Myorgname "Myorg Name" --association_user chefadmin -f /etc/chef/Myorgname-validator.pem

Open Firewall:

firewall-cmd --permanent --zone public --add-service http
firewall-cmd --permanent --zone public --add-service https
firewall-cmd --reload

Install management console:

chef-server-ctl install chef-manage
chef-server-ctl reconfigure
chef-manage-ctl reconfigure

==============================================================

Configure the chefworkstation server:

cat /etc/hosts

192.168.1.200  chefmaster.local  chefmaster
192.168.1.201  chefworkstation.local  chefworkstation
192.168.1.210  winsrv2016n1.local winsrv2016n1

Disable selinux - not sure if this is needed.

sed -i 's/=enforcing/=disabled/g' /etc/selinux/config

Update host name

sed -i "1s/.*/chefworkstation.local/" /etc/hostname
hostnamectl set-hostname chefworkstation.local

Update the server if needed

yum update -y

Reboot the server

reboot now

Install chefdk

wget https://packages.chef.io/files/stable/chefdk/4.6.35/el/7/chefdk-4.6.35-1.el7.x86_64.rpm
rpm -ivh chefdk-*.rpm
chef verify

Verify Ruby:

which ruby
echo 'eval "$(chef shell-init bash)"' >> ~/.bash_profile
. ~/.bash_profile
which ruby

Verify Ruby Output should look like the following:

/opt/chefdk/embedded/bin/ruby

Install and configure git

yum -y install git
cd ~
chef generate repo chef-repo
ls -al ~/chef-repo/
git config --global user.name "chefadmin"
git config --global user.email "chefadmin@anthonyfornito.com"
cd ~/chef-repo/
git init
mkdir -p ~/chef-repo/.chef
echo '.chef' >> ~/chef-repo/.gitignore
cd ~/chef-repo/
git add .
git commit -m "initial commit"
git status

Copy over the pem files created in the Configure the chefmaster server section

scp -pr root@chefmaster:/etc/chef/chefadmin.pem ~/chef-repo/.chef/
scp -pr root@chefmaster:/etc/chef/anthonyfornito-validator.pem ~/chef-repo/.chef/

Create the knife file:

vi ~/chef-repo/.chef/knife.rb

knife.rb contents

current_dir = File.dirname(__FILE__)
log_level                :info
log_location             STDOUT
node_name                "chefadmin"
client_key               "#{current_dir}/chefadmin.pem"
validation_client_name   "Myorgname-validator"
validation_key           "#{current_dir}/Myorgname-validator.pem"
chef_server_url          "https://chefmaster.local/organizations/Myorgname"
syntax_check_cache_path  "#{ENV['HOME']}/.chef/syntaxcache"
cookbook_path            ["#{current_dir}/../cookbooks"]

Check the ssl connection:

knife client list

You might see an SSL error.

Run ssl check to see what is missing:

knife ssl check
.....
* ssl_ca_path: nil
* ssl_ca_file: nil
----

Fetch ssl

knife ssl fetch

Now recheck the client list:

knife client list

You should see:

Myorgname-validator

===================================================

Configure the Windows Server 2016 server:

Enable access to port 5985

From the Windows Firewall with Advanced Security:

Click Inbound Rules

Sort list by Local Port

Find the "Windows Remote Management (HTTP-In)" rules (There are 2)

Being that I am not using a domain, all I had to do was configure the Public rule

Right click the rule

Select Properties

Click the scope tab

Change the Remote IP address from:

These IP addresses:

To:

Any IP address


Run the commands below from an administrator PowerShell prompt:

winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'

===================================================

On the chefworkstation server run the following command to add the windows server 2016 client.

Example:

knife bootstrap -o winrm CLIENTHOSTNAME -u ADMINWINUSER -P ADMINPASSWORD -VV

What I used:

knife bootstrap -o winrm winsrv2016n1 -u Administrator -P PASSWORD -VV

This takes some time however after about 20 minutes it was added as a client under the management console.

Keep in mind there are some major security holes that would need to be fixed; however, this should get anyone started.


Anthony Fornito
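The three winrm set commands in this answer (Basic auth on both client and service, AllowUnencrypted on the service) are the "major security holes" it mentions: with them, credentials and every command sent over port 5985 cross the network readable by anyone in the path. As an added example, not code from either answer, the Ruby below parses the text that winrm get winrm/config prints (the format quoted in the question) into nested hashes and flags those settings, plus the Relaxed channel-binding level and the wildcard IPv4 filter, so the state can be checked before and after the node is hardened. The two config dumps are constructed: the first is trimmed from the output in the question, the second is an assumed post-hardening state where Basic and AllowUnencrypted are off and an HTTPS listener on 5986 is assumed to carry the sessions instead. Ruby is used because the workstation already has it from ChefDK.

```ruby
# Constructed from the `winrm get winrm/config` output quoted in the question,
# trimmed to the keys the audit looks at.
SAMPLE_WINRM_CONFIG = <<~CONFIG
  Config
      MaxEnvelopeSizekb = 500
      Client
          AllowUnencrypted = true
          Auth
              Basic = true
              Negotiate = true
          TrustedHosts
      Service
          AllowUnencrypted = true
          Auth
              Basic = true
              Negotiate = true
              CbtHardeningLevel = Relaxed
          IPv4Filter = *
          AllowRemoteAccess = true
CONFIG

# Constructed counter-example: the same keys as they would read after the
# testing-only settings are turned back off (assumed, not captured from a host).
HARDENED_WINRM_CONFIG = <<~CONFIG
  Config
      Client
          AllowUnencrypted = false
          Auth
              Basic = false
              Negotiate = true
      Service
          AllowUnencrypted = false
          Auth
              Basic = false
              Negotiate = true
              CbtHardeningLevel = Strict
          IPv4Filter = 192.168.1.210
CONFIG

# Turn the indentation-structured dump into nested hashes. A line containing
# " = " is a leaf; a line without one opens a section. Keys that have neither a
# value nor children (TrustedHosts above) end up as empty hashes.
def parse_winrm_config(text)
  root = {}
  stack = [[-1, root]] # [indent, hash] for each open section
  text.each_line do |raw|
    line = raw.rstrip
    next if line.strip.empty?
    indent = line[/\A */].size
    stack.pop while stack.last[0] >= indent
    parent = stack.last[1]
    key, value = line.strip.split(' = ', 2)
    if value.nil?
      parent[key] = {}
      stack.push([indent, parent[key]])
    else
      parent[key] = value
    end
  end
  root
end

# Walk a key path without raising when an intermediate node is a leaf.
def lookup(config, path)
  path.reduce(config) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Each check names the setting, the value that is a problem, and why it matters.
WINRM_CHECKS = [
  { id: :service_unencrypted, path: %w[Config Service AllowUnencrypted], bad: 'true', severity: :high,
    why: 'service accepts plain-HTTP sessions; payloads (and Basic credentials) are readable on the wire' },
  { id: :service_basic_auth, path: %w[Config Service Auth Basic], bad: 'true', severity: :high,
    why: 'Basic authentication enabled on the service; acceptable only behind an HTTPS listener' },
  { id: :client_unencrypted, path: %w[Config Client AllowUnencrypted], bad: 'true', severity: :medium,
    why: 'this host will also accept unencrypted sessions when it is the WinRM client' },
  { id: :client_basic_auth, path: %w[Config Client Auth Basic], bad: 'true', severity: :medium,
    why: 'this host will offer Basic authentication when it is the WinRM client' },
  { id: :cbt_relaxed, path: %w[Config Service Auth CbtHardeningLevel], bad: 'Relaxed', severity: :low,
    why: 'channel binding tokens are not enforced; set Strict once HTTPS is in place' },
  { id: :ipv4_any, path: %w[Config Service IPv4Filter], bad: '*', severity: :info,
    why: 'service listens on every IPv4 address; restrict to the management interface where possible' }
].freeze

# Findings for one parsed config, in check order.
def audit_winrm_config(config)
  WINRM_CHECKS.select { |c| lookup(config, c[:path]) == c[:bad] }
              .map { |c| { id: c[:id], severity: c[:severity], path: c[:path].join('/'), why: c[:why] } }
end

# One line per finding, for reading at a glance.
def report(config_text)
  findings = audit_winrm_config(parse_winrm_config(config_text))
  return ['no findings'] if findings.empty?
  findings.map { |f| format('%-6s %-40s %s', f[:severity].to_s.upcase, f[:path], f[:why]) }
end

if $PROGRAM_NAME == __FILE__
  puts 'As posted in the question:', report(SAMPLE_WINRM_CONFIG), ''
  puts 'After hardening:', report(HARDENED_WINRM_CONFIG)
end
```

Run it against a real dump with ruby audit.rb after pasting the output of winrm get winrm/config into a file and calling report(File.read(path)); the expected end state for a node that is bootstrapped over HTTPS (knife bootstrap -o winrm with --winrm-ssl) is the empty report the hardened sample produces.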

Here is a very good troubleshooting guide about Chef and Windows.

The TL;DR is basically a 3-step list:

  1. Enable WinRM in the Windows node, either with Enable-PSRemoting or winrm quickconfig

  2. Verify the firewall with netsh advfirewall firewall add rule name="WinRM-HTTP" dir=in localport=5985 protocol=TCP action=allow

  3. Run these (only for testing, not for prod) commands:

    winrm set winrm/config/client/auth '@{Basic="true"}'
    winrm set winrm/config/service/auth '@{Basic="true"}'
    winrm set winrm/config/service '@{AllowUnencrypted="true"}'

The usual causes:

  1. The WinRM service is not running on the remote machine
  2. The firewall on the remote machine is refusing connections
  3. A proxy server stands in the way
  4. Improper SSL configuration for HTTPS connections

Read the guide linked above for a deeper understanding and extra steps.

Leo Gallego
  • I have tried that, even read that article. I am trying to connect Windows Server 2016; will this work? I can tell you those steps did work when trying to connect Ansible from a remote server. – James Connigan Dec 14 '19 at 17:54
  • Well, these steps should provide Chef access to the WinRM service required to connect the Windows server as a node. If they are not working, I see your config having several authentication methods enabled; maybe review that? Did you try starting from scratch with WinRM too? – Leo Gallego Dec 14 '19 at 19:27