您如何应用多个 DSC 配置? [英] How do you apply multiple DSC configurations?

问题描述

这是我的例子:

$Config = @{
    AllNodes = @(
        @{ NodeName = 'localhost'; PSDscAllowPlainTextPassword = $True }
    )
}

Configuration LocalAdmin
{
    Param([String[]]$Node='localhost',[PSCredential]$Cred)

    Import-DscResource -ModuleName 'PSDscResources'
    Node $Node
    {
        User 'LocalAdmin'
        {
            Username = 'Admin'
            Description = 'DSC configuration test'
            Ensure = 'Present'
            FullName = 'Administrator Extraordinaire'
            Password = $Cred
            PasswordChangeRequired = $False
            PasswordNeverExpires = $True
        }
        Group 'AddToAdmin'
        {
            GroupName = 'Administrators'
            DependsOn = '[User]LocalAdmin'
            Ensure = 'Present'
            MembersToInclude = 'Admin'
        }
    }
}
Configuration DisableLocalAccounts
{
    Param([String[]]$Node='localhost')

    Import-DscResource -ModuleName 'PSDscResources'
    Node $Node
    {
        User 'Administrator'
        {
            Username = 'Administrator'
            Disabled = $True
        }
        User 'Guest'
        {
            Username = 'Guest'
            Disabled = $True
        }
        User 'DefaultAccount'
        {
            Username = 'DefaultAccount'
            Disabled = $True
        }
    }
}


Set-Location $env:UserProfile
LocalAdmin -Cred (Get-Credential -UserName 'Admin') -ConfigurationData $Config
DisableLocalAccounts

Start-DscConfiguration -ComputerName 'localhost' -Wait -Force -Verbose -Path '.\LocalAdmin'
Start-DscConfiguration -ComputerName 'localhost' -Wait -Force -Verbose -Path '.\DisableLocalAccounts'

<小时>

问题:
当我运行 Get-DscConfiguration 时，它只显示我最后运行的任何配置的配置.

---

The issue:
When I run Get-DscConfiguration, it only shows the configuration of whichever configuration I ran last.

PS C:\> Get-DscConfiguration


ConfigurationName        : DisableLocalAccounts
DependsOn                :
ModuleName               : PSDscResources
ModuleVersion            : 2.8.0.0
PsDscRunAsCredential     :
ResourceId               : [User]Administrator
SourceInfo               :
Description              : Built-in account for administering the computer/domain
Disabled                 : True
Ensure                   : Present
FullName                 :
Password                 :
PasswordChangeNotAllowed : False
PasswordChangeRequired   :
PasswordNeverExpires     : True
UserName                 : Administrator
PSComputerName           :
CimClassName             : MSFT_UserResource

ConfigurationName        : DisableLocalAccounts
DependsOn                :
ModuleName               : PSDscResources
ModuleVersion            : 2.8.0.0
PsDscRunAsCredential     :
ResourceId               : [User]Guest
SourceInfo               :
Description              : Built-in account for guest access to the computer/domain
Disabled                 : True
Ensure                   : Present
FullName                 :
Password                 :
PasswordChangeNotAllowed : True
PasswordChangeRequired   :
PasswordNeverExpires     : True
UserName                 : Guest
PSComputerName           :
CimClassName             : MSFT_UserResource

ConfigurationName        : DisableLocalAccounts
DependsOn                :
ModuleName               : PSDscResources
ModuleVersion            : 2.8.0.0
PsDscRunAsCredential     :
ResourceId               : [User]DefaultAccount
SourceInfo               :
Description              : A user account managed by the system.
Disabled                 : True
Ensure                   : Present
FullName                 :
Password                 :
PasswordChangeNotAllowed : False
PasswordChangeRequired   :
PasswordNeverExpires     : True
UserName                 : DefaultAccount
PSComputerName           :
CimClassName             : MSFT_UserResource

如何应用多个配置?我找不到这方面的文档.

How do I apply multiple configurations? I cannot find documentation on this.

推荐答案

你不会在文档中找到这个，因为你(基本上)不能这样做.

You won't find this in the documentation because you (basically) can't do that.

我说基本上是因为从某种意义上说，您可以使用 DSC 做到这一点部分配置.

I say basically, because you can do it, in a sense, with DSC Partial Configurations.

不过，这些需要不同的工作流程和不同的本地配置管理器 (LCM) 设置.它们不像您想象的那样工作，您可以创建多个配置，然后一个接一个地应用它们.

These require a different workflow and a different Local Configuration Manager (LCM) setup though. They do not work the way you are envisioning where you create multiple configurations and then apply them one after the other.

这是设计使然；你想要做的并不是 DSC 的真正用途.这个想法是你应该提供你正在配置的节点的(期望的)状态.应用多个配置很容易导致应用冲突的设置.

This is by design; what you're trying to do isn't really what DSC is for. The idea is that you are supposed to be supplying the (desired) state of the node you're configuring. Applying multiple configurations could easily cause conflicting settings to be applied.

即使有分音，LCM 也会生成单个配置(解析您的分音)，然后一次性应用所有配置.

Even with partials, the LCM is generating a single configuration (resolving your partials) and then applying that all at once.

DSC 对工具的了解很少.关于您最终如何生成配置或处理常见数据、角色等，实际上并没有太多可说的.因此，您在很大程度上已经不得不自己动手了.

DSC is light on tooling. It doesn't really have much to say about how you ultimately generate your configs or handle common data, roles, etc. So you already have to roll your own for the most part.

应用多个单独的配置可能是您在自己的工作流程中应该注意的事情，最终导致每个节点编译您的(单个)MOF.

Applying multiple separate configurations is probably something you should be taking care of in your own workflow, leading up to ultimately compiling your (single) MOF per node.

我能想到的两个用例适合使用 Partials.

There are 2 use cases I can think of where it would be appropriate to use Partials.

首先(这主要是 Microsoft 考虑到他们的角色)适用于更大和更隔离的组织，在这些组织中，不同的团队对其知识领域负有唯一责任和所有权，并且您希望这些团队能够编写和控制自己的配置.

First (and this is primarily the role for them Microsoft had in mind) is for larger and more segregated organizations, where different teams have sole responsibility and ownership for their knowledge domain, and you want those teams to be able to write and control their own configurations.

例如，操作系统团队可能会为各种基本的操作系统配置项(设置时区/NTP、许可证设置)编写配置，并且他们可能会设置 LCM 设置以从其余部分中提取.

So for example, the OS team might write the configuration for various basic OS config items (setting time zone/NTP, license settings), and maybe they set the LCM setup to pull from the rest.

DBA 团队编写用于安装和配置 SQL 服务器的配置.

The DBA team writes a configuration for installing and configuring SQL server.

安全团队编写用于设置密码策略、防火墙规则和强制执行等的配置.

The security team writes a configuration for setting password policies, firewall rules and enforcement, etc.

这些团队有自己的程序、规则和自主权.他们可能有自己的拉取服务器来发布这些内容.

These teams have their own procedures and rules and autonomy. They may have their own pull server where they publish these.

通常与第一个用例相关的第二个用例是当您有多个拉取服务器，或者您想要合并推送和拉取时.我相信这只能通过部分实现.

The second use case, which is often related to the first, is when you have multiple pull servers, or you want to combine push and pull. I believe that's only possible with partials.

请注意，Windows PowerShell 不太可能再更新.PowerShell Core(基于 .Net Core，可在 Windows、Linux 和 MacOS 上运行)是目前大多数 PowerShell 开发的方向.

Do note that Windows PowerShell is unlikely to be updated anymore. PowerShell Core (which is based on .Net Core and runs on Windows, Linux, and MacOS) is where the majority of PowerShell development is going at this time.

这样，DSC 将发生变化并且获得一个全新的版本，可以更好地跨平台.

如果您要编写大量工具和工作流代码来支持 DSC，请记住一些事情.

Just something to keep in mind if you're going down the path of writing a lot of tooling and workflow code to support DSC.

这篇关于您如何应用多个 DSC 配置?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！