Indy DevOps
Windows Automation
2015/08/24
Source: files.meetup.com/11348402/windows automation.pdf
Who Are We?
Leaf Software Solutions
● Developing custom software for our clients, variety of languages and platforms
● Microsoft Dynamics solutions
● Increasingly asked by our clients “Can you just run it in the cloud?”
The Challenges of Windows in IaaS
● The platform itself was not originally built around the concepts of command line and scripting
● Ecosystem of automation tools lags Linux
● Slower cycle times: booting, installing
● Instance reliability (DOA instances, performance variability, etc.)
The Old Fashioned Way
● Launch empty machine
● Make changes
● Bake image
● Repeat
● Note: it is still possible to leverage automation here
Make Your Life Easier
● CloudFormation all of the things
● Instance roles: both in CFN templates and using the AWS CLI on instances
● Use an RDP “jump box” for remote administration. Preload it with useful tools such as SQL Server Management Studio and Active Directory User Management
Example Instance Role Policy

"RolePolicies": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "root",
    "PolicyDocument": {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "s3:GetObject", "s3:ListBucket" ],
          "Resource": [
            "arn:aws:s3:::clientname-devops",
            "arn:aws:s3:::clientname-devops/*"
          ]
        }
      ]
    },
    "Roles": [ { "Ref": "RootRole" } ]
  }
},
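The policy above is deliberately narrow: the instance can only read one artifact bucket. A check that a template keeps that shape is worth running before every stack update, because a well-meaning "s3:*" added during debugging turns the instance role into a path to every bucket in the account. The following Ruby script is an added example, not code from the talk or from Leaf Software Solutions; it lints a PolicyDocument the way a pre-deploy step might, flagging wildcard actions, wildcard resources, and write/delete rights on the artifact bucket. The embedded policy is a constructed copy of the slide's document, and the script assumes the document is plain JSON with no CloudFormation intrinsic functions inside it.

```ruby
require 'json'

# Constructed sample: the S3 read-only instance-role PolicyDocument from the
# slide, embedded as plain JSON so the check runs offline (assumption: no
# CloudFormation intrinsic functions such as Fn::Join inside the document).
SAMPLE_POLICY = <<~JSON
  {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [ "s3:GetObject", "s3:ListBucket" ],
        "Resource": [
          "arn:aws:s3:::clientname-devops",
          "arn:aws:s3:::clientname-devops/*"
        ]
      }
    ]
  }
JSON

# IAM lets Statement, Action and Resource be either a single value or a list;
# normalise to a list so the checks below only deal with one shape.
def as_list(value)
  value.is_a?(Array) ? value : [value].compact
end

# Returns the findings for one policy document; an empty list means it passed.
def lint_policy_document(doc)
  findings = []
  statements = as_list(doc['Statement'])
  findings << 'policy has no statements' if statements.empty?

  statements.each_with_index do |st, i|
    next unless st['Effect'] == 'Allow' # Deny statements only narrow access
    actions   = as_list(st['Action'])
    resources = as_list(st['Resource'])

    actions.each do |a|
      # "*" is every API action, "s3:*" is every action in the service.
      findings << "statement #{i}: wildcard action #{a}" if a == '*' || a.end_with?(':*')
      # The role exists to fetch artifacts; write or delete rights on the
      # artifact bucket would let one instance change what later instances install.
      findings << "statement #{i}: write action #{a}" if a =~ /\As3:(Put|Delete)/
    end

    # Resource "*" lets the instance read every bucket in the account.
    findings << "statement #{i}: wildcard resource" if resources.include?('*')
  end
  findings
end

def lint_policy_json(json_text)
  lint_policy_document(JSON.parse(json_text))
end

if __FILE__ == $PROGRAM_NAME
  findings = lint_policy_json(SAMPLE_POLICY)
  puts(findings.empty? ? 'policy OK' : findings.join("\n"))
end
```

Run it against the PolicyDocument extracted from each template in the repository; a non-empty findings list is a reason to stop the deploy and look at the diff.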
Baking Base Windows AMIs
● AWS often deprecates their base AMIs as updates are made
● Some AMIs come without IIS. Easy to enable the role, but this takes time
● Whenever possible, replace machines instead of changing (or patching) them.
Windows Automation
● CFN downloads chef artifact from S3
● CFN executes chef-solo on machine
● Chef layers on Windows roles (such as IIS), deploys apps, starts services, etc. Most of these are running utilities such as appcmd, dism, etc. behind the scenes. Windows and IIS cookbooks are extremely robust.
● CFN utilities on the host signal back to CloudFormation when they are done
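Everything the host becomes is decided by the archive it pulls from S3 and hands to chef-solo, so the step between download and execution is where to verify that the archive is the one the build produced. The Ruby below is an added example (not the talk's bootstrap code) of that gate: it compares the SHA-256 of the downloaded file with a digest from a hypothetical manifest the build job publishes beside the artifact, and only then assembles the chef-solo command. The `-c` and `-j` flags are real chef-solo options; the manifest layout, file paths and archive contents are assumptions made for the example.

```ruby
require 'digest'
require 'tempfile'

# Compare the SHA-256 of the downloaded archive with the digest recorded when
# the artifact was built (hex, case-insensitive). A truncated or modified
# download fails here instead of being unpacked and executed.
def artifact_verified?(path, expected_sha256)
  Digest::SHA256.file(path).hexdigest == expected_sha256.to_s.downcase
end

# chef-solo invocation to run once the archive is trusted. -c (solo.rb) and
# -j (node attribute JSON) are real chef-solo flags; the paths are hypothetical.
def chef_solo_command(solo_rb, node_json)
  ['chef-solo', '-c', solo_rb, '-j', node_json]
end

# Gate between download and execution: returns the argv to run, or raises so
# the bootstrap script exits non-zero and the host's CloudFormation signal
# reports failure instead of success. `manifest` is a hypothetical
# {artifact, sha256} record the build job would publish alongside the archive.
def prepare_run(archive_path, manifest, solo_rb:, node_json:)
  unless artifact_verified?(archive_path, manifest['sha256'])
    raise "artifact #{manifest['artifact']} failed SHA-256 check; refusing to run chef-solo"
  end
  chef_solo_command(solo_rb, node_json)
end

# Stand-alone demonstration with constructed archives written to temp files.
if __FILE__ == $PROGRAM_NAME
  good = Tempfile.new('chef-artifact')
  good.write('constructed cookbook archive bytes')
  good.close
  manifest = { 'artifact' => 'chef-clientname-42.tar.gz',
               'sha256'   => Digest::SHA256.file(good.path).hexdigest }
  puts prepare_run(good.path, manifest,
                   solo_rb: 'C:/chef/solo.rb', node_json: 'C:/chef/node.json').join(' ')

  tampered = Tempfile.new('chef-artifact')
  tampered.write('constructed cookbook archive bytes, altered in transit')
  tampered.close
  begin
    prepare_run(tampered.path, manifest,
                solo_rb: 'C:/chef/solo.rb', node_json: 'C:/chef/node.json')
  rescue RuntimeError => e
    puts "rejected: #{e.message}"
  end
  good.unlink
  tampered.unlink
end
```

The expected digest has to come from somewhere the instance role cannot write: the build job that creates the archive, or the manifest object in a bucket the role can only read, as with the GetObject/ListBucket-only policy earlier in the deck.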
Example Chef Recipe

# Install IIS and the modules the sites need.
include_recipe 'iis'
include_recipe 'iis::mod_aspnet45'
include_recipe 'iis::mod_logging'
include_recipe 'iis::mod_security'

# Remove the default site so only the configured client sites are served.
iis_site 'Default Web Site' do
  action [:stop, :delete]
end

# One application pool and one site per client, driven by node attributes.
node['clientname']['clients'].each do |client|
  iis_pool client['name'] do
    action [:add, :start]
    idle_timeout '02:00:00'
    recycle_at_time '21:30:00'
  end

  docroot = "#{node['iis']['docroot']}/#{client['name']}"
  directory docroot

  iis_site client['name'] do
    path docroot
    port client['port']
    application_pool client['name']
    action [:add, :start]
  end
end
Taking It Even Further
● Because booting Windows is slower and automation can be error-prone (3rd party dependencies) we have explored making Windows machines immutable.
● This automation launches a bare machine, configures it, syspreps it, stops it, bakes an AMI, and terminates everything.
● This results in extremely reliable images, but the process takes a long time and has a cost associated with each build.
Windows EC2 Config Utility
Elastic Beanstalk is the Bees Knees
● Launches on top of standardized images
● Automates away even more complexity than CloudFormation
● Agent running on the host manages deploying the code and deploying updates
● We use Beanstalk whenever possible, falling back to raw EC2 only when we have a specific need (such as IIS multi-site)
Elastic Beanstalk Options Snippet

[
  {
    "Namespace": "aws:elasticbeanstalk:application:environment",
    "OptionName": "Environment",
    "Value": "prd"
  },
  {
    "Namespace": "aws:autoscaling:asg",
    "OptionName": "MinSize",
    "Value": 2
  },
  {
    "Namespace": "aws:autoscaling:asg",
    "OptionName": "MaxSize",
    "Value": 2
  },
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "ImageId",
    "Value": "ami-aaaa1234"
  },
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "EC2KeyName",
    "Value": "clientname"
  },
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "InstanceType",
    "Value": "c4.large"
  },
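Option settings are the entire description of a Beanstalk environment, and mistakes in them only surface at update time. The Ruby below is an added example, not code from the talk: it loads a constructed, closed copy of the list above, checks the things that are easy to get wrong by hand (an option given twice, MinSize above MaxSize, an ImageId that is not an AMI id) and stringifies every Value. The stringification rests on my understanding that the Elastic Beanstalk API and CLI type every option Value as a string, so the JSON numbers in the slide's MinSize/MaxSize would need converting before the list is passed to update-environment; treat that as an assumption to confirm against the current API reference.

```ruby
require 'json'

# Constructed copy of the option settings shown on the slide (the slide's list
# is a fragment; this one is closed so it parses).
SAMPLE_OPTIONS = <<~JSON
  [
    { "Namespace": "aws:elasticbeanstalk:application:environment", "OptionName": "Environment", "Value": "prd" },
    { "Namespace": "aws:autoscaling:asg", "OptionName": "MinSize", "Value": 2 },
    { "Namespace": "aws:autoscaling:asg", "OptionName": "MaxSize", "Value": 2 },
    { "Namespace": "aws:autoscaling:launchconfiguration", "OptionName": "ImageId", "Value": "ami-aaaa1234" },
    { "Namespace": "aws:autoscaling:launchconfiguration", "OptionName": "EC2KeyName", "Value": "clientname" },
    { "Namespace": "aws:autoscaling:launchconfiguration", "OptionName": "InstanceType", "Value": "c4.large" }
  ]
JSON

# Look up one option by namespace and name; nil when absent.
def option_value(settings, namespace, name)
  hit = settings.find { |s| s['Namespace'] == namespace && s['OptionName'] == name }
  hit && hit['Value']
end

# Returns a list of findings; empty means the settings are consistent.
def validate_option_settings(settings)
  findings = []

  # The same option given twice is ambiguous: which value wins depends on order.
  seen = Hash.new(0)
  settings.each { |s| seen[[s['Namespace'], s['OptionName']]] += 1 }
  seen.each { |(ns, name), n| findings << "#{ns}/#{name} given #{n} times" if n > 1 }

  min = option_value(settings, 'aws:autoscaling:asg', 'MinSize')
  max = option_value(settings, 'aws:autoscaling:asg', 'MaxSize')
  if min && max && Integer(min) > Integer(max)
    findings << "MinSize #{min} exceeds MaxSize #{max}"
  end

  image = option_value(settings, 'aws:autoscaling:launchconfiguration', 'ImageId')
  if image && image.to_s !~ /\Aami-[0-9a-f]{8,17}\z/
    findings << "ImageId #{image} does not look like an AMI id"
  end
  findings
end

# Assumption: the API takes every Value as a string, so the slide's numeric
# MinSize/MaxSize are converted before the list is sent to update-environment.
def normalize_for_api(settings)
  settings.map { |s| s.merge('Value' => s['Value'].to_s) }
end

# Parse, validate and normalize in one call; returns [findings, normalized].
def check_options_json(json_text)
  settings = JSON.parse(json_text)
  [validate_option_settings(settings), normalize_for_api(settings)]
end

if __FILE__ == $PROGRAM_NAME
  findings, normalized = check_options_json(SAMPLE_OPTIONS)
  puts(findings.empty? ? 'option settings OK' : findings.join("\n"))
  puts JSON.pretty_generate(normalized)
end
```

Because the deck pins a specific ImageId in the launch configuration, the same check is a convenient place to confirm that the pinned AMI is the one your own image-baking pipeline produced most recently rather than a stale id left in the file.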
Active Directory
● It is possible to run traditional domain controllers in EC2, but lots of moving parts
● Simple AD is essentially hosted Samba and works very well.
● Strangely, Simple AD is not automated via CloudFormation
● Scripts are available to attach new instances to an existing domain.
A Word About Licensing
● Microsoft has been cracking down on AWS customers out of compliance on licensing, so have all of your ducks in a row.
● Running traditionally licensed software such as Office and Visual Studio is more difficult in a dynamic environment
● We have run SQL Server directly on EC2, but greatly prefer RDS.
Miscellaneous Tips
● We tend to use the Ruby that comes alongside the Chef MSI for further automation
● Examples of this automation would be scheduled tasks to perform AWS jobs
● We have also used PowerShell scripts to ship custom Windows metrics up into Amazon CloudWatch monitoring
Improvements Coming
● .NET 5 will run on Linux. This changes everything.
● Windows 10 IoT Core is a much leaner version of Windows (runs on Raspberry Pi)
● Lots of activity related to containerization (Docker and Mesos)
● .NET support being added to AWS Lambda