Puppet is one solution that is trying its best to make sure Windows engineers and admins have the tools necessary to manage effectively. Here's how to use it.
Many of the most popular infrastructure configuration solutions, like Ansible, Chef, Salt and Puppet, are built on *nix platforms. This means that Linux is a first-class citizen for these tools and, consequently, everything else is second. In the Windows world, this can be somewhat depressing, but fortunately that does not mean you can’t manage Windows with these tools. Puppet is one solution that is trying its best to make sure Windows engineers and admins have the tools necessary to manage effectively. Whether it be supporting DSC resources, IIS or Chocolatey, Puppet allows you to automate Windows effectively.
In this article, I will go over some examples of the things you can manage on Windows with Puppet, as well as show how to set up the Puppet agent. Keep in mind, I am assuming you have a functioning Puppet master server already set up.
Installing Puppet Agent on Windows
When it comes to installing software on Windows, I much prefer to use Chocolatey. Chocolatey is an open-source tool that can be used entirely from the CLI (CMD or PowerShell). Chocolatey even has the puppet-agent package in its public repository.
Therefore, to install the Puppet agent on my Windows node, I simply run this command:
PS C:\> choco install puppet-agent -y
Keep in mind that if your Puppet master is named anything other than “puppet”, you will want to add an argument to the command to point your node to that name, such as:
PS C:\> choco install puppet-agent -y -installArgs '"PUPPET_MASTER_SERVER=puppet-1.domain.com"'
Awesome, puppet agent is installed!
Now, let's ask the master to sign our certificate:
PS C:\> puppet agent --test --waitforcert=60
On the Puppet master, you will sign the certificate with the puppet cert sign command.
sudo /opt/puppetlabs/bin/puppet cert sign win-test
Done! Your puppet node is now managed by the Puppet master. Let the fun begin!
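Before signing, it is worth confirming that the pending request really came from the node you just installed. The following is an added example, not part of the original article: a shell helper for the master that compares the fingerprint the agent reports (`puppet agent --fingerprint` on the node) with the one `puppet cert list` shows, and signs only on a match. The function names and sample fingerprints are constructed, and the listing format is an assumption stated in the comments.

```shell
#!/usr/bin/env bash
# Added example: confirm a pending CSR's fingerprint before signing it.
# Assumed listing format from `puppet cert list`:
#   "certname" (SHA256) AA:BB:...

# Constructed sample data (not real fingerprints).
FP_WIN_TEST='3F:A1:0C:77:5E:92:B4:08:D6:2B:19:E3:40:7A:CD:51:88:0F:36:B9:6C:14:E7:2D:95:A0:5B:C8:71:03:FE:4A'
FP_OTHER='B2:0D:47:E9:13:6A:F5:8C:21:9E:54:07:CB:38:A6:7F:D0:42:1B:85:EE:69:30:94:5C:A7:0A:F2:63:1D:B8:76'
SAMPLE_LISTING="  \"win-other\" (SHA256) $FP_OTHER
  \"win-test\" (SHA256) $FP_WIN_TEST"

# Print the fingerprint the master holds for one pending certname.
# $1 certname, $2 listing text. Exact name match, so "win-test2" never matches.
pending_fingerprint() {
  printf '%s\n' "$2" |
    awk -v name="\"$1\"" '$1 == name { print toupper($3); exit }'
}

# Succeed only if the master's pending CSR matches the agent's fingerprint.
# $1 certname, $2 fingerprint read from the node, $3 listing text.
csr_matches() {
  cm_master="$(pending_fingerprint "$1" "$3")"
  # Drop a leading "(SHA256) " label, then whitespace and case differences.
  cm_agent="${2##*) }"
  cm_agent="$(printf '%s' "$cm_agent" | tr -d '[:space:]' | tr 'a-f' 'A-F')"
  [ -n "$cm_master" ] && [ "$cm_master" = "$cm_agent" ]
}

# Sign on the master only after the fingerprints agree.
sign_if_verified() {
  siv_listing="$(sudo /opt/puppetlabs/bin/puppet cert list)"
  if csr_matches "$1" "$2" "$siv_listing"; then
    sudo /opt/puppetlabs/bin/puppet cert sign "$1"
  else
    echo "refusing to sign $1: no pending CSR or fingerprint mismatch" >&2
    return 1
  fi
}

# Usage on the master, with the value read from the node's console:
#   sign_if_verified win-test '(SHA256) 3F:A1:...'
```

Read the fingerprint from the node over a channel you already trust (console or an existing admin session), not from the same network path the CSR arrived on.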
Install Windows Puppet Modules
A Puppet module is packaged, already written code that you can leverage. This can save a lot of time! For instance, there is a module that allows you to install and configure IIS (puppet-iis).
To search for any modules in the Puppet forge (which is a repository of Puppet modules) tagged with “chocolatey” you can run:
[root@puppet manifests]# puppet module search chocolatey
To install a module, use puppet module install <name>:
[root@puppet modules]# puppet module install puppetlabs-iis
Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/code/environments/production/modules
puppetlabs-iis (v4.2.1)
Writing Your First Puppet Manifest
A Puppet manifest is basically a file that describes the desired state of a node. If you choose, you can actually define the configurations for your nodes in the site.pp file located at /etc/puppetlabs/code/environments/production/manifests on your Puppet Master.
Now that my node is managed by Puppet, I am going to create a very simple manifest in my site.pp file for ensuring the Windows time service is running on my node.
node 'win-test' {
  # Keep the Windows Time service running
  service { 'w32time':
    ensure => 'running',
  }
}
To ensure my site.pp manifest does not have any errors, I can run:
[root@puppet manifests]# puppet parser validate site.pp
Now, on my node, I will stop my w32time service and then run puppet agent to apply the manifest locally. As you can see, the Puppet agent started the service:
PS C:\> puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for win-test
Info: Applying configuration version '1512745497'
Notice: /Stage[main]/Main/Node[win-test]/Service[w32time]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Main/Node[win-test]/Service[w32time]: Unscheduling refresh on Service[w32time]
Notice: Finished catalog run in 4.06 seconds
Managing IIS with Puppet
Some of the most common things to manage with tools like Puppet are web sites and applications. In this example, I ensure IIS is installed and then I create a site called “test”. Of course, part of setting up a web site on Windows is actually installing the IIS feature on the server. As you can see, the first thing I am doing is installing the “Web-WebServer” and “Web-Scripting-Tools” Windows features.
node 'win-test' {
  $iis_features = ['Web-WebServer','Web-Scripting-Tools']
  iis_feature { $iis_features:
    ensure => 'present',
  } ->
Next, I remove the default web site from IIS since we will not be using it.
  iis_site { 'Default Web Site':
    ensure          => 'absent',
    applicationpool => 'DefaultAppPool',
    # Resource references must be capitalized
    require         => Iis_feature['Web-WebServer'],
  } ->
Here, I create my application pool named “test_app_pool”. I have ensured this app pool is present and started.
  iis_application_pool { 'test_app_pool':
    ensure => 'present',
    state  => 'started',
  }
Finally, I create the website, specifying the physical path and requiring the “test” directory to be present. I also make the web site bind to port 8080.
  iis_site { 'test':
    ensure          => 'started',
    physicalpath    => 'c:\\inetpub\\test',
    applicationpool => 'test_app_pool',
    require         => File['test'],
    bindings        => [
      {
        'bindinginformation' => '*:8080:',
        'protocol'           => 'http',
      },
    ],
  }
  file { 'test':
    ensure => 'directory',
    path   => 'c:\\inetpub\\test',
  }
}
When I run puppet agent on my node, the IIS features, app pool and website are created within minutes:
PS C:\> puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for win-test
Info: Applying configuration version '1512758037'
Notice: /Stage[main]/Main/Node[win-test]/Iis_feature[Web-Scripting-Tools]/ensure: created
Notice: /Stage[main]/Main/Node[win-test]/File[test]/ensure: created
Notice: /Stage[main]/Main/Node[win-test]/Iis_feature[Web-WebServer]/ensure: created
Notice: /Stage[main]/Main/Node[win-test]/iis_site[Default Web Site]/ensure: undefined 'ensure' from 'started'
Notice: /Stage[main]/Main/Node[win-test]/Iis_application_pool[test_app_pool]/ensure: defined 'ensure' as 'present'
Notice: /Stage[main]/Main/Node[win-test]/Iis_site[test]/ensure: defined 'ensure' as 'started'
Notice: Finished catalog run in 162.65 seconds
Deploying Windows Packages with Chocolatey
So, let’s pause. We installed the puppet agent on Windows using Chocolatey, now we are going to use Chocolatey to install software on Windows with Puppet? Yep! I know that sounds confusing, but it is true. Chocolatey has its own Puppet module that allows you to maintain software on Windows.
Here, I want to ensure that Git is installed on my server. I also want to ensure Chocolatey itself is installed on my server, so I will place include chocolatey in my manifest:
include chocolatey
package { 'git':
  ensure   => 'installed',
  provider => 'chocolatey',
}
Now let’s run it to see what happens:
PS C:\ProgramData> puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for win-test
Info: Applying configuration version '1512766522'
Notice: /Stage[main]/Chocolatey::Install/Exec[install_chocolatey_official]/returns: executed successfully
Notice: /Stage[main]/Main/Node[win-test]/Package[git]/ensure: created
Notice: Finished catalog run in 64.86 seconds
Running the command choco list -lo will show any locally installed packages. It appears Puppet installed the Chocolatey software itself and “Git” as well.
PS C:\ > choco list -lo
Chocolatey v0.10.8
chocolatey 0.10.8
chocolatey-core.extension 1.3.3
git 2.15.1.2
git.install 2.15.1.2
4 packages installed.
As you can see, even though you need to use a Linux server in order to manage Windows with Puppet, it is not as difficult as you would think. In my opinion, Puppet is the easiest configuration management solution to learn due to its simple language. It is actually quite similar to PowerShell, which makes it easy to learn for Windows users.
Dan Franciscus
Dan Franciscus is a systems engineer and VMware Certified Professional (VCP) specializing in VMware, PowerShell, and other Microsoft-based technologies. You can reach Dan at his blog (http://www.winsysblog.com/) or Twitter at @dan_franciscus.