Archive for December, 2015

1. Discovering that the last 2u space in the rack is actually blocked by a rogue power cable threaded through the rails.

2. Not being able to figure out how to remove the crusty old rails that the last engineer left behind. Resorting to brute force leaves a smear of blood behind on the rack where your hand got caught on the sharp edge of the rail.

3. Losing a chunk of a finger trying to remove an old metal screw mount left behind by the last engineer.

4. Trying to lift a 30kg server up and onto flimsy metal rails at around face height and not being able to get all the notches lined up and locked in.

5. Discovering you’ve put the server in upside down.

6. The cable management arm won’t fit because the rack has ultra wide PDU’s. Create a new gash on your hand while trying to pull the arm back off of the rail.

7. While running the network cables you discover you have only 1m or 10m Ethernet cables when you really need 3m.

8. Powering on the server only to discover that one phase from the UPS is at capacity and that it’s the one that feeds your rack.

9. Dropping one of the bolts as you are removing the server to relocate it and it drops down the side of the rack into that weird sill at the bottom of the rack you can only get to when there are no servers in the rack. Smear a bit more blood on the rack trying to fish it out.

10. Discovering that the physical memory capacity is no longer enough due to more and larger VM’s. Then having having to order and replace all the RAM in all your hosts. Again.

This is part of a series of posts on automating Windows and deploying systems in the real world of enterprise operations. I’ve focused the series on the those nuances and problems that I’ve hit trying to deploy the various software stacks found in a typical Windows centric enterprise.

At some point we will hit the need to use DSC resources in Chef recipes. The reality is the Chef cookbooks for Windows only go so far and most Microsoft products outside of Windows itself have no coverage at all. All the DSC resources available are now open source just like Chef cookbooks and are expanding all the time:

I suspect we will see more and more DSC resources come out of Microsoft’s product teams as well.

Chef DSC Resources

There are a couple of key requirements for computers to leverage DSC in Chef. Windows Managmement Framework 5 (Feb Preview or better) is needed for DSC to be available and Chef Client 12.5 or better is required to provide the two Chef resources that allow DSC resources to be consumed in cookbooks.

UPDATE: Chef Client 12.6 has just been released which removes the limitations below (see the changelog for full details, strangely the inclusion of the timeout attribute isn’t in the changelog but was included in the master branch). There is a requirement for a recent version of WMF 5 to be installed as Microsft relaxed the LCM requirements.

There are two Chef resources for using DSC with chef; dsc_script and dsc_resource. These are effectively mutually exclusive as they require the DSC Local Configuration Manager’s RefreshMode to be configured to Push (dsc_script) or Disabled (dsc_resource).

Currently the main limitation of dsc_resource is that this resource has a hard timeout of 10 minutes, thus its not useful for DSC resources like xSQLServerSetup that can run for some time. I’ve logged this issue with Chef in GitHub. It is also a closer analogue of other Chef resources than dsc_script is which makes writing declarations easy if you have prior Chef experience.

dsc_script is more flexible in terms of being able to use more of the DSC functionality, like being able to pass configuration data or use powershell code within the DSC definition. Downside is that it converts the declaration into a MOF file so securing credentials requires that you use the DSC method for encrypting strings. This involves having a certificate that supports encryption loaded on the computer and defining that certificate thumbprint in your Chef recipe. This leads to a bit of double handling where you should use Chef Vault to secure the credentials in the recipe but then have to effectively unencrypt and re-encrypt the secured string for DSC to embed into a MOF file.

Personally I prefer the dsc_resource approach as it’s clean and simple to use in a Chef recipe and I don’t have to deal with the re-encryption of secure strings (and all the troubleshooting pain it brings).

Getting Modules Installed

There are a few ways you can achieve this, you could bundle up the modules as zip files and distribute them within the a Chef cookbook or you can use the new package manager in WMF5..

The easy way – WMF5 Package Manager

By using the Chef resource “powershell_script” you can invoke the install-package cmdlet and use the get-package cmdlet as a guard. Note the use of the -force switch which will force the install even if the package repository is trusted. This isn’t good practice and a better way to do it is to  pre-define the trusted repositories and not use the -force switch.

powershell_script "install dsc module" do
  code 'install-package -name "xResourceModule" -force
  not_if 'if(get-package -name "xResourceModule"){$true}else{$false}


Some good references for Powershell’s package manager are below: