Beyond the Registry: Puppet for Windows Administrators

A talk about automating Windows Server with Puppet, given at PuppetConf 2015 in Portland, OR.

Matthew Stone

October 08, 2015

Transcript

  1. Beyond the Registry: Puppet for Windows Administrators, Service Pack 1

    Matthew Stone, Senior Automation Engineer | T-Mobile, @matthewstone
  2. A Review of the WinOps Conference

    “it was a conference for battle scarred enterprise IT folk. A conference for those wrestling with DevOps in a world of legacy systems and enterprise licensing agreements.”
    Hannah Foxwell | http://hannahfoxwell.net/2015/09/25/review-of-winops-2015/
  3. Linux vs. Windows

    Bringing Puppet into large *nix environments:
    • Largely unopposed*
    • Relatively straightforward
    • Native

    Bringing Puppet into large Windows environments:
    • Pre-existing “classification” (AD OUs) and “state management” (group policy).
    • Needs hooks into PowerShell to be truly effective.
    • A lot of people love their GUI.

    * technologically, not necessarily politically…
  4. Extending Code Across Teams

    ```
    role::myproduct::webserver
      profile::windows::base              # default windows settings
      profile::windows::webserver         # configure IIS / install .NET framework
      profile::myproduct::application     # customer web sites and app config

    role::myproduct::database
      profile::windows::base              # default windows settings
      profile::sql_cluster                # configure sql / add to cluster
      profile::myproduct::database_stuff  # customer database settings
    ```
  5. WinOps

    • With every new Windows, automation becomes easier.
    • State enforcement and rapid deployment are here.
    • PowerShell is a way of life. Whatever you do, learn it well.
    • We can all work towards the same goals.
  6. Minimum Viable Windows

    • Minimum Support Version: 2008 R2? 2012 R2 only?
    • Minimum Windows Management Framework (PowerShell Version)
    • Minimum .NET Framework (PS4 needs .NET 4.5)
    • What’s the Puppet installation method?
  7. Installation Methods

    • Double Click
    • Local (msiexec)
    • Run Once
    • Remote (PSRemoting)
    • pe_winagent
  8. pe_winagent

    ```
    PS C:\Users\matthew> Install-Puppet -Remote -Master pe328.labexamples.d2.internal.cloudapp.net `
    >> -ComputerList C:\temp\computers.csv
    Downloading Installation Script on WINSVR1...
    Running Puppet Enterprise installer script on WINSVR1...
    Downloading Puppet Enterprise 3.8.2 on WINSVR1...
    Installing Puppet Enterprise 3.8.2 on WINSVR1...
    Downloading Installation Script on WINSVR2...
    Running Puppet Enterprise installer script on WINSVR2...
    Downloading Puppet Enterprise 3.8.2 on WINSVR2...
    Installing Puppet Enterprise 3.8.2 on WINSVR2...
    Puppet Enterprise has been installed on WINSVR2
    Configuring Puppet Enterprise 3.8.2 on WINSVR2...
    Puppet Enterprise has been installed on WINSVR1
    Configuring Puppet Enterprise 3.8.2 on WINSVR1...
    Installation on WINSVR1 has completed...
    Installation on WINSVR2 has completed...
    PS C:\Users\matthew>
    ```
  9. PowerShell Host

    • A set of servers that can perform remote PowerShell execution.
    • Good for Windowsing Windows when Puppet can’t get there.
  10. Forge Module Breakdown (Sept 2015)

    [Bar chart. Categories: RedHat, Debian, Windows. Data labels: 1045, 867, 160.]
  11. Helpful Forge Modules

    Puppet Supported Modules
    • puppetlabs/registry
    • puppetlabs/powershell
    • puppetlabs/reboot
    • puppetlabs/acl
    • puppetlabs/dsc

    Puppet Approved Modules
    • puppet/windowsfeature
    • puppet/iis
  12. Windows Components

    • UAC
    • Remote Desktop
    • Internet Explorer Enhanced Security Configuration
    • Proxy Settings
    • IPv6 Settings
    • Logon Message
  13. Base Manifest

    ```puppet
    # Proxy setting
    registry::value { 'ProxyServer':
      key   => 'hklm\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
      value => 'ProxyServer',
      type  => 'dword',
      data  => 1,
    }

    # IPv6 components, controlled by $ipv6_data
    registry::value { 'ipv6':
      key   => 'hklm\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters',
      value => 'DisabledComponents',
      type  => 'dword',
      data  => $ipv6_data,
    }

    # DNS suffix search list
    registry::value { 'Windows DNS Suffix Search Order':
      key   => 'hklm\system\CurrentControlSet\Services\TCPIP\Parameters',
      value => 'SearchList',
      data  => ['puppetlabs.com', 'microsoft.com', 'domain.xyz'],
    }
    ```
  14. Base Manifest

    ```puppet
    class { 'win_proxy':
      ensure       => present,
      proxy_server => 'himom.xyz.com',
    }

    class { 'ipv6':
      ensure => absent,
    }

    class { 'dns_search_order':
      ensure  => present,
      domains => ['puppetlabs.com', 'microsoft.com', 'domain.xyz'],
    }
    ```
  15. The Ways of Puppet and PowerShell

    • Exec / Oneliners
    • Template Function
    • Custom Type / Provider
    • Chocolatey
    • Desired State Configuration
  16. PowerShell Exec

    ```puppet
    exec { "Manage ${start_port} for ${nlb_name}":
      command  => "Add-NlbClusterPortRule -InterfaceName '${member_nic}'",
      # Skip the command when the port rule already exists (unless exits 0)
      unless   => "If (!(Get-NlbClusterPortRule -Port ${start_port})) { exit 1 }",
      provider => powershell,
    }
    ```

    Note: The above code was abbreviated because trying to drop one liners of PowerShell into exec statements can be a hilarious adventure in writing about 500 columns per line in order to get the most simple of things to happen. The management highly advises you look into utilizing PowerShell templates if you want to do something that is so long you will never be able to decipher what it is you intended to do in the exec statement.
  17. PowerShell via Template

    init.pp:

    ```puppet
    exec { 'test script':
      command  => template("${module_name}/script.ps1.erb"),
      provider => powershell,
    }
    ```

    script.ps1.erb:

    ```erb
    $myVar = "I am a powershell script on <%= @hostname %>"
    $myVar | Out-File c:\temp.txt
    ```
  18. PowerShell via Custom Provider

    ```ruby
    # Query every Windows feature once and turn each into a provider instance
    features = JSON.parse(ps('Get-WindowsFeature | ConvertTo-JSON'))
    features.collect do |feature|
      name = feature['Name'].downcase
      installed = feature['InstallState']
      if installed == 1
        currentstate = :present
      elsif installed == 0
        currentstate = :absent
      end
      new(:name => name, :ensure => currentstate)
    end
    ```
  19. Chocolatey

    • Package Management for Windows
    • Move long-winded install logic from manifests to packages
    • Good for installs over URL, ZIP files, etc…
    • It’s PowerShell.
    • Native support in modern Windows.
  20. DSC and Puppet

    DSC:

    ```powershell
    WindowsFeature IIS {
        Ensure = "Present"
        Name   = "Web-Server"
    }

    File WebDirectory {
        Ensure          = "Present"
        Type            = "Directory"  # Default is "File"
        Recurse         = $true
        SourcePath      = $WebsiteFilePath
        DestinationPath = "C:\inetpub\wwwroot"
        DependsOn       = "[WindowsFeature]IIS"
    }
    ```

    Puppet:

    ```puppet
    windowsfeature { 'web-server':
      ensure => present,
    }

    file { 'c:\inetpub\wwwroot':
      ensure  => directory,
      recurse => true,
      source  => "puppet:///modules/${module_name}/wwwroot",
      require => Windowsfeature['web-server'],
    }
    ```
  21. • Good if you don’t want to learn Ruby on top of Puppet DSL and PowerShell.

    • Good if you want to use the DSC module to configure Windows state while utilizing the rest of Puppet as a common tool/workflow in your infrastructure.
    • Good for getting those hard-to-reach places.
    • Still technically in preview.

    Ask your doctor if DSC is right for you.
  22. Learn Something

    • Windows PowerShell: Learn it Now Before It’s an Emergency
      https://technet.microsoft.com/en-us/scriptcenter/dd742419
    • Getting Started with Desired State Configuration
      http://www.microsoftvirtualacademy.com/liveevents/getting-started-with-powershell-desired-state-configuration-dsc
    • A Deep Dive into Nano Server
      https://www.microsoftvirtualacademy.com/en-US/training-courses/a-deep-dive-into-nano-server-13785
  23. PuppetConf 2015 Windows Talks

    • Thursday, October 8 • 2:30pm - 3:15pm
      The Wild World of Windows: Developing for Puppet on Windows
      Travis Fields, Puppet Enthusiast
    • Thursday, October 8 • 3:45pm - 4:30pm
      Chocolatey and Puppet – Managing Your Windows Software Since 2011
      Rob Reynolds, Puppet Labs
    • Friday, October 9 • 11:15am - 12:00pm
      Better Together: Managing Windows with Puppet, PowerShell and DSC
      Bruce Payette, Microsoft
  24. ?
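
An added example, not from the talk or from any Puppet module: one way the raw `registry::value` resources of slide 13 can be wrapped into a parameterized class like those declared on slide 14, here for the UAC and Logon Message items listed on slide 12. The class name, parameter names and banner text are hypothetical; it assumes the puppetlabs/registry and puppetlabs/reboot modules from slide 11 are installed.

```puppet
# Hypothetical class: name, parameters and sample text are assumptions.
# Uses registry::value (puppetlabs/registry) and reboot (puppetlabs/reboot).
class profile::windows::logon_policy (
  $banner_caption = 'Authorized use only',                # constructed sample
  $banner_text    = 'Activity on this system is logged.', # constructed sample
  $enable_uac     = true,
) {
  # Both settings live under the same policy key.
  $policy_key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

  # Logon message shown before the credential prompt.
  registry::value { 'logon banner caption':
    key   => $policy_key,
    value => 'legalnoticecaption',
    type  => 'string',
    data  => $banner_caption,
  }

  registry::value { 'logon banner text':
    key   => $policy_key,
    value => 'legalnoticetext',
    type  => 'string',
    data  => $banner_text,
  }

  # UAC: EnableLUA = 1 keeps User Account Control on, 0 turns it off.
  $enable_lua = $enable_uac ? {
    true    => 1,
    default => 0,
  }

  registry::value { 'uac':
    key   => $policy_key,
    value => 'EnableLUA',
    type  => 'dword',
    data  => $enable_lua,
  }

  # An EnableLUA change only takes effect after a restart, so reboot
  # once the catalog run finishes, and only when the value changed.
  reboot { 'after uac change':
    subscribe => Registry::Value['uac'],
  }
}
```

A node would then declare it the same way as the classes on slide 14, for example `class { 'profile::windows::logon_policy': enable_uac => true }`, and drift in any of the three values is corrected on the next agent run.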