Sending Calendar Invites on SES and Calendarsnack.pdf
Puppetconf2016 Puppet on Windows
1. Puppet on Windows
Ensuring you make the right first steps in
managing your Windows configuration
Nicolas Corrarello
Senior Technical Solutions Engineer | Puppet
sgtpepper @ irc.freenode.net
2. 2
Agenda
• Introduction
• The Puppet RAL
• Windows Specific Resources (and interfaces!)
• Modules
• Profiles and Roles
• So where did my configuration go? (Data Separation)
• Ten first things…
• An example role
11. Interfaces…
Managing a Windows system is super easy.
Managing thousands of Windows systems…
11
Unix/Linux Windows
Text files, generally under /etc
Win32 API
Registry
Text Files (Generally INI)
(Power)Shell
GUI
WinRM
Proprietary / Binary Files
sgtpepper @ irc.freenode.net
12. And not all interfaces perform alike…
12Puppet on Windows
14. Modeling configuration: The BGInfo example
Requirements
● Package needs to be installed
● Configuration files created
● Run at login
● Loads of system info
How is this not a module, right?
14sgtpepper @ irc.freenode.net
15. package { 'bginfo':
ensure => installed,
provider => 'chocolatey',
}
file { $bgipath:
ensure => file,
source => $bgifile,
require => Package['bginfo'],
}
if $setonstart {
file { 'C:ProgramDataMicrosoftWindowsStart MenuProgramsStartUpbginfo.bat':
ensure => file,
content => template('bginfo/bginfo.bat.erb'),
}
}
What BGInfo needs…
15
Package: Thanks Chocolatey,
no need for complex MSIs
Configuration File: Ok static is
not ideal, but you know, MVP
Startup Script: Templated so
it works on all systems
sgtpepper @ irc.freenode.net
18. Assumptions
18
Requirements
● Package pre-requirements
● Firewall rules
● ESC
● Required values
● Things for which you don’t have defaults
● Sane defaults
● Are you breaking something else?
● Are you going outside what your module
is supposed to do
ASSUMPTION
THE MOTHER
OF ALL BAD THINGS
sgtpepper @ irc.freenode.net
22. 22
“One final note before we move on – the terms ‘Roles’
and ‘Profiles’ are ENTIRELY ARBITRARY. They’re not
magic reserve words in Puppet, and you can call them
whatever [..] you want. It’s also been pointed out that
Craig MIGHT have misnamed them (a ROLE should be
a model for an individual piece of tech, and a PROFILE
should probably be a group of roles)…”
Gary Larizza
Feb 17th, 2014
Extracted from www.garylarizza.com
sgtpepper @ irc.freenode.net
23. Profile module
Kind of good… not that reusable Better
Technology related classes that get applied to one or more nodes. One per
manifest, with the right naming convention.
23
class profile::windows::baseline {
class { 'domain_membership':
domain => 'CONTOSO',
username => 'domainadmin',
password => 'd0n0tst3alth1s.',
join_options => '3',
}
class { 'bginfo':
setonstart => true,
addtrustedsite => true,
}
}
class profile::windows::baseline {
include domain_membership
include bginfo
}
sgtpepper @ irc.freenode.net
25. Hiera: Lightweight Pluggable Hierarchical Database
Hierarchical storage of data, based on
facts
● Different kind of data structures, from
key / value to array
● Multiple backends (Default, YAML files)
Separate your code from your data, as you know…
when you write any kind of software!
25sgtpepper @ irc.freenode.net
26. Sensitive data?
26
---
plain-property: You can see me
encrypted-property: >
ENC[PKCS7,Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
/HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
If you want to learn more about just how to work with sensitive data, see
“Nice and Secure: Good OpSec Hygiene with Puppet” at 3.45 PM
sgtpepper @ irc.freenode.net
27. Roles
27
● Roles only include profiles
● Every node is classified with one role
● Roles can use inheritance
● A slightly different role is another role
class role::windows::ecommerceweb {
include profile::windows::baseline
include profile::windows::dmzhost
include profile::windows::iis
include profile::windows::webapp
}
sgtpepper @ irc.freenode.net
29. An example profile, 10 first things
● Windows Firewall
● Filesystem ACLs
● Windows Time
● Monitoring Agent
● Registry Keys
What are the 10 first things you configure on a Windows system?
29
● Domain Membership
● BGInfo
● Antivirus
● Logon message
● Local Administrator
sgtpepper @ irc.freenode.net
30. Domain Membership
● Not a Puppet Supported Module
● Widely used
● Authored by Tom Linkin
● Use Hiera for data separation
Module trlinkin/domain_membership
30
class { 'domain_membership':
domain => 'puppet.example',
username => 'joinmember',
password => 'sUp3r_s3cR3t!',
join_options => '3',
}
sgtpepper @ irc.freenode.net
31. BGInfo
● Not a Puppet Supported Module
● Not widely used
● Authored by yours truly
Module ncorrare/bginfo
31
include bginfo
sgtpepper @ irc.freenode.net
32. Antivirus… Which?
● If you have an MSI, use the package
type, part of the core Puppet functionality
● Chocolatey packaging allows versioning!
● Do you need to configure something?
Model around it
Do you require to model configuration? Is it a centralised solution?
32
package { 'clamwin':
ensure => present,
provider => chocolatey,
}
sgtpepper @ irc.freenode.net
36. FilesystemACLs
● Supported
● Set full ACLs
ACL resource provided by puppetlabs/acl
36
acl { 'c:/tempperms':
permissions => [
{ identity => 'Administrator', rights => ['full'] },
{ identity => 'Users', rights => ['read','execute'] }
],
}
sgtpepper @ irc.freenode.net
37. Windows Time Configuration
Registry Keys, Commands, Settings, Active Directory… or ncorrare/windowstime
37
class { 'windowstime':
servers => { 'pool.ntp.org' => '0x01',
'time.windows.com' => '0x01',
}
}
● Modeling registry keys and
services
● Or BYORK (Bring your own
registry key)
sgtpepper @ irc.freenode.net
38. MonitoringAgent… Which?
● If you have an MSI, use the package type, part of the
core Puppet functionality
● Chocolatey packaging allows versioning!
● Do you need to configure something? Model around it
● SCOM? Check https://technet.microsoft.com/en-us/
system-center-docs/om/manage/install-agent-using-
the-command-line
Do you require to model configuration? Is it a centralised solution?
38
package { 'SCOM':
ensure => present,
source => ‘MoMAgent.msi’,
}
sgtpepper @ irc.freenode.net
41. An example role, FourthCoffee
What do I need to make this work?
● Baseline Profile
● IIS Profile
● FourthCoffee Profile
41sgtpepper @ irc.freenode.net
42. Steal this code!
● https://github.com/ncorrare/puppetconf2016-control
● Slides will be posted shortly
● Talk to a Linux sysad, you probably have more in common than you think!
Try it, break it, play with it, share it (just not on production)
42sgtpepper @ irc.freenode.net