ARM deployment completes successfully while DSC configuration is still working

jeremyahagan 6

I have a DSC extension intended to bootstrap and harden my Azure VMs. It includes several steps which require a reboot. The LCM is configured to reboot automatically and to continue configuration after the reboot. It appears that the DSC extension doesn't realise that the DSC is still in progress after the first reboot.

The problem with this is that if I want to apply further customisation through the custom script extension it will go ahead an attempt to deploy that script while the DSC configuration is still going and the server will reboot several more times.

As an aside, I can't remove the reboots since some of the DSC components which install software via MSI fail if there is a pending reboot.

Is there a way to handle this or is it a bug in the current version (2.83.5) of the DSC extension?

Mounika Reddy Anumandla 235 Reputation points Microsoft Vendor

2024-08-30T05:38:07.2+00:00

Hi jeremyahagan,

Just checking in to see if you had a chance to see my response to your question. Please tell us if it was helpful and feel free to reach out to us if you have any queries.

If you feel that your queries have been resolved, please accept the answer by clicking the "Upvote" and "Accept Answer" on the post.
Mounika Reddy Anumandla 235 Reputation points Microsoft Vendor

2024-09-02T05:30:04.8033333+00:00

Hi jeremyahagan,

Just checking in to see if you had a chance to see my response to your question. Please tell us if it was helpful and feel free to reach out to us if you have any queries.

If you feel that your queries have been resolved, please accept the answer by clicking the "Upvote" and "Accept Answer" on the post.

3 answers

Mounika Reddy Anumandla 235 Reputation points Microsoft Vendor

2024-08-29T07:14:56.2+00:00

Hi jeremyahagan,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

Issue: When you’re using Azure DSC (Desired State Configuration) to set up and secure your VMs, some steps require the VM to reboot. The Local Configuration Manager (LCM) is set to automatically reboot and continue the configuration after each reboot. However, the DSC extension doesn’t always recognize that the configuration is still in progress after the first reboot. The server might end up in an unstable state because both DSC and the Custom Script Extension are trying to make changes simultaneously. Multiple reboots can disrupt the Custom Script Extension’s execution, causing it to fail or produce unexpected results.

Suggested Workarounds: To avoid this, you need a way to ensure that the Custom Script Extension only runs after the DSC configuration is completely finished. This can be achieved by using coordination mechanisms like flag files, registry keys, or breaking down the DSC configuration into smaller, sequential steps.

1. Using Flag Files: You can create a flag file at the end of your DSC configuration to signal completion. The Custom Script Extension can then check for this file before proceeding.
https://video2.skills-academy.com/en-us/powershell/dsc/reference/resources/windows/fileresource?view=dsc-1.1

2. Using Registry Keys: You can use the DSC Registry Resource to set a registry key once the configuration is complete. The Custom Script Extension can check this registry key before running. Documentation: https://video2.skills-academy.com/en-us/powershell/dsc/reference/resources/windows/registryresource?view=dsc-1.1

3.Breaking Down DSC Configurations: Consider breaking down your DSC configuration into smaller, sequential steps. Each step can set a flag or registry key that the next step or the Custom Script Extension can check.

General DSC Documentation: https://video2.skills-academy.com/en-us/powershell/dsc/reference/microsoft/windows/registry/overview?view=dsc-3.0

This article provides information about each version of the Azure DSC VM extension, what environments it supports, and comments and remarks on new features or changes.
https://video2.skills-academy.com/en-us/azure/automation/automation-dsc-extension-history

If the above suggestion is helpful, please click "Upvote it."
Please sign in to rate this answer.
jeremyahagan 6 Reputation points

2024-09-05T06:50:15.38+00:00

Thanks for the reply. For some reason I never got an email about this. Can you explain how the CSE knows to wait for the flag existence? I imagine that if the CSE executes and the main script is waiting and then the machine reboots that the CSE will fail.

Mounika Reddy Anumandla 235 Reputation points Microsoft Vendor

2024-09-05T08:42:18.5166667+00:00

Hi jeremyahagan,

Thank you for reaching us again.

You can configure the Custom Script Extension (CSE) to wait for a flag file by incorporating a check within your script. You'll need to create a custom script that meets your specific requirements.

You can incorporate a while loop which continuously checks for the existence of the flag file every 10 seconds or 5seconds. Once the flag file is detected, the script proceeds with the rest of its tasks.

You can place this script in your CSE configuration, ensuring that it only runs after the DSC configuration is complete and the flag file is created. This way, the CSE will wait until the DSC process is fully finished before executing its own tasks.

jeremyahagan 6 Reputation points

2024-09-05T22:20:50.78+00:00

If the flag is inside the script then the CSE has already kicked off. Then if DSC reboots AFTER the CSE starts then it wont start again once the machine starts up. It will just throw an error right?

Mounika Reddy Anumandla 235 Reputation points Microsoft Vendor

2024-09-06T04:36:23.55+00:00

Hi jeremyahagan,

Thank you for reaching out again.

It looks like the workarounds I suggested earlier might not have fully met your needs. Here is a more detailed information.
The DSC extension doesn't have a built-in mechanism to notify the Custom Script Extension that the DSC configuration is still in progress after a reboot. One possible solution is to use a coordination mechanism, such as a flag file, to signal the completion of the DSC configuration. As I mentioned earlier, you can create a flag file at the end of your DSC configuration to signal completion.
you can create a flag file using the File resource in DSC:
The File resource in Windows PowerShell Desired State Configuration (DSC) provides a mechanism to manage files and folders on the target node. DestinationPath and SourcePath must both be accessible by the target Node.
https://video2.skills-academy.com/en-us/powershell/dsc/reference/resources/windows/fileresource?view=dsc-1.1

In your Custom Script Extension, you can then check for the existence of this file before running your script. You can incorporate a while loop which continuously checks for the existence of the flag file every 10 seconds or 5seconds. Once the flag file is detected, the script proceeds with the rest of its tasks. This approach ensures that the Custom Script Extension only runs after the DSC configuration is completely finished.

If you have any further queries, do let us know.

jeremyahagan 6 Reputation points

2024-09-11T06:09:39.9966667+00:00

Hi,

I understand what you are saying, but it doesn't make sense. The pipeline is as follows:

VM is deployed

VM joins the domain (domain join extension)

DSC extension kicks off

DSC configuration requires several reboots

While the DSC configuration is still in progress, the DSC extension gracefully exits and the pipeline continues. So the flag file would not yet exist

CSE kicks off an waits for the existence of the flag file

DSC reboots the machine again

DSC writes the flag file

CSE has already failed since it won't retry after the script exits ungracefully.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more
Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

ARM deployment completes successfully while DSC configuration is still working

3 answers

Your answer