Knife bootstrap is pretty sweet. Specify your chef version, and your node is up and registered! Right? Uh, right? Unless it's windows 7.
Windows 7 is the bee's knees! Stable, reliable, standard. Does all the things! Except, as it turns out, winrm, which a lot of the 'hot' provisioning/packaging tools are using.
There's a trend toward using the 180-day unregistered trial versions of win8 servers for production and development. I guess that's ok if you develop a biannual packer process for replenishing them. Or you don't need to build or test on win7.
The features that win8 comes with, and win7 doesn't, are powershell 4 and winrm (remote management). These things are what make deployment easy-breezy. It turns out, winrm replaces ssh in some deploy components.
The current standard chef knife-windows way of using it is to install it, disable security and encryption, and send instructions over plaintext to a machine with no ssl cert on http. AWESOME.
The future includes some new commands to knife yourself a windows ssl cert (self-signed), and establish encrypted secure comms. Whew.
You know what winrm hates on win7 before you can get going? Opening firewall rules on a machine that has ever installed a virtualbox network adapter! Without a gateway, the network on win7 shows up as 'unknown', which defaults to the more secure public setting. Easy configuration of winrm barfs when any network is public. You can edit a reg key and modify local policy to say 'all unknown network types are now private', which is technically true if that's all you have (local lan and vbox sans-gateway), but it's a pain to work out the details.
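To see which of these states a win7 box is actually in (the plaintext winrm setup and the public-network problem described above), here is a read-only audit, added as an example and not taken from the original post or from knife-windows. It assumes "disable security and encryption" means the service-side `AllowUnencrypted` and `Auth\Basic` settings, that the WinRM service is running, and that the prompt is elevated; the function name is hypothetical.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Written to run on the PowerShell 2.0 that ships with Windows 7.
function Get-WinRMAuditFinding {
    $findings = @()

    # Service-side settings; the WSMan provider returns the strings 'true'/'false'.
    # Assumption: these two are what "disable security and encryption" flips.
    $unencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    $basic       = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    if ($unencrypted -eq 'true') { $findings += 'Service accepts unencrypted traffic (AllowUnencrypted=true)' }
    if ($basic -eq 'true')       { $findings += 'Service accepts Basic authentication (Auth\Basic=true)' }
    if ($unencrypted -eq 'true' -and $basic -eq 'true') {
        $findings += 'Basic over unencrypted transport: credentials are only base64-encoded on the wire'
    }

    # Listeners: each entry exposes its selector keys, e.g. 'Transport=HTTP'.
    $listeners = @(Get-ChildItem WSMan:\localhost\Listener)
    $https = @($listeners | Where-Object { $_.Keys -contains 'Transport=HTTPS' })
    $http  = @($listeners | Where-Object { $_.Keys -contains 'Transport=HTTP' })
    if ($https.Count -eq 0) { $findings += 'No HTTPS listener configured' }
    if ($http.Count -gt 0)  { $findings += 'Plain HTTP listener present' }

    # Network categories via the Network List Manager COM API
    # (Get-NetConnectionProfile does not exist on Windows 7).
    $nlm = [Activator]::CreateInstance(
        [Type]::GetTypeFromCLSID([Guid]'DCB00C01-570F-4A9B-8D69-199FDBA5723B'))
    foreach ($net in $nlm.GetNetworks(1)) {   # 1 = connected networks only
        if ($net.GetCategory() -eq 0) {       # 0 = public, 1 = private, 2 = domain
            $findings += "Network '$($net.GetName())' is categorized Public"
        }
    }
    return $findings
}

# @() keeps the result an array even when nothing is found.
$result = @(Get-WinRMAuditFinding)
if ($result.Count -eq 0) { 'No findings.' } else { $result }
```

A box bootstrapped the insecure way should report the first four findings; one with an HTTPS listener and encryption required should report none of them.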
Also? If your base image already comes with visual studio or any .net upgrades, you're going to have to uninstall all that crap to get powershell 4 and its useful cmdlets. Because that version will only install if you have exactly 4.5 .net RTM installed. So, goodbye and hello, vs2012 and newer. And 4.5.2, 4.5.1, and whatever other flavors are too new to install powershell.
So, once you have a fresh install of windows with dotnet 4.5, powershell4, reconfigured insecure winrm, you're ready to go into production with windows7? NOPE NOPE. You can install some chef knife-windows tools from the pre-release github 1.0 builds to cut certs and secure things down. At least, in theory. I haven't tested that far out yet.
But you know what incites my rage a little? Ansible powershell script for rolling out / activating winrm. I literally chose a tool (chef) that couldn't windows fast enough, and isn't python. WHY. Regrets.
But the insecure knife bootstrap of win7 works great! Once you get there.