Friday, April 29, 2016

Watch: Automating Windows PowerShell DSC with Chef [feedly]

Watch: Automating Windows PowerShell DSC with Chef
https://www.chef.io/blog/2016/04/22/watch-automating-windows-powershell-dsc-with-chef/



On April 14th, I presented a live webinar on Automating Windows PowerShell Desired State Configuration (DSC) with Chef. Automating PowerShell DSC with Chef makes it safer and easier to manage hundreds or thousands of servers.

Watch the recording below to learn how you can bring order to chaotic environments by using Chef and DSC together. At the end of this post, I've included some Q&A from the presentation.


How does Chef surface errors that a DSC resource throws? Can you see them in the logs or Chef console?

Errors from the resource run are surfaced in the Chef logs.

With DSC_Script (the sample with the actual DSC declarative code), is Chef compiling that into a MOF and feeding that to the LCM, or is it parsing the data and feeding it directly to the LCM without the MOF?

dsc_script creates a configuration command in a PowerShell session and generates the MOF document, which is then supplied to the LCM to apply to the node.

What's the recommended Chef agent version to use with dsc_resource? Where can I find a comprehensive list of resources I can use with DSC?

You can use dsc_resource starting with 12.2, but there were some enhancements and bug fixes since then. I'd recommend starting at 12.8 or newer. As for a comprehensive list of DSC resources, I'd start with using Find-DscResource, which will search PowerShellGallery for available resources. There are undoubtedly more out there, but that's the primary distribution hub.

Is the LCM configured for push or pull?

In the case of dsc_resource (with WMF 5 RTM), it doesn't matter if the LCM's refresh mode is 'PUSH', 'PULL' or 'DISABLED'. The use of dsc_script will force the LCM into PUSH mode. If you are using DSC with Chef, you should have the LCM set to 'PUSH' or 'DISABLED'. You should definitely configure the LCM for ApplyOnly if you plan to use dsc_script.

Is LCM a totally different agent from the local Chef Client on a VM? Or do they run interdependently?

The LCM – Local Configuration Manager – is a component of Windows Management Framework 5 and is independent of Chef. Chef uses the LCM for dsc_script and dsc_resource.

What's the best way to get DSC resources enhanced/fixed?

There are two avenues – first the OSS route. If you submit a fix for a resource, include tests that validate your fix makes things behave in a way that they are expected to. Second, if you are a Microsoft customer with a support agreement, use your TAM to lobby for support from Microsoft to drive fixes to the DSC resources.

What's your favorite sandwich?

I love sandwiches of all kinds, but a ham, turkey, bacon and cheese club is my go-to favorite.

What is the support of composite resources in Chef?

Composite resources are supported in dsc_script, but not via dsc_resource. dsc_resource directly invokes DSC resources via the LCM and the LCM does not know about composite resources. Composite resources are a way to abstract your configuration, but when you run the configuration command, each resource specified in the composite configuration is included in the MOF that is passed to the LCM.
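The two paths described in the answers above (a configuration compiled to a MOF for dsc_script, a direct resource invocation for dsc_resource) look like this on the PowerShell side. This is an added example, not code from the webinar or from Chef; the configuration name, environment variable names and values are constructed, and it assumes WMF 5 RTM or later in an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example; names and values below are constructed for illustration.

# Path 1 (MOF path): a configuration command compiles to a MOF document,
# and the MOF is handed to the LCM, which stores it as the node's configuration.
Configuration ExampleViaMof {
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node 'localhost' {
        Environment ViaMof {
            Name   = 'EXAMPLE_VIA_MOF'
            Value  = 'applied-from-mof'
            Ensure = 'Present'
        }
    }
}
$mofDir = Join-Path $env:TEMP 'ExampleViaMof'
ExampleViaMof -OutputPath $mofDir | Out-Null      # writes localhost.mof
Start-DscConfiguration -Path $mofDir -Wait -Verbose

# Path 2 (direct path): no MOF is written. The LCM is asked to run a single
# resource's Test method, and its Set method only if the node is out of state.
# Only real resources can be named here, not composite ones.
$resource = @{
    Name       = 'Environment'
    ModuleName = 'PSDesiredStateConfiguration'
    Property   = @{
        Name   = 'EXAMPLE_DIRECT'
        Value  = 'applied-directly'
        Ensure = 'Present'
    }
}
$test = Invoke-DscResource @resource -Method Test
if (-not $test.InDesiredState) {
    $set = Invoke-DscResource @resource -Method Set
    if ($set.RebootRequired) {
        Write-Warning 'The resource reported that a reboot is required.'
    }
}
```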

What was the name of the editor you mentioned you really liked using for DSC coding at the beginning of the webinar again?

Visual Studio Code (with the PowerShell and Chef extensions).

What kind of reporting is there in Chef on the compliancy of DSC resources?

dsc_resource will report the compliance of each resource declared individually, and Chef reports a roll up of the number of individual resources as well as how many were updated. dsc_script tries to parse the output, but due to the changing formats and the removal of '-whatif' from start-dscconfiguration, in WMF 5 it reports the resource as a unit.

Can Chef work without a chef agent on the target system? Can Chef build MOF files which can be placed on a DSC Pull Server?

Chef can work against a remote node or can be used to generate MOF documents, but both those scenarios remove much of the advantage of using Chef to manage the configuration of a node.

Are there any limitations on 2008 r2 server with WMF 5.0 utilizing dsc_resource with chef or DSC in general. Does it work the same as 2012 r2/2016 server as long as WMF 5.0 is installed?

There are no WMF 5 DSC or LCM limitations on 2008 R2. 2008 R2 does, however, have some challenges. Being a much older operating system, it does not have the newer WMI APIs that drive many of the new PowerShell cmdlets. This means resources that rely on those cmdlets will not work on 2008 R2 without specific workarounds in the resource itself.

When using Chef client 12.4.1, executing multiple dsc_script or dsc_resource resources executes PowerShell multiple times which takes a long time. What is being done to improve the performance?

We are constantly looking for ways to improve performance. Part of that is (in later versions of Chef Client) using newer versions of Ruby which offer better overall performance. We are also investigating new ways of calling PowerShell without the overhead we currently have.

DSC4 and DSC5 have a slightly different format when you build the config file. Does that come into play at all when using DSC within Chef?

Using DSC through Chef is agnostic on whether you use WMF4 or WMF5 for dsc_script (dsc_resource does not support WMF 4). Because we generate the configuration on the node where it is applied, the WMF version is the same.

Is it correct that dsc_resource will not risk contention with the LCM like dsc_script might when executed via a Chef recipe?

dsc_resource doesn't leave behind a configuration that the LCM will try to periodically check, so it does not risk the same potential contention that dsc_script does. However, that contention can be avoided if the LCM is set to 'ApplyOnly'.
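The LCM settings recommended here and in the earlier push/pull answer (refresh mode 'PUSH' or 'DISABLED', configuration mode ApplyOnly) can be applied with a WMF 5 meta-configuration and then verified. This is an added example, not code from the webinar or from Chef; the configuration name and output path are constructed, and it assumes WMF 5 in an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example; LcmForChef and the output path are constructed names.

# Meta-configuration: settings for the LCM itself rather than for the node.
[DSCLocalConfigurationManager()]
Configuration LcmForChef {
    Node 'localhost' {
        Settings {
            RefreshMode       = 'Push'        # 'Disabled' is the other value the post allows
            ConfigurationMode = 'ApplyOnly'   # apply once, no periodic re-check
        }
    }
}

$metaDir = Join-Path $env:TEMP 'LcmForChef'
LcmForChef -OutputPath $metaDir | Out-Null    # writes localhost.meta.mof
Set-DscLocalConfigurationManager -Path $metaDir -Verbose

# Verify what the LCM actually reports, and flag the settings that would let
# it re-check or pull configurations alongside Chef.
$lcm = Get-DscLocalConfigurationManager
$problems = @()
if ($lcm.RefreshMode -notin 'Push', 'Disabled') {
    $problems += "RefreshMode is '$($lcm.RefreshMode)', expected Push or Disabled"
}
if ($lcm.ConfigurationMode -ne 'ApplyOnly') {
    $problems += "ConfigurationMode is '$($lcm.ConfigurationMode)', expected ApplyOnly"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'LCM is set to Push/Disabled with ApplyOnly.'
}
```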

Question about Leveraging DSC Configurations and dsc_resource resource, I find value in fully defining a DSC configuration and placing it in a ps module (maybe with some parameters.). Now I could leverage Chef to call an install-module | import-module | call the defined configuration, then run start-dscconfiguration. However, if you want to leverage the dsc_resource resource, you have to set the refresh mode to disable, which disables the Start-DSCConfiguration, Get-DSCconfigurat, and test.

So, this was true with the preview versions of WMF 5. With the RTM version, you do not need to disable the LCM and dsc_script and dsc_resource can be used side by side. (This also requires at least Chef Client 12.6.)

What if neither resource has a solution for what you are trying to do? Which to go with to start from scratch?

I would use the same criteria – which would be easiest to test? Where does my team's strength lie? And what kind of community support is there for building that resource?

What about class-based resources? Can't they be used to enable resources to consume other resources?

Class based resources can be used on some level, but there is not great support in the DSC DSL for doing that. Also, currently class based resources do not support side by side deployment, so you may end up with conflicting dependencies and not actually be able to use any of the resources that depend on different versions of a class based resource.

Is there a AWS OpsWorks like for Azure?

Azure Operations Management Suite is probably the closest in concept. Now, to use Chef in Azure, we have a VM Agent Extension that'll install Chef, we have Chef Server images in the gallery, and of course, there is hosted Chef.

What is the status of reboot handling for Windows cookbooks?

Reboot handling is baked in to Chef Client 12 with the reboot_pending? helper and reboot resource. dsc_resource can also queue a reboot resource if a DSC resource requests a reboot (via the reboot_action property of the dsc_resource resource).