Basic Question about Bootstrapping Windows Nodes

I’m new to Chef and trying to bootstrap a Windows node using knife. I’m running the following command from my workstation: knife bootstrap windows winrm .*.***.*** -x Administrator -P ******

In response, I get “Doing old-style registration with validation key at C:/ … Delete your validation key in order to use your user credentials instead.” The validation key it’s referring to is the organization validator that my workstation uses to connect to the Chef server. Why is it using this validation key to connect to the node and not the password I specify in the command? Is it because of how I have my knife.rb set up?

Hi there, this can definitely be confusing. Let me try to explain a bit what you are seeing. The validation key on your workstation really is not used to connect to the server. It's an artifact historically used to register new nodes with your Chef server via knife. When you use knife bootstrap, knife copies it to the node you are trying to bootstrap, and the node uses that key temporarily to authenticate with the Chef server as a one-time action; then it is given its own dedicated client key. As of chef-client 12.2 (well over a year ago), this is no longer necessary. Instead of copying the validation key as a temporary auth token to the new node, knife can use your own client key to generate the permanent client key that will be used by the new node. In order to use this newer "validator-less" model, simply delete your validator key entry from your knife.config.

Furthermore, the credentials you provided on the command line are not used until after your node has been registered with the server. They are the credentials used by knife to log on to the new node (via SSH or WinRM) and run the newly installed chef-client for the node's very first converge.

Hope this makes sense.
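As an added illustration (not code from the thread or from Chef itself), the snippet below loads a workstation knife.rb the way knife does, as a Ruby DSL, and reports which registration path knife bootstrap would take: the organization validator when a validation_key entry points at a .pem that exists on disk, or the validator-less path (your own user key) when the entry is absent or the file has been deleted, which is why the warning above quotes a file path. The two knife.rb contents, the user name, key paths and server URL are all constructed placeholders for this example, and the probe class is my own, not part of knife.

```ruby
# Added example, not from the thread or the Chef project. Names, paths and URLs are placeholders.
require "tempfile"

# Minimal stand-in for the object knife evaluates knife.rb against. A knife.rb line such as
#   chef_server_url "https://..."
# is an ordinary Ruby method call, so we capture every call instead of loading the chef gem.
class KnifeConfigProbe
  attr_reader :settings

  def initialize
    @settings = {}
    @knife = {}            # backs the knife[:option] = value form
  end

  def knife
    @knife
  end

  def method_missing(name, *args)
    return super if args.empty?   # bare unknown identifiers are still errors, as in knife
    @settings[name] = args.first
  end

  def respond_to_missing?(*)
    true
  end

  def self.load(text)
    probe = new
    probe.instance_eval(text, "knife.rb")
    probe
  end

  # knife bootstrap only does old-style registration when a validation_key is configured
  # AND the file exists; no entry, or an entry whose file was deleted, means validator-less.
  def registration_mode
    key = settings[:validation_key]
    key && File.exist?(key.to_s) ? :validator : :validatorless
  end
end

# Constructed old-style knife.rb: validator entry present and pointing at the given .pem.
def old_style_config(validator_pem_path)
  <<~KNIFE
    node_name              "jdoe"
    client_key             "/home/jdoe/.chef/jdoe.pem"
    chef_server_url        "https://chef.example.com/organizations/myorg"
    validation_client_name "myorg-validator"
    validation_key         "#{validator_pem_path}"
  KNIFE
end

# Constructed validator-less knife.rb: same user identity, validator lines removed.
VALIDATORLESS_CONFIG = <<~KNIFE
  node_name       "jdoe"
  client_key      "/home/jdoe/.chef/jdoe.pem"
  chef_server_url "https://chef.example.com/organizations/myorg"
KNIFE

# Evaluate both configs; a throwaway .pem stands in for a real validator on disk.
def demo
  Tempfile.create(["myorg-validator", ".pem"]) do |pem|
    pem.write("-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder, not a key)\n-----END RSA PRIVATE KEY-----\n")
    pem.flush
    {
      old_style:     KnifeConfigProbe.load(old_style_config(pem.path)).registration_mode,
      validatorless: KnifeConfigProbe.load(VALIDATORLESS_CONFIG).registration_mode,
      file_deleted:  KnifeConfigProbe.load(old_style_config("/nonexistent/myorg-validator.pem")).registration_mode,
    }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The file_deleted case is the one the warning message suggests: leaving the entry in place but removing the .pem is enough to flip knife to validator-less, though removing the entry as well keeps the config honest.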


By the way, guys, what is the best practice to work around WinRM issues like .NET or SQL installs when bootstrapping Windows nodes via knife bootstrap? knife bootstrap doesn't yet have an elevated command switch.

What you can do is bootstrap the node without a run list. Then, once your node is registered, use knife node run_list set to set the run list. Now any subsequent chef-client run should converge the new run list. You could use knife winrm with an elevated shell to do that, or if you run Chef from a scheduled task or Windows service, those recipes should now work.

Great answer. Yes, makes sense. I'll delete this validator key and remove its reference from knife.config. Thanks again