Skip to main content

How to undo an Powershell Desired State Configuration (DSC)


I saw a post on this on Stackexchange.com (link) asking about how you could undo/remove a configuration. I understand the question and logic behind it. I would love for DSC to have this functionally, however this is not how it works today. Perhaps some day in the future, however I would not bet on it. If you read this post, it will make perfect sense.


The life of an Desired State Configuration (DSC)

An configuration item/resource in DSC has to states it lives and cares about. Ensure equals PRESENT or ABSENT. The current state of the item and/or node (the target of the configuration) before the configuration is applied is not "stored" anywhere. It is just how the node is configured before the configuration is committed on the node.

Furthermore any individual who has access to the node, may install/configure features that you are not aware of. That is of course if you do not create a configuration consisting of all possible combinations of a configuration state a node can have. Not very practical and very hard if not impossible. So if your configuration have an file resource that says Ensure = "Absent", DSC will delete this file if present like you instructed it to do. This represent a huge challenge in terms of undoing a configuration.

Scenario - Overwriting a configuration

Let´s create a scenario: You have just created a new server/node/virtual machine that will host oh say an web application. You have prepared a configuration for it or you have an existing configuration you want to apply. DSC will configure that node according to the configuration. All sweet and dandy. 

Some time goes by and the node is needed for something else. You prepare a new configuration and apply it. DSC will again make it so and happily obey you wishes to the letter. What happened to the previous configuration? Did it disappeared? Well, in a way. The configuration document (MOF-file) still exists in a file called previous.mof. Can you guess the filename of the applied configuration? Yes, current.mof. However the configuration you applied first is in effect provided the new one did not overwrite the same "features" in some way. This is in essence the good, the bad and the ugly about DSC.

Options?

So what are our options for undoing the last DSC?
  1. Wait for a solution by Microsoft/3rd party
  2. Create you own solution
If anyone have another option, I would really like to hear about it. 

Just a few words about option no 2. You can do it the hard way and you can create a bag of tricks to help you obtain an undo like solution. In a perfect world with perfect DSC resources (please disregard the SCRIPT resource since it does not have an ENSURE keyword), you could make an "inverse" configuration for all resources that have ENSURE = "Present". Of course as an Powershell Pro, you would script that and apply the perfect inverse of the running configuration and apply it before you apply a new configuration. It is not ideal, however a doable workaround. 

This will not solve the Ensure = "Absent" problem. You would need backups to be able to restore those items (files/folders/registry), unless your configuration also include an resource to backup the item before it is deleted.   

Another option would be to create a system to record a complete history of the DSC that has been applied to a node. Remember those files I talked about earlier (current.mof and previous.mof), they are the key to implement a history. It would probably be easier to implement this at the powershell configuration level (the powershell configuration not the MOF file). Before you run Start-DSCconfiguration, you copy the content of the configuration and save it to you DSC adminTooling catalog. Even better if you use content management and versioning too. I would say it is almost impossible not to have that in some context anyway. 

Clear current configuration

If you stumbled upon this post and just want to clear the current configuration (not undo it). That is very easy. Just remove the current.mof file in C:\Windows\system32\Configuration. Running Get-DSCconfiguration will then return nothing (in essence $Null in the world of Powershell). Please note that this will not reset the configuration of the node in any way. It just tricks DSC into thinking that it does not have a current configuration.

Conclusion

You can UNDO an DSC, however it depends on the configurations that have been applied and what resources you have used. It is easy to clear a current configuration even if it do not reset the state of the node.

Leave a comment or look me up on Twitter. Would love to hear you opinion. 





Comments

  1. I think the notion of "undoing" DSC is sort of anathema to it's purpose. It's really about setting the state of a server in DevOps kind of scenarios. If you look at it as a "traditional" config mgmt. solution, then it's the wrong solution. The typical lifecycle of a DSC target is...provision, take workload, destroy, provision, take workload, etc. So, undoing it is as simple as de-provisioning the VM.

    ReplyDelete

Post a Comment

Popular posts from this blog

Serialize data with PowerShell

Currently I am working on a big new module. In this module, I need to persist data to disk and reprocess them at some point even if the module/PowerShell session was closed. I needed to serialize objects and save them to disk. It needed to be very efficient to be able to support a high volume of objects. Hence I decided to turn this serializer into a module called HashData. Other Serializing methods In PowerShell we have several possibilities to serialize objects. There are two cmdlets you can use which are built in: Export-CliXml ConvertTo-JSON Both are excellent options if you do not care about the size of the file. In my case I needed something lean and mean in terms of the size on disk for the serialized object. Lets do some tests to compare the different types: (Hashdata.Object.ps1) You might be curious why I do not use the Export-CliXML cmdlet and just use the [System.Management.Automation.PSSerializer]::Serialize static method. The static method will generate t

Toying with audio in powershell

Controlling mute/unmute and the volume on you computer with powershell. Add-Type -TypeDefinition @' using System.Runtime.InteropServices; [Guid("5CDF2C82-841E-4546-9722-0CF74078229A"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)] interface IAudioEndpointVolume { // f(), g(), ... are unused COM method slots. Define these if you care int f(); int g(); int h(); int i(); int SetMasterVolumeLevelScalar(float fLevel, System.Guid pguidEventContext); int j(); int GetMasterVolumeLevelScalar(out float pfLevel); int k(); int l(); int m(); int n(); int SetMute([MarshalAs(UnmanagedType.Bool)] bool bMute, System.Guid pguidEventContext); int GetMute(out bool pbMute); } [Guid("D666063F-1587-4E43-81F1-B948E807363F"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)] interface IMMDevice { int Activate(ref System.Guid id, int clsCtx, int activationParams, out IAudioEndpointVolume aev); } [Guid("A95664D2-9614-4F35-A746-DE8DB63617E6"), Inte

Creating Menus in Powershell

I have created another Powershell module. This time it is about Console Menus you can use to ease the usage for members of your oranization. It is available on GitHub and published to the PowershellGallery . It is called cliMenu. Puppies This is a Controller module. It uses Write-Host to create a Menu in the console. Some of you may recall that using Write-Host is bad practice. Controller scripts and modules are the exception to this rule. In addition with WMF5 Write-Host writes to the Information stream in Powershell, so it really does not matter anymore. Design goal I have seen to many crappy menus that is a mixture of controller script and business logic. It is in essence a wild west out there, hence my ultimate goal is to create something that makes it as easy as possible to create a menu and change the way it looks. Make it easy to build Menus and change them Make it as "declarative" as possible Menus The module supports multiple Men