PowerShell DSC Sharing Mmik Huang

Upload: mmik-huang

Post on 18-Aug-2015


Agenda

• What is Powershell DSC?
• The difference with Powershell DSC family
• Powershell DSC Introduction and Architecture
• How to learn by yourself
• Requirement for Lab practice
• Build up a native Powershell DSC (Push server) step by step
• Build up a native Powershell DSC (Pull server) step by step
• Build up an Azure automation DSC extension step by step
• Build up an Azure Powershell DSC extension step by step

What is Powershell DSC ?

• First of all, declaring a DSC configuration is PowerShell-based, so you can leverage all your PowerShell skills not only to define a configuration, but also for troubleshooting.

• DSC is designed to support “continuous deployments”, which means that you can deploy your configuration over and over without breaking anything.

• When a DSC configuration is being applied, only those settings which do not match will be set; the rest will be skipped, which can result in a faster deployment time.

• You can separate the configuration data from the logic of your configuration so that you can reuse your configuration data for different resources, nodes, and configurations, see http://technet.microsoft.com/en-us/library/dn249925.aspx

• DSC can be used on-premises, in a public cloud, or in a private cloud environment. You just need either Windows Server 2012 R2 or Windows 8.1 and local administrator permissions to execute the DSC PowerShell scripts.

• You can integrate DSC with any Microsoft or non-Microsoft solution as long as you can execute a PowerShell script on the target system. Using DSC within the Windows Azure Pack portal in conjunction with SMA is a good example.

For example:
Powershell = script
Powershell + modules (DSC resource) = deliver configuration (mof) to local
Powershell + modules (DSC resource) + LCM + winrm = deliver configurations (mof) to remote computers

The difference with Powershell DSC family

• Powershell DSC workflow

|  | Support Cloud | plugin launch & config vm | OS | Deploy | Centralized report |
|---|---|---|---|---|---|
| Chef | AWS/Azure/Private…etc 10 cloud plugins | Yes | Win/Linux | Pull | Yes |
| Powershell DSC | Azure/Private cloud | No | Win/Linux | Push/Pull | No |
| Azure automation DSC | Azure Only | Yes | Win | Pull | Yes |
| Azure powershell DSC | Azure Only | Yes | Win | Push | Yes |


Powershell DSC Introduction and Architecture

Introduction
• Following are some example scenarios where you can use built-in DSC resources to configure and manage a set of computers (also known as target nodes) in an automated way:
– Enabling or disabling server roles and features
– Managing registry settings
– Managing files and directories
– Starting, stopping, and managing processes and services
– Managing groups and user accounts
– Deploying new software
– Managing environment variables
– Running Windows PowerShell scripts
– Fixing a configuration that has drifted away from the desired state
– Discovering the actual configuration state on a given node

Architecture
• On-premise Powershell DSC (Native)
– need a server to push or pull configuration to client
– prepare client environment (firewall, winrm / LCM service) before delivering configuration
– prepare deploy script (mof) on server

• Azure automation DSC extension (new Azure portal only)
– No need to prepare server (use Azure Automation account as server role)
– No need to prepare client: Azure template + extension to set up pull mode
– prepare deploy script and upload to Azure Automation account
– Add extension (create vm or after vm launched)

• Azure powershell DSC extension (new Azure portal only)
– No need to prepare server: deploy one by one, no server role to manage script
– No need to prepare client environment: Azure template + extension to set up push mode
– prepare deploy script and upload to Azure extension UI
– Add extension (after vm launched)

Powershell DSC Introduction and Architecture

• Package installation
– Powershell DSC only supports windows 2012 R2 x64, windows 8.1 using OneGet
  • This first version of OneGet installs and searches from Chocolatey repositories, with support for additional repositories expected in subsequent versions.
  • https://github.com/OneGet/oneget
– Import-Module -Name OneGet
– Get-Command -Module OneGet
– Find-Package | Out-GridView
– Install-Package putty.portable -Force
– Get-Package
– If you are not running the above OS, what options do you have to automate the installation of packages?
  • Ninite (http://www.ninite.com)
  • Chocolatey (http://chocolatey.org/)

Powershell DSC Introduction and Architecture

• Push mode
– Built-in mode in Windows

• Pull mode
– LocalConfigurationManager needs to be configured on each target node
– Polls a pull server on a schedule to check for new configurations

Powershell DSC Introduction and Architecture

Powershell DSC configuration structure
• Install module
– Online:
  • Install-Module -Name xpsdesired*
  • Install-Module -Name xpsdesired* -Force (upgrade version)
– Local:
  • Action: download and unzip the content
  • Location: $env:ProgramFiles\WindowsPowerShell\Modules folder

• List module
– Online:
  • Find-Module -Name xpsdesired*
– Local:
  • Get-Module

• Use resource in code
– Import-DSCResource -ModuleName xPSDesiredStateConfiguration # Modules must exist on target pull server
– Get-DscResource -Name windowsfeature
– Get-DscResource -Name WindowsFeature -Syntax
– Get-DscResource -Name WindowsFeature | Select-Object -ExpandProperty properties


How to learn by yourself

• Download / get help / example code for modules
  https://gallery.technet.microsoft.com/scriptcenter/DSC-Resource-Kit-All-c449312d
  https://msconfiggallery.cloudapp.net/packages

• Resource Designer Tool – A walkthrough writing a DSC resource
  http://blogs.msdn.com/b/powershell/archive/2013/11/19/resource-designer-tool-a-walkthrough-writing-a-dsc-resource.aspx

• Understanding Import-DscResource Keyword in Desired State Configuration
  http://blogs.msdn.com/b/powershell/archive/2014/04/25/understanding-import-dscresource-keyword-in-desired-state-configuration.aspx

• Understanding CONFIGURATION keyword in Desired State Configuration
  http://blogs.msdn.com/b/powershell/archive/2013/11/05/understanding-configuration-keyword-in-desired-state-configuration.aspx

• Azure automation (runbook, DSC, webhook)
  https://azure.microsoft.com/en-us/documentation/articles/automation-webhooks/

• The DSC book
  https://www.penflip.com/powershellorg/the-dsc-book/blob/1769edf37fd0112dea84846e14e69702a918d45b/About.txt

• 100 Days of DevOps with PowerShell
  http://www.systemcentercentral.com/100DaysOfDevOps/

• Learning course
  http://www.microsoftvirtualacademy.com/training-courses/getting-started-with-powershell-desired-state-configuration-dsc-?m=15914
  https://channel9.msdn.com/Events/Microsoft-Azure/Level-Up-Azure-IaaS-for-IT-Pros/Learn-the-Ins-and-Outs-of-Azure-Automation-PowerShell-and-Desired-State-Configuration

• 17 Hours of PowerShell Desired State Configuration (DSC) Video Training
  http://blogs.technet.com/b/ashleymcglone/archive/2015/05/22/17-hours-of-powershell-desired-state-configuration-dsc-video-training.aspx

• OneGet
  http://blogs.technet.com/b/keithmayer/archive/2014/04/16/what-s-new-in-powershell-getting-started-with-oneget-in-one-line-with-powershell-5-0.aspx
  http://www.systemcentercentral.com/automating-application-installation-using-oneget/


Native Powershell DSC Lab practice

• Required software dependency
– Client side
  • Windows 2012 R2 x64
  • install WMF 5.0 (Upgrade to LCM 2.0)
– Server side
  • Windows 2012 R2 x64
  • install WMF 5.0
    use find-module / install-module to extend DSC from online repository
    https://www.microsoft.com/en-us/download/details.aspx?id=46889

• Change default browser to chrome (add-azureaccount needs to run javascript)

• Windows Powershell 0.9.5 or above
  http://azure.microsoft.com/en-us/downloads/
  https://github.com/Azure/azure-powershell

• Install Powershell DSC service under “add role and feature\features\windows powershell”

• Script / command reference
    find-module mva*
    install-module mva_dsc_2015_day1
    install-module mva_dsc_2015_day2

Build up a native Powershell DSC (Push server) step by step

• Client side – prepare environment
– firewall is allowed for port 5985 (http) / 5986 (https)
– Setup winrm/powershell permission
    Enable-PSRemoting -Force
    Set-Item wsman:\localhost\client\trustedhosts *
    Restart-Service WinRM

• Server side – prepare environment
– Allow remote trigger powershell
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force
    Set-ExecutionPolicy Unrestricted -Force
    Restart-Service WinRM

Build up a native Powershell DSC (Push server) step by step

• Server side – establish connection
– Set variable
    ## client ip or fqdn
    $clientip = '<client_ip>'
    ## client account
    $clientacc = '<account>'
– Test client winrm service
    Test-WSMan $clientip
– Keep credential
    $securePassword = ConvertTo-SecureString -AsPlainText -Force '<password>'
    $cred = New-Object System.Management.Automation.PSCredential $clientacc, $securePassword
– Build session with client
    $Session = New-CimSession -ComputerName $clientip -Credential $cred
– Test remote trigger powershell is ok
    Invoke-Command -ComputerName $clientip -ScriptBlock { Get-ChildItem c:\ } -Credential $cred
– Check client LCM status
    Get-DscLocalConfigurationManager -CimSession $Session

Build up a native Powershell DSC (Push server) step by step

• Server side – setup client LCM by remote
– Change client LCM default setting
    [DSCLocalConfigurationManager()]
    Configuration LCMPUSH
    {
        Node $clientip
        {
            Settings
            {
                AllowModuleOverwrite = $True
                ConfigurationMode = 'ApplyAndAutoCorrect'
                RefreshMode = 'Push'
            }
        }
    }
    #$clientip = '<client_ip>'
    # Create the Computer.Meta.Mof in folder
    LCMPush -OutputPath c:\DSC\LCM5
– Push MOF file to client
    Set-DSCLocalConfigurationManager -ComputerName $clientip -Path c:\DSC\LCM5 -Verbose -Credential $cred
– Check client LCM setting
    Get-DscLocalConfigurationManager -CimSession $Session

Build up a native Powershell DSC (Push server) step by step

• Server side – deploy script
– Install IIS on client side
    configuration clientiis {
        Node $clientip {
            WindowsFeature IIS {
                Name = 'web-server'
                Ensure = 'Present'
            }
        }
    }
    #$clientip = '<client_ip>'
    clientiis -OutputPath c:\DSC\Config
– Push MOF file to client
    Start-DscConfiguration -Path C:\DSC\Config -CimSession $Session -Verbose -Wait
– Check that the windows feature exists
    Invoke-Command -ComputerName $clientip -ScriptBlock { Get-WindowsFeature -Name web-server } -Credential $cred

Build up a native Powershell DSC (Push server) step by step

• Detect configuration change by hash file, check then deploy

Build up a native Powershell DSC (Pull server) step by step

• Client side – prepare environment
– firewall is allowed for port 5985 (http) / 5986 (https)
– Setup winrm/powershell permission
    Enable-PSRemoting -Force
    Set-Item wsman:\localhost\client\trustedhosts *
    Restart-Service WinRM

• Server side – prepare environment
– Allow remote trigger powershell
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force
    Set-ExecutionPolicy Unrestricted -Force
    Restart-Service WinRM

Build up a native Powershell DSC (Pull server) step by step

• Server side – establish connection
– Set variable
    ## client ip or fqdn
    $clientip = '<client_ip>'
    ## client account
    $clientacc = '<account>'
– Test client winrm service
    Test-WSMan $clientip
– Keep credential
    $securePassword = ConvertTo-SecureString -AsPlainText -Force '<password>'
    $cred = New-Object System.Management.Automation.PSCredential $clientacc, $securePassword
– Build session with client
    $Session = New-CimSession -ComputerName $clientip -Credential $cred
– Test remote trigger powershell is ok
    Invoke-Command -ComputerName $clientip -ScriptBlock { Get-ChildItem c:\ } -Credential $cred
– Check client LCM status
    Get-DscLocalConfigurationManager -CimSession $Session
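
The environment preparation and connection steps used for both the push and the pull lab depend on TrustedHosts *, an Unrestricted execution policy and a password written into the script, which is convenient in a lab but leaves the server willing to authenticate to any host. As an added example, not part of the original slides: a check for those lab settings, followed by the same connection made over WinRM HTTPS. The function name, the `<client_fqdn>` placeholder and the existence of an HTTPS listener on the client are assumptions.

```powershell
# Added example, not from the original slides. Run on the DSC server.
# Assumptions: '<client_fqdn>' is a placeholder; the client already has a WinRM
# HTTPS listener on 5986 with a certificate the server trusts for that name.

function Get-RemotingLabSetting {
    # Returns one object per lab shortcut from the slides that is still active.
    $trusted = [string](Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $hosts   = $trusted -split ',' | ForEach-Object { $_.Trim() }
    if ($hosts -contains '*') {
        [pscustomobject]@{
            Setting = 'WSMan Client TrustedHosts'
            Value   = $trusted
            Risk    = 'Client authenticates to any host without verifying its identity'
        }
    }
    if ((Get-Item WSMan:\localhost\Client\AllowUnencrypted).Value -eq 'true') {
        [pscustomobject]@{
            Setting = 'WSMan Client AllowUnencrypted'
            Value   = 'true'
            Risk    = 'Remoting traffic may be sent without encryption'
        }
    }
    foreach ($entry in Get-ExecutionPolicy -List) {
        $policy = [string]$entry.ExecutionPolicy
        if ($policy -eq 'Unrestricted' -or $policy -eq 'Bypass') {
            [pscustomobject]@{
                Setting = "ExecutionPolicy ($($entry.Scope))"
                Value   = $policy
                Risk    = 'Unsigned scripts from any source will run'
            }
        }
    }
}

# Show what the lab preparation left behind.
Get-RemotingLabSetting | Format-Table -AutoSize

$clientFqdn = '<client_fqdn>'

# Scope TrustedHosts to the one client instead of '*'. It can be emptied
# entirely when every connection uses HTTPS or Kerberos.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $clientFqdn -Force

# Locally written scripts still run; downloaded scripts must be signed.
Set-ExecutionPolicy RemoteSigned -Force

# Prompt for the password instead of storing it in the script.
$cred = Get-Credential -Message "Account on $clientFqdn"

# Same checks as on the slides, over HTTPS (port 5986).
Test-WSMan -ComputerName $clientFqdn -UseSSL
$Session = New-CimSession -ComputerName $clientFqdn -Port 5986 -Credential $cred `
    -SessionOption (New-CimSessionOption -UseSsl)
Invoke-Command -ComputerName $clientFqdn -UseSSL -Credential $cred -ScriptBlock { Get-ChildItem C:\ }
Get-DscLocalConfigurationManager -CimSession $Session

# Should now return nothing.
Get-RemotingLabSetting
```

The `$Session` created this way can be passed to `Start-DscConfiguration -CimSession` and `Set-DscLocalConfigurationManager -CimSession`, so the MOF push itself also travels over HTTPS.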

Build up a native Powershell DSC (Pull server) step by step

• Server side – setup pull server
– Install service and configure (dsc service, iis for http/https web site)
    configuration HTTPPullServer {
        # Modules must exist on target pull server
        Import-DSCResource -ModuleName xPSDesiredStateConfiguration
        Node localhost {
            WindowsFeature DSCServiceFeature {
                Ensure = "Present"
                Name = "DSC-Service"
            }
            WindowsFeature IISConsole {
                Ensure = "Present"
                Name = "Web-Mgmt-Console"
            }
            xDscWebService PSDSCPullServer {
                Ensure = "Present"
                EndpointName = "PSDSCPullServer"
                Port = 8080
                PhysicalPath = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
                CertificateThumbPrint = "AllowUnencryptedTraffic"
                ModulePath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
                ConfigurationPath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
                State = "Started"
                DependsOn = "[WindowsFeature]DSCServiceFeature"
            }
            xDscWebService PSDSCComplianceServer {
                Ensure = "Present"
                EndpointName = "PSDSCComplianceServer"
                Port = 8443
                PhysicalPath = "$env:SystemDrive\inetpub\wwwroot\PSDSCComplianceServer"
                CertificateThumbPrint = "AllowUnencryptedTraffic"
                State = "Started"
                IsComplianceServer = $true
                DependsOn = ("[WindowsFeature]DSCServiceFeature", "[xDSCWebService]PSDSCPullServer")
            }
        }
    }
    # Generate MOF
    HTTPPullServer -OutputPath C:\DSC\HTTP
– Deploy pull server locally
    Start-DscConfiguration -Path C:\DSC\HTTP -Verbose -Wait

Build up a native Powershell DSC (Pull server) step by step

• Server side – setup client LCM by remote
– Change client LCM default setting
    [DSCLocalConfigurationManager()]
    Configuration LCM_HTTPPULL {
        param (
            [Parameter(Mandatory = $true)]
            [string[]] $ComputerName,

            [Parameter(Mandatory = $true)]
            [string] $guid
        )
        Node $ComputerName {
            Settings {
                AllowModuleOverwrite = $True
                ConfigurationMode = 'ApplyAndAutoCorrect'
                RefreshMode = 'Pull'
                ConfigurationID = $guid
            }
            ConfigurationRepositoryWeb DSCHTTP {
                ServerURL = 'http://server_ip:8080/PSDSCPullServer.svc'
                AllowUnsecureConnection = $true
            }
        }
    }
    # Create Guid for the computers
    $guid = [guid]::NewGuid()
    # Create the Computer.Meta.Mof in folder
    LCM_HTTPPULL -ComputerName $clientip -Guid $guid -OutputPath c:\DSC\HTTP
– Push MOF file to client
    Set-DSCLocalConfigurationManager -ComputerName $clientip -Path c:\DSC\HTTP -Verbose -Credential $cred
– Check client LCM setting
    Get-DscLocalConfigurationManager -CimSession $Session
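
The pull server and client LCM above talk plain HTTP (CertificateThumbPrint = "AllowUnencryptedTraffic" on the server, AllowUnsecureConnection = $true on the client), so configurations cross the network unencrypted and the client has no way to authenticate the server it pulls from. As an added example, not from the original slides: the same pull endpoint and LCM setting over HTTPS. `<certificate_thumbprint>` and `<server_fqdn>` are placeholders, the configuration names are hypothetical, and only the xDscWebService properties already used on the slides appear (newer releases of the module may require additional properties).

```powershell
# Added example, not from the original slides.
# Assumptions: '<certificate_thumbprint>' is the thumbprint of a server
# authentication certificate in Cert:\LocalMachine\My on the pull server, and
# '<server_fqdn>' is the name in that certificate. Clients must trust its issuer.
configuration HTTPSPullServer {
    # Modules must exist on target pull server
    Import-DSCResource -ModuleName xPSDesiredStateConfiguration
    Node localhost {
        WindowsFeature DSCServiceFeature {
            Ensure = 'Present'
            Name   = 'DSC-Service'
        }
        xDscWebService PSDSCPullServer {
            Ensure                = 'Present'
            EndpointName          = 'PSDSCPullServer'
            Port                  = 8080
            PhysicalPath          = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
            # A real thumbprint makes the endpoint an HTTPS binding
            # instead of the lab value "AllowUnencryptedTraffic".
            CertificateThumbPrint = '<certificate_thumbprint>'
            ModulePath            = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
            ConfigurationPath     = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
            State                 = 'Started'
            DependsOn             = '[WindowsFeature]DSCServiceFeature'
        }
    }
}
HTTPSPullServer -OutputPath C:\DSC\HTTPS
Start-DscConfiguration -Path C:\DSC\HTTPS -Verbose -Wait

[DSCLocalConfigurationManager()]
Configuration LCM_HTTPSPULL {
    param (
        [Parameter(Mandatory = $true)]
        [string[]] $ComputerName,

        [Parameter(Mandatory = $true)]
        [string] $guid
    )
    Node $ComputerName {
        Settings {
            AllowModuleOverwrite = $True
            ConfigurationMode    = 'ApplyAndAutoCorrect'
            RefreshMode          = 'Pull'
            ConfigurationID      = $guid
        }
        ConfigurationRepositoryWeb DSCHTTPS {
            # https URL; the host name must match the server certificate.
            ServerURL               = 'https://<server_fqdn>:8080/PSDSCPullServer.svc'
            AllowUnsecureConnection = $false
        }
    }
}
# $clientip, $cred and $guid as set in the steps above
LCM_HTTPSPULL -ComputerName $clientip -Guid $guid -OutputPath C:\DSC\HTTPS
Set-DSCLocalConfigurationManager -ComputerName $clientip -Path C:\DSC\HTTPS -Verbose -Credential $cred
```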

Build up a native Powershell DSC (Pull server) step by step

• Server side – deploy script
– Install SMTP on client side
    configuration clientsmtp {
        Node HTTPComputers {
            WindowsFeature SMTP {
                Name = 'SMTP-Server'
                Ensure = 'Present'
            }
        }
    }
    clientsmtp -OutputPath c:\DSC\http
– Produce MOF file for each client
  • get guid from client
    $guid = Get-DscLocalConfigurationManager -CimSession $Session | Select-Object -ExpandProperty ConfigurationID
  • Specify source folder of configuration
    $source = "C:\DSC\HTTP\HTTPComputers.mof"
  • Destination is the pull location on the web server
    $dest = "\\localhost\c$\Program Files\WindowsPowerShell\DscService\Configuration\$guid.mof"
    Copy-Item -Path $source -Destination $dest
  • make checksum
    New-DSCChecksum $dest
– Check installation is complete
    Update-DscConfiguration -ComputerName s1 -Wait -Verbose
– Check that the windows feature exists
    Invoke-Command -ComputerName $clientip -ScriptBlock { Get-WindowsFeature -Name *smtp* } -Credential $cred
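
The pull workflow above copies each MOF to `<guid>.mof` and runs New-DSCChecksum, which writes the file's SHA-256 hash to `<guid>.mof.checksum`; clients rely on that hash file to detect a changed configuration. As an added example, not from the original slides: an audit of the pull server's Configuration folder that reports MOF files whose checksum is missing or no longer matches, and files whose name is not a GUID. The function name is hypothetical; the default path is the ConfigurationPath used on the slides.

```powershell
# Added example, not from the original slides. Run on the pull server.
function Test-DscMofChecksum {
    param (
        # ConfigurationPath from the HTTPPullServer configuration on the slides
        [string] $ConfigurationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
    )

    Get-ChildItem -Path $ConfigurationPath -File |
        Where-Object { $_.Extension -eq '.mof' } |
        ForEach-Object {
            $mof          = $_
            $checksumFile = "$($mof.FullName).checksum"
            $actual       = (Get-FileHash -Path $mof.FullName -Algorithm SHA256).Hash
            $recorded     = $null

            if (-not (Test-Path -Path $checksumFile)) {
                # MOF was copied but New-DSCChecksum was never run for it
                $status = 'MissingChecksum'
            }
            else {
                # An empty checksum file yields an empty string, not an error
                $recorded = ('' + (Get-Content -Path $checksumFile -Raw)).Trim()
                # -eq on strings is case-insensitive, so hex case does not matter
                $status = if ($recorded -eq $actual) { 'Match' } else { 'Mismatch' }
            }

            # In ConfigurationID mode the file name must be the node's GUID
            $parsed = [guid]::Empty
            $isGuid = [guid]::TryParse($mof.BaseName, [ref]$parsed)

            [pscustomobject]@{
                Mof        = $mof.Name
                NameIsGuid = $isGuid
                Status     = $status
                Recorded   = $recorded
                Actual     = $actual
                Modified   = $mof.LastWriteTime
            }
        }
}

# List only the files that need attention
Test-DscMofChecksum |
    Where-Object { $_.Status -ne 'Match' -or -not $_.NameIsGuid } |
    Format-Table Mof, NameIsGuid, Status, Modified -AutoSize
```

A Mismatch means the MOF was edited or replaced after its checksum was generated; review the file before running New-DSCChecksum on it again.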

Build up a native Powershell DSC (Pull server) step by step

• What is Azure Automation account
– Azure will play as a DSC server role
– Automation Account information
  • Access key
  • URL
– Runbook
  • Using Azure UI to manage scripts (after extension deploy)
  • Push configuration file to client
  • Webhooks
    – Regular execute
    – Trigger by 3rd party application

• show on both new/old Azure portal

Build up an Azure automation DSC extension step by step

• What is Azure Automation DSC extension
– Extension will play as a DSC client role
– After deploy, client will register to Automation Account
– Pull mode
– Only show on new Azure portal
– Azure linux platform does not support Azure extension

Build up an Azure automation DSC extension step by step

• How to deploy Azure Automation DSC extension
– Enable Azure Automation account
  • Default : invisible
  • Use command to enable (step1)
  • Select Azure Automation account (step2)
– Create configuration file and upload to Azure Automation account
  • Manage configuration file in Azure Automation account (step3,4)
    – Prepare ps1, and zip file
    – Import / remove configuration by azure powershell command
– Deploy Azure Automation DSC extension
  • Azure Automation account detail (step5)
    – Provide “Access key” when launching vm extension
    – Provide “URL” when launching vm extension
  • Launch extension in vm setting
– Check vm status (step6)

Build up an Azure automation DSC extension step by step

• Step 1: Enable the extension in your Azure Account
– Add & Select Account
    Add-AzureAccount
    Switch-AzureMode -Name AzureResourceManager
– Register DSC extension on account
    Register-AzureProvider -ProviderNamespace Microsoft.Automation
    Register-AzureProviderFeature -FeatureName dsc -ProviderNamespace Microsoft.Automation

• Step 2: Select subscription and default values
– select subscription
    Switch-AzureMode AzureResourceManager
    Get-AzureAccount
– List and set SubscriptionName
    Get-AzureSubscription
    Select-AzureSubscription "SubscriptionName"
– List and set ResourceGroupName, AutomationAccountName
    Get-AzureAutomationAccount
    $PSDefaultParameterValues = @{
        "*AzureAutomationDsc*:ResourceGroupName" = "ResourceGroupName"
        "*AzureAutomationDsc*:AutomationAccountName" = "AutomationAccountName"
    }

Build up an Azure automation DSC extension step by step

• Step 3: Write configuration
– Powershell script
    Configuration PSUG {
        Node "webserver" {
            #Install the IIS Role
            WindowsFeature IIS {
                Ensure = "Present"
                Name = "Web-Server"
            }
        }
    }
– Node configuration name "psug.webserver"
– it is important that the filename is the same as the configuration name

• Step 4: Import and Compile configuration
– Import Config & compile
    Switch-AzureMode AzureResourceManager
    Get-Command *azureautomationdsc*
    Import-AzureAutomationDscConfiguration -SourcePath E:\Data\PSUG.ps1 -Published -Force
    Start-AzureAutomationDscCompilationJob -ConfigurationName "psug"
– check status is completed on compilation job
    Get-AzureAutomationDscCompilationJob
– check that psug.webserver has appeared
    Get-AzureAutomationDscNodeConfiguration

Build up an Azure automation DSC extension step by step

• Step 5: Create or Register machine / node
– Add Azure Automation extension on node
– Fill in the information
  • Registration URL: from automation account
  • Registration key: from automation account
  • Node configuration name: from step3
  • Configuration mode: apply and autocorrect

Build up an Azure automation DSC extension step by step

• Step 6: check node status / unregister node
– Get all nodes Status
    Get-AzureAutomationDscNode | fl *
– Check latest node result for node WEB2
    $Node = Get-AzureAutomationDscNode -Name WEB02
    Get-AzureAutomationDSCNodeReport -NodeId $Node.ID | Sort EndTime | Select-Object -Last 1
– unregister node
    Get-AzureAutomationDscNode -Name WEB01 | Select-Object -First 1 | Unregister-AzureAutomationDscNode

• Reference
– Azure Automation DSC: How to register and use Azure Automation DSC
  http://blog.coretech.dk/jgs/azure-automation-dsc-how-to-register-and-use-azure-automation-dsc/
– Azure Automation: Using Azure Scheduler to trigger a runbook via Runbook Webhooks
  http://blog.coretech.dk/jgs/azure-automation-using-azure-scheduler-to-trigger-a-runbook-via-runbook-webhooks/
– Azure Automation webhooks
  https://azure.microsoft.com/en-us/documentation/articles/automation-webhooks/

Build up an Azure automation DSC extension step by step

• Azure Powershell DSC extension
– Azure will play as DSC server role
– Only show on new Azure portal
– Configuration file management
  • Package script and manage them by yourself (offline)
  • Upload to client once
  • Deploy extension will overwrite the previous one
  • Azure automation dsc extension is one of powershell dsc extension
– Azure linux platform does not support Azure extension

Build up an Azure Powershell DSC extension step by step

• Write a powershell script
    configuration IISInstall {
        WindowsFeature IIS {
            Ensure = "Present"
            Name = "Web-Server"
        }
    }

• Deploy script by powershell dsc extension
– Prepare script package for UI
    Switch-AzureMode AzureServiceManagement
    Publish-AzureVMDscConfiguration -ConfigurationPath c:\iisinstall.ps1
    Publish-AzureVMDscConfiguration C:\IISInstall.ps1 -ConfigurationArchivePath c:\iisinstall.ps1.zip
– Deploy powershell dsc extension to node
  • Configuration modules or script: installation.ps1.zip
  • Configuration data PSD1 file: (none)
  • Module-qualified Name of configuration: iisinstall.ps1\iisinstall
  • Configuration arguments: (none)


Resources

• Azure automation DSC, Step by Step
  http://blog.coretech.dk/jgs/azure-automation-dsc-how-to-register-and-use-azure-automation-dsc/

• PowerShell DSC for Linux, Step by Step
  http://blogs.technet.com/b/privatecloud/archive/2014/05/19/powershell-dsc-for-linux-step-by-step.aspx

• Manage the PowerShell DSC Extension in the Azure Preview Portal
  http://blogs.msdn.com/b/powershell/archive/2014/10/28/manage-the-powershell-dsc-extension-in-the-azure-preview-portal.aspx

• Use PowerShell DSC to Configure the Registry
  http://blogs.technet.com/b/heyscriptingguy/archive/2015/02/06/use-powershell-dsc-to-configure-the-registry.aspx

• Use PowerShell Desired State Configuration to Set Time Zone
  http://blogs.technet.com/b/heyscriptingguy/archive/2015/01/07/use-powershell-desired-state-configuration-to-set-time-zone.aspx