Presentation "on windows", 30/09/2015, Jochen Hahn (ResMed DevOps Engineer; Thales Systems and Security Software Consultant)
Slide 1
on windows
30/09/2015 Jochen Hahn

Slide 2
Content
Introduction
Powershell
WinRM
Chef workflow
Knife windows
Cloud Integration
Security

Jochen Hahn:
ResMed – DevOps Engineer
Thales Systems and Security – Software Consultant
Consist Software Solutions – Software Consultant
Fraunhofer Institution – Java Developer
Institute for Informatics and Automation – Software Developer
…
30/09/2015 ©2015 Jochen Hahn

Slide 3
Introduction - Why
One third running Windows server:
~33% W2K3, W2K8, W2K12
~36% Linux (RHEL, Debian, etc)
~30% others (Unix, BSD, etc)
You could run .net apps on e.g. Mono on Linux
Cross Platform Open Source
E.g. Unity Game Engine based on Mono

Slide 4
Introduction
Chef:
Reduce your reliance on golden images.
Read, create and write registry keys.
Run configuration tasks using either 32-bit or 64-bit processes.
Apply fine-grained permissions using Windows security groups.
Centralised management in non-homogeneous environments

Slide 5
Chef workflow

Slide 6
Chef workflow

Linux:
Use packer to create image
Use vagrant to run local image
Bootstrap nodes with ssh
Run knife ssh to manage nodes
Cookbook conditional: if platform?('rhel') ...
Run ruby, any shell script, any Linux specific command

Windows:
Use packer to create image
Use vagrant to run local image
Bootstrap nodes with ssh or WinRM
Run knife winrm to manage nodes
Cookbook conditional: if platform?('windows') ...
Run ruby, powershell, batch, command.exe

Slide 7
Powershell
Powershell 1.0 introduced in 2006 (for e.g. XP, Vista, W2K3)
Allows running .NET cmdlets against / with datastores (filesystem or registry)
Powershell 2.0 introduced remoting
Allows running cmdlets from remote hosts against one or multiple systems
Powershell 5.0 released 2nd quarter 2014
Since 2.0: new cmdlets, Desired State Configuration, support for debugging, ...

Slide 8
Powershell

Slide 9
WinRM
WinRM is Microsofts implementation of
the
WS-Management
standard
:„A SOAP-based protocol for managing computer systems (e.g., personal computers, workstations,
servers, smart devices), WS-Man supports
web
services
and
helps
constellations
of
computer
systems
and network-
based
services
collaborate
seamlessly“
GPO configurable Client and Server components
30/09/2015©2015 Jochen HahnSlide10
WinRM

Slide 11
Knife windows
"gem install knife-windows" into ChefDK / knife installation
Current version is 0.86
Provides winrm subcommands to Knife:
knife winrm
knife bootstrap windows (winrm)
Ssl cert support
Authentication support
OS independent: User based install on Windows

Slide 12
Resources
Windows cookbook: run e.g. windows_batch, windows_feature, windows_package, windows_auto_run, windows_path, windows_reboot, windows_registry, windows_shortcut, windows_zipfile

    # Install an MSI package with the windows cookbook's windows_package resource
    windows_package '7-Zip 9.20 (x64 edition)' do
      source 'http://downloads.sourceforge.net/sevenzip/7z920-x64.msi'
      action :install
    end

powershell_script

    # Run a PowerShell script from the node's filesystem; `code` is executed by powershell.exe
    powershell_script 'scriptname' do
      code 'C:\scriptlocation\scriptname'
    end

Slide 13
Local Setup
Vagrant relies on a box file
Packer: Package vbox files with vagrant

    vagrant package --base VirtualBoxVMName --output /path/to/output/windows.box --vagrantfile /path/to/initial/Vagrantfile

Vagrantfile:

    Vagrant.configure("2") do |config|
      # Configure base box parameters
      config.vm.box = "vagrant-windows2008r2"
      config.vm.box_url = "./vagrant-windows2008r2.box"
      config.vm.guest = :windows
      # Port forward WinRM and RDP
      config.vm.network :forwarded_port, guest: 3389, host: 3389
      config.vm.network :forwarded_port, guest: 5985, host: 5985, id: "winrm", auto_correct: true
      config.vm.provider :virtualbox do |v, override|
        v.gui = true
        v.customize ["modifyvm", :id, "--memory", 4096]
        v.customize ["modifyvm", :id, "--cpus", 2]
        v.customize ["setextradata", "global", "GUI/SuppressMessages", "all"]
      end
    end

Slide 14
Distributed Setup
Bootstrapping
Ssh:

    knife bootstrap windows ssh <servername> -x <user> -i ~/.ssh/id_rsa

Winrm:

    knife bootstrap windows winrm <servername> -x <user> -P <pass>

Node management:

    knife winrm "<search query>" "<command>" -x <user> -P <pass>

Slide 15
Cloud
Azure: knife-azure "A knife plugin to create, delete, and enumerate Microsoft Azure resources to be managed by Chef."

    gem install knife-azure
    knife[:azure_publish_settings_file] = "~/myazure.publishsettings"
    knife azure image list
    …

Rackspace: knife-rackspace "Windows Servers require special treatment with the knife-rackspace gem."

    knife rackspace server create -I 112 -f 3 -A '<API username>' -K "<API Key>" -r 'role[<chef role>]' --bootstrap-protocol winrm --distro windows-chef-client-msi
    …

Amazon: knife-ec2
Windows support not 'out of the box'. Needs script to be passed in to setup e.g. winrm

    knife ec2 server create -r 'role[<chef role>]' -I ami-7000f019 -f m1.small -A '<Access Key ID>' -K "<AWS Access Key>" --user-data <powershell-configure-script>
    …

Slide 16
Security
Authentication
'-x' user, '-P' password option
No WinRM Certificate support
No Passwordless connection out of the box
Support for keytab files
Encryption
SSL support (knife windows cert generate) (knife windows listener create) (knife windows listener install)
Use --winrm-ssl-verify-mode verify-none to disable cert verification
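As an added example (not from the slides or from knife-windows itself), a small evaluator for knife.rb-style settings plus an audit that flags the weak WinRM choices named above: plaintext transport, disabled certificate verification, and a password kept in the config file. The setting names winrm_transport, winrm_ssl_verify_mode, winrm_password and ca_trust_file are assumed from the knife-windows flags on the slide, and both sample configs are constructed.

```ruby
# Evaluates knife.rb-style text in both forms knife accepts: `knife[:key] = v`
# and `key v`. Hypothetical helper, not Chef's own config loader.
class KnifeConfig
  attr_reader :settings
  def initialize
    @settings = {}
  end
  def knife                        # `knife[:key] = value` form
    @settings
  end
  def method_missing(name, *args)  # `key value` form
    return super unless args.size == 1
    @settings[name] = args.first
  end
  def self.load(text)
    cfg = new
    cfg.instance_eval(text)
    cfg.settings
  end
end

# Flags the weak WinRM settings the slide names. Key names are assumed from the
# knife-windows flags (--winrm-transport, --winrm-ssl-verify-mode, -P password);
# plaintext is treated as the default when no transport is configured.
def audit_winrm(settings)
  findings = []
  transport = settings.fetch(:winrm_transport, 'plaintext').to_s
  verify = settings[:winrm_ssl_verify_mode].to_s.tr('-', '_')
  findings << 'plaintext transport: commands and credentials on 5985 are not TLS protected' if transport == 'plaintext'
  findings << 'verify_none: listener certificate is never checked, so the host cannot be authenticated' if verify == 'verify_none'
  findings << 'winrm_password in config file: prompt for it or use a secrets store' if settings.key?(:winrm_password)
  findings
end

WEAK_KNIFE_RB = <<~'RB' # constructed sample
  knife[:winrm_transport] = 'ssl'
  knife[:winrm_ssl_verify_mode] = :verify_none
  knife[:winrm_password] = 'example-only'
RB

HARDENED_KNIFE_RB = <<~'RB' # constructed sample; ca_trust_file is an assumed key
  winrm_transport 'ssl'
  winrm_ssl_verify_mode :verify_peer
  ca_trust_file '/etc/chef/winrm-ca.pem'
RB

puts audit_winrm(KnifeConfig.load(WEAK_KNIFE_RB))     # two findings
puts audit_winrm(KnifeConfig.load(HARDENED_KNIFE_RB)) # no findings
```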
Slide 17
Contact: mail@jochenhahn.net
Thanks for listening

Slide 18
Links and Resources
Knife / Knife Bootstrap / Knife windows / Survival Guide
MS WinRM / WinRM SSL / WinRM Basics
Powershell / Quick Ref
Packer / Vagrant
SSL Certificate Templates in Windows Domains
Rackspace / Azure / AWS