Create DSC Configuration dynamically

TLDR; What is the best way to create a DSC configuration file dynamically?

I am tasked with maintaining a complex folder structure including permissions. This is currently done with custom PowerShell modules. The problems arise when changes are made to the folder structure itself.

Using DSC would eliminate the compliance aspect of the problem. Generating a DSC Configuration for 20k folders by hand is absolutely out of the question. I would like to create the DSC configuration from some input via PowerShell. That way, changes can be introduced in a timely manner and applied once the DSC configuration has been reviewed.

Or am I completely on the wrong track and I can just generate the structure from input within the DSC configuration?

It's not pretty, but I do stuff like below for NTFS permissions, where you may need to expand if you set no subfolder access, etc. I didn't see an easy way to create the configuration dynamically so I repurpose with different params set. Obviously this is 5 years later so you've probably come up with something. The switches up top are basically to replace variables from your node definition file.

    # Fragment meant to sit inside a Configuration, where $Node and $ConfigurationData are defined
    Function NtfsPermissions
    {
        Param (
            [Parameter(Mandatory=$true)]
            [ValidateSet("Present","Absent")]
            [string]$Ensure,
            [Parameter(Mandatory=$true)]
            [string]$Account,
            [Parameter(Mandatory=$true)]
            [string]$Path,
            [string[]]$FileSystemRights,
            [string]$Inheritance,
            [string]$Depends
        )
        # Switches are used to dynamically replace accounts and paths that can't be set in the node definition file
        switch ($Account)
        {
            "SQLAGENT"
            {
                $Account = $Node.gSqlAgt
                break
            }
            "SQLSVC"
            {
                $Account = $Node.gSqlSvc
                break
            }
            "SQLIS"
            {
                $Account = $Node.gSqlIs
                break
            }
        }
        switch ($Path)
        {
            "AuditPath"
            {
                $Path = $Node.AuditPath
                break
            }
            "LogDir"
            {
                $Path = $Node.LogDir
                break
            }
            "DataDir"
            {
                $Path = $Node.DataDir
                break
            }
            "TempdbDir"
            {
                $Path = $Node.TempdbDir
                break
            }
        }
        if ($Ensure -ne "Absent")
        {
            # Resource name is account + path, with ':' replaced so it is a usable identifier
            cNtfsPermissionEntry $($Account + $Path.Replace(':','_'))
            {
                Ensure = $Ensure
                Path = $Path
                Principal = $Account
                AccessControlInformation = @(
                    cNtfsAccessControlInformation
                    {
                        AccessControlType = 'Allow'
                        FileSystemRights = $FileSystemRights
                        Inheritance = $Inheritance
                        NoPropagateInherit = $false
                    }
                )
                DependsOn = $("[File]$Depends")
            }
        }
        else
        {
            # Absent: remove the principal's entry, so no access control information is passed
            cNtfsPermissionEntry $($Account + $Path.Replace(':','_'))
            {
                Ensure = $Ensure
                Path = $Path
                Principal = $Account
                # Need depends on, just not sure how to structure yet
                DependsOn = "[File]" + $Depends
            }
        }
    }
    $NtfsEntries = $ConfigurationData.NonNodeData.Roles.($Node.Role[0]).NtfsPerms # Need to find a better approach to reference Role
    foreach ($ntfs in $NtfsEntries) {
        NtfsPermissions -Ensure $ntfs[0] -Account $ntfs[1] -Path $ntfs[2] -FileSystemRights $ntfs[3] -Inheritance $ntfs[4] -Depends $ntfs[5]
    }

When you write your DSC configuration, it's a script that gets executed at design time to ultimately generate the MOF file. So you can do something like this:

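    Configuration Folders {

        # Runs once, when the configuration is compiled to a MOF
        Get-Content 'myfolderlist.txt' | ForEach-Object {

            File $($_ -replace '\\','_')
            {
                DestinationPath = $_
                Type = "Directory"   # File defaults to Type = "File"; the list holds folders
                Ensure = "Present"
            }
        }
    }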

This doesn't address permissions, but it shows how a loop can be used in a DSC configuration. The important thing to remember here is that what this will do, is generate a static configuration (MOF) file with 20k File resources at design time. The loop doesn't get run (nor is it at all present) when DSC is running.

DSC is not the fastest thing.. doing a test/set on 20,000 resources is likely to be really slow and somewhat resource intensive. I kind of feel like this might not be the tool for the job.

Or, you could create a custom DSC resource that does all the logic of testing and setting the folder structure and permissions, so it happens all in one resource.

Essentially then this is a glorified scheduled task, but that might be ok, especially if you want to use DSC in a wider sense. There are lots of articles (and books) out there about how to create a custom resource if you want to take a look at those.
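
Combining the two answers, as an added example that is not part of the original posts: a configuration that loops over a reviewed input list at compile time, validates it, and emits one File resource per folder plus one cNtfsPermissionEntry per access entry. It assumes the cNtfsPermissionEntry resource from the first answer is provided by the cNtfsAccessControl module, installed on the authoring machine; the CSV columns, account names and the FolderTree name are constructed for illustration.

```powershell
# Added example. Assumption: cNtfsPermissionEntry is provided by the cNtfsAccessControl module.
# Constructed sample input; in practice this is the reviewed file kept in source control.
$rows = @'
Path,Principal,Rights,Inheritance
D:\Shares\Finance,CONTOSO\Finance-RW,Modify,ThisFolderSubfoldersAndFiles
D:\Shares\Finance,CONTOSO\Finance-RO,ReadAndExecute,ThisFolderSubfoldersAndFiles
D:\Shares\HR,CONTOSO\HR-RW,Modify,ThisFolderOnly
'@ | ConvertFrom-Csv

# Fail at compile time on bad input instead of producing a MOF that grants something unintended.
$validRights = [Enum]::GetNames([System.Security.AccessControl.FileSystemRights])
foreach ($row in $rows) {
    if (-not [System.IO.Path]::IsPathRooted($row.Path)) { throw "Relative path: $($row.Path)" }
    if ($row.Rights -notin $validRights) { throw "Unknown right '$($row.Rights)' on $($row.Path)" }
}

Configuration FolderTree {
    param ([Parameter(Mandatory = $true)] [object[]]$Rows)

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName cNtfsAccessControl

    Node 'localhost' {
        # One File resource per distinct folder.
        foreach ($path in ($Rows.Path | Sort-Object -Unique)) {
            $folderId = $path -replace '\W', '_'
            File $folderId {
                DestinationPath = $path
                Type            = 'Directory'
                Ensure          = 'Present'
            }
        }
        # One permission entry per (principal, folder) row, applied after the folder exists.
        foreach ($row in $Rows) {
            $folderId = $row.Path -replace '\W', '_'
            $aceId    = ($row.Principal -replace '\W', '_') + '_' + $folderId
            cNtfsPermissionEntry $aceId {
                Ensure    = 'Present'
                Path      = $row.Path
                Principal = $row.Principal
                AccessControlInformation = @(
                    cNtfsAccessControlInformation {
                        AccessControlType  = 'Allow'
                        FileSystemRights   = $row.Rights
                        Inheritance        = $row.Inheritance
                        NoPropagateInherit = $false
                    }
                )
                DependsOn = "[File]$folderId"
            }
        }
    }
}
# Writes .\FolderTree\localhost.mof; review that file before applying it.
FolderTree -Rows $rows -OutputPath .\FolderTree
```

Two rows that sanitize to the same resource name stop the compile with a duplicate resource identifier error, so colliding input is caught before anything is applied.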
