Ask Your Question

Best Practice: exec checks vs. PS script runs?

asked 2014-12-16 22:16:55 -0600

whitmojm gravatar image

So we are now using puppet to manage over 100 IIS virtual applications. I started out by using one of the freely available IIS modules from puppet forge and quickly realized that I needed to customize it extensively to my my companies standards. Now I find myself (puppet, not me personally) doing hundreds if not thousands of exec checks on my IIS servers to make sure the app pools, virtual apps are all configured to my defined state via powershell. Here are some examples.

EXEC: does app pool have the right timeout? yes, ok skip to next. EXEC: are the connection strings encrypted? yes, ok skip to next. EXEC: is the physical path right? yes, ok skip to next.

blah, blah, blah...

So the question is, should I be making sure that every configuration piece is correct every hour of every day? or should I only run the checks on my servers once a day, or should I make a PS script that configures everything only once so if the server dies, I can quickly recover? I watched an interesting presentation about puppet and powershell ( ) and I do agree that powershell is the key into automating Windows servers, powershell is a dog. in the presentation Mr. Stack runs what appears to be one PS script that installs and configures everything he needs. My method has been very modular and I'm wondering if its inefficient. Our linux side of the shop does not seem to have the same lag running the configuration checks. we have Moodle installs that checking roughly the same number of config items and they take seconds to run. Running all the EXEC checks though powershell on iis takes 300-400 seconds. In the presentation Mr. Stack states, just run it, if the configuration is correct, it wont hurt anything. But if I contantly go though and overwrite everthing without checking to see if its already configured the way i want using Exec Unless and Onlyif, the puppet logs show me tons of things that are "changed" even if they were not changed.


edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2014-12-17 17:19:19 -0600

cbarbour gravatar image

In the presentation Mr. Stack states, just run it, if the configuration is correct, it wont hurt anything.

In my opinion, this is poor practice. Although it's idempotent from a functional standpoint, it's not idempotent as far as Puppet is concerned, and it breaks a lot of Puppet's reporting and change simulation model.

If the slow run time isn't hurting anything, I'd use your current approach. It sounds like you're correctly checking the current state using unless, onlyif, and creates on each exec resource, which is good. If for some reason you need to speed up your Puppet runs for something unrelated to IIS, you might consider using the --tags and --use-cached-catalog arguments to the Puppet agent to restrict the scope of your run, and avoid having to recompile the catalog.

If you do want to improve run time, you might consider writing an external powershell script that can check all the managed properties of IIS, and corrects them if necessary. Deploy and execute this script using Puppet.

You might also see if you can leverage the registry, group policy, or WMI to manage certain parts of IIS. The registry specifically seems to perform much better than PowerShell.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2014-12-16 22:16:55 -0600

Seen: 360 times

Last updated: Dec 17 '14