Managing Windows with Puppet – PuppetConf 2013

Okay, so like Gary said, I'm a professional services engineer with Puppet Labs. That means that I do consulting and training. I think some of you are even in my training class this week, recently. Hi guys.

So this talk is sort of meant to be very introductory. I'm gonna go over some basic Puppet concepts for those of you who might be Windows admins who have never actually used Puppet before. However, I'm not going to teach you how to use Puppet, so those of you who are already bored don't have to leave right away. We're gonna quickly talk about how the Windows agent is set up and installed, and some of the things you need to be concerned about with that. I'm gonna go over the Puppet resource model, sort of how our catalog works, and the basics of types and providers, at least for context so you can understand how this works on Windows. And we'll talk about some of the comparisons between Linux and Windows: how is it really different between these two operating systems? And then some specific challenges on Windows that, you know, are kind of unique to Windows: resources that just don't make sense in a UNIX environment, and some things about Windows that are really weird that will probably hurt you if you're not careful.

So Puppet on Windows has been around for a couple years now. It's growing a lot. I've been to some companies where they use Windows exclusively and manage it with Puppet. We support these platforms. Technically you might find that it works on desktop OSes too, although we don't really support Windows XP because Microsoft doesn't.

So to get it installed, it's a really simple, basic Windows MSI installation. I think any Windows admin has seen a screen that looks almost exactly like this, although the logo might not be as pretty. We have just a simple MSI file. You can double-click it if that's your thing; it gives you a nice graphical interface with some basic questions that you can answer. Those of you who are more, I don't want to say real admins, have this option available where you can just run it from a command line, and we provide three options (there may be more than that right now), three different options for things that you can set. Basically you can run this automatically during your Windows bootstrap process and make sure that your agent is up and can talk to your masters. You can also set the certname, which I'd say is very important.

So once it's there, it runs a simple Windows service. The screenshot here is from the services.msc screen. Similar to on Linux, where you'll be running an init script, Puppet in Windows you just run off of a basic Windows service.

So on the Windows installer the paths are slightly different, but you'll find that they're pretty similar to the Linux ones once you get deeper down. These two up here: in the Program Files directory under Puppet Labs\Puppet we have a sys and a bin directory. I implore you to never mess with those unless you really, really know what you're doing. There's a very good chance that it could bite you, but be aware that they're there. All of the executables and batch scripts that we use to launch a Ruby instance to run the Windows agent are located in here in some way. Again, though, please don't mess with them.

These ones, on the other hand, might be a little bit more flexible. Depending on what version of Windows you're on, you could be in C:\ProgramData\PuppetLabs, which is for versions 2008 and later. If you're on an older operating system like 2003, you'll find it in Documents and Settings\All Users\Application Data\PuppetLabs. So just be aware of that. This is actually resolving the app data variable to find where those go. And within that directory we have a var directory and an etc directory. These pretty much mirror what you've got on a Linux machine. The cached data, for instance your cached catalog and the latest report that ran, you're gonna find in the var directory, as well as any plugins that get synced. So in any Puppet run, if you have custom Ruby code, it gets synced down to this plugins directory, and so that's where you'll find that stuff. Generally speaking you don't need to mess with that. It probably won't hurt too much stuff if you do; the agent run will be able to replace it if you mess stuff up. I would call that one read-only, if you want to poke around.

And then finally the etc directory is where we have the actual configuration. Again, very similar to the Linux path, it has just been sort of ported to a different base directory in Windows. You have your puppet.conf file, which you probably will want to edit at some point or at least manage directly with Puppet, and we have the SSL data directory, which is where your certificates go. If you ever run into a certificate issue, that's the directory that you want to delete to rejoin your certs.

Okay, really quick: how many people here are currently using Puppet on Windows? Lots more than I thought. And how many people are using Windows but not Puppet? OK, that's about what I expected. All right, this is largely for you guys, I think.

So the way that Puppet basically works: we have this process of sending data back and forth once or twice between the agent and the master. All of the actual processing where decisions are made about how your machine is supposed to look is done by the master, where the agent only provides data about itself and then is responsible for actually applying those decisions. So whenever you're working in Puppet, always keep in mind that this is the flow that everything goes on: first the node sends up information about itself, the master compiles a catalog and sends it back to the agent, which is responsible for actually enforcing the
configurations that you specified. Okay, I would say that this right here is basically Puppet in a nutshell. This is one of the most important things that you can understand about it, so for those of you who are new to Puppet, if you learn nothing else, learn this.

And then when we're actually applying these changes to the system, we do this through something called resources, which is a special interface, sort of an abstraction that Puppet uses to make it really easy to manage things. So this sort of abstraction layer provides a series of types, which are things like basic objects that you'd want to be managing on your system. For instance, the file type manages files, obviously, and the package type manages packages. You UNIX and Linux admins are probably very familiar with packages; Windows admins maybe not as much, but you probably should be. And of course services and users and all that classic stuff.

Now, to actually make these changes: Puppet types are pretty generic. They work pretty much the same on most systems in terms of how you define them. However, the providers are the actual key aspect. So these things do all the work. They're written in Ruby in Puppet. If you're writing them for Windows you'll probably use some sort of Windows APIs or call out to Windows programs, but these are responsible for checking the status of resources and updating them. Okay, so the providers are really the heavy lifting here, and when you want to get Puppet to work on a brand-new operating system that you haven't really used it on before, the providers are where you really need stuff to work. Okay, that's the part where you might have something extra that needs to happen. We've done a lot of the work for various Linux distributions and we've done a lot of the work for Windows too. If you guys are trying to get more advanced about this, you want to look into writing your own custom providers, many of them hopefully for the Puppet native types. Although we've got those pretty well covered, I think you may want to write your own at some point for other things, which we'll get to in a bit.

So the actual Puppet code looks like this. Here is a simple managing of a couple of resources in Linux. I think even if you've never seen Puppet, if you've never used Linux, if you're a Windows admin, you can kind of figure out what this means: we want to make sure that a web server is running and we want to make sure that a user that needs that service is also available.

So why is Windows special here? What really makes Windows different from Linux in this sense? Like, we've got types, we've got providers; Windows has files, Windows has services, Windows has packages, right? And the answer that you'll find is that it's really not that different in terms of how you conceptually manage your systems, how things are supposed to look, or what sort of components are there. There are differences, but at least at a superficial level there really aren't that many.

For instance, take the host resource. This is one of our native resources that manages DNS hosts on a machine. On a Linux machine this will edit lines in your /etc/hosts file, whereas on Windows it just edits your C:\Windows\System32\drivers\etc\hosts file. The real problem with Windows here is that they have ridiculously long paths for some reason.

Service is the same, right? You want to have a service, sshd, running to have remote access to your Linux system; we enable a service like this. If you want to have remote access to a Windows system, the only thing that's really different is that you want to have the Terminal Service running so that you can actually get RDP access. So you Windows admins are probably really familiar with this screen. This is what it would look like for Terminal Services. If you stop this, that's the equivalent, basically, of a Linux admin stopping sshd. This is how people will get graphical access into your system. And as we can see from this slide, it's really the same kind of way to manage them, basically because we have these great providers underneath: you say service, whether it's Linux or Windows, and Puppet can figure it out.

Okay, so the cron resource. Linux admins are very familiar with this; this is how you run things periodically. So how do we run things periodically in Windows? What's our cron equivalent? I can't just run this on Windows, because Windows doesn't have cron. We start to see an actual difference here. So the scheduled_task resource in Windows is what allows us to do the same thing. Both of these slides will end up managing this run job batch file, to have it periodically, every month, wake up and run it. This will work with this trigger. There's a number of options here; I implore you to check out docs.puppetlabs.com to see more of them. Those of you who are in my training know that that's my favorite website in the entire world. This here will run it monthly. Again, the same thing: this job works on both Windows and Linux. But we start to see an important difference here, in that there are some key Windows concepts that just don't translate, and vice versa. So for these we need to have custom types or special modules that are able to do that.

Now, before I get into showing you some of these, I just want to talk about some of the more difficult pieces, where Windows just has a completely alien concept from what any POSIX-based operating system has, and that's the way that files are handled. And the two key ones here are the way that Windows does paths and the way that Windows does line endings. These are the kind of things you always have to be aware of, and those of you who manage multiple operating systems, both Windows and Linux, have probably gotten bit by this before, even without Puppet. So the key here, if you remember the slide that I showed before, where we're showing the cycle of how the Puppet catalog is generated, where the master is making decisions about how things are supposed to look and the agent is applying them: you need to think, whenever you're dealing with a
file, what is going to be managing this? What is evaluating this code that I have here? Is the master deciding what the exact text of the file should be, or is the agent deciding that? Because in Puppet the master can only run on Linux, so you've got to have a Linux master that's got Linux paths and Linux line endings, and the master needs to look for things and manage them in that way, but the Windows machine has no concept of that. So always think about that.

So Puppet provides some easy ways to translate that, especially for things like paths. So take, for instance: Windows loves to do this backslash thing instead of forward slashes, which I think is weird, but they do it anyway. Any of these three options are going to work on a Windows machine. Puppet will automatically translate forward slashes into backslashes if Puppet needs to handle that path. Okay, similarly, if we use single quotes, the backslashes will be disregarded, will be treated like a regular backslash instead of as an escape character. And then finally, if you're using double quotes, which allows for a thing called variable interpolation, where escape characters will actually do something, you simply escape the backslash. Now, all of these will basically work. You should probably try to use the forward slashes if you can, so that you avoid confusion with escape characters. Maybe your double backslash gets passed into something else that also wants to escape backslashes and might treat your second backslash as an escape character or something like that. It's kind of like writing a SQL injection exploit, actually. So try to use forward slashes when you can, except when that path is being read by a Windows machine. Okay, so for instance here we have a scheduled task that we're setting up to run C:/jobs/runjob.exe. That string right there for the command is what's going to be passed to the scheduled tasks. Windows will try to execute that program and it will fail, because it won't be able to find that path, because that makes no sense to Windows.

Okay, so line endings is the other one. Anybody who's ever copied a file from a Windows machine to a Linux machine has probably seen something like this and wondered, why does it do that to me? It's really annoying. The problem here is that Windows uses a carriage return line feed in order to specify what character ends a line, whereas Linux uses just a simple line feed character. So that confusion there is possibly going to cause you problems, especially since the Puppet master is running on Linux, and the Puppet master, if it's generating strings with newlines, like if you put a backslash-n in your code, that's going to end up creating a regular line feed as opposed to a carriage return line feed. So you need to be aware of how that might come back to bite you. Just keep in mind, remember what I said before: think about where this code is being evaluated. Is it the Windows machine that's looking at this, or is it your master that's looking at it?

Now, a great way to get around this (you can't really use files dynamically this way) is the file resource in Puppet, which, if you use the source property, will copy everything down in binary, so it doesn't matter what kind of line endings you have. It doesn't even matter if your file is not ASCII text; the source entry will copy it down perfectly. Content, on the other hand, which generates these templates, if you have code that's generating actual multiple lines in there, it will use Linux-style line endings, not Windows ones. Okay, so one possible way that you can get around this, if you're not generating the code, or even for the source, is to use the unix2dos utility on your machine, and that will convert the line endings to Windows style. Just keep in mind that you're going to keep separate files for your Windows machines and for your Linux machines, so if you have services that use both and they aren't going to be aware of the line endings, you need to be aware of that.

Okay, the other part is file permissions. So I like to rag on Windows a lot; a lot of people do, I think. But Windows file permissions are actually way more versatile than Linux. You can do things like include groups within groups, the ACLs are much more obvious, you really only are dealing with NTFS, and you don't have, like, the different conflicts between what kind of file system you're running and how it handles ACLs. So in Puppet, to specify these, you still use a UNIX-style mode. This is because the file type is what's specifying what that's going to be, not the provider. The provider doesn't check the validity of the mode or anything like that; the type's going to do it. So you still use a UNIX-style mode in Windows, and if you're going to specify any owner or group to own a file, you need to specify that using that UNIX-style mode, which is actually not as bad as you'd think. This piece of code here sets the owner Administrator and the group Users on a given file with mode 644, which to Windows people means that the owner can read and write and then everybody else can read. And here's what that's basically gonna look like: we have the Users group is able to read and write.

OK, so the last one in the permissions: be very careful of the case of your files. This one gets interesting because Windows is case-insensitive whereas Puppet is case-sensitive. So if you define a file as having a certain case and it exists differently on your target system, Puppet will think that the file doesn't exist, and then when it tries to create it, it will be recreating that file. So watch out for case. Just try to keep it consistent; pretend that Windows is a case-sensitive file system when you're
doing this. It's gonna make it a lot easier if you're just solid with that. And then the other thing: you can't set the SID on a file. OK, you can set things by user name and Puppet will use the Windows tools to resolve that, but there isn't currently a way to actually set the SID directly, on the off chance that you actually care about that. I rarely run into places where people actually do.

So the exec resource. This is something that Windows admins will typically resort to whenever they need to change something. You know, the types and providers might not be enough, the ones that ship with Puppet. I think generally they're great for a lot of things, but a lot of people just say, I need to run this command, this is how I do things. If I change my application host configuration on my Windows machine I need to restart my IIS server; I need to run the iisreset command. So here we have just a simple exec. Notice that the path here is using forward slashes; Puppet is interpreting that path for where it's going to look up the file, and that'll run C:\Windows\System32\iisreset. OK, and this will happen anytime that that applicationHost.config file is updated. This will, you know, reload the configuration.

Now, another important thing to note here is that exec does not run within cmd.exe. OK, it's not like invoking a shell and running it; it's just running the command directly. So if you need to use shell built-ins, you're gonna need to do something like this: say cmd /c and then run the dir command, which is not actually an executable.

OK, so along those lines, there's kind of a small problem you need to be aware of, which is 32-bit redirection. So you may have run into this on your Windows systems without Puppet, where you have a 32-bit program and you're trying to run a 64-bit executable with it. So Puppet runs in 32-bit on Windows. This is a problem due to the way that Ruby works, so we have to run it in 32-bit on Windows. If you are running on a 64-bit system and you want to execute a 64-bit application, Windows will actually automatically remap, because they're so nice to you; they will remap that executable to point to the 32-bit location even though you want to run the 64-bit one. And we're not talking about running the actual executable within Puppet's namespace or within Ruby itself; we're talking about starting a separate shell to execute it. So Windows will see that it's a 32-bit app that's running it, and even though you're trying to run a 64-bit application it'll try to look for the 32-bit one, and in many cases you're gonna see that you can't actually find that file. I've seen this bite a lot of people. So the workaround for this: Windows provides this system directory where, if you call an executable directly from there, it will avoid doing this file system redirection, so it'll actually try to run the thing that you really do want to run instead of the one that it thinks that you probably want to run. So that's a really useful workaround, I think, to be aware of.

So PowerShell is all the rage right now. I think it's like God's gift to Windows admins. It makes it a lot easier to do a lot of things, and if PowerShell gets a lot bigger it's basically going to almost, maybe, possibly put Windows on par with Linux there. Please don't throw things at me. So here's one way that you would execute a PowerShell command. Those of you who have been running PowerShell before know that you have to set the execution policy to RemoteSigned so that you don't have to actually have your script cryptographically signed before you execute it, which I guess is just a pain. So here we run powershell.exe, we set the execution policy, we pass it an argument of the file that we want to run, which contains our script, and we give a path of where that actual script resides, or where the PowerShell binary resides. Okay, this is kind of a mouthful. It's not really easy to look at code like this. Fortunately, Josh Cooper, who's sitting right there in the third row, who would love to answer questions about it by the way: we have a PowerShell exec provider, which allows the exec resource in Puppet to natively run PowerShell code. You don't need to put all that crap to say remote execution policy and all the full path to the PowerShell exe; we can just pass cmdlets directly into the exec. So if you're writing execs in Windows, and if you're writing execs in Windows you're probably using PowerShell to do a lot of your execution, I urge you to check out this provider. It's awesome. It's going to make your life a lot easier and it's gonna make your code a lot easier to read. All you do is set provider powershell on the exec after you've installed the Forge module.

And since I'm talking about Forge modules, I think it's important to note here: just because something needs to be a module, I don't consider that to be a flaw in Puppet. It's a really good idea, I think, to have as many things modularized as possible. In fact, I would argue that we have too many things in core Puppet and more of them should be modules, especially when you're talking about esoteric platforms like Windows or AIX or something. You don't want to build that into core unless it's something that really applies to every operating system. So when you have Windows-specific things that you want to manage that don't make sense anywhere else, you should probably write that as a separate module and not try to, like, actually edit core Puppet or something like that.

Okay, so those of you who don't know about it (I hope that nobody doesn't know about it at this point, because this is PuppetConf): check out forge.puppetlabs.com or use the puppet module tool to search for modules and install them. Okay, there's a lot of really great Windows modules out there, for instance this one, puppetlabs-registry. So next to execs, this is probably the most common way I've seen people try to manage things in Windows now, just using this registry key. Thank God I haven't seen too many people
running execs to manage the registry. This registry type and provider allows you to set keys, like here, HKEY_LOCAL_MACHINE\System\testkey: we make sure that that registry key exists and we make sure that it has a specific string value, because this string value is very important to have on my systems right now. To simplify that, there's a defined type called registry value that sort of does the whole thing, and you can make sure that this whole specific registry path actually exists there. Commonly, I find on Linux machines you want to do almost everything with file, right? All your configs are in files. In Windows, I wouldn't say all, but many of them are in the registry, and so instead of going package, file, service as you would on a Linux machine, you'll often find yourself going package, registry, service on a Windows machine. Okay, so this edits just a simple registry key. Those of you who don't know what I'm talking about when I say registry probably know exactly what I'm talking about right now: it's that big messy thing that's really disorganized in Windows but somehow makes everything break. So this here will just set that registry key like this.

So another really cool one is this adenning winntp module on the Forge. This is really simple; it just sets what your NTP server is supposed to be. This is what I think the interface to managing things in Windows should look like: you grab a Forge module, you just say I want this winntp class and I want it to have these settings, I'm done. You don't need to think about any of this. I don't need to tell you that under the hood in this module he's actually using regedit, the registry, to set that value. How many of you really want to dig into the registry anyway to try to find where something is supposed to be set? This makes it a lot easier.

This one here from Simon Dean sets up a package, or sorry, a share on a Windows machine. So this will share the P drive out so that we have repositories available, in this example, and you'll see why it's really helpful to set up some sort of external share in Puppet that might hold packages when we talk about how Windows handles actual package installation.

Another really good one: this one came out just recently from Tom Linkin, one of our PSEs, to handle domain membership on a Windows system. It's an unavoidable factor that when you're trying to manage domain membership you need a service account and you need to somewhere expose that password in your automation, so we have that here. I would suggest that you use something like an unencrypted back end like Hiera or something to actually manage that password. But here we just set what the domain membership of our machine is supposed to be, what our machine must be a member of, and we're gonna use this service account to do it. There's a couple of extra really neat features of this that allow you to do things like change the computer password. I don't know if any of you have ever had to do that on Windows; I know that I have, and that's a pain. But some cool things like that, so also a good one to check out.

Many more of these modules are available; there is no time to talk about them all. In fact, I think since yesterday, when I last checked my slides, a whole bunch of new modules have been added. Actually, this OpenTable one was just added today when I talked to the guy who wrote it and told him, hey, you should put this on the Forge. Paul Stack, by the way, really smart guy. We have a SQL Server module that manages SQL Server. adenning also made a Windows facts module. This one's great for managing actual facts, particularly on desktop machines; you'll get things like what kind of monitor is attached and how the video card works and interesting things like that that are really useful for a Windows desktop. And also this MS UAC class, which does the first thing that any Windows admin ever does, which is disable UAC. Linux guys who have ever troubleshot SELinux are also laughing at this because they know the exact same pattern. Search for Windows on forge.puppetlabs.com. I bet you by the time that my talk is finished there will be even more modules up there. People are constantly working more and more on Windows, and the more that you guys contribute to it, the better it gets for everybody. If you're lucky, people will contribute back to your modules and it'll make everybody's lives a lot easier.

So really quickly I want to talk about packages. This is kind of a weak spot for Windows, generally. We have a, I'll call this the MSI package provider, because prior to Puppet 3.0 this was the way that you could manage packages. We say that we want MySQL installed and we give a source MSI file to grab the installation from. You can also specify specific install directories or arguments using the install_options type; that's one of the few things that are Windows-only. As of Puppet 3 we have a special built-in windows package provider. It's selected automatically, you don't need to tell it to use it, and it can natively support exe and MSI. A backport is also available on the Forge so that you can use this windows type and provider on Puppet 2.7. Okay, so please don't use the msi provider anymore if you're on Puppet 3 or older; the windows one is much better.

Unfortunately, they still kind of give us a problem, right? On Linux it's really easy to manage packages. You don't need to pass RPMs and debs around to get your stuff installed; you have yum, you have apt-get, you have zypper or whatever, things like that. These are versionable, they're upgradeable, it's easy to change between versions. Windows finally has something very similar, written by Rob Reynolds, who's sitting over there and would also love to talk to you: this tool called Chocolatey that is
basically apt-get for Windows and you can use chocolate actually directly install these kind of unrelated to puppet Rob by the way is going to have a couple of talks later he’ll have a hands-on demo I think at 3:20 tomorrow where you can go and check and play around with chocolaty now Rich Siegel over at the International Securities Exchange where they’re using Windows very heavily is actually written a provider and puppet for chocolaty so this right here just as easy as installing a package on Linux you have a way to install packages on Windows this makes sure that sysinternals is installed and any windows admin should have that installed okay now really quickly I want to talk about this dism thing I think I’m running a little bit low on time this is this is essentially the roles and features that’s in Windows 2008 and later the puppet labs dism module will help you manage that do things like install DHCP servers or DNS servers really simple like this here we’re installing dotnet dsm net FX 3 ensure present piece of cake right the dism the underpinnings of this are probably going away pretty soon Microsoft is going heavily on PowerShell towards this so I suggest you also check out the open table name space on the forge just last night Paul stack released a windows feature module that does all of this using native PowerShell so the one last thing I want to talk about real quick is rebooting which is a thing that’s kind of a pain point that’s mostly unique to Windows users where you have to reboot after every single freaking thing here we have just a simple exec that calls shutdown exe and has them the Machine power off in five minutes or has the Machine restart rather in five minutes this can be a problem for instance if your catalog is still running while that happens you’re also kind of guessing and hoping that the restart is going to happen at the right time there could be different dependencies that could forced you to restart in the middle of your process say 
for instance you’re installing sequel server it wants to reboot and then you need to do something else after that how do you handle not trying to manage those those resources later in the catalog this is actually not going to cut it so some people argue that rebooting is actually an orchestration problem and even if it’s necessary to do tons of reboots and windows for configuration you should not ever have something automatically restarting their system I often agree with these people so a typical approach to this is to have a simple exec that really doesn’t do anything it just says we have a reboot pending have that set to be refresh only and no op true that means this exact will only ever find its way into into the catalog where it actually needs to run if something else before it has changed in this case say our driver update came through we need to reboot the system now I say no op true so that this exact doesn’t actually run anything and instead gives us a little option in the report to say there is a pending change on this system and we can see this splat if you’re using the puppet enterprise console or puppet dashboard and I think Foreman does something similar that’ll show you like oh this machine needs you to do something and when you look at the report you’ll see it needs a reboot probably still not the best way and so Josh Cooper again saving the day has given us this Windows reboot resource this will actually call the shutdown command but before it does it it will abort applying the puppet catalog so any resources that have not yet been managed puppet will just give up on them it’ll exit the catalog run it’ll submit its report and then the machine will reboot at a certain time we can set this to be interactive so that people can stop the reboot if they’re using the system at the time that it comes up to we’re really looking for feedback on this so if anybody has reboot problems please tell Josh please tell anyone a puppet labs there are tickets on 
projects that you can update. We want to know what the best workflow for you is for how you’re supposed to do this kind of reboot. I think everybody has a different opinion on the best way to do this.

So some more great resources that are out there: if you go to docs.puppetlabs.com/windows, that’s all the documentation, or most of the documentation, that we have right now for Windows in the core types. You’ll find that I probably plagiarized most of my talk off of that web page, so it’s a really good one to check out. Also check out our type reference; this explains how the Puppet core types work on both Windows and Linux, but all the details you need to know about the Windows providers are often there as well. There’s a great blog post, I think there’s a couple blog posts and some webcasts that we have on our webpage, if you want to see more about that information. And not related directly to Windows, but I suggest you also check out the Puppet Types and Providers book by Dan Bode and Nan Liu. Nan is actually going to be here tomorrow doing a workshop in types and providers, so you might want to check that out. What Windows really needs is more providers. So you guys know how you’re supposed to manage your systems; you got to write those. Like, people writing those providers will make the ecosystem better for everybody, so definitely worth checking out.

And that’s it for now. I hope that fueled some questions. There’s a mic over there if anybody wants to step up and ask me something, or if you want to not ask questions, we can all leave early. Just step up to the mic, please, if you have a question. So I’m making you walk.

So you talked about ACLs and that they’re not particularly handled. There are some cases where you do need to handle some more complex ACLs. I wonder, do you see that being better implemented with a new type or some sort of complex implementation of a provider for the file?

Are you reading my mind? Yes, I think that a new type is probably the best way to do that. I haven’t seen anyone do that. Complex ACLs is kind of a tricky situation in Linux as well, where we don’t have a way to sort of natively manage these, so how do you extend those types? It’s my personal opinion that a separate type would be the way to do that, and if you’re writing the type, to have an autorequire on the file that you’re actually managing. I think that that would be the best way to do that. It just doesn’t exist right now. Thank you for that question.

Um, are you able to run both Linux clients and Windows clients from either the same tree or different environments in that tree?

Yeah, absolutely. I mean, the puppet master is what’s making these catalog compilation decisions. You just want to make sure the code that will only apply successfully on Windows doesn’t end up on your Linux machines. There’s all kinds of conditional logic and stuff available for that. I’ve never seen somebody who actually has a separate Windows-only puppet master versus their Linux-only puppet master.

Thank you. I have to admit I’m a Windows admin. I’m sorry. Yeah, I know, I get that a lot. I have some problems with Puppet in that I have to manage or replicate in Puppet, with classes and groups, the same thing that I do in Active Directory, where I’d really like Puppet to be able to read what I’ve already got set up in Active Directory, for maybe groups the computer belongs to. Is there some sort of way that I can use that to factor into my modules that I’m writing, to say, all right, if you’re a member of that group, do this?

So really quick, what do you mean by groups on the systems? You’re talking about, like, you have certain groups that need to have certain configuration settings? Not local groups, no. I’m saying Active Directory security groups. If I put all that lump of servers that are part of an app tier, okay, I want that to mean something in Puppet, rather than me have to do it in AD
and then do it in the Puppet console.

So you’re talking about, oh, for classification, okay. Yeah, so there is, I believe, a Hiera LDAP backend. I’m, there maybe, maybe not; if there isn’t, one could be easily written. But what you want to do is have Puppet talk to LDAP and get that information out, and I think that’s certainly doable, although I haven’t seen a direct example of it. I would, off the top of my head, say that’s the best way to approach that, though. Okay, thank you.

And I’m just curious, um, wondering if there’s going to be support for this or if there’s any modules out there. The two things I came across: one is for the user resource, they use the UID to be the SID, but what if you’re using Active Directory for a shared environment, so that the Linux is configured to do the PAM module to go into the LDAP Kerberos environment, and so suddenly your SID, you actually have a UID for the Linux and you also have SID, but it’s called the UID?

I see. Yeah, so you don’t want to be, what you probably want to do is try to not set that, like have a conditional in your Puppet code so it’s undef on the Windows machine, you know, and then leave it that way on the Linux machine. Puppet on Windows will not actually connect to Active Directory to make changes to the user accounts; it just changes the users as they already exist on the system, and in fact our user resource here also only manages the local system users. Now, you can use, like, Active Directory users to apply changes to a file or something like that, but it can’t actually make any changes into Active Directory on the managed node.

Yeah, and then another thing too, is wondering if there’s gonna be future support to this, or if there’s a module out there in the community, is for the Windows services. There’s a limited number of, or whatever they call that type, the entities for, yeah, the entities for the service type, and one of the things that’s very important to me is, um, for example, we had to grab MQ on a Windows box; we have to insert
and install, like, SPN for that and for the service and configure that, and then there’s other things, we actually have to configure the ACLs on the services, and that’s just required for, like, you know, the software-as-a-service stack.

Yeah, I believe there’s a feature request out right now on that. I’m not sure what the actual roadmap for providing support for that is, but I would agree with you that that’s pretty important.

Okay, and then there’s one last question, for Cooper. Yeah, that’s definitely one for Cooper, I think. And, uh, for the PowerShell, I saw that it was really awesome, and I was wondering, in our environment we have a requirement to set the ASME runtime environment explicitly for which PowerShell executes under, and so there’s different, as in Windows, they’re not forward backwards compatible, you have all these .NETs lying around, and so we have to specify a particular .NET environment for the PowerShell execution environment.

All right, we could configure that as a command line argument to powershell.exe when you do that? No, it’s actually really nasty. You have to set up an XML file inside the directory and then put some XML stuff in there. That does sound rule, I, I don’t know the answer to that, I’m sorry, but I’ll look into that. I don’t feel like a feature request is, was not there for that module. Yeah, yeah, I think definitely, I mean, projects.puppetlabs.com, you guys can file any feature requests on this stuff and we’ll definitely look at them. Our community, again, that’s largely Linux and UNIX, so we’re always looking for feedback from people who live in the trenches in Windows. I fortunately got out of that life a long time ago.

Does puppet apply work on Windows, and if it does, does it alter how templates work with line endings?

I’m not sure about the templates, actually; I haven’t tried that. But puppet apply definitely does work in Windows. I would give it a shot, that’s the easiest way to find out, actually, but I actually have any Windows machines, but yeah, I thought you were one, exactly, anymore.

I think this is more of a feature request, but currently there’s no way to install the Windows agent with the cloud provider, with, uh, with the, yeah, yeah, you know it, that’s my use case.

Yeah, I’m not sure if there’s something on projects.puppetlabs.com for that right now, but that should be added. There is? Okay, yeah, so Josh says there is one. I would log on and add a plus one to that if you’re very interested. I think we’re still trying to gauge where interest lies on cloud provisioner and what people really want out of it. Thanks.

Okay, so, um, there’s my contact information up there. If you guys have any more questions, feel free to email me. If you’re like, James, you’re just a client-facing person, I don’t want to talk to you, forward me on to Josh, I’d be happy to do that too, and you can blow up his inbox. You can, yeah, you’re very welcome. You can find me on IRC as Supercow, or you can hit me up on Twitter. I’d love to talk to anybody or answer anything more about this after, and of course I’ll be walking around, and feel free to get me. Paul Stack, by the way, is doing a talk later on his actual, like, in-the-trenches experience implementing lots of stuff with Windows
in PowerShell. Rob, the author of Chocolatey, now a Puppet Labs employee, is going to have two talks later, and I’m sure that Josh as well, or anybody, would love to talk to you more about it, so feel free to grab me or them or anything like that if you’d like to know more. So thanks, everybody.