Given how scripting makes processes faster when operating across large, distributed IT resource fleets, Chef uses PowerShell scripting for all commands. Although not necessary, still it is recommended that you run a specific on-prem or cloud server for the Chef Infra Server. While the Chef Infra Server runs only on Linux systems, the Chef client is platform agnostic and can be installed on any operating system. Ideally, installing Chef Workstation is the easiest way to work with all Chef tools from one control center.
What is Chef Workstation?
Chef Workstation is a collection of tools that enable your fleet devices to interact securely with your Chef Server. It includes Chef Knife, InSpec, Cookstyle, Habitat, and Test Kitchen. It also contains embedded Ruby and other dependencies, so you don’t have to install anything else to start working with Chef tools
Chef Infra
The Chef Infra Server acts as a hub for configuration data. It stores cookbooks, the policies applied to nodes, and metadata that describes each registered node that the Chef Infra client manages.
A Chef-Client is an agent that runs locally on every node under management by Chef.
Get started by Downloading Chef Workstation to access Chef Infra server and Client.
Set up the Environment
Chef Server
To get started and install Infra Server, follow the guide “Install the Chef Infra Server”.
Chef Client
Download and install Workstation for Windows here. Verify the installation in
your PowerShell with the command $ chef -v
After the installation of Chef Infra Client, it is located at C:\opscode
. The main configuration file for Chef Infra Client is at C:\chef\client.rb
On Windows, Chef Infra Client must have two entries added to the PATH environment variable:
C:\opscode\chef\bin
C:\opscode\chef\embedded\bin
This is typically done during the installation of Chef Infra Client automatically. If these values (for any reason) are not in the PATH environment variable, Chef Infra Client will not run properly.
On the Windows target node, ensure WinRM is enabled and the ports 5985 and 5986 are listening.
Set up the $ knife credentials
file with the command $ knife configure init-config
and fill in all the required details.
By default, this file would be in C:\Users\<username>\.chef
Edit the file from the PowerShell or directly from GUI using any text editor and include cookbook_path
.
cookbook_path=["~/chef-repo/cookbooks"]
Copy the user.pem
file from the Automate server to your .chef directory
Create a new Chef repo to store all your chef content.
$ chef generate repo chef-repo
The default path of this repo would be “C:\Users\<username>\chef-repo&rdquo
; From the PowerShell, run the $ knife
command to fetch and verify the configuration.
$ knife ssl fetch
$ knife ssl check
$ knife client list
You must enable the WS-Management protocol on your workstation and set up the default configuration for remote management with the command.
$ winrm quickconfig
Adjust your firewall behaviour to make it public
and listen on port 5985
.
$ netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" profile=public protocol=tcp localport=5985 remoteip=localsubnet new remoteip=any
To set the configuration for the WinRM client, use the Winrm Set command and specify the client.
$ winrm set winrm/config/client/auth '@{Basic="true"}'
To set the configuration for the WinRM server, use the Winrm Set command and specify the service.
$ winrm set winrm/config/service/auth '@{Basic="true"}'
The $ knife windows
subcommand is to interact with Windows systems managed by Chef Infra. Configuring nodes using WinRM allows external applications to call native objects like batch scripts, Windows PowerShell scripts, or scripting
library variables. Bootstrap target nodes using knife bootstrap.
More information on knife windows
$ Knife bootstrap -o winrm <IP of VM> -U “<Username>” -P “<Password>” –node-name “<Nodename>”
$ knife bootstrap -o winrm 54.173.234.32 -U Administrator -P '.&2T$AWo2GaV(j6H(.h33cRmD=&j-&H' --node-name "windows1"
You can get details of the node by using $ knife node show <node-name>
Create a Cookbook
On your cookbook repo (~/chef-repo/cookbooks/)
, execute the following $ chef generate cookbook nginx -k dokken
where nginx
is a cookbook name. This will create a new cookbook and auto-create a kitchen.yml
file.
Default path of the cookbook will be C:\Users\<user-name>\chef-repo\cookbooks
In the new nginx
cookbooks directory, ~/chef-repo/cookbooks/nginx/ create a new recipe.
$ chef generate recipe webserver
Where weberver
is the name of the recipe, and this will create ~/chef-repo/cookbooks/nginx/recipes/webserver.rb
along with an existing default.rb recipe file.
Edit the webserver.rb file and include the below code.
# Cookbook:: nginx
# Recipe:: webserver
# Copyright:: 2021, Akshay Parvatikar.
include_profile: 'nginx::webserver'
if platform?(‘windows’)
windows_feature ‘Web-Server’ do
action
:install
end
windows_feature ‘Web-Mgmt-Console’ do
action :install
end
end
end
You can edit the default recipe default.rb
or create a new recipe webserver.rb
to ensure it runs on your bootstrapped nodes. If you’re creating a new recipe don’t forget to include the recipe filename in your default
file.
include_recipe 'cookbook-name::recipe-file-name'
include_recipe 'nginx::webserver'
The next step is to create an attributes file.
Attributes represent information about your node. You can set attributes in Chef recipes or separate attribute files. Attributes can also be set directly in recipes. You must precede the attribute name with the node when you set an attribute directly in a recipe.
Edit your default.rb
file in the attribute directory.
$ chef generate attribute default
default['audit']['reporter'] = %w(chef-server-automate cli)
Once created and saved run $ cookstyle -a
to check the syntax of your recipes, and other files and correct them.
When your recipes are error-free, you can upload them to the Chef server using the command.
$ knife cookbook upload <cookbook_name>
Create an InSpec profile to verify your cookbooks
You can now place compliance profiles inside a cookbook and upload as part of a Policyfile workflow all in one step.
$ mkdir compliance
you can have more than one profile. Use inspec to generate a profile called webserver.
$ inspec init profile <profile-name>
$ inspec init profile webserver
The inspec
command creates a directory named webserver
and a sub-directory called controls
. Inside controls is an example.rb
file. You can rename the file as per your naming convention.
InSpec profiles contain controls, which describe each test you want to perform. You can have multiple control files based on your solutioning.
In the example below the control is called windows-client and it has an impact of 1.0, which is the highest priority. The control then adds logic to run different tests based on whether the target node is Windows or not. The described entries tell Chef to check those resources on each system.
control 'windows-client' do
impact 1.0
title 'Check Softwares'
if os.windows?
describe windows_feature('Web-Server') do
it { should be_installed }
end
describe
windows_feature(‘Web-Mgmt-Console’)do
it { should be_installed }
end
end
end
Assign the recipes to the bootstrapped node with the command.
$ knife node run_list add
<node_name>'recipe[<cookbook_name>]'
Next would be to make changes to your policy file Policyfile.rb
where the cookbooks and compliance profiles are packaged together and pushed to the Chef server.
$ chef install Policyfile.rb
$ chef push <policy_group> Policyfile.lock.json
The last step would be to login to remote node and run $ sudo chef-client
, which will take the recipe from the Chef server and install/run on the nodes.
Alternative is, instead of going in client and giving the command $ sudo chef-client
, you can directly get the results with $ knife ssh
command from your workstation.
$ knife ssh 'name: *' 'sudo chef-client' -a <ip-addressof VM>
Conclusion
This document explains on how to implement Chef with Windows environment, and how to run your first recipes with InSpec profiles.
Next Steps
Once you have knowledge on Chef basics you can get into real-life scenarios by looking at the Chef Infra 101: The Road to Best Practices guide.
As you get to experience on Chef infra, Working with InSpec with existing infrastructure becomes easy.
Resources
Learn Chef is great place to start your journey with workstation and InSpec.
Want to Learn more about Chef InSpec?
Understand how Chef work with multi-cloud setup.
Watch a Chef InSpec training video