Practical DevOps with Powershell
Yossi Sassi
Student Introduction
• Name
• Title/function
• Job responsibility
• Technical and professional experience with
Windows, DevOps and Scripting languages
About this day
• Realizing Windows PowerShell’s importance
• Focuses on Windows PowerShell for DevOps
• Prerequisites
• Objectives
What we’ll talk about
• Scripting Basics & Concepts
• Introduction to Windows Powershell: Management &
Configuration capabilities
• Working with Azure & Office 365 (Cloud environments)
• Exploring PowerShell benefits for Management &
Configuration capabilities (continued)
• Desired State Configuration
• PowershellGet & PSReadLine
• Scripting Secure Operations (Digital Signatures, Execution
Policies)
• Secure Remoting (PSSession-Configuration)
Introduction to Scripting
Basics & Concepts
What is an algorithm?
• A series of basic instructions for carrying out a complex task
• An algorithm must be unambiguous and clear
• Let's look at an example from everyday life: an algorithm for pizza delivery, for instance:
– Get the delivery address.
– Take the pizza from the shop.
– Drive to the customer's house (the delivery address).
– Hand over the pizza.
– Collect the money.
– Return to the shop.
• A script can be defined as an algorithm
Example
Operators
• An operator is a symbol that represents an action
• An operand is a value on which the action is performed
• For example, in the expression 1+2:
• The '+' sign is the operator, and it performs an action on the operands (the numbers).
Conditions
• A Boolean expression is an expression whose value at a given moment can be true or false
• If the expression is true at the moment it is checked, only the left block is executed. Otherwise (the expression is false), only the right block is executed.
Diagram labels: Boolean expression; True block; False block; To the next node
Loops
• A program action that repeats itself a number of times, such as performing an action for a series of items.
• Recursion, or a recursive loop, invokes itself again until some datum is received (a stop condition or the end of the data). The recursive loop includes an internal call to run the loop one more time, so the stop condition must be inside the loop for it to stop.
Function
• An algorithm that forms part of another algorithm (a "script" inside the "script")
• A predefined action that can be used again and again.
Variable
• A temporary cell in memory that holds changing data
• Every variable must have a name
• Every variable has a 'type' (data type) that determines what kind of data it can hold, such as: integer, string, date, Boolean, etc.
• The variable's lifetime is the run time of the program (in this case, PowerShell). When the process closes, the variable is deleted from memory
Array
• A sequence of variables in memory, or alternatively, a collection of items/objects
• An array is also a variable in its own right
Parameters
• A variable required for executing a function
• PowerShell functions and cmdlets accept parameters, whose presence or value can be referenced in order to perform different actions.
• A command/function can accept one or more parameters, or accept no parameters at all.
Introduction to Windows PowerShell:
Management & Configuration
Capabilities
Windows PowerShell Overview
• Used by Exchange first, today – everywhere.
• Functionality provided by commands:
• Cmdlets (pronounced “command-lets”)
• Functions
• Etc.
• v2.0 works with XP SP3. Others should use the
latest version.
• Requires .NET Framework
PowerShell & .NET Framework
PowerShell
Notepad!
Visual Studio .NET
• Common Language Runtime
• Class Library
.NET Framework
OS (Windows)
H/W
.NET Namespaces
• Class Library logically organised in hierarchical
groups
– Dot-separated names, starting with System or
Microsoft namespace
– Physically installed in .NET assemblies (DLLs)
System.Data.SQLClient.SQLConnection()
PowerShell Versions
OS                       2.0         3.0 / 4.0            5.0
Windows XP               Available   No                   No
Windows Server 2003      Available   No                   No
Windows Vista            Available   No                   No
Windows Server 2008      Available   Available with SP2   No
Windows 7                Installed   Available with SP1   Download (need SP1)
Windows Server 2008 R2   Installed   Available with SP2   Download (need SP1)
Windows 8                No          Installed            Download (8.1 only)
Windows Server 2012      No          Installed            Download (2012+2012 R2)
Windows 10 comes with PowerShell v5.0 installed
Windows PowerShell 2.0 requires .NET Framework 2.0 SP 1
Windows PowerShell 3.0 / 4.0 requires .NET Framework 4.x
Two Host Applications
• Console
• Basic command-line interface
• Maximum support for PowerShell features
• Not best for editing
• ISE
• Script editor + console + Commands add-on
• *Some* PowerShell features not supported
• Rich editing capabilities
• 3rd-party
• PowerGUI, PowerShell Plus, etc.
Pshell version
• Use $PSVersionTable to determine the version of
PowerShell
• Can also use $host.version
• Check out other useful automatic variables on the
way
Familiar-Seeming Commands
• Familiar-seeming commands:
• Dir
• Cd
• Mkdir
• Type etc..
• These are really aliases to PowerShell commands
• Try Get-Alias and Set-Alias
Learning Command Syntax
• Get-Help (or Help or Man)
• Use -ShowWindow to display help in a window
• Use -Example to see syntax examples
• Use -Online to go to updated help on
microsoft.com
Command Syntax
Test-Connection -ComputerName SRV1 -Count 1
Diagram labels: Command Name, Parameters, Parameter Name, Parameter Value
Multiple Parameter Values
• designated by a [ ] indicator:
-ComputerName <string[]>
• Values can come from a comma-separated list, a variable,
Get-Content and more!
Read text files
• Get-Content c:\windows\windowsupdate.log
• Can input into a variable, and use it
• Read log in real time:
Get-Content c:\temp\test.log -Wait -Tail 0
Working with the Pipeline
What Is the Pipeline?
• Each command’s output is the next command’s
input
• Multiple commands are separated by a vertical pipe
character (|); technically, there is no limit.
Discovering Object Members
• Object members include:
• Properties
• Methods
• Run a command that produces an object, and pipe
that object to Get-Member (or gm) to see a list of
members
• Can also use select * -first 1
Sorting Objects
• Commands determine their own default sort order
• Sort can re-sort objects in the pipeline
• Example of use:
• Get-Service | Sort Status -Descending
Measuring Objects
• Measure-Object accepts a collection of objects and
counts them
• Add -Property to specify a single numeric property, and
then add:
• -Average to calculate an average
• -Minimum to display the smallest value
• -Maximum to display the largest value
• -Sum to display the sum
Selecting a Subset of Properties
• This is one of two main uses for Select
• Use parameters to select the specified number of
rows of the piped result:
• -First from the beginning
• -Last from the end
PowerShell as bytes calculator
• Use shortcuts to convert bytes into:
• KB kilobyte
• MB megabyte
• GB gigabyte
• TB terabyte
• PB petabyte
Performance measuring
Use Measure-Command
Calculated Properties: Using Hash Table
@{
n='PM in MB';
e={ $PSItem.PM/1mb }
}
Hash table
Label key Label string value
Expression key
Expression script block
Semicolon
Converting Objects
• Supported formats include CSV, HTML, and XML
• Two verbs:
• ConvertTo changes the form of the data
• Export changes the form of the data and writes it to
external storage
• Get-Command -Verb ConvertTo,Export
Filtering Syntax
• Use WHERE
• When you need 2 or more criteria, use $PSItem or
$_ , with the proper syntax
• Works in combination with operators
Comparison Operators
Comparison Case-insensitive Case-sensitive
Equality -eq -ceq
Inequality -ne -cne
Greater than -gt -cgt
Less than -lt -clt
Greater than or equal to -ge -cge
Less than or equal to -le -cle
Wildcard equality -like -clike
Wildcard Inequality -notlike -cnotlike
Example: Filtering
Get-Service |
Where-Object -Filter { $PSItem.Status -eq 'Running' }
Get-Service | Where { $_.Status -eq 'Running' }
Get-Service | ? { $PSItem.Status -eq 'Running' }
Adding Multiple Criteria
• Use Boolean operators -and and -or to combine
multiple comparisons into a single expression:
Get-Volume | Where-Object -Filter {
$PSItem.HealthStatus -ne 'Healthy' -or
$PSItem.SizeRemaining -lt 100MB
}
Enumeration
• Use Foreach or % to loop through objects and
perform custom actions
PSDrives
• Logical drives inside Powershell
• Allows management by using familiar file system
management commands
• Use PSProviders to adapt data stores to look like
disk drives inside the shell
• Good solution for “one syntax multiple stores”, e.g.
IIS, SQL, Exchange, AD, Registry, WSMan config
and more!
WMI / CIM
• Veteran technology inside Windows
• Listing classes
• WMI vs. CIM
• Getting info vs. Invoking methods
Jobs
• Excellent for parallel tasks in the background
• PSJobs vs. Scheduled Jobs
• Integrate with Task Scheduler or directly in
PowerShell (Pros and Cons)
Remoting
• Network connectivity vs. PSRemoting
• Architecture
• Configuration options (Enable-PSRemoting vs.
Enterprise config)
• PowerShell Web Access
PSRemoting Architecture
Remote Computer
Local Computer
Windows PowerShell
Wsmprovhost
Endpoint
WinRM
Listener (HTTP)
WS-MAN Traffic
Powershell & Cloud Services
AGENDA
• Intro to Cloud Services Model
• Microsoft Cloud services
• PowerShell native API
• PowerShell & Rest API
• Use case & Demo
Intro to Cloud Services Model
Reference: http://robertgreiner.com/2014/03/windows-azure-iaas-paas-saas-overview/
Microsoft’s Cloud Services
• Office365 – Offers SaaS Services, such as:
– CRM
– Web Portal
– Office Apps
• Azure – Offers SaaS\PaaS\IaaS Services such as:
– Virtual Machine (IaaS)
– Cognitive Services (SaaS)
PowerShell API
Native API
Based on official PowerShell native modules from Microsoft
Office365 – https://technet.microsoft.com/en-us/library/dn789037.aspx
Azure – https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/
3rd party Scripts & Modules can be found in central repos
https://www.powershellgallery.com
https://gallery.technet.microsoft.com/
https://github.com/Azure/azure-powershell
PowerShell Native API
PowerShell API – Azure Virtual Machines
PowerShell API Wrapper
• Used when there is no Native PS API available
• Contained interpreter for Web\Rest\c#\com
• Data returned in PowerShell Object format
Business Scenarios - DEMO
• Using Azure Cognitive Services and PowerShell
to demonstrate the following use cases:
– Smart security cam
– Smart vision device for short-sighted and blind people
Smart Security Camera
• Identify potential threat characteristics
– Age & Gender
https://geekeefy.wordpress.com/2016/02/21/powershell-project-oxford-image-age-and-gender-detection/
– Emotion
https://geekeefy.wordpress.com/2016/02/09/powershell-microsoft-project-oxford-image-emotion-detection/
Smart Security Camera - Advanced
• Automate Image Sending\Receiving
• Add business logic
• DEMO
Smart Vision Device - Demo
• Get a picture of the environment
• Analyze the picture with Azure Cognitive Services
Vision API
• Get a Text description of the image
• Use PowerShell to narrate the text with the System.Speech.Synthesis.SpeechSynthesizer class
Reference: https://learn-powershell.net/2013/12/04/give-powershell-a-voice-using-the-speechsynthesizer-class/
Desired State Configuration
Desired State Configuration
• Enables deploying and managing configuration
data, and managing the environment in which
these services are running
• DSC provides a set of Windows PowerShell
language extensions, Windows PowerShell
cmdlets, and resources that you can use to
declaratively specify how you want your software
environment to be configured.
• Applies to PowerShell 4.0 and 5.0 (v5.0 highly
recommended!)
DSC Scenarios
• Enabling or disabling server roles and features
• Managing registry settings
• Managing files and directories
• Starting, stopping & managing processes and
services
• Managing groups and user accounts
• Deploying new software
• Managing environment variables
DSC Scenarios (Cont.)
• Running Windows PowerShell scripts
• Fixing a configuration that has drifted away from
the desired state
• Discovering the actual configuration state on a
given node
DSC Concepts
• DSC is a declarative platform with 3 primary components:
• Configurations: declarative PowerShell scripts,
to define and configure instances of resources.
• Resources: The building blocks of DSC.
Modeling various components. They reside
within PowerShell modules and can be written
to model something as generic as a file or a
Windows process or as specific as an IIS server
or a VM running in Azure.
• The Local Configuration Manager (LCM):
• The engine by which DSC facilitates the
interaction between resources and
configurations.
• Ensures that the state laid out by a
Configuration is maintained.
• If the system is out of state, the LCM uses logic
inside of the resources to “fix it back” according
to the Configuration declaration.
• DSC data is either pulled or pushed to the
Local Configuration Store
DSC Cmdlets
• PSDesiredStateConfiguration is the main
module (includes Start-DscConfiguration,
Set-DscLocalConfigurationManager and Get-DscResource).
• The xDscResourceDesigner module (found in
the PowerShell Gallery) is a collection of cmdlets
that simplify the development of DSC resources.
Configurations
# Configuration with a hard-coded node name
Configuration MyPCConfiguration {
    Node "PC1" {
        WindowsFeature Feature1 {
            Ensure = "Present"
            Name = "RSAT"
        }
        WindowsFeature Feature2 {
            Ensure = "Present"
            Name = "Bitlocker"
        }
    }
}
# The same configuration, with the node name passed as a parameter
Configuration MyPCConfiguration {
    param( [string[]]$ComputerName = "localhost" )
    Node $ComputerName {
        WindowsFeature Feature1 {
            Ensure = "Present"
            Name = "RSAT"
        }
        WindowsFeature Feature2 {
            Ensure = "Present"
            Name = "Bitlocker"
        }
    }
}
# A web server configuration
Configuration MyWebsite
{
    param ($ComputerName)
    Node $ComputerName
    {
        # Install the IIS Role
        WindowsFeature IIS
        {
            Ensure = "Present"
            Name = "Web-Server"
        }
        # Install ASP.NET 4.5
        WindowsFeature ASP
        {
            Ensure = "Present"
            Name = "Web-Asp-Net45"
        }
    }
}
Compiling configurations
• Before you can apply a configuration, you have to
compile it into a MOF document, e.g.
• Run the configuration (put into memory)
• MyPCConfiguration -ComputerName 'DevPC1'
• MOF file default location:
C:\users\default\Documents\DSC Configurations\MyPCConfiguration
DependsOn
Configuration MyPCConfiguration {
    Node "PC1" {
        Group Group1 {
            Ensure = "Present"
            GroupName = "DevGroup"
        }
        # The user is created only after the group exists
        User User1 {
            Ensure = "Present"
            UserName = "DevUser"
            FullName = "Development User"
            DependsOn = "[Group]Group1"
        }
    }
}
Resources
• Resources must be placed in $env:PSModulePath in order
to be recognized by the LCM.
• Get-DscResource can be used to determine what resources
are installed on the system.
• Use Import-DscResource within configuration block (it is
not a cmdlet) to load:
• ModuleName (recommended way)
• Name (The name of the class resource to import. This is not
the friendly name returned as "Name" by Get-DscResource,
but the class name)
Built-in Resources
• Archive Resource
• Environment Resource
• File Resource
• Group Resource
• Log Resource
• Package Resource
• Registry Resource
• Script Resource
• Service Resource
• User Resource
• WindowsFeature Resource
• WindowsProcess Resource
• More info here
Writing custom resources
• Can create MOF file, in C# or directly in PowerShell
• In Pshell v5 – with Classes – it’s the simplest way.
• Read more here
DSC Resources for Linux
• nxArchive Resource -- Provides a mechanism to unpack archive (.tar, .zip) files at a specific path.
• nxEnvironment Resource -- Manages environment variables on target nodes.
• nxFile Resource -- Manages Linux files and directories.
• nxFileLine Resource -- Manages individual lines in a Linux file.
• nxGroup Resource -- Manages local Linux groups.
• nxPackage Resource -- Manages packages on Linux nodes.
• nxScript Resource -- Runs scripts on target nodes.
• nxService Resource -- Manages Linux services (daemons).
• nxSshAuthorizedKeys Resource -- Manages public ssh keys for a Linux user.
• nxUser Resource -- Manages local Linux users.
Local Configuration Manager
• The LCM is in charge of:
• Determining refresh mode (push or pull).
• Specifying how often a node pulls and applies
configurations.
• Associating the node with pull servers.
• Specifying partial configurations.
Creating a custom LCM
[DSCLocalConfigurationManager()]
Configuration LCMconfig {
    Node localhost {
        Settings
        {
            RefreshMode = 'Push'
        }
    }
}
To apply LCM config
• Use Set-DscLocalConfigurationManager cmdlet,
supplying the path to the configuration MOF as a
parameter.
• After you apply the configuration, you can see the
properties of the LCM by calling the
Get-DscLocalConfigurationManager cmdlet. *
More LCM Config blocks (besides Settings)
• ConfigurationRepositoryWeb: specifies an HTTP pull server for configurations.
• ConfigurationRepositoryShare: specifies an SMB pull server for configurations.
• ResourceRepositoryWeb: specifies an HTTP pull server for modules.
• ResourceRepositoryShare: specifies an SMB pull server for modules.
• ReportServerWeb: specifies an HTTP pull server to which reports are sent.
• PartialConfiguration: specifies partial configurations.
Pull Server
• A pull server is either an OData web service or an
SMB share that is used as a central location for DSC
files.
• Server 2012 R2 running:
• WMF/PowerShell 5.0
• IIS server role
• DSC Service
• Ideally, with means to generate a certificate, to
secure credentials passed to the Local
Configuration Manager (LCM) on target nodes
Configuring a Pull Server
• Easiest way is to use the xWebService resource,
included in the xPSDesiredStateConfiguration
module:
• Install-Module xPSDesiredStateConfiguration
• Get an SSL certificate for the DSC Pull server
from a trusted Certificate Authority.
• Install the certificate on the node that will
become the DSC Pull server in the default location
which should be CERT:\LocalMachine\My. Make
a note of the certificate thumbprint.
Configuring a Pull Server (cont.)
• Select a GUID to be used as the Registration Key.
(You can generate one using PowerShell -
[guid]::NewGuid().) This key will be used by client
nodes as a shared key to authenticate during
registration.
• For more information, see here.
• Sample script *
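Added example (not from the original deck): an LCM meta-configuration for a pull client that uses the ConfigurationRepositoryWeb and ReportServerWeb blocks and the Registration Key described above. The pull server URL, the configuration name 'MyWebsite' and the output folder are assumptions for illustration.

```powershell
# Added example: LCM meta-configuration for a pull client.
# Hypothetical values: the pull server URL and the configuration name 'MyWebsite'.
[DSCLocalConfigurationManager()]
Configuration PullClientConfig {
    param(
        [Parameter(Mandatory)]
        [string]$RegistrationKey
    )
    Node localhost {
        Settings {
            RefreshMode          = 'Pull'
            ConfigurationMode    = 'ApplyAndAutoCorrect'   # re-apply when the node drifts
            RefreshFrequencyMins = 30
            RebootNodeIfNeeded   = $false
        }
        ConfigurationRepositoryWeb PullSrv {
            ServerURL               = 'https://pull.example.test:8080/PSDSCPullServer.svc'
            RegistrationKey         = $RegistrationKey
            ConfigurationNames      = @('MyWebsite')
            AllowUnsecureConnection = $false               # refuse plain HTTP
        }
        ReportServerWeb PullSrvReports {
            ServerURL       = 'https://pull.example.test:8080/PSDSCPullServer.svc'
            RegistrationKey = $RegistrationKey
        }
    }
}

# Ask for the key at run time instead of storing it in the script.
$key    = Read-Host -Prompt 'Pull server registration key'
$outDir = Join-Path -Path $env:TEMP -ChildPath 'PullClientConfig'

# Compiling writes localhost.meta.mof, which contains the key in clear text,
# so the output folder is removed once the LCM has been configured.
PullClientConfig -RegistrationKey $key -OutputPath $outDir | Out-Null
Set-DscLocalConfigurationManager -Path $outDir -Verbose
Remove-Item -Path $outDir -Recurse -Force

# Confirm what the LCM is now using.
Get-DscLocalConfigurationManager |
    Select-Object -Property RefreshMode, ConfigurationMode, ConfigurationDownloadManagers
```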
Secure DevOps
Execution Policy
• Execution policy settings:
• Restricted (default)
• AllSigned
• RemoteSigned
• Unrestricted
Can be changed using:
• Set-ExecutionPolicy command
• Group Policy Object
• -ExecutionPolicy parameter of PowerShell.exe
Running Scripts
• It’s all about trust.
Signing Scripts
• Provides trust through Digital Certificates
• PKI basics overview
• Use Set-AuthenticodeSignature to sign
scripts and make sure they cannot be
changed
• How to deploy Script Security in the
organization
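Added example (not from the original deck): signing a script with Set-AuthenticodeSignature, showing that an edit made after signing invalidates the signature, and auditing a folder for scripts that would be refused under AllSigned. It assumes a code-signing certificate that chains to a trusted root is already in Cert:\CurrentUser\My; C:\Scripts and Deploy.ps1 are hypothetical names.

```powershell
# Added example. Assumptions: a trusted code-signing certificate is in
# Cert:\CurrentUser\My; C:\Scripts\Deploy.ps1 is a hypothetical script.
$scriptDir  = 'C:\Scripts'
$scriptPath = Join-Path -Path $scriptDir -ChildPath 'Deploy.ps1'

# Show which execution policy applies at each scope before relying on signatures.
Get-ExecutionPolicy -List

# Pick the unexpired code-signing certificate with the longest remaining lifetime.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No usable code-signing certificate found.' }

# Sign the script. The signature is appended to the file as a comment block.
# Without -TimestampServer the signature stops validating when the certificate expires.
$signed = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256
"After signing: $($signed.Status)"

# Simulate a change made after signing by prepending a line to the script body.
$body = Get-Content -Path $scriptPath -Raw
Set-Content -Path $scriptPath -Value ("# edited after signing`r`n" + $body) -NoNewline
"After editing: $((Get-AuthenticodeSignature -FilePath $scriptPath).Status)"

# Audit: list every script in the folder whose signature is missing or not valid.
Get-ChildItem -Path $scriptDir -Filter *.ps1 -Recurse |
    Get-AuthenticodeSignature |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object -Property Path, Status,
        @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
```

Re-sign the script after any legitimate edit; the audit pipeline at the end can run on a schedule to catch unsigned or modified scripts.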
It helps that…
• .ps1 extension defaults to Notepad
• Scripts must be run by using a relative or absolute
path
• .\Myscript.ps1
Secure Remote Administration
• There are great capabilities when it comes
to Remote operations with PowerShell
• Encrypt session content (HTTPS)
• Limit session to specific users, IP addresses,
hosts, scripts, even commands
• To be discussed later in ‘Remote administration’
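Added example (not from the original deck): a restricted PSSession configuration that limits a remoting endpoint to one group and to specific commands and parameter values, then connects to it over HTTPS. It assumes PowerShell 5.0, an elevated prompt on the server and an existing WinRM HTTPS listener; the endpoint name HelpDeskOps, the group CONTOSO\HelpDesk, the folder under C:\ProgramData and the service names are hypothetical.

```powershell
# Added example. Run elevated on the server that hosts the endpoint.
# Hypothetical names: HelpDeskOps, CONTOSO\HelpDesk, C:\ProgramData\JEA, SRV1.
$root = 'C:\ProgramData\JEA'
$pssc = Join-Path -Path $root -ChildPath 'HelpDeskOps.pssc'
New-Item -ItemType Directory -Path "$root\Transcripts" -Force | Out-Null

# Members of the group may list services and restart two named services only.
$roles = @{
    'CONTOSO\HelpDesk' = @{
        VisibleCmdlets = 'Get-Service',
            @{ Name       = 'Restart-Service'
               Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W3SVC' } }
    }
}

# RestrictedRemoteServer hides everything except a small default command set
# and switches the session to NoLanguage mode.
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -RoleDefinitions $roles `
    -TranscriptDirectory "$root\Transcripts"

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw 'Session configuration file is not valid.'
}

# Registering restarts WinRM; access is granted to the groups in RoleDefinitions.
Register-PSSessionConfiguration -Name 'HelpDeskOps' -Path $pssc -Force
Get-PSSessionConfiguration -Name 'HelpDeskOps' | Select-Object -Property Name, Permission

# From an admin workstation: connect over HTTPS and list what the session exposes.
$session = New-PSSession -ComputerName 'SRV1' -ConfigurationName 'HelpDeskOps' -UseSSL
Invoke-Command -Session $session -ScriptBlock { Get-Command }
Remove-PSSession -Session $session
```

The transcripts written to the Transcripts folder record what each connected user ran, which gives an audit trail for the delegated commands.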