Tips and Tricks for Automating Windows with Chef
DESCRIPTION
Nordstrom has been using Chef to automate Windows environments. Come by this talk to get some tips and tricks for managing your Windows-based environment with Chef. Tips such as:
• Using Mixlib::ShellOut and PowershellOut to execute Windows tools and scripts as a Domain user
• Windows cookbook improvements, including Printer LWRP
• Diskpart cookbook
• Chef-keypass for better one-way encryption of data-bag secrets, including certs and passwords
• How to use Windows cookbook helpers
• Using the new Windows Registry resource in Chef 11
• Windows Sysnative for correctly locating Windows programs
• Perf improvement numbers for Ruby 1.9.3 in Chef 11 for Windows
• Recommended Ohai plugins to disable
TRANSCRIPT
Tips and Tricks for Automating Windows
Doug Ireton
Infrastructure Engineering
@dougireton / dougireton.com
Who am I?
• Infrastructure Engineer at Nordstrom
• I’ve been a tester, a developer and a sysadmin
• Working with Windows for 20 years
@dougireton
Infrastructure Engineering
Who are you?
Agenda
• About Nordstrom
• A challenging first project
• What we’ve learned from automating Windows
• Twitter: #chefconf #winchef
Brick and Mortar still critical
A complex first project...
With Good Results...
Our First Real Chef Project
• Manual Steps: 48 -> 5
• Team Handoffs: 15 -> 1
• Provision Time: 22 hours -> 7
We Didn’t Have Run As
Fast-Forward to...
“I’ve noticed a considerable reduction in deployment time from base OS to fully functional app server.
We are also deploying a more consistent product to our customers now due to the automated configuration management.”
- Harvey Bendana, Nordstrom WebOps team
Windows Cookbook Helpers
win_friendly_path()
    # include Windows::Helper from Opscode Windows Cookbook
    ::Chef::Recipe.send(:include, Windows::Helper)

    # now you can call helper methods like win_friendly_path directly
    my_batch_file = win_friendly_path('c:/temp/foo.bat')

    execute "My batch file" do
      command my_batch_file # c:\temp\foo.bat
    end
locate_sysnative_cmd() helper for 64-bit Windows
    # include Windows::Helper from Opscode Windows Cookbook
    ::Chef::Recipe.send(:include, Windows::Helper)

    # returns the %WINDIR%\Sysnative\dism.exe path when chef-client runs as a
    # 32-bit process on 64-bit Windows, so WOW64 does not redirect you to the
    # 32-bit copy under SysWOW64
    locate_sysnative_cmd("dism.exe")
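Why the Sysnative helper matters is easier to see off a Windows box. The following is an added example, not the Windows cookbook's own implementation: a pure-Ruby model of the two helpers above, with the OS and process bitness passed in as explicit parameters (the real helper reads them from the environment) so the WOW64 redirection rule can be exercised anywhere. The default `windir` value is an assumption for the demo.

```ruby
# Added example, not the Windows cookbook's code: a pure-Ruby model of
# win_friendly_path and locate_sysnative_cmd so the path logic can be
# seen and tested without Windows. Bitness is passed in explicitly
# instead of being read from ENV/Ohai.

# Turn a Unix-style path into the backslash form Windows tools expect.
def win_friendly_path(path)
  path.tr('/', '\\')
end

# On 64-bit Windows, a 32-bit process (for example 32-bit Ruby under
# chef-client) has %WINDIR%\System32 silently redirected to
# %WINDIR%\SysWOW64 by WOW64, so "dism.exe" would resolve to the 32-bit
# copy. The virtual %WINDIR%\Sysnative directory bypasses the redirection
# and reaches the real 64-bit binary. Sysnative does not exist for a
# 64-bit process or on 32-bit Windows, so System32 is correct there.
# windir default is an assumed value for the demo.
def locate_sysnative_cmd(cmd, os_64bit:, process_64bit:, windir: 'C:\Windows')
  if os_64bit && !process_64bit
    "#{windir}\\Sysnative\\#{cmd}"
  else
    "#{windir}\\System32\\#{cmd}"
  end
end

# Constructed cases covering the three combinations that occur in practice.
def sysnative_cases
  {
    win64_ruby32: locate_sysnative_cmd('dism.exe', os_64bit: true,  process_64bit: false),
    win64_ruby64: locate_sysnative_cmd('dism.exe', os_64bit: true,  process_64bit: true),
    win32_ruby32: locate_sysnative_cmd('dism.exe', os_64bit: false, process_64bit: false),
  }
end
```

The practical check: if a recipe shells out to a System32 tool and the result looks wrong (a missing feature, an "unsupported" error from a 64-bit-only tool), confirm which bitness chef-client is running under before blaming the tool.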
Run Commands As Another User
“The system uses shared-key encryption. An encrypted file can only be decrypted by a node or a user with the same shared-key.”
http://docs.opscode.com/essentials_data_bags_encrypt.html
Encrypted Data Bags
“That’s why storing encryption keys on the same system where the protected data resides violates all of the core principles of data protection.”
- Patrick Townsend, Townsend Security
http://web.townsendsecurity.com/bid/23881/PCI-DSS-2-0-and-Encryption-Key-Management
Chef-Vault
knife encrypt password
Use this knife command to encrypt the username and password that you want to protect.
    $ knife encrypt password --search "role:web_server" --username "mysql_user" --password "P@ssw0rd" --admins "alice, bob, carol"
Securely manage passwords for Run As
    chef_gem "chef-vault"
    require 'chef-vault'

    # given a 'passwords' data bag
    vault = ChefVault.new("passwords")

    # get the 'mysql_user' data bag item
    user = vault.user("mysql_user")

    # decrypt the user's password
    password = user.decrypt_password

    # do something with password
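What makes Chef-Vault different from a plain encrypted data bag is the key handling the two quotes above are getting at: instead of one shared key that every node and every admin must hold, the item is encrypted once under a random data key, and that data key is wrapped separately under the public key of each node and admin named in `--search` and `--admins`. The following is an added example, not chef-vault's own code (which stores its output in Chef's encrypted data bag format, with the wrapped keys in a companion `<item>_keys` item): a minimal stand-alone model of that design using Ruby's OpenSSL bindings. The party names alice, bob, web01 and db01 and their keys are made up for the demo; the password value is the one from the slide.

```ruby
require 'openssl'

# Added example, not chef-vault's own code: a minimal model of the chef-vault
# design. The secret is encrypted once under a random AES-256-GCM data key,
# and that data key is wrapped separately under the RSA public key of each
# admin and node allowed to read it. A node that is not on the list holds
# nothing that can unwrap the data key, so a compromised host can only read
# the secrets it was explicitly granted.
module VaultModel
  CIPHER = 'aes-256-gcm'

  # Encrypt +secret+ for +recipients+ ({ name => OpenSSL::PKey::RSA public key }).
  # Returns [item, keys]: the encrypted item and a name => wrapped-key map,
  # mirroring chef-vault's "<item>" and "<item>_keys" data bag items.
  def self.create(secret, recipients)
    data_key = OpenSSL::Random.random_bytes(32)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = data_key
    iv = cipher.random_iv
    ciphertext = cipher.update(secret) + cipher.final
    item = { 'iv' => iv, 'tag' => cipher.auth_tag, 'ciphertext' => ciphertext }
    keys = recipients.transform_values { |pub| pub.public_encrypt(data_key) }
    [item, keys]
  end

  # Decrypt the item as +name+ using that party's RSA private key.
  # Raises KeyError if +name+ was never granted access and
  # OpenSSL::Cipher::CipherError if the ciphertext or tag was altered.
  def self.open(item, keys, name, priv)
    wrapped = keys.fetch(name) { raise KeyError, "#{name} is not a vault recipient" }
    data_key = priv.private_decrypt(wrapped)
    dec = OpenSSL::Cipher.new(CIPHER).decrypt
    dec.key = data_key
    dec.iv = item['iv']
    dec.auth_tag = item['tag']
    dec.update(item['ciphertext']) + dec.final
  end
end

# Constructed demo: admins alice and bob plus node web01 may read the
# mysql_user password; node db01 may not (all names and keys are made up).
def demo_vault
  parties = %w[alice bob web01 db01].to_h { |n| [n, OpenSSL::PKey::RSA.new(2048)] }
  readers = parties.slice('alice', 'bob', 'web01').transform_values(&:public_key)
  item, keys = VaultModel.create('P@ssw0rd', readers)

  result = {}
  result[:alice] = VaultModel.open(item, keys, 'alice', parties['alice'])
  result[:web01] = VaultModel.open(item, keys, 'web01', parties['web01'])

  # db01 has a valid client key but no wrapped copy of the data key.
  result[:db01_denied] = begin
    VaultModel.open(item, keys, 'db01', parties['db01'])
    false
  rescue KeyError
    true
  end

  # Flip one ciphertext bit: GCM's tag check must reject it.
  tampered = item['ciphertext'].dup
  tampered.setbyte(0, tampered.getbyte(0) ^ 0x01)
  result[:tamper_detected] = begin
    VaultModel.open(item.merge('ciphertext' => tampered), keys, 'alice', parties['alice'])
    false
  rescue OpenSSL::Cipher::CipherError
    true
  end
  result
end
```

The operational consequence of this design is the one to remember when using the real tool: granting a new node access means re-running the knife command (or a rekey) so a fresh wrapped copy of the data key is produced for that node's client key; nothing on the Chef server can be handed to the node instead, because the server only ever holds wrapped keys.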
Run Commands as Another User
    ruby_block "Add server to WSUS group" do
      block do
        Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)

        # get password from Chef-Vault (see the 'passwords' vault above)
        user = ChefVault.new("passwords").user("mysql_user")
        password = user.decrypt_password

        add_group = shell_out(
          "dsquery.exe computer -name #{ node['hostname'] } | dsmod group 'cn=patch_Tuesday,dc=mycorp,dc=com' -addmbr",
          {
            :user     => "my_user",
            :password => password,
            :domain   => "mycorp.com",
          }
        )
        # fail the run if dsquery/dsmod returned non-zero instead of silently continuing
        add_group.error!
      end
    end
Managing Devices
Manage disks, partitions, and drives
    # Use Kevin Moser's diskpart cookbook
    # disk is a hash such as { :number => 1, :letter => 'E' } (values assumed)
    diskpart_partition "create_#{disk[:letter]}:/" do
      disk_number disk[:number]
      letter disk[:letter]
      action :create
    end

    diskpart_partition "format_#{disk[:letter]}:/" do
      disk_number disk[:number]
      letter disk[:letter]
      action :format
    end
Manage Printers and Printer Ports
    # https://github.com/opscode-cookbooks/windows
    # create a printer
    windows_printer 'HP LaserJet 5th Floor' do
      driver_name 'HP LaserJet 4100 Series PCL6'
      ipv4_address '10.4.64.38'
    end
Better Performance
Chef 11: Ruby Performance Improvements
30 - 50% faster Chef Client run time on Windows
Ohai Plugins to Disable on Windows
    Ohai::Config[:disabled_plugins] = [
      # The following plugins are disabled as they are either not needed,
      # have poor performance, or do not apply to the Windows configuration
      # we use.
      "c", "cloud", "ec2", "rackspace", "eucalyptus", "command", "dmi",
      "dmi_common", "erlang", "groovy", "ip_scopes", "java", "keys", "lua",
      "mono", "network_listeners", "passwd", "perl", "php", "python",
      "ssh_host_key", "uptime", "virtualization", "windows::virtualization",
      "windows::kernel_devices"
    ]
Summary
Chef-Vault and Run As
moserke / chef-vault Securely store and retrieve certificates and service acct passwords
opscode / mixlib-shellout Run commands as another user
Manage disks and printers
moserke / diskpart-cookbook
opscode-cookbooks / windows v1.8.2 has Printer/Printer Port LWRPs
Performance Improvements
http://wiki.opscode.com/display/chef/Disabling+Ohai+Plugins
Call to Action
• IIS cookbook not idempotent for options
• Better bootstrapping using Kerberos
• Better integration with Active Directory
Will you join us? http://bit.ly/infeng
Go to Adam Edward’s talk right after this
• “Cooking on Windows without the Windows Cookbook”
• Seacliff A,B,C,D
Photo Credits
1. Slide 3: http://www.flickr.com/photos/benedictineuniversity/6021873707/sizes/l/
2. Slide 4: http://www.flickr.com/photos/kubina/278696130/sizes/l/
3. Slide 7: http://www.flickr.com/photos/orlando-herb/8167991591/sizes/l/
4. Slide 9: http://www.flickr.com/photos/ejbsf/8609182524/sizes/h/
5. Slide 10: http://www.flickr.com/photos/ashley-rly/3768328487/sizes/l/