PuppetConf 2016: Puppet on Windows – Nicolas Corrarello, Puppet

Post on 16-Jan-2017


Puppet on Windows

Ensuring you make the right first steps in managing your Windows configuration

Nicolas Corrarello Senior Technical Solutions Engineer | Puppet

sgtpepper @ irc.freenode.net

Agenda

• Introduction
• The Puppet RAL
• Windows Specific Resources (and interfaces!)
• Modules
• Profiles and Roles
• So where did my configuration go? (Data Separation)
• Ten first things…
• An example role

The Puppet RAL

That’s Resource Abstraction Layer

The Puppet RAL

service { 'wuauserv':
  ensure => 'running',
  enable => 'true',
}

Windows specific resources

Extending the Puppet RAL: Windows specific

Interfaces…

Managing a Windows system is super easy. Managing thousands of Windows systems…

Where configuration lives, Unix/Linux vs. Windows:

Unix/Linux: Text files, generally under /etc

Windows: Win32 API, Registry, Text files (generally INI), (Power)Shell, GUI, WinRM, Proprietary / binary files

And not all interfaces perform alike…

Modules

Modeling configuration: The BGInfo example

Requirements

● Package needs to be installed
● Configuration files created
● Run at login
● Loads of system info

How is this not a module, right?

package { 'bginfo':
  ensure   => installed,
  provider => 'chocolatey',
}

file { $bgipath:
  ensure  => file,
  source  => $bgifile,
  require => Package['bginfo'],
}

if $setonstart {
  file { 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\bginfo.bat':
    ensure  => file,
    content => template('bginfo/bginfo.bat.erb'),
  }
}

What BGInfo needs…

Package: Thanks Chocolatey, no need for complex MSIs

Configuration File: Ok static is not ideal, but you know, MVP

Startup Script: Templated so it works on all systems

Raw?

Medium rare?

Assumptions

Requirements

● Package pre-requirements
● Firewall rules
● ESC
● Required values
● Things for which you don’t have defaults
● Sane defaults
● Are you breaking something else?
● Are you going outside what your module is supposed to do?

ASSUMPTION

THE MOTHER OF ALL BAD THINGS

Profiles & Roles

Profiles: technology-specific wrapper classes

Roles: business-specific wrapper classes

“One final note before we move on – the terms ‘Roles’ and ‘Profiles’ are ENTIRELY ARBITRARY. They’re not magic reserve words in Puppet, and you can call them whatever [..] you want. It’s also been pointed out that Craig MIGHT have misnamed them (a ROLE should be a model for an individual piece of tech, and a PROFILE should probably be a group of roles)…”

Gary Larizza, Feb 17th, 2014. Extracted from www.garylarizza.com

Profile module

Technology-related classes that get applied to one or more nodes. One per manifest, with the right naming convention.

Kind of good… not that reusable:

class profile::windows::baseline {
  class { 'domain_membership':
    domain       => 'CONTOSO',
    username     => 'domainadmin',
    password     => 'd0n0tst3alth1s.',
    join_options => '3',
  }

  class { 'bginfo':
    setonstart     => true,
    addtrustedsite => true,
  }
}

Better:

class profile::windows::baseline {
  include domain_membership
  include bginfo
}

Where did my configuration go?

Enter Hiera

Hiera: Lightweight Pluggable Hierarchical Database

Hierarchical storage of data, based on facts

● Different kind of data structures, from key / value to array

● Multiple backends (Default, YAML files)

Separate your code from your data, as you know… when you write any kind of software!

Sensitive data?

---
plain-property: You can see me

encrypted-property: >
  ENC[PKCS7,Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
  NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
  jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
  l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
  /HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
  IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]

If you want to learn more about just how to work with sensitive data, see “Nice and Secure: Good OpSec Hygiene with Puppet” at 3.45 PM
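As an added example (not code from the talk, nor from the trlinkin/domain_membership or ncorrare/bginfo modules), here is the "Better" baseline profile from the Profile module slide with its data moved into Hiera, so the join credentials come from an eyaml file like the one above instead of being hardcoded in the manifest. The Hiera key names, the parameter names and the ENC[...] placeholder are assumptions; the domain_membership and bginfo parameters are the ones shown on the slides.

```puppet
# Added example: a baseline profile whose data comes from Hiera through
# automatic parameter lookup (keys named profile::windows::baseline::<parameter>).
# Constructed data/common.eyaml (the ENC[...] value is a placeholder, not real
# ciphertext; hiera-eyaml decrypts it on the master at catalog compile time):
#
#   profile::windows::baseline::domain:    'CONTOSO'
#   profile::windows::baseline::join_user: 'domainjoin'
#   profile::windows::baseline::join_password: >
#     ENC[PKCS7,<ciphertext placeholder>]
#   profile::windows::baseline::bginfo_on_start: true
#
class profile::windows::baseline (
  # String[1] rejects an empty value, so a missing Hiera key fails the
  # compile instead of attempting a join with blank credentials: these are
  # "required values" with no sane default, as the Assumptions slide puts it.
  String[1] $domain,
  String[1] $join_user,
  String[1] $join_password,
  Boolean   $bginfo_on_start = true,
) {
  # Same class declaration as the slide, with no credentials in the manifest.
  class { 'domain_membership':
    domain       => $domain,
    username     => $join_user,
    password     => $join_password,
    join_options => '3',
  }

  # Explicit ordering: BGInfo is configured only after the domain join,
  # rather than relying on the order the classes happen to be declared in.
  class { 'bginfo':
    setonstart => $bginfo_on_start,
    require    => Class['domain_membership'],
  }
}
```

With this layout the same profile class is reused unchanged across environments; only the Hiera data differs per domain or per node.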

Roles

● Roles only include profiles
● Every node is classified with one role
● Roles can use inheritance
● A slightly different role is another role

class role::windows::ecommerceweb {
  include profile::windows::baseline
  include profile::windows::dmzhost
  include profile::windows::iis
  include profile::windows::webapp
}

Ten first things…

An example profile

An example profile, 10 first things

What are the 10 first things you configure on a Windows system?

● Windows Firewall
● Filesystem ACLs
● Windows Time
● Monitoring Agent
● Registry Keys
● Domain Membership
● BGInfo
● Antivirus
● Logon message
● Local Administrator

Domain Membership

● Not a Puppet Supported Module
● Widely used
● Authored by Tom Linkin
● Use Hiera for data separation

Module trlinkin/domain_membership

class { 'domain_membership':
  domain       => 'puppet.example',
  username     => 'joinmember',
  password     => 'sUp3r_s3cR3t!',
  join_options => '3',
}

BGInfo

● Not a Puppet Supported Module

● Not widely used

● Authored by yours truly

Module ncorrare/bginfo

include bginfo

Antivirus… Which?

● If you have an MSI, use the package type, part of the core Puppet functionality
● Chocolatey packaging allows versioning!
● Do you need to configure something? Model around it

Do you require to model configuration? Is it a centralised solution?

package { 'clamwin':
  ensure   => present,
  provider => chocolatey,
}

Logon Message

● Supported module
● Sets the registry keys
● Supports templates!

Module puppetlabs/motd

class { 'motd':
  content => "Hello World!",
}

Local Administrator

● Both are supported
● DSC supports more Windows-specific attributes

User resource / DSC User resource provided by the puppetlabs/dsc module

dsc_user { 'localadmin':
  dsc_username             => 'localadmin',
  dsc_description          => 'Local Administrator user',
  dsc_ensure               => present,
  dsc_password             => { 'user' => 'localadmin', 'password' => 'very.secret' },
  dsc_passwordneverexpires => false,
  dsc_disabled             => true,
}

user { 'localadmin':
  ensure   => present,
  password => 'very.secret',
}

Windows Firewall

● Supported
● Manage by exception

DSC xFirewall resource provided by puppetlabs/dsc

dsc_xfirewall { 'Allow WinRM':
  dsc_name      => "$name Allow WinRM",
  dsc_ensure    => 'present',
  dsc_direction => 'Inbound',
  dsc_localport => '5985',
  dsc_protocol  => 'TCP',
  dsc_action    => 'Allow',
}
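As an added example of "manage by exception" (not code from the talk or from the puppetlabs/dsc module): a firewall profile that declares one dsc_xfirewall rule per entry in a Hiera hash, using only the attributes shown on the slide, so adding an inbound exception is a reviewed data change rather than a code change. The Hiera key profile::windows::firewall::rules and its entries are constructed.

```puppet
# Added example: inbound firewall exceptions driven by Hiera data.
# Constructed data/common.yaml; a node with no entry gets no exceptions:
#
#   profile::windows::firewall::rules:
#     'Allow WinRM': { port: '5985', protocol: 'TCP' }
#     'Allow RDP':   { port: '3389', protocol: 'TCP' }
#
class profile::windows::firewall (
  # Rule name => { port, protocol }. The Struct type rejects malformed data
  # (non-numeric port, unknown protocol) at compile time, before any rule
  # is pushed to a node.
  Hash[String[1], Struct[{
    'port'     => Pattern[/\A\d+\z/],
    'protocol' => Enum['TCP', 'UDP'],
  }]] $rules = {},
) {
  $rules.each |String $rule_name, Hash $rule| {
    dsc_xfirewall { $rule_name:
      dsc_name      => $rule_name,
      dsc_ensure    => 'present',
      dsc_direction => 'Inbound',
      dsc_localport => $rule['port'],
      dsc_protocol  => $rule['protocol'],
      dsc_action    => 'Allow',
    }
  }
}
```

Because the default is an empty hash, a host whose role does not supply rule data ends up with none of the exceptions, which is the safe direction for a firewall profile.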

Filesystem ACLs

● Supported
● Set full ACLs

ACL resource provided by puppetlabs/acl

acl { 'c:/tempperms':
  permissions => [
    { identity => 'Administrator', rights => ['full'] },
    { identity => 'Users', rights => ['read', 'execute'] },
  ],
}

Windows Time Configuration

Registry Keys, Commands, Settings, Active Directory… or ncorrare/windowstime

class { 'windowstime':
  servers => {
    'pool.ntp.org'     => '0x01',
    'time.windows.com' => '0x01',
  },
}

● Modeling registry keys and services
● Or BYORK (Bring your own registry key)

Monitoring Agent… Which?

● If you have an MSI, use the package type, part of the core Puppet functionality
● Chocolatey packaging allows versioning!
● Do you need to configure something? Model around it
● SCOM? Check https://technet.microsoft.com/en-us/system-center-docs/om/manage/install-agent-using-the-command-line

Do you require to model configuration? Is it a centralised solution?

package { 'SCOM':
  ensure => present,
  source => 'MoMAgent.msi',
}

Registry Keys

registry_key / registry_value resources provided by the puppetlabs/registry module

registry_key { 'HKLM\System\CurrentControlSet\Services\Puppet':
  ensure => present,
}

An example role

Who wants cake?

An example role, FourthCoffee

What do I need to make this work?

● Baseline Profile
● IIS Profile
● FourthCoffee Profile

Steal this code!

● https://github.com/ncorrare/puppetconf2016-control
● Slides will be posted shortly
● Talk to a Linux sysad, you probably have more in common than you think!

Try it, break it, play with it, share it (just not on production)

Questions