PuppetConf 2016: A Tale of Two Hierarchies: Group Policy & Puppet – Matt Stone, Getty Images
Post on 16-Apr-2017
Let’s Talk Group Policy!
• Why are we using Group Policy?
• Is it doing what we “need”?
• Do we understand what it is doing?
• Do we know it’s doing what it’s supposed to?
In the beginning…
Group Policy was the original abstraction layer for Windows configuration management
“Specify intranet Microsoft update service location”
or
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!UseWUServer
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!WUServer
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!WUStatusServer
What DevOps Brings to the Table
• Offers new patterns and practices for managing infrastructure.
• Encourages consistent, reliable behaviors.
• Encourages us to express our infrastructure as code.
• Encourages us to be transparent in our processes.
• Encourages us to work together.
Beginning Our IaC Transformation
• Hybrid environment, half Windows, half Linux.
• Technology silos are a thing!
• GOAL: reduce complexity through automation.
• GOAL: integrate existing products and services.
• GOAL: build a pipeline from request to delivery.
Our Definition of “Code”
• All of our infrastructure code should be text based.
• All of our infrastructure code should be documented.
• All of our infrastructure code should be versioned.
• All of our infrastructure code should be “datacenter redundant” and “domain independent”.
Our Pipeline
• Packer (packer.io): JSON manifest for versioned, up-to-date images.
• PunchOut: in-house developed API client tool that consumes CSV and converts it to JSON.
• Phoenix: in-house developed REST API and “box cannon” consuming JSON requests.
• Puppet: one would assume you already know what this thing does.
Group Policy vs. IaC
• Group Policy is not text based, version controlled and does not align with our other efforts for Infrastructure as Code.
• Group Policy is strictly tied to the domain, OU and filter from whence it came.
• For these reasons, having GPO alongside configuration management in a multiple domain environment can cause inconsistent builds or configuration drift across domains, OUs or WMI filters that aren’t visible to other IT workers.
Group Policy != Configuration Management
• GPO can apply policy changes to configuration. That is true.
• Lacks ‘full stack’ capabilities.
• Lacks ‘idempotent’ nature.
Puppet Enterprise 2016 Console
With Puppet Enterprise Console managing all things, we can see a complete overview of everything as it pertains to our system:
• OS base configuration.
• Packages being installed.
• Security settings applied.
• Application configuration.
You might have a group policy problem…
• As the Windows standard for decade(s), it may have been over-relied on.
• Hard to track the owner or date of changes unless we can pin to an external process (change control).
• You don’t have a ‘console’ experience verifying that things are really as they seem.
• The owner of the changes may not understand the underlying changes that are being made on the system.
I didn’t say this was easy…
• Puppet has a very explicit view of your system.
• Question the user experience. Don’t forklift.
• Group management is fairly easy.
• Managing user security policy via Puppet is cumbersome. (secedit?)
• Local users / groups *is* an option.
```puppet
# Remove the server GUI with the windowsfeature type (puppet-windowsfeature module)
$features = ['server-gui-mgmt-infra', 'server-gui-shell']
windowsfeature { $features:
  ensure => absent,
}
```
Group Policy != Security
•What is your security policy?
•Think in terms of compliance (HIPAA, SOX, PCI, etc…)
• Build your security policy around compliance, not registry keys.
• Think in terms of hardening (CIS).
Windows Updates
puppetlabs/wsus_client
https://puppet.com/blog/wsus-client-module-beginners-guide
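As an added example that is not the speaker’s code, here is the “Specify intranet Microsoft update service location” policy from the registry slide written as Puppet code, the text-based, version-controlled form the “Group Policy vs. IaC” slide asks for. It manages the same three values a GPO would write using the registry_key and registry_value types from the puppetlabs-registry module, and shows the puppetlabs/wsus_client class as the higher-level alternative. The WSUS server URL is a placeholder.

```puppet
# Added example. Requires puppetlabs-registry (registry_key, registry_value)
# and, for the commented alternative at the bottom, puppetlabs-wsus_client.
# 'http://wsus.example.internal:8530' is a placeholder server URL.
$wsus_url = 'http://wsus.example.internal:8530'

# Option 1: manage exactly the registry values the GPO would write.
# Puppet reports a change only when the stored data differs from the
# declared data, so each run states whether the node drifted.
registry_key { 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate':
  ensure => present,
}

registry_key { 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU':
  ensure => present,
}

# WUServer: the intranet update server clients download from.
registry_value { 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer':
  ensure => present,
  type   => string,
  data   => $wsus_url,
}

# WUStatusServer: where clients report status (same host here).
registry_value { 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer':
  ensure => present,
  type   => string,
  data   => $wsus_url,
}

# UseWUServer = 1 tells Automatic Updates to use WUServer instead of
# Microsoft Update.
registry_value { 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer':
  ensure => present,
  type   => dword,
  data   => 1,
}

# Option 2: the same intent through the wsus_client module, which hides
# the key names behind parameters. Declare only one of the two options;
# both manage the same values and would be duplicate declarations.
# class { 'wsus_client':
#   server_url           => $wsus_url,
#   enable_status_server => true,
# }
```

If a GPO still targets the same policy keys, Group Policy processing will rewrite them and Puppet will flip them back on the next run, so the node oscillates; that is the dual-management problem the closing slide warns about, and the fix is to unlink the GPO setting once the manifest owns the keys.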
Execs? Aaaargh!
• Tools like secedit and auditpol can run as execs.
• Or…learn to write modules / types and providers!
“but throwing scripts at stuff works great!”, said everyone.
• We want desired state, not ‘script ran’. We need to know if it really happened.
• We want the same metadata that describes a system to configure that system.
• We really want passwords removed from clear text files.
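The auditpol case from the “Execs?” slide, as an added example (not the speaker’s code), shows the difference between ‘script ran’ and desired state. The first exec has no guard, so Puppet runs it and reports a change on every agent run. The second uses an unless check that reads the current audit setting, so it runs, and reports, only when the node is actually out of compliance. The powershell exec provider comes from the puppetlabs-powershell module; the choice of the Logon subcategory is an illustration.

```puppet
# Added example. Requires puppetlabs-powershell for provider => powershell.
# "Logon" is a real auditpol subcategory; using it here is an illustration.
# In a real manifest declare only one of these two resources.

# BAD: no guard. Puppet cannot tell whether the policy is already set,
# so auditpol runs every time and every report says "changed".
exec { 'audit-logon-unguarded':
  command  => 'auditpol /set /subcategory:"Logon" /success:enable /failure:enable',
  provider => powershell,
}

# BETTER: unless inspects current state. auditpol /get ... /r prints CSV
# whose "Inclusion Setting" column reads "Success and Failure" when both
# are enabled. Exit 0 from unless means "already correct, skip the command".
exec { 'audit-logon-desired-state':
  command   => 'auditpol /set /subcategory:"Logon" /success:enable /failure:enable',
  unless    => @(PS),
    $ok = auditpol /get /subcategory:"Logon" /r |
      ConvertFrom-Csv |
      Where-Object { $_.'Inclusion Setting' -eq 'Success and Failure' }
    if ($ok) { exit 0 } else { exit 1 }
    |- PS
  provider  => powershell,
  logoutput => on_failure,
}
```

secedit fits the same pattern: export the current policy with secedit /export in the unless script, compare the value you care about, and only run the /configure command when it differs. Once the same check is needed on more than a handful of settings, that check is the read side of a custom type and provider, which is the “learn to write modules / types and providers” point above.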
Group Policy != Package Management
[Slide image: a Programs and Features list annotated by installation source: installed by Chocolatey / Puppet; installed by Group Policy; installed by a bored ops guy with an idea…; installed by Puppet / PowerShell (provisioning tool); installed by Chocolatey (base template); “Splunk is expensive”.]
WHO INSTALLED THIS?!?
• Was it automation, group policy or a human?
• Why was it installed? What purpose does it serve?
• Is there a track record? Perhaps a commit / PR / change request?
• What’s the source of the installation? Web? Network? USB disk?
• Can we safely remove this mystery thing without impacting the system?
Just use chocolatey already…
• Chocolatey provides an easy-to-use way to make package management exist on Windows infrastructure.
• Pro versions give you even more superpowers, like resolving dependencies.
• We can reduce complexity, like tons of build docs and cross-departmental nitpickery.
• We can integrate well with Puppet, using the Package / File / Service methodology instead of Package / File / Service / Registry / Objects / Files / Rando Command Line Tools.
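The Package / File / Service pattern from the Chocolatey slide, as an added example that is not the speaker’s code. A single manifest answers every question on the “WHO INSTALLED THIS?!?” slide: the package name, version and feed are declared, the git history of the manifest is the change record, and the service restarts only when its config file changes. The package name acme-agent, the internal feed URL and the service name AcmeAgent are hypothetical; the chocolatey package provider and the chocolatey class come from the puppetlabs-chocolatey module.

```puppet
# Added example. Requires puppetlabs-chocolatey.
# 'acme-agent', the feed URL and the 'AcmeAgent' service are hypothetical.

include chocolatey   # installs Chocolatey itself if it is missing

# An internal feed means the install source is known and reviewable,
# which answers "Web? Network? USB disk?" for every node.
$feed = 'https://chocolatey.example.internal/nuget/internal'

# Package: name, pinned version and source live in version control.
# ensure => latest would instead let the feed decide what runs on the node.
package { 'acme-agent':
  ensure   => '2.4.1',
  provider => chocolatey,
  source   => $feed,
}

# File: configuration owned by the same manifest as the package, so the
# metadata that describes the system is what configures the system.
file { 'C:/ProgramData/Acme/agent.conf':
  ensure  => file,
  content => "server=collector.example.internal\nport=9997\n",
  require => Package['acme-agent'],
  notify  => Service['AcmeAgent'],
}

# Service: kept running and enabled; restarted only when the config changes.
service { 'AcmeAgent':
  ensure => running,
  enable => true,
}
```

Removing the “mystery thing” is then `ensure => absent` on the package resource and a pull request, rather than guessing whether a GPO or a colleague will reinstall it overnight.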
Group Policy != Package Management
[Slide image: the same Programs and Features list after cleanup; every remaining entry is annotated as installed by Chocolatey / Puppet or by Puppet / PowerShell (provisioning tool); “Splunk somehow got more expensive between slides, but Chocolatey/Puppet nonetheless”.]
In the future…
• There is a new world of Windows coming.
• Docker doesn’t care about your group policies.
• Nano doesn’t care about your group policies.
• Get to know your registry / objects.
• If you are going to abstract, it should be easy to inspect.
• Stop dual-managing your Windows infrastructure.