Besides SMB, PowerShell DSC Pull mode can also use HTTP or HTTPS. The two configurations are almost identical; HTTPS only needs one extra item, a certificate. The basic workflow is: configure the pull server, configure the node's LCM, configure the desired state, then push and test.
First, we need a web server certificate. I already have a PKI in the domain, so generating a certificate from IIS is very easy.
For the detailed steps see: http://beanxyz.blog.51cto.com/5570417/1331453
After generating the certificate and binding it in IIS, I need to get the certificate's thumbprint so I can write it into the configuration file.
As with SMB, I need to download and import the module.
Note the certificate thumbprint setting.
```powershell
configuration HTTPSPullServer
{
    # Modules must exist on target pull server
    Import-DSCResource -ModuleName xPSDesiredStateConfiguration

    Node sydit01
    {
        WindowsFeature DSCServiceFeature
        {
            Ensure = "Present"
            Name   = "DSC-Service"
        }

        WindowsFeature IISConsole
        {
            Ensure = "Present"
            Name   = "Web-Mgmt-Console"
        }

        xDscWebService PSDSCPullServer
        {
            Ensure                = "Present"
            EndpointName          = "PSDSCPullServer"
            Port                  = 8080
            PhysicalPath          = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
            CertificateThumbPrint = '56B5DC192DE9AB004AE6FB3C96F7C00684537028'
            ModulePath            = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
            ConfigurationPath     = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
            State                 = "Started"
            DependsOn             = "[WindowsFeature]DSCServiceFeature"
        }

        xDscWebService PSDSCComplianceServer
        {
            Ensure                = "Present"
            EndpointName          = "PSDSCComplianceServer"
            Port                  = 9080
            PhysicalPath          = "$env:SystemDrive\inetpub\wwwroot\PSDSCComplianceServer"
            CertificateThumbPrint = "AllowUnencryptedTraffic"
            State                 = "Started"
            IsComplianceServer    = $true
            DependsOn             = ("[WindowsFeature]DSCServiceFeature", "[xDSCWebService]PSDSCPullServer")
        }
    }
}

# Generate MOF
HTTPSPullServer -OutputPath C:\DSC\HTTPS
```
Generate the pull server's configuration file.
Push it to the designated HTTPS server.
After pushing, test whether it succeeded.
You can see it has been configured successfully.
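The push and the "did it work" check above were shown in screenshots. The following is an added example (not code from the original post) that does the same from the management machine and also verifies that the certificate IIS actually serves on port 8080 is the one whose thumbprint was written into `CertificateThumbPrint`; a mismatch there is what makes a node's `CertificateID` check fail later. The server name, FQDN and thumbprint are taken from the post; everything else is assumed.

```powershell
# Added example, not part of the original post.
# Assumed: sydit01 / sydit01.omnicom.com.au and the thumbprint are the values used in the post.
$PullServer     = 'sydit01'
$PullServerFqdn = 'sydit01.omnicom.com.au'
$Thumbprint     = '56B5DC192DE9AB004AE6FB3C96F7C00684537028'

# 1. Push the compiled MOF (C:\DSC\HTTPS\sydit01.mof) to the pull server and wait for it.
Start-DscConfiguration -Path C:\DSC\HTTPS -ComputerName $PullServer -Wait -Verbose -Force

# 2. Ask the pull server's own LCM whether the configuration is in the desired state.
Test-DscConfiguration -ComputerName $PullServer -Verbose

# 3. On the server, show which certificate the HTTP.sys binding for port 8080 really uses.
#    "Certificate Hash" in this output must equal $Thumbprint.
Invoke-Command -ComputerName $PullServer -ScriptBlock {
    netsh http show sslcert ipport=0.0.0.0:8080
}

# 4. From the client side, open a TLS session to the endpoint, read the certificate the server
#    presents and compare its thumbprint with the one the LCM configuration will pin.
$tcp = New-Object System.Net.Sockets.TcpClient($PullServerFqdn, 8080)
# The validation callback returns $true only so the certificate can be inspected here;
# the pin check below is the actual decision.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($PullServerFqdn)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose()
$tcp.Close()

if ($serverCert.Thumbprint -ne $Thumbprint) {
    throw "Pull server presented $($serverCert.Thumbprint), expected $Thumbprint"
}
"Pull server certificate OK: $($serverCert.Subject), expires $($serverCert.NotAfter)"

# 5. Finally confirm the OData endpoint answers over HTTPS (the domain PKI must be trusted here).
Invoke-WebRequest -Uri "https://$PullServerFqdn:8080/PSDSCPullServer.svc" -UseBasicParsing |
    Select-Object StatusCode
```

Note that in the configuration above only the pull endpoint on 8080 is protected by the certificate; the compliance server on 9080 is set to `AllowUnencryptedTraffic`, so step 4 deliberately checks 8080, the port nodes will pin with `CertificateID`.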
Next, configure the node's LCM file.
```powershell
[DSCLocalConfigurationManager()]
Configuration LCM_HTTPSPULL
{
    param
    (
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,

        [Parameter(Mandatory = $true)]
        [string]$guid
    )

    Node $ComputerName
    {
        Settings
        {
            AllowModuleOverwrite = $True
            ConfigurationMode    = 'ApplyAndAutoCorrect'
            RefreshMode          = 'Pull'
            ConfigurationID      = $guid
        }

        ConfigurationRepositoryWeb DSCHTTPS
        {
            ServerURL               = 'https://sydit01.omnicom.com.au:8080/PSDSCPullServer.svc'
            CertificateID           = '56B5DC192DE9AB004AE6FB3C96F7C00684537028'
            AllowUnsecureConnection = $False
        }
    }
}

# Computer list
$ComputerName = 'sydittest'

# Create Guid for the computers
$guid = [guid]::NewGuid()

# Create the Computer.Meta.Mof in folder
LCM_HTTPSPULL -ComputerName $ComputerName -Guid $guid -OutputPath c:\DSC\HTTPS
```
Generate the LCM's meta.mof file.
Push it to the node.
Next, configure the state we want to enforce. The example here ensures the SMTP service is never installed.
```powershell
configuration SMTP
{
    Node HTTPSComputers
    {
        WindowsFeature SMTP
        {
            Name   = 'SMTP-Server'
            Ensure = 'Absent'
        }
    }
}

SMTP -OutputPath C:\DSC\HTTPS
```
Generate the mof file.
As with SMB, the HTTPS pull server also validates configurations by GUID and checksum, so the configuration file must be renamed and a checksum generated for it.
Finally, let's test. First, confirm that the client (node) currently has SMTP installed.
Refresh the state, and we see it starts uninstalling automatically.
Check again: it has been uninstalled successfully (with a prompt that a reboot is required).
The experiment succeeded.
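The steps from "push it to the node" through the final check were shown as screenshots. Here is an added example (not code from the original post) that carries the node side through in one script: apply the meta.mof, confirm the LCM is really in HTTPS pull mode with the expected ConfigurationID, stage the SMTP MOF on the pull server under that GUID with its checksum, then force a pull and read back the feature state. It assumes `$guid` is still the value produced by the LCM script above, that the pull server's `$env:PROGRAMFILES` is `C:\Program Files` reachable through the admin share, and WMF 5.0 or later for `Update-DscConfiguration` (on WMF 4 the equivalent is the `PerformRequiredConfigurationChecks` CIM method of the LCM).

```powershell
# Added example, not part of the original post.
# Assumed: $guid comes from the LCM_HTTPSPULL script above; node and server names are the post's.
$Node       = 'sydittest'
$PullServer = 'sydit01'

# 1. Apply the meta-configuration (C:\DSC\HTTPS\sydittest.meta.mof) to the node.
Set-DscLocalConfigurationManager -Path C:\DSC\HTTPS -ComputerName $Node -Verbose

# 2. Read the LCM back and refuse to continue unless it is pulling over HTTPS with our GUID.
$lcm = Get-DscLocalConfigurationManager -CimSession $Node
if ($lcm.RefreshMode -ne 'Pull' -or $lcm.ConfigurationID -ne [string]$guid) {
    throw "LCM on $Node is not in pull mode with ConfigurationID $guid"
}
$repo = $lcm.ConfigurationDownloadManagers | Select-Object -First 1
if ($repo.AllowUnsecureConnection -or $repo.ServerURL -notlike 'https://*') {
    throw "LCM on $Node would accept a non-HTTPS pull server: $($repo.ServerURL)"
}

# 3. Stage the configuration on the pull server: it serves <GUID>.mof plus <GUID>.mof.checksum,
#    and a node only applies a MOF whose checksum file matches.
$ConfigPath = "\\$PullServer\C$\Program Files\WindowsPowerShell\DscService\Configuration"
$Source     = 'C:\DSC\HTTPS\HTTPSComputers.mof'      # output of 'SMTP -OutputPath C:\DSC\HTTPS'
$Target     = Join-Path -Path $ConfigPath -ChildPath "$guid.mof"
Copy-Item -Path $Source -Destination $Target -Force
New-DscChecksum -Path $Target -Force                  # writes "$guid.mof.checksum" next to it
Get-ChildItem -Path $ConfigPath -Filter "$guid.mof*" | Select-Object Name, Length

# 4. Show the starting point: SMTP-Server is currently installed on the node.
Invoke-Command -ComputerName $Node -ScriptBlock {
    Get-WindowsFeature -Name SMTP-Server | Select-Object Name, InstallState
}

# 5. Trigger a pull now instead of waiting for the refresh interval, then verify.
#    InstallState shows 'InstallPending' when removal is waiting on the reboot the post mentions.
Update-DscConfiguration -ComputerName $Node -Wait -Verbose
Test-DscConfiguration -ComputerName $Node
Invoke-Command -ComputerName $Node -ScriptBlock {
    Get-WindowsFeature -Name SMTP-Server | Select-Object Name, InstallState
}
```

Step 2 is the check worth keeping in any pull-mode rollout: `ConfigurationMode = 'ApplyAndAutoCorrect'` means the node will keep re-applying whatever the repository serves, so confirming the repository URL is HTTPS and `AllowUnsecureConnection` is false before staging anything avoids pointing an auto-correcting node at an unauthenticated source.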
This article is reposted from beanxyz's 51CTO blog; original link: http://blog.51cto.com/beanxyz/1697842. To repost, please contact the original author.