Tips and Tricks for Automating Windows with Chef

Nordstrom has been using Chef to automate Windows environments. Come by this talk to get some tips and tricks for managing your Windows-based environment with Chef.

Tips such as:

Using Mixlib::Shellout and PowershellOut to execute Windows tools and scripts as a Domain user.
Windows cookbook improvements, including Printer LWRP
Diskpart cookbook
Chef-keypass for better one-way encryption of data-bag secrets, including certs and passwords
How to use Windows cookbook helpers
Using the new Windows Registry resource in Chef 11
Windows Sysnative for correctly locating Windows programs
Perf improvement numbers for Ruby 1.9.3 in Chef 11 for Windows
Recommended Ohai plugins to disable

    Presentation Transcript

    • Tips and Tricks for Automating Windows
      Doug Ireton, Infrastructure Engineering
      @dougireton / dougireton.com
    • Who am I?
        • Infrastructure Engineer at Nordstrom
        • I’ve been a tester, a developer and a sysadmin
        • Working with Windows for 20 years
    • Infrastructure Engineering
    • Who are you?
    • Agenda
        • About Nordstrom
        • A challenging first project
        • What we’ve learned from automating Windows
        • Twitter: #chefconf #winchef
    • Brick and Mortar still critical
    • A complex first project...
    • With Good Results...
    • Our First Real Chef Project
        • Manual Steps: 48 -> 5
        • Team Handoffs: 15 -> 1
        • Provision Time: 22 hours -> 7
    • We Didn’t Have Run As
    • Fast-Forward to...
    • “I’ve noticed a considerable reduction in deployment time from base OS to fully functional app server. We are also deploying a more consistent product to our customers now due to the automated configuration management.” - Harvey Bendana, Nordstrom WebOps team
    • Windows Cookbook Helpers
    • win_friendly_path()

        # include Windows::Helper from Opscode Windows Cookbook
        ::Chef::Recipe.send(:include, Windows::Helper)

        # now you can call helper methods like win_friendly_path directly
        my_batch_file = win_friendly_path('c:/temp/foo.bat')

        execute "My batch file" do
          command my_batch_file    # c:\temp\foo.bat
        end

    • locate_sysnative_cmd() helper for 64-bit Windows

        # include Windows::Helper from Opscode Windows Cookbook
        ::Chef::Recipe.send(:include, Windows::Helper)

        locate_sysnative_cmd("dism.exe")

    • Run Commands As Another User
    • Encrypted Data Bags
      “The system uses shared-key encryption. An encrypted file can only be decrypted by a node or a user with the same shared-key.”
      http://docs.opscode.com/essentials_data_bags_encrypt.html
    • “That’s why storing encryption keys on the same system where the protected data resides violates all of the core principles of data protection.” - Patrick Townsend, Townsend Security
      http://web.townsendsecurity.com/bid/23881/PCI-DSS-2-0-and-Encryption-Key-Management
    • Chef-Vault
      http://www.flickr.com/photos/gtarded/2759499462/sizes/l/
    • knife encrypt password
      Use this knife command to encrypt the username and password that you want to protect.

        $ knife encrypt password --search "role:web_server" \
            --username "mysql_user" --password "P@ssw0rd" \
            --admins "alice, bob, carol"

    • Securely manage passwords for Run As

        chef_gem "chef-vault"
        require 'chef-vault'

        # given a 'passwords' data bag
        vault = ChefVault.new("passwords")

        # get the 'mysql_user' data bag item
        user = vault.user("mysql_user")

        # decrypt the user's password
        password = user.decrypt_password

        # do something with password

    • Run Commands as Another User

        ruby_block "Add server to WSUS group" do
          block do
            Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)

            # get password from Chef-Vault
            password = user.decrypt_password

            add_group = shell_out(
              "dsquery.exe computer -name #{ node['hostname'] } | dsmod group cn=patch_Tuesday,dc=mycorp,dc=com -addmbr",
              {
                :user     => "my_user",
                :password => password,
                :domain   => "mycorp.com",
              }
            )
          end
        end

    • Managing Devices
    • Manage disks, partitions, and drives

        # Use Kevin Moser’s diskpart cookbook
        diskpart_partition "create_#{disk[:letter]}:/" do
          disk_number disk[:number]
          letter disk[:letter]
          action :create
        end

        diskpart_partition "format_#{disk[:letter]}:/" do
          disk_number disk[:number]
          letter disk[:letter]
          action :format
        end

    • Manage Printers and Printer Ports

        # https://github.com/opscode-cookbooks/windows
        # create a printer
        windows_printer 'HP LaserJet 5th Floor' do
          driver_name 'HP LaserJet 4100 Series PCL6'
          ipv4_address '10.4.64.38'
        end

    • Better Performance
    • Chef 11: Ruby Performance Improvements
      30 - 50% faster Chef Client Run time on Windows
    • Ohai Plugins to Disable on Windows

        Ohai::Config[:disabled_plugins] = [
          # The following plugins are disabled as they are either not needed,
          # have poor performance, or do not apply to the Windows configuration
          # we use.
          "c", "cloud", "ec2", "rackspace", "eucalyptus", "command", "dmi",
          "dmi_common", "erlang", "groovy", "ip_scopes", "java", "keys",
          "lua", "mono", "network_listeners", "passwd", "perl",
          "php", "python", "ssh_host_key", "uptime", "virtualization",
          "windows::virtualization", "windows::kernel_devices"
        ]

    • Summary
    • Chef-Vault and Run As
        • moserke / chef-vault: Securely store and retrieve certificates and service acct passwords
        • opscode / mixlib-shellout: Run commands as another user
    • Manage disks and printers
        • moserke / diskpart-cookbook
        • opscode-cookbooks / windows v1.8.2 has Printer/Printer Port LWRPs
    • Performance Improvements
      http://wiki.opscode.com/display/chef/Disabling+Ohai+Plugins
    • Call to Action
        • IIS cookbook not idempotent for options
        • Better bootstrapping using Kerberos
        • Better integration with Active Directory
    • Will you join us?
      http://bit.ly/infeng
    • Go to Adam Edward’s talk right after this
        • “Cooking on Windows without the Windows Cookbook”
        • Seacliff A,B,C,D
    • http://www.flickr.com/photos/drachmann/327122302/sizes/l/
    • Photo Credits
        1. Slide 3: http://www.flickr.com/photos/benedictineuniversity/6021873707/sizes/l/
        2. Slide 4: http://www.flickr.com/photos/kubina/278696130/sizes/l/
        3. Slide 7: http://www.flickr.com/photos/orlando-herb/8167991591/sizes/l/
        4. Slide 9: http://www.flickr.com/photos/ejbsf/8609182524/sizes/h/
        5. Slide 10: http://www.flickr.com/photos/ashley-rly/3768328487/sizes/l/
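
The Encrypted Data Bags and Chef-Vault slides contrast one shared key with encrypting to specific nodes. The Ruby sketch below is an added illustration of that per-node idea (not code from the deck and not chef-vault's own implementation): the secret is encrypted once under a random key, and that key is wrapped with each authorized client's RSA public key, so only a listed client's private key can recover it. The function names, node names and item layout are assumptions made for the example.

```ruby
require 'openssl'
require 'base64'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Encrypt `secret` once under a random AES-256-GCM key, then wrap that key
# separately for each authorized client with the client's RSA public key.
# `public_keys` maps a client name to its public key (names are hypothetical).
def seal(secret, public_keys)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  data_key = cipher.random_key
  iv = cipher.random_iv
  cipher.auth_data = ''
  data = cipher.update(secret) + cipher.final
  wrapped = public_keys.transform_values do |pub|
    Base64.strict_encode64(pub.public_encrypt(data_key, OAEP))
  end
  { 'iv' => Base64.strict_encode64(iv),
    'tag' => Base64.strict_encode64(cipher.auth_tag),
    'data' => Base64.strict_encode64(data),
    'keys' => wrapped }
end

# Returns the plaintext only when a wrapped key is stored under `name` and
# `private_key` unwraps it; returns nil for anyone else or a tampered item.
def open_item(item, name, private_key)
  wrapped = item['keys'][name] or return nil
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = private_key.private_decrypt(Base64.strict_decode64(wrapped), OAEP)
  decipher.iv = Base64.strict_decode64(item['iv'])
  decipher.auth_tag = Base64.strict_decode64(item['tag'])
  decipher.auth_data = ''
  decipher.update(Base64.strict_decode64(item['data'])) + decipher.final
rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed key pairs standing in for two nodes' client keys.
  web, db = Array.new(2) { OpenSSL::PKey::RSA.new(2048) }
  item = seal('P@ssw0rd', 'web01' => web.public_key)
  puts "web01: #{open_item(item, 'web01', web).inspect}"
  puts "db01:  #{open_item(item, 'db01', db).inspect}"
end
```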