How to add a Windows node to Chef
I have 3 servers.
I followed this guide for the chef master and chef workstation:
https://www.itzgeek.com/how-tos/linux/centos-how-tos/setup-chef-12-centos-7-rhel-7.html
chefmaster 192.168.1.200 Centos7
chefworkstation 192.168.1.200 Centos7
reverseode 192.168.1.210 Windows Server 2016
I have set up a Windows user with administrator access on the server.
User: chefUSER
I have chefmaster set up and configured, running chef 13.1.13.
I have chefworkstation set up and configured, running chefdk-0.19.6-1.el7.x86_64.
Google searches only seem to tell me how to install the Chef server on Windows. I am trying to install the client so the server becomes a node.
I have tried:
    knife bootstrap -o winrm 192.168.1.210 -u chefUSER -P PASSWORD
    [root@chefworkstation .chef]# chef -v
    ChefDK version: 4.6.35
    Chef Infra Client version: 15.5.17
    Chef InSpec version: 4.18.39
    Test Kitchen version: 2.3.4
    Foodcritic version: 16.2.0
    Cookstyle version: 5.13.7
    [root@chefworkstation .chef]# knife bootstrap -o winrm 192.168.1.210 -u chefUSER -P PASSWORD -N winnode1 -VV
    INFO: Using configuration from /root/chef-repo/.chef/knife.rb
    DEBUG: Checking if we need to accept Chef license to bootstrap node
    DEBUG: Reading products and relationships...
    DEBUG: Successfully read products and relationships
    DEBUG: License acceptance required for chef version: 15
    DEBUG: Searching for the following licenses: ["infra-client", "inspec"]
    DEBUG: Found license chef_infra_client at /etc/chef/accepted_licenses/chef_infra_client
    DEBUG: Found license inspec at /etc/chef/accepted_licenses/inspec
    DEBUG: Missing licenses remaining: []
    DEBUG: All licenses present
    Connecting to 192.168.1.210
    DEBUG: winrm-fs requested, loading WinRM::FS gem (~> 1.0)
    DEBUG: WinRM::FS previously loaded
    DEBUG: [WinRM] @192.168.1.210<{:transport=>:negotiate, :disable_sspi=>false, :basic_auth_only=>false, :endpoint=>"http://192.168.1.210:5985/wsman", :user=>"administrator", :password=>"<hidden>", :no_ssl_peer_verification=>false, :realm=>nil, :service=>nil, :ca_trust_file=>nil, :ssl_peer_fingerprint=>nil}> (Write-Host '[WinRM] Established ')
    DEBUG: [WinRM] opening remote shell on http://192.168.1.210:5985/wsman
    DEBUG: [WinRM] Endpoint doesn't support config request for MaxEnvelopsizekb
    DEBUG: [WinRM] opening remote shell on http://192.168.1.210:5985/wsman
    DEBUG: [WinRM] Endpoint doesn't support config request for MaxEnvelopsizekb
From the source:
    ./lib/ruby/gems/2.6.0/gems/winrm-2.3.3/lib/winrm/shells/power_shell.rb

    # calculate the maximum fragment size so that they will be as large as possible yet
    # no greater than the max_envelope_size_kb on the end point. To calculate this
    # threshold, we:
    # - determine the maximum number of bytes accepted on the endpoint
    # - subtract the non-fragment characters in the SOAP envelope
    # - determine the number of bytes that could be base64 encoded to the above length
    # - subtract the fragment header bytes (ids, length, etc)
    def max_envelope_size_kb
      @max_envelope_size_kb ||= begin
        config_msg = WinRM::WSMV::Configuration.new(connection_opts)
        msg = config_msg.build
        resp_doc = transport.send_request(msg)
        REXML::XPath.first(resp_doc, "//*[local-name() = 'MaxEnvelopeSizekb']").text.to_i
      ensure
        logger.debug("[WinRM] Endpoint doesn't support config request for MaxEnvelopsizekb")
      end
      # rubocop:enable Layout/RescueEnsureAlignment
    end
From here I changed a few settings in my winrm, which did not seem to make any difference.
    PS C:\Windows\system32> winrm get winrm/config
    Config
        MaxEnvelopeSizekb = 500
        MaxTimeoutms = 60000
        MaxBatchItems = 32000
        MaxProviderRequests = 4294967295
        Client
            NetworkDelayms = 5000
            URLPrefix = wsman
            AllowUnencrypted = true
            Auth
                Basic = true
                Digest = true
                Kerberos = true
                Negotiate = true
                Certificate = true
                CredSSP = false
            DefaultPorts
                HTTP = 5985
                HTTPS = 5986
            TrustedHosts
        Service
            RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;
            MaxConcurrentOperations = 4294967295
            MaxConcurrentOperationsPerUser = 1500
            EnumerationTimeoutms = 240000
            MaxConnections = 300
            MaxPacketRetrievalTimeSeconds = 120
            AllowUnencrypted = true
            Auth
                Basic = true
                Kerberos = true
                Negotiate = true
                Certificate = false
                CredSSP = false
                CbtHardeningLevel = Relaxed
            DefaultPorts
                HTTP = 5985
                HTTPS = 5986
            IPv4Filter = *
            IPv6Filter = *
            EnableCompatibilityHttpListener = true
            EnableCompatibilityHttpsListener = false
            CertificateThumbprint
            AllowRemoteAccess = true
        Winrs
            AllowRemoteShellAccess = true
            IdleTimeout = 7200000
            MaxConcurrentUsers = 2147483647
            MaxShellRunTime = 2147483647
            MaxProcessesPerShell = 2147483647
            MaxMemoryPerShellMB = 2147483647
            MaxShellsPerUser = 2147483647
Most of this came from https://www.itzgeek.com/how-tos/linux/centos-how-tos/setup-chef-12-centos-7-rhel-7.html and is about 90% correct; the parts that did not work are probably because that page references an older version of chef.
3 servers:
Centos 7 - 192.168.1.200 chefmaster.local chefmaster
Centos 7 - 192.168.1.201 chefworkstation.local chefworkstation
Windows Server 2016 Datacenter (Desktop Experience) - 192.168.1.210 winsrv2016n1.local winsrv2016n1
Configure the chefmaster server:
    cat /etc/hosts
    192.168.1.200 chefmaster.local chefmaster
    192.168.1.201 chefworkstation.local chefworkstation
    192.168.1.210 winsrv2016n1.local winsrv2016n1
Disable selinux - not sure if this is needed.
    sed -i 's/=enforcing/=disabled/g' /etc/selinux/config
Update the hostname:
    sed -i "1s/.*/chefmaster.local/" /etc/hostname
    hostnamectl set-hostname chefmaster.local
Update the server if needed:
    yum update -y
Reboot the server:
    reboot now
Install what is needed:
    yum -y install wget vim
Install the Chef Infra server:
    wget https://packages.chef.io/files/stable/chef-server/13.1.13/el/7/chef-server-core-13.1.13-1.el7.x86_64.rpm
    rpm -ivh chef-server-core-*.rpm
    chef-server-ctl reconfigure
    chef-server-ctl status
Create the admin user:
Example:
    chef-server-ctl user-create USER_NAME FIRST_NAME LAST_NAME EMAIL 'PASSWORD' -f PATH_FILE_NAME
What I used:
    chef-server-ctl user-create chefadmin chef admin chefadmin@example.com 'PASSWORD' -f /etc/chef/chefadmin.pem
Create the organization:
Example:
    chef-server-ctl org-create short_name 'full_organization_name' --association_user user_name --filename ORGANIZATION-validator.pem
What I used:
    chef-server-ctl org-create Myorgname "Myorg Name" --association_user chefadmin -f /etc/chef/Myorgname-validator.pem
Open the firewall:
    firewall-cmd --permanent --zone public --add-service http
    firewall-cmd --permanent --zone public --add-service https
    firewall-cmd --reload
Install the management console:
    chef-server-ctl install chef-manage
    chef-server-ctl reconfigure
    chef-manage-ctl reconfigure
==============================================================
Configure the chefworkstation server:
    cat /etc/hosts
    192.168.1.200 chefmaster.local chefmaster
    192.168.1.201 chefworkstation.local chefworkstation
    192.168.1.210 winsrv2016n1.local winsrv2016n1
Disable selinux - not sure if this is needed.
    sed -i 's/=enforcing/=disabled/g' /etc/selinux/config
Update the hostname:
    sed -i "1s/.*/chefworkstation.local/" /etc/hostname
    hostnamectl set-hostname chefworkstation.local
Update the server if needed:
    yum update -y
Reboot the server:
    reboot now
Install chefdk:
    wget https://packages.chef.io/files/stable/chefdk/4.6.35/el/7/chefdk-4.6.35-1.el7.x86_64.rpm
    rpm -ivh chefdk-*.rpm
    chef verify
Verify Ruby:
    which ruby
    echo 'eval "$(chef shell-init bash)"' >> ~/.bash_profile
    . ~/.bash_profile
    which ruby
The verify Ruby output should look like this:
    /opt/chefdk/embedded/bin/ruby
Install and configure git:
    yum -y install git
    cd ~
    chef generate repo chef-repo
    ls -al ~/chef-repo/
    git config --global user.name "chefadmin"
    git config --global user.email "chefadmin@anthonyfornito.com"
    cd ~/chef-repo/
    git init
    mkdir -p ~/chef-repo/.chef
    echo '.chef' >> ~/chef-repo/.gitignore
    cd ~/chef-repo/
    git add .
    git commit -m "initial commit"
    git status
Copy the pem files created in the "Configure the chefmaster server" section:
    scp -pr root@chefmaster:/etc/chef/chefadmin.pem ~/chef-repo/.chef/
    scp -pr root@chefmaster:/etc/chef/anthonyfornito-validator.pem ~/chef-repo/.chef/
Create the knife file:
    vi ~/chef-repo/.chef/knife.rb
knife.rb contents:
    current_dir = File.dirname(__FILE__)
    log_level :info
    log_location STDOUT
    node_name "chefadmin"
    client_key "#{current_dir}/chefadmin.pem"
    validation_client_name "Myorgname-validator"
    validation_key "#{current_dir}/Myorgname-validator.pem"
    chef_server_url "https://chefmaster.local/organizations/Myorgname"
    syntax_check_cache_path "#{ENV['HOME']}/.chef/syntaxcache"
    cookbook_path ["#{current_dir}/../cookbooks"]
Check the ssl connection:
    knife client list
You may see an ssl error.
Run the ssl check to see what is missing:
    knife ssl check
    .....
    * ssl_ca_path: nil
    * ssl_ca_file: nil
    ----
Fetch the ssl certificate:
    knife ssl fetch
Now recheck the client list:
    knife client list
You should see:
    Myorgname-validator
===================================================
Configure the Windows Server 2016 server:
Enable access to port 5985.
From Windows Firewall with Advanced Security:
Click Inbound Rules.
Sort the list by Local Port.
Find the "Windows Remote Management (HTTP-In)" rules (there are 2).
Since I am not using a domain, all I had to do was configure the Public one.
Right-click the rule.
Select Properties.
Click the Scope tab.
Change Remote IP address:
from:
These IP addresses:
to:
Any IP address
Run the following commands from an administrator PowerShell:
    winrm set winrm/config/client/auth '@{Basic="true"}'
    winrm set winrm/config/service/auth '@{Basic="true"}'
    winrm set winrm/config/service '@{AllowUnencrypted="true"}'
===================================================
Run the following command on the chefworkstation server to add the Windows Server 2016 client.
Example:
    knife bootstrap -o winrm CLIENTHOSTNAME -u ADMINWINUSER -P ADMINPASSWORD -VV
What I used:
    knife bootstrap -o winrm winsrv2016n1 -u Administrator -P PASSWORD -VV
This takes a while, but after about 20 minutes it was added as a client under the management console.
Keep in mind there are some major security holes to fix, but this should get anyone started.
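As an added example (not code from the post, from Chef or from the winrm gem), the following Ruby script audits the `winrm get winrm/config` dump shown in the question against the settings the answer enables for bootstrap: it parses the indented output into dotted paths and reports which of AllowUnencrypted, Basic auth, CbtHardeningLevel and the HTTPS listener certificate are still at their weak values, so the "security holes" mentioned above can be checked once the node has joined. SAMPLE_CONFIG is constructed from the values in the question's dump; `parse_winrm_config`, `audit_winrm_config` and `CHECKS` are names chosen here.

```ruby
# Added example (not code from the post, Chef or the winrm gem): parse the text
# `winrm get winrm/config` prints and flag the settings the post enables for
# bootstrap (AllowUnencrypted, Basic auth). SAMPLE_CONFIG is constructed from the post's dump.
SAMPLE_CONFIG = <<~TXT
  Config
      MaxEnvelopeSizekb = 500
      Client
          AllowUnencrypted = true
          Auth
              Basic = true
      Service
          AllowUnencrypted = true
          Auth
              Basic = true
              CbtHardeningLevel = Relaxed
          CertificateThumbprint
TXT

# Build {"Config.Service.Auth.Basic" => "true", ...} from the indented dump.
# A line without "=" is a section header or an empty key; it gets the value nil.
def parse_winrm_config(text)
  settings = {}
  stack = [] # [indent, name] pairs for the enclosing sections
  text.each_line do |raw|
    line = raw.rstrip
    next if line.empty?
    indent = line[/\A */].length
    stack.pop while stack.any? && stack.last[0] >= indent
    name, value = line.strip.split(/\s*=\s*/, 2)
    settings[(stack.map(&:last) + [name]).join(".")] = value
    stack.push([indent, name])
  end
  settings
end

# Setting path, the weak value to look for, the hardened value, and why it matters.
CHECKS = [
  ["Config.Service.AllowUnencrypted", "true", "false", "WinRM traffic in plaintext"],
  ["Config.Client.AllowUnencrypted", "true", "false", "WinRM traffic in plaintext"],
  ["Config.Service.Auth.Basic", "true", "false", "password only base64-encoded"],
  ["Config.Client.Auth.Basic", "true", "false", "password only base64-encoded"],
  ["Config.Service.Auth.CbtHardeningLevel", "Relaxed", "Strict", "channel binding not enforced"],
  ["Config.Service.CertificateThumbprint", "", "a cert thumbprint", "no HTTPS listener (5986)"]
].freeze

# Returns one finding string per weak setting still present in the dump.
def audit_winrm_config(text)
  settings = parse_winrm_config(text)
  CHECKS.select { |path, weak, _, _| settings.key?(path) && settings[path].to_s.casecmp?(weak) }
        .map { |path, _, hard, why| "#{path} = #{settings[path].inspect}: #{why}; set to #{hard}" }
end
```

Feed it the saved output of `winrm get winrm/config` from the node; an empty result means none of the bootstrap-time settings are still in their weak state.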