Post on 08-Jan-2017
Configuration Management for Windows Server with Chef and
DSC
Jeffrey SnoverMicrosoft Technical Fellow
Lead Architect for Enterprise Cloud Group@jsnover
Steven MurawskiPrincipal Engineer @ Chef
Microsoft MVP – Cloud and Datacenter Management@stevenmurawski
Agenda• The Evolution of Windows Server and Automation• State of Configuration Management On Windows Server• Configuring Windows Server With Desired State Configuration (DSC)• Configuring Windows Server With Chef• Why Use DSC With Chef?• Bringing Legacy Infrastructure Under Control• Windows Server – Present and Future
LAB Machine Setup• RDP In
USERNAME: ChefPowerShell PASSWORD: P2ssw0rd!
• Open PowerShell from the ChefDK shortcut• Run chef-apply c:/setup.rb
On with the class!
Evolution of Windows Server
Server for the Masses
Enterprise Servers
Datacenter Servers
Cloud Servers
20016: An Automation Odyssey
The Evolution of Automation on Windows Server• 2006 - Windows PowerShell V1
Interactive Shell, Scripting Language, .Net cmdlets• 2009 – Windows PowerShell V2
Remoting, script cmdlets, modules• 2012 – Windows PowerShell V3
WMIv2 cmdlets, jobs• 2013 – Windows PowerShell V4
Desired State configuration• 2015/2016 – Windows PowerShell V5 RTM
DSC+++, Classes, Pester & Operational Validation Framework, Package mgmt., JEA, Remoting improvements, Security+++
• What they are really asking is: Why not:
Salt? Chef? Ansible? Puppet? CFEngine? GuardRail? BrewMaster?
• Lots of great tools for Unix, why not just use them?
Why DSC?
“Why PowerShell DSC?” is the wrong question
• Why PowerShell?• Why not just use *sh and the Unix utils?
Right Question
• If you can edit files and restart processes, you can manage Unix• awk, grep, sed are management tools
Unix is a document-oriented OS
• awk didn’t work against WMI• grep didn’t work against Active Directory• sed didn’t work against Registry
Windows is an API-oriented OS
• Unix CM tools “hit a brick wall” managing Windows• Need tools which work against an API-oriented OS
Why DSC?
State of Configuration Management On Windows Server• Until Desired State Configuration there
were MMCs and WMI as the default admin interface on Windows Server was no central standard for administrative automation and configuration (modulo
GP for clients) Chef and Puppet worked on Windows, mostly as very thin wrappers over a bunch
of PowerShell• Enter Desired State Configuration (DSC) platform which
identified a standard for how to define configuration management tasks supports a growing ecosystem of configuration management resources enables a resource-sharing hub – the PowerShell Gallery
DSC enables a rich ecosystem of CM tools that will compete on features vs coverage
Configuring Windows Server With Desired State Configuration
• New Keywords Configuration Node Import-DscResource
Find the lab at https://github.com/smurawski/chef-and-windows-lab
• New Automatic Variables ConfigurationData AllNodes Node
• Resources Binary Script WMI Class-based
wusa C:\Win8.1AndW2K12R2-KB3134758-x64.msu
LAB Exercise 1 – Build and Apply a Basic Configuration
https://github.com/smurawski/chef-and-windows-lab/tree/master/exercise-1
Configuring Windows Server With Chef• Chef is a mature platform with evolving capabilities around
Audit and Compliance Reporting and Analytics Continuous Delivery for Applications and Infrastructure
• Chef has embraced DSC and the Windows Server management model One of the first partners integrating DSC Started shipping support for DSC in September 2014
Why Use DSC with Chef?• DSC is great and Chef is great• DSC is a platform feature, not an end to end solution• DSC has some rough edges• How Chef helps• What DSC offers to Chef
Why Use DSC with Chef?• DSC is great and Chef is great
Both systems have strong capabilities on their own. Chef is a mature, flexible automation platform. DSC is built into the Windows operating system and has a growing ecosystem of
resources.• DSC is a platform feature, not an end to end solution• DSC has some rough edges• How Chef helps• What DSC offers to Chef
Why Use DSC with Chef?• DSC is great and Chef is great• DSC is a platform feature, not an end to end solution
DSC primarily is a platform feature (the Local Configuration Manager and the patterns for resources).
DSC has limited constructs for separating out environment specific data. There are workflow and management limits. You will need to build some tooling.
• DSC has some rough edges• How Chef helps• What DSC offers to Chef
Why Use DSC with Chef?• DSC is great and Chef is great• DSC is a platform feature, not an end to end solution• DSC has some rough edges
Resources in a configuration cannot execute conditionally. Resources cannot be reused inside other resources (outside of composite
resources). Parameters to resources have to be provided ahead of time.
• How Chef helps• What DSC offers to Chef
Why Use DSC with Chef?• DSC is great and Chef is great• DSC is a platform feature, not an end to end solution• DSC has some rough edges• How Chef helps
Use run-time information to determine how policy is applied. Constructs for modeling your environmental data – roles, environments, data bags,
and policyfiles. Workflow tooling in the Chef Development Kit (ChefDK), to help scaffold and
extend projects. Strong community of test tools including lint, syntax, unit, and
integration/acceptance. Compliance as a first-class citizen (testing tools, Audit mode, and Chef
Compliance). Chef server makes configuration and environment data available for reporting and
during configuration management tasks.• What DSC offers to Chef
Why Use DSC with Chef?• DSC is great and Chef is great• DSC is a platform feature, not an end to end solution• DSC has some rough edges• How Chef helps• What DSC offers to Chef
Resources, resources, and more resources.
More Resources == More Options
LAB Exercise 2 – Build and Apply a Basic Chef Recipe
https://github.com/smurawski/chef-and-windows-lab/tree/master/exercise-2
Where Should I Use DSC Resources vs. Chef Resources?• 5 Questions For IT Operations
Is there a cookbook with resources or recipes on Supermarket that meets the use case?
Is there a DSC resource in PowerShell Gallery that meets the use case? How easily can I test that the (recipe/resource) meets my need? Is my team stronger in Ruby or PowerShell? What kind of community support is out there for the recipe/resource?
Where Should I Use DSC Resources vs. Chef Resources?• 5 Questions For IT Operations
Is there a cookbook with resources or recipes on Supermarket that meets the use case?
Is there a DSC resource in PowerShell Gallery that meets the use case? Very often the presence of a community resource or recipe can get us 80 to 90%
of the way to solving our problem. Even when there is overlap, there can be differences in their behavior.
How easily can I test that the (recipe/resource) meets my need? Is my team stronger in Ruby or PowerShell? What kind of community support is out there for the recipe/resource?
Where Should I Use DSC Resources vs. Chef Resources?• 5 Questions For IT Operations
Is there a cookbook with resources or recipes on Supermarket that meets the use case?
Is there a DSC resource in PowerShell Gallery that meets the use case? How easily can I test that the (recipe/resource) meets my need?
Probably the most important aspect, if you cannot verify what the resource or recipe does, you cannot trust the resource in production.
Is my team stronger in Ruby or PowerShell? What kind of community support is out there for the recipe/resource?
Where Should I Use DSC Resources vs. Chef Resources?• 5 Questions For IT Operations
Is there a cookbook with resources or recipes on Supermarket that meets the use case?
Is there a DSC resource in PowerShell Gallery that meets the use case? How easily can I test that the (recipe/resource) meets my need? Is my team stronger in Ruby or PowerShell?
If you have to build a custom resource or modify an existing one, where does your team’s skillset lie?
You will need to troubleshoot the application of resources at some point. What kind of community support is out there for the recipe/resource?
Where Should I Use DSC Resources vs. Chef Resources?• 5 Questions For IT Operations
Is there a cookbook with resources or recipes on Supermarket that meets the use case?
Is there a DSC resource in PowerShell Gallery that meets the use case? How easily can I test that the (recipe/resource) meets my need? Is my team stronger in Ruby or PowerShell? What kind of community support is out there for the recipe/resource?
One of the greatest parts of the Chef and PowerShell communities is the depth of the community support.
DSC is still fairly new in the PowerShell community.
Where Should I Use DSC Resources vs. Chef Resources?• 5 Questions For IT Operations
Is there a cookbook with resources or recipes on Supermarket that meets the use case?
Is there a DSC resource in PowerShell Gallery that meets the use case? How easily can I test that the (recipe/resource) meets my need? Is my team stronger in Ruby or PowerShell? What kind of community support is out there for the recipe/resource?
One of the greatest parts of the Chef and PowerShell communities is the depth of the community support.
DSC is still fairly new in the PowerShell community.
Where Should I Use DSC Resources vs. Chef Resources?• For ISV (Independent Software Vendors),
if you build software to run on Windows Server
THERE ISNO
QUESTION
BUILD DSC RESOURCES
Windows Server 2016• Great server for
the Masses, the Enterprise, the Datacenter and now the Cloud• Cloud Competitive OS
Small and Fast Devops friendly Minimize attack service Minimize patches/reboots
• Ergo: NanoServer Desired State Configuration +++ WSA, Pkg Mgmt, Pester, OVT, JIT, JEA, Containers & Docker Remote Management Tool & Emergency Mgmt Console PowerShell Core
Bringing Legacy Infrastructure Under Control• When you have to make a change in a legacy code base, here is an algorithm you can use.
Identify change points. Find test points. Break dependencies. Write tests. Make changes and refactor.
Source: Feathers, Michael C. Working Effectively with Legacy Code. Upper Saddle River, NJ: Prentice Hall PTR, 2004.
Bringing Legacy Infrastructure Under Control• There is no “easy” button
It’s Just Not Going To Happen.
Get Over It.
LAB Exercise 3 – Using Pester To Define Acceptance Tests For
Legacy Infrastructurehttps://github.com/smurawski/chef-and-windows-lab/tree/master/exercise-3
Questions?Non-bullet slide subtitle
More Resources• https://learn.chef.io• https://msdn.microsoft.com/powershell• http://stevenmurawski.com/devops-reading-list • http://aka.ms/thereleasepipelinemodel (or http://aka.ms/trpm )• https://supermarket.chef.io• https://powershellgallery.com• https://github.com/powershell• https://github.com/chef-cookbooks