Six Weird Facts about Puppet on Windows
… and more facts worth knowing
3 November 2015
Presented by Jeremy McGee and Steven Hawkins
This is probably not the recommended approach.
But it works for us.
Who are Hiscox?
New York City
St Peter Port
International specialist insurer
£2.0B in GWP
The Hiscox IT landscape
Hiscox is an insurance company.
Where possible we buy, not build.
The organisation relies on customised,
This has its own challenges.
Stage Item Examples Tools
Deployed Middleware IIS, JBoss Puppet
NTFS, registry Puppet
AV, SQL Server VMware
Provisioned Orchestration CMP/ITSM VMware
Purchased Requisition CMP/ITSM
Weird Fact Number Two
There’s no package manager
Package manager alternatives
There’s Chocolatey, which is immature;
the usual “Programs and Features” control
panel, which doesn’t handle versions well;
storing each file individually, which doesn’t
or direct use of archives, which is ugly.
Windows Package Manager
Chocolatey is the way to go as far as
package management for Puppet on
Windows, but how does it work for
Not so well, it turns out. Packages vary in
quality and most go off to other providers’
websites for installers.
So, take control:
- Write your own Chocolatey packages
- Manage Chocolatey packages and
providers’ installers locally
- It’s actually quite simple to write your own
Chocolatey Puppet module. We change the
- Disable ‘chocolatey’ source
- Add a new source to your internal Chocolatey
autoUninstaller = true
allowGlobalConfirmation = true
failOnAutoUninstaller = true
- Add an API key to be able to push new
packages to your internal Chocolatey
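The steps above as they might be run on a node, followed by a check that no enabled source still points outside the internal feed. This is an added example, not code from the presentation; the source name, feed URL and environment variable are placeholders.

```powershell
# Added example: pin a node to an internal Chocolatey feed, then verify it.
# Assumptions (not from the slides): source name, feed URL and the
# environment variable holding the API key are placeholders.
$InternalName = 'internal'
$InternalUrl  = 'https://choco.example.internal/nuget/'
$ApiKey       = $env:CHOCO_INTERNAL_API_KEY   # injected at run time, never hard-coded

# 1. Stop resolving packages from the public community feed.
choco source disable --name=chocolatey

# 2. Register the internal feed. Remove any stale entry first so re-runs are safe.
#    Arguments containing variables are quoted so PowerShell expands them.
choco source remove "--name=$InternalName" | Out-Null
choco source add "--name=$InternalName" "--source=$InternalUrl"

# 3. Enable the three features listed on the slide.
foreach ($feature in 'autoUninstaller', 'allowGlobalConfirmation', 'failOnAutoUninstaller') {
    choco feature enable "--name=$feature"
}

# 4. Only on the machine that publishes packages: store the push key.
#    (Newer Chocolatey releases spell this "choco apikey add".)
if ($ApiKey) {
    choco apikey "--source=$InternalUrl" "--key=$ApiKey"
}

# 5. Verify: read chocolatey.config and fail if any enabled source
#    resolves to a host other than the internal feed.
$configPath  = Join-Path $env:ChocolateyInstall 'config\chocolatey.config'
[xml]$config = Get-Content -Path $configPath
$allowedHost = ([uri]$InternalUrl).Host

$unexpected = $config.chocolatey.sources.source | Where-Object {
    $_.disabled -ne 'true' -and ([uri]$_.value).Host -ne $allowedHost
}

if ($unexpected) {
    foreach ($s in $unexpected) {
        Write-Warning "Unexpected enabled source: $($s.id) -> $($s.value)"
    }
    exit 1
}
Write-Output "OK: every enabled source is on $allowedHost."
```

The final check is the part worth running on a schedule: a source re-enabled by hand or by a Chocolatey upgrade shows up as a non-zero exit.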
Creating a Chocolatey package
is easier than you might think
- choco new
Then edit as needed. Finally
- choco push
Weird Fact Number Four
PowerShell isn’t the default provider
Weird Fact Number Five
Windows ACLs are special
Windows and ACLs
Puppet supports Windows access control
lists natively, but the defaults are Linux style,
so you won’t get what you expect.
Typically, Administrator won’t have access.
We use native Windows utilities to apply
permissions and wrap this up in PowerShell
We have 120+ test servers, 22+
environments, and in total about 20 modules
We have 100% automation of deployments
from bare operating system to production
We have no access to production servers.
This has saved several thousand pounds
over alternative approaches and means we
can deploy much more frequently.
We found this the hard way
The Puppet documentation is just the start.
Network with colleagues across your
organisation and in other companies too.
Invest in a training / scratch environment.
Keep abreast of new Puppet modules.
Buy Puppet Enterprise support. It’s good!