Nordstrom has been using Chef to automate Windows environments. Come by this talk to get some tips and tricks for managing your Windows-based environment with Chef.
Tips such as:
Using Mixlib::Shellout and PowershellOut to execute Windows tools and scripts as a Domain user.
Windows cookbook improvements, including Printer LWRP
Diskpart cookbook
Chef-keypass for better one-way encryption of data-bag secrets, including certs and passwords
How to use Windows cookbook helpers
Using the new Windows Registry resource in Chef 11
Windows Sysnative for correctly locating Windows programs
Perf improvement numbers for Ruby 1.9.3 in Chef 11 for Windows
Recommended Ohai plugins to disable
14. “I’ve noticed a considerable reduction in deployment time from base OS to fully functional app server. We are also deploying a more consistent product to our customers now due to the automated configuration management.”
- Harvey Bendana, Nordstrom WebOps team
16. win_friendly_path()
# include Windows::Helper from Opscode Windows Cookbook
::Chef::Recipe.send(:include, Windows::Helper)
# now you can call helper methods like win_friendly_path directly
my_batch_file = win_friendly_path('c:/temp/foo.bat')
execute "My batch file" do
  command my_batch_file # c:\temp\foo.bat
end
17. locate_sysnative_cmd() helper for 64-bit Windows
# include Windows::Helper from Opscode Windows Cookbook
::Chef::Recipe.send(:include, Windows::Helper)
locate_sysnative_cmd("dism.exe")
19. Encrypted Data Bags
“The system uses shared-key encryption. An encrypted file can only be decrypted by a node or a user with the same shared-key.”
http://docs.opscode.com/essentials_data_bags_encrypt.html
20. “That’s why storing encryption keys on the same system
where the protected data resides violates all of the core
principles of data protection.”
- Patrick Townsend
Townsend Security
http://web.townsendsecurity.com/bid/23881/PCI-DSS-2-0-and-Encryption-Key-Management
22. knife encrypt password
Use this knife command to encrypt the username and password that you want to protect.
$ knife encrypt password --search "role:web_server" --username "mysql_user" --password "P@ssw0rd" --admins "alice, bob, carol"
23. Securely manage passwords for Run As
chef_gem "chef-vault"
require 'chef-vault'
# given a 'passwords' data bag
vault = ChefVault.new("passwords")
# get the 'mysql_user' data bag item
user = vault.user("mysql_user")
# decrypt the user's password
password = user.decrypt_password
# do something with password
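The reason Chef-Vault avoids the shared-key problem quoted on slides 19 and 20 is its layout: the item is encrypted with a random shared key, and that key is wrapped separately under each authorized client's public key, so no node stores a vault-wide key. The following is an added illustration of that model written for this page (it is not the chef-vault gem's code), using a constructed sample with two authorized clients and one that is not; names such as `vault_encrypt`, `web01` and `db02` are assumed.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Encrypt a data-bag item with a fresh random shared key, then wrap that shared
# key once per authorized client public key (Chef-Vault's layout, simplified).
def vault_encrypt(item, authorized_pubkeys)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  shared_key = cipher.random_key
  iv = cipher.random_iv
  data = cipher.update(JSON.dump(item)) + cipher.final
  {
    'iv'   => Base64.strict_encode64(iv),
    'data' => Base64.strict_encode64(data),
    # each authorized client gets its own RSA-wrapped copy of the shared key
    'keys' => authorized_pubkeys.transform_values { |pub| Base64.strict_encode64(pub.public_encrypt(shared_key)) }
  }
end

# A client unwraps its own copy of the shared key with its private key; a client
# with no entry under 'keys' cannot recover the shared key at all.
def vault_decrypt(vault, client_name, private_key)
  wrapped = vault['keys'][client_name]
  raise "#{client_name} is not authorized for this item" unless wrapped
  shared_key = private_key.private_decrypt(Base64.strict_decode64(wrapped))
  decipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  decipher.key = shared_key
  decipher.iv = Base64.strict_decode64(vault['iv'])
  JSON.parse(decipher.update(Base64.strict_decode64(vault['data'])) + decipher.final)
end

# Constructed sample: web01 and admin alice are authorized, db02 is not.
if __FILE__ == $0
  keys = %w[web01 alice db02].to_h { |n| [n, OpenSSL::PKey::RSA.new(2048)] }
  vault = vault_encrypt({ 'username' => 'mysql_user', 'password' => 'P@ssw0rd' },
                        'web01' => keys['web01'].public_key, 'alice' => keys['alice'].public_key)
  puts vault_decrypt(vault, 'web01', keys['web01'])['username'] # mysql_user
  begin
    vault_decrypt(vault, 'db02', keys['db02'])
  rescue RuntimeError => e
    puts e.message # db02 is not authorized for this item
  end
end
```

Revoking a node then means rewriting the item with a new shared key and a `keys` map that omits it, which is what `knife encrypt` style tooling does for you.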
24. Run Commands as Another User
ruby_block "Add server to WSUS group" do
  block do
    Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)
    # get password from Chef-Vault
    # ('user' is the vault item looked up on the previous slide: vault.user("mysql_user"))
    password = user.decrypt_password
    add_group = shell_out(
      "dsquery.exe computer -name #{node['hostname']} | dsmod group 'cn=patch_Tuesday,dc=mycorp,dc=com' -addmbr",
      {
        :user     => "my_user",
        :password => password,
        :domain   => "mycorp.com",
      }
    )
  end
end
26. Manage disks, partitions, and drives
# Use Kevin Moser's diskpart cookbook
diskpart_partition "create_#{disk[:letter]}:/" do
  disk_number disk[:number]
  letter      disk[:letter]
  action      :create
end
diskpart_partition "format_#{disk[:letter]}:/" do
  disk_number disk[:number]
  letter      disk[:letter]
  action      :format
end
27. Manage Printers and Printer Ports
# https://github.com/opscode-cookbooks/windows
# create a printer
windows_printer 'HP LaserJet 5th Floor' do
  driver_name  'HP LaserJet 4100 Series PCL6'
  ipv4_address '10.4.64.38'
end
29. Chef 11: Ruby Performance Improvements
30 - 50% faster Chef Client Run time on Windows
30. Ohai Plugins to Disable on Windows
Ohai::Config[:disabled_plugins] = [
  # The following plugins are disabled as they are either not needed,
  # have poor performance, or do not apply to the Windows configuration
  # we use.
  "c",
  "cloud",
  "ec2",
  "rackspace",
  "eucalyptus",
  "command",
  "dmi",
  "dmi_common",
  "erlang",
  "groovy",
  "ip_scopes",
  "java",
  "keys",
  "lua",
  "mono",
  "network_listeners",
  "passwd",
  "perl",
  "php",
  "python",
  "ssh_host_key",
  "uptime",
  "virtualization",
  "windows::virtualization",
  "windows::kernel_devices"
]
32. Chef-Vault and Run As
moserke / chef-vault
Securely store and retrieve certificates and service acct passwords
opscode / mixlib-shellout
Run commands as another user
33. Manage disks and printers
moserke / diskpart-cookbook
opscode-cookbooks / windows v1.8.2 has Printer/Printer Port LWRPs