class Chef::Knife::Bootstrap
Attributes
Public Instance Methods
Common configuration for all protocols
# File lib/chef/knife/bootstrap.rb, line 865 def base_opts port = config_value(:connection_port, knife_key_for_protocol(connection_protocol, :port)) user = config_value(:connection_user, knife_key_for_protocol(connection_protocol, :user)) {}.tap do |opts| opts[:logger] = Chef::Log # We do not store password in Chef::Config, so only use CLI `config` here opts[:password] = config[:connection_password] if config.key?(:connection_password) opts[:user] = user if user opts[:max_wait_until_ready] = config_value(:max_wait).to_f unless config_value(:max_wait).nil? # TODO - when would we need to provide rdp_port vs port? Or are they not mutually exclusive? opts[:port] = port if port end end
build the command string for bootrapping @return String
# File lib/chef/knife/bootstrap.rb, line 1043 def bootstrap_command(remote_path) if connection.windows? "cmd.exe /C #{remote_path}" else "sh #{remote_path}" end end
Establish bootstrap context for template rendering. Requires connection to be a live connection in order to determine the correct platform.
# File lib/chef/knife/bootstrap.rb, line 530 def bootstrap_context @bootstrap_context ||= if connection.windows? require_relative "core/windows_bootstrap_context" Knife::Core::WindowsBootstrapContext.new(config, config[:run_list], Chef::Config, secret) else require_relative "core/bootstrap_context" Knife::Core::BootstrapContext.new(config, config[:run_list], Chef::Config, secret) end end
@return [String] The CLI specific bootstrap template or the default
# File lib/chef/knife/bootstrap.rb, line 486 def bootstrap_template # Allow passing a bootstrap template or use the default config[:bootstrap_template] || default_bootstrap_template end
Determine if we need to accept the Chef
Infra license locally in order to successfully bootstrap the remote node. Remote 'chef-client' run will fail if it is >= 15 and the license is not accepted locally.
# File lib/chef/knife/bootstrap.rb, line 446 def check_license Chef::Log.debug("Checking if we need to accept Chef license to bootstrap node") version = config[:bootstrap_version] || Chef::VERSION.split(".").first acceptor = LicenseAcceptance::Acceptor.new(logger: Chef::Log, provided: Chef::Config[:chef_license]) if acceptor.license_required?("chef", version) Chef::Log.debug("License acceptance required for chef version: #{version}") license_id = acceptor.id_from_mixlib("chef") acceptor.check_and_persist(license_id, version) Chef::Config[:chef_license] ||= acceptor.acceptance_value end end
# File lib/chef/knife/bootstrap.rb, line 437 def chef_vault_handler @chef_vault_handler ||= Chef::Knife::Bootstrap::ChefVaultHandler.new( knife_config: config, ui: ui ) end
# File lib/chef/knife/bootstrap.rb, line 429 def client_builder @client_builder ||= Chef::Knife::Bootstrap::ClientBuilder.new( chef_config: Chef::Config, knife_config: config, ui: ui ) end
Looks up configuration entries, first in the class member `config` which contains options populated from CLI flags. If the entry is not found there, Chef::Config[KEY] is checked.
knife_config_key should be specified if the knife config lookup key is different from the CLI flag lookup key.
# File lib/chef/knife/bootstrap.rb, line 1021 def config_value(key, knife_config_key = nil, default = nil) if config.key? key config[key] else lookup_key = knife_config_key || key if Chef::Config[:knife].key?(lookup_key) || config.key?(lookup_key) Chef::Config[:knife][lookup_key] || config[lookup_key] else default end end end
# File lib/chef/knife/bootstrap.rb, line 616 def connect! ui.info("Connecting to #{ui.color(server_name, :bold)}") opts = connection_opts.dup do_connect(opts) rescue Train::Error => e # We handle these by message text only because train only loads the # transports and protocols that it needs - so the exceptions may not be defined, # and we don't want to require files internal to train. if e.message =~ /fingerprint (\S+) is unknown for "(.+)"/ # Train::Transports::SSHFailed fingerprint = $1 hostname, ip = $2.split(",") # TODO: convert the SHA256 base64 value to hex with colons # 'ssh' example output: # RSA key fingerprint is e5:cb:c0:e2:21:3b:12:52:f8:ce:cb:00:24:e2:0c:92. # ECDSA key fingerprint is 5d:67:61:08:a9:d7:01:fd:5e:ae:7e:09:40:ef:c0:3c. # will exit 3 on N ui.confirm <<~EOM The authenticity of host '#{hostname} (#{ip})' can't be established. fingerprint is #{fingerprint}. Are you sure you want to continue connecting EOM # FIXME: this should save the key to known_hosts but doesn't appear to be config[:ssh_verify_host_key] = :accept_new do_connect(connection_opts(reset: true)) elsif ssh? && e.cause && e.cause.class == Net::SSH::AuthenticationFailed if connection.password_auth? raise else ui.warn("Failed to authenticate #{opts[:user]} to #{server_name} - trying password auth") password = ui.ask("Enter password for #{opts[:user]}@#{server_name}.") do |q| q.echo = false end end opts.merge! force_ssh_password_opts(password) do_connect(opts) else raise end end
@return a configuration hash suitable for connecting to the remote host via train
# File lib/chef/knife/bootstrap.rb, line 843 def connection_opts(reset: false) return @connection_opts unless @connection_opts.nil? || reset == true @connection_opts = {} @connection_opts.merge! base_opts @connection_opts.merge! host_verify_opts @connection_opts.merge! gateway_opts @connection_opts.merge! sudo_opts @connection_opts.merge! winrm_opts @connection_opts.merge! ssh_opts @connection_opts.merge! ssh_identity_opts @connection_opts end
url values override CLI flags, if you provide both we'll use the one that you gave in the URL.
# File lib/chef/knife/bootstrap.rb, line 662 def connection_protocol return @connection_protocol if @connection_protocol from_url = host_descriptor =~ /^(.*):\/\// ? $1 : nil from_cli = config[:connection_protocol] from_knife = Chef::Config[:knife][:connection_protocol] @connection_protocol = from_url || from_cli || from_knife || "ssh" end
The default bootstrap template to use to bootstrap a server. This is a public API hook which knife plugins use or inherit and override.
@return [String] Default bootstrap template
# File lib/chef/knife/bootstrap.rb, line 462 def default_bootstrap_template if connection.windows? "windows-#{Chef::Dist::CLIENT}-msi" else "chef-full" end end
# File lib/chef/knife/bootstrap.rb, line 670 def do_connect(conn_options) @connection = TrainConnector.new(host_descriptor, connection_protocol, conn_options) connection.connect! end
# File lib/chef/knife/bootstrap.rb, line 491 def find_template template = bootstrap_template # Use the template directly if it's a path to an actual file if File.exists?(template) Chef::Log.trace("Using the specified bootstrap template: #{File.dirname(template)}") return template end # Otherwise search the template directories until we find the right one bootstrap_files = [] bootstrap_files << File.join(File.dirname(__FILE__), "bootstrap/templates", "#{template}.erb") bootstrap_files << File.join(Knife.chef_config_dir, "bootstrap", "#{template}.erb") if Chef::Knife.chef_config_dir Chef::Util::PathHelper.home(".chef", "bootstrap", "#{template}.erb") { |p| bootstrap_files << p } bootstrap_files << Gem.find_files(File.join("chef", "knife", "bootstrap", "#{template}.erb")) bootstrap_files.flatten! template_file = Array(bootstrap_files).find do |bootstrap_template| Chef::Log.trace("Looking for bootstrap template in #{File.dirname(bootstrap_template)}") File.exists?(bootstrap_template) end unless template_file ui.info("Can not find bootstrap definition for #{template}") raise Errno::ENOENT end Chef::Log.trace("Found bootstrap template: #{template_file}") template_file end
# File lib/chef/knife/bootstrap.rb, line 541 def first_boot_attributes @config[:first_boot_attributes] || @config[:first_boot_attributes_from_file] || {} end
Config
overrides to force password auth.
# File lib/chef/knife/bootstrap.rb, line 1003 def force_ssh_password_opts(password) { password: password, non_interactive: false, keys_only: false, key_files: [], auth_methods: [:password, :keyboard_interactive], } end
# File lib/chef/knife/bootstrap.rb, line 933 def gateway_opts opts = {} if config_value(:ssh_gateway) split = config_value(:ssh_gateway).split("@", 2) if split.length == 1 gw_host = split[0] else gw_user = split[0] gw_host = split[1] end gw_host, gw_port = gw_host.split(":", 2) # TODO - validate convertable port in config validation? gw_port = Integer(gw_port) rescue nil opts[:bastion_host] = gw_host opts[:bastion_user] = gw_user opts[:bastion_port] = gw_port end opts end
# File lib/chef/knife/bootstrap.rb, line 657 def handle_ssh_error(e) end
# File lib/chef/knife/bootstrap.rb, line 470 def host_descriptor Array(@name_args).first end
# File lib/chef/knife/bootstrap.rb, line 881 def host_verify_opts if winrm? { self_signed: config_value(:winrm_no_verify_cert) === true } elsif ssh? # Fall back to the old knife config key name for back compat. { verify_host_key: config_value(:ssh_verify_host_key, :host_key_verify, "always") } else {} end end
These keys are available in Chef::Config
, and are prefixed with the protocol name. For example, :user CLI option will map to :winrm_user and :ssh_user Chef::Config
keys, based on the connection protocol in use.
# File lib/chef/knife/bootstrap.rb, line 1059 def knife_key_for_protocol(protocol, option) "#{connection_protocol}_#{option}".to_sym end
# File lib/chef/knife/bootstrap.rb, line 603 def perform_bootstrap(remote_bootstrap_script_path) ui.info("Bootstrapping #{ui.color(server_name, :bold)}") cmd = bootstrap_command(remote_bootstrap_script_path) r = connection.run_command(cmd) do |data| ui.msg("#{ui.color(" [#{connection.hostname}]", :cyan)} #{data}") end if r.exit_status != 0 ui.error("The following error occurred on #{server_name}:") ui.error(r.stderr) exit 1 end end
Create the server that we will bootstrap, if necessary
Plugins that subclass bootstrap, e.g. knife-ec2, can use this method to call out to an API to build an instance of the server we wish to bootstrap
@return [TrueClass] If instance successfully created, or exits
# File lib/chef/knife/bootstrap.rb, line 777 def plugin_create_instance! true end
Perform any teardown or cleanup necessary by the plugin
Plugins that subclass bootstrap, e.g. knife-ec2, can use this method to display a message or perform any cleanup
@return [void]
# File lib/chef/knife/bootstrap.rb, line 794 def plugin_finalize end
Perform any setup necessary by the plugin
Plugins that subclass bootstrap, e.g. knife-ec2, can use this method to create connection objects
@return [TrueClass] If instance successfully created, or exits
# File lib/chef/knife/bootstrap.rb, line 786 def plugin_setup! end
Validate any additional options
Plugins that subclass bootstrap, e.g. knife-ec2, can use this method to validate any additonal options before any other actions are executed
@return [TrueClass] If options are valid or exits
# File lib/chef/knife/bootstrap.rb, line 768 def plugin_validate_options! true end
# File lib/chef/knife/bootstrap.rb, line 579 def register_client # chef-vault integration must use the new client-side hawtness, otherwise to use the # new client-side hawtness, just delete your validation key. if chef_vault_handler.doing_chef_vault? || (Chef::Config[:validation_key] && !File.exist?(File.expand_path(Chef::Config[:validation_key]))) unless config[:chef_node_name] ui.error("You must pass a node name with -N when bootstrapping with user credentials") exit 1 end client_builder.run chef_vault_handler.run(client_builder.client) bootstrap_context.client_pem = client_builder.client_path else ui.info <<~EOM Performing legacy client registration with the validation key at #{Chef::Config[:validation_key]}... Delete your validation key in order to use your user credentials for client registration instead. EOM end end
# File lib/chef/knife/bootstrap.rb, line 545 def render_template @config[:first_boot_attributes] = first_boot_attributes template_file = find_template template = IO.read(template_file).chomp Erubis::Eruby.new(template).evaluate(bootstrap_context) end
# File lib/chef/knife/bootstrap.rb, line 552 def run check_license plugin_setup! validate_name_args! validate_protocol! validate_first_boot_attributes! validate_winrm_transport_opts! validate_policy_options! plugin_validate_options! winrm_warn_no_ssl_verification warn_on_short_session_timeout plugin_create_instance! $stdout.sync = true connect! register_client content = render_template bootstrap_path = upload_bootstrap(content) perform_bootstrap(bootstrap_path) plugin_finalize ensure connection.del_file!(bootstrap_path) if connection && bootstrap_path end
# File lib/chef/knife/bootstrap.rb, line 523 def secret @secret ||= encryption_secret_provided_ignore_encrypt_flag? ? read_secret : nil end
The server_name
is the DNS or IP we are going to connect to, it is not necessarily the node name, the fqdn, or the hostname of the server. This is a public API hook which knife plugins use or inherit and override.
@return [String] The DNS or IP that bootstrap will connect to
# File lib/chef/knife/bootstrap.rb, line 479 def server_name if host_descriptor @server_name ||= host_descriptor.split("@").reverse[0] end end
# File lib/chef/knife/bootstrap.rb, line 860 def ssh? connection_protocol == "ssh" end
# File lib/chef/knife/bootstrap.rb, line 902 def ssh_identity_opts opts = {} return opts if winrm? identity_file = config_value(:ssh_identity_file) if identity_file opts[:key_files] = [identity_file] # We only set keys_only based on the explicit ssh_identity_file; # someone may use a gateway key and still expect password auth # on the target. Similarly, someone may have a default key specified # in knife config, but have provided a password on the CLI. # REVIEW NOTE: this is a new behavior. Originally, ssh_identity_file # could only be populated from CLI options, so there was no need to check # for this. We will also set keys_only to false only if there are keys # and no password. # If both are present, train(via net/ssh) will prefer keys, falling back to password. # Reference: https://github.com/chef/chef/blob/master/lib/chef/knife/ssh.rb#L272 opts[:keys_only] = config.key?(:connection_password) == false else opts[:key_files] = [] opts[:keys_only] = false end gateway_identity_file = config_value(:ssh_gateway) ? config_value(:ssh_gateway_identity) : nil unless gateway_identity_file.nil? opts[:key_files] << gateway_identity_file end opts end
# File lib/chef/knife/bootstrap.rb, line 892 def ssh_opts opts = {} return opts if winrm? opts[:pty] = true # ensure we can talk to systems with requiretty set true in sshd config opts[:non_interactive] = true # Prevent password prompts from underlying net/ssh opts[:forward_agent] = (config_value(:ssh_forward_agent) === true) opts[:connection_timeout] = session_timeout opts end
use_sudo - tells bootstrap to use the sudo command to run bootstrap use_sudo_password - tells bootstrap to use the sudo command to run bootstrap
and to use the password specified with --password
TODO: I'd like to make our sudo options sane: –sudo (bool) - use sudo –sudo-password PASSWORD (default: :password) - use this password for sudo –sudo-options “opt,opt,opt” to pass into sudo –sudo-command COMMAND sudo command other than sudo REVIEW NOTE: knife bootstrap did not pull sudo values from Chef::Config
,
should we change that for consistency?
# File lib/chef/knife/bootstrap.rb, line 963 def sudo_opts return {} if winrm? opts = { sudo: false } if config[:use_sudo] opts[:sudo] = true if config[:use_sudo_password] opts[:sudo_password] = config[:connection_password] end if config[:preserve_home] opts[:sudo_options] = "-H" end end opts end
# File lib/chef/knife/bootstrap.rb, line 1034 def upload_bootstrap(content) script_name = connection.windows? ? "bootstrap.bat" : "bootstrap.sh" remote_path = connection.normalize_path(File.join(connection.temp_dir, script_name)) connection.upload_file_content!(content, remote_path) remote_path end
Fail if both first_boot_attributes
and first_boot_attributes_from_file are set.
# File lib/chef/knife/bootstrap.rb, line 677 def validate_first_boot_attributes! if @config[:first_boot_attributes] && @config[:first_boot_attributes_from_file] raise Chef::Exceptions::BootstrapCommandInputError end true end
fail if the server_name
is nil
# File lib/chef/knife/bootstrap.rb, line 709 def validate_name_args! if server_name.nil? ui.error("Must pass an FQDN or ip to bootstrap") exit 1 end end
Ensure options are valid by checking policyfile values.
The method call will cause the program to exit(1) if:
* Only one of --policy-name and --policy-group is specified * Policyfile options are set and --run-list is set as well
@return [TrueClass] If options are valid.
# File lib/chef/knife/bootstrap.rb, line 723 def validate_policy_options! if incomplete_policyfile_options? ui.error("--policy-name and --policy-group must be specified together") exit 1 elsif policyfile_and_run_list_given? ui.error("Policyfile options and --run-list are exclusive") exit 1 end end
Ensure a valid protocol is provided for target host connection
The method call will cause the program to exit(1) if:
* Conflicting protocols are given via the target URI and the --protocol option * The protocol is not a supported protocol
@return [TrueClass] If options are valid.
# File lib/chef/knife/bootstrap.rb, line 740 def validate_protocol! from_cli = config[:connection_protocol] if from_cli && connection_protocol != from_cli # Hanging indent to align with the ERROR: prefix ui.error <<~EOM The URL '#{host_descriptor}' indicates protocol is '#{connection_protocol}' while the --protocol flag specifies '#{from_cli}'. Please include only one or the other. EOM exit 1 end unless SUPPORTED_CONNECTION_PROTOCOLS.include?(connection_protocol) ui.error <<~EOM Unsupported protocol '#{connection_protocol}'. Supported protocols are: #{SUPPORTED_CONNECTION_PROTOCOLS.join(" ")} EOM exit 1 end true end
Fail if using plaintext auth without ssl because this can expose keys in plaintext on the wire. TODO test for this method TODO check that the protoocol is valid.
# File lib/chef/knife/bootstrap.rb, line 688 def validate_winrm_transport_opts! return true unless winrm? if Chef::Config[:validation_key] && !File.exist?(File.expand_path(Chef::Config[:validation_key])) if config_value(:winrm_auth_method) == "plaintext" && config_value(:winrm_ssl) != true ui.error <<~EOM Validatorless bootstrap over unsecure winrm channels could expose your key to network sniffing. Please use a 'winrm_auth_method' other than 'plaintext', or enable ssl on #{server_name} then use the ---winrm-ssl flag to connect. EOM exit 1 end end true end
If session_timeout
is too short, it is likely a holdover from “–winrm-session-timeout” which used minutes as its unit, instead of seconds. Warn the human so that they are not surprised.
# File lib/chef/knife/bootstrap.rb, line 802 def warn_on_short_session_timeout if session_timeout && session_timeout <= 15 ui.warn <<~EOM You provided '--session-timeout #{session_timeout}' second(s). Did you mean '--session-timeout #{session_timeout * 60}' seconds? EOM end end
# File lib/chef/knife/bootstrap.rb, line 856 def winrm? connection_protocol == "winrm" end
# File lib/chef/knife/bootstrap.rb, line 978 def winrm_opts return {} unless winrm? auth_method = config_value(:winrm_auth_method, :winrm_auth_method, "negotiate") opts = { winrm_transport: auth_method, # winrm gem and train calls auth method 'transport' winrm_basic_auth_only: config_value(:winrm_basic_auth_only) || false, ssl: config_value(:winrm_ssl) === true, ssl_peer_fingerprint: config_value(:winrm_ssl_peer_fingerprint), } if auth_method == "kerberos" opts[:kerberos_service] = config_value(:kerberos_service) if config_value(:kerberos_service) opts[:kerberos_realm] = config_value(:kerberos_realm) if config_value(:kerberos_service) end if config_value(:ca_trust_file) opts[:ca_trust_path] = config_value(:ca_trust_file) end opts[:operation_timeout] = session_timeout opts end
# File lib/chef/knife/bootstrap.rb, line 811 def winrm_warn_no_ssl_verification return unless winrm? # REVIEWER NOTE # The original check from knife plugin did not include winrm_ssl_peer_fingerprint # Reference: # https://github.com/chef/knife-windows/blob/92d151298142be4a4750c5b54bb264f8d5b81b8a/lib/chef/knife/winrm_knife_base.rb#L271-L273 # TODO Seems like we should also do a similar warning if ssh_verify_host == false if config_value(:ca_trust_file).nil? && config_value(:winrm_no_verify_cert) && config_value(:winrm_ssl_peer_fingerprint).nil? ui.warn <<~WARN * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * SSL validation of HTTPS requests for the WinRM transport is disabled. HTTPS WinRM connections are still encrypted, but knife is not able to detect forged replies or spoofing attacks. To work around this issue you can use the flag `--winrm-no-verify-cert` or add an entry like this to your knife configuration file: # Verify all WinRM HTTPS connections knife[:winrm_no_verify_cert] = true You can also specify a ca_trust_file via --ca-trust-file, or the expected fingerprint of the target host's certificate via --winrm-ssl-peer-fingerprint. WARN end end
Private Instance Methods
True if one of policy_name or policy_group was given, but not both
# File lib/chef/knife/bootstrap.rb, line 1079 def incomplete_policyfile_options? (!!config[:policy_name] ^ config[:policy_group]) end
True if policy_name and run_list are both given
# File lib/chef/knife/bootstrap.rb, line 1066 def policyfile_and_run_list_given? run_list_given? && policyfile_options_given? end
# File lib/chef/knife/bootstrap.rb, line 1074 def policyfile_options_given? !!config[:policy_name] end
# File lib/chef/knife/bootstrap.rb, line 1070 def run_list_given? !config[:run_list].nil? && !config[:run_list].empty? end
session_timeout
option has a default that may not arrive, particularly if we're being invoked from a plugin that doesn't merge_config.
# File lib/chef/knife/bootstrap.rb, line 1085 def session_timeout timeout = config_value(:session_timeout) return options[:session_timeout][:default] if timeout.nil? timeout.to_i end