We are currently evaluating Chef as a management tool for our Windows
platform. We are playing around with some of the built in resources, and it
did not take long to realize that crucial features are missing.
One of the items that is important to us is manipulating Windows services,
specifically, the “Log On As” parameter. We need to be able to run Windows
services under various (local and AD-authenticated) accounts.
We would prefer to have an abstracted way of doing this (i.e. not defining
custom CMD/Powershell for each recipe that manipulates a service), for
example by having logonas_user/logonas_password attributes for the service
resource.
What documentation topics should we look at? Ideally, we’d like to somehow
extend the existing Service resource (provider?). Should we look at
developing a custom resource?
I am still somewhat intimidated by some of the terminology, so I’d appreciate
some pointers to the documentation or maybe examples of others doing
similar work.
The logonas_user is relatively easy to account for via the registry
provider
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\<service_name>\ObjectName).
The logonas_password is a whole other story and is something we have yet to
figure out a solution to on our end as well.
The challenge we've hit is it's easy to "create" the service with the proper
password, however managing that in the event of a password change is
problematic. It would be great if the provider you've started could make it
into the community cookbook with support for managing the password. I just
noticed that there is some password logic that I don't fully understand at https://github.com/opscode/chef/blob/master/lib/chef/util/windows/net_user.rb#L125.
I'm curious if that same logic could be used for the service account password?
service[:service_start_name] = new_resource.logon_user if new_resource.logon_user
service[:password] = new_resource.password if new_resource.password
::Win32::Service.create(service)
You’d probably want to add a config action, or in create compare the config so that people can modify attributes about the service, like logon user, after it’s already created.
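One way to do the "compare the config" step suggested above, as an added example (not code from this thread, from Chef, or from win32-service). Windows does not return a service's password, so a password change is detected here by comparing a keyed HMAC marker saved on the previous run; the helper names, the marker storage and the per-node key are assumptions.

```ruby
require 'openssl'

# Hypothetical helpers for a service provider; all names here are illustrative.

# Account names are case-insensitive and local accounts read back as ".\name".
def normalize_account(name)
  name.to_s.strip.downcase.sub(/\A\.\\/, '')
end

# Keyed marker of the password. The key is an assumed per-node secret, so the
# stored marker cannot be brute-forced offline without it.
def password_marker(password, key)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), key, password)
end

# current_start_name: the account read back from the service (ObjectName).
# saved_marker:       marker stored after the last successful configure, or nil.
# Returns [changes, marker_to_save]; an empty changes hash means "up to date".
def logon_changes(current_start_name, saved_marker, logon_user, password, key)
  user_changed = logon_user &&
                 normalize_account(current_start_name) != normalize_account(logon_user)
  marker = password && password_marker(password, key)
  pass_changed = password && marker != saved_marker

  return [{}, saved_marker] unless user_changed || pass_changed

  changes = { service_start_name: logon_user || current_start_name }
  changes[:password] = password if password
  [changes, marker]
end

# On Windows the provider would then apply a non-empty result, for example:
#   current = ::Win32::Service.config_info(name).service_start_name
#   changes, marker = logon_changes(current, saved, user, pass, key)
#   ::Win32::Service.configure(changes.merge(service_name: name)) unless changes.empty?
# and persist `marker` only after configure succeeds.

if __FILE__ == $PROGRAM_NAME
  key = 'constructed-node-key'                      # constructed sample values
  saved = password_marker('old-pass', key)
  p logon_changes('.\\svc_app', saved, 'svc_app', 'old-pass', key).first
  p logon_changes('.\\svc_app', saved, 'svc_app', 'new-pass', key).first.keys
end
```

Marking the resource `sensitive true` keeps the password out of Chef's log output when the configure call is reported.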