Puppet and Nano Server provide an amazing mix when it comes to automated cloud deployments. This slide deck is from my session at PuppetCamp NYC and Boston.
4. What is Nano Server?
A lightweight installation option for Windows Server
Optimized for cloud deployments
Optimized footprint, a few hundred megabytes!
Fast boot times
Windows without Windows
5. What can I do with Nano Server?
Included Packages
Hyper-V
Shielded VM
Windows Containers (including Docker)
File Server (including SoFS / S2D)
IIS / ASP.Net 5
Windows Failover Clustering
DNS
SCVMM
DSC
Additional Packages
OpenStack
6. Availability?
Released with Windows Server 2016
Currently available in Technical Preview (TP5)
Get a Windows Server 2016 TP5 ISO from:
https://microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview
8. Limitations
Nano Server’s API surface is limited!
Includes “reverse forwarders” for compatibility with existing binaries
Any API that requires Windows GUI / shell interaction is missing or not implemented
Win64
.Net CoreCLR is portable (Windows, Linux, OS X) but more limited compared to the Full CLR
9. Limitations
Some CLI differences
PowerShell differences
No MSI
No ADSI (used by puppet for managing users and groups)
COM STA mode not available (only MTA)
No COM monikers
In general, porting applications to run on Nano requires some effort
10. How to check application compatibility?
Windows API (Native apps, C/C++, etc):
NanoServerApiScan.exe
.Net Core
https://github.com/Microsoft/dotnet-apiport
11. Build a Nano Server image for bare metal or Hyper-V
Get a Windows Server 2016 TP5 ISO from https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview
Example:
New-NanoServerImage -Edition Standard -DeploymentType Guest -MediaPath f:\ -BasePath .\Base -TargetPath .\Nano1\Nano.vhd -ComputerName Nano1
Packages can be added (Hyper-V, IIS, etc)
Select -DeploymentType Host for physical servers
A custom unattend.xml can be provided for apps deployment / configuration
No need for activation!
12. What about OpenStack, KVM, ESXi, MAAS, etc?
PowerShell script to add additional features and target formats:
https://github.com/cloudbase/cloudbase-init-offline-install
..\NewNanoServerImage.ps1 -IsoPath C:\WindowsServerTP5.iso `
-TargetPath C:\Nano.qcow2 -Platform KVM `
-AdministratorPassword $password `
-Compute -Storage -Clustering `
-ExtraDriversPaths C:\Dev\Drivers\NUC_2015_Intel_ndis64 `
-AddCloudbaseInit `
-AddMaaSHooks `
-MaxSize 1500MB `
-DiskLayout "BIOS"
13. Managing Nano Server
$c = Get-Credential
Enter-PSSession <NanoServer> -Credential $c
On a Hyper-V host:
Enter-PSSession -VMName <NanoServerVMName> -Credential $c
PowerShell remoting is also available on regular Windows! This is the native equivalent of SSH on Windows
How to copy files remotely:
$s = New-PSSession <NanoServer> -Credential $c
Copy-Item -ToSession $s -Path c:\SomeFiles -Destination c:\SomeRemoteDir
15. OpenStack + Nano Server
https://cloudbase.it/openstack-windows-nano-server/
Cloudbase-Init support
→ Including Heat templates support
Works on OpenStack supported hypervisors:
→ Hyper-V
→ KVM
→ ESXi
19. Offline domain join
No need to share sensitive domain credentials!
On a domain joined host:
djoin /provision /domain cloudbase.demo /machine nanotp5 /savefile blob.txt
Copy blob.txt to the host that needs to join the domain and run:
djoin /requestODJ /loadfile blob.txt /windowspath %SystemRoot% /localos
Works on Windows Server 2008 R2 and above as well!
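The two djoin steps chained over PowerShell remoting, as an added example that is not from the original slides. It assumes remoting to the Nano Server already works as on slide 13; `$nanoAddress` and the file paths are constructed placeholders. The blob is deleted on both hosts because it contains the password of the newly provisioned machine account.

```powershell
# Added example, not from the original deck.
# Domain and machine names are the ones on the slide; address and paths are placeholders.
$domain      = 'cloudbase.demo'
$machine     = 'nanotp5'
$nanoAddress = '192.0.2.10'                        # placeholder (documentation range)
$localBlob   = Join-Path $env:TEMP "$machine.odj"  # per-user temp directory
$remoteBlob  = 'C:\odj-blob.txt'                   # placeholder path on the Nano Server

# Step 1, on the domain-joined host: create the computer account and the join blob.
djoin.exe /provision /domain $domain /machine $machine /savefile $localBlob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed ($LASTEXITCODE)" }

try {
    $session = New-PSSession -ComputerName $nanoAddress -Credential (Get-Credential)

    # Step 2: copy the blob over the remoting session, no file share required.
    Copy-Item -ToSession $session -Path $localBlob -Destination $remoteBlob

    # Step 3, on the Nano Server: apply the blob, then delete it whatever the outcome.
    $exitCode = Invoke-Command -Session $session -ArgumentList $remoteBlob -ScriptBlock {
        param($blobPath)
        try {
            djoin.exe /requestODJ /loadfile $blobPath /windowspath $env:SystemRoot /localos | Out-Null
            $LASTEXITCODE
        }
        finally {
            Remove-Item -Path $blobPath -Force -ErrorAction SilentlyContinue
        }
    }
    if ($exitCode -ne 0) { throw "djoin /requestODJ failed ($exitCode)" }

    # The join takes effect at the next boot.
    Invoke-Command -Session $session -ScriptBlock { shutdown.exe /r /t 5 }
}
finally {
    if ($session) { Remove-PSSession $session }
    # The blob holds the machine account password: do not leave it on disk.
    Remove-Item -Path $localBlob -Force -ErrorAction SilentlyContinue
}
```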
20. Puppet on Nano Server
Puppet is based on Ruby 2.x and C++
Ruby works on Nano Server with some minor changes:
win32ole
win32-dir
Facter also needs minor changes (both Ruby and native ones)
Some resource types do not work ATM, e.g. users and groups
Other providers require minor changes, e.g.:
puppetlabs-dsc
puppetlabs-reboot
21. How to create packages on Nano Server
MSI packages are not supported on Nano Server
Nano Server has a new packaging model called Windows Server Apps (WSA) based on APPX
Packages include a directory tree and some extensions: NT services, WMI providers, COM servers
An XML manifest file is needed
Appx packages need to be signed
Deployment:
Add-AppxPackage puppet.appx
Get-AppxPackage puppet
Remove-AppxPackage puppet
22. A Puppet APPX package
Here’s a Puppet for Nano Server package: https://github.com/cloudbase/puppet-nano-server
For creating the package, you need the latest Windows 10 SDK (10.0.14332.1000 or above)
The certificate subject (CN) must match the Publisher identity in the package manifest
makeappx pack /d puppet-nano-server /p puppet.appx
signtool.exe sign /fd sha256 /sha1 xxxxxxxxxxxxxxxxxxxxx /t http://timestamp.verisign.com/scripts/timstamp.dll /v puppet.appx
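A build-host check around the two commands above, as an added example that is not from the original slides or the puppet-nano-server repository. It assumes the signing certificate is in the current user's personal store and that the SDK tools are on PATH; the thumbprint is a placeholder.

```powershell
# Added example, not from the original deck. Run on the build host.
$packageDir = '.\puppet-nano-server'             # directory given to makeappx /d on the slide
$package    = '.\puppet.appx'
$thumbprint = '<SIGNING-CERT-SHA1-THUMBPRINT>'   # placeholder, elided on the slide
$timestamp  = 'http://timestamp.verisign.com/scripts/timstamp.dll'   # URL from the slide

# The signing certificate (assumed location: current user's personal store).
$cert = Get-Item -Path "Cert:\CurrentUser\My\$thumbprint"

# Publisher declared in the package manifest.
[xml]$manifest = Get-Content -Path (Join-Path $packageDir 'AppxManifest.xml')
$publisher = $manifest.Package.Identity.Publisher

# Fail before packing if manifest and certificate disagree (plain string comparison).
if ($publisher -ne $cert.Subject) {
    throw "Manifest Publisher '$publisher' does not match certificate subject '$($cert.Subject)'"
}

makeappx.exe pack /d $packageDir /p $package
if ($LASTEXITCODE -ne 0) { throw "makeappx failed ($LASTEXITCODE)" }

signtool.exe sign /fd sha256 /sha1 $thumbprint /t $timestamp /v $package
if ($LASTEXITCODE -ne 0) { throw "signtool failed ($LASTEXITCODE)" }

# Confirm the package carries a valid signature from the expected certificate.
$signature = Get-AuthenticodeSignature -FilePath $package
if ($signature.Status -ne 'Valid' -or
    $signature.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Unexpected signature on ${package}: $($signature.Status)"
}
```

The final check reports `Valid` only when the certificate chains to a root trusted on the machine running it, so a self-signed certificate has to be installed as trusted there first.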
23. Puppet and Nano Server
Some notable modules:
puppetlabs-powershell
puppetlabs-acl
puppetlabs-reboot
puppetlabs-dsc
Some widely used Windows modules and resource types don’t work, e.g.:
puppet-iis is based on the PowerShell WebAdministration module (Not available on Nano)
scheduled_task requires mstask.dll, not available on Nano Server
24. How to manage local users and groups
ADSI is not supported on Nano, so until Puppet adds an alternative (e.g. Win32):
$username = 'nano'
$password = 'P@ssw0rd'
$groupname = 'puppet'
# Create the group only if it does not already exist
exec { 'new-local-group':
  command => "New-LocalGroup -Name ${groupname}",
  unless => "Get-LocalGroup -Name ${groupname}",
  provider => powershell,
}
26. DSC and Puppet
PowerShell Desired State Configuration (DSC)
DSC is a declarative platform used for configuration, deployment, and management of systems
Similar in scope to Puppet
The puppetlabs-dsc module offers a bridge between Puppet and DSC
Allows using DSC resources, no need to rewrite them for Puppet
Only a few resources work on Nano for the time being (technical preview)
Notice the dsc_ prefix
dsc_registry {'registry_test':
  dsc_ensure => 'Present',
  dsc_key => 'HKEY_LOCAL_MACHINE\SOFTWARE\ExampleKey',
  dsc_valuename => 'TestValue',
  dsc_valuedata => 'TestData',
}
28. Licensing
Windows licensing is surprisingly easy in OpenStack
→ Datacenter license => unlimited instances
→ 1 license per socket => per core in 2016
→ Works with Hyper-V, VMware, KVM, etc
→ Very cost effective (a few USD / month per VM)
Volume licensing
Multitenant? SPLA