Date post: 13-Jun-2018
Practical DevOps with Powershell

Yossi Sassi

Student Introduction

• Name

• Title/function

• Job responsibility

• Technical and professional experience with Windows, DevOps and Scripting languages

About this day

• Realizing Windows PowerShell’s importance

• Focuses on Windows PowerShell for DevOps

• Prerequisites

• Objectives

What we’ll talk about

• Scripting Basics & Concepts

• Introduction to Windows PowerShell: Management & Configuration capabilities

• Working with Azure & Office 365 (Cloud environments)

• Exploring PowerShell benefits for Management & Configuration capabilities (continued)

• Desired State Configuration

• PowerShellGet & PSReadLine

• Scripting Secure Operations (Digital Signatures, Execution Policies)

• Secure Remoting (PSSession-Configuration)

Introduction to Scripting

Basics & Concepts

What is an algorithm?

• A series of basic instructions for carrying out a complex task

• An algorithm must be unambiguous and clear

• Let's look at an example from everyday life, for instance an algorithm for delivering a pizza:

– Get the delivery address.

– Take the pizza from the shop.

– Drive to the customer's home (the delivery address).

– Hand over the pizza.

– Collect the money.

– Return to the shop.

• A script can be defined as an algorithm

Example

Operators

• An operator is a symbol that represents an operation

• An operand is a value on which the operation is performed

• For example, in the expression 1+2:

• The '+' sign is the operator, and it performs an operation on the operands (the numbers).

Conditions

• A Boolean expression is an expression whose value at a given moment can be true or false

• If the expression is true at the moment it is checked, only the left block is executed. Otherwise (the expression is false), only the right block is executed.

[Flowchart labels: Boolean expression; True block; False block; To the next node]

Loops

• A software operation that repeats itself a number of times, such as performing an action for a series of items.

• Recursion, or a recursive loop, re-invokes itself until some datum is received (a stop condition or the end of the data). The recursive loop includes an internal call to run the loop again, so the stop condition must be inside the loop for it to end.

Function

• An algorithm that forms part of another algorithm (a "script" within the "script")

• A predefined operation that can be used again and again.

Variable

• A temporary cell in memory that holds changing data

• Every variable must have a name

• Every variable has a 'type' (data type) that determines what kind of data it can hold, such as: integer, string, date, Boolean, etc.

• The variable's lifetime is the run time of the program (in this case, PowerShell). When the process is closed, the variable is deleted from memory.

Array

• A sequence of variables in memory, or alternatively, a collection of items/objects

• An array is itself a variable too

Parameters

• A variable required for a function to run

• PowerShell functions and cmdlets accept parameters, whose presence or value can be tested in order to perform different actions.

• A command/function can accept one or more parameters, or no parameters at all.

Introduction to Windows PowerShell:

Management & Configuration

Capabilities

Windows PowerShell Overview

• Used by Exchange first, today – everywhere.

• Functionality provided by commands:

• Cmdlets (pronounced “command-lets”)

• Functions

• Etc.

• v2.0 works with XP SP3. Others should use the latest version.

• Requires .NET Framework

PowerShell & .NET Framework

PowerShell

Notepad!

Visual Studio .NET

• Common Language Runtime

• Class Library

.NET Framework

OS (Windows)

H/W

.NET Namespaces

• Class Library logically organised in hierarchical groups

– Dot-separated names, starting with System or Microsoft namespace

– Physically installed in .NET assemblies (DLLs)

– Example: System.Data.SQLClient.SQLConnection()

PowerShell Versions

| Operating system | 2.0 | 3.0 / 4.0 | 5.0 |
|---|---|---|---|
| Windows XP | Available | No | No |
| Windows Server 2003 | Available | No | No |
| Windows Vista | Available | No | No |
| Windows Server 2008 | Available | Available with SP2 | No |
| Windows 7 | Installed | Available with SP1 | Download (need SP1) |
| Windows Server 2008 R2 | Installed | Available with SP2 | Download (need SP1) |
| Windows 8 | No | Installed | Download (8.1 only) |
| Windows Server 2012 | No | Installed | Download (2012 + 2012 R2) |

Windows 10 comes with PowerShell v5.0 installed

Windows PowerShell 2.0 requires .NET Framework 2.0 SP 1

Windows PowerShell 3.0 / 4.0 requires .NET Framework 4.x

Two Host Applications

• Console

• Basic command-line interface

• Maximum support for PowerShell features

• Not best for editing

• ISE

• Script editor + console + Commands add-on

• *Some* PowerShell features not supported

• Rich editing capabilities

• 3rd-party

• PowerGUI, PowerShell Plus, etc.

PowerShell version

• Use $PSVersionTable to determine the version of PowerShell

• Can also use $host.version

• Check out other useful automatic variables on the way

Familiar-Seeming Commands

• Familiar-seeming commands:

• Dir

• Cd

• Mkdir

• Type, etc.

• These are really aliases to PowerShell commands

• Try Get-Alias and Set-Alias

Learning Command Syntax

• Get-Help (or Help or Man)

• Use –ShowWindow to display help in a window

• Use –Example to see syntax examples

• Use –Online to go to updated help on microsoft.com

Command Syntax

Test-Connection -ComputerName SRV1 -Count 1

[Diagram labels: command name; parameters, each made up of a parameter name and a parameter value]

Multiple Parameter Values

• Designated by a [ ] indicator:

-ComputerName <string[]>

• Can separate by comma, variable, Get-Content and more!

Read text files

• Get-Content c:\windows\windowsupdate.log

• Can input into a variable, and use it

• Read log in real time:

Get-Content c:\temp\test.log -Wait -Tail 0

Working with the Pipeline

What Is the Pipeline?

• Each command’s output is the next command’s input

• Multiple commands are separated by a vertical pipe character (|); technically, there is no limit.

Discovering Object Members

• Object members include:

• Properties

• Methods

• Run a command that produces an object, and pipe that object to Get-Member (or gm) to see a list of members

• Can also use select * -first 1

Sorting Objects

• Commands determine their own default sort order

• Sort can re-sort objects in the pipeline

• Example of use:

• Get-Service | Sort Status -Descending

Measuring Objects

• Measure-Object accepts a collection of objects and counts them

• Add –Property to specify a single numeric property, and then add:

• -Average to calculate an average

• -Minimum to display the smallest value

• -Maximum to display the largest value

• -Sum to display the sum

Selecting a Subset of Properties

• This is one of two main uses for Select

• Use parameters to select the specified number of rows of the piped result:

• -First from the beginning

• -Last from the end

PowerShell as bytes calculator

• Use shortcuts to convert bytes into:

• KB kilobyte

• MB megabyte

• GB gigabyte

• TB terabyte

• PB petabyte

Performance measuring

Use Measure-Command

Calculated Properties: Using Hash Table

    @{
        n = 'PM in MB';
        e = { $PSItem.PM / 1MB }
    }

[Diagram labels: hash table; label key; label string value; semicolon; expression key; expression script block]

Converting Objects

• Supported formats include CSV, HTML, and XML

• Two verbs:

• ConvertTo changes the form of the data

• Export changes the form of the data and writes it to external storage

• Get-Command -Verb ConvertTo,Export

Filtering Syntax

• Use WHERE

• When you need 2 or more criteria, use $PSItem or $_ with the proper syntax

• Works in combination with operators

Comparison Operators

| Comparison | Case-insensitive | Case-sensitive |
|---|---|---|
| Equality | -eq | -ceq |
| Inequality | -ne | -cne |
| Greater than | -gt | -cgt |
| Less than | -lt | -clt |
| Greater than or equal to | -ge | -cge |
| Less than or equal to | -le | -cle |
| Wildcard equality | -like | -clike |
| Wildcard inequality | -notlike | -cnotlike |

Example: Filtering

    Get-Service | Where-Object -Filter { $PSItem.Status -eq 'Running' }

    Get-Service | Where { $_.Status -eq 'Running' }

    Get-Service | ? { $PSItem.Status -eq 'Running' }

Adding Multiple Criteria

• Use Boolean operators –and and –or to combine multiple comparisons into a single expression:

    # The operator stays at the end of the line so the expression continues onto the next one
    Get-Volume | Where-Object -Filter {
        $PSItem.HealthStatus -ne 'Healthy' -or
        $PSItem.SizeRemaining -lt 100MB
    }

Enumeration

• Use Foreach or % to loop through objects and perform custom actions

PSDrives

• Logical drives inside PowerShell

• Allows management by using familiar file system management commands

• Use PSProviders to adapt data stores to look like disk drives inside the shell

• Good solution for “one syntax multiple stores”, e.g. IIS, SQL, Exchange, AD, Registry, WSMan config and more!

WMI / CIM

• Veteran technology inside Windows

• Listing classes

• WMI vs. CIM

• Getting info vs. Invoking methods

Jobs

• Excellent for parallel tasks in the background

• PSJobs vs. Scheduled Jobs

• Integrate with Task Scheduler or directly in PowerShell (Pros and Cons)

Remoting

• Network connectivity vs. PSRemoting

• Architecture

• Configuration options (Enable-PSRemoting vs. Enterprise config)

• PowerShell Web Access

PSRemoting Architecture

[Diagram: PSRemoting architecture. Labels: Local Computer; WS-MAN Traffic; Remote Computer: WinRM, Listener (HTTP), Endpoint, Wsmprovhost, Windows PowerShell]

Powershell & Cloud Services

AGENDA

• Intro to Cloud Services Model

• Microsoft Cloud services

• PowerShell native API

• PowerShell & Rest API

• Use case & Demo

Intro to Cloud Services Model

Reference: http://robertgreiner.com/2014/03/windows-azure-iaas-paas-saas-overview/

Microsoft’s Cloud Services

• Office365 – Offers SaaS services, such as:

– Email

– CRM

– Web Portal

– Office Apps

• Azure – Offers SaaS\PaaS\IaaS Services such as:

– Virtual Machine (IaaS)

– Cognitive Services (SaaS)

PowerShell API

Native API

Based on official PowerShell native modules from Microsoft

Office365 – https://technet.microsoft.com/en-us/library/dn789037.aspx

Azure – https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/

3rd party Scripts & Modules can be found in central repos

https://www.powershellgallery.com

https://gallery.technet.microsoft.com/

https://github.com/Azure/azure-powershell

PowerShell Native API

PowerShell API – Azure Virtual Machines

PowerShell API Wrapper

• Used when there is no Native PS API available

• Contained interpreter for Web\Rest\c#\com

• Data returned in PowerShell Object format

Business Scenarios - DEMO

• Using Azure Cognitive Services and PowerShell for demonstration of the following use cases:

– Smart security cam

– Short-eye & Blind people smart vision device

Smart Security Camera

• Identify potential threat characteristics

– Age & Gender

https://geekeefy.wordpress.com/2016/02/21/powershell-project-oxford-image-age-and-gender-detection/

– Emotion

https://geekeefy.wordpress.com/2016/02/09/powershell-microsoft-project-oxford-image-emotion-detection/

Smart Security Camera - Advanced

• Automate Image Sending\Receiving

• Add business logic

• DEMO

Smart Vision Device - Demo

• Get a picture of the environment

• Analyze the picture with Azure Cognitive Services Vision API

• Get a text description of the image

• Use PowerShell to narrate the text with the System.Speech.Synthesis.SpeechSynthesizer class

Reference: https://learn-powershell.net/2013/12/04/give-powershell-a-voice-using-the-speechsynthesizer-class/

Desired State Configuration

Desired State Configuration

• Enables deploying and managing configuration data, and managing the environment in which these services are running

• DSC provides a set of Windows PowerShell language extensions, Windows PowerShell cmdlets, and resources that you can use to declaratively specify how you want your software environment to be configured.

• Applies to PowerShell 4.0 and 5.0 (v5.0 highly recommended!)

DSC Scenarios

• Enabling or disabling server roles and features

• Managing registry settings

• Managing files and directories

• Starting, stopping & managing processes and services

• Managing groups and user accounts

• Deploying new software

• Managing environment variables

DSC Scenarios (Cont.)

• Running Windows PowerShell scripts

• Fixing a configuration that has drifted away from the desired state

• Discovering the actual configuration state on a given node

DSC Concepts

• DSC is a declarative platform with 3 primary components:

• Configurations: declarative PowerShell scripts that define and configure instances of resources.

• Resources: the building blocks of DSC, modeling various components. They reside within PowerShell modules and can be written to model something as generic as a file or a Windows process, or as specific as an IIS server or a VM running in Azure.

• The Local Configuration Manager (LCM):

• The engine by which DSC facilitates the interaction between resources and configurations.

• Ensures that the state laid out by a Configuration is maintained.

• If the system is out of state, the LCM uses logic inside of the resources to “fix it back” according to the Configuration declaration.

• DSC data is either pulled or pushed to the Local Configuration Store

DSC Cmdlets

• PSDesiredStateConfiguration is the main module (includes Start-DscConfiguration, Set-DscLocalConfigurationManager and Get-DscResource).

• The xDscResourceDesigner module (found in the PowerShell Gallery) is a collection of cmdlets that simplify the development of DSC resources.

Configurations

    # Fixed target node name
    Configuration MyPCConfiguration {
        Node "PC1" {
            WindowsFeature Feature1 {
                Ensure = "Present"
                Name   = "RSAT"
            }
            WindowsFeature Feature2 {
                Ensure = "Present"
                Name   = "Bitlocker"
            }
        }
    }

    # Same configuration, with the target nodes passed as a parameter
    Configuration MyPCConfiguration {
        param( [string[]]$ComputerName = "localhost" )
        Node $ComputerName {
            WindowsFeature Feature1 {
                Ensure = "Present"
                Name   = "RSAT"
            }
            WindowsFeature Feature2 {
                Ensure = "Present"
                Name   = "Bitlocker"
            }
        }
    }

    Configuration MyWebsite
    {
        param ($ComputerName)
        Node $ComputerName
        {
            # Install the IIS Role
            WindowsFeature IIS
            {
                Ensure = "Present"
                Name   = "Web-Server"
            }
            # Install ASP.NET 4.5
            WindowsFeature ASP
            {
                Ensure = "Present"
                Name   = "Web-Asp-Net45"
            }
        }
    }

Compiling configurations

• Before you can apply a configuration, you have to compile it into a MOF document, e.g.

• Run the configuration (put into memory)

• MyPCConfiguration -ComputerName 'DevPC1'

• MOF file default location: C:\users\default\Documents\DSC Configurations\MyPCConfiguration
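The compile step above, followed by a push and a drift check, as an added example that is not part of the original slides. It goes one step past compiling to show the "drifted away from the desired state" and "discovering the actual configuration state" scenarios; the configuration name DriftDemo and the C:\DscDemo paths are assumptions made for the demo, and it uses the built-in File resource so it runs on any Windows PowerShell 5.x machine in an elevated session.

```powershell
# Added example, not from the original slides. Names and paths are constructed.
Configuration DriftDemo {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        File Banner {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = 'C:\DscDemo\banner.txt'
            Contents        = 'Managed by DSC - do not edit'
        }
    }
}

$mofDir = 'C:\DscDemo\Mof'

# 1. Compile: calling the configuration writes one <NodeName>.mof per node.
$mof = DriftDemo -OutputPath $mofDir
"Compiled: $($mof.FullName)"

# 2. Apply in push mode and wait for the LCM to finish.
Start-DscConfiguration -Path $mofDir -Wait -Force -Verbose

# 3. Simulate drift: change the managed file outside of DSC.
Set-Content -Path 'C:\DscDemo\banner.txt' -Value 'tampered'

# 4. Discover the actual state: compare the node against the applied MOF.
$result = Test-DscConfiguration -Detailed
"In desired state: $($result.InDesiredState)"
$result.ResourcesNotInDesiredState | Select-Object ResourceId, InDesiredState

# 5. Correct the drift by re-applying the current configuration, then re-check.
Start-DscConfiguration -UseExisting -Wait -Verbose
Test-DscConfiguration
```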

DependsOn

    Configuration MyPCConfiguration {
        Node "PC1" {
            Group Group1 {
                Ensure    = "Present"
                GroupName = "DevGroup"
            }
            User User1 {
                Ensure    = "Present"
                UserName  = "DevUser"
                FullName  = "Development User"
                # The user is only processed after the Group1 resource
                DependsOn = "[Group]Group1"
            }
        }
    }

Resources

• Resources must be placed in $env:PSModulePath in order to be recognized by the LCM.

• Get-DscResource can be used to determine what resources are installed on the system.

• Use Import-DscResource within configuration block (it is not a cmdlet) to load:

• ModuleName (recommended way)

• Name (The name of the class resource to import. This is not the friendly name returned as "Name" by Get-DscResource, but the class name)

Built-in Resources

• Archive Resource

• Environment Resource

• File Resource

• Group Resource

• Log Resource

• Package Resource

• Registry Resource

• Script Resource

• Service Resource

• User Resource

• WindowsFeature Resource

• WindowsProcess Resource

• More info here

Writing custom resources

• Can create MOF file, in C# or directly in PowerShell

• In PowerShell v5 – with Classes – it’s the simplest way.

• Read more here


DSC Resources for Linux

• nxArchive Resource--Provides a mechanism to unpack archive (.tar, .zip) files at a specific path.

• nxEnvironment Resource--Manages environment variables on target nodes.

• nxFile Resource--Manages Linux files and directories.

• nxFileLine Resource--Manages individual lines in a Linux file.

• nxGroup Resource--Manages local Linux groups.

• nxPackage Resource--Manages packages on Linux nodes.

• nxScript Resource--Runs scripts on target nodes.

• nxService Resource--Manages Linux services (daemons).

• nxSshAuthorizedKeys Resource--Manages public ssh keys for a Linux user.

• nxUser Resource--Manages local Linux users.

Local Configuration Manager

• The LCM is in charge of:

• Determining refresh mode (push or pull).

• Specifying how often a node pulls and applies configurations.

• Associating the node with pull servers.

• Specifying partial configurations.

Creating a custom LCM

    [DSCLocalConfigurationManager()]
    Configuration LCMconfig {
        Node localhost {
            Settings
            {
                RefreshMode = 'Push'
            }
        }
    }

To apply LCM config

• Use the Set-DscLocalConfigurationManager cmdlet, supplying the path to the configuration MOF as a parameter.

• After you apply the configuration, you can see the properties of the LCM by calling the Get-DscLocalConfigurationManager cmdlet. *

More LCM Config blocks (except settings)

• ConfigurationRepositoryWeb: specifies an HTTP pull server for configurations.

• ConfigurationRepositoryShare: specifies an SMB pull server for configurations.

• ResourceRepositoryWeb: specifies an HTTP pull server for modules.

• ResourceRepositoryShare: specifies an SMB pull server for modules.

• ReportServerWeb: specifies an HTTP pull server to which reports are sent.

• PartialConfiguration: specifies partial configurations.

Pull Server

• A pull server is either an OData web service or an SMB share that is used as a central location for DSC files.

• Server 2012 R2 running:

• WMF/PowerShell 5.0

• IIS server role

• DSC Service

• Ideally, with means to generate a certificate, to secure credentials passed to the Local Configuration Manager (LCM) on target nodes

Configuring a Pull Server

• Easiest way is to use the xWebService resource, included in the xPSDesiredStateConfiguration module:

• Install-Module xPSDesiredStateConfiguration

• Get an SSL certificate for the DSC Pull server from a trusted Certificate Authority.

• Install the certificate on the node that will become the DSC Pull server in the default location, which should be CERT:\LocalMachine\My. Make a note of the certificate thumbprint.

Configuring a Pull Server (cont.)

• Select a GUID to be used as the Registration Key. (You can generate one using PowerShell - [guid]::newGuid().) This key will be used by client nodes as a shared key to authenticate during registration.

• For more information, see here.

• Sample script *
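The client side of the pull setup described above, as an added example that is not the sample script from the original slides: an LCM meta-configuration that registers a node with an HTTPS pull server using the shared registration key. The server URL, output path and configuration name are placeholders chosen for illustration.

```powershell
# Added example, not from the original slides. Run elevated on the target node.
# Assumptions: the pull server URL, C:\DscDemo\Lcm and 'MyPCConfiguration' are placeholders.
[DSCLocalConfigurationManager()]
Configuration PullClientLcm {
    param(
        [Parameter(Mandatory)][string]$PullServerUrl,
        [Parameter(Mandatory)][string]$RegistrationKey   # the GUID chosen on the pull server
    )
    Node localhost {
        Settings {
            RefreshMode          = 'Pull'
            RefreshFrequencyMins = 30
            ConfigurationMode    = 'ApplyAndAutoCorrect'
            RebootNodeIfNeeded   = $false
        }
        ConfigurationRepositoryWeb PullServer {
            ServerURL               = $PullServerUrl
            RegistrationKey         = $RegistrationKey
            ConfigurationNames      = @('MyPCConfiguration')
            AllowUnsecureConnection = $false   # refuse plain-HTTP pull servers
        }
        ReportServerWeb PullServerReports {
            ServerURL       = $PullServerUrl
            RegistrationKey = $RegistrationKey
        }
    }
}

$url = 'https://pull.example.test:8080/PSDSCPullServer.svc'   # placeholder URL
if ($url -notmatch '^https://') { throw 'Pull server URL must use HTTPS' }

# Prompt for the shared key instead of storing it in the script.
$key = Read-Host -Prompt 'Registration key'

# Compile to localhost.meta.mof and hand it to the LCM.
$lcmDir = 'C:\DscDemo\Lcm'
PullClientLcm -PullServerUrl $url -RegistrationKey $key -OutputPath $lcmDir
Set-DscLocalConfigurationManager -Path $lcmDir -Verbose

# The compiled meta MOF contains the registration key in clear text; remove it.
Remove-Item -Path $lcmDir -Recurse -Force

# Confirm what the node is now configured to do.
Get-DscLocalConfigurationManager |
    Select-Object RefreshMode, ConfigurationMode, RefreshFrequencyMins
(Get-DscLocalConfigurationManager).ConfigurationDownloadManagers |
    Select-Object ServerURL, AllowUnsecureConnection
```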

Secure DevOps

Execution Policy

• Execution policy settings:

• Restricted (default)

• AllSigned

• RemoteSigned

• Unrestricted

Can be changed using:

• Set-ExecutionPolicy command

• Group Policy Object

• –ExecutionPolicy parameter of PowerShell.exe

Running Scripts

• It’s all about trust.

Signing Scripts

• Provides trust through Digital Certificates

• PKI basics overview

• Use Set-AuthenticodeSignature to sign scripts and make sure they cannot be changed without invalidating the signature

• How to deploy Script Security in the organization
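What the Execution Policy and Signing Scripts slides describe, as an added example that is not part of the original slides: sign a script, verify it, edit it, and verify again, then gate execution on the signature status and signer. The script path and the Test-ScriptTrusted helper are hypothetical, and the example assumes a code-signing certificate trusted by this machine already exists in the current user's store.

```powershell
# Added example, not from the original slides. Paths and names are constructed.
$script = Join-Path $env:TEMP 'Deploy-Demo.ps1'
Set-Content -Path $script -Value 'Write-Output "deploying build 42"'

# Policy per scope; a Group Policy scope takes precedence over Set-ExecutionPolicy.
Get-ExecutionPolicy -List

# Pick a code-signing certificate (Code Signing EKU plus private key).
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

# Sign the script; the signature block is appended to the file as comments.
Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256 |
    Out-Null

$before = Get-AuthenticodeSignature -FilePath $script
"After signing: $($before.Status) - $($before.StatusMessage)"

# Change one character of the body: the content no longer matches the signed hash.
(Get-Content -Path $script -Raw) -replace 'build 42', 'build 43' |
    Set-Content -Path $script
$after = Get-AuthenticodeSignature -FilePath $script
"After editing: $($after.Status) - $($after.StatusMessage)"

# Hypothetical helper for a deployment step: run only scripts whose signature is
# valid AND whose signer is on an explicit allow-list of certificate thumbprints.
function Test-ScriptTrusted {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$AllowedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    ($sig.Status -eq 'Valid') -and
        ($sig.SignerCertificate.Thumbprint -in $AllowedThumbprint)
}

if (Test-ScriptTrusted -Path $script -AllowedThumbprint $cert.Thumbprint) {
    & $script
} else {
    Write-Warning "Refusing to run $script: signature is not valid or signer is not allowed"
}
```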

It helps that…

• .ps1 extension defaults to notepad

• Scripts must be run by using a relative or absolute path

• .\Myscript.ps1

Secure Remote Administration

• There are great capabilities when it comes to Remote operations with PowerShell

• Encrypt session content (HTTPS)

• Limit session to specific users, IP addresses, hosts, scripts, even commands

• To be discussed later in ‘Remote administration’
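One way to build the restricted session described above with a PSSession configuration, as an added example that is not part of the original slides. The endpoint name ServiceOps, the group CONTOSO\ServiceOperators, the host srv1.example.test and the transcript path are assumptions, and the HTTPS WinRM listener is assumed to be configured already.

```powershell
# Added example, not from the original slides. Run steps 1-4 elevated on the server.
$psscPath      = Join-Path $env:ProgramData 'ServiceOps.pssc'
$transcriptDir = 'C:\Transcripts\ServiceOps'
New-Item -ItemType Directory -Path $transcriptDir -Force | Out-Null

# 1. Describe the endpoint: no script language, two visible cmdlets, transcripts on.
$fileParams = @{
    Path                = $psscPath
    SessionType         = 'RestrictedRemoteServer'
    LanguageMode        = 'NoLanguage'
    ExecutionPolicy     = 'AllSigned'
    VisibleCmdlets      = 'Get-Service', 'Restart-Service'
    TranscriptDirectory = $transcriptDir
}
New-PSSessionConfigurationFile @fileParams
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file failed validation: $psscPath"
}

# 2. Limit who may connect: an SDDL that grants access to a single group.
$account = [System.Security.Principal.NTAccount]'CONTOSO\ServiceOperators'
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl    = "O:NSG:BAD:P(A;;GA;;;$sid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"

# 3. Register the endpoint (this restarts the WinRM service).
$regParams = @{
    Name                   = 'ServiceOps'
    Path                   = $psscPath
    SecurityDescriptorSddl = $sddl
    Force                  = $true
}
Register-PSSessionConfiguration @regParams

# 4. Review what is exposed and to whom.
Get-PSSessionConfiguration -Name 'ServiceOps' | Select-Object Name, Permission

# 5. From an operator workstation: connect over HTTPS to the constrained endpoint
#    and list the commands it exposes.
$session = New-PSSession -ComputerName 'srv1.example.test' -UseSSL -ConfigurationName 'ServiceOps'
Invoke-Command -Session $session -ScriptBlock { Get-Command }
Remove-PSSession -Session $session
```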

