PuppetConf 2016: Puppet on Windows – Nicolas Corrarello, Puppet
TRANSCRIPT
Puppet on Windows
Ensuring you make the right first steps in managing your Windows configuration
Nicolas Corrarello Senior Technical Solutions Engineer | Puppet
sgtpepper @ irc.freenode.net
Agenda
• Introduction
• The Puppet RAL
• Windows Specific Resources (and interfaces!)
• Modules
• Profiles and Roles
• So where did my configuration go? (Data Separation)
• Ten first things…
• An example role
Puppet on Windows
The Puppet RAL
That’s Resource Abstraction Layer
service { 'wuauserv':
  ensure => 'running',
  enable => true,
}
Windows specific resources
Interfaces…
Managing a Windows system is super easy. Managing thousands of Windows systems…
Unix/Linux:
● Text files, generally under /etc

Windows:
● Win32 API
● Registry
● Text Files (Generally INI)
● (Power)Shell
● GUI
● WinRM
● Proprietary / Binary Files
And not all interfaces perform alike…
Modules
Modeling configuration: The BGInfo example
Requirements
● Package needs to be installed
● Configuration files created
● Run at login
● Loads of system info
How is this not a module, right?
What BGInfo needs…

package { 'bginfo':
  ensure   => installed,
  provider => 'chocolatey',
}

file { $bgipath:
  ensure  => file,
  source  => $bgifile,
  require => Package['bginfo'],
}

if $setonstart {
  file { 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\bginfo.bat':
    ensure  => file,
    content => template('bginfo/bginfo.bat.erb'),
  }
}

Package: Thanks Chocolatey, no need for complex MSIs
Configuration File: Ok, static is not ideal, but you know, MVP
Startup Script: Templated so it works on all systems
Assumptions
Requirements
● Package pre-requirements
● Firewall rules
● ESC
● Required values
● Things for which you don’t have defaults
● Sane defaults
● Are you breaking something else?
● Are you going outside what your module is supposed to do?
ASSUMPTION
THE MOTHER OF ALL BAD THINGS
Profiles & Roles
Profiles: technology-specific wrapper classes
Roles: business-specific wrapper classes
“One final note before we move on – the terms ‘Roles’ and ‘Profiles’ are ENTIRELY ARBITRARY. They’re not magic reserve words in Puppet, and you can call them whatever [..] you want. It’s also been pointed out that Craig MIGHT have misnamed them (a ROLE should be a model for an individual piece of tech, and a PROFILE should probably be a group of roles)…”
Gary Larizza, Feb 17th, 2014. Extracted from www.garylarizza.com
Profile module
Technology related classes that get applied to one or more nodes. One per manifest, with the right naming convention.

Kind of good… not that reusable:

class profile::windows::baseline {
  class { 'domain_membership':
    domain       => 'CONTOSO',
    username     => 'domainadmin',
    password     => 'd0n0tst3alth1s.',
    join_options => '3',
  }

  class { 'bginfo':
    setonstart     => true,
    addtrustedsite => true,
  }
}

Better:

class profile::windows::baseline {
  include domain_membership
  include bginfo
}
Where did my configuration go?
Enter Hiera
Hiera: Lightweight Pluggable Hierarchical Database
Hierarchical storage of data, based on facts
● Different kind of data structures, from key / value to array
● Multiple backends (Default, YAML files)
Separate your code from your data, as you know… when you write any kind of software!
Sensitive data?
---
plain-property: You can see me
encrypted-property: >
  ENC[PKCS7,Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
  NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
  jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
  l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
  /HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
  IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
If you want to learn more about just how to work with sensitive data, see “Nice and Secure: Good OpSec Hygiene with Puppet” at 3.45 PM
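The baseline profile from the Profile module slide, rewritten so the domain, join account and password come from Hiera through automatic parameter lookup instead of being typed into the manifest; the password is stored as an ENC[PKCS7,...] value like the one above. This is an added example, not code from the slides or from the trlinkin/domain_membership and ncorrare/bginfo modules: it assumes the hiera-eyaml backend is configured, and the parameter names on the profile class are my own.

```puppet
# Added example: baseline profile with its data in Hiera (not the slides' code).
# Puppet resolves each class parameter from the Hiera key
# profile::windows::baseline::<parameter>, so the matching data file looks like
# this (constructed sample, hieradata/common.eyaml):
#
#   profile::windows::baseline::domain:          'CONTOSO'
#   profile::windows::baseline::join_user:       'domainadmin'
#   profile::windows::baseline::join_password:   ENC[PKCS7,<output of eyaml encrypt>]
#   profile::windows::baseline::bginfo_on_start: true
#
# Only the ciphertext is committed; hiera-eyaml decrypts it on the master while
# compiling the catalog (assumes the eyaml backend and key pair are set up).
class profile::windows::baseline (
  String  $domain,                 # hypothetical parameter names, chosen here
  String  $join_user,
  String  $join_password,
  Boolean $bginfo_on_start = true,
) {
  # Same domain_membership parameters as on the slides; only the values moved.
  class { 'domain_membership':
    domain       => $domain,
    username     => $join_user,
    password     => $join_password,
    join_options => '3',
  }

  # Same bginfo parameters as on the slides.
  class { 'bginfo':
    setonstart     => $bginfo_on_start,
    addtrustedsite => true,
  }
}
```

Note that decryption happens at compile time, so the cleartext password still reaches the agent inside the catalog; eyaml protects the repository, not the node.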
Roles
● Roles only include profiles
● Every node is classified with one role
● Roles can use inheritance
● A slightly different role is another role

class role::windows::ecommerceweb {
  include profile::windows::baseline
  include profile::windows::dmzhost
  include profile::windows::iis
  include profile::windows::webapp
}
Ten first things…
An example profile
An example profile, 10 first things
What are the 10 first things you configure on a Windows system?
● Domain Membership
● BGInfo
● Antivirus
● Logon message
● Local Administrator
● Windows Firewall
● Filesystem ACLs
● Windows Time
● Monitoring Agent
● Registry Keys
Domain Membership
● Not a Puppet Supported Module
● Widely used
● Authored by Tom Linkin
● Use Hiera for data separation
Module trlinkin/domain_membership

class { 'domain_membership':
  domain       => 'puppet.example',
  username     => 'joinmember',
  password     => 'sUp3r_s3cR3t!',
  join_options => '3',
}
BGInfo
● Not a Puppet Supported Module
● Not widely used
● Authored by yours truly
Module ncorrare/bginfo
include bginfo
Antivirus… Which?
● If you have an MSI, use the package type, part of the core Puppet functionality
● Chocolatey packaging allows versioning!
● Do you need to configure something? Model around it
Do you require to model configuration? Is it a centralised solution?
package { 'clamwin':
  ensure   => present,
  provider => chocolatey,
}
Logon Message
● Supported module
● Sets the registry keys
● Supports templates!
Module puppetlabs/motd
class { 'motd':
  content => "Hello World!",
}
Local Administrator
● Both are supported
● DSC supports more Windows-specific attributes
User resource / DSC User resource provided by the puppetlabs/dsc module
dsc_user { 'localadmin':
  dsc_username             => 'localadmin',
  dsc_description          => 'Local Administrator user',
  dsc_ensure               => present,
  dsc_password             => { 'user' => 'localadmin', 'password' => 'very.secret' },
  dsc_passwordneverexpires => false,
  dsc_disabled             => true,
}

user { 'localadmin':
  ensure   => present,
  password => 'very.secret',
}
Windows Firewall
● Supported
● Manage by exception
DSC xFirewall resource provided by puppetlabs/dsc
dsc_xfirewall { 'Allow WinRM':
  dsc_name      => "${name} Allow WinRM",
  dsc_ensure    => 'present',
  dsc_direction => 'Inbound',
  dsc_localport => '5985',
  dsc_protocol  => 'TCP',
  dsc_action    => 'Allow',
}
Filesystem ACLs
● Supported
● Set full ACLs
ACL resource provided by puppetlabs/acl
acl { 'c:/tempperms':
  permissions => [
    { identity => 'Administrator', rights => ['full'] },
    { identity => 'Users',         rights => ['read', 'execute'] },
  ],
}
Windows Time Configuration
Registry Keys, Commands, Settings, Active Directory… or ncorrare/windowstime
class { 'windowstime':
  servers => {
    'pool.ntp.org'     => '0x01',
    'time.windows.com' => '0x01',
  },
}
● Modeling registry keys and services
● Or BYORK (Bring your own registry key)
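The "bring your own registry key" variant of the same time configuration: the NtpServer and Type values under the W32Time service key modelled with registry_value from puppetlabs/registry, and the w32time service restarted when they change. This is an added example, not code from the slides or from ncorrare/windowstime; the class name and parameter are my own, and it assumes puppetlabs/registry and puppetlabs/stdlib (for join) are on the modulepath.

```puppet
# Added example (not from the slides or the ncorrare/windowstime module):
# the windowstime settings expressed as plain registry keys plus a service.
# Assumes puppetlabs/registry (registry_value) and puppetlabs/stdlib (join).
class profile::windows::time (
  # Same hash shape as the windowstime class on the slide: server => flag.
  Hash[String, String] $servers = {
    'pool.ntp.org'     => '0x01',
    'time.windows.com' => '0x01',
  },
) {
  # Parameters key of the Windows Time service (single quotes keep the backslashes).
  $w32time = 'HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

  # W32Time expects space-separated "server,flag" pairs, e.g.
  # "pool.ntp.org,0x01 time.windows.com,0x01" (0x01 = SpecialInterval).
  $peer_list = join($servers.map |$host, $flag| { "${host},${flag}" }, ' ')

  # Type=NTP: sync from the listed peers rather than the domain hierarchy (NT5DS).
  registry_value { "${w32time}\\Type":
    ensure => present,
    type   => string,
    data   => 'NTP',
  }

  registry_value { "${w32time}\\NtpServer":
    ensure => present,
    type   => string,
    data   => $peer_list,
  }

  # Restart the service whenever either value changes so the new peers take effect.
  service { 'w32time':
    ensure    => running,
    enable    => true,
    subscribe => Registry_value["${w32time}\\Type", "${w32time}\\NtpServer"],
  }
}
```

On a domain-joined member server, setting Type to NTP overrides the domain hierarchy as the time source; keep the default there unless that is the intent.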
Monitoring Agent… Which?
● If you have an MSI, use the package type, part of the core Puppet functionality
● Chocolatey packaging allows versioning!
● Do you need to configure something? Model around it
● SCOM? Check https://technet.microsoft.com/en-us/system-center-docs/om/manage/install-agent-using-the-command-line
Do you require to model configuration? Is it a centralised solution?
package { 'SCOM':
  ensure => present,
  source => 'MoMAgent.msi',
}
Registry Keys
registry_key / registry_value resources provided by the puppetlabs/registry module
registry_key { 'HKLM\System\CurrentControlSet\Services\Puppet':
  ensure => present,
}
An example role
Who wants cake?
An example role, FourthCoffee
What do I need to make this work?
● Baseline Profile
● IIS Profile
● FourthCoffee Profile
Steal this code!
● https://github.com/ncorrare/puppetconf2016-control
● Slides will be posted shortly
● Talk to a Linux sysad, you probably have more in common than you think!
Try it, break it, play with it, share it (just not on production)
Questions