Today, we are happy to announce a brand-new and open-sourced way to manage your vSphere environment. The Desired State Configuration (DSC) Resources for VMware allows partners, automation engineers, DevOps teams, and system administrators a new way to apply standard configuration management processes through PowerShell DSC and PowerCLI!
Let’s take a walk through how we can get started using these DSC resources and apply our first configuration!
Desired State Configuration Resources for VMware Overview
PowerShell DSC has been out for a while, since Windows Server 2012 R2 as a matter of fact. To summarize in a single sentence: PowerShell DSC can manage and monitor a system’s configuration based on what’s known as configuration files, which happen to be written as PowerShell code. This is all made possible thanks to the Local Configuration Manager (LCM). LCM is the “engine” running locally on each of the target nodes that takes the configuration file, interprets it, and applies all the configured parts. These parts include a system’s configuration, in what manner the configuration is refreshed, and how often it is refreshed, just to name a few.
The above is important because the DSC Resources for VMware operate a little differently than a standard DSC configuration. The DSC Resources for VMware make use of a proxy LCM host. This is because the LCM cannot run on the VCSA (both vCenter and PSC based appliances) nor can it run on ESXi hosts. An important note about this proxy LCM host, it has to be Windows PowerShell based. Furthermore, only PowerShell 5.1 and PowerCLI 10.1.1 or newer will be supported.
This first release of the DSC Resources for VMware will be able to manage a couple different areas for both vCenter and ESXi hosts. They are as follows:
- vCenterStatistics
- Level
- PeriodLength
- vCenterSettings
- EventMaxAge
- TaskMaxAge
- Logging Level
- VMHostNtpSettings
- NTP Server
- NTPD Service Policy
- VMHostDnsSettings
- HostName
- DomainName
- Address
- VMHostSatpClaimRule
- RuleName
- Transport
- Description
- VMHostTpsSettings
- ShareScanTime
- ShareForceSalting
Installation Overview
We now know what it is and what it can do, how about the installation? On the designated proxy LCM system, we will want to download the module from GitHub and make it available in one of our designated PSModulePath directories. The zip file is available through the following link: Desired State Configuration Resources for VMware
Here’s some code that can streamline the download and initialization process:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
# Download the 1.0 release of the VMware.vSphereDSC module from GitHub Try { Invoke-WebRequest -Uri 'https://github.com/vmware/dscr-for-vmware/releases/download/v1.0/VMware.vSphereDSC.zip' -OutFile $env:userprofile\Downloads\VMware.vSphereDSC.zip } Catch [System.Net.WebException] { # On error, the SecurityProtocol for the local PowerShell session will be updated to access TLS 1.2 and the download will be attempted again. $secProtocol = [Net.ServicePointManager]::SecurityProtocol [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest -Uri 'https://github.com/vmware/dscr-for-vmware/releases/download/v1.0/VMware.vSphereDSC.zip' -OutFile $env:userprofile\Downloads\VMware.vSphereDSC.zip # The SecurityProtocol will be then reverted back to the state it was at prior [Net.ServicePointManager]::SecurityProtocol = $secProtocol } # Create a new VMware.vSphereDSC directory in the PowerShell Modules folder which is located in the Program Files directory $dscDirectory = New-Item -Path “$env:ProgramFiles\WindowsPowerShell\Modules” -Name 'VMware.vSphereDSC' -Type Directory # Expand the downloaded zip file containing the VMware.vSphereDSC module into the prior directory Expand-Archive -Path $env:USERPROFILE\Downloads\VMware.vSphereDSC.zip -DestinationPath $dscDirectory |
After we have installed the module we should be able to list the newly acquired module and import it into our active PowerShell Session:
|
1 |
Import-Module -Name VMware.vSphereDSC |
We can also verify the DSC resources we have available:
|
1 |
Get-DscResource -Module VMware.vSphereDSC |
Next, we need to make sure the proxy LCM system can understand the DSC configuration files. This is done through the Windows Remote Management service. We can setup the WinRM service or verify that the WinRM service is setup with the following code:
|
1 |
winrm quickconfig |
In my environment, this system already had WinRM setup so I received the following message:
We should now be all set to start setting up DSC resources in our environment!
Managing an ESXi Host’s NTP
The DSC Resources for VMware repository has some pre-created configuration files which can be sourced to create the MOF file. The MOF file, which stands for Managed Object Format, is the output from a configuration file which has been compiled by the LCM. These configuration files are located in the repo at the following location: \Source\VMware.vSphereDSC\Configurations In my environment, I’ve created my own fork of the repository and cloned it to my local system where I’ll be referencing the files.
In our example, we’re going to setup DSC to manage an ESXi host’s NTP configuration. We can see some parameters and some settings by opening the VMHostNtpSettings_Config.ps1 file that’s located in the ESXiConfigs directory.
| Input Type | Input Name | Input Description |
|---|---|---|
| Parameter | Name | Resource Name |
| Server | Server Host Name | |
| User | ESXi host username | |
| Password | ESXi host password | |
| Setting | NtpServer | NTP server/s the host will use |
| NtpServicePolicy | Status for the NTPD service |
For my lab environment, I’m going to update the NtpServer values and accept the service policy setting of ‘automatic’. I’m also going to apply this configuration at the ESXi host level, so my host name and server name will match.
We can do this with the following commands:
|
1 2 3 4 5 6 7 8 9 10 |
# Use splatting to fill the parameter values $ntpConfigInput = @{ name = 'esx01.corp.local' server = 'esx01.corp.local' user = 'root' pass = 'VMware1!' } # Compile the MOF in the current directory . VMHostNtpSettings_Config.ps1 @ntpConfigInput |
As part of the output, we should see the following MOF file having been created:
We can then test the MOF file against our host with the following command:
|
1 |
Test-DscConfiguration -ComputerName localhost -Path .\VMHostNtpSettings_Config\ |
Added to the output, I have also included another PowerShell session which is polling the host for the current NTP server/s and service policy:
In the above example, notice the ‘InDesiredState’ property with a value of False.
Now, we’re ready to start applying our configuration. We do this with the following command:
|
1 |
Start-DscConfiguration -ComputerName localhost -Path .\VMHostNtpSettings_Config\ -Wait -Force |
After a few moments, we’re ready to check the current DSC configuration with the following command:
|
1 |
Get-DscConfiguration |
Again, I’ve added a second PowerShell session to show the current status of the host:
For reference, this is the code I’m running to show the current status of the host’s NTP configuration:
|
1 |
Get-VMHost -Name VMHostName | Sort Name | Select Name, @{N=“NTPServer“;E={$_ | Get-VMHostNtpServer}}, @{N=“NTPPolicy“;E={(Get-VMHostService -VMHost $_ | Where-Object {$_.key-eq “ntpd“}).Policy}} |
In some later blog posts, we’ll take a look at some of the other areas of this module including applying configurations to multiple hosts, applying vCenter settings, applying values to multiple hosts in a vCenter, and some ways to apply better security practices to both the credentials and the MOF.
Summary
PowerCLI is back with a brand-new feature, Desired State Configuration Resources for VMware! These resources allow PowerCLI to make use of PowerShell DSC to define the configuration of a desired node. The DSC Resources for VMware can define ESXi host settings such as NTP servers, DNS servers, and TPS share scan times. We can also define vCenter settings such as statistics level and logging level. As an additional benefit, these resources are also open-source and community contributions are absolutely welcome!
Check out the Desired State Configuration Resources for VMware on GitHub and let us know what you’re looking forward to using DSC on most in your vSphere environment!
This is great! Thank you very much. Admittedly I will be heisting that Catch statement for the download, although I would make the Catch statement more error specific because not all failures will be due to TLS 🙂
It’s been updated to look specifically for a System.Net.WebException error exception now.
Sweet glad to see this came about! This is something I asked about 2.5 years ago when I started with VMware.
We have been looking at enforcing configurations for number of settings so the timing of this post is perfect. We are interested in the following
Syslog servers for the esxi host
Syslog server in the vami interface for vcenter
Syslog firewall port expanding it to other ports as well for esxi hosts
Persistent datastore for logs scratch partition
Host integration with AD
Ats heartbeat config for esxi hosts or any advanced setting for esxi hosts
Kaartik,
It’s good to have feature requests. We’ll be happy to file them as issues in the github repo https://github.com/vmware/dscr-for-vmware/issues
hi,
great article but cannot get this to work and really keen to do so.
when i run this it appears to run against local machine and not esxi host:-
PS C:\Users\mark.admin> Test-DscConfiguration -ComputerName localhost -Path .\VMHostNtpSettings_Config\
PowerShell DSC resource VMware.vSphereDSC failed to execute Test functionality with error message: Cannot close
Connection to Server . For more information: Cannot validate argument on parameter ‘Server’. The argument is null or
empty. Provide an argument that is not null or empty, and then try the command again.
+ CategoryInfo : InvalidOperation: (root/Microsoft/…gurationManager:String) [], CimException
+ FullyQualifiedErrorId : ProviderOperationExecutionFailure
+ PSComputerName : localhost
so i change the name of the mof file to the esxi host name and then get this:-
PS C:\Users\mark.admin> Test-DscConfiguration -ComputerName tra-sa-esxi-26 -Path .\VMHostNtpSettings_Config\
Test-DscConfiguration : The computer-specific MOF file for computer tra-sa-esxi-26 does not exist in the current
directory.
At line:1 char:1
+ Test-DscConfiguration -ComputerName tra-sa-esxi-26 -Path .\VMHostNtpS …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Test-DscConfiguration], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.DesiredStateConfiguration.Commands.TestDsc
ConfigurationCommand
any ideas please?
thanks
mark
Great article. As someone has just started out in the world of VMware.
Thanks for the wonderful information.Thank you for describing it in detail. You can also start your own DSC Business by becoming DSC Distributors with Capricorn CA.
Hi There, Thank you so much for sharing this very useful information and making our work easy and less hectic. I would like to thank you and also let you know that we’re a Certifying Authority under CCA and we sell DSC. Kindly visit us to know more: Digital Signature
The process you are explain through this content this makes our work is very easy. Thank you for sharing this information with everyone. And I want to inform you that we are a digital signature certificate authority . Kindly visit us.
Thank you for sharing this information. Dscexperts.com provides a digital signature certificate in Gurgaon India. You can apply for digital signature certificate online.
This a great article. I have been using https://e-signindia.com/ though. Try it out pretty cheap and reliable
Impressive Write-up, Thanks for the valuable post. This informative Write-up has helped me to understand the Digital signature very closely.
Binayah is a leading Real Estate Company in Dubai.
Visit binayah.com! for Dubai property for sale |
and Dubai property for rent. Contact +971555099157
Virtual machines often need to have their CPU and/or Memory configurations modified because of performance tuning efforts, resource capacity reclamation (rightsizing), licensing requirements, or other business-related reasons. Virtual infrastructure administrators are challenged with reconfiguring the CPU & Memory configurations of existing (powered on) virtual machines because they typically need to be powered off to make the necessary changes. EarthlyTribe
WHY
TS Real Estate?
A Tradition of Excellence, Integrity, Knowledge
and Service for over 20 years’ experience
management.
At TS Real Estate, you are number one. Whether you are a property owner, tenant, or buyer,
we value your business and will provide you
with the individual attention and service you
deserve. We bring a positive attitude and
energy to everything we do. By working harder
and smarter, we always get the job done. We
believe in integrity, commitment to excellence,
a professional attitude, and personalized care tsrealestate
I like how the writer organized his thoughts in addition to he visual part.
Since 1956 Al Yousuf Real Estate is the most successful real estate property management firm in UAE. With a portfolio of more than 30 properties including both residential and commercial, offered for rent.