- Take care with backslashes in file paths
- Be consistent with capitalization in file names
- Make sure the Puppet user account has appropriate permissions
-
Managing file permissions: the
mode
attribute and the acl module - How *nix modes map to Windows permissions
-
Extra behavior when managing permissions with
mode
- File sources
- Handling line endings
Use Puppet's built-in file
resource type to manage files and directories on
Windows, including ownership, group, permissions, and content, with the following Windows-specific notes and tips.
file { 'c:/mysql/my.ini':
ensure => 'file',
mode => '0660',
owner => 'mysql',
group => 'Administrators',
source => 'N:/software/mysql/my.ini',
}
Take care with backslashes in file paths
The issue of backslashes and forward-slashes in file paths can get complicated. See Handling file paths on Windows for more information.
Be consistent with capitalization in file names
If you refer to a file resource in multiple places in a manifest (such as when creating relationships between resources), be consistent with the capitalization of the file name. If you use my.ini
in one place, don’t use MY.INI
in another place.
Windows NTFS filesystems are case-insensitive (albeit case-preserving); Puppet is case-sensitive. Windows itself won’t be confused by inconsistent case, but Puppet will think you’re referring to different files.
Make sure the Puppet user account has appropriate permissions
-
Create symbolic links
-
Back up files and directories
-
Restore files and directories
Administrators
group. When you use the PUPPET_AGENT_ACCOUNT_USER
parameter with the MSI installer, the user will automatically be added to the Administrators
group.Before running Puppet interactively (on Windows Vista or 2008 and later versions), start the command prompt window with elevated privileges by right-clicking on the start menu and choosing “Run as Administrator.”
Managing file permissions: the mode
attribute and the acl module
The permissions models used by
*nix and
Windows are quite different. When you use the mode
attribute, the file
type manages them both like
*nix permissions, and translates the mode to roughly equivalent access controls on
Windows. This makes basic controls fairly simple, but doesn’t work for managing complex access rules.
If you need fine-grained
Windows access controls, use the puppetlabs/acl
module, which provides an optional acl
resource type that manages permissions in a
Windows-centric way. Leave mode
unspecified and add an acl
resource. See the acl
module’s documentation for details.
How *nix modes map to Windows permissions
*nix permissions are expressed as either a quoted octal number (such as "755"
), or a string of symbolic modes, (such as "u=rwx,g=rx,o=rx"
). See the reference for the file
type’s mode
attribute for more details about the syntax.
- The read, write, and execute permissions are interpreted as the
FILE_GENERIC_READ
,FILE_GENERIC_WRITE
, andFILE_GENERIC_EXECUTE
access rights, respectively. - The
Everyone
SID is used to represent users other than the owner and group. - Directories on Windows can have the sticky bit, which makes it so users can delete files only if they own the containing directory.
- The owner of a file can be a group (for example,
owner => 'Administrators'
) and the group of a file can be a user (for example,group => 'Administrator'
). -
While it's possible for the owner and group to be the same, this is strongly discouraged. Doing so can cause problems when the mode gives different permissions to the owner and group (such as
0750
). - The group can’t have higher permissions than the owner. Other users can’t have higher permissions than the owner or group. In other words,
0640
and0755
are supported, but0460
is not.
Extra behavior when managing permissions with mode
mode
attribute, it has the following side effects:
-
The owner of a file or directory always has the
FULL_CONTROL
access right. -
The security descriptor is always set to protected. This prevents the file from inheriting more permissive access controls from the directory that contains it.
File sources
The source
attribute of a file can be a
Puppet URL, a local path, a UNC path, or a path to a file on a mapped drive.
Handling line endings
Windows usually uses CRLF line endings, rather than the LF line endings used by *nix. In most cases, Puppet does not automatically convert line endings when managing files on Windows.
If a file resource uses the content
or source
attributes,
Puppet writes the file in binary mode, using the line endings that are present in the content. If the manifest, template, or source file is saved with CRLF line endings,
Puppet uses those endings in the destination file.
file
resource types that make partial edits to a system file (most notably the host
resource type, which manages the %windir%\system32\drivers\etc\hosts
file) manage their files in text mode, and automatically translate between
Windows and
*nix line endings.flat
file type.