Quick and dirty recipe to install Halo using Chef on Windows Servers

Last week I went to ChefConf 2013 and attended the “Managing Windows” workshop which was great. During the session I was able to take what I learned from the presentations and create a simple recipe to install Halo using Chef. Chef is a powerful tool since it can be rather straightforward to bootstrap a server with a collection of recipes in a single run_list. Who knew? I’ll walk through a simplified bootstrap process using knife to demonstrate how Halo can become part of your automated deployment infrastructure.

I won’t go into detail on setting up a free Hosted Chef account, but it’s not that hard. Sign up for a free account here. For this post I’ll use the same workstation I used in the workshop, but any Chef supported workstation should work.

1. Install chef on Ubuntu 12.04 Desktop as a chef-workstation.

This will leverage your free Hosted Chef-server account. In a terminal, run the following commands to install chef.

curl -L | sudo bash

I had problems installing the next requirement. The fix was to run sudo su - and to run:

apt-get install g++
apt-get install build-essential
apt-get install libxslt-dev
apt-get install libxml2-dev

*NOTE: apt-get install g++ (may not be necessary/available on Ubuntu Server)

Also add “/opt/chef/embedded/bin:/opt/chef/bin” to the $PATH environment variable for both your user and root.

gem install knife-windows

Download the -validator.pem, .pem and knife.rb (part 2/Chef Repo in the learnchef “QuickStart Guide”)

Download the .zip or clone the chef-repo from GitHub using git. Unzip it, then move and rename it to ~/chef-repo

Move the .pem files and knife.rb into the local repo

mv ~/Downloads/*.pem ~/chef-repo/.chef
mv ~/Downloads/knife.rb ~/chef-repo/.chef

To verify it’s set up correctly, run the command: knife client list

You should see something like: -validator

In the screenshot below, you’ll also see the servers I managed with chef during the work:

[Screenshot: Install Chef Knife Test]

2. Download the powershell cookbook which we’ll be using as a Halo dependency.

wget -O ~/chef-repo/cookbooks/
unzip ~/chef-repo/cookbooks/ -d ~/chef-repo/cookbooks
mv ~/chef-repo/cookbooks/powershell-master ~/chef-repo/cookbooks/powershell

3. Download the cloudpassage_windows cookbook which contains our recipe.

It’s a subdirectory within our cloudpassage_tools repo.

wget -O ~/chef-repo/
unzip ~/chef-repo/ -d ~/chef-repo
cp -r ~/chef-repo/cloudpassage_tools-master/chef/cloudpassage_windows/ ~/chef-repo/cookbooks/

4. Edit ~/chef-repo/cookbooks/cloudpassage_windows/attributes/default.rb to add your specific Halo account daemon-key, current Halo version, and serverGroup tag

The Daemon-key is account specific and can be found under Settings > Site Administration > Daemon Settings


The current Windows version is: cphalo-2.7.8-win64.exe

The serverGroup tag will automatically move the Server into the associated serverGroup and apply all Cloud Firewall, Configuration Security, or Intrusion Detection policies assigned to the serverGroup. (For more information see: Dynamic Security)

The attributes/default.rb file should look something like this:


5. Upload the cookbooks to your chef-server account by running this command:

knife cookbook upload -a

6. Spin up a Windows Server 2008 or 2012 instance.

The catch is that Windows Remote Management needs to be running and listening for connections. Knife’s bootstrap command offers two mechanisms to install chef and run recipes on the Windows server. It supports ssh or winrm.

For this example we’ll be using winrm. ChefConf 2013 provided EC2 instances, but here’s a preconfigured public instance I found: Windows_Server-2008-R2_SP1-English-64Bit-Base-WinRM-2012.04.11

Even though this AMI has WinRM enabled, Opscode recommends specific WinRM settings. They have complete instructions and references to Microsoft KB articles. Open a cmd.exe prompt as an Administrator and run the following commands:

winrm quickconfig -q
winrm set winrm/config/winrs @{MaxMemoryPerShellMB="300"}
winrm set winrm/config @{MaxTimeoutms="1800000"}
winrm set winrm/config/service @{AllowUnencrypted="true"}
winrm set winrm/config/service/auth @{Basic="true"}

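* These settings are designed for development and test purposes only. With AllowUnencrypted and Basic both set to true, the WinRM service accepts the account password over a connection that is not encrypted.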
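Once bootstrapping is finished, it is worth confirming that the two development-only service settings were not left enabled. The Ruby script below is an added example, not part of the original post or the Opscode instructions; it parses a constructed sample of `winrm get winrm/config` output and reports which of those settings are still on.

```ruby
# Added example: flag the dev/test-only WinRM service settings from step 6
# in the output of `winrm get winrm/config`.

# Service-side settings that step 6 turns on, with the value that is risky.
RISKY = {
  'Config/Service/AllowUnencrypted' => 'true',
  'Config/Service/Auth/Basic'       => 'true'
}.freeze

# Constructed sample output (not captured from a real host).
SAMPLE = <<~OUT
  Config
      MaxTimeoutms = 1800000
      Client
          AllowUnencrypted = false
          Auth
              Basic = true
      Service
          AllowUnencrypted = true
          Auth
              Basic = true
              Kerberos = true
          AllowRemoteAccess = true
      Winrs
          MaxMemoryPerShellMB = 300
OUT

# Flatten the indented "Key = value" tree into path => value pairs,
# so Service settings are not confused with the Client ones of the same name.
def parse_winrm_config(text)
  stack = [] # [indent, name] for each enclosing section
  flat = {}
  text.each_line do |line|
    next if line.strip.empty?
    indent = line[/\A */].size
    stack.pop while !stack.empty? && stack.last[0] >= indent
    key, value = line.strip.split(/\s*=\s*/, 2)
    if value.nil?
      stack.push([indent, key]) # section header (or a key with no value)
    else
      flat[(stack.map(&:last) + [key]).join('/')] = value
    end
  end
  flat
end

# Paths of risky settings still enabled; tolerates a ' [Source="GPO"]' suffix.
def risky_settings(text)
  config = parse_winrm_config(text)
  RISKY.select { |path, bad| config[path].to_s.split.first.to_s.downcase == bad }.keys.sort
end

puts risky_settings(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

An empty result means neither setting is enabled on the service side; the Client section's Basic = true in the sample is deliberately not reported.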

7. Here’s the magic.

Bootstrap the running Windows server with Halo by passing in the run_list parameter and include both the powershell and cloudpassage_windows cookbooks.

knife bootstrap windows winrm  -x  -P "" -r "powershell,cloudpassage_windows"

You should see output similar to this, which shows that the recipe was successfully deployed!

[Screenshot: install halo using chef]

You will also see the new server in the portal dashboard. For this post, the server name is AMAZONA-P0RI2H1


Good luck and happy cooking!
