My target machine is an Azure provisioned RHEL 7.2 system. I’m using an Azure Script Extension to install PowerShell DSC for Linux off a Server 2016 (WMF 5) Pull Server.
As my provisioned machine cannot access the internet, I’ve downloaded the omi and dsc rpm installers and placed them on an internal web server.
With Pull mode DSC, there is no requirement to open firewall ports. Note that using DSC Push would force me to re-enable the root account on the Azure system.
There are some points to note.
Self-Signed Certificates
I’ve had major problems trying to get Linux DSC to trust self-signed certificates. My webserver is using TLS so I know there is an encrypted tunnel. Without setting up a certificate authority (or purchasing a certificate), the easiest option was to disable certificate checks to prevent validation of the issuer.
#Ignore Certs (DSC does not support Self-Signed Certificates on Linux)
sed -i 's/^DoNotCheckCertificate.*/DoNotCheckCertificate=true/' /etc/opt/omi/conf/dsc/dsc.confInitial Registration
The element that initially configures the provisioned machine to use a pull server is shown below.
/opt/microsoft/dsc/Scripts/Register.py --ServerURL "https://buildserver.laurierhodes.info:8080/PSDSCPullServer.svc" --ConfigurationMode "ApplyOnly" --RefreshMode Pull --ConfigurationName f7ca0785-1231-43a1-b19c-c9476c5e5fea --RegistrationKey 10a5cfd8-3677-4f77-a436-db9890986b1aPowerShell DSC Pull mode now requires a registration key on the server. This is contained a text file created under “C:\Program Files\WindowsPowerShell\DscService” titled “RegistrationKeys.txt”. The key or secret you use for your environment will be contained within that file.
As different build sequences are created, they are stored on the pull server as different .mof files under the “C:\Program Files\WindowsPowerShell\DscService\Configuration” directory – each named as a guid. The configuration name I’m using matches a generic RHEL7 sequence I’ve created on the server.
RebootNodeIfNeeded
Modifying the default behaviour of allowing DSC to reboot the Linux machine has been particularly difficult from a Pull sequence. The setting is modified through configuring a MOF to change the desired property. This is applied with the command:
/opt/microsoft/dsc/Scripts/SetDscLocalConfigurationManager.py -configurationmof
This does not work when it’s a component within my pull sequence and you can’t use the pull sequence to invoke the process as only one DSC MOF can be active at a time. I can get around the problem by setting the property as part of the bootstrap process.
The "/opt/microsoft/dsc/Scripts/Register.py" script contains within it the default template that is applied to the linux builf.
By using a stream editor, I can change the default reboot behaviour of DSC when Register.py is initially called.
Complete Script
#!/bin/sh
#
# Enabled PowerShell DSC on RHEL 7 Linux
yum -y groupinstall 'Development Tools'
# Install dependencies
yum -y install pam-devel openssl-devel python python-devel libcurl-devel
mkdir /tmp/dsc
cd /tmp/dsc
#download from an internal server
curl -O http://buildserver.laurierhodes.info/linuxdsc/dsc-1.1.1-294.ssl_100.x64.rpm
curl -O http://buildserver.laurierhodes.info/linuxdsc/omi-1.1.0.ssl_100.x64.rpm
#or get from github wget
#https://github.com/Microsoft/omi/releases/download/v1.1.0-0/omi-1.1.0.ssl_100.x64.rpm
#https://github.com/Microsoft/PowerShell-DSC-for-Linux/releases/download/v1.1.1-294/dsc-1.1.1-294.ssl_100.x64.rpm
#Open Firewall
firewall-cmd --zone=public --permanent --add-port=5986/tcp sudo
firewall-cmd --reload
# Run rpm package manager for the OMI CIM server package
rpm -Uvh omi-1.1.0.ssl_100.x64.rpm
# Run rpm package manager for the DSC package
rpm -Uvh dsc-1.1.1-294.ssl_100.x64.rpm
#Ignore Certs (DSC does not support Self-Signed Certificates on Linux)
sed -i 's/^DoNotCheckCertificate.*/DoNotCheckCertificate=true/' /etc/opt/omi/conf/dsc/dsc.conf
#Change DSC Defaults with reboots
sed -i 's/.*RebootNodeIfNeeded = False.*/ RebootNodeIfNeeded = True;/' /opt/microsoft/dsc/Scripts/Register.py
#Configure the client
/opt/microsoft/dsc/Scripts/Register.py --ServerURL "https://buildserver.laurierhodes.info:8080/PSDSCPullServer.svc" --ConfigurationMode "ApplyOnly" --RefreshMode Pull --ConfigurationName 42666de9-1330-4370-bc1f-99f12285af84 --RegistrationKey e2a2b9c3-5e16-43c4-9fb6-c395ba5c0b5f
- Log in to post comments