How can a chef station in Linux access a chef client in Windows without specifying username and password


#1

Now, my chef station is in Linux, some chef clients are in Windows and some are in Linux.

Then I use the command: knife ssh 'name:delta.*' 'sudo chef-client', to let my Linux node execute 'chef-client'.

But for the Windows node, I had to execute the command like this: knife winrm 'name:CNXANDRCNB001.delta.corp' "chef-client" -x 'DELTA\user' -P '123456'.

As far as I know, if we use the ssh protocol, we can save the pub key of the workstation to each node, then we can execute the first command without username and password successfully, so that I can deploy multiple clients.

But how can I do this in the second command, as I use the winrm protocol to access the Windows node?


#2

On Windows nodes you do have to use a username and password. Winrm actually does support certificate auth and the winrm ruby gem added support for that just a few months ago. However knife winrm does not yet support it.


#3

Matt_Wrock,

Thank you for the reply.

In this situation, I manage multiple Windows nodes. How can I deploy my cookbook to multiple nodes in one command? Is there another way to do this?


#4

Assuming each node can authenticate the same credentials, you can use knife winrm as you would knife ssh by using a search.


#5

Please don’t ask on both StackOverflow (https://stackoverflow.com/questions/39694132/how-chef-station-in-linux-access-chef-client-in-windows-without-write-username-a/39694335) and here simultaneously. It’s rude and disrespectful of the time people volunteer to provide user support.


#6

coderanger,

Deeply sorry for that, I deleted the question on StackOverflow.


#7

Matt_Wrock,

Do you have any link about doing this? I don’t find any content about it in the user guide.
https://docs.chef.io/release/12-13/install_windows.html
https://docs.chef.io/plugin_knife_windows.html


#8

The chef docs page is here and the github readme refers to it. Are you having issues using the command?


#9

Matt_Wrock,

I’m new to chef, so maybe my explanation is not clear.

Here is the situation. After I execute this command:
knife bootstrap windows winrm CNXANDRCNB001.delta.corp -x 'DELTA\user' -P '123456',
the chef client is installed on my Windows machine. After that I can use the command below to deploy my cookbook successfully:
knife winrm 'name:CNXANDRCNB001.delta.corp' "chef-client" -x 'DELTA\user' -P '123456'.
But as you know, I don’t want to use the username and password in this command, and you have said knife winrm does not support it yet.
So I’m a little confused about the sentence you replied with later: “Assuming each node can authenticate the same credentials, you can use knife winrm as you would knife ssh by using a search.” How can I do what you said?


#10

My apologies for the confusion here. So let me try to clarify.

When using knife winrm, you do need to specify a username and password in the command every time. That is NOT like knife ssh. However it is the same as knife ssh in all other aspects. You can specify a query to search for nodes and then run a command on each node. The key difference is that with knife winrm you must provide a username and password and if there are multiple nodes you want to converge, then each of those nodes must have the same credentials.


#11

Matt_Wrock,

Thank you, I understand.
If I use the freeSSHd and WinSSHD services on Windows like the doc says, can I avoid this situation? Because as you know, we may have hundreds of Windows nodes to manage, and I really do not want to specify a username and password for each node when I deploy my cookbook.


#12

Yes. If you have an ssh server running on the Windows nodes, you can avoid that and just run knife ssh everywhere.


#13

OK, I will have a try.
And thanks very much.