Tips and Tricks for Automating Windows with Chef

Post on 17-May-2015


DESCRIPTION

Nordstrom has been using Chef to automate Windows environments. Come by this talk to get some tips and tricks for managing your Windows-based environment with Chef. Tips such as:

• Using Mixlib::Shellout and PowershellOut to execute Windows tools and scripts as a Domain user

• Windows cookbook improvements, including Printer LWRP

• Diskpart cookbook

• Chef-keypass for better one-way encryption of data-bag secrets, including certs and passwords

• How to use Windows cookbook helpers

• Using the new Windows Registry resource in Chef 11

• Windows Sysnative for correctly locating Windows programs

• Perf improvement numbers for Ruby 1.9.3 in Chef 11 for Windows

• Recommended Ohai plugins to disable

TRANSCRIPT

Tips and Tricks for Automating Windows

Doug Ireton, Infrastructure Engineering

@dougireton / dougireton.com

Who am I?

• Infrastructure Engineer at Nordstrom

• I’ve been a tester, a developer and a sysadmin

• Working with Windows for 20 years


Who are you?

Agenda

• About Nordstrom

• A challenging first project

• What we’ve learned from automating Windows

• Twitter: #chefconf #winchef

Brick and Mortar still critical

A complex first project...

With Good Results...

Our First Real Chef Project

• Manual Steps: 48 -> 5

• Team Handoffs: 15 -> 1

• Provision Time: 22 hours -> 7

We Didn’t Have Run As

Fast-Forward to...

“I’ve noticed a considerable reduction in deployment time from base OS to fully functional app server.

We are also deploying a more consistent product to our customers now due to the automated configuration management.”

- Harvey Bendana, Nordstrom WebOps team

Windows Cookbook Helpers

win_friendly_path()

# include Windows::Helper from Opscode Windows Cookbook
::Chef::Recipe.send(:include, Windows::Helper)

# now you can call helper methods like win_friendly_path directly
my_batch_file = win_friendly_path('c:/temp/foo.bat')

execute "My batch file" do
  command my_batch_file  # c:\temp\foo.bat
end

locate_sysnative_cmd() helper for 64-bit Windows

# include Windows::Helper from Opscode Windows Cookbook
::Chef::Recipe.send(:include, Windows::Helper)

# On 64-bit Windows a 32-bit chef-client has System32 redirected to SysWOW64,
# so it would pick up the 32-bit DISM. The helper returns the
# %WINDIR%\sysnative path when that alias exists, else the System32 path,
# else the bare command name.
locate_sysnative_cmd("dism.exe")
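What the two helpers have to get right is the WoW64 edge case: a 32-bit chef-client on 64-bit Windows sees %WINDIR%\System32 redirected to SysWOW64, and the 32-bit DISM it would find there refuses to service a 64-bit image. The following is an added example, not the Opscode windows cookbook's own helper code: a stand-alone re-implementation of win_friendly_path and locate_sysnative_cmd with the %WINDIR% value and the file-exists probe injected, so the lookup order can be checked on any platform. The two host layouts (WOW64_HOST, NATIVE_HOST) are constructed.

```ruby
# Added example; not the Opscode windows cookbook's own code. Re-implements
# win_friendly_path and locate_sysnative_cmd with the %WINDIR% value and the
# exists-probe injected so the WoW64 lookup order runs offline.

# Turn a Ruby-style path into the backslash form cmd.exe and most Windows
# tools expect ('c:/temp/foo.bat' -> 'c:\temp\foo.bat').
def win_friendly_path(path)
  path.to_s.tr('/', '\\')
end

# Return the path of +cmd+ that a 64-bit Windows box should actually run.
#
# A 32-bit process on 64-bit Windows has %WINDIR%\System32 silently redirected
# to %WINDIR%\SysWOW64 (file system redirection), so a 32-bit chef-client that
# asks for System32\dism.exe gets the 32-bit DISM, which cannot service a
# 64-bit image. The %WINDIR%\Sysnative alias exists only for 32-bit processes
# and always points at the real 64-bit System32, so it is tried first; a 64-bit
# process (or 32-bit Windows) has no such alias and falls through to System32.
#
# windir:: value of %WINDIR%
# exist::  probe standing in for File.exist?, injected for offline tests
def locate_sysnative_cmd(cmd, windir: ENV.fetch('WINDIR', 'C:\Windows'),
                         exist: ->(p) { File.exist?(p) })
  candidates = [
    win_friendly_path("#{windir}/sysnative/#{cmd}"),
    win_friendly_path("#{windir}/system32/#{cmd}"),
  ]
  # nothing found under %WINDIR%: hand the bare name back and let PATH decide
  candidates.find { |p| exist.call(p) } || cmd
end

# Constructed file layouts (assumption, not captured from a real host). Keys
# are the paths that exist as seen by the chef-client process on that host.
WOW64_HOST = {                              # 32-bit chef-client, 64-bit Windows
  'C:\Windows\sysnative\dism.exe' => true,  # real 64-bit System32
  'C:\Windows\system32\dism.exe'  => true,  # actually SysWOW64 after redirection
}.freeze
NATIVE_HOST = {                             # 64-bit chef-client, or 32-bit Windows
  'C:\Windows\system32\dism.exe'  => true,
}.freeze

# Resolve +cmd+ against one of the constructed hosts.
def resolve_on(host, cmd)
  locate_sysnative_cmd(cmd, windir: 'C:\Windows',
                            exist: ->(p) { host.fetch(p, false) })
end

if __FILE__ == $PROGRAM_NAME
  puts resolve_on(WOW64_HOST, 'dism.exe')   # C:\Windows\sysnative\dism.exe
  puts resolve_on(NATIVE_HOST, 'dism.exe')  # C:\Windows\system32\dism.exe
end
```

The fallback to the bare command name is deliberate: if neither directory holds the binary, a PATH lookup is no worse than failing, and the caller's shell_out error handling reports the real problem.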

Run Commands As Another User

Encrypted Data Bags

“The system uses shared-key encryption. An encrypted file can only be decrypted by a node or a user with the same shared-key.”

http://docs.opscode.com/essentials_data_bags_encrypt.html

“That’s why storing encryption keys on the same system where the protected data resides violates all of the core principles of data protection.”

- Patrick Townsend, Townsend Security

http://web.townsendsecurity.com/bid/23881/PCI-DSS-2-0-and-Encryption-Key-Management

Chef-Vault

knife encrypt password

Use this knife command to encrypt the username and password that you want to protect.

$ knife encrypt password --search "role:web_server" \
    --username "mysql_user" --password "P@ssw0rd" \
    --admins "alice, bob, carol"

Securely manage passwords for Run As

# install the gem into Chef's own Ruby at compile time so the require below works
chef_gem "chef-vault"
require 'chef-vault'

# given a 'passwords' data bag
vault = ChefVault.new("passwords")

# get the 'mysql_user' data bag item
user = vault.user("mysql_user")

# decrypt the user's password (only a node or admin listed when the item
# was encrypted holds a copy of the item key)
password = user.decrypt_password

# do something with password
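The reason Chef-Vault answers the Townsend objection above is the key handling, not the cipher: an encrypted data bag needs one shared secret pushed to every node, whereas a vault item is sealed with a fresh random key that is wrapped separately with the RSA public key of each node matched by --search and each --admins user, the client key every Chef node and admin already has. The following is an added example, not chef-vault's own code, showing that structure in plain Ruby with OpenSSL. The principal names, the item, the password, the MiniVault module and its on-disk layout are this example's assumptions; chef-vault's real item format is Chef's encrypted data bag format.

```ruby
# Added example; not chef-vault's own code. A fresh AES-256-GCM key seals the
# item; that key is RSA-OAEP wrapped once per authorised principal. Names,
# secrets and the item layout are constructed for the demonstration.
require 'openssl'
require 'base64'
require 'json'

module MiniVault
  CIPHER = 'aes-256-gcm'
  OAEP   = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING  # never the PKCS#1 v1.5 default

  def self.b64(bytes)
    Base64.strict_encode64(bytes)
  end

  def self.unb64(text)
    Base64.strict_decode64(text)
  end

  # Seal +secret+ (a Hash) for the principals in +pubkeys+ ({ name => RSA pub }).
  def self.create(item_id, secret, pubkeys)
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.encrypt
    key = cipher.random_key            # 32 random bytes; only ever stored wrapped
    iv  = cipher.random_iv
    cipher.auth_data = item_id         # bind the ciphertext to this item name
    ct  = cipher.update(JSON.generate(secret)) + cipher.final
    {
      'id'   => item_id,
      'data' => { 'iv' => b64(iv), 'tag' => b64(cipher.auth_tag), 'ct' => b64(ct) },
      # one wrapped copy of the item key per principal; this is the role
      # chef-vault's <item>_keys data bag item plays
      'keys' => pubkeys.each_with_object({}) do |(name, pub), h|
        h[name] = b64(pub.public_encrypt(key, OAEP))
      end,
    }
  end

  # Open +item+ as principal +name+ holding RSA private key +priv+.
  # Returns the secret Hash, or nil when +name+ was never granted access, the
  # key does not unwrap the item key, or the ciphertext/tag was tampered with.
  def self.decrypt(item, name, priv)
    wrapped = item['keys'][name]
    return nil unless wrapped
    key = priv.private_decrypt(unb64(wrapped), OAEP)
    d = OpenSSL::Cipher.new(CIPHER)
    d.decrypt
    d.key = key
    d.iv  = unb64(item['data']['iv'])
    d.auth_tag  = unb64(item['data']['tag'])
    d.auth_data = item['id']
    JSON.parse(d.update(unb64(item['data']['ct'])) + d.final)
  rescue OpenSSL::OpenSSLError
    nil   # wrong private key (OAEP check fails) or GCM tag mismatch
  end
end

# Constructed principals: two web_server nodes and one admin that were in the
# knife encrypt run, plus a node (mallory) that was not. 2048-bit keys match
# Chef client keys; generating four of them dominates run time.
PRINCIPALS = %w[web01.mycorp.com web02.mycorp.com alice mallory].freeze
KEYS = PRINCIPALS.each_with_object({}) { |n, h| h[n] = OpenSSL::PKey::RSA.generate(2048) }

def build_demo_item
  granted = KEYS.reject { |n, _| n == 'mallory' }
                .each_with_object({}) { |(n, k), h| h[n] = k.public_key }
  MiniVault.create('mysql_user',
                   { 'username' => 'mysql_user', 'password' => 'P@ssw0rd' },
                   granted)
end

# True when +name+ can recover the secret with its own private key.
def can_read?(item, name)
  !MiniVault.decrypt(item, name, KEYS[name]).nil?
end

if __FILE__ == $PROGRAM_NAME
  item = build_demo_item
  puts MiniVault.decrypt(item, 'web01.mycorp.com', KEYS['web01.mycorp.com'])['password']
  puts can_read?(item, 'mallory')   # false: no wrapped key exists for her
end
```

Two properties are worth checking against your own vault: a principal absent from the keys map gets nothing to try, and a principal present in the map but holding the wrong private key fails at the OAEP unwrap, so a copy of someone else's wrapped key is useless without that node's client.pem. Adding a node later means wrapping the item key again for it (knife vault update in chef-vault), which is why the search is evaluated at encrypt time, not at read time.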

Run Commands as Another User

# 'user' is the vault item fetched above with vault.user("mysql_user")
ruby_block "Add server to WSUS group" do
  block do
    Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)

    # get password from Chef-Vault; this runs at converge time, inside the
    # block, rather than when the recipe is compiled
    password = user.decrypt_password

    # dsquery/dsmod run as the domain account, so the node's own machine
    # account needs no rights on the group; the pipe means cmd.exe runs it
    add_group = shell_out(
      "dsquery.exe computer -name #{ node['hostname'] } | dsmod group 'cn=patch_Tuesday,dc=mycorp,dc=com' -addmbr",
      {
        :user     => "my_user",
        :password => password,
        :domain   => "mycorp.com",
      }
    )
    add_group.error!  # fail the run if dsquery or dsmod exit non-zero
  end
end

Managing Devices

Manage disks, partitions, and drives

# Use Kevin Moser's diskpart cookbook
# 'disk' is a hash such as { :number => 1, :letter => 'E' }, typically
# taken from node attributes
diskpart_partition "create_#{disk[:letter]}:/" do
  disk_number disk[:number]
  letter disk[:letter]
  action :create
end

diskpart_partition "format_#{disk[:letter]}:/" do
  disk_number disk[:number]
  letter disk[:letter]
  action :format
end

Manage Printers and Printer Ports

# https://github.com/opscode-cookbooks/windows
# create a printer
windows_printer 'HP LaserJet 5th Floor' do
  driver_name 'HP LaserJet 4100 Series PCL6'
  ipv4_address '10.4.64.38'
end

Better Performance

Chef 11: Ruby Performance Improvements

30 - 50% faster Chef Client run time on Windows

Ohai Plugins to Disable on Windows

Ohai::Config[:disabled_plugins] = [
  # The following plugins are disabled as they are either not needed,
  # have poor performance, or do not apply to the Windows configuration
  # we use.
  "c", "cloud", "ec2", "rackspace", "eucalyptus", "command", "dmi",
  "dmi_common", "erlang", "groovy", "ip_scopes", "java", "keys",
  "lua", "mono", "network_listeners", "passwd", "perl",
  "php", "python", "ssh_host_key", "uptime", "virtualization",
  "windows::virtualization", "windows::kernel_devices"
]

Summary

Chef-Vault and Run As

moserke / chef-vault: Securely store and retrieve certificates and service acct passwords

opscode / mixlib-shellout: Run commands as another user

Manage disks and printers

moserke / diskpart-cookbook

opscode-cookbooks / windows v1.8.2 has Printer/Printer Port LWRPs

Performance Improvements

http://wiki.opscode.com/display/chef/Disabling+Ohai+Plugins

Call to Action

• IIS cookbook not idempotent for options

• Better bootstrapping using Kerberos

• Better integration with Active Directory

Will you join us? http://bit.ly/infeng

Go to Adam Edward’s talk right after this

• “Cooking on Windows without the Windows Cookbook”

• Seacliff A,B,C,D


Photo Credits

1. Slide 3: http://www.flickr.com/photos/benedictineuniversity/6021873707/sizes/l/

2. Slide 4: http://www.flickr.com/photos/kubina/278696130/sizes/l/

3. Slide 7: http://www.flickr.com/photos/orlando-herb/8167991591/sizes/l/

4. Slide 9: http://www.flickr.com/photos/ejbsf/8609182524/sizes/h/

5. Slide 10: http://www.flickr.com/photos/ashley-rly/3768328487/sizes/l/
