1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
|
#
# Author:: Seth Chisamore (<schisamo@chef.io>)
# Copyright:: Copyright (c) Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require_relative "bootstrap_context"
require_relative "../../util/path_helper"
require_relative "../../dist"
class Chef
class Knife
module Core
# Instances of BootstrapContext are the context objects (i.e., +self+) for
# bootstrap templates. For backwards compatibility, they +must+ set the
# following instance variables:
# * @config - a hash of knife's config values
# * @run_list - the run list for the node to bootstrap
#
class WindowsBootstrapContext < BootstrapContext
attr_accessor :config, :chef_config
def initialize(config, run_list, chef_config, secret = nil)
@config = config
@run_list = run_list
@chef_config = chef_config
@secret = secret
super(config, run_list, chef_config, secret)
end
# This is a duplicate of ChefConfig::PathHelper.cleanpath, however
# this presumes Windows so we can avoid changing the method definitions
# across Chef, ChefConfig, and ChefUtils for the circumstance where
# the methods are being run for a system other than the one Ruby is
# executing on.
#
# We only need to cleanpath the paths that we are passing to cmd.exe,
# anything written to a configuration file or passed as an argument
# will be interpreted by ruby later and do the right thing.
def cleanpath(path)
path = Pathname.new(path).cleanpath.to_s
path.gsub(File::SEPARATOR, '\\')
end
def validation_key
if File.exist?(File.expand_path(chef_config[:validation_key]))
IO.read(File.expand_path(chef_config[:validation_key]))
else
false
end
end
def secret
escape_and_echo(config[:secret])
end
def trusted_certs_script
@trusted_certs_script ||= trusted_certs_content
end
def config_content
client_rb = <<~CONFIG
chef_server_url "#{chef_config[:chef_server_url]}"
validation_client_name "#{chef_config[:validation_client_name]}"
file_cache_path "#{ChefConfig::Config.var_chef_dir(true)}/cache"
file_backup_path "#{ChefConfig::Config.var_chef_dir(true)}/backup"
cache_options ({:path => "#{ChefConfig::Config.etc_chef_dir(true)}/cache/checksums", :skip_expires => true})
CONFIG
unless chef_config[:chef_license].nil?
client_rb << "chef_license \"#{chef_config[:chef_license]}\"\n"
end
if config[:chef_node_name]
client_rb << %Q{node_name "#{config[:chef_node_name]}"\n}
else
client_rb << "# Using default node name (fqdn)\n"
end
if chef_config[:config_log_level]
client_rb << %Q{log_level :#{chef_config[:config_log_level]}\n}
else
client_rb << "log_level :auto\n"
end
client_rb << "log_location #{get_log_location}"
# We configure :verify_api_cert only when it's overridden on the CLI
# or when specified in the knife config.
if !config[:node_verify_api_cert].nil? || config.key?(:verify_api_cert)
value = config[:node_verify_api_cert].nil? ? config[:verify_api_cert] : config[:node_verify_api_cert]
client_rb << %Q{verify_api_cert #{value}\n}
end
# We configure :ssl_verify_mode only when it's overridden on the CLI
# or when specified in the knife config.
if config[:node_ssl_verify_mode] || config.key?(:ssl_verify_mode)
value = case config[:node_ssl_verify_mode]
when "peer"
:verify_peer
when "none"
:verify_none
when nil
config[:ssl_verify_mode]
else
nil
end
if value
client_rb << %Q{ssl_verify_mode :#{value}\n}
end
end
if config[:ssl_verify_mode]
client_rb << %Q{ssl_verify_mode :#{config[:ssl_verify_mode]}\n}
end
if config[:bootstrap_proxy]
client_rb << "\n"
client_rb << %Q{http_proxy "#{config[:bootstrap_proxy]}"\n}
client_rb << %Q{https_proxy "#{config[:bootstrap_proxy]}"\n}
client_rb << %Q{no_proxy "#{config[:bootstrap_no_proxy]}"\n} if config[:bootstrap_no_proxy]
end
if config[:bootstrap_no_proxy]
client_rb << %Q{no_proxy "#{config[:bootstrap_no_proxy]}"\n}
end
if config[:secret]
client_rb << %Q{encrypted_data_bag_secret "#{ChefConfig::Config.etc_chef_dir(true)}/encrypted_data_bag_secret"\n}
end
unless trusted_certs_script.empty?
client_rb << %Q{trusted_certs_dir "#{ChefConfig::Config.etc_chef_dir(true)}/trusted_certs"\n}
end
if chef_config[:fips]
client_rb << "fips true\n"
end
escape_and_echo(client_rb)
end
def get_log_location
if chef_config[:config_log_location].equal?(:win_evt)
%Q{:#{chef_config[:config_log_location]}\n}
elsif chef_config[:config_log_location].equal?(:syslog)
raise "syslog is not supported for log_location on Windows OS\n"
elsif chef_config[:config_log_location].equal?(STDOUT)
"STDOUT\n"
elsif chef_config[:config_log_location].equal?(STDERR)
"STDERR\n"
elsif chef_config[:config_log_location].nil? || chef_config[:config_log_location].empty?
"STDOUT\n"
elsif chef_config[:config_log_location]
%Q{"#{chef_config[:config_log_location]}"\n}
else
"STDOUT\n"
end
end
def start_chef
bootstrap_environment_option = bootstrap_environment.nil? ? "" : " -E #{bootstrap_environment}"
start_chef = "SET \"PATH=%SystemRoot%\\system32;%SystemRoot%;%SystemRoot%\\System32\\Wbem;%SYSTEMROOT%\\System32\\WindowsPowerShell\\v1.0\\;C:\\ruby\\bin;#{ChefConfig::Config.c_opscode_dir}\\bin;#{ChefConfig::Config.c_opscode_dir}\\embedded\\bin\;%PATH%\"\n"
start_chef << "#{Chef::Dist::CLIENT} -c #{ChefConfig::Config.etc_chef_dir(true)}/client.rb -j #{ChefConfig::Config.etc_chef_dir(true)}/first-boot.json#{bootstrap_environment_option}\n"
end
def win_wget
# I tried my best to figure out how to properly url decode and switch / to \
# but this is VBScript - so I don't really care that badly.
win_wget = <<~WGET
url = WScript.Arguments.Named("url")
path = WScript.Arguments.Named("path")
proxy = null
'* Vaguely attempt to handle file:// scheme urls by url unescaping and switching all
'* / into \. Also assume that file:/// is a local absolute path and that file://<foo>
'* is possibly a network file path.
If InStr(url, "file://") = 1 Then
url = Unescape(url)
If InStr(url, "file:///") = 1 Then
sourcePath = Mid(url, Len("file:///") + 1)
Else
sourcePath = Mid(url, Len("file:") + 1)
End If
sourcePath = Replace(sourcePath, "/", "\\")
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.Fileexists(path) Then objFSO.DeleteFile path
objFSO.CopyFile sourcePath, path, true
Set objFSO = Nothing
Else
Set objXMLHTTP = CreateObject("MSXML2.ServerXMLHTTP")
Set wshShell = CreateObject( "WScript.Shell" )
Set objUserVariables = wshShell.Environment("USER")
rem http proxy is optional
rem attempt to read from HTTP_PROXY env var first
On Error Resume Next
If NOT (objUserVariables("HTTP_PROXY") = "") Then
proxy = objUserVariables("HTTP_PROXY")
rem fall back to named arg
ElseIf NOT (WScript.Arguments.Named("proxy") = "") Then
proxy = WScript.Arguments.Named("proxy")
End If
If NOT isNull(proxy) Then
rem setProxy method is only available on ServerXMLHTTP 6.0+
Set objXMLHTTP = CreateObject("MSXML2.ServerXMLHTTP.6.0")
objXMLHTTP.setProxy 2, proxy
End If
On Error Goto 0
objXMLHTTP.open "GET", url, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0
Set objFSO = Createobject("Scripting.FileSystemObject")
If objFSO.Fileexists(path) Then objFSO.DeleteFile path
Set objFSO = Nothing
objADOStream.SaveToFile path
objADOStream.Close
Set objADOStream = Nothing
End If
Set objXMLHTTP = Nothing
End If
WGET
escape_and_echo(win_wget)
end
def win_wget_ps
win_wget_ps = <<~WGET_PS
param(
[String] $remoteUrl,
[String] $localPath
)
$ProxyUrl = $env:http_proxy;
$webClient = new-object System.Net.WebClient;
if ($ProxyUrl -ne '') {
$WebProxy = New-Object System.Net.WebProxy($ProxyUrl,$true)
$WebClient.Proxy = $WebProxy
}
$webClient.DownloadFile($remoteUrl, $localPath);
WGET_PS
escape_and_echo(win_wget_ps)
end
def install_chef
# The normal install command uses regular double quotes in
# the install command, so request such a string from install_command
install_command('"') + "\n" + fallback_install_task_command
end
def bootstrap_directory
cleanpath(ChefConfig::Config.etc_chef_dir(true))
end
def local_download_path
"%TEMP%\\#{Chef::Dist::CLIENT}-latest.msi"
end
# Build a URL to query www.chef.io that will redirect to the correct
# Chef Infra msi download.
def msi_url(machine_os = nil, machine_arch = nil, download_context = nil)
if config[:msi_url].nil? || config[:msi_url].empty?
url = "https://www.chef.io/chef/download?p=windows"
url += "&pv=#{machine_os}" unless machine_os.nil?
url += "&m=#{machine_arch}" unless machine_arch.nil?
url += "&DownloadContext=#{download_context}" unless download_context.nil?
url += "&channel=#{config[:channel]}"
url += "&v=#{version_to_install}"
else
config[:msi_url]
end
end
def first_boot
escape_and_echo(super.to_json)
end
# escape WIN BATCH special chars
# and prefixes each line with an
# echo
def escape_and_echo(file_contents)
file_contents.gsub(/^(.*)$/, 'echo.\1').gsub(/([(<|>)^])/, '^\1')
end
private
def install_command(executor_quote)
"msiexec /qn /log #{executor_quote}%CHEF_CLIENT_MSI_LOG_PATH%#{executor_quote} /i #{executor_quote}%LOCAL_DESTINATION_MSI_PATH%#{executor_quote}"
end
# Returns a string for copying the trusted certificates on the workstation to the system being bootstrapped
# This string should contain both the commands necessary to both create the files, as well as their content
def trusted_certs_content
content = ""
if chef_config[:trusted_certs_dir]
Dir.glob(File.join(Chef::Util::PathHelper.escape_glob_dir(chef_config[:trusted_certs_dir]), "*.{crt,pem}")).each do |cert|
content << "> #{bootstrap_directory}/trusted_certs/#{File.basename(cert)} (\n" +
escape_and_echo(IO.read(File.expand_path(cert))) + "\n)\n"
end
end
content
end
def client_d_content
content = ""
if chef_config[:client_d_dir] && File.exist?(chef_config[:client_d_dir])
root = Pathname(chef_config[:client_d_dir])
root.find do |f|
relative = f.relative_path_from(root)
if f != root
file_on_node = "#{bootstrap_directory}/client.d/#{relative}".tr("/", "\\")
if f.directory?
content << "mkdir #{file_on_node}\n"
else
content << "> #{file_on_node} (\n" +
escape_and_echo(IO.read(File.expand_path(f))) + "\n)\n"
end
end
end
end
content
end
def fallback_install_task_command
# This command will be executed by schtasks.exe in the batch
# code below. To handle tasks that contain arguments that
# need to be double quoted, schtasks allows the use of single
# quotes that will later be converted to double quotes
command = install_command("'")
<<~EOH
@set MSIERRORCODE=!ERRORLEVEL!
@if ERRORLEVEL 1 (
@echo WARNING: Failed to install #{Chef::Dist::PRODUCT} MSI package in remote context with status code !MSIERRORCODE!.
@echo WARNING: This may be due to a defect in operating system update KB2918614: http://support.microsoft.com/kb/2918614
@set OLDLOGLOCATION="%CHEF_CLIENT_MSI_LOG_PATH%-fail.log"
@move "%CHEF_CLIENT_MSI_LOG_PATH%" "!OLDLOGLOCATION!" > NUL
@echo WARNING: Saving installation log of failure at !OLDLOGLOCATION!
@echo WARNING: Retrying installation with local context...
@schtasks /create /f /sc once /st 00:00:00 /tn chefclientbootstraptask /ru SYSTEM /rl HIGHEST /tr \"cmd /c #{command} & sleep 2 & waitfor /s %computername% /si chefclientinstalldone\"
@if ERRORLEVEL 1 (
@echo ERROR: Failed to create #{Chef::Dist::PRODUCT} installation scheduled task with status code !ERRORLEVEL! > "&2"
) else (
@echo Successfully created scheduled task to install #{Chef::Dist::PRODUCT}.
@schtasks /run /tn chefclientbootstraptask
@if ERRORLEVEL 1 (
@echo ERROR: Failed to execute #{Chef::Dist::PRODUCT} installation scheduled task with status code !ERRORLEVEL!. > "&2"
) else (
@echo Successfully started #{Chef::Dist::PRODUCT} installation scheduled task.
@echo Waiting for installation to complete -- this may take a few minutes...
waitfor chefclientinstalldone /t 600
if ERRORLEVEL 1 (
@echo ERROR: Timed out waiting for #{Chef::Dist::PRODUCT} package to install
) else (
@echo Finished waiting for #{Chef::Dist::PRODUCT} package to install.
)
@schtasks /delete /f /tn chefclientbootstraptask > NUL
)
)
) else (
@echo Successfully installed #{Chef::Dist::PRODUCT} package.
)
EOH
end
end
end
end
end
|
