win_dsc: fails to serialize properties into CimInstance #15

Open
jborean93 opened this issue Mar 11, 2020 · 16 comments

@jborean93
Collaborator

From @rukas on Aug 10, 2018 18:48

SUMMARY

Using win_dsc results in the following error: Failed to serialize properties into CimInstance.

The same configuration in pure DSC works without issue:

        xIEEsc DisableIEEscAdmin {
            IsEnabled = $false
            UserRole  = "Administrators"   
        }

ISSUE TYPE

  • Bug Report

COMPONENT NAME

  • win_dsc

ANSIBLE VERSION

2.6.2

CONFIGURATION

DEFAULT_FORKS(/opt/devops-ansible/playbooks/test/ansible.cfg) = 40
DEFAULT_HOST_LIST(/opt/devops-ansible/playbooks/test/ansible.cfg) = [u'/opt/devops-ansible/playbooks/test/hosts.yml']
DEFAULT_LOG_PATH(/opt/devops-ansible/playbooks/test/ansible.cfg) = /opt/devops-ansible/playbooks/test/playbook.log
PERSISTENT_CONNECT_TIMEOUT(/opt/devops-ansible/playbooks/test/ansible.cfg) = 30

OS / ENVIRONMENT

From Ubuntu 16.04.2
Managing Server 2016

STEPS TO REPRODUCE

hosts.yml

sql:
  hosts:
    10.2.1.6:
      ansible_winrm_server_cert_validation: ignore
      ansible_connection: winrm
      ansible_user: "some user"
      ansible_password: "some vault password"

test_playbook.yml

---
- hosts: sql
  gather_facts: true
  tasks:
    - name: Install PSDesiredStateConfiguration PowerShell Module
      win_psmodule:
        name: PSDesiredStateConfiguration
        state: present
    - name: Install xSystemSecurity PowerShell Module
      win_psmodule:
        name: xSystemSecurity
        state: present
    - name: Set IE security to disabled for Administrators
      win_dsc:
        resource_name: xIEEsc
        IsEnabled: false
        UserRole: 'Administrators'
        PsDscRunAsCredential_username: '{{ansible_user}}'
        PsDscRunAsCredential_password: '{{ansible_password}}'

EXPECTED RESULTS

The DSC configuration to be successful

ACTUAL RESULTS

ansible-playbook test_playbook.yml -i hosts.yml -vv --ask-vault-pass

ansible-playbook 2.6.2
  config file = /opt/devops-ansible/playbooks/test/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 2.7.12 (default, Dec  4 2017, 14:50:18) [GCC 5.4.0 20160609]
Using /opt/devops-ansible/playbooks/test/ansible.cfg as config file

PLAYBOOK: test_playbook.yml *********************************************************************************************************************************************************
1 plays in test_playbook.yml

PLAY [sql] **************************************************************************************************************************************************************************

TASK [Gathering Facts] **************************************************************************************************************************************************************
task path: /opt/devops-ansible/playbooks/test/test_playbook.yml:2
ok: [10.2.1.6]
META: ran handlers

TASK [Install PSDesiredStateConfiguration PowerShell Module] ************************************************************************************************************************
task path: /opt/devops-ansible/playbooks/test/test_playbook.yml:5
ok: [10.2.1.6] => {"changed": false, "nuget_changed": false, "output": "Module PSDesiredStateConfiguration already present", "repository_changed": false}

TASK [Install xSystemSecurity PowerShell Module] ************************************************************************************************************************************
task path: /opt/devops-ansible/playbooks/test/test_playbook.yml:9
ok: [10.2.1.6] => {"changed": false, "nuget_changed": false, "output": "Module xSystemSecurity already present", "repository_changed": false}

TASK [Set IE security to disabled for Administrators] *******************************************************************************************************************************
task path: /opt/devops-ansible/playbooks/test/test_playbook.yml:13
fatal: [10.2.1.6]: FAILED! => {"changed": false, "module_version": "1.4.0.0", "msg": "Failed to serialize properties into CimInstance.", "reboot_required": false}
        to retry, use: --limit @/opt/devops-ansible/playbooks/test/test_playbook.retry

PLAY RECAP **************************************************************************************************************************************************************************
10.2.1.6                   : ok=3    changed=0    unreachable=0    failed=1


_Copied from original issue: ansible/ansible#43975_

@jborean93
Collaborator Author

From @rukas on Aug 10, 2018 19:35

This seems to only happen with that specific DSC module so far. I'm using a few others without issue such as:

  • StorageDsc
    • OpticalDiskDriveLetter
    • WaitForDisk
    • Disk
  • WindowsDefender
    • WindowsDefender

@jborean93
Collaborator Author

From @gstorme on Jun 21, 2019 11:58

I've encountered this error with the Disk resource on a Windows Server 2016, with ansible 2.7.
This resource has worked before though, on other systems.

- name: Create partition
  win_dsc:
    resource_name: Disk
    DriveLetter: "{{ drive_letter }}"
    DiskId: "{{ number }}"
    Size:
    FSLabel: "{{ label }}"
    FSFormat: "{{ fs_type }}"
    AllocationUnitSize: "{{ cluster_size }}"
  when: drive_letter != 'C'

FAILED! => {"changed": false, "module_version": "4.7.0.0", "msg": "Failed to serialize properties into CimInstance.", "reboot_required": false}

@jborean93
Collaborator Author

From @ShachafGoldstein on Jun 22, 2019 17:45

A brief online search yields a possible answer: the resources giving the Failed to serialize properties into CimInstance error are composite resources.
Found similar issues in Chef and an old issue here and Stack Overflow that leads to the Chef page

@jborean93 jborean93 changed the title from "win_dsc fails to serialize properties into CimInstance" to "win_dsc: fails to serialize properties into CimInstance" Mar 12, 2020
@MKletz
Contributor

MKletz commented Mar 9, 2021

Is there any update on supporting composite resources? I'm running into this issue as well.

@jborean93
Collaborator Author

There's been no progress because there hasn't been enough information to replicate the problem; I'm not even sure what a composite resource actually is. IIRC the last time I ran OP's original example it ran just fine. Without being able to replicate the problem we can't move forward with fixing it.

@MKletz
Contributor

MKletz commented Mar 10, 2021

A composite resource is essentially a parameterized configuration that can be referenced as a resource elsewhere. Resource Example and usage example

The issue lies in the use of Invoke-DSCResource (note here) so I'm not sure if there's a reasonable solution on the win_dsc side honestly, since traditionally when a MOF is compiled it expands a composite resource and only makes reference to the guts, as seen in the below snippet of the MOF generated by my linked example.

instance of MSFT_AccountPolicy as $MSFT_AccountPolicy3ref
{
SourceInfo = "C:\\Program Files\\WindowsPowerShell\\Modules\\CISDSC\\DscResources\\CIS_Microsoft_Windows_Server_2019_Member_Server_Release_1809\\CIS_Microsoft_Windows_Server_2019_Member_Server_Release_1809.schema.psm1::94::9::AccountPolicy";
 Minimum_Password_Age = 30;
 ModuleVersion = "2.10.0.0";
 Name = "Minimum_Password_Age";
 ResourceID = "[AccountPolicy]1.1.3 - (L1) Ensure Minimum password age is set to 1 or more day(s)::[CIS_Microsoft_Windows_Server_2019_Member_Server_Release_1809]CIS Benchmarks";
 ModuleName = "SecurityPolicyDsc";

 ConfigurationName = "Microsoft_Windows_Server_2019_Member_Server_1809_CIS_L1";

};
instance of MSFT_AccountPolicy as $MSFT_AccountPolicy4ref
{
Minimum_Password_Length = 14;
 SourceInfo = "C:\\Program Files\\WindowsPowerShell\\Modules\\CISDSC\\DscResources\\CIS_Microsoft_Windows_Server_2019_Member_Server_Release_1809\\CIS_Microsoft_Windows_Server_2019_Member_Server_Release_1809.schema.psm1::100::9::AccountPolicy";
 ModuleVersion = "2.10.0.0";
 Name = "Minimum_Password_Length";
 ResourceID = "[AccountPolicy]1.1.4 - (L1) Ensure Minimum password length is set to 14 or more character(s)::[CIS_Microsoft_Windows_Server_2019_Member_Server_Release_1809]CIS Benchmarks";
 ModuleName = "SecurityPolicyDsc";

 ConfigurationName = "Microsoft_Windows_Server_2019_Member_Server_1809_CIS_L1";

};
instance of MSFT_AccountPolicy as $MSFT_AccountPolicy5ref
{
SourceInfo = "C:\\Program Files\\WindowsPowerShell\\Modules\\CISDSC\\DscResources\\CIS_Microsoft_Windows_Server_2019_Member_Server_Release_1809\\CIS_Microsoft_Windows_Server_2019_Member_Server_Release_1809.schema.psm1::106::9::AccountPolicy";
 Password_must_meet_complexity_requirements = "Enabled";
 ModuleVersion = "2.10.0.0";
 Name = "Password_must_meet_complexity_requirements";
 ResourceID = "[AccountPolicy]1.1.5 - (L1) Ensure Password must meet complexity requirements is set to Enabled::[CIS_Microsoft_Windows_Server_2019_Member_Server_Release_1809]CIS Benchmarks";
 ModuleName = "SecurityPolicyDsc";

 ConfigurationName = "Microsoft_Windows_Server_2019_Member_Server_1809_CIS_L1";

};

So trying to reference a composite resource natively like below fails to find the class.

- name: CIS Benchmarks
  ansible.windows.win_dsc:
    resource_name: CIS_Microsoft_Windows_Server_2019_Member_Server_Release_1809
    ExcludeList:
      - '1.1.1'
      - '1.1.2'
      - '1.1.3'
      - '1.1.4'
      - '1.1.5'
      - '1.2.1'
      - '1.2.2'
      - '1.2.3'
      - '2.3.1.1'
      - '2.3.1.5'
      - '2.3.1.6'
      - '2.3.7.4'
      - '2.3.7.5'

Below you can see how the CIM method of finding resources used by win_dsc locates the class based resource of 'CISService' but not the composites like Get-DSCResource does.
image
image

@MKletz
Contributor

MKletz commented Mar 10, 2021

I believe there is an achievable workaround and would be willing to help work on a PR. win_dsc would need to be composite resource aware and know to expand a composite resource and iterate invoke-dscresource on all of its contents.

@MKletz
Contributor

MKletz commented Mar 10, 2021

For sanity I checked the DSC resource from the OP and it is also a composite resource.

https://github.com/dsccommunity/xSystemSecurity/blob/master/source/DSCResources/xIEEsc/xIEEsc.schema.psm1

@jborean93
Collaborator Author

Awesome, wonderful information. I'm curious about the example that you had

> So trying to reference a composite resource natively like below fails to find the class.

Wouldn't this result in a different error from this report or is it also "fails to serialize properties into CimInstance"?

If you are able to create a PR with the fix or at least a draft one we can definitely go from there. I'm afraid my knowledge of DSC isn't the best so this is definitely not something I've had to deal with before.

Just as an FYI the reason we check CIM directly and not Get-DscResource is that CIM allows you to go into nested types and get the properties whereas Get-DscResource only returned information about the root level (or at least that's what I remember). This is important as it allows us to add parameter validation and reporting to our module.

@MKletz
Contributor

MKletz commented Mar 10, 2021

This is the error we got from Get-DscCimClassProperties when referencing a composite resource in a playbook vs a traditional class based.

image

@MKletz
Contributor

MKletz commented Mar 10, 2021

Since the logic for expanding a composite resource is currently closed source, the workaround I can think of is having a script block generate a MOF, import the MOF as hashtables, and iterate through them with Invoke-DscResource. So I think this is doable if we're not above having a MOF exist for a second on the file system.

@MKletz
Contributor

MKletz commented Mar 19, 2021

I have a working POC below. It's certainly not pretty but it seems to work. The workaround is basically generating a MOF, parsing it, and looping through the expanded resources. It worked for me on a relatively complicated composite resource.

https://github.com/MKletz/DSCTools/blob/main/src/DSCTools/functions/public/Invoke-DscCompositeResource.ps1
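
The parsing half of the workaround described in the two comments above (compile a MOF, read the expanded resources back, apply each one on its own), as an added example that is not part of the thread or of MKletz's POC: it reads `instance of` blocks and turns every expanded resource into the arguments of an ordinary `win_dsc` task. The sample MOF, its shortened path and the `CIS_Composite` name are constructed, and `parse_mof` and `to_win_dsc_tasks` are hypothetical helper names.

```python
import re

STR = r'"(?:\\.|[^"\\])*"'
HEADER = re.compile(r'instance of (\w+)(?: as \$\w+)?\s*\{')
# A value is a quoted string, a {...} array, or a bare number/boolean/$alias.
PROP = re.compile(r'\s*(\w+)\s*=\s*(%s|\{(?:%s|[^}"])*\}|[^;"{]+?)\s*;' % (STR, STR))
# Bookkeeping written by the MOF compiler; not parameters of the resource.
META = {"SourceInfo", "ModuleName", "ModuleVersion", "ResourceID", "ConfigurationName"}

def _value(raw):
    if raw.startswith("{"):
        return [_value(v) for v in re.findall(STR + r'|[^\s,{}"]+', raw)]
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    return int(raw) if re.fullmatch(r"-?\d+", raw) else raw

def parse_mof(text):  # -> [(class_name, {property: value}), ...]
    out, pos = [], 0
    while (head := HEADER.search(text, pos)):
        props, pos = {}, head.end()
        while (prop := PROP.match(text, pos)):  # stops at the closing "};"
            props[prop.group(1)] = _value(prop.group(2))
            pos = prop.end()
        out.append((head.group(1), props))
    return out

def to_win_dsc_tasks(instances):  # one win_dsc task per expanded resource
    tasks = []
    for _cls, props in instances:
        rid = re.match(r"\[([^\]]+)\](.*?)(?:::\[|$)", props.get("ResourceID", ""))
        if rid is None:  # no ResourceID, e.g. the trailing OMI_ConfigurationDocument
            continue
        args = {"resource_name": rid.group(1), "module_version": props["ModuleVersion"]}
        args.update({k: v for k, v in props.items() if k not in META})
        tasks.append({"name": rid.group(2), "ansible.windows.win_dsc": args})
    return tasks

# Constructed sample modelled on the MOF in the thread (path and composite name shortened).
SAMPLE_MOF = r'''instance of MSFT_AccountPolicy as $MSFT_AccountPolicy3ref
{
SourceInfo = "C:\\Modules\\CISDSC\\CIS.schema.psm1::94::9::AccountPolicy";
 Minimum_Password_Age = 30;
 ModuleVersion = "2.10.0.0"; ModuleName = "SecurityPolicyDsc";
 Name = "Minimum_Password_Age";
 ResourceID = "[AccountPolicy]1.1.3 - (L1) Ensure Minimum password age::[CIS_Composite]CIS Benchmarks";
};
instance of OMI_ConfigurationDocument
{ Version="2.0.0"; CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"}; };'''
```

Instances without a `ResourceID` are parsed but not emitted as tasks. A compiled MOF can carry credentials, so the file should be readable only by the account that generates it and deleted as soon as it has been parsed.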

@nitzmahone
Member

@MKletz we've kicked this around at a couple meetings, but haven't seen you- stop by one of our IRC meetings if you can.

@MKletz
Contributor

MKletz commented Oct 21, 2021

@nitzmahone Will do, life has been crazy lately so I've not paid attention to my mentions, I apologize.

@camusicjunkie

camusicjunkie commented Sep 22, 2023

@jborean93 @MKletz Sorry to resurrect a four year old issue but were there ever any further conversations on implementing the workaround shown above? Running it on its own seems to work just fine.

I'm just getting into Ansible but being able to run composite resources would be a huge benefit to what I'm trying to implement at work. The main module I would be using this with would be PowerSTIG as Microsoft has only implemented composite resources with their module.

@MKletz
Contributor

MKletz commented Nov 13, 2023

@camusicjunkie to my knowledge yes this is still an issue. This is a tricky one to fix due to the way composites are handled by the underlying DSC. They are not supported by Invoke-DSCResource so it would require a near total rewrite of the module to handle generating a mof file and executing it which could have other implications since that then involves the LCM on the node where we currently avoid that. If the node has configurations assigned via the LCM already I believe that causes issues trying to generate/execute against a new one ad-hoc.
