|
| 1 | +--- |
| 2 | +title: Planning a change from Desired State Configuration extension for Linux to guest configuration |
| 3 | +description: Guidance for moving from Desired State Configuration extension to the guest configuration feature of Azure Policy. |
| 4 | +ms.date: 02/04/2022 |
| 5 | +ms.topic: how-to |
| 6 | +--- |
| 7 | +# Planning a change from Desired State Configuration extension for Linux to guest configuration |
| 8 | + |
| 9 | +Guest configuration is the latest implementation of functionality that has been provided by the |
| 10 | +PowerShell Desired State Configuration (DSC) extension for Linux virtual machines in Azure. When possible, |
| 11 | +you should plan to move your content and machines to the new service. This article provides guidance |
| 12 | +on developing a migration strategy. |
| 13 | + |
| 14 | +New features in guest configuration: |
| 15 | + |
| 16 | +- Advanced reporting through Azure Resource Graph including resource ID and state |
| 17 | +- Manage multiple configurations for the same machine |
| 18 | +- When machines drift from the desired state, you control when remediation occurs |
| 19 | +- Linux machines consume PowerShell-based DSC resources |
| 20 | + |
| 21 | +Before you begin, it's a good idea to read the conceptual overview information at the page |
| 22 | +[Azure Policy's guest configuration](../concepts/guest-configuration.md). |
| 23 | + |
| 24 | +## Major differences |
| 25 | + |
| 26 | +Configurations are deployed through DSC extension for Linux in a "push" model, where the operation |
| 27 | +is completed asynchronously. The deployment doesn't return until the configuration has finished |
| 28 | +running inside the virtual machine. After deployment, no further information is returned to ARM. |
| 29 | +The monitoring and drift are managed within the machine. |
| 30 | + |
| 31 | +Guest configuration processes configurations in a "pull" model. The extension is |
| 32 | +deployed to a virtual machine and then jobs are executed based on guest assignment details. it's |
| 33 | +not possible to view the status while the configuration in real time as it's being applied inside |
| 34 | +the machine. it's possible to monitor and correct drift from Azure Resource Manager (ARM) after the |
| 35 | +configuration is applied. |
| 36 | + |
| 37 | +The DSC extension included "privateSettings" where secrets could be passed to the configuration such |
| 38 | +as passwords or shared keys. Secrets management hasn't yet been implemented for guest configuration. |
| 39 | + |
| 40 | +### Considerations for whether to migrate existing machines or only new machines |
| 41 | + |
| 42 | +Guest configuration uses DSC version 3 with PowerShell version 7. DSC version 3 can coexist with |
| 43 | +older versions of DSC in |
| 44 | +[Linux](/powershell/dsc/getting-started/lnxgettingstarted). |
| 45 | +The implementations are separate. However, there's no conflict detection. |
| 46 | + |
| 47 | +For machines that will only exist for days or weeks, update the deployment templates and switch from |
| 48 | +DSC extension to guest configuration. After testing, use the updated templates to build future |
| 49 | +machines. |
| 50 | + |
| 51 | +If a machine is planned to exist for months or years, you might choose to change which configuration |
| 52 | +features of Azure manage the machine, to take advantage of new features. |
| 53 | + |
| 54 | +it isn't advised to have both platforms manage the same configuration. |
| 55 | + |
| 56 | +## Understand migration |
| 57 | + |
| 58 | +The best approach to migration is to recreate, test, and redeploy content first, and then use the |
| 59 | +new solution for new machines. |
| 60 | + |
| 61 | +The expected steps for migration are: |
| 62 | + |
| 63 | +- Download and expand the .zip package used for DSC extension |
| 64 | +- Examine the Managed Object Format (MOF) file and resources to understand the scenario |
| 65 | +- Create custom DSC resources in PowerShell classes |
| 66 | +- Update the MOF file to use the new resources |
| 67 | +- Use the guest configuration authoring module to create, test, and publish a new package |
| 68 | +- Use guest configuration for future deployments rather than DSC extension |
| 69 | + |
| 70 | +#### Consider decomposing complex configuration files |
| 71 | + |
| 72 | +Guest configuration can manage multiple configurations per machine. Many configurations written for |
| 73 | +DSC extension for Linux assumed the limitation of managing a single configuration per |
| 74 | +machine. To take advantage of the expanded capabilities offered by guest configuration, large |
| 75 | +configuration files can be divided into many smaller configurations where each handles a specific |
| 76 | +scenario. |
| 77 | + |
| 78 | +There's no orchestration in guest configuration to control the order of how configurations are |
| 79 | +sorted. Keep steps in a configuration together in one package if they're required to happen |
| 80 | +sequentially. |
| 81 | + |
| 82 | +### Test content in Azure guest configuration |
| 83 | + |
| 84 | +Read the page |
| 85 | +[How to create custom guest configuration package artifacts](./guest-configuration-create.md). |
| 86 | +to evaluate whether your content from DSC extension can be used with guest configuration. |
| 87 | + |
| 88 | +When you reach the step |
| 89 | +[Author a configuration](./guest-configuration-create.md#author-a-configuration), |
| 90 | +use the MOF file from the DSC extension package as the basis for creating a new MOF file and |
| 91 | +custom DSC resources. You must have the custom PowerShell modules available in `PSModulePath` |
| 92 | +before you can create a guest configuration package. |
| 93 | + |
| 94 | +#### Update deployment templates |
| 95 | + |
| 96 | +If your deployment templates include the DSC extension |
| 97 | +(see [examples](/virtual-machines/extensions/dsc-template.md)), |
| 98 | +there are two changes required. |
| 99 | + |
| 100 | +First, replace the DSC extension with the |
| 101 | +[extension for the guest configuration feature](/virtual-machines/extensions/guest-configuration.md). |
| 102 | + |
| 103 | +Then, add a |
| 104 | +[guest configuration assignment](../concepts/guest-configuration-assignments.md) |
| 105 | +that associates the new configuration package (and hash value) with the machine. |
| 106 | + |
| 107 | +#### Older "nx" modules for Linux DSC are not compatible with DSCv3 |
| 108 | + |
| 109 | +The modules that shipped with DSC for Linux on GitHub were created in the C programming language. |
| 110 | +In the latest version of DSC, which is used by the guest configuration feature, modules |
| 111 | +for Linux are written in PowerShell classes. Meaning, none of the original resources are compatible |
| 112 | +with the new platform. |
| 113 | + |
| 114 | +As a result, new Linux packages will require custom module development. |
| 115 | + |
| 116 | +#### Will I have to add "Reasons" property to custom resources? |
| 117 | + |
| 118 | +Implementing the |
| 119 | +["Reasons" property](../concepts/guest-configuration-custom.md#special-requirements-for-get) |
| 120 | +provides a better experience when viewing the results of a configuration assignment from the Azure |
| 121 | +Portal. If the `Get` method in a module doesn't include "Reasons", generic output is returned with |
| 122 | +details from the properties returned by the `Get` method. Therefore, it's optional for migration. |
| 123 | + |
| 124 | +### Removing a configuration the was assigned in Linux by DSC extension |
| 125 | + |
| 126 | +In previous versions of DSC, the DSC extension assigned a configuration through the Local |
| 127 | +Configuration Manager. It's recommended to remove the DSC extension and reset |
| 128 | +LCM. |
| 129 | + |
| 130 | +> [!IMPORTANT] |
| 131 | +> Removing a configuration in Local Configuration Manager doesn't "roll back" |
| 132 | +> the settings in Linux that were set by the configuration. The |
| 133 | +> action of removing the configuration only causes the LCM to stop managing |
| 134 | +> the assigned configuration. The settings remain in place. |
| 135 | +
|
| 136 | +Use the `Remove.py` script as documented in |
| 137 | +[Performing DSC Operations from the Linux Computer](https://github.com/Microsoft/PowerShell-DSC-for-Linux#performing-dsc-operations-from-the-linux-computer) |
| 138 | + |
| 139 | +## Next steps |
| 140 | + |
| 141 | +- [Create a package artifact](./guest-configuration-create.md) |
| 142 | + for guest configuration. |
| 143 | +- [Test the package artifact](./guest-configuration-create-test.md) |
| 144 | + from your development environment. |
| 145 | +- [Publish the package artifact](./guest-configuration-create-publish.md) |
| 146 | + so it's accessible to your machines. |
| 147 | +- Use the `GuestConfiguration` module to |
| 148 | + [create an Azure Policy definition](./guest-configuration-create-definition.md) |
| 149 | + for at-scale management of your environment. |
| 150 | +- [Assign your custom policy definition](../assign-policy-portal.md) using |
| 151 | + Azure portal. |
| 152 | +- Learn how to view |
| 153 | + [compliance details for guest configuration](./determine-non-compliance.md#compliance-details-for-guest-configuration) assignments. |
0 commit comments