Tips and Tricks for Automating Windows
Doug Ireton
Infrastructure Engineering
@dougireton / dougireton.com
Who am I?
• Infrastructure Engineer at Nordstrom
• I’ve been a tester, a developer and a sysadmin
• Working with Windows for 20 years
@dougireton
Infrastructure Engineering
Who are you?
Agenda
• About Nordstrom
• A challenging first project
• What we’ve learned from automating Windows
• Twitter: #chefconf #winchef
Brick and Mortar still critical
A complex first project...
With Good Results...
Our First Real Chef Project
• Manual Steps: 48 -> 5
• Team Handoffs: 15 -> 1
• Provision Time: 22 hours -> 7
Tips and Tricks for Automating Windows with Chef
We Didn’t Have Run As
Fast-Forward to...
Tips and Tricks for Automating Windows with Chef
“I’ve noticed a considerable reduction in deployment time from base OS to fully functional app server. We are also deploying a more consistent product to our customers now due to the automated configuration management.”
- Harvey Bendana
Nordstrom WebOps team
Windows Cookbook Helpers
win_friendly_path()
# include Windows::Helper from Opscode Windows Cookbook
::Chef::Recipe.send(:include, Windows::Helper)

# now you can call helper methods like win_friendly_path directly
my_batch_file = win_friendly_path('c:/temp/foo.bat')

execute "My batch file" do
  command my_batch_file   # c:\temp\foo.bat
end
locate_sysnative_cmd() helper for 64-bit Windows
# include Windows::Helper from Opscode Windows Cookbook
::Chef::Recipe.send(:include, Windows::Helper)

# returns the path to the native 64-bit dism.exe (via sysnative) on 64-bit Windows,
# so a 32-bit chef-client is not silently redirected to the WOW64 copy
locate_sysnative_cmd("dism.exe")
Run Commands As Another User
“The system uses shared-key encryption. An encrypted file can only be decrypted by a node or a user with the same shared-key.”
http://docs.opscode.com/essentials_data_bags_encrypt.html
Encrypted Data Bags
“That’s why storing encryption keys on the same system where the protected data resides violates all of the core principles of data protection.”
- Patrick Townsend
Townsend Security
http://web.townsendsecurity.com/bid/23881/PCI-DSS-2-0-and-Encryption-Key-Management
http://www.flickr.com/photos/gtarded/2759499462/sizes/l/
Chef-Vault
knife encrypt password
Use this knife command to encrypt the username and password that
you want to protect.
$ knife encrypt password --search "role:web_server" \
    --username "mysql_user" --password "P@ssw0rd" \
    --admins "alice, bob, carol"
Securely manage passwords for Run As
chef_gem "chef-vault"

require 'chef-vault'

# given a 'passwords' data bag
vault = ChefVault.new("passwords")

# get the 'mysql_user' data bag item
user = vault.user("mysql_user")

# decrypt the user's password
password = user.decrypt_password
# do something with password
Run Commands as Another User
require 'chef-vault'

ruby_block "Add server to WSUS group" do
  block do
    Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)

    # get password from Chef-Vault ('passwords' data bag, 'mysql_user' item, as on the previous slide)
    vault = ChefVault.new("passwords")
    user = vault.user("mysql_user")
    password = user.decrypt_password

    add_group = shell_out(
      "dsquery.exe computer -name #{ node['hostname'] } | dsmod group 'cn=patch_Tuesday,dc=mycorp,dc=com' -addmbr",
      {
        :user     => "my_user",
        :password => password,
        :domain   => "mycorp.com",
      }
    )
    # fail the run instead of silently ignoring a non-zero exit from dsquery/dsmod
    add_group.error!
  end
end
Managing Devices
Manage disks, partitions, and drives
# Use Kevin Moser's diskpart cookbook

diskpart_partition "create_#{disk[:letter]}:/" do
  disk_number disk[:number]
  letter disk[:letter]
  action :create
end

diskpart_partition "format_#{disk[:letter]}:/" do
  disk_number disk[:number]
  letter disk[:letter]
  action :format
end
Manage Printers and Printer Ports
# https://github.com/opscode-cookbooks/windows

# create a printer
windows_printer 'HP LaserJet 5th Floor' do
  driver_name 'HP LaserJet 4100 Series PCL6'
  ipv4_address '10.4.64.38'
end
Better Performance
Chef 11: Ruby Performance Improvements
30 - 50% faster Chef Client Run time
on Windows
Ohai Plugins to Disable on Windows
Ohai::Config[:disabled_plugins] = [
  # The following plugins are disabled as they are either not needed,
  # have poor performance, or do not apply to the Windows configuration
  # we use.

  "c", "cloud", "ec2", "rackspace", "eucalyptus", "command", "dmi",
  "dmi_common", "erlang", "groovy", "ip_scopes", "java", "keys",
  "lua", "mono", "network_listeners", "passwd", "perl",
  "php", "python", "ssh_host_key", "uptime", "virtualization",
  "windows::virtualization", "windows::kernel_devices"
]
Summary
Chef-Vault and Run As
moserke / chef-vault
Securely store and retrieve certificates and service acct passwords
opscode / mixlib-shellout
Run commands as another user
Manage disks and printers
moserke / diskpart-cookbook
opscode-cookbooks / windows v1.8.2 has Printer/Printer Port LWRPs
Performance Improvements
http://wiki.opscode.com/display/chef/Disabling+Ohai+Plugins
Call to Action
• IIS cookbook not idempotent for options
• Better bootstrapping using Kerberos
• Better integration with Active Directory
Will you join us?
http://bit.ly/infeng
Go to Adam Edwards' talk right after this
• “Cooking on Windows without the Windows Cookbook”
• Seacliff A,B,C,D
http://www.flickr.com/photos/drachmann/327122302/sizes/l/
Photo Credits
1. Slide 3: http://www.flickr.com/photos/benedictineuniversity/6021873707/sizes/l/
2. Slide 4: http://www.flickr.com/photos/kubina/278696130/sizes/l/
3. Slide 7: http://www.flickr.com/photos/orlando-herb/8167991591/sizes/l/
4. Slide 9: http://www.flickr.com/photos/ejbsf/8609182524/sizes/h/
5. Slide 10: http://www.flickr.com/photos/ashley-rly/3768328487/sizes/l/
