Six Weird Facts about Puppet on Windows… and more facts worth knowing3 November 2015Presented by Jeremy McGee and Steven Hawkins

Disclaimer:This is probably not the recommended approach. But it works for us

Who are Hiscox?

3

USAAtlantaChicagoLos AngelesNew York CitySan FranciscoWhite Plains

GuernseySt Peter Port

Latin American gatewayMiami

BermudaHamilton

EuropeAmsterdamBordeauxBrusselsCologneDublinHamburgLisbonLyonMadridMunichParis

UKBirminghamColchesterGlasgowLeedsLondonMaidenheadManchesterYorkAsiaBangkok Hong KongSingapore

International specialist insurer£2.0B in GWP 2,000 employees

The Hiscox IT landscape

Hiscox is an insurance company.Where possible we buy, not build.The organisation relies on customised, packaged applications.This has its own challenges.

4

Deployment stack

5

Pace

of chan

ge

Stage Item Examples ToolsReady Application

componentsDLLs, SQL scripts, configuration

IBM UrbanCodeOctopus Deploy

Deployed Middleware IIS, JBoss Puppet

Configured Server configuration

NTFS, registry PuppetInstalled Server

applicationsAV, SQL Server VMware

templatesBuilt Operating

systemOS, partitions, AD membership

VMwaretemplates

Provisioned Orchestration CMP/ITSM VMwarePurchased Requisition CMP/ITSM

Pace

of chan

ge

Using Puppet on Windows

Installation

7

Puppet Agent is Ruby-based and cross-platform

8

Weird Fact Number OneYou need a Linux master

The Puppet Master is just a file system

10

Weird Fact Number TwoThere’s no package manager

Package manager alternatives

There’s Chocolatey, which is immature;the usual “Programs and Features” control panel, which doesn’t handle versions well;storing each file individually, which doesn’t scale;or direct use of archives, which is ugly.

12

I like archives: the best of a poor choice

13

Windows Package Manager

Chocolatey is the way to go as far as package management for Puppet on Windows, but how does it work for enterprise?Not so well, it turns out. Packages vary in quality and most go off to other provider’s Web sites for installers.So, take control:

– Write your own Chocolatey packages– Manage Chocolatey packages and providers’ installers locally

14

Chocolatey configuration

- It’s actually quite simple to write your own Chocolatey puppet module. We change the following configuration- Disable ‘chocolatey’ source- Add a new source to your internal Chocolateyrepository- Set

autoUninstaller = trueallowGlobalConfirmation = truefailOnAutoUninstaller = true- Add an API key to be able to push new packages to your internal Chocolatey repository

15

Creating a Chocolatey packageis easier than might you think- choco newThen edit as needed. Finally- cpack- choco push

16

Creating a ChocolateypackageLive Demo

17

Great – but what does this mean for Puppet?

18

Becomes...

Great – but what does this mean for Puppet?

19

This!!!

Weird Fact Number ThreeThere are backslashes as path separators, and spaces in filenames

That module again

21

!

!

!?

PowerShell to the rescue

22

Weird Fact Number FourPowerShell isn’t the default provider

Weird Fact Number FiveWindows ACLs are special

Windows and ACLs

Puppet supports Windows access control lists natively, but the defaults are Linux style, not Windows.So you won’t get what you expect.Typically, Administrator won’t have access.We use native Windows utilities to apply permissions and wrap this up in PowerShell modules.

Weird Fact Number SixIt all works very well

Our results

We have 120+ test servers, 22+ environments, and in total about 20 modules in use.We have 100% automation of deployments from bare operating system to production deployments.We have no access to production servers.This has saved several thousand pounds over alternative approaches and means we can deploy much more frequently.

27

Some other facts worth knowing

We found this the hard way

The Puppet documentation is just the start. Network with colleagues across your organisation and in other companies too.Invest in a training / scratch environment.Keep abreast of new Puppet modules.Buy Puppet Enterprise support. It’s good!

29

Thank youwww.hiscox.co.uk@jeremymcgee