1. Cooking with Chef on Windows
The 2015 Edition
Julian Dunn
Product Manager
Chef Software, Inc.
2. 2015 Changelog
• ChefDK
• Azure extension
• Reboot handling
• Windows package
• Event log
• Desired State Configuration
• Test Kitchen on Windows (guest/host)
• Pester
• PoSHChef
3. Challenges to Chef on Windows
• No real package manager
• Many COTS vendors don’t understand automation
• UAC (User Account Control)
• WinRM Quotas
• Win32 Redirector
• Not all preferences/state stored in registry
• Reboots
• Some commands over WinRM behave differently
• Other annoyances (KB2773898, KB2918614, KB2842230)
• http://tinyurl.com/winrm-workarounds
7. Resources Automated in the Demo
• Installing Windows Features and Roles
• IIS app pool
• IIS site
• IIS app
• Registry settings
• Deploying files onto the system
• Unzipping files
• Windows filesystem rights management
8. Provisioning with Chef
1. Upload content (cookbooks, roles, etc.)
2. Request VM
3. Create VM, install Azure and Chef agents
4. Register with Chef server
5. Execute run_list
10. Provisioning with Chef on Azure
$ knife azure server create \
    --azure-source-image a699494373c04fc0bc8f2bb1389d6106__Windows-Server-2012-R2-201412.01-en.us-127GB.vhd \
    --bootstrap-protocol cloud-api \
    --winrm-user chef \
    --winrm-password DELETED \
    --azure-dns-name DELETED \
    -r "role[base-windows], role[fourthcoffee-classic]"
...........
Waiting for virtual machine to reach status 'provisioning'............vm state 'provisioning' reached after 2.6 minutes.
Waiting for virtual machine to reach status 'ready'..........................vm state 'ready' reached after 6.23 minutes.
.
DNS Name: DELETED.cloudapp.net
VM Name: DELETED
Size: Medium
Azure Source Image: a699494373c04fc0bc8f2bb1389d6106__Windows-Server-2012-R2-201409.01-en.us-127GB.vhd
Azure Service Location: East US
Public Ip Address: XXXXXXXX
Private Ip Address: YYYYYYYY
WinRM Port: 5985
Environment: _default
11. Provisioning with Chef on Azure
Waiting for Resource Extension to reach status 'wagent provisioning'....
Resource extension state 'wagent provisioning' reached after 0.03 minutes.
Waiting for Resource Extension to reach status 'installing'....................
Resource extension state 'installing' reached after 2.17 minutes.
Waiting for Resource Extension to reach status 'provisioning'....................................
Resource extension state 'provisioning' reached after 4.33 minutes.
Waiting for Resource Extension to reach status 'ready'....................
Resource extension state 'ready' reached after 2.16 minutes.
.
DNS Name: DELETED.cloudapp.net
VM Name: DELETED
Size: Medium
Azure Source Image: a699494373c04fc0bc8f2bb1389d6106__Windows-Server-2012-R2-201409.01-en.us-127GB.vhd
Azure Service Location: East US
Public Ip Address: XXXXXX
Private Ip Address: YYYYYY
WinRM Port: 5985
Environment: _default
Runlist: ["role[base-windows]", "role[fourthcoffee-classic]"]
13. The Man Behind the Curtain
windows_feature 'IIS-WebServerRole' do
  action :install
end

# Pre-requisite features for IIS-ASPNET45 that need to be installed first, in this order.
%w{IIS-ISAPIFilter IIS-ISAPIExtensions NetFx3ServerFeatures NetFx4Extended-ASPNET45 IIS-NetFxExtensibility45}.each do |f|
  windows_feature f do
    action :install
  end
end

windows_feature 'IIS-ASPNET45' do
  action :install
end
14. More Code…
remote_directory node['fourthcoffee']['install_path'] do
  source 'fourthcoffee'
  action :create
end

iis_pool 'FourthCoffee' do
  runtime_version '4.0'
  action :add
end

iis_site 'FourthCoffee' do
  protocol :http
  port 80
  path node['fourthcoffee']['install_path']
  application_pool 'FourthCoffee'
  action [:add, :start]
end
19. Cross-Platform
• file, remote_file, cookbook_file, template
• directory, remote_directory
• user, group
• mount (can take CIFS paths)
• env
• service
• execute
• ruby_block
• reboot (new this year)
20. Reboot Resource
reboot "now" do
  action :nothing
  reason "Cannot continue Chef run without a reboot."
  delay_mins 2
end
21. Windows-Specific
• registry_key
• powershell_script
• batch
• service resource can handle :automatic, :delayed (new in 2015)
• windows_package (new in 2015)
• Automatic architecture handling (:i386 vs. :x86_64)
• Automatic Windows filesystem redirector handling (Wow64)
• Auto-detection of :guard_interpreter
22. Guard Interpreter
• Older (pre-12) versions of Chef always used sh or cmd to execute guards (not_if/only_if)
• Didn't make a lot of sense:
powershell_script "hello" do
  code "…" # powershell code here
  not_if "…" # string guard used to run as cmd.exe!
end
23. Guard Interpreter (continued)
• Chef 12: sensible defaults for guard interpreter
• powershell_script uses PowerShell
• batch uses CMD.EXE
• Override as desired
• guard_interpreter :bash, :batch, :powershell_script, etc. etc.
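Added example (not from the original slides): a small Ruby audit that applies the guard-interpreter rules from slides 22 and 23 to recipe text and flags string guards whose shell changes when a cookbook moves to Chef 12. The sample recipe, its resource names and the audit_guards helper are constructed for illustration, and it assumes a Windows node where the legacy default shell is cmd.

```ruby
# Shell that runs a *string* guard, keyed by resource type or guard_interpreter value.
SHELLS = { 'powershell_script' => 'powershell', 'batch' => 'cmd', 'bash' => 'bash' }.freeze

# Constructed sample recipe; resource names and commands are hypothetical.
SAMPLE_RECIPE = <<~'RECIPE'
  powershell_script 'install-iis' do
    code 'Install-WindowsFeature Web-Server'
    not_if '(Get-WindowsFeature Web-Server).Installed'
  end
  batch 'stage-site' do
    code 'xcopy /e /y C:\staging C:\inetpub\FourthCoffee'
    only_if 'dir C:\staging'
  end
  execute 'iisreset' do
    guard_interpreter :powershell_script
    only_if '(Get-Service W3SVC).Status -eq "Running"'
  end
  directory 'C:/inetpub/FourthCoffee' do
    not_if { ::File.directory?('C:/inetpub/FourthCoffee') }
  end
RECIPE

# Line-based scan: assumes `type 'name' do ... end` with no nested do-blocks.
def audit_guards(recipe)
  findings, res = [], nil
  recipe.each_line do |line|
    case line
    when /^\s*(\w+)\s+(['"])(.+?)\2\s+do\s*$/
      res = { type: $1, name: $3, override: nil, guards: [] }
    when /^\s*guard_interpreter\s+:(\w+)/
      res[:override] = $1 if res
    when /^\s*(not_if|only_if)\s*(\{|do\b|['"])/
      res[:guards] << [$1, $2.match?(/['"]/) ? :string : :block] if res
    when /^\s*end\b/
      next unless res
      res[:guards].each do |guard, kind|
        # Block guards are plain Ruby and never reach a shell; string guards
        # defaulted to cmd on Windows before Chef 12 (per the slides).
        legacy = kind == :block ? 'ruby' : 'cmd'
        chef12 = kind == :block ? 'ruby' : SHELLS.fetch(res[:override] || res[:type], 'cmd')
        findings << { resource: "#{res[:type]}[#{res[:name]}]", guard: guard, legacy: legacy,
                      chef12: chef12, review: res[:override].nil? && chef12 != legacy }
      end
      res = nil
    end
  end
  findings
end
audit_guards(SAMPLE_RECIPE).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```

A finding with review set to true is a string guard that was written for cmd and now runs in PowerShell without an explicit guard_interpreter, so its exit-code logic should be re-checked.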
25. System Helpers on Chef::ReservedNames::Win32
:windows_8_1?
:windows_server_2012_r2?
:windows_8?
:windows_server_2012?
etc.
:marketing_name
:cluster?
:core?
:datacenter?
26. Special File and Directory Handling
• Parameters that don’t make sense are ignored
• DOMAIN\user, DOMAIN\group work
• Filesystem ACLs are different on Windows
• mode parameter semantics
• rights parameter only for Windows
29. PowerShell DSC: The Future of Automation
"DSC represents a significant break in administration, because it asks …
administrators to not actually configure anything themselves. Instead, DSC asks
administrators to describe, in fairly simple text files, how they would like a
computer to be configured. The computer, in turn, reads that text file, and
configures itself accordingly."
- The DSC Book, Don Jones & Steve Murawski
30. Aren't DSC and Chef Competitors?
• As PerfMon is to Solarwinds, DSC is to Chef
• DSC provides automation primitives that Chef recipes can call
• It deliberately lacks the ecosystem:
• Content distribution
• Cross-platform support
• Monitoring/logging/analytics
• However, it brings a standard base for automation to Windows
• No MSFT product in the future may ship without DSC modules!
31. Example DSC Code
Configuration FourthCoffee
{
    # Install the IIS role
    WindowsFeature IIS
    {
        Ensure = "Present"
        Name = "Web-Server"
    }
    # Install the ASP .NET 4.5 role
    WindowsFeature AspNet45
    {
        Ensure = "Present"
        Name = "Web-Asp-Net45"
    }
    ...
}

dsc_resource 'webserver' do
  resource_name :windowsfeature
  property :name, 'Web-Server'
  property :ensure, 'Present'
end

dsc_resource 'dotnet45' do
  resource_name :windowsfeature
  property :name, 'Web-Asp-Net45'
  property :ensure, 'Present'
end
34. Chef Development Kit (ChefDK)
• Obviates need to build your own Ruby development environment
• One-click, instant prescriptive workflow for infrastructure coding
• Code linting
• Unit testing
• Acceptance testing
• Test Kitchen
• … bring your own hypervisor.
35. Test Kitchen Support on Windows
• Hard at work – releasing soon!
• Windows guests (with or without Windows host)
• Working bundle: https://github.com/juliandunn/fourthcoffee/blob/master/Gemfile
• Where to get Windows box images?
36. Test Kitchen on Windows Demo
fourthcoffee ~$ kitchen test default-windows-2012R2 --destroy=never
-----> Starting Kitchen (v1.3.0)
-----> Cleaning up any prior instances of <default-windows-2012R2>
-----> Testing <default-windows-2012R2>
-----> Creating <default-windows-2012R2>...
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Importing base box 'win2012r2-datacenter-chef11.16.2'...
Vagrant instance <default-windows-2012R2> created.
Finished creating <default-windows-2012R2> (2m57.54s).
-----> Converging <default-windows-2012R2>...
-----> Chef Omnibus installation detected (true)
Transferring files to <default-windows-2012R2>
Concurrent threads set to :max_threads => 2
[2014-10-13T19:16:36-07:00] INFO: Starting chef-zero on host localhost, port 8889 with repository at repository at C:/tmp/kitchen
One version per cookbook
[2014-10-13T19:16:40-07:00] INFO: *** Chef 11.16.2 ***
[2014-10-13T19:16:40-07:00] INFO: Chef-client pid: 1656
37. Test Kitchen on Windows Demo
[2014-10-13T19:19:10-07:00] INFO: Chef Run complete in 142.572914 seconds
[2014-10-13T19:19:10-07:00] INFO: Running report handlers
[2014-10-13T19:19:10-07:00] INFO: Report handlers complete
Finished converging <default-windows-2012R2> (22m55.08s).
-----> Setting up <default-windows-2012R2>...
-----> Running postinstall for serverspec plugin
Finished setting up <default-windows-2012R2> (0m45.62s).
-----> Verifying <default-windows-2012R2>...
-----> Running serverspec test suite
Windows feature "IIS-WebServer" should be installed
Port "80" should be listening
File "C:\inetpub\FourthCoffee\Default.cshtml" should be file
Finished in 13.41 seconds (files took 0.48432 seconds to load)
3 examples, 0 failures
Finished verifying <default-windows-2012R2> (0m22.73s).
Finished testing <default-windows-2012R2> (27m11.16s).
-----> Kitchen is finished. (27m12.60s)
38. Windows Roadmap for 2015
• Import DSC resources into core
• Importing more resources from windows cookbook
• AD, GPO, WSUS client/server cookbooks
• Performance on Windows
Chocolatey/NuGet will help with the package management problem. There is still a crapton of legacy stuff out there, and a variety of packaging formats. Not all of them can deal with in-place upgrades.
COTS vendors don't understand automation:
Some products can't be installed in Server Core
Some products can't be installed over PoSH remote sessions or unattended sessions
KB2773898 – you can't install MSUs over WinRM
KB2918614 – broken patches to Windows that prevent MSIs from installing
KB2842230 – WinRM quotas not respected on older operating systems
You can do it via the GUI too, but we're automation people, so we like to use the command line
knife azure server create --azure-vm-size Large --azure-source-image a699494373c04fc0bc8f2bb1389d6106__Windows-Server-2012-R2-201412.01-en.us-127GB.vhd --bootstrap-protocol cloud-api --winrm-user chef --winrm-password C00kingWithChef$ --azure-dns-name devopsnjdemo1 --tcp-endpoints 3389:3389,80:80 -r "role[base-windows],role[fourthcoffee-classic]"
Would love to be able to reboot safely – save the resource collection back to the server and resume from point of reboot
Use as guard expressions on other resources
Direct mapping between DSC and Chef resources
Mix and match!