Puppetconf2016 Puppet on Windows

Puppet on Windows
Ensuring you make the right first steps in
managing your Windows configuration
Nicolas Corrarello
Senior Technical Solutions Engineer | Puppet
sgtpepper @ irc.freenode.net

2
Agenda
• Introduction
• The Puppet RAL
• Windows Specific Resources (and interfaces!)
• Modules
• Profiles and Roles
• So where did my configuration go? (Data Separation)
• Ten first things…
• An example role

The Puppet RAL
That’s Resource Abstraction Layer
7

The Puppet RAL
8
service { 'wuauserv':
ensure => 'running',
enable => 'true',
}

Extending the Puppet RAL: Windows specific
10sgtpepper @ irc.freenode.net

Interfaces…
Managing a Windows system is super easy.
Managing thousands of Windows systems…
11
Unix/Linux Windows
Text files, generally under /etc
Win32 API
Registry
Text Files (Generally INI)
(Power)Shell
GUI
WinRM
Proprietary / Binary Files

And not all interfaces perform alike…
12Puppet on Windows

Modeling configuration: The BGInfo example
Requirements
● Package needs to be installed
● Configuration files created
● Run at login
● Loads of system info
How is this not a module, right?

package { 'bginfo':
ensure => installed,
provider => 'chocolatey',
}
file { $bgipath:
ensure => file,
source => $bgifile,
require => Package['bginfo'],
}
if $setonstart {
file { 'C:ProgramDataMicrosoftWindowsStart MenuProgramsStartUpbginfo.bat':
ensure => file,
content => template('bginfo/bginfo.bat.erb'),
}
}
What BGInfo needs…
15
Package: Thanks Chocolatey,
no need for complex MSIs
Configuration File: Ok static is
not ideal, but you know, MVP
Startup Script: Templated so
it works on all systems

Raw?

Medium rare?

Assumptions
18
Requirements
● Package pre-requirements
● Firewall rules
● ESC
● Required values
● Things for which you don’t have defaults
● Sane defaults
● Are you breaking something else?
● Are you going outside what your module
is supposed to do
ASSUMPTION
THE MOTHER
OF ALL BAD THINGS

21
technology-specific wrapper classes
business-specific wrapper classes

22
“One final note before we move on – the terms ‘Roles’
and ‘Profiles’ are ENTIRELY ARBITRARY. They’re not
magic reserve words in Puppet, and you can call them
whatever [..] you want. It’s also been pointed out that
Craig MIGHT have misnamed them (a ROLE should be
a model for an individual piece of tech, and a PROFILE
should probably be a group of roles)…”
Gary Larizza
Feb 17th, 2014
Extracted from www.garylarizza.com

Profile module
Kind of good… not that reusable Better
Technology related classes that get applied to one or more nodes. One per
manifest, with the right naming convention.
23
class profile::windows::baseline {
class { 'domain_membership':
domain => 'CONTOSO',
username => 'domainadmin',
password => 'd0n0tst3alth1s.',
join_options => '3',
}
class { 'bginfo':
setonstart => true,
addtrustedsite => true,
}
}
class profile::windows::baseline {
include domain_membership
include bginfo
}

Where did my configuration go?
Enter Hiera
24

Hiera: Lightweight Pluggable Hierarchical Database
Hierarchical storage of data, based on
facts
● Different kind of data structures, from
key / value to array
● Multiple backends (Default, YAML files)
Separate your code from your data, as you know…
when you write any kind of software!

Sensitive data?
26
---
plain-property: You can see me
encrypted-property: >
ENC[PKCS7,Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
/HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
If you want to learn more about just how to work with sensitive data, see
“Nice and Secure: Good OpSec Hygiene with Puppet” at 3.45 PM

Roles
27
● Roles only include profiles
● Every node is classified with one role
● Roles can use inheritance
● A slightly different role is another role
class role::windows::ecommerceweb {
include profile::windows::baseline
include profile::windows::dmzhost
include profile::windows::iis
include profile::windows::webapp
}

Ten first things…
An example profile
28

An example profile, 10 first things
● Windows Firewall
● Filesystem ACLs
● Windows Time
● Monitoring Agent
● Registry Keys
What are the 10 first things you configure on a Windows system?
29
● Domain Membership
● BGInfo
● Antivirus
● Logon message
● Local Administrator

Domain Membership
● Not a Puppet Supported Module
● Widely used
● Authored by Tom Linkin
● Use Hiera for data separation
Module trlinkin/domain_membership
30
class { 'domain_membership':
domain => 'puppet.example',
username => 'joinmember',
password => 'sUp3r_s3cR3t!',
join_options => '3',
}

BGInfo
● Not a Puppet Supported Module
● Not widely used
● Authored by yours truly
Module ncorrare/bginfo
31
include bginfo

Antivirus… Which?
● If you have an MSI, use the package
type, part of the core Puppet functionality
● Chocolatey packaging allows versioning!
● Do you need to configure something?
Model around it
Do you require to model configuration? Is it a centralised solution?
32
package { 'clamwin':
ensure => present,
provider => chocolatey,
}

Logon Message
● Supported module
● Sets the registry keys
● Supports templates!
Module puppetlabs/motd
33
class { 'motd':
content => “Hello World!”,
}

LocalAdministrator
● Both are
supported
● DSC support more
Windows Specific
attributes
User resource / DSC User resource provided by the puppetlabs/dsc module
34
dsc_user { 'localadmin':
dsc_username => 'localadmin',
dsc_description => 'Local Administrator user',
dsc_ensure => present,
dsc_password => {
'user' => 'localadmin',
'password' => 'very.secret'
},
dsc_passwordneverexpires => false,
dsc_disabled => true,
}
user { 'localadmin':
ensure => present,
password => 'very.secret',
}

Windows Firewall
● Supported
● Manage by exception
DSC xFirewall resource provided by puppetlabs/dsc
35
dsc_xfirewall { 'Allow WinRM':
dsc_name => "$name Allow WinRM",
dsc_ensure => 'present',
dsc_direction => 'Inbound',
dsc_localport => '5985',
dsc_protocol => 'TCP',
dsc_action => 'Allow',
}

FilesystemACLs
● Supported
● Set full ACLs
ACL resource provided by puppetlabs/acl
36
acl { 'c:/tempperms':
permissions => [
{ identity => 'Administrator', rights => ['full'] },
{ identity => 'Users', rights => ['read','execute'] }
],
}

Windows Time Configuration
Registry Keys, Commands, Settings, Active Directory… or ncorrare/windowstime
37
class { 'windowstime':
servers => { 'pool.ntp.org' => '0x01',
'time.windows.com' => '0x01',
}
}
● Modeling registry keys and
services
● Or BYORK (Bring your own
registry key)

MonitoringAgent… Which?
● If you have an MSI, use the package type, part of the
core Puppet functionality
● Chocolatey packaging allows versioning!
● Do you need to configure something? Model around it
● SCOM? Check https://technet.microsoft.com/en-us/
system-center-docs/om/manage/install-agent-using-
the-command-line
Do you require to model configuration? Is it a centralised solution?
38
package { 'SCOM':
ensure => present,
source => ‘MoMAgent.msi’,
}

Registry Keys
registry_key / registry_value resources provided by the puppetlabs/registry
module
39
registry_key { 'HKLMSystemCurrentControlSetServicesPuppet':
ensure => present,
}

An example role
Who wants cake?
40

An example role, FourthCoffee
What do I need to make this work?
● Baseline Profile
● IIS Profile
● FourthCoffee Profile

Steal this code!
● https://github.com/ncorrare/puppetconf2016-control
● Slides will be posted shortly
● Talk to a Linux sysad, you probably have more in common than you think!
Try it, break it, play with it, share it (just not on production)

Puppetconf2016 Puppet on Windows

More Related Content

What's hot (20)

Viewers also liked (13)

Similar to Puppetconf2016 Puppet on Windows (20)

Recently uploaded (20)

Puppetconf2016 Puppet on Windows