Bootstrapping Windows nodes behind a firewall with Knife
Using knife to bootstrap a node to be managed with Chef is a fundamental part of the Chef workflow, especially for dev and test purposes. When you bootstrap a node you are preparing the node to communicate with the Chef Server so it can download the cookbooks and recipes you have defined in its run-list, and eventually match the state you have defined in your Chef code.
knife bootstrap windows winrm ADDRESS --winrm-user USER --winrm-password 'PASSWORD' --node-name node1 --run-list 'recipe[learn_chef_iis]'
As part of the bootstrapping process for Windows, the chef-client package is retrieved from the chef.io website. You can see this in the output knife streams back from the node (each line is prefixed with the node's address, shown here as ADDRESS):

ADDRESS C:\Users\Administrator>goto install
ADDRESS Checking for existing downloaded package at "C:\Users\ADMINI~1\AppData\Local\Temp\chef-client-latest.msi"
ADDRESS No existing downloaded packages to delete.
ADDRESS Attempting to download client package using PowerShell if available...
ADDRESS powershell.exe -ExecutionPolicy Unrestricted -NoProfile -NonInteractive -File C:\chef\wget.ps1 "https://www.chef.io/chef/download?p=windows&pv=2012&m=x86_64&DownloadContext=PowerShell&v=12" "C:\Users\ADMINI~1\AppData\Local\Temp\chef-client-latest.msi"
ADDRESS Download via PowerShell succeeded.
ADDRESS Installing downloaded client package...
ADDRESS
ADDRESS C:\Users\Administrator>msiexec /qn /log "C:\Users\ADMINI~1\AppData\Local\Temp\chef-client-msi7958.log" /i "C:\Users\ADMINI~1\AppData\Local\Temp\chef-client-latest.msi"
ADDRESS Successfully installed Chef Client package.
ADDRESS Installation completed successfully
If you are working in a locked-down environment, perhaps behind a firewall, this can be a problem: if the node cannot retrieve the package from the Internet, the bootstrap fails.
The workaround is the --msi-url argument to the bootstrap command, which is (currently) undocumented.
It accepts either a remote URL or a path on the node's own filesystem. That means you can point it at an internal package hosting service of some kind, or at a copy of the MSI already on the node, perhaps baked into your images.
knife bootstrap windows winrm ADDRESS --winrm-user USER --winrm-password 'PASSWORD' --node-name node1 --msi-url C:/tmp/chef-client.msi
Voila, your locked down instance is bootstrapped.
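When --msi-url replaces the download from chef.io, the node will install whatever sits at that location, so the source you point it at deserves the same care as the vendor download. The following Python helper is an added example, not code from the original post or from knife-windows. It accepts only a path on the node or an HTTPS URL to an allow-listed internal host, checks a staged MSI against the SHA-256 you recorded when you mirrored it, and assembles the knife command as an argv list so the WinRM password never passes through a shell. The host name packages.internal.example and the digests used below are placeholders I made up for the example.

```python
"""Guard rails around `knife bootstrap windows winrm ... --msi-url` (added example)."""
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Internal hosts allowed to serve the chef-client MSI.
# Constructed placeholder: replace with your own package mirror.
ALLOWED_MSI_HOSTS = {"packages.internal.example"}

# A drive-letter path on the node, e.g. C:/tmp/chef-client.msi or C:\tmp\chef-client.msi
WINDOWS_PATH_RE = re.compile(r"^[A-Za-z]:[\\/]")


def validate_msi_url(msi_url, allowed_hosts=ALLOWED_MSI_HOSTS):
    """Return msi_url unchanged if it is a local node path or an HTTPS URL to an allowed host.

    Plain HTTP, unknown hosts and non-.msi targets raise ValueError so the bootstrap
    never fetches an installer from a source you do not control.
    """
    if WINDOWS_PATH_RE.match(msi_url):
        return msi_url  # package baked into the image; nothing is downloaded
    parsed = urlparse(msi_url)
    if parsed.scheme != "https":
        raise ValueError("refusing non-HTTPS MSI source: %s" % msi_url)
    if parsed.hostname not in allowed_hosts:
        raise ValueError("MSI host not in allow-list: %s" % parsed.hostname)
    if not parsed.path.lower().endswith(".msi"):
        raise ValueError("MSI URL must point at a .msi file")
    return msi_url


def msi_url_is_acceptable(msi_url, allowed_hosts=ALLOWED_MSI_HOSTS):
    """Boolean form of validate_msi_url for callers that prefer not to catch exceptions."""
    try:
        validate_msi_url(msi_url, allowed_hosts)
        return True
    except ValueError:
        return False


def sha256_hex(data):
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_msi_bytes(data, expected_sha256):
    """Constant-time comparison of the package digest with the one recorded at staging time."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def verify_msi_file(path, expected_sha256):
    """Stream a staged MSI from disk and verify it before the node is allowed to install it."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), expected_sha256.lower())


def build_bootstrap_command(address, user, password, node_name, msi_url, run_list=None):
    """Assemble the knife argv (for subprocess.run without shell=True) after validating --msi-url."""
    cmd = [
        "knife", "bootstrap", "windows", "winrm", address,
        "--winrm-user", user,
        "--winrm-password", password,
        "--node-name", node_name,
        "--msi-url", validate_msi_url(msi_url),
    ]
    if run_list:
        cmd += ["--run-list", run_list]
    return cmd


if __name__ == "__main__":
    # Constructed sample values; the address and credentials are placeholders.
    print(build_bootstrap_command("10.0.0.5", "Administrator", "PASSWORD",
                                  "node1", "C:/tmp/chef-client.msi",
                                  "recipe[learn_chef_iis]"))
```

Run verify_msi_file against the MSI on your internal host (or in your image build) with the digest you captured when you downloaded it from chef.io, and only then hand the location to build_bootstrap_command; the argv list can be passed straight to subprocess.run.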