Post on 17-May-2015
Tips and Tricks for Automating Windows
Doug Ireton, Infrastructure Engineering
@dougireton / dougireton.com
Who am I?
• Infrastructure Engineer at Nordstrom
• I’ve been a tester, a developer and a sysadmin
• Working with Windows for 20 years
@dougireton
Infrastructure Engineering
Who are you?
Agenda
• About Nordstrom
• A challenging first project
• What we’ve learned from automating Windows
• Twitter: #chefconf #winchef
Brick and Mortar still critical
A complex first project...
With Good Results...
Our First Real Chef Project
• Manual Steps: 48 -> 5
• Team Handoffs: 15 -> 1
• Provision Time: 22 hours -> 7
We Didn’t Have Run As
Fast-Forward to...
“I’ve noticed a considerable reduction in deployment time from base OS to fully functional app server.
We are also deploying a more consistent product to our customers now due to the automated configuration management.”
- Harvey Bendana, Nordstrom WebOps team
Windows Cookbook Helpers
win_friendly_path()
# include Windows::Helper from Opscode Windows Cookbook
::Chef::Recipe.send(:include, Windows::Helper)

# now you can call helper methods like win_friendly_path directly
my_batch_file = win_friendly_path('c:/temp/foo.bat')

execute "My batch file" do
  command my_batch_file # c:\temp\foo.bat
end
locate_sysnative_cmd() helper for 64-bit Windows
# include Windows::Helper from Opscode Windows Cookbook
::Chef::Recipe.send(:include, Windows::Helper)

# resolve the 64-bit binary even when chef-client runs as a 32-bit process
locate_sysnative_cmd("dism.exe")
Run Commands As Another User
“The system uses shared-key encryption. An encrypted file can only be decrypted by a node or a user with the same shared-key.”
http://docs.opscode.com/essentials_data_bags_encrypt.html
Encrypted Data Bags
“That’s why storing encryption keys on the same system where the protected data resides violates all of the core principles of data protection.”
- Patrick Townsend, Townsend Security
http://web.townsendsecurity.com/bid/23881/PCI-DSS-2-0-and-Encryption-Key-Management
http://www.flickr.com/photos/gtarded/2759499462/sizes/l/
Chef-Vault
knife encrypt password
Use this knife command to encrypt the username and password that you want to protect.
$ knife encrypt password --search "role:web_server" --username "mysql_user" --password "P@ssw0rd" --admins "alice, bob, carol"
Securely manage passwords for Run As
chef_gem "chef-vault"
require 'chef-vault'

# given a 'passwords' data bag
vault = ChefVault.new("passwords")

# get the 'mysql_user' data bag item
user = vault.user("mysql_user")

# decrypt the user's password
password = user.decrypt_password

# do something with password
Run Commands as Another User
ruby_block "Add server to WSUS group" do
  block do
    # mix in shell_out so the block can run a command as another user
    Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)

    # get password from Chef-Vault (user is the 'mysql_user' vault item fetched above)
    password = user.decrypt_password

    add_group = shell_out(
      "dsquery.exe computer -name #{ node['hostname'] } | dsmod group 'cn=patch_Tuesday,dc=mycorp,dc=com' -addmbr",
      { :user => "my_user", :password => password, :domain => "mycorp.com" }
    )
    add_group.error!  # fail the run instead of silently ignoring a non-zero exit
  end
end
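To make the Townsend point concrete, here is a small model of the Chef-Vault key-wrapping scheme, written for this page rather than taken from chef-vault itself: the item is still a shared-key encrypted data bag, but the shared key is wrapped with each authorized client's RSA public key, so a node that was not granted the item cannot decrypt it even though it can read the encrypted data. VaultModel, WEB01 and DB01 are constructed names; the keys and the 'mysql_user' item are sample values generated inline.

```ruby
require 'openssl'
require 'json'
require 'base64'
# Model of the chef-vault key-wrapping scheme (example added here, not chef-vault's
# own code): a random shared key encrypts the item; that shared key is then wrapped
# separately for each authorized client with its RSA public key.
module VaultModel
  CIPHER = 'aes-256-cbc'
  # Encrypt +item+ (a Hash) for +recipients+ (name => RSA key; only the public half is used).
  # Returns [encrypted_item, wrapped_keys].
  def self.encrypt(item, recipients)
    shared_key = OpenSSL::Random.random_bytes(32)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = shared_key
    iv = cipher.random_iv
    data = cipher.update(JSON.generate(item)) + cipher.final
    encrypted_item = { 'iv' => Base64.strict_encode64(iv), 'data' => Base64.strict_encode64(data) }
    wrapped = recipients.each_with_object({}) do |(name, key), h|
      h[name] = Base64.strict_encode64(key.public_key.public_encrypt(shared_key))
    end
    [encrypted_item, wrapped]
  end

  # A recipient unwraps the shared key with its own private key, then decrypts the item.
  def self.decrypt(encrypted_item, wrapped, name, private_key)
    raise "#{name} is not authorized for this item" unless wrapped.key?(name)
    shared_key = private_key.private_decrypt(Base64.decode64(wrapped[name]))
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = shared_key
    cipher.iv = Base64.decode64(encrypted_item['iv'])
    JSON.parse(cipher.update(Base64.decode64(encrypted_item['data'])) + cipher.final)
  end
end

# Constructed sample: two node keys; only web01 is granted the 'mysql_user' item.
WEB01 = OpenSSL::PKey::RSA.new(2048)
DB01  = OpenSSL::PKey::RSA.new(2048)
ENC, KEYS = VaultModel.encrypt({ 'username' => 'mysql_user', 'password' => 'P@ssw0rd' }, { 'web01' => WEB01 })

def web01_password
  VaultModel.decrypt(ENC, KEYS, 'web01', WEB01)['password']   # => "P@ssw0rd"
end

def db01_can_decrypt?
  VaultModel.decrypt(ENC, KEYS, 'db01', DB01)
  true
rescue RuntimeError
  false                                                        # => false
end
```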
Managing Devices
Manage disks, partitions, and drives
# Use Kevin Moser’s diskpart cookbook
diskpart_partition "create_#{disk[:letter]}:/" do
  disk_number disk[:number]
  letter disk[:letter]
  action :create
end

diskpart_partition "format_#{disk[:letter]}:/" do
  disk_number disk[:number]
  letter disk[:letter]
  action :format
end
Manage Printers and Printer Ports
# https://github.com/opscode-cookbooks/windows
# create a printer
windows_printer 'HP LaserJet 5th Floor' do
  driver_name 'HP LaserJet 4100 Series PCL6'
  ipv4_address '10.4.64.38'
end
Better Performance
Chef 11: Ruby Performance Improvements
30 - 50% faster Chef Client run time on Windows
Ohai Plugins to Disable on Windows
# The following plugins are disabled as they are either not needed,
# have poor performance, or do not apply to the Windows configuration
# we use.
Ohai::Config[:disabled_plugins] = [
  "c", "cloud", "ec2", "rackspace", "eucalyptus", "command",
  "dmi", "dmi_common", "erlang", "groovy", "ip_scopes", "java",
  "keys", "lua", "mono", "network_listeners", "passwd", "perl",
  "php", "python", "ssh_host_key", "uptime", "virtualization",
  "windows::virtualization", "windows::kernel_devices"
]
Summary
Chef-Vault and Run As
moserke / chef-vault Securely store and retrieve certificates and service acct passwords
opscode / mixlib-shellout Run commands as another user
Manage disks and printers
moserke / diskpart-cookbook
opscode-cookbooks / windows v1.8.2 has Printer/Printer Port LWRPs
Performance Improvements
http://wiki.opscode.com/display/chef/Disabling+Ohai+Plugins
Call to Action
• IIS cookbook not idempotent for options
• Better bootstrapping using Kerberos
• Better integration with Active Directory
Will you join us? http://bit.ly/infeng
Go to Adam Edward’s talk right after this
• “Cooking on Windows without the Windows Cookbook”
• Seacliff A,B,C,D
http://www.flickr.com/photos/drachmann/327122302/sizes/l/
Photo Credits
1. Slide 3: http://www.flickr.com/photos/benedictineuniversity/6021873707/sizes/l/
2. Slide 4: http://www.flickr.com/photos/kubina/278696130/sizes/l/
3. Slide 7: http://www.flickr.com/photos/orlando-herb/8167991591/sizes/l/
4. Slide 9: http://www.flickr.com/photos/ejbsf/8609182524/sizes/h/
5. Slide 10: http://www.flickr.com/photos/ashley-rly/3768328487/sizes/l/