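Strange behavior with multiple Group resources in a pull configuration

Time: 2016-11-18 22:58:30

Tags: powershell dsc azure-automation powershell-dsc

Using the Azure Automation pull DSC service, I have a configuration that generates multiple Group resources to ensure that accounts are members of the IIS_IUSRS group (app pool identities). These Group resources are generated by looping over data inside the $ConfigurationData supplied at compile time. This is done per website. For example: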

$Node.WebSites | foreach {
   $site = $_
   $appPoolId  = $site.AppPoolId
   Group appPoolIISUsers
   {
       GroupName = "IIS_IUSRS"
       Credential = $DomainCreds
       Ensure = "Present"
       MembersToInclude = $appPoolId
   }
}

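When applied, the LCM and the WMI service become unstable and produce multiple errors, specifically DSC engine error 28 and engine error 2147749939.

If applied in PUSH mode using Start-DSCConfiguration (as opposed to Pull), I can use the same technique and the configuration succeeds. The only way I was able to get PULL working with the Azure Automation DSC service was to collect all the needed members into a list and use 1 Group resource: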

$iis_iusrs = ($appPoolIds | select -Unique)
Group "AppPoolIISUsers"
{
    GroupName = "IIS_IUSRS"
    Credential = $DomainCreds
    Ensure = "Present"
    MembersToInclude = $iis_iusrs
}

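Is this a bug? The reporting in Azure DSC is also crazy.

Any ideas or help is greatly appreciated.

Update, November 21, 2016:

Here is the configuration I generated and applied locally without using a unique groupname value. There is only one IIS_IUSRS group locally on the machine; we don't need multiples. So here is the configuration that applied successfully when run locally (the real configuration gets its creds from Azure Automation; they are just reused here for simplicity):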

$cd = @{
    AllNodes = @(
        @{
            NodeName = "*"
            PSDscAllowPlainTextPassword = $True
            PSDscAllowDomainUser = $True

        },
        @{ 
            NodeName="localhost"
            DC = (Get-Credential)
            AppPoolId = (Get-Credential)
            WebSites = @(
                @{
                    Name = "app1"
                    WebsiteName = "app1.contoso.lcl"
                    AppPoolName = "app1.contoso.lcl"
                    DestinationFolder = "D:\Content\app1"
                    IsSecure = $false
                    HostHeaderName = "app1.contoso.lcl"
                    AppPoolIdentity = "App1AppPoolId"
                },
                @{
                    Name = "app2"
                    WebsiteName = "app2.contoso.lcl"
                    AppPoolName = "app2.contoso.lcl"
                    DestinationFolder = "D:\Content\app2"
                    IsSecure = $false
                    HostHeaderName = "app2.contoso.lcl"
                    AppPoolIdentity = "App2AppPoolId"
                },
                @{
                    Name = "app3"
                    WebsiteName = "app3.contoso.lcl"
                    AppPoolName = "app3.contoso.lcl"
                    DestinationFolder = "D:\Content\app3"
                    IsSecure = $false
                    HostHeaderName = "app3.contoso.lcl"
                    AppPoolIdentity = "App3AppPoolId"
                }
            )
        }    
    )
}

Configuration LocalGroupTest
{
    Node $AllNodes.NodeName
    {
        $Node.WebSites | foreach {
            $currentSite = $_

            Group "AppPoolIISUsers_AppPool$($currentSite.Name)"
            {
                GroupName = "IIS_IUSRS"
                Credential = $Node.DC
                Ensure = "Present"
                MembersToInclude = @(($Node.AppPoolId).UserName)
            }
        }
    }
}

Localgrouptest -ConfigurationData $cd -Verbose

Start-DscConfiguration -Path .\localgrouptest -Verbose -Wait -Force

Here are the results from the DSC engine:

-a----       11/18/2016   6:26 PM           4496 localhost.mof                                                                                                                                                                       
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer WEB01 with user sid S-1-5-21-3606597670-2021226393-1313626409-500.
VERBOSE: [WEB01]: LCM:  [ Start  Set      ]
VERBOSE: [WEB01]: LCM:  [ Start  Resource ]  [[Group]AppPoolIISUsers_AppPoolapp1]
VERBOSE: [WEB01]: LCM:  [ Start  Test     ]  [[Group]AppPoolIISUsers_AppPoolapp1]
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp1] A group with the name IIS_IUSRS exists.
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp1] Resolving contoso\rmdeployer in the contoso domain.
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp1] At least one member rmdeployer of the provided MembersToInclude parameter does not have a match in the existing group IIS_IUSRS.
VERBOSE: [WEB01]: LCM:  [ End    Test     ]  [[Group]AppPoolIISUsers_AppPoolapp1]  in 8.1410 seconds.
VERBOSE: [WEB01]: LCM:  [ Start  Set      ]  [[Group]AppPoolIISUsers_AppPoolapp1]
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp1] Performing the operation "Set" on target "Group: IIS_IUSRS".
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp1] Resolving contoso\rmdeployer in the contoso domain.
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp1] Group IIS_IUSRS properties updated successfully.
VERBOSE: [WEB01]: LCM:  [ End    Set      ]  [[Group]AppPoolIISUsers_AppPoolapp1]  in 5.9270 seconds.
VERBOSE: [WEB01]: LCM:  [ End    Resource ]  [[Group]AppPoolIISUsers_AppPoolapp1]
VERBOSE: [WEB01]: LCM:  [ Start  Resource ]  [[Group]AppPoolIISUsers_AppPoolapp2]
VERBOSE: [WEB01]: LCM:  [ Start  Test     ]  [[Group]AppPoolIISUsers_AppPoolapp2]
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp2] A group with the name IIS_IUSRS exists.
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp2] Resolving CONTOSO in the rmdeployer domain.
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp2] Resolving contoso\rmdeployer in the contoso domain.
VERBOSE: [WEB01]: LCM:  [ End    Test     ]  [[Group]AppPoolIISUsers_AppPoolapp2]  in 6.2480 seconds.
VERBOSE: [WEB01]: LCM:  [ Skip   Set      ]  [[Group]AppPoolIISUsers_AppPoolapp2]
VERBOSE: [WEB01]: LCM:  [ End    Resource ]  [[Group]AppPoolIISUsers_AppPoolapp2]
VERBOSE: [WEB01]: LCM:  [ Start  Resource ]  [[Group]AppPoolIISUsers_AppPoolapp3]
VERBOSE: [WEB01]: LCM:  [ Start  Test     ]  [[Group]AppPoolIISUsers_AppPoolapp3]
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp3] A group with the name IIS_IUSRS exists.
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp3] Resolving CONTOSO in the rmdeployer domain.
VERBOSE: [WEB01]:                            [[Group]AppPoolIISUsers_AppPoolapp3] Resolving contoso\rmdeployer in the contoso domain.
VERBOSE: [WEB01]: LCM:  [ End    Test     ]  [[Group]AppPoolIISUsers_AppPoolapp3]  in 6.2440 seconds.
VERBOSE: [WEB01]: LCM:  [ Skip   Set      ]  [[Group]AppPoolIISUsers_AppPoolapp3]
VERBOSE: [WEB01]: LCM:  [ End    Resource ]  [[Group]AppPoolIISUsers_AppPoolapp3]
VERBOSE: [WEB01]: LCM:  [ End    Set      ]
VERBOSE: [WEB01]: LCM:  [ End    Set      ]    in  26.6100 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 26.923 seconds

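1 Answer:

Answer 0: (score: 0)

Regardless of Azure Automation DSC, this does not appear to be a valid DSC configuration. If there are multiple website objects in $Node.WebSites, you end up with multiple Group resources with the same resource name and key (GroupName), but different values. This is not allowed in DSC.

Running this: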

$Node = @{
    WebSites = @(@{AppPoolId="somePoolID1"}, @{AppPoolId="somePoolID2"})
}

Configuration abc {
    $Node.WebSites | foreach {
       $site = $_
       $appPoolId  = $site.AppPoolId
       Group appPoolIISUsers
       {
           GroupName = "IIS_IUSRS"
           Credential = $DomainCreds
           Ensure = "Present"
           MembersToInclude = $appPoolId
       }
    }
}

abc

produces the following errors:

PsDesiredStateConfiguration\Group : A duplicate resource identifier '[Group]appPoolIISUsers' was found while processing the 
specification for node ''. Change the name of this resource so that it is unique within the node specification.
At line:9 char:8
+        Group appPoolIISUsers
+        ~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Write-Error], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : DuplicateResourceIdInNodeStatement,PsDesiredStateConfiguration\Group

Test-ConflictingResources : A conflict was detected between resources '[Group]appPoolIISUsers (::9::8::Group)' and 
'[Group]appPoolIISUsers (::9::8::Group)' in node 'localhost'. Resources have identical key properties but there are differences 
in the following non-key properties: 'MembersToInclude'. Values 'somePoolID1' don't match values 'somePoolID2'. Please update 
these property values so that they are identical in both cases.
At line:246 char:9
+         Test-ConflictingResources $keywordName $canonicalizedValue $k ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Write-Error], InvalidOperationException
    + FullyQualifiedErrorId : ConflictingDuplicateResource,Test-ConflictingResources

Errors occurred while processing configuration 'abc'.
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3588 char:5
+     throw $ErrorRecord
+     ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (abc:String) [], InvalidOperationException
    + FullyQualifiedErrorId : FailToProcessConfiguration

Can you try this and see whether it works? It makes the name and key of each Group resource unique:

    $Node.WebSites | foreach {
       $site = $_
       $appPoolId  = $site.AppPoolId
       Group ("appPoolIISUsers" + $appPoolId)
       {
           GroupName = ("IIS_IUSRS" + $appPoolId)
           Credential = $DomainCreds
           Ensure = "Present"
           MembersToInclude = $appPoolId
       }
    }

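Update based on the updated question:

The only reason the configuration you generated and applied locally without using unique groupname values works is that, even though you reuse the same resource key (GroupName = IIS_IUSRS) across resource instances, the desired state you declare each Group should be in is exactly the same: all 3 resources set the same group to exactly the same state. Your configuration is the same as doing this: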

Configuration LocalGroupTest
{
    Node $AllNodes.NodeName
    {
        Group "AppPoolIISUsers_AppPoolapp1"
        {
            GroupName = "IIS_IUSRS"
            Credential = $Node.DC
            Ensure = "Present"
            MembersToInclude = @(($Node.AppPoolId).UserName)
        }

        Group "AppPoolIISUsers_AppPoolapp2"
        {
            GroupName = "IIS_IUSRS"
            Credential = $Node.DC
            Ensure = "Present"
            MembersToInclude = @(($Node.AppPoolId).UserName)
        }

        Group "AppPoolIISUsers_AppPoolapp3"
        {
            GroupName = "IIS_IUSRS"
            Credential = $Node.DC
            Ensure = "Present"
            MembersToInclude = @(($Node.AppPoolId).UserName)
        }
    }
}

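As you can see, the AppPoolIISUsers_AppPoolapp2 and AppPoolIISUsers_AppPoolapp3 resource instances are not needed at all, because they set exactly the same state as AppPoolIISUsers_AppPoolapp1 on the same group, IIS_IUSRS.

Are you sure this example declares the end state you are trying to declare? I still think the reason you are having problems is that you are trying to reuse the same resource instance name and/or resource instance key (GroupName) in the configuration, but with different values for other resource instance fields (for example, MembersToInclude). This is not allowed in DSC by design, because the same resource instance (a Group in this case) cannot be in multiple states; it can only be in one state.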
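
The single-resource approach from the question, written out as a complete configuration that declares IIS_IUSRS once per node with the merged member list. This is an added example, not code from the question or the answer; the configuration name `IisUsersSingleGroup`, the resource name `IisIusrsMembers`, and the site and identity values are assumptions.

```powershell
# Constructed sample data: site names and identities are placeholders.
$cd = @{
    AllNodes = @(
        @{
            NodeName = "*"
            # Same settings as the configuration on this page. Outside Azure
            # Automation, set CertificateFile/Thumbprint instead so that the
            # credential is encrypted in the generated MOF.
            PSDscAllowPlainTextPassword = $true
            PSDscAllowDomainUser        = $true
        },
        @{
            NodeName = "localhost"
            WebSites = @(
                @{ Name = "app1"; AppPoolIdentity = "CONTOSO\App1AppPoolId" },
                @{ Name = "app2"; AppPoolIdentity = "CONTOSO\App2AppPoolId" },
                # app3 shares an identity with app1, in different letter case
                @{ Name = "app3"; AppPoolIdentity = "contoso\app1apppoolid" }
            )
        }
    )
}

Configuration IisUsersSingleGroup
{
    param ([Parameter(Mandatory)] [pscredential] $DomainCreds)

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.NodeName
    {
        # Collect every identity first. Sort-Object -Unique compares
        # case-insensitively, so the shared account appears only once.
        $members = @($Node.WebSites |
                     ForEach-Object { $_.AppPoolIdentity } |
                     Sort-Object -Unique)

        # One resource instance per key (GroupName): one desired state.
        Group IisIusrsMembers
        {
            GroupName        = "IIS_IUSRS"
            Credential       = $DomainCreds
            Ensure           = "Present"
            MembersToInclude = $members
        }
    }
}

# Compiles .\IisUsersSingleGroup\localhost.mof with a single Group resource.
IisUsersSingleGroup -ConfigurationData $cd -DomainCreds (Get-Credential) -Verbose
```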