meeting Next up is Content and Tooling in 112 hours

waiting Content and Tooling is about to start up in 15 minutes

Hey everyone 👋 The CAT team will be around for the next hour or so to answer any of your qs cat dance

This message was deleted.

This message was deleted.

indeed _🦊Vox Pupuli monthly sync; see calendar event for info_ is about to start up in -15 minutes

Thats all from us for this week, see you again next tuesday 👋 puppet

indeed 🧑‍🏫 Bolt is about to start up in 15 minutes

Hi, welcome to the time shifted bolt office hour.

Hello, We would really like to leverage bolt more in our environment. We manage a Windows fleet of over 6000 nodes but we are only able to use PXP/PCP transport. WinRM is disabled. Because of this, Bolt commands run on Windows via the command prompt and not Powershell which causes us to run into numerous format and syntax issues trying to pass commands through bolt, to the command prompt to powershell. We usually end up relying on other tools like Crowdstrike which have more direct real time console access to Windows systems with Powershell instead. Is this something that has ever been brought up? Is there another way around this or is it possible to fix/change this in the future?

the pxp-agent should be invoking powershell commands

when a command is sent to a windows agent over PCP the agent effectively does:

powershell.exe {your command and args} -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -Command

ohhh

wait you are not using PE to run the plans?

When you use bolt you are using https://github.com/puppetlabs/puppetlabs-bolt_shim/tree/main/tasks which is a simple ruby task to shell out

If you want full feature you need to use PE

bolt shim command has the same result

Alternately you could write your own bolt shim

we do run powershell in our plans that have powershell but if we need to run one off troubleshooting steps on systems it becomes extremely time consuming to have to convert everything

pxp-agents modules like command, apply_prep etc are only available to PE

The integration of bolt with PE for sure could be better, but its a hard proposition for many enterprise users to let users run arbitrary commands on all nodes

well it is already possible, just not with powershell 😄

but the model there is that you still get all the normal RBAC for tasks because you control bolt_shim

if we remove that we dont have the same auth rules

So if you trust your bolt user you give them perms for bolt_shim on a subset of nodes.

I would say that if you want to have a quick easy solution for your use case you can write a powershell implementation for https://github.com/puppetlabs/puppetlabs-bolt_shim/blob/main/tasks/command.json and deploy it

in your PE env

Yes, we are aware we could always write something ourselves. We just wanted to raise it as an issue we are experiencing here. It is not anything that is not already possible using existing Puppet and PE functionality. It is just very difficult to use efficiently in its current state.

It is easier for us to use something else because Puppet lacks this functionality out of box

I would love to see bolt become better integrated with PE. This is a story that fits well into that use case. Appreciate you bringing it up.