Tips and Tricks for Automating Windows with Chef


Nordstrom has been using Chef to automate Windows environments. Come by this talk to get some tips and tricks for managing your Windows-based environment with Chef.

Tips such as:

Using Mixlib::Shellout and PowershellOut to execute Windows tools and scripts as a Domain user.
Windows cookbook improvements, including Printer LWRP
Diskpart cookbook
Chef-keypass for better one-way encryption of data-bag secrets, including certs and passwords
How to use Windows cookbook helpers
Using the new Windows Registry resource in Chef 11
Windows Sysnative for correctly locating Windows programs
Perf improvement numbers for Ruby 1.9.3 in Chef 11 for Windows
Recommended Ohai plugins to disable

Published in: Technology

  1. Tips and Tricks for Automating Windows. Doug Ireton, Infrastructure Engineering. @dougireton / dougireton.com
  2. Who am I?
       • Infrastructure Engineer at Nordstrom
       • I’ve been a tester, a developer and a sysadmin
       • Working with Windows for 20 years
       @dougireton
  3. Infrastructure Engineering
  4. Who are you?
  5. Agenda
       • About Nordstrom
       • A challenging first project
       • What we’ve learned from automating Windows
       • Twitter: #chefconf #winchef
  6. Brick and Mortar still critical
  7. A complex first project...
  8. With Good Results...
  9. Our First Real Chef Project
       • Manual Steps: 48 -> 5
       • Team Handoffs: 15 -> 1
       • Provision Time: 22 hours -> 7
  10. We Didn’t Have Run As [image: No Run As]
  11. Fast-Forward to...
  12. “I’ve noticed a considerable reduction in deployment time from base OS to fully functional app server. We are also deploying a more consistent product to our customers now due to the automated configuration management.” - Harvey Bendana, Nordstrom WebOps team
  13. Windows Cookbook Helpers
  14. win_friendly_path()

        # include Windows::Helper from Opscode Windows Cookbook
        ::Chef::Recipe.send(:include, Windows::Helper)

        # now you can call helper methods like win_friendly_path directly
        my_batch_file = win_friendly_path('c:/temp/foo.bat')

        execute "My batch file" do
          command my_batch_file    # c:\temp\foo.bat
        end

  15. locate_sysnative_cmd() helper for 64-bit Windows

        # include Windows::Helper from Opscode Windows Cookbook
        ::Chef::Recipe.send(:include, Windows::Helper)

        locate_sysnative_cmd("dism.exe")
  16. Run Commands As Another User
  17. Encrypted Data Bags: “The system uses shared-key encryption. An encrypted file can only be decrypted by a node or a user with the same shared-key.” http://docs.opscode.com/essentials_data_bags_encrypt.html
  18. “That’s why storing encryption keys on the same system where the protected data resides violates all of the core principles of data protection.” - Patrick Townsend, Townsend Security. http://web.townsendsecurity.com/bid/23881/PCI-DSS-2-0-and-Encryption-Key-Management
  19. Chef-Vault (photo: http://www.flickr.com/photos/gtarded/2759499462/sizes/l/)
  20. knife encrypt password
      Use this knife command to encrypt the username and password that you want to protect.

        $ knife encrypt password --search "role:web_server" \
            --username "mysql_user" --password "P@ssw0rd" \
            --admins "alice, bob, carol"

  21. Securely manage passwords for Run As

        chef_gem "chef-vault"
        require 'chef-vault'

        # given a 'passwords' data bag
        vault = ChefVault.new("passwords")

        # get the 'mysql_user' data bag item
        user = vault.user("mysql_user")

        # decrypt the user's password
        password = user.decrypt_password

        # do something with password

  22. Run Commands as Another User

        ruby_block "Add server to WSUS group" do
          block do
            Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)

            # get password from Chef-Vault
            # (`user` is the vault item retrieved on the previous slide)
            password = user.decrypt_password

            add_group = shell_out(
              "dsquery.exe computer -name #{ node['hostname'] } | dsmod group cn=patch_Tuesday,dc=mycorp,dc=com -addmbr",
              {
                :user     => "my_user",
                :password => password,
                :domain   => "mycorp.com",
              }
            )
          end
        end
  23. Managing Devices
  24. Manage disks, partitions, and drives

        # Use Kevin Moser’s diskpart cookbook
        diskpart_partition "create_#{disk[:letter]}:/" do
          disk_number disk[:number]
          letter disk[:letter]
          action :create
        end

        diskpart_partition "format_#{disk[:letter]}:/" do
          disk_number disk[:number]
          letter disk[:letter]
          action :format
        end

  25. Manage Printers and Printer Ports

        # https://github.com/opscode-cookbooks/windows
        # create a printer
        windows_printer 'HP LaserJet 5th Floor' do
          driver_name 'HP LaserJet 4100 Series PCL6'
          ipv4_address '10.4.64.38'
        end
  26. Better Performance
  27. Chef 11: Ruby Performance Improvements. 30 - 50% faster Chef Client run time on Windows
  28. Ohai Plugins to Disable on Windows

        Ohai::Config[:disabled_plugins] = [
          # The following plugins are disabled as they are either not needed,
          # have poor performance, or do not apply to the Windows configuration
          # we use.
          "c", "cloud", "ec2", "rackspace", "eucalyptus", "command", "dmi",
          "dmi_common", "erlang", "groovy", "ip_scopes", "java", "keys",
          "lua", "mono", "network_listeners", "passwd", "perl",
          "php", "python", "ssh_host_key", "uptime", "virtualization",
          "windows::virtualization", "windows::kernel_devices"
        ]

  29. Summary
  30. Chef-Vault and Run As
       • moserke / chef-vault: Securely store and retrieve certificates and service acct passwords
       • opscode / mixlib-shellout: Run commands as another user
  31. Manage disks and printers
       • moserke / diskpart-cookbook
       • opscode-cookbooks / windows v1.8.2 has Printer/Printer Port LWRPs
  32. Performance Improvements: http://wiki.opscode.com/display/chef/Disabling+Ohai+Plugins
  33. Call to Action
       • IIS cookbook not idempotent for options
       • Better bootstrapping using Kerberos
       • Better integration with Active Directory
  34. Will you join us? http://bit.ly/infeng
  35. Go to Adam Edward’s talk right after this
       • “Cooking on Windows without the Windows Cookbook”
       • Seacliff A,B,C,D
  36. http://www.flickr.com/photos/drachmann/327122302/sizes/l/
  37. Photo Credits
       1. Slide 3: http://www.flickr.com/photos/benedictineuniversity/6021873707/sizes/l/
       2. Slide 4: http://www.flickr.com/photos/kubina/278696130/sizes/l/
       3. Slide 7: http://www.flickr.com/photos/orlando-herb/8167991591/sizes/l/
       4. Slide 9: http://www.flickr.com/photos/ejbsf/8609182524/sizes/h/
       5. Slide 10: http://www.flickr.com/photos/ashley-rly/3768328487/sizes/l/
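
Slides 17 to 21 contrast shared-key encrypted data bags, where anyone holding the one key can decrypt, with Chef-Vault, where slide 20 names the nodes (`--search`) and admins (`--admins`) the secret is meant for. The Ruby sketch below is an added example, not code from the talk or from chef-vault: it shows the general technique of wrapping one data key per recipient public key, and the recipient names, the item layout and the `seal`/`unseal` helpers are assumptions made for illustration.

```ruby
require 'openssl'
require 'base64'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Constructed key pairs standing in for node and admin client keys.
KEYS = %w[web01 web02 alice mallory].to_h { |n| [n, OpenSSL::PKey::RSA.new(2048)] }

# Encrypt the secret once under a random AES-256-GCM data key, then wrap
# that data key separately for each recipient's RSA public key.
def seal(secret, public_keys)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  data_key = cipher.random_key
  iv = cipher.random_iv
  data = cipher.update(secret) + cipher.final
  wrapped = public_keys.transform_values do |pub|
    Base64.strict_encode64(pub.public_encrypt(data_key, OAEP))
  end
  { 'iv' => iv, 'tag' => cipher.auth_tag, 'data' => data, 'keys' => wrapped }
end

# Unwrap this recipient's copy of the data key and decrypt the secret.
# Returns nil if the item has no entry for `name` or the private key
# does not match the entry.
def unseal(item, name, private_key)
  wrapped = item['keys'][name]
  return nil unless wrapped
  data_key = private_key.private_decrypt(Base64.strict_decode64(wrapped), OAEP)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = data_key
  cipher.iv = item['iv']
  cipher.auth_tag = item['tag']
  cipher.update(item['data']) + cipher.final
rescue OpenSSL::PKey::PKeyError
  nil
end

# Only the public halves are needed to seal; mallory is not a recipient.
recipients = KEYS.slice('web01', 'web02', 'alice').transform_values(&:public_key)
ITEM = seal('P@ssw0rd', recipients)

puts unseal(ITEM, 'web01', KEYS['web01']).inspect     # a listed node
puts unseal(ITEM, 'mallory', KEYS['mallory']).inspect # not a recipient
puts unseal(ITEM, 'alice', KEYS['mallory']).inspect   # wrong private key
```

No decryption key is stored with the sealed item: each recipient uses a private key that stays on its own machine, which is the property the Townsend quote on slide 18 asks for.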