WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Post on 27-Jan-2017


The DevOpsification of Windows Server
Jeffrey Snover
Microsoft Technical Fellow
Chief Architect, Enterprise Cloud Group
@JSNOVER

What is DevOps?

DevOps is about culture and processes

DevOps is NOT about tools and technology

But…..

This is wrong

Tools and technology play a critical role

Tools and technology can make DevOps easy or hard

Windows Server 2016 is architected to make DevOps easy

Windows Server 2016 resolves the interface between devs and ops

Windows Server has been silent on the interface between Devs and Ops

• No architecture
• 1,000 blossoms bloomed

1,000 conflicts also bloomed

WS2016 resolves that interface

• Traditional ops model
• Emerging ops model using Containers

Why?

Evolution of Windows Server

Server for the Masses

Enterprise Servers

Datacenter Servers

Cloud Servers

Cloud Competitive
• Small and fast
• Minimize attack surface
• Minimize patches/reboots
• Optimized for DevOps

Cloud + DevOps Saving $ => Making $$

$$$$$$

DevOpsification of Windows
• Componentization
• Development
• Packaging & deployment
• Configuration
• Containers & Docker
• Operational Validation Testing
• Operating Securely

Componentization

Optimized for cloud infrastructure & next-gen distributed applications

Containers and next-gen applications

Server And Desktop

Specialized workloads

Third-party applications

RDS experience

Server Core
Lower maintenance server environment

Traditional VM workloads

Nano Server
Just enough OS

Zero-footprint model
• Server Roles and Optional Features live outside of Nano Server
• Standalone packages that install like applications

Key Roles & Features
• Clustering, Hyper-V, Storage (SoFS), and DNS Server
• IIS, .NET Core, and ASP.NET Core

Full Windows Server driver support
Antimalware optional package
System Center VMM and OM agents available

Nano Server: Optimized for the Cloud Era

Nano Server – PowerShell Core
• Refactored to run on .NET Core
• Full PowerShell language compatibility & remoting
• Invoke-Command, New-PSSession, Enter-PSSession, etc.
• Most core engine components
• Support for all cmdlet types except workflow
• C#, Script, and CIM
• Limited set of cmdlets initially
• Growing fast


Nano Server has a full developer experience, unlike Server Core

Windows SDK & Visual Studio 2015 target Nano Server

Rich design-time experience

Project template, full IntelliSense, error squiggles, etc.

Full remote debugging experience

Nano Server - Developer Experience


First a word about MSI
• Not supported on Nano Server
• MSI has GUI dependencies
• Custom Actions are the portal to hell

Windows Server App installer (WSA)
• New declarative Server installer
• Extends the AppX schema
• Allows for Server-specific extensions, such as NT Services, Perf Counters, COM Objects, WMI providers, ETW events
• No custom actions
• 4 out of 5 kittens love WSA

PackageManagement

Cmdlet              Action
Find-Package        Search for a package
Install-Package     Install the package
Save-Package        Download the package but don’t install it
Get-Package         Inventory of installed packages
Uninstall-Package   Uninstall the package

PackageManagement

End User

PackageManagement PowerShell cmdlets

PackageManagement Core

Discovery

Install/Uninstall

Inventory

PackageManagement Providers

Windows Server App (WSA)

PowerShellGet

Windows Container

NuGet

NanoServerPackage

Package Sources

WSA Package Repository…

PowerShell Gallery

Container Gallery, Docker

NuGet Gallery …

www.NPMjs.com

WordPress, …


Cloud scale configuration management
• Declare the state of a server (e.g. User X should exist & be a member of the Administrator group)
• Apply expert knowledge as common tasks – easier than scripting

DSC is the platform
• Works in collaboration with DevOps tool chain (Chef, Puppet, etc.)

Windows 2008R2 and later, and Linux via OMI

Open source DSC Resource Kit (302) resources

https://gallery.technet.microsoft.com/scriptcenter/DSC-Resource-Kit-All-c449312d

DSC Overview: https://msdn.microsoft.com/en-us/powershell/dsc/overview

Desired State Configuration
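
The slide's example ("User X should exist & be a member of the Administrator group") written as a DSC configuration. This is an added example, not code from the talk; the account name, the C:\dsc paths and the node certificate (used so the password is encrypted inside the generated MOF rather than stored in clear text) are assumptions.

```powershell
# Added example. Names, paths and the certificate values are placeholders.
$configData = @{
    AllNodes = @(@{
        NodeName        = 'localhost'
        # Public key of the node's document-encryption certificate (placeholder path).
        CertificateFile = 'C:\dsc\node-public.cer'
        Thumbprint      = '<NODE-CERT-THUMBPRINT>'   # placeholder, not a real value
    })
}

Configuration AdminMembership {
    param([Parameter(Mandatory)] [pscredential] $UserXCredential)
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.NodeName {
        # Tell the LCM which private key decrypts credentials in the MOF.
        LocalConfigurationManager { CertificateID = $Node.Thumbprint }

        # Declared state 1: the account exists.
        User UserX {
            UserName = $UserXCredential.UserName
            Password = $UserXCredential
            Ensure   = 'Present'
        }
        # Declared state 2: the account is in the local Administrators group.
        Group Administrators {
            GroupName        = 'Administrators'
            MembersToInclude = $UserXCredential.UserName
            Ensure           = 'Present'
            DependsOn        = '[User]UserX'
        }
    }
}

# Compile to MOF, configure the LCM, apply, then check for drift.
$cred = Get-Credential -UserName 'UserX' -Message 'Initial password for UserX'
AdminMembership -ConfigurationData $configData -UserXCredential $cred -OutputPath 'C:\dsc\AdminMembership'
Set-DscLocalConfigurationManager -Path 'C:\dsc\AdminMembership'
Start-DscConfiguration -Path 'C:\dsc\AdminMembership' -Wait -Verbose
Test-DscConfiguration   # True while the node matches the declared state
```

Without the certificate entries, compilation refuses to write the credential unless plain-text passwords are explicitly allowed, which leaves the password readable in the MOF file.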


Running WS2016 Applications

Containers and next-gen applications

Server And Desktop

Specialized workloads

Third-party applications

RDS experience

Server Core
Lower maintenance server environment

Traditional VM workloads

Nano Server
Just enough OS

Physical hosts
Virtual hosts
Windows Server containers

Container must match host (i.e. Nano on Nano); will be relaxed in the future…

Hyper-V containers
Container must be Nano Server. Server Core support coming…
Host can be Nano Server, Windows Server Core or Windows Server w/Desktop

Operating System Deployment Modes

Container Host

Container

Physical Server

Container Host

Physical Server

Virtual Machine

Host

Container

Nested Virtual Machine

Same Container Images, Same API

Container Management

Docker

Windows Container Images

Application

Framework

Container Run-Times

Hyper-V Container

Windows Server Container

Write once, deploy anywhere


… but admins are often not suspected of criminal activity – they are simply targeted because they control access to networks the attacker wants to infiltrate.

“Who better to target than the person that already has the ‘keys to the kingdom’?”

You’re an Admin

Thanks, you’re PWND!!

Edward Snowden
• Age 30
• College dropout

Michael Hayden
• Four star general
• Director of the NSA
• Director of the CIA
• Director of National Intelligence

Problem: system admin privileges

Safe functions required by role

Dangerous functions attackers could abuse

Just Enough Admin allows you to perform administrative tasks without being a full administrator

• On a Server - almost any administrative action requires a user be an administrator
• Once an administrator, a user can do anything on the server with no oversight
• A compromised machine or a breached administrator account enables attacker movement to other assets

From full admin to role based admin

Just Enough Administration (JEA) using PowerShell WMF 5.0

JEA Resources:

https://github.com/PowerShell/JEA
https://gallery.technet.microsoft.com/Just-Enough-Administration-6b5ad370

PS C:\> Enter-JEAsession Server1 –Name Maintenance
Server1> Restart-Service MSSQLSERVER

HR Server

Server1> Steal-Secrets *
Error: You are not authorized to Steal-Secrets

Just Enough Administration (JEA)
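
One way to build the "Maintenance" endpoint behind the session shown above, using the session-configuration cmdlets that ship with WMF 5.0. This is an added example, not code from the talk; the module name MaintenanceJEA, the group CONTOSO\SqlOperators and the file paths are assumptions.

```powershell
# Added example. Module name, group name and paths are hypothetical.
# Role capability files must live in a RoleCapabilities folder inside a module.
$module  = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\MaintenanceJEA'
$roleDir = Join-Path $module 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $module 'MaintenanceJEA.psd1')

# The role exposes one command, restricted to one service name.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'SqlMaintenance.psrc') -VisibleCmdlets @{
    Name       = 'Restart-Service'
    Parameters = @{ Name = 'Name'; ValidateSet = 'MSSQLSERVER' }
}

# Session configuration: locked-down session, temporary virtual account,
# transcripts for oversight, and the group-to-role mapping.
$jeaDir = Join-Path $env:ProgramData 'JEAConfiguration'
$logDir = Join-Path $jeaDir 'Transcripts'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$pssc = Join-Path $jeaDir 'Maintenance.pssc'

New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $logDir `
    -RoleDefinitions @{ 'CONTOSO\SqlOperators' = @{ RoleCapabilities = 'SqlMaintenance' } }

# Validate the file, then register the endpoint (this restarts WinRM).
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration: $pssc"
}
Register-PSSessionConfiguration -Name 'Maintenance' -Path $pssc -Force

# From an operator's workstation (interactive):
#   Enter-PSSession -ComputerName Server1 -ConfigurationName Maintenance
#   [Server1]: PS> Restart-Service -Name MSSQLSERVER   # allowed by the role
#   [Server1]: PS> Restart-Service -Name Spooler       # rejected: not in ValidateSet
#   [Server1]: PS> Get-Process                         # rejected: command not visible
```

Members of the mapped group do not need to be local administrators on Server1; the command runs under the virtual account, and each session is recorded in the transcript directory.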


Windows Server 2016 resolves the interface between devs and ops

DevOpsification of Windows
• Componentization
• Development
• Packaging & deployment
• Configuration
• Containers & Docker
• Operational Validation Testing
• Operating Securely

Available Downlevel
WS2016

Cloud Competitive
• Small and Fast
• Minimize attack surface
• Minimize patches/reboots
• Optimized for DevOps

Servicing Improvements*

[Charts comparing Nano Server, Server Core and Full Server: Critical Bulletins; Important Bulletins; Number of Reboots. Data labels as extracted: 23, 8, 2, 9, 23, 26, 6, 11, 3]

* Analysis based on all patches released in 2014

Security Improvements

[Charts comparing Nano Server and Server Core: Ports open; Services running; Drivers loaded. Data labels as extracted: 11, 26, 25, 44, 73, 98]

[Chart comparing Nano Server and Server Core: Boot IO (MB)]

Resource Utilization Improvements

[Charts comparing Nano Server and Server Core: Process Count; Kernel memory in use (MB). Data labels as extracted: 26, 21, 61, 139, 108, 306]

[Charts comparing Nano Server and Server Core: Setup Time (sec); Disk Footprint (GB)]

Deployment Improvements

[Chart comparing Nano Server and Server Core: VHD Size (GB). Data labels as extracted: .41, 6.3, 40, 300, 5.42, .4]

DevOps is about culture and processes

Tools and technology can make DevOps easy or hard

Windows Server 2016 is architected to make DevOps easy

In times of change, sometimes the job outgrows good people

Where are you going?

Do you have the right people, partners & tools to get there?

Q&A
