Get to Know DSC - PowerShell.org

Report
Get to Know DSC
A PowerShell.org TechSession
Remember
 Find the latest TechSessions at
http://powershell.org/wp/techsession-webinars/.
 Advanced registration is required to attend the live
events, where you can participate in Q&A
 Recordings posted to YouTube, usually in 48 hours.
Today
 We’ll introduce the DSC technology, explain what it is
(and isn’t), and provide some guidance for using it.
 We’ll also look at where it currently falls short, and try
to predict where it’ll go next.
 This will be about 50/50 lecture and demo…
 …and you’re encouraged to ask questions as we go,
using the Q&A panel in GoToWebinar.
Basic Information
 Level: 100-200
Technology introduction and feature overview
Planning and architecture
 Pre-requisites:
Solid experience with Windows PowerShell and Windows
administration
What is DSC?
 A means of declaratively specifying the configuration a
computer should adopt.
 Mainly focused on servers at this time.
 Rather than writing a script that checks the config and
then corrects it, you simply specify the config. Microsoft
(and others) provide the code that does the checking
and fixing.
Applicability
 Part of WMF 4 and later
 Win2008R2, Win7, and later
 Included in Win2012R2 and Win8.1
 Note that because Win8.1 was a free update, WMF 4
does not technically apply to Win8; the expectation is
that you’ll upgrade to 8.1.
 Much more limited resource availability on Win2008R2
and Win7, meaning DSC is there, but it can do less.
Architecture
“Target Node”
 Because not every node is a computer these days
 Although presently, an LCM exists only for Windows and
Linux
*LCM=Local Configuration Manager, the client-side bit of
DSC that does all the dirty work
Configuration Scripts
 These can contain zero logic, to incredibly complex
logic.
 They run once on your authoring computer, and produce
a static MOF.
 The MOF is what you deploy. Keep in mind that the MOF
is static – it doesn’t contain code or logic.
 A configuration can be written to target one computer,
or contain logic that allows it to produce MOFs for
multiple computers.
 Let’s take a look…
Resources
 A Configuration Script (and thus, the MOF it produces)
references one or more Resources.
 Resources are what actually check the config, and when
necessary fix it.
 Non-core resources must be explicitly imported.
 Use Get-DscResource to discover installed resources.
 A Config can reference any resource that will be available on
the target node (e.g., you can code a Config for Linux on
Windows)
 Resources should be available on the authoring system (for
IntelliSense and whatnot)
One Machine, One MOF
 You can only deploy a single MOF to a given computer.
 To “modularize,” you can…
 Add logic to a monolithic configuration script so that it
produces “customized” MOFs per computer
 Save a configuration as a resource, and then “include” it in
another, top-level composite configuration
Composite Configurations
Composite Configuration
for Domain Controllers
Configuration for
all company servers
Composite Configuration
for aux. DNS servers
Configuration for
DNS servers
Configuration for
AD DS
DSC Resources
 Several come bundled with WMF 4
 MANY MANY MORE are in the DSC Resource Kit (at Wave
4 as of June 2014)
 Resource Kit also includes Diagnostics and Resource
Designer modules
 A Resource is a special PowerShell script module, and
multiple Resources can be bundled into a single
Resource Module. The RM is what gets distributed; the R
is what gets referenced in a configuration script
 Let’s see one…
Deploying Resources
 Containing module should go in \Program
Files\WindowsPowerShell\Modules
 This is in PSModulePath as of WMF4.
 Simple file copy is sufficient…
However, resources usually have their own
dependencies, usually other PowerShell modules.
Deploying MOFs
 PUSH Mode
 Uses WinRM to deploy the MOF and kick off the Local
Configuration Manager (LCM)
 You must deploy all Resource Modules referenced in the
MOF
 PULL Mode
 Configure machines’ LCM to grab their config from a
central Web or file server
 They can also grab needed Resource Modules from the pull
server
 Available on 2008R2+ (harder to install on older OS)
“Compliance” Server
 Additional optional feature of a Web-based pull server
 Gives machines a place to check back in with their
current state of conformity
 This is only a status code, not a detailed “difference”
report.
 By default, stored in a Win Internal DB; can be pointed
to SQL Server.
“Diffs”
 LCMs can be configured to Apply (e.g., look at the
config) and Monitor (report back)…
 …and Apply and AutoCorrect (e.g., look at the config
and do something about it)
 DSC is designed to ensure there are no differences;
while the technology does support the concept of
“report back and tell me what’s non-conforming” there
are presently no tools which do so.
Mental Switch
 We’re used to asking “what changed?” for
troubleshooting.
 With DSC, if you’re doing it right, the answer is always
nothing. Which is why it doesn’t natively report back
with a difference. There is no difference.
 You can extract this information from diagnostic logs,
but difference reporting isn’t the main goal of the
technology.
What’s Missing
 Full resource coverage (improving almost monthly)
 Tooling (aside from ISE, there basically is nothing)
 Documentation (“The DSC Book” is about the best
starting point; see also articles on
PowerShellMagazine.com and the PowerShell team blog;
it’s all a bit scattered at present).
What DSC Isn’t
 A catchall replacement for everything
 E.g., you’d use DSC to configure WSUS, not to deploy
updates
Sketchy Areas
 Software installation is a little primitive – the current
Package resource is a bit finicky
 Broad availability of OneGet (WMF 5) will probably help
move this further toward the goal
Security
 The LCM runs as SYSTEM, so it has almost no authority
off-computer
 Anything you need to do non-local (e.g., retrieve a
package from a file server) will need to be given a
credential
 You can specify, in a config, the thumbprint of a
certificate (which you must pre-deploy to nodes) that
can be used to decrypt credentials in the config
HTTPS!
 Pull Servers should be set up using SSL – this is what
they want by default
 Without SSL, you get NO AUTHENTICATION OF THE PULL
SERVER IDENTITY THIS IS A MASSIVE SECURITY FAIL AND
YOU WILL PROBABLY GO TO HELL AND YOU’VE GOT
NOBODY TO BLAME BUT YOURSELF PLEASE DON’T USE A
NON-HTTPS PULL SERVER THANK YOU VERY MUCH.
This Isn’t GPO (Yet)
 There is no connection to Active Directory.
 Targeting is basically manual, or whatever logic you
build.
 There’s no apply-time dynamic targeting or filtering
(MOFs are static).
 You get only one MOF per computer (which complicates
authoring, but massively simplifies everything else).
Let’s Take Some Questions
 I know you’ve got ‘em… ask away.
Follow-Up Resources
 The DSC Book (soon to be retitled The Free DSC Book) at
PowerShell.org (on the “Resources” menu)
 The DSC Hub at PowerShell.org (including our GitHub
repo)
 Watch for a DSC Microsoft Virtual Academy from Don
Jones and Jeffrey Snover in 2014Q4
 DSC Q&A Forum at PowerShell.org
Thank You!
 Find the latest TechSessions at
http://powershell.org/wp/techsession-webinars/.
Advanced registration is required to attend the live
events, where you can participate in Q&A
Recordings posted to YouTube, usually in 48 hours.
 Ask follow-up questions in the Forums on
PowerShell.org.

similar documents