WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

The DevOpsification of Windows Server. Jeffrey Snover, Microsoft Technical Fellow, Chief Architect, Enterprise Cloud Group (@JSNOVER)

Upload: winops-conf

Post on 27-Jan-2017


TRANSCRIPT

Page 1: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

The DevOpsification of Windows Server
Jeffrey Snover
Microsoft Technical Fellow
Chief Architect, Enterprise Cloud Group
@JSNOVER

Page 2: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

What is DevOps?

Page 3: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

DevOps is about culture and processes

Page 4: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

DevOps is NOT about tools and technology

Page 5: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

But…..

Page 6: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

This is wrong

Page 7: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Tools and technology play a critical role

Page 8: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Tools and technology can make DevOps easy or hard

Page 9: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Windows Server 2016 is architected to make DevOps easy

Page 10: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Windows Server 2016 resolves the interface between devs and ops

Page 11: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Windows Server has been silent on the interface between Devs and Ops

• No architecture
• 1,000 blossoms bloomed

Page 12: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

1,000 conflicts also bloomed

Page 13: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

WS2016 resolves that interface

• Traditional ops model
• Emerging ops model using Containers

Page 14: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Why?

Page 15: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Evolution of Windows Server
• Server for the Masses
• Enterprise Servers
• Datacenter Servers
• Cloud Servers

Page 16: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Cloud Competitive
• Small and fast
• Minimize attack surface
• Minimize patches/reboots
• Optimized for DevOps

Page 17: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Cloud + DevOps Saving $ => Making $$

$$$$$$

Page 18: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

DevOpsification of Windows
• Componentization
• Development
• Packaging & deployment
• Configuration
• Containers & Docker
• Operational Validation Testing
• Operating Securely

Page 19: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Componentization

Optimized for cloud infrastructure & next-gen distributed applications

Containers and next-gen applications

Server and Desktop
• Specialized workloads
• Third-party applications
• RDS experience

Server Core
• Lower maintenance server environment
• Traditional VM workloads

Nano Server
• Just enough OS

Page 20: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Nano Server: Optimized for the Cloud Era

Zero-footprint model
• Server Roles and Optional Features live outside of Nano Server
• Standalone packages that install like applications

Key Roles & Features
• Clustering, Hyper-V, Storage (SoFS), and DNS Server
• IIS, .NET Core, and ASP.NET Core

Full Windows Server driver support
Antimalware optional package
System Center VMM and OM agents available

Page 21: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Nano Server – PowerShell Core
• Refactored to run on .NET Core
• Full PowerShell language compatibility & remoting
• Invoke-Command, New-PSSession, Enter-PSSession, etc.
• Most core engine components
• Support for all cmdlet types except workflow
• C#, Script, and CIM
• Limited set of cmdlets initially
• Growing fast

Page 22: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

DevOpsification of Windows
• Componentization
• Development
• Packaging & deployment
• Configuration
• Containers & Docker
• Operational Validation Testing
• Operating Securely

Page 23: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Nano Server - Developer Experience

Nano Server has a full developer experience, unlike Server Core
• Windows SDK & Visual Studio 2015 target Nano Server
• Rich design-time experience: project template, full IntelliSense, error squiggles, etc.
• Full remote debugging experience

Page 24: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

DevOpsification of Windows
• Componentization
• Development
• Packaging & deployment
• Configuration
• Containers & Docker
• Operational Validation Testing
• Operating Securely

Page 25: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

First a word about MSI
• Not supported on Nano Server
• MSI has GUI dependencies
• Custom Actions are the portal to hell

Page 26: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Windows Server App installer (WSA)
• New declarative Server installer
• Extends the AppX schema
• Allows for Server-specific extensions, such as NT Services, Perf Counters, COM Objects, WMI providers, ETW events
• No custom actions
• 4 out of 5 kittens love WSA

Page 27: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

PackageManagement

Cmdlet              Action
Find-Package        Search for a package
Install-Package     Install the package
Save-Package        Download the package but don’t install it
Get-Package         Inventory of installed packages
Uninstall-Package   Uninstall the package

Page 28: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server
Page 29: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

PackageManagement

End User

PackageManagement PowerShell cmdlets

PackageManagement Core
• Discovery
• Install/Uninstall
• Inventory

PackageManagement Providers
• Windows Server App (WSA)
• PowerShellGet
• Windows Container
• NuGet
• NanoServerPackage

Package Sources
• WSA Package Repository…
• PowerShell Gallery
• Container Gallery, Docker
• NuGet Gallery …
• www.NPMjs.com
• WordPress, …

Page 30: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

DevOpsification of Windows
• Componentization
• Development
• Packaging & deployment
• Configuration
• Containers & Docker
• Operational Validation Testing
• Operating Securely

Page 31: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Desired State Configuration

Cloud scale configuration management
• Declare the state of a server (e.g. User X should exist & be a member of the Administrator group)
• Apply expert knowledge as common tasks – easier than scripting

DSC is the platform
• Works in collaboration with DevOps tool chain (Chef, Puppet, etc.)

Windows 2008R2 and later, and Linux via OMI

Open source DSC Resource Kit (302) resources
https://gallery.technet.microsoft.com/scriptcenter/DSC-Resource-Kit-All-c449312d

DSC Overview
https://msdn.microsoft.com/en-us/powershell/dsc/overview
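The slide's own example ("User X should exist & be a member of the Administrator group") written out as a DSC configuration. This is an added example, not code from the talk; the node name Server1, the certificate path and the thumbprint are placeholders, and the node's Local Configuration Manager is assumed to have the matching certificate configured so that it can decrypt the credential.

```powershell
# Added example. Node name, certificate path and thumbprint are placeholders.
$configData = @{
    AllNodes = @(
        @{
            NodeName        = 'Server1'
            # Public key used to encrypt the credential inside the compiled MOF.
            CertificateFile = 'C:\DscCerts\Server1.cer'       # placeholder path
            Thumbprint      = '<THUMBPRINT-OF-SERVER1-CERT>'  # placeholder value
            # Fail compilation rather than write a clear-text password into the MOF.
            PSDscAllowPlainTextPassword = $false
        }
    )
}

Configuration UserXIsAdmin {
    param(
        [Parameter(Mandatory)]
        [pscredential] $UserX   # account name and initial password for "User X"
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.NodeName {
        # "User X should exist"
        User UserX {
            UserName = $UserX.UserName
            Password = $UserX
            Ensure   = 'Present'
        }

        # "... & be a member of the Administrator group"
        Group Administrators {
            GroupName        = 'Administrators'
            MembersToInclude = $UserX.UserName   # adds the user, leaves other members alone
            Ensure           = 'Present'
            DependsOn        = '[User]UserX'     # create the account before touching the group
        }
    }
}

# Compile to a MOF, push it, then ask the node whether it still matches the declared state.
UserXIsAdmin -ConfigurationData $configData -UserX (Get-Credential) -OutputPath .\UserXIsAdmin
Start-DscConfiguration -Path .\UserXIsAdmin -Wait -Verbose
Test-DscConfiguration -ComputerName Server1
```

Because the declaration grants local administrator rights, the compiled MOF and the configuration script deserve the same review and access control as any other privileged change.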

Page 32: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

DevOpsification of Windows
• Componentization
• Development
• Packaging & deployment
• Configuration
• Containers & Docker
• Operational Validation Testing
• Operating Securely

Page 33: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Running WS2016 Applications

Containers and next-gen applications

Server and Desktop
• Specialized workloads
• Third-party applications
• RDS experience

Server Core
• Lower maintenance server environment
• Traditional VM workloads

Nano Server
• Just enough OS

Page 34: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Operating System Deployment Modes

• Physical hosts
• Virtual hosts
• Windows Server containers
  Container must match host (i.e. Nano on Nano); will be relaxed in the future…
• Hyper-V containers
  Container must be Nano Server. Server Core support coming…
  Host can be Nano Server, Windows Server Core or Windows Server w/Desktop

[Diagram labels: Physical Server, Virtual Machine, Host, Container Host, Container, Nested Virtual Machine]

Page 35: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Same Container Images, Same API

Write once, deploy anywhere

• Container Management: Docker
• Windows Container Images: Application, Framework
• Container Run-Times: Windows Server Container, Hyper-V Container

Page 36: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

DevOpsification of Windows
• Componentization
• Development
• Packaging & deployment
• Configuration
• Containers & Docker
• Operational Validation Testing
• Operating Securely

Page 37: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server
Page 38: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server
Page 39: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server
Page 40: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

DevOpsification of Windows
• Componentization
• Development
• Packaging & deployment
• Configuration
• Containers & Docker
• Operational Validation Testing
• Operating Securely

Page 41: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

… but admins are often not suspected of criminal activity – they are simply targeted because they control access to networks the attacker wants to infiltrate.

“Who better to target than the person that already has the ‘keys to the kingdom’?”

You’re an Admin
Thanks, you’re PWND!!

Edward Snowden
• Age 30
• College dropout

Michael Hayden
• Four star general
• Director of the NSA
• Director of the CIA
• Director of National Intelligence

Problem: system admin privileges

Page 42: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

From full admin to role based admin
Just Enough Administration (JEA) using PowerShell WMF 5.0

• On a Server - almost any administrative action requires a user be an administrator
• Once an administrator, a user can do anything on the server with no oversight
• A compromised machine or a breached administrator account enables attacker movement to other assets

Just Enough Admin
Allows you to perform administrative tasks without being a full administrator
• Safe functions required by role
• Dangerous functions attackers could abuse

Page 43: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Just Enough Administration (JEA)

JEA Resources:
https://github.com/PowerShell/JEA
https://gallery.technet.microsoft.com/Just-Enough-Administration-6b5ad370

HR Server

PS C:\> Enter-JEAsession Server1 –Name Maintenance
Server1> Restart-Service MSSQLSERVER
Server1> Steal-Secrets *
Error: You are not authorized to Steal-Secrets
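One way to build an endpoint that behaves like the "Maintenance" session on the slide, using the session-configuration cmdlets that ship with WMF 5.0. This is an added example, not code from the talk or the JEA repository; the module name MaintenanceJEA, the group CONTOSO\SqlMaintenance and the user CONTOSO\alice are hypothetical.

```powershell
# Added example; run elevated on the managed server. Hypothetical names are marked.
$module  = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\MaintenanceJEA'  # hypothetical module
$jeaRoot = Join-Path $env:ProgramData 'JEA'
New-Item -ItemType Directory -Force -Path "$module\RoleCapabilities", "$jeaRoot\Transcripts" | Out-Null
New-ModuleManifest -Path "$module\MaintenanceJEA.psd1"

# Role capability = the "safe functions required by role".
# Restart-Service is visible only for the one named service; Get-Service is read-only.
New-PSRoleCapabilityFile -Path "$module\RoleCapabilities\Maintenance.psrc" -VisibleCmdlets @(
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'MSSQLSERVER' } },
    'Get-Service'
)

# Session configuration:
#   RestrictedRemoteServer -> no language mode, only a minimal default command set
#   RunAsVirtualAccount    -> commands run as a temporary local identity, so the
#                             operator's own account never needs admin rights
#   TranscriptDirectory    -> every session is recorded, which restores oversight
$pssc = Join-Path $jeaRoot 'Maintenance.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory "$jeaRoot\Transcripts" `
    -RoleDefinitions @{ 'CONTOSO\SqlMaintenance' = @{ RoleCapabilities = 'Maintenance' } }  # hypothetical group

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration file: $pssc"
}
Register-PSSessionConfiguration -Name Maintenance -Path $pssc -Force

# Review what a given operator would be allowed to run before handing out access.
Get-PSSessionCapability -ConfigurationName Maintenance -Username 'CONTOSO\alice'  # hypothetical user

# Operator side, from a workstation:
#   Enter-PSSession -ComputerName Server1 -ConfigurationName Maintenance
```

Inside that session any command outside the role capability is not visible at all and fails as an unrecognized command, and the transcript directory holds a record of everything that was attempted.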

Page 44: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

DevOpsification of Windows
• Componentization
• Development
• Packaging & deployment
• Configuration
• Containers & Docker
• Operational Validation Testing
• Operating Securely

Page 45: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Windows Server 2016 resolves the interface between devs and ops

Page 46: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

DevOpsification of Windows
• Componentization
• Development
• Packaging & deployment
• Configuration
• Containers & Docker
• Operational Validation Testing
• Operating Securely

[Legend: Available Downlevel; WS2016]

Page 47: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Cloud Competitive
• Small and Fast
• Minimize attack surface
• Minimize patches/reboots
• Optimized for DevOps

Page 48: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Servicing Improvements*

[Charts comparing Nano Server, Server Core and Full Server: Critical Bulletins; Important Bulletins; Number of Reboots. Data labels: 23, 8, 2, 9, 23, 26, 6, 11, 3]

* Analysis based on all patches released in 2014

Page 49: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Security Improvements

[Charts comparing Nano Server and Server Core: Ports open; Services running; Drivers loaded. Data labels: 11, 26, 25, 44, 73, 98]

Page 50: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Resource Utilization Improvements

[Charts comparing Nano Server and Server Core: Boot IO (MB); Process Count; Kernel memory in use (MB). Data labels: 26, 21, 61, 139, 108, 306]

Page 51: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Deployment Improvements

[Charts comparing Nano Server and Server Core: Setup Time (sec); Disk Footprint (GB); VHD Size (GB). Data labels: .41, 6.3, 40, 300, 5.42, .4]

Page 52: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

DevOps is about culture and processes

Page 53: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Tools and technology can make DevOps easy or hard

Page 54: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Windows Server 2016 is architected to make DevOps easy

Page 55: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

In times of change, sometimes the job outgrows good people

Page 56: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Where are you going?
Do you have the right people, partners & tools to get there?

Page 57: WinOps Conf 2016 - Jeffrey Snover - The DevOpsification of Windows Server

Q&A