
How to undo a PowerShell Desired State Configuration (DSC)


I saw a post on this on Stackexchange.com (link) asking about how you could undo/remove a configuration. I understand the question and logic behind it. I would love for DSC to have this functionality, however this is not how it works today. Perhaps some day in the future, however I would not bet on it. If you read this post, it will make perfect sense.


The life of a Desired State Configuration (DSC)

A configuration item/resource in DSC has two states it cares about: Ensure equals PRESENT or ABSENT. The state of the item and/or node (the target of the configuration) before the configuration is applied is not "stored" anywhere. It is simply how the node happened to be configured before the configuration was committed on the node.

Furthermore, anyone who has access to the node may install/configure features that you are not aware of, unless you create a configuration that covers every possible combination of configuration state a node can have. That is not very practical, and very hard if not impossible. So if your configuration has a File resource that says Ensure = "Absent", DSC will delete this file if it is present, just as you instructed it to do. This represents a huge challenge in terms of undoing a configuration.

Scenario - Overwriting a configuration

Let's create a scenario: You have just created a new server/node/virtual machine that will host, say, a web application. You have prepared a configuration for it, or you have an existing configuration you want to apply. DSC will configure that node according to the configuration. All sweet and dandy.

Some time goes by and the node is needed for something else. You prepare a new configuration and apply it. DSC will again make it so and happily obey your wishes to the letter. What happened to the previous configuration? Did it disappear? Well, in a way. The configuration document (MOF file) still exists in a file called previous.mof. Can you guess the filename of the applied configuration? Yes, current.mof. However, whatever the first configuration set up is still in effect on the node, provided the new one did not overwrite the same "features" in some way. This is in essence the good, the bad and the ugly about DSC.

Options?

So what are our options for undoing the last DSC?
  1. Wait for a solution by Microsoft/3rd party
  2. Create your own solution
If anyone has another option, I would really like to hear about it.

Just a few words about option no. 2. You can do it the hard way and you can create a bag of tricks to help you obtain an undo-like solution. In a perfect world with perfect DSC resources (please disregard the Script resource, since it does not have an Ensure keyword), you could make an "inverse" configuration for all resources that have Ensure = "Present". Of course, as a PowerShell pro, you would script that: generate the perfect inverse of the running configuration and apply it before you apply a new configuration. It is not ideal, but it is a doable workaround.

This will not solve the Ensure = "Absent" problem. You would need backups to be able to restore those items (files/folders/registry), unless your configuration also includes a resource that backs up the item before it is deleted.

Another option would be to create a system that records a complete history of the DSC configurations that have been applied to a node. Remember those files I talked about earlier (current.mof and previous.mof)? They are the key to implementing a history. It would probably be easier to implement this at the PowerShell configuration level (the PowerShell configuration, not the MOF file). Before you run Start-DscConfiguration, you copy the content of the configuration and save it to your DSC adminTooling catalog. Even better if you use content management and versioning too. I would say it is almost impossible not to have that in some context anyway.
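One way to build the history described above, as an added example that is not code from the original post: a wrapper that archives the configuration script and the compiled MOF files, records a SHA-256 hash per node, and only then calls Start-DscConfiguration. The function names `Invoke-DscWithHistory` and `Get-DscHistory` and the archive path are hypothetical.

```powershell
# Added example: archive what is about to be applied, then apply it.
# Function names and the default archive path are hypothetical.
function Invoke-DscWithHistory {
    [CmdletBinding()]
    param(
        # Folder holding the compiled <node>.mof files
        [Parameter(Mandatory)] [string] $MofPath,
        # The .ps1 that defines the configuration; archived next to the MOFs
        [Parameter(Mandatory)] [string] $ConfigurationScript,
        [string] $ArchiveRoot = 'C:\DscAdminTooling\History'
    )

    $mofs = Get-ChildItem -Path $MofPath -Filter '*.mof'
    if (-not $mofs) { throw "No MOF files found in $MofPath" }

    # One folder per run, named with a sortable UTC timestamp
    $stamp  = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
    $target = Join-Path $ArchiveRoot $stamp
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Keep the readable source and the compiled documents together
    Copy-Item -Path $ConfigurationScript -Destination $target
    $mofs | Copy-Item -Destination $target

    # One index row per node, so the order of applied configurations
    # can be reconstructed later
    $index = Join-Path $ArchiveRoot 'history.csv'
    foreach ($mof in $mofs) {
        [pscustomobject]@{
            AppliedUtc = $stamp
            Node       = $mof.BaseName
            Sha256     = (Get-FileHash -Path $mof.FullName -Algorithm SHA256).Hash
            AppliedBy  = "$env:USERDOMAIN\$env:USERNAME"
            Archive    = $target
        } | Export-Csv -Path $index -Append -NoTypeInformation
    }

    Start-DscConfiguration -Path $MofPath -Wait -Verbose
}

# List what has been applied to a node, newest first
function Get-DscHistory {
    param([string] $Node = '*', [string] $ArchiveRoot = 'C:\DscAdminTooling\History')
    Import-Csv -Path (Join-Path $ArchiveRoot 'history.csv') |
        Where-Object { $_.Node -like $Node } |
        Sort-Object AppliedUtc -Descending
}
```

Compiled MOF files can contain credentials, so restrict the ACL on the archive folder to the administrators who are allowed to apply configurations.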

Clear current configuration

If you stumbled upon this post and just want to clear the current configuration (not undo it), that is very easy. Just remove the current.mof file in C:\Windows\system32\Configuration. Running Get-DscConfiguration will then return nothing (in essence $null in the world of PowerShell). Please note that this will not reset the configuration of the node in any way. It just tricks DSC into thinking that it does not have a current configuration.

Conclusion

You can UNDO a DSC, however it depends on the configurations that have been applied and what resources you have used. It is easy to clear the current configuration, even if that does not reset the state of the node.

Leave a comment or look me up on Twitter. Would love to hear your opinion.





Comments

  1. I think the notion of "undoing" DSC is sort of anathema to its purpose. It's really about setting the state of a server in DevOps kind of scenarios. If you look at it as a "traditional" config mgmt. solution, then it's the wrong solution. The typical lifecycle of a DSC target is...provision, take workload, destroy, provision, take workload, etc. So, undoing it is as simple as de-provisioning the VM.
