Is DSC Dead? - Gael Colas and Michael Greene - PSCOFNEU 2020

Captions
Welcome to this special conference EU session, "Is DSC Dead?", by Michael Greene and myself. Hello everybody. Thank you to the sponsors for making this virtual PowerShell Conference EU 2020 possible; it wouldn't be possible without you, and hopefully we'll see you next year, in 2021, physically.

So today the main thing we want you to take away from this session is to understand the current situation around DSC: what it is within the PowerShell ecosystem, what is available now, and what's coming soon as well. We know there are many misunderstandings, and some things have changed in the past 12 months that you may not have followed; maybe you're new to PowerShell and you don't know about DSC, you don't know much about DSC and where it fits for you. So when DSC was released it was the new shiny thing everyone was excited about, and what happened since then? I believe DSC is slightly misunderstood, as it groups different practices and implements different concepts, sometimes categorized as DevOps or infrastructure as code, so I think it would be worth clarifying some of those concepts and seeing if it's relevant to you. From there we will introduce the DSC Community and explain how it started, what it does now, how you can find us, what we're doing on a day-to-day basis and how it can be useful to you. Finally we're looking to the future of DSC: Azure Policy guest configuration and, of course, PowerShell 7.

So Michael, can you tell us what your role is?

Yeah, I'm the principal program manager in Microsoft Azure management services aligned to configuration management. So if there is a server running in Azure, or connected to Azure Arc, which we'll talk about soon, and we need to configure it, that is my job: to figure out our strategy for how we make that easy.

And I'm a consultant in cloud and automation, and on-premises automation, everything, and I'm not working for Microsoft as a permanent employee. So I will start with, OK, we
start at the beginning of time for Windows automation, when we started to adopt PowerShell. So I wanted to have a quick demo about what we're doing, something we're doing regularly with PowerShell, and how people automate stuff. I'm going to show you the quick demo first, and then the principles for introducing the demo later.

So in the video we've seen a few principles. Whether you're doing a one-off change in a shell or you're writing a script, you will follow a similar pattern. You will get some information first, as data; you will put that into variables, whether you're reading it from a file or you're getting it into your script at the top of your script, or in your shell's variables: you're getting some configuration data. Then you need to manage the context of what you're running: if the folder doesn't exist but you want to set the ACL, you will first create the folder, and from there you will get the ACLs that are assigned to the folder. So that's managing the context of your change. And if you want to do something about it, you will make sure it's not already set, so you will test first if it's needed to do anything to go any further in your script. And when you've got this, what you're doing is you will try to set what is missing: if you find out that the account doesn't have the access you want, you will do the set. But when you've done this you want to make sure everything's applied properly, so you will probably validate in the end by just checking again if it's really applied. So that's the rough principle of what you're doing in PowerShell. You have functions, scripts and modules, and PowerShell lets you compose them and configure and customize your system by using imperative programming: you describe computation statements and they change your system state. But the problem is that leaves you handling the context, the change and the validation. So if you want to have a bit more abstraction you need to abstract those commands into other commands, which usually happens as
parameters, script parameters, right? Like, whatever happens, the expert goes and writes the script, and it's this big imperative script logic, which just means it's line by line going through and doing things in sort of a structure that the author came up with. It's not standardized across their team, and then they want to make it easy for somebody to manipulate that without having to go change code, so they take parameter inputs and keep that in two variables in the scripts.

Exactly, and the functions calling another function, you need to go deeper, and that's good because that helps you do the abstraction. The problem is, as you said, not everyone has the same standards, and then you may have different approaches. And in the decade, in the decade actually leading to 2012, the Unix and Linux ecosystem had a lot of success from a management perspective with CFEngine, Chef and Puppet, because they applied a slightly different principle. At that time they had already a lot of scripts for Unix and Linux, but they started a different approach to managing nodes. And although these tools were really getting more mature, I would say in 2012 the PowerShell community was relatively young and there was a huge gap between the Windows ecosystem and the Linux ecosystem. So there was no interop, sorry, interoperability with Unix, sorry, and the PowerShell team was trying to enable more Windows, that means in more scenarios, and thought that Windows needed to be on the configuration management train, and PowerShell was the right place to deliver that. So at that time they created PowerShell Desired State Configuration. So what is DSC? DSC is a language where you describe the components and the state you want each of the components to look like, and to eventually converge. So in this case I want to make sure my ACL is set properly on the folder on this path. So if you look at that, the file doesn't exist, the folder doesn't exist yet, so I want to make sure my configuration also has
these folders. So for that I will use the File DSC resource, and I will make sure my TestACL, oops sorry, my TestACL folder exists, and I will make sure it has the right properties. So I want to make sure it exists, so it's Present, and the DestinationPath, which is its path, and that should just be this; and I want also to make sure it doesn't create a file but it creates a directory; and finally, if the parent folder doesn't exist, I want to make sure it's there. So I've defined that I want to have a folder created there, and that the ACLs of this folder are also set according to this. So for this you need to have the folder before you can set the ACL, and I want to make sure of it, so I use DependsOn on that, DependsOn on my File resource TestACL instance, which is there. So here we are. On this one I can also add Ensure is Present as well, just to be extra, sorry, just to make sure it's extra explicit. So this is a configuration for localhost, so if I run it anywhere it would be localhost, so it's gonna be on this computer, and I can now run this bit, which is the function I've created there, which compiles the configuration into a MOF, which is a serialized version of this configuration, just to create the configuration, and I can execute it on whatever node I want. So I will just run the selection, and so I have a warning because I haven't imported the resource I'm using here; I only imported the first one, this is a built-in resource, so that's why it's allowed. It's just not a good practice to do so, but for the example it's OK. So now that I've created this MOF and I've put it in my MOF variable, you can see I have a new file in MOF. So let me just show you now: within this folder, TestConfiguration, I only have the configuration MOF; I haven't applied the configuration yet, so that's gonna be what this line does. It tells my agent: in this configuration folder there's this
configuration definition, go find it, please apply it now. And then when I run this in VS Code, VS Code is running as my normal user account, so it's telling me you have an access denied error, because I don't have access to the WMI service, which is what interfaces with the configuration manager, which is the service, the agent if you want, running. So I need to run this as my admin account. So this is a Windows Terminal running as my admin account, and this is running PowerShell 5.1, and in this folder, oops sorry, in this folder I have my configuration folder, and I will run the same thing, and we can see it's actually very fast. It is running my DSC configuration and you can see the LCM, which is the agent taking care of that; when you run it with Verbose and Wait, it will tell you: well, I'm running the first one, File TestACL resource, and now we run the second one, MyACL, and it will set everything; it will test, and if needed set the resource. So now I can go back, yeah, I can look at my TestACL, oh sorry, it's actually just, let's do this. You will see that it's created the folder. So if we now do Get-Acl on the TestACL folder, and what I really care about is the Access property, you can see that again I've created the folder and I've set the right things. So this is how DSC works when you tell it directly: this is the configuration you want; you create a file which is documenting whatever you want to do, and at the end you just apply it, and finally it converges for you. So this is the very basics of DSC. Behind this, the resources I'm using are still a piece of code with imperative commands, but it's done for you to some extent, and you can actually find the source code for this one, which is on GitHub; you can find another system obviously, but we can also show you the file system DSC resource in the community, and then you can see the information about the file system DSC resource; you have access to the code here, the source
code is there, and I can go directly into the DSC resource file; the .psm1 is actually the imperative code, similar to what you've seen, which is running. So let me close that, and that might be a bit small, but that's the idea: the DSC Community, and it happens to be the file system DSC resource in this case. And so in this declaration you've seen that what's really important, the key information, is the data that you want to provide and the way you want the component to be. So you declare the state you want to converge to, and then you get another way to get to that state, which is: hey, do this. And when you write a declarative document like this you don't have to go through the file to understand what it does; you say this is the expected state, you don't really care anymore about how you get to that state. So the documentation, the script with the DSC configuration, is a documentation of what you expect your system to be, and then the system, which is your agent for instance, converges to that state for you. So behind the declaration of each component you still need a piece of code to do the work; you still need to run the commands that you've seen, that you would have written yourself. The difference is you hand that data to another piece of code, and this data will enact this change. So this piece of code still needs to manage the context, the testing, the setting that you've seen, but it's sent over to that piece of code, so it's an abstraction layer. And that piece of code in DSC is called the DSC resource; in Chef it's called a resource, in Puppet, and, what's the other one, Ansible, I believe it's also a module. And it should be a small change, an atomic change for a very specific component, the resource, and this should be idempotent, which means you should be able to run it many times and it should always converge to the same state. All of those resources together create a language with which you can describe your system, and that is a DSL, a domain-specific language, which for each
component, like this one, is a file access rule, and you can describe all the file access rules of your system that you expect to be there. And if you don't like writing MOF, and especially once you've got the MOF compiled, sometimes people have some issues, I just wanted to give you a quick nugget to find a way to parse it: you can just run this. I'm going to show you this demo very quickly, just to parse an existing MOF you compiled and get back an object, and you can do something with it if you want. So this is a very quick demo of a one-liner, which is: how do you parse a MOF once it's compiled? So you've seen in the previous demo we compiled the MOF, which is available in my MOF variable, so I'm just gonna run this, run selection, thank you, and you can see that this is some text which is not very easy to understand when you look at it, and if you want to start parsing it with regex it might be a bit tricky. So the other thing you can do, and make sure you have the full path in the variable, so this is the full path of the MOF, which I can actually open, so you see the content here, and you want to use this method, this static method, to do this. So if you look at the static method, it's got the signature here: you want to have a path, which is a string, and then in this case you want also to have this integer value for the schema validation option, and the magic number is not 42, the magic number is 4; that means it will not do any check. So if I run this, that means it will parse it and I will get it like this in this variable, and then you can see that it fully parsed my MOF file. So I can store that into a variable again; I will run this again, and in this variable I will have access to my different properties, which will be an array actually. So if I do this, then you can see that was the first element I parsed from my file, which is my File TestACL resource which creates the directory, as you've seen in the parameters, and you've got a bit more
information about the source, when it was compiled, and things like this. So I can also do the second element, which is my ACL one. So this is how you would parse an existing MOF if you ever need to; you may not, for the most basic use case you don't need to, but if you want to compare or validate some things then you can quickly do it with this line.

OK, so is DSC DevOps, or is DSC infrastructure as code? I can hear some people asking these questions, so let's get back into it. Now I've explained the concepts: we have a special language which can describe each of the components and how we want them to be once they have converged to the desired state. When we look at this document, we don't have to know the details about the commands being called; it's still the same PowerShell, it's still PowerShell being invoked behind, but you have a high-level overview of what is going on. Someone else has done the actual work, maybe it's you at another time, but someone else has created the actual resource to do the change. But when you describe your infrastructure, you're not just running scripts one after another; you describe the inputs, if you want, all the configuration data for your system, so the description of the system is elevated to a higher level than it can be with imperative scripts. And those scripts still exist; if you really need to troubleshoot some things you can go and look at them. But by adding this higher level of control over the system it makes it easier to scale its management. By changing the definition you can ensure that whatever is defined, whatever is configured with that policy you created, if you update that policy it will reconverge to that state again. So even if you have a moving target, every time you change and you redeploy this new change, you will update the existing system, and every new system created based on that policy, based on that definition, will also have the same
configuration. So you have much more consistency across your estate, the configurations of your nodes, and by having a broader field of vision we spot similarities and differences between nodes, so we can either correct them or create different blocks which we can compose; blocks in DSC are called composites. Or sometimes you just want to create a role, and then you say: hey, this server A looks a lot like this server B, so probably they should be of the same role, maybe they're both the SQL Server role, so we create that SQL Server role and we apply that role over these two nodes, and you don't have to think about it because they will have the same configuration. It makes it easier to manage when you have ten of those: you don't have to manage the individual instances anymore, you manage the role of them. And since the declaration is just some text files, it's probably like a PowerShell script, it's still text, or actually you don't need PowerShell, it can be a YAML definition, because what's really important is the data that you provide to those things, and some of the logic will be in the composites obviously. But since it's just text we can, and we should, we must, put that into source control, and then we benefit from the collaboration around source control. So we put it into Git, and then we can all collaborate on that data, and we have traceability of the changes, and we have auditing and accountability. So by applying the right workflow, once it's in Git, we can improve the collaboration; we're able to self-service. The one who wants to make a small modification, let's say changing a path, doesn't need to be an expert in PowerShell; they can just change some data, especially if it's YAML or JSON or something. You just need to be tech-savvy enough to understand the format, and then you can just submit a pull request and say: hey, I would like to change this path because it should be there. And that helps people; first of all it's some kind of
self-service. It's not a nice GUI interface, so it's not for everyone, but that means it's easier to get people to directly submit the change, and you don't have to just put a ticket in and then someone will have to process the ticket along with everything else. If you just create a pull request, people can just approve when they're happy with your change, and it can just go straight to production after testing and things like this. So we can ensure expert control by enforcing code reviews. So let's say Michael wants to change the NTFS permissions on the folder and says, well, I want to change this, and I'm saying maybe I should be careful about this. So he's gonna say, yeah, I just want to change this folder, I think I should have permissions to access it; he will add himself into the group or the role or whatever definition I've created, and he's gonna say, I just want to add Michael to the share. And then I will see this request, I will see the difference between what he had before and what it is now, and I can approve it if I'm happy with it; I'm able to either approve, reject or comment. And then we can see that he requested it, he made the change, I accepted the change, so we have accountability: we know when it's done, we have the documentation of the pull request or the commits, and he can tell me in those details why he's been requesting this behaviour change. So we have much better control of what's going on; it's not Michael just RDP-ing into a machine and making the change and I don't know anything about it. So in terms of collaboration and documentation this is a much better experience, and by doing that we can encourage small changes as well. If you do this and you let people, even the smallest change can just be done by someone changing the path or changing a type or a name, and you can encourage small changes instead of trying to get everything in before a version is being released. So that's the concept of having
small batches instead of big batches of releases, of changes only happening every three weeks; you can do smaller, less risky changes to your system. And we can validate, and this is very important, we can validate each suggested change by testing in a way that gives us confidence in its release. You're probably using CI tools and automated testing, but if Michael makes that change I can validate that it's not gonna break any application before I even have a look at it; if it fails to build then I will probably not even look at it until he fixes it. So let's be clear: all of those improvements and benefits are not specific to configuration management, you can get them in other ways, but you want to be able to apply those to configuration management, and someone wrote a white paper about this. So Michael and Steven Murawski, they created the Release Pipeline Model. Get out of the way. So the Release Pipeline Model explained this, and this is not new; you wrote that in 2016, correct?

Yeah, yeah, I was just thinking about that the other day. Like, I spent a little more than a year travelling around the world a couple of times and presenting it, and having one spin on it, yeah, because in 2017.

And I'm always thinking about this, because that's the foundation of many other things that I'm gonna cover in a bit. But it's been written four years ago, which seems like an eternity, you know, from an IT perspective, but if you do systems configuration you will certainly need to go through these to improve your automation maturity, and really I recommend you to read the white paper. If you're not managing OSes anymore, if you are already on cloud services, containers, Kubernetes, you will notice that the management of those services is an evolution from this; it's coming from the same principles, but there might be some slightly different approaches, like GitOps may have a slightly newer spin, I would say, in the way they're doing this, but it's very much the same principle. So if
you learn this now, which I really recommend, or maybe you've done it already, then you can transfer this into other types of systems and other architectures; it's still a very solid concept. So what happened to DSC? And some people, when they ask the question, is DSC dead? Well, do we ask the same question, like, is Windows dead? Are people using physical servers? You know, we've got the cloud, so I suspect everything's dead, like the data centers have closed down because of the cloud. I don't think that's really happening. I would say that the key element is: if you have long-living nodes and you want a relatively low admin-to-server ratio, you don't want to have one sysadmin hugging every server, then you probably need some configuration management. You've got different approaches to configuration management, but you probably want something. So if you're still managing long-living nodes and you think you will most likely do it for the next, I don't know, five years, ten years, then this approach, this is what configuration management is about, this approach is very relevant to you, and the concepts you can still translate to the newer systems. There's many ways to do system automation and there's a spectrum of maturity: if you're just running scripts, well, it's better than RDP-ing into a machine and using the GUI to do something, but if you want to go further then you will try to have some configuration management, and this model has been tested. And then if you go slightly further you will probably have container management, and then you get into Kubernetes. So if you manage servers you should probably get into this configuration management model; it's a more mature approach than just scripting, as an example, so you can scale up a bit more, it's easier for you to scale up, it's easier for you to access the cloud. It's not a lift and shift; you actually reverse engineer to some extent what you already have and you translate that into your configuration, so you document
at the same time what you have, and you can use it, and it doesn't matter what tool you use: you can use Chef, Puppet, Salt, CFEngine, I'm probably missing a few, but it doesn't matter. Anyone who has some experience with any of those tools would say regardless of the tool you start with, you should start now; probably you should pick the one that you have the least friction to start with, whether it's for cognitive reasons, for cost reasons, in-house expertise, technology, just, I believe, yes, that's what we're gonna help with. Most, if not all of them, actually all of them as far as I know, can leverage this and reuse the DSC technology; I will get into that in a bit more detail. So just keep your mind open: when you start going for any of those you're probably gonna learn a lot and you can improve your process, and you will probably want to try another one and change the one you're doing, and that's fine, because you will have improved the process. It's not about the tool, it's not damaged by the tool, it's a lot about the processes and the learnings you're doing, applying the right concepts, applying the Release Pipeline Model as an example. And so regardless, you should get into the research on the relative scales. So how does DSC relate to the other tools and solutions? Sadly we don't have time to dive into the merits of Chef, Puppet, Ansible to compare with DSC, but there's a myth with DSC that it exists only in two modes, push and pull, which was true before but changed since v5. So there's another way. And what are push and pull first? Push is when you go to the engine: this is the configuration you're looking for, make it so; it's a weird cross between Star Trek and Star Wars. And the pull mode is you're telling your node: hey, go get the new configuration on this server every 15 minutes, so if there's a new version, download and apply it, and otherwise just enforce the one you have if there's no new one. So that's the difference between the pull and the push, and
there's another way to do DSC, or to use DSC, which is Invoke-DscResource, and many are using it without even knowing it, and we'll get into this in detail, but the idea is you can still use DSC as the technology, using in fact DSC resources. So it's not an agent, it's not the LCM, the Local Configuration Manager, which is a Windows service; it's just a way to say hey, you've got a resource, use this resource to do something: Get, Set, Test. We'll get into that slightly more in a minute. So if you want to, let's go back a bit, so if you want to write your scripts, you've seen for ACLs, that's one of them, but if you want, say, to configure SQL Server, or if you want to install SharePoint and configure SharePoint, all of this is something you can automate yourself, and you'd probably love to do to some extent, but if you look at the DSC resources online they already provide a lot of features, so why would you rewrite this yourself? Maybe the DSC resources are ready to do what you want, and one of the differences, if you start from scratch now and you reinvent the wheel, is you will miss out on some of the things, and that's something I wanted to show you, which is the test coverage already for some of these resources. So you see on this one, this is SqlServerDsc, just some unit tests, and you can see that they have quite a few tests, and that justifies it. So if you go inside one of those unit tests and you scroll down you see there's a lot of tests already in there, so if you start writing now, to get to the same level of maturity and quality in your script you will have to spend a lot of time that people have spent over many years actually on this one, and people are maintaining that one. So that's why, make sure you look first at the DSC resource, and you consider the same for SharePointDsc, and you consider looking at the resources existing there, so you can see there's also many, many, many tests, and those tests actually run
against different versions of SharePoint as well, so there's a lot of things going on there and testing to make sure it works, and actually the maintainer here, Eric, is a PFE for Microsoft Germany, I believe, so you see it's also used by Microsoft employees to work. So now that we've seen that, let's have a look at how you can use this Invoke-DscResource with PowerShell 5.1, which you probably have everywhere, well, if you don't have anything lower than that. And we're gonna use the same use case, which is file system access rules, to manage the ACL. I'm gonna show you that demo. So here I want to show you what Invoke-DscResource looks like, but first of all I want to show you the resource. So this is the resource module, and I want to highlight that it's got three functions; every DSC resource follows the same format, the same pattern: you've got a Get, a Set and a Test, and you may have and use other functions, but in that case you always have to have Get, Set and Test. And we've seen that it's to manage the context, to manage what it's got, and then to test if we need to do any change, and then the Set to actually do the change. So I just wanted to review that. So this is the resource, but we don't need to edit it; I just wanted to show you how it looks. And this is the small script to consume that DSC resource in an imperative script. So like I would do in many other admin scripts, I just put my variables and my configuration data into those variables, then I make sure I create the right hashtable for my parameters, so then I can use splatting to splat to Invoke-DscResource. So I will run this first so you will see: this is just creating variables, there's no issue there, and then you have a way to say, well, I want to use that DSC resource, which I define by the name and the module name; so I want to use that resource, and I want to call the method Test, and I already set the properties there, which are here. So
I want to call the Test: is there, OK, am I compliant with this existing information I've set? So if I run this you will see that, similar to when we tried to apply the configuration, we have this issue, because if you remember I'm running as my normal account and I can't access the WMI service from this session, so I need to run this elevated. So the way of doing this is you just go to my, here, so that's for later, this is my PowerShell 5.1 tab, there we go. So I will do the same again, oh, I forgot to run both. So my module is already installed, I put my stuff in my variables, and now I can call functions; in this case I just want to run first the Test: is it compliant? And it returned True, and the reason for that is I've already run the configuration before. So I'm going to clean up my environment; I'm going to completely remove my TestACL for this demo. I don't really care about the configuration because I'm not using the configuration anymore; actually I will remove the configuration and the MOF file to make sure. So now I have an empty folder. So let's go back; then if I run this again you can see that it's not compliant, it's not in the desired state, and it's unable to evaluate the access rules because the path doesn't exist. In this implementation that I showed you here I am NOT managing my context, so that's something I will have to do again, and I could use the same principle and call the File DSC resource, but in this case I will just quickly create that folder. So let's go back here and I will just quickly create the folder which is missing, which is this one. So now I will run the same thing again, Invoke-DscResource, and it doesn't complain anymore, but it tells me it's not in the desired state, so I need to set the ACL, and for that I would just run this: if it's not compliant, sorry, if it's not in the desired state, then run the Set method, and it's the same parameter set, so you just give the same parameters. So it just could be
that the variables are already in my session when I run this you can see it's the same principle the LCM and this is the problem when you trying to run with your normal user account and not you elevate it then the answer you can't communicate with the LCM the service on Windows 5.1 and that is running these Tse resource and he tells you to reboot yes or no in that case you don't need to reboot so now if I run again my test it tells me it's in the desired state because we apply with a set method and this is how you could use DSC and the existing resources from the gallery to apply it and this way works and you have to really leave a tit when you run in and when you're ready in parish to the 5.1 we will see it works later for partial seven so as you've seen and this is a way to use the DC resources within your within your imperative code so within your script you can reuse some part to the eternities resource in that case if then you can invoke the test first to see if you want to make the change on then using the set method other than TAC resource to enforce on to add what you need so you don't have to rewrite all the Canton's you say hey this is the resource I want and this is what I want to set and then it's easier for you to just have to manage the parameters to it which is the invoke this uses parameter so invoke DAC resources therefore you the benefit of of this dysfunction is that you can leverage all the resources already in the gallery and if you're not ready to make the jump to proper I would say to full configuration management a solution it's much easier for you to use this inside the scripts while not trying to reinvent the wheel you've seen there's some downsides and some of the downside is you need to set up in a room you need to make sure you have access to EMI and a few things like this and so you need to have some privilege to be able to run and that is in 5.1 the way it works in fashion 7 we can achieve in a bit is different and you don't need that 
The caveat is you're missing the RunAs, because it's going to run in your session, in your PowerShell 7 session, so you will have to make sure that session is running as the right user; it's not going to be doing it for you. But at the same time troubleshooting is going to be easy; okay, it's going to be your decision. And if you are using Chef, Puppet, Ansible, those tools actually are using underneath Invoke-DscResource most likely, at least... Chef has the dsc_resource resource, Puppet has the DSC and DSC lite modules, Ansible, they've got a blog post about it, and the win_dsc module, so all of those exist and you can consume directly the DSC resources that exist from those configuration management tools. So feel free to just mix and match, whatever works for you, and you can write your own resources and then use them as well with Chef, Puppet and so on and so on. So even if you're using those configuration management tools you can still have a DSC synergy. So think about it: if you're not using any configuration management tool and you're just doing scripts you can still use the DSC resources as technology, so keep an eye on it.

And now we're going to see how it works in PowerShell 7 and I'm going to demo it. So we've seen how to do this with PowerShell 5.1; we've seen with the current user account that it doesn't work; it's not a matter of the permissions of the folder, the problem is accessing the LCM service, which is the service running as SYSTEM on the local machine. So if I clean up this environment, so I still have this, I will remove my TestAcl folder, and again I only care about the Invoke-DscResource. So what I will do is I will still create my TestAcl folder, so I've got the same state as it was before: I just created a brand new folder, I know I need to set the ACL, and if you remember this session is as my user account in PowerShell 5.1. So I still want to use my... I want to try in PowerShell 7, so I haven't updated to 7.0.0 and I just have this version, and it tells me you have a new version that you should be updating to, so I will do a choco update for PowerShell in a bit; for the moment I just need that one, the preview actually has the same behavior. So let me go back to my folder, yes, I see, and then simply just go to... I'm not in my folder that I just recreated, oops, PSVersionTable, here we go, thank you predictive typing. And so I've got this version 7.0 but it's still not running as admin.

So what will happen if I try to do this? So again I will run this to put the data, the configuration data, into my variables, this one, and then I just want to test first, make sure is it in the desired state or not. So I will run the Test, and if you remember when we did that in 5.1 it wasn't working, and in this case it actually just... is it an issue with VS Code for the display? Let's try it just again. Yeah, it doesn't say anything now. Okay, let's do -Verbose just to get more text, and here we are: it tells me InDesiredState False, which is what I expected, but that means it works even if I'm not running as an admin account. So from there I can run the same thing I did before; because it's not set, the first test will be true and then it will run the Set method. So let's run this, and again I've got this output, reboot required. So if I try to run now the Test method it will return... did I say it would return? Yeah, is it in desired state: True. So as you can see there's a slight bug in the display; I'm not too sure if it's coming from VS Code or from Invoke-DscResource in that case, but that's a different thing, a little hiccup. So you've got PowerShell Invoke-DscResource; as you can see, exactly the same code worked with PowerShell 5.1 and PowerShell 7.0, and so you can keep consuming. So there's a bit of caveats with this, and the first one is you need to make sure
the resource that you're using is actually working with PowerShell 7; that's the first thing, and that's the same thing when you try to script: when you write in PowerShell 5 you need to make sure that script will work in PowerShell 7. One of the reasons for that, and ACL is a very good example, is that the API that is used in .NET is not the same as the API in .NET Core. When you use Get-Acl and Set-Acl it's actually the same thing, well, it works, it behaves the same way, but the underlying APIs are probably different; in this case there are differences I'm not going to go into. So that's one of the things. And you're not running anymore as SYSTEM, because it's not running through the service, it's running in your current session, so it depends on your session, and that means in DSC there's a property which is PsDscRunAsCredential, that one: when you want to set another set of credentials to run a specific DSC resource you can do that, you can see the first one, PsDscRunAsCredential, but that one, when you do an Invoke-DscResource, because you're not going through the service, is not going to work, so it's going to throw an exception. I just wanted to mention that. And the latest is, if you're running Invoke-DscResource in 7, it's still experimental, so in this case here you have to enable it, you can see it's Enable-ExperimentalFeature -Name PSDesiredStateConfiguration.InvokeDscResource. So it's still experimental because there are a few limitations that we know about and there are also a few bugs on Linux, which is something that the team is aware of; you just have to tell Michael, Michael is always listening to feedback, so yes, voice what you want.

So am I saying you need to use third party? No, not at all, I'm saying actually the choice is yours, and that mainly covers the ones that people must know about, I would say. But if you are on Azure you still have Azure Automation State Configuration if you think you want to. Now, if you want to do the auditing first, then Azure Policy guest configuration, that Michael is going to present shortly after, is a very good candidate to do that. And if you're on-prem and you say well we're not allowed to do any cloud, that still happens in some organizations, I have personally used DSC with version 5.1 successfully for several years. It doesn't have a pretty GUI dashboard; at the beginning it's maybe a bit harder to get started, but Raimund Andrée and Jan-Hendrik Peters, two Microsoft PFEs, have developed an extended, like a great workshop, around the way we were using DSC, and they were using it with their customers as well, and that was inspired by what Chef and Puppet and some others are doing, and I will share the links maybe later. Anyway, actually it's there, it's dsccommunity/DscWorkshop, this workshop on GitHub, and you've got all the links and information about this workshop.

So is DSC dead? No, DSC is not dead. The concepts are still very much relevant; DSC, the DSC DSL, the code construct, they're still used by services and third parties, as VMware is investing into their vSphere DSC resources. PowerShell 7 Invoke-DscResource, an experimental feature, is there for you to use and try, and if you have feedback give it to Joey or give it to Michael. And you have lots of interesting DSC resources there, ready to use, in 5.1 at least, and if you want to reuse them in 7 just make sure they work and give feedback to the maintainers as well. And there's a strong community; we're going to present the community in a bit, but you can access them on Slack, the PowerShell Slack, on the DSC channel.

So what is that community I'm talking about, what does that mean? Well, when it started, a long long time ago, when DSC was released, yes that was 2013, so DSC was released with Windows 2012 R2, and when DSC was
released, that's correct, right? Yeah, and we were publishing the community resources; technically yes, at that time the PowerShell Gallery didn't exist, yeah I was there, and GitHub I don't think existed at the time. But when we started, the DSC resources were not open-sourced, but they were created by the PowerShell team because the PowerShell team wanted people to have something to use directly with DSC, so then they can see the benefits of doing configuration management; because at the same time if you give them just a framework like the DSC feature but no resource to work with, the learning curve would be very steep. So they said well, we need to write some resources so people can start doing configurations of their Windows boxes. So this is why the PowerShell team started writing the resources, and they published them on the 26th of December 2013, and as I said that was not even published to the Gallery; that was by waves, so I think it was every month, yeah, yes, every month there was a new wave being released for the original resource kit. And so in April 2015 the resource kit moved to GitHub finally, probably because it was getting traction, so that means all these resources were open-sourced and many people started contributing to those resources. And in June 2016 Katie started to own the DSC Resource Kit and community for the PowerShell team; she's been in charge of the current DSC community calls, the DSC Resource Kit and so forth, so the community was growing behind Microsoft and leading behind Katie.

So here's a quick hello from Katie with a video: Hi everyone, my name is Katie Kragenbrink, previously Katie Keim, also known as kwirkykat on GitHub. I work on the guest configuration team, previously the DSC team, at Microsoft. I started working on the DSC Resource Kit in about early to mid 2016 and then I administered the entire DSC Resource Kit until about August of last year, when the community took over. It's been a long journey with the resource kit, answering lots of questions, figuring out how to test all of the resources, bringing on board a lot of new maintainers, but it's been an absolute joy to see the resource kit and the community grow, and I might not be as involved as I once was with the resource kit, but I hope to still be a channel between the DSC community and the engineering team at Microsoft.

So after the resources were open-sourced the contributions increased and the community matured, so the DSC community calls were working well; some important questions were solved, I would say, during the calls, like changing the naming convention, which was a big one, because it started, you know, with the x prefix for experimental, c for community, and so on for the resources, so that was not working, and during community calls they discussed the matter and they found a solution: okay, let's change it and just add the suffix Dsc to the resource module, you know, you've got SqlServerDsc. And also, before that, they worked on the High Quality Resource Module, the HQRM, and the policy, I would say our standard, to reach with the DSC resource modules, to get the best quality out of the modules for people to use. And so one of the top contributors, being there quite early, Daniel from New Zealand, and he's still very involved; he was one of the contributors external to Microsoft and since then he's joined the mothership as a cloud solution architect.

Here's Daniel saying hi: Hi, I'm Daniel Scott-Raynsford. My first commit to the DSC Resource Kit happened around September 2015; sometime in 2016 I was made a community maintainer for xNetworking and then continued to pick up maintainer duties across several others. I also started creating and sharing my own DSC community resources, which I ended up transferring over to the DSC community later. I currently maintain xPSDesiredStateConfiguration, CertificateDsc, StorageDsc and ComputerManagementDsc as well as several others. I'm also a DSC community committee member. My current contribution
areas are in reviewing pull requests, answering questions, addressing issues and adding new resource modules. I maintain... I try to contribute to the shared DSC community tooling whenever time permits. You can reach me by at-mentioning me in a GitHub issue, you can contact me via DM on the PowerShell Slack, or through Twitter. I'm really looking forward to continuing to support the community however I can.

And in 2018, well, the configuration team separated from the PowerShell team, and the configuration team was working on guest configuration, so this started in 2018, I think slightly before 2018, and they had some difficulty reviewing all the contributions from the community and they were falling a bit behind on the pull requests and the issues, so they contracted Johan, one of the top contributors of the DSC Resource Kit at the time, to help with ensuring quality and making sure the DSC resource kit was pushing forward.

So here's Johan saying hi: Hi, my name is Johan Ljunggren. In the beginning of 2016 I submitted my first commit to the DSC community; at the end of 2016 I was asked if I wanted to be a maintainer for one of the repositories, and from there continued. I'm currently the maintainer of the repositories SqlServerDsc and xFailOverCluster. I am also a committee member of the DSC community. My contributions to the DSC community are helping users and contributors, making resources, tooling and documentation better. I also help review pull requests submitted by contributors throughout the DSC community repositories. To reach me you can tag me in a GitHub comment, you can also reach me through Slack or Twitter. I will see you around the community.

And about a year ago, seeing that the configuration team was falling behind the community contributions, and when Johan and Daniel were tied up with a full-time job, they contracted me. I was not a contributor of the DSC Resource Kit but I was active in the DSC community in other ways, mostly I was available, and the question was about solving the problem once a problem was raised, and making sure Microsoft wasn't the bottleneck when the community needs fixes and features. So we all agreed on an idea, which is making the DSC community more independent while keeping a high bar for quality and security. And the maintainers we trusted, that was not a problem, but the PowerShell GitHub organization limited the ways we could delegate some of the permissions to non-Microsoft employees, and the way the resources were released didn't really fit, so we had to change the way we release to be a bit faster, so we had to automate a bit more of it. And all of this was discussed with maintainers, and we started to channel all of this and transfer all the repositories, the ownership of the packages in the Gallery, and it's now under the DSC community. And what we created is, we started to create a website and we're getting a bit more content into it, which is good, and then creating the dsccommunity GitHub organization, and we appointed those people that you've seen as a committee, the DSC community committee, the board if you want, to manage it. So the idea is, if we are a small team we can make clear decisions and it's easier for us to communicate between Microsoft and the rest of the community, and everything we do and we decide is discussed in the meetings, the DSC community calls, which are open to anyone, and we also use the GitHub issues to have some votes, you know, thumbs up, thumbs down, and we talk a lot on the DSC channel on the PowerShell Slack. If you want to find out about what's going on, go and ask over there or just browse the website; we usually put all the information there. So we've been really busy actually the last year or so, and the maintainers have the permission to approve pull requests and they can also publish new versions, so we don't have to do it for them. So if today you raise a pull request on some module, the maintainer reviews it and approves it, it gets merged to the master branch, and then that will create a preview release that is going
straight to the Gallery: as soon as he's happy with it and the build passed and he says yeah, approve, merge, it goes to the Gallery as a pre-release, and then when he's happy that the pre-release seems to be solving all the problems, or if someone asks or if it's needed, you can just push a new tag to the master branch and that's going to create a full version release. So it's much quicker than just waiting for six weeks, and if you miss the gate then you need to wait for the next one.

So now let's ask Michael what's coming up. Hey, thank you, yep, awesome. So I just wanted to go through one of the things we've been working on and what you can expect to see next. I think part of the, like, people asking what's going on with DSC, is DSC dead, that kind of thing, is that really for the past couple of years a lot of our projects have been in a pretty specific Azure context. And so the first thing that we were tasked with, and this would have been about two months after we presented the last time in person at PSConfEU, we were kind of given the direction that at scale large enterprises are really struggling with understanding the state of their compliance. So is it possible, as you move to the cloud, to understand whether or not your machines meet your requirements? And that's not just security; people hear compliance and they immediately think like security scanners and that kind of stuff, but there's way more to it than that. Like you need to be able to verify that all of the agents that you would depend on are there, that the correct software is installed other than agents, and drivers and so forth, you know, specific ports are closed and things like that, making sure that certificates are in place and the correct people have access to the correct resources and all those types of things, in addition to security rules. And then of course many of those things roll up into regulatory standards that enterprises are required to benchmark against, so things like CIS and STIG and ISO and NIST, things like that.

So that was the genesis for a project called guest configuration. We had already been planning on sort of rebooting DSC into a new platform, all written in native code, so it'd be very small, very fast, and guest configuration is 100% live in Azure, so if you have VMs in Azure you can use Azure Policy to audit what's happening in those machines. We've got a whole bunch of capabilities for Windows; for Linux we actually use Chef InSpec, but for Windows everything is based on Desired State Configuration. So if you go through our documentation, just aka.ms/gcpol, guest configuration policy, you'll find how to use all of the built-ins, because many people were finding, especially in this space, they want like a no-code solution: they just turn it on and they can go audit and see the state of their machines. But we also support you creating your own custom audit policies, which is 100% Desired State Configuration end to end, so all of the nuances and things like that are all documented as well; if you scroll down under the how-to section of Azure Policy we can go to the aka.ms link for guest config custom.

And so to understand, like, the narrative of how guest configuration will be used, imagine that you're a central operations team; this is actually pretty common in large enterprises who are moving to the cloud, it's more than just the technical work of central operations, but like someone is responsible for handing out subscriptions to hundreds of developer teams and they basically have no control over what those teams are going to do after the subscription is given out. So Azure Policy was originally designed for things like: let's make sure that when we store data it stays within the physical regions of data centers based on, like, privacy rules we have to follow, or maybe like here's a project and we want to make sure that no machines in this project ever have public IP addresses because we don't want to have to worry about what ports are open,
closing things like that. So this extends that idea, where the idea is you might have requirements for things like: are the correct things being audited in Windows, or are user privileges restricted based on least privilege across your organization based on some internal policies that you have, or, speaking of policies, things like group policy and password policy, like are all machines, even if they're not domain-joined, handling things like you can't use any of your last 10 passwords, or you have to have a password length or complexity requirement. And as people start deploying more and more machines that are not domain-joined it becomes harder and harder to keep track of that. So the idea is the operations team can put this in place, you know, from the management group level, which would span all of those subscriptions in the enterprise, all the way through, you know, down to individual projects, and as the result of that assignment, as you see here, you get feedback across all these applications, and the application owners can go in and say like some of my machines look good, maybe I've got just a couple that I need to update some small settings on to be compliant with my organizational requirements. You may also have dev teams that have just, like, completely gone off on their own; like I said, even beyond security, where the things here, maybe they didn't install some software, or they didn't take the organizational trusted certificate and add that to Trusted Roots on the machine, things like that; those are more operational requirements. Or you can look for things like, we've had some really interesting customer requests that we've met, like can you identify machines that have not been rebooted in more than an input-parameter number of days. In that case specifically they were looking for rogue machines, because they hadn't been patched, no one's been working on them, they hadn't updated, they'd just been running for like three months and they're potentially a security vulnerability. So that could show up as a red X coming from one of those project teams, just as well as something like a security vulnerability.

And so a lot of customers have been asking me: it's great that you're doing this work in Azure and it's good that you're, like, pushing DSC forward, but that is very specific to machines that are hosted in Azure, and you know we might have machines that are in our own data centers or in a colo or in AWS or in Google, and how do I take advantage of the work you're doing on DSC if I am not hosting my server in an Azure data center? And so for the last year we have been working, our team has been working, as a piece of the Azure Arc team to try to address this concern. And Arc is actually, I'm standing in front of the text, but it's actually like a suite of services that expands across data services, container platforms, but the specific scenario that we're most interested in here is Arc for servers. And this is the idea, this is unlike anything else that I know of, this is the idea that whenever people deploy servers into the cloud they have these nice, clean, like, machines go into subscriptions and then resource groups, or they have metadata tags to say who's the owner or what project is it in, things like that, and when you compare, like, that's really easy and everything can be controlled via the API in the cloud. But whenever I deploy in my data center I might be running on physical machines or Hyper-V or VMware, and it can be very difficult to track down who owns what, and to understand even what services each server is using to manage it; you know, if you're looking across something like a spreadsheet where you've looked across a network scan to try to figure out, based on, you know, node name and things like that, what you actually have as an inventory, it's very complicated, very difficult to do. So that's one of the problems that we're trying to solve, and the idea behind Arc
is what we call projection. So in a projection scenario you project that those nodes exist into Azure as a record. So the machine isn't moving to Azure, and no information, like the disk on the machine, is moving to Azure; it's just creating a record that's saying this machine exists, it has a heartbeat to show that it's continually checking in, and I think we collect like the IP address and the name, something like that, so that you can verify that it is what it says it is. And it also provides some interesting capabilities, like inside the machine there's a local REST endpoint, so that from inside the machine you can see what all Azure knows about it: you can see its tags, you can see, you know, that the record is in a resource group, you can get an authentication token if it has an identity. So it's a pretty well integrated solution.

But we are just about to introduce some capabilities, and I don't mind saying "just about", so we're getting pretty close now; in fact by the time this recording goes live it might already be available, where we bring the concept of machine extensions to Arc as well, just like what we have in Azure, so a handful of the extensions will go to preview first, and DSC is one of those. So the same way that if you are in Azure you can actually deploy a machine and just assign a DSC configuration to it as it's being deployed, that gets run as it's being installed, the same will be true for these Arc machines. So for people who are using Windows Pull Server, and we made the announcement through blog posts that we don't have any plans to further invest in the pull server functionality that we shipped in Server 2019, and so in Server 2019 we added some features and then we were just super transparent, like we don't have plans to invest any further in Windows Pull Server at this time, but it's supported for the next 10 years with the Server 2019 release; it becomes part of Windows, which we have no plans to do in every release of Windows, it just becomes supported for 10 years more. But with the DSC extension you can just take your configuration, take your modules, put them in a zip file that's anywhere that machine can reach, and then just onboard the machine into Arc, or put that in your image as the machine is being deployed, and then from a simple API call you can deploy DSC configurations across machines outside of Azure. And when I say outside of Azure that includes other clouds, like these machines could be at AWS, at the Google cloud, they could be in a colo somewhere locally within your geography, it could be a Rackspace unit, anything, any place where you can put a machine where, over an HTTP proxy, it can reach a private network or public endpoints for one of the Azure locations.

So here's a screenshot of what it would look like; if you've seen the Azure portal before, you'll see that there are some machines here with the blue icons; these are actually machines, so they are running in Azure and those are hosted in a Microsoft data center. But then if we look up further we should see these purple icons, this is getting kind of cheesy like a weatherman presentation, so those are machines that are running outside of Azure, and they can be anywhere, just like I said, and since they have properties like tags that we can use to identify them, that's a screenshot, now we can do things like Azure Policy to those as well. So if you want to keep track of machines that need rebooting, that require certificates that are missing, you know, who's in the administrators group, what software is installed, things like that, you can actually get a complete picture of that and use all of the same management tools that you can use in the cloud across your data center. And that's not going to require you to host anything within your environment; you just connect a machine into Azure and you can use the services from there. And then finally, since many of you have seen things like Azure Automation before, these become even that much easier to use.
So we've thought about Azure Automation Desired State Configuration in the past as being something that could be used where, you know, like the onboarding experience was basically here's a script that will help you configure your Local Configuration Manager to talk to the service in the cloud, and it was a very light do-it-yourself kind of approach to registration. Now all you have to do is take that Arc agent, and I would just put it in the image you're using to deploy machines; the machines get deployed, they just start showing up as resources, and now everything is just an API call. So you've got all kinds of flexibility and choices here: if you want to actually use Azure Automation to deliver and maintain the state of a machine over time, even if it's running in AWS, Google cloud, or within VMware or Hyper-V in your local data center, it's still just one API call. You could use the PowerShell cmdlets, keep it easy, use the portal, you can use the CLI, like whatever you want to use, to deploy an ARM template, just a JSON file that says deploy this extension for this machine; any way that you can do an ARM deployment, you could deploy an ARM template that includes, map these extensions to my machines by conditions, and you can onboard from there. And that includes other services that are Azure operations, so as an example within Azure Automation there's a patch management hosted solution where you can just, from a browser, completely manage the patch status of all your machines; that depends on the Microsoft Monitoring Agent, which is another solution that we're enabling for Arc, so the extension story starts to become pretty comprehensive. And finally there is another service that I don't think we presented for PSConfEU before, which is that you can take inventory of your machines and you can track how that inventory changes over time. So if you're really looking at configuration management as a comprehensive solution, and more than just config as code, now you can use your config-as-code skill sets, build ARM templates that would go in, and once the ARM, Azure Resource Manager, which is the API for Azure, sorry, I need to use an abbreviation there, then you can just do deployments, onboard no matter where they are, and take advantage of these services and management tools without having to host anything within your data center and have that additional server expense.

Thank you, Michael. So we have a few questions around this. So you're saying that from any VM I can get this VM to be managed through Azure, even if they're running on my desk? Yeah, yeah, and I'd like to really point out this year people have been concerned about DSC and the new features of DSC being used only in Azure, and as Arc moves towards GA, and as we go through public preview of being able to use extensions, you'll really have new options for using DSC outside of Azure, and that includes a DSC extension as a way of just delivering configurations as you would with pull server, Azure Automation for things like really advanced reporting, and then the DSC v2 platform as part of Azure Policy to do audit at scale. And we have a lot of plans in this area; I don't want to go too far and make promises, but there's a lot of things we're looking at based on customer feedback where they feel blocked, where, you know, for one reason or another they could never move a server out of their data center, you know, basically just prioritizing based on how customers feel blocked. So, in that context, you said guest configuration; there's some similarities, can you expand a bit on how the two relate? Because that's probably not... the way we look at this is, even with these tools, you know, like for guest configuration we didn't want to build a new platform that would have the potential of having a conflict with the Desired State Configuration that shipped in Windows PowerShell. So what we do is take a new engine that
provides the same type of functionality as local configuration manager in Windows and we load that as an extension on the machine we actually take an instance of powershell core and we side load that from the machine under c program data and then we take for instead of having to worry about things like partial configurations or composite resource nesting and compiling a big huge compared configuration we actually took customer feedback and for each configuration it's a socket which in this case is like different audit policies because right now we're still in auto mode if each of those gets loaded into a separate subfolder and so the moth and each of the powershell modules that are required to support that all are siloed into an individual folder and then images manage each configuration independently so that's so for now it's on it so it's like if you're auditing ten things or 30 things that's 30 different configurations and we're doing that pretty rarely at the scale of millions of nodes and we're working through like the performance where we have to live under extremely tight performance requirements like we are not allowed to have impact on these machines as far as impacting the workload so I can take all that into account step into our design so that's why you know it takes a lot of time to figure out how to do things like 30 or 40 or 50 configurations and handling them on the same machine so it's pretty fascinating how we could definitely do a full hour just on like the intro or piece of guest configuration and so this is something we're working diligently on we've got a lot that we're doing in the next semester for guest config as well and we think we we think about DSC as the language abstraction that we have taken a hard dependency on so we don't have any so they live that I was about to ask are you saying like you gas configuration package it's actually an artifact that you compile things together so you said this contains a month so you how do you create 
that month it's all DSC so the authoring process is 100 dependent on DSC so on my workstation I compile them off just using PowerShell or automatic because now the powershell 7 compilation is working we can go into that as a whole nother hour but I just wanted to make a way that the process is very similar so what he what when people use DSC already in 5.1 what they're doing is they compiling artifacts and they're creating a mouth I'm decorating into packages that it's just zip files to some extent so I wanted to make clear that guest configuration just follows the same principle so you can still add your release pipeline model if you want unuse that with its configuration but something else I wanted you to clarify is probably the last bit and so you compelling the mouth that means you these people are familiar with DSC you have to provide the data for them or so you need to provide each information for each node do you in most cases so far for audits they've been more aligned to server role so things like if you want to emit a Clemente let me actually describe it this way we've been able to move the specialization to a different level of abstraction so with DSC and Windows PowerShell after you produce them off with stack right there's no changes to it what we do with the agents and guest configuration is let's say that you want to start using the administrators group and so you assign that to a scope of machines it could be based on you like where they're located in Amite and so now you say well maybe I want to audit sorry I want to check that who's in the administrators group is users Michael and Gail right and nobody else that's being provided by agile policy as part of the assignment that that's created when the agent takes on that assignments it takes that perimeter and it over writes that field of them on file so while the MA file itself is still static it's being overwritten on the fly with the parameter information coming from R so as we move on into more 
and more scenarios that's an example of something that we've added that was never possible with DSC before yeah thank you yeah you bet I believe so if people wants to find more information about about this well what should they follow and whether they should get yeah I'm sure we think at these links posted up but just to make a super super simple easy go through aka MS c.p oh that guest configuration policy GCP and then commenda we would be able to get back and we add something to those Doc's just about once a week like this is a solution that we're adding to you all the time and getting lots of customer feedback so even if you have looked at those Docs maybe six months ago it might be worth going and taking of their look now the fact we have more changes coming just over the next month and we hope that have you been more changes by ignite so those dots are getting that they pretty often I don't think so no philosophy on this so I like that's part of my job I've talked to lots of master customers all the time and you know I mentioned earlier like people are looking forward like no code solutions and maybe some of the more technical members of this audience have seen that as well within their own organizations that like more and more people or wanting something that they can just turn on and make a pain go away and when I first started seeing this I thought like oh this is a big change from what we were seeing whenever config is koper started like people must really be not wanting to like learn a new skill that turns out I was totally wrong about that after talking to more people I actually think what's happening is that everyone is completely overlapped so like everybody who's working in operations is like trying to learn as many new skill sets as possible they're trying to become multi-cloud they're trying to optimize private cloud they're learning as many scripting and automation and operational tooling skills as possible they're trying to figure out how to 
transition to becoming NS artery and so in the back of their mind probably at an unconscious level they're just looking for things like how do I take this off my plate and I think there's more than just CSC like no one said his is the CMD file concept or bat file and Windows is that dead right like we still use it it's still a skill set that we have and depend on we've not really thought about that as PCB is dead but I think this concept of like when people say is a dead there they're saying two things one they're communicating to us we haven't seen you release anything for a while or we don't like what you're releasing and so they're trying to in a pretty dramatic way let us know that and number two there's they're like to themselves thinking is this something that I don't have to like be like pulling on my brain trying to it's like one of the many things I have to keep up-to-date with right and they're just looking for is it possible so hopefully what we're going to be giving you you know more and more of is the ability to use these solutions that you can just turn on and you know make your life easy but we really want them to be extensible into any custom scenario and any custom requirements and for Windows desire state configuration is the language we depend on so from our perspective it's something we're investing in all the time thank you and I believe there would be a chat this weekend otherwise you can always find us on the parents like the AC channel even Michael is live every number so feel free to reach for us and if you have any questions as fast thank you very much to provide this
Info
Channel: PowerShell Conference EU
Views: 3,444
Rating: 4.8139534 out of 5
Keywords: PowerShell, Core, psconf.eu, psconfeu, keynote, Jeffrey, Snover
Id: hXS-rzs3Hak
Length: 86min 52sec (5212 seconds)
Published: Sun May 31 2020