Tips and Tricks for Automating Windows with Chef



Nordstrom has been using Chef to automate Windows environments. Come by this talk to get some tips and tricks for managing your Windows-based environment with Chef.

Tips such as:

Using Mixlib::ShellOut and PowershellOut to execute Windows tools and scripts as a Domain user.
Windows cookbook improvements, including Printer LWRP
Diskpart cookbook
Chef-keypass for better one-way encryption of data-bag secrets, including certs and passwords
How to use Windows cookbook helpers
Using the new Windows Registry resource in Chef 11
Windows Sysnative for correctly locating Windows programs
Perf improvement numbers for Ruby 1.9.3 in Chef 11 for Windows
Recommended Ohai plugins to disable


Tips and Tricks for Automating Windows with Chef

  1. Tips and Tricks for Automating Windows
     Doug Ireton, Infrastructure Engineering, @dougireton
  2. Who am I?
     • Infrastructure Engineer at Nordstrom
     • I’ve been a tester, a developer and a sysadmin
     • Working with Windows for 20 years
     @dougireton
  3. Infrastructure Engineering
  4. Who are you?
  5. Agenda
     • About Nordstrom
     • A challenging first project
     • What we’ve learned from automating Windows
     • Twitter: #chefconf #winchef
  6. Brick and Mortar still critical
  7. A complex first project...
  8. With Good Results...
  9. Our First Real Chef Project
     • Manual Steps: 48 -> 5
     • Team Handoffs: 15 -> 1
     • Provision Time: 22 hours -> 7
  10. We Didn’t Have Run As
  11. Fast-Forward to...
  12. “I’ve noticed a considerable reduction in deployment time from base OS to fully functional app server. We are also deploying a more consistent product to our customers now due to the automated configuration management.”
      - Harvey Bendana, Nordstrom WebOps team
  13. Windows Cookbook Helpers
  14. win_friendly_path()

      # include Windows::Helper from Opscode Windows Cookbook
      ::Chef::Recipe.send(:include, Windows::Helper)

      # now you can call helper methods like win_friendly_path directly
      my_batch_file = win_friendly_path('c:/temp/foo.bat')

      execute "My batch file" do
        command my_batch_file   # c:\temp\foo.bat
      end

  15. locate_sysnative_cmd() helper for 64-bit Windows

      # include Windows::Helper from Opscode Windows Cookbook
      ::Chef::Recipe.send(:include, Windows::Helper)

      # returns the Sysnative path to dism.exe when one exists (32-bit chef-client
      # on 64-bit Windows), otherwise the System32 path
      locate_sysnative_cmd("dism.exe")
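The two helpers on slides 14 and 15 exist because a 32-bit chef-client on 64-bit Windows runs under WoW64, which silently redirects C:\Windows\System32 to C:\Windows\SysWOW64; 64-bit-only tools such as dism.exe are then not found, or a 32-bit copy runs in their place, and the virtual C:\Windows\Sysnative directory is the documented way around that redirection. The following is an added example, not code from the talk or from the Opscode windows cookbook: a portable re-implementation of both helpers with the file-system probe and %WINDIR% injected, so the lookup logic can be exercised on any OS against a constructed fake file system.

```ruby
# Added example: portable versions of win_friendly_path and
# locate_sysnative_cmd (not the windows cookbook's own implementation).

# Turn a Chef-style forward-slash path into the form Windows tools expect.
def win_friendly_path(path)
  return nil if path.nil?
  path.gsub('/') { '\\' }
end

# Return the path a process should use to run +cmd+ on Windows.
#   windir: value of %WINDIR%, e.g. "C:\\Windows"
#   exists: callable answering "does this file exist?"; File.method(:exist?)
#           in real use, a stub here so the logic can be tested anywhere
def locate_sysnative_cmd(cmd,
                         windir: ENV.fetch('WINDIR', 'C:\\Windows'),
                         exists: File.method(:exist?))
  sysnative = "#{windir}\\sysnative\\#{cmd}"
  system32  = "#{windir}\\system32\\#{cmd}"
  if exists.call(sysnative)     # 32-bit process on 64-bit Windows: bypass WoW64 redirection
    sysnative
  elsif exists.call(system32)   # native 64-bit process, or 32-bit Windows
    system32
  else
    cmd                         # fall back to a plain PATH lookup
  end
end

# Constructed fake file system as seen by a 32-bit chef-client on 64-bit
# Windows: dism.exe is visible through sysnative, but the redirected
# system32 view (really SysWOW64) does not contain it.
WOW64_FS = {
  'C:\\Windows\\sysnative\\dism.exe' => true,
  'C:\\Windows\\system32\\cmd.exe'   => true,
}.freeze

# Resolve the slide's examples against the fake file system.
def demo_wow64
  probe = ->(p) { WOW64_FS.fetch(p, false) }
  {
    dism:  locate_sysnative_cmd('dism.exe', windir: 'C:\\Windows', exists: probe),
    cmd:   locate_sysnative_cmd('cmd.exe',  windir: 'C:\\Windows', exists: probe),
    batch: win_friendly_path('c:/temp/foo.bat'),
  }
end

puts demo_wow64.inspect if __FILE__ == $PROGRAM_NAME
```

In a recipe you would call `locate_sysnative_cmd("dism.exe")` with the defaults; the keyword arguments exist only so the example runs without a Windows host.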
  16. Run Commands As Another User
  17. Data Bags
      “The system uses shared-key encryption. An encrypted file can only be decrypted by a node or a user with the same shared-key.”
  18. “That’s why storing encryption keys on the same system where the protected data resides violates all of the core principles of data protection.”
      - Patrick Townsend, Townsend Security
  19.
  20. knife encrypt password
      Use this knife command to encrypt the username and password that you want to protect.

      $ knife encrypt password --search "role:web_server" \
          --username "mysql_user" --password "P@ssw0rd" \
          --admins "alice, bob, carol"

  21. Securely manage passwords for Run As

      chef_gem "chef-vault"
      require 'chef-vault'

      # given a passwords data bag (chef-vault 1.x API)
      vault = ChefVault.new("passwords")

      # get the mysql_user data bag item
      user = vault.user("mysql_user")

      # decrypt the user's password
      password = user.decrypt_password

      # do something with password

  22. Run Commands as Another User

      ruby_block "Add server to WSUS group" do
        block do
          Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)

          # get password from Chef-Vault (user is the vault item from the previous slide)
          password = user.decrypt_password

          add_group = shell_out(
            "dsquery.exe computer -name #{node['hostname']} | dsmod group cn=patch_Tuesday,dc=mycorp,dc=com -addmbr",
            {
              :user     => "my_user",
              :password => password,
              :domain   => "",
            }
          )
        end
      end
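Slide 22 interpolates node['hostname'] straight into a String command, and Mixlib::ShellOut runs a String through the shell (cmd.exe on Windows), so whatever ends up inside that string can add a pipe or a second command. Ohai normally sets the attribute, but attributes can also arrive from roles, environments or the Chef server, so it is worth allowlisting the value before it reaches the command line. The following is an added example, not code from the talk: it builds the slide's dsquery | dsmod pipeline only after validating the hostname and group DN, and keeps the Chef-Vault password in the shell_out options rather than the command string. The computer-name pattern (1 to 15 characters of letters, digits and hyphens) is a deliberately conservative assumption, and `demo_run_as` is a constructed sample, not something the slide defines.

```ruby
# Added example: validate a node attribute before interpolating it into a
# shell_out command string (not code from the talk).

# Conservative allowlist for a Windows computer name (assumption for this
# example): 1-15 characters, letters, digits and hyphens only.
COMPUTER_NAME = /\A[A-Za-z0-9-]{1,15}\z/

# Characters expected in an LDAP distinguished name such as
# cn=patch_Tuesday,dc=mycorp,dc=com (assumption: no quoting or escapes).
GROUP_DN = /\A[A-Za-z0-9_=,. -]+\z/

def valid_computer_name?(name)
  name.is_a?(String) && !(name =~ COMPUTER_NAME).nil?
end

# Build the pipeline from the slide; raises instead of producing a command
# when either value contains anything outside the allowlist.
def build_add_member_command(hostname, group_dn = 'cn=patch_Tuesday,dc=mycorp,dc=com')
  unless valid_computer_name?(hostname)
    raise ArgumentError, "refusing to interpolate unsafe hostname #{hostname.inspect}"
  end
  unless group_dn =~ GROUP_DN
    raise ArgumentError, "refusing to interpolate unsafe group DN #{group_dn.inspect}"
  end
  "dsquery.exe computer -name #{hostname} | dsmod group #{group_dn} -addmbr"
end

# Options hash for shell_out's :user/:password/:domain as on the slide. The
# password decrypted from Chef-Vault is passed here, never interpolated into
# the command, so it does not show up in process command lines or in the
# command text Chef logs.
def run_as_options(user, password, domain)
  { user: user, password: password, domain: domain }
end

# Constructed sample: a normal hostname and a hostile attribute value. In a
# recipe: shell_out(build_add_member_command(node['hostname']), run_as_options(...))
def demo_run_as
  ok = build_add_member_command('WEB01')
  rejected = begin
    build_add_member_command('WEB01 & whoami')
    nil
  rescue ArgumentError => e
    e.message
  end
  [ok, rejected]
end

puts demo_run_as.inspect if __FILE__ == $PROGRAM_NAME
```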
  23. Managing Devices
  24. Manage disks, partitions, and drives

      # Use Kevin Moser's diskpart cookbook
      diskpart_partition "create_#{disk[:letter]}:/" do
        disk_number disk[:number]
        letter disk[:letter]
        action :create
      end

      diskpart_partition "format_#{disk[:letter]}:/" do
        disk_number disk[:number]
        letter disk[:letter]
        action :format
      end
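The diskpart_partition resources on slide 24 take a disk number and drive letter from a `disk` hash and format whatever they are given, so the list those hashes come from deserves a check before any resource is declared. The following is an added example, not code from the talk or from the diskpart cookbook: a validator for the disk list that rejects malformed entries, duplicate letters or numbers, and (as labelled assumptions for this example) disk 0 as the OS disk and C: as the system drive.

```ruby
# Added example: guard the disk list handed to diskpart_partition
# (not part of the talk or the diskpart cookbook).

# Assumptions for this example: disk 0 carries the OS and C: is the system drive.
OS_DISK_NUMBER = 0
SYSTEM_DRIVE   = 'C'

# Return the keys that appear more than once in +values+.
def duplicates(values)
  values.group_by(&:itself).select { |_, v| v.size > 1 }.keys
end

# Returns +disks+ unchanged when every entry is acceptable; otherwise raises
# ArgumentError listing every problem found, so nothing is half-applied.
def validate_disk_specs(disks)
  problems = []
  disks.each_with_index do |d, i|
    num, letter = d[:number], d[:letter]
    unless num.is_a?(Integer) && num >= 0
      problems << "disk #{i}: number must be a non-negative Integer"
    end
    problems << "disk #{i}: refusing to touch OS disk #{OS_DISK_NUMBER}" if num == OS_DISK_NUMBER
    unless letter.is_a?(String) && letter =~ /\A[A-Z]\z/
      problems << "disk #{i}: letter must be a single A-Z character"
    end
    problems << "disk #{i}: refusing to touch system drive #{SYSTEM_DRIVE}:" if letter == SYSTEM_DRIVE
  end
  dup_letters = duplicates(disks.map { |d| d[:letter] })
  dup_numbers = duplicates(disks.map { |d| d[:number] })
  problems << "duplicate drive letters: #{dup_letters.inspect}" unless dup_letters.empty?
  problems << "duplicate disk numbers: #{dup_numbers.inspect}" unless dup_numbers.empty?
  raise ArgumentError, problems.join('; ') unless problems.empty?
  disks
end

# Constructed sample attribute data (symbol keys as on the slide; node
# attributes loaded from JSON would use string keys).
GOOD_DISKS = [{ number: 1, letter: 'D' }, { number: 2, letter: 'E' }].freeze
BAD_DISKS  = [{ number: 0, letter: 'C' }, { number: 1, letter: 'D' }, { number: 3, letter: 'D' }].freeze

# In a recipe:
#   validate_disk_specs(disks).each do |disk|
#     diskpart_partition "create_#{disk[:letter]}:/" do ... end
#   end
if __FILE__ == $PROGRAM_NAME
  puts validate_disk_specs(GOOD_DISKS).inspect
  begin
    validate_disk_specs(BAD_DISKS)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```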
  25. Manage Printers and Printer Ports

      # opscode-cookbooks/windows
      # create a printer
      windows_printer 'HP LaserJet 5th Floor' do
        driver_name 'HP LaserJet 4100 Series PCL6'
        ipv4_address
  26. Better Performance
  27. Chef 11: Ruby Performance Improvements
      30 - 50% faster Chef Client Run time on Windows
  28. Ohai Plugins to Disable on Windows

      Ohai::Config[:disabled_plugins] = [
        # The following plugins are disabled as they are either not needed,
        # have poor performance, or do not apply to the Windows configuration
        # we use.
        "c", "cloud", "ec2", "rackspace", "eucalyptus", "command", "dmi",
        "dmi_common", "erlang", "groovy", "ip_scopes", "java", "keys",
        "lua", "mono", "network_listeners", "passwd", "perl",
        "php", "python", "ssh_host_key", "uptime", "virtualization",
        "windows::virtualization", "windows::kernel_devices"
      ]
  29. Summary
  30. Chef-Vault and Run As
      moserke / chef-vault: Securely store and retrieve certificates and service acct passwords
      opscode / mixlib-shellout: Run commands as another user
  31. Manage disks and printers
      moserke / diskpart-cookbook
      opscode-cookbooks / windows v1.8.2 has Printer/Printer Port LWRPs
  32. Performance Improvements
  33. Call to Action
      • IIS cookbook not idempotent for options
      • Better bootstrapping using Kerberos
      • Better integration with Active Directory
  34. Will you join us?
  35. Go to Adam Edward’s talk right after this
      • “Cooking on Windows without the Windows Cookbook”
      • Seacliff A,B,C,D
  36.