Bootstrapping Windows nodes behind a firewall with Knife

Using knife to bootstrap a node to be managed with Chef is a fundamental part of the Chef workflow, especially for dev and test purposes. When you bootstrap a node you are preparing the node to communicate with the Chef Server so it can download the cookbooks and recipes you have defined in its run-list, and eventually match the state you have defined in your Chef code.

knife bootstrap windows winrm ADDRESS --winrm-user USER --winrm-password 'PASSWORD' --node-name node1 --run-list 'recipe[learn_chef_iis]'

As part of the bootstrapping process for Windows the chef-client package is retrieved from the Internet. You can see this in the process output:

C:\Users\Administrator>goto install
Checking for existing downloaded package at "C:\Users\ADMINI~1\AppData\Local\Temp\chef-client-latest.msi"
No existing downloaded packages to delete.
Attempting to download client package using PowerShell if available...
powershell.exe -ExecutionPolicy Unrestricted -NoProfile -NonInteractive -File C:\chef\wget.ps1 "" "C:\Users\ADMINI~1\AppData\Local\Temp\chef-client-latest.msi"
Download via PowerShell succeeded.
Installing downloaded client package...
C:\Users\Administrator>msiexec /qn /log "C:\Users\ADMINI~1\AppData\Local\Temp\chef-client-msi7958.log" /i "C:\Users\ADMINI~1\AppData\Local\Temp\chef-client-latest.msi"
Successfully installed Chef Client package.
Installation completed successfully

If you are working in a locked-down environment, perhaps behind a firewall, this can be problematic. If your node is unable to retrieve a package from the Internet, the bootstrapping process will fail.

The workaround is to use a (currently) undocumented argument, --msi-url, in your bootstrap command.

This argument accepts a remote location as well as a local system path. This means you can use an internal package hosting service of some kind, or reference the package location on the node’s filesystem, perhaps baked into your images.

knife bootstrap windows winrm ADDRESS --winrm-user USER --winrm-password 'PASSWORD' --node-name node1 --msi-url C:/tmp/chef-client.msi

Voila, your locked down instance is bootstrapped.
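Once the package comes from a server or a path you control rather than from Chef's site, checking that it is the package you intended becomes your job. The script below is an added example (not from the original post): it verifies the staged MSI against a SHA-256 obtained out of band before assembling the knife command shown above. The node address, node name, MSI URL and the EXPECTED_SHA256 value are all placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Verifies an internally
# staged chef-client MSI against a known SHA-256 before pointing --msi-url
# at it. Every address, hostname and the EXPECTED_SHA256 value is a
# placeholder to be replaced.

# verify_msi FILE EXPECTED_SHA256: return 0 on match, 1 on mismatch or
# missing file. Uses GNU sha256sum, falling back to BSD/macOS shasum.
verify_msi() {
  msi="$1"; expected="$2"
  [ -f "$msi" ] || return 1
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$msi" | awk '{print $1}')
  else
    actual=$(shasum -a 256 "$msi" | awk '{print $1}')
  fi
  # Published digests are sometimes upper-case; compare case-insensitively.
  [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = \
    "$(printf '%s' "$expected" | tr 'A-Z' 'a-z')" ]
}

# build_bootstrap_cmd ADDRESS NODE_NAME MSI_URL: print the knife command so
# it can be reviewed before it is run. MSI_URL may be an internal HTTP(S)
# URL or a path on the node's own filesystem, as the post describes.
build_bootstrap_cmd() {
  printf "knife bootstrap windows winrm %s --winrm-user USER --winrm-password 'PASSWORD' --node-name %s --msi-url %s\n" \
    "$1" "$2" "$3"
}

# stage_and_bootstrap FILE ADDRESS NODE_NAME MSI_URL: refuse to emit the
# bootstrap command unless FILE matches EXPECTED_SHA256 from the environment.
stage_and_bootstrap() {
  if verify_msi "$1" "${EXPECTED_SHA256:-REPLACE_WITH_VENDOR_SHA256}"; then
    build_bootstrap_cmd "$2" "$3" "$4"
  else
    echo "refusing to bootstrap: $1 missing or checksum mismatch" >&2
    return 1
  fi
}

# Usage (runs only when invoked directly with four arguments):
#   EXPECTED_SHA256=<digest> ./stage.sh ./chef-client.msi 10.0.0.5 node1 C:/tmp/chef-client.msi
if [ "$#" -eq 4 ]; then
  stage_and_bootstrap "$@"
fi
```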

Joe Gardiner
Technical Architect

An experienced technical architect with a focus on vendor and MSP pre-sales.