[ansible-project] Skip caching facts for specific hosts
I run ansible playbooks on multiple servers as controller servers and now want to start using the cache plugin. As each controller server is "localhost" for playbook, the facts captured by one controller server are getting replaced by another server making the cache data not usable. So, checking to see if I can skip caching of facts when the hostname is localhost. Is it possible in current ansible? -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/5a038e49-f5c1-4331-a684-357d226ec4df%40googlegroups.com.
[ansible-project] Re: winrm and https
Hi,
I am also getting the same error when i tried to run a play with *host:
local *and a task with *delegate_to: windows *in ubuntu 14.04. But the same
task works if I specify the *host: windows *at play level. Can anyone help
me in this?
On Friday, June 24, 2016 at 8:00:31 AM UTC-5, skinnedknuckles wrote:
>
> Here is a list of 9 items to check. You may already have done all of
> these but skipping any one of them will prevent it from working.
>
>
> https://groups.google.com/forum/?utm_medium=email_source=footer#!topic/ansible-project/HKgh7jtsFsk
>
> On Thursday, June 23, 2016 at 9:32:51 AM UTC-5, František Griga wrote:
>>
>> Hello,
>>
>> I have a problem with using Ansible to manage Windows machines.
>>
>> I have one virtual machine with Debian 8, Ansible 2.1.0.0 installed
>> through PPA and Python 2.7.9. Then I have a second VM with Windows 10. I
>> would like to send commands from Debian (Ansible) machine to Windows
>> machine using WinRM through HTTPS (I do not want to use Kerberos - I
>> need to connect to Windows local account), but something goes wrong. If
>> I use "ansible_winrm_server_cert_validation: ignore" conf option,
>> everything is fine - I have this:
>>
>> root@debx-test:~# ansible 192.168.0.1 -m win_ping
>> 192.168.0.1 | SUCCESS => {
>> "changed": false,
>> "ping": "pong"
>> }
>>
>> but that is something I do not want to use, because I considere that as
>> a security risk. When I turn the option off, I have this:
>>
>> root@debx-test:~# ansible 192.168.0.1 -m win_ping -v
>> Using /etc/ansible/ansible.cfg as config file
>> Loaded callback minimal of type stdout, v2.0
>> <192.168.0.1> ESTABLISH WINRM CONNECTION FOR USER: admin on PORT 5986 TO
>> 192.168.0.1
>> <192.168.0.1> WINRM CONNECT: transport=plaintext
>> endpoint=https://192.168.0.1:5986/wsman
>> <192.168.0.1> WINRM CONNECTION ERROR: ("bad handshake: Error([('SSL
>> routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify
>> failed')],)",)
>> Traceback (most recent call last):
>>File
>> "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/winrm.py",
>> line 152, in _winrm_connect
>> self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>>File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line
>> 132, in open_shell
>> res = self.send_message(xmltodict.unparse(req))
>>File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line
>> 207, in send_message
>> return self.transport.send_message(message)
>>File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py",
>> line 173, in send_message
>> response = self.session.send(prepared_request,
>> timeout=self.read_timeout_sec)
>>File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py",
>> line 585, in send
>> r = adapter.send(request, **kwargs)
>>File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py",
>> line 477, in send
>> raise SSLError(e, request=request)
>> SSLError: ("bad handshake: Error([('SSL routines',
>> 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
>>
>> 192.168.0.1 | UNREACHABLE! => {
>> "changed": false,
>> "msg": "plaintext: (\"bad handshake: Error([('SSL routines',
>> 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)\",)",
>> "unreachable": true
>> }
>>
>> does not matter, what certificate I am using. I tried to create CA on
>> Ansible machine, sign Windows CSR, import certificate to Windows,
>> reconfigure HTTPS listener and import CA certificate to trusted
>> certificates on Debian - does not help. I am sure I did everything OK,
>> because it is working for example on the test web server on Windows
>> machine.
>>
>> Is it possible to run Ansible with Windows really securelly? How? What
>> should I try?
>>
>> Thanks for reply,
>> Frantisek Griga
>>
>>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/e431ad1b-8dc4-42a7-ab4e-5b72e46e035a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ansible-project] Re: Ansible AD Domain Authentication
Hi,
Sorry it took so long to respond. I actually followed the same document and
installed everything as suggested.
As per AMI I am using AWS ubuntu image and python version 2.7.6.
my sudo pip list output
ansible (2.0.1.0)
ansible-tower (2.4.4)
apt-xapian-index (0.45)
argparse (1.2.1)
awscli (1.10.20)
boto (2.39.0)
boto3 (1.3.0)
botocore (1.4.11)
chardet (2.0.1)
Cheetah (2.4.4)
cloud-init (0.7.5)
colorama (0.2.5)
configobj (4.7.2)
docutils (0.12)
futures (3.0.5)
html5lib (0.999)
httplib2 (0.8)
isodate (0.5.4)
Jinja2 (2.7.2)
jmespath (0.9.0)
jsonpatch (1.3)
jsonpointer (1.0)
kerberos (1.2.4)
Landscape-Client (14.12)
MarkupSafe (0.18)
meld3 (0.6.10)
mercurial (2.8.2)
oauth (1.0.1)
PAM (0.4.2)
paramiko (1.10.1)
passlib (1.5.3)
pip (1.5.4)
prettytable (0.7.2)
psycopg2 (2.4.5)
pyasn1 (0.1.9)
pycrypto (2.6.1)
pycurl (7.19.3)
pyOpenSSL (0.13)
pyserial (2.6)
python-apt (0.9.3.5ubuntu2)
python-dateutil (2.5.2)
python-debian (0.1.21-nmu2ubuntu2)
pywinrm (0.1.1)
PyYAML (3.10)
requests (2.2.1)
rsa (3.3)
s3transfer (0.0.1)
setuptools (3.3)
six (1.5.2)
ssh-import-id (3.21)
supervisor (3.0b2)
Twisted-Core (13.2.0)
Twisted-Names (13.2.0)
Twisted-Web (13.2.0)
urllib3 (1.7.1)
wheel (0.24.0)
wsgiref (0.1.2)
xmltodict (0.10.1)
zope.interface (4.0.5)
As this is simply a warning, right now I am not taking it as high priority.
We are starting new and exploring ansible as of now.
On Tuesday, April 12, 2016 at 6:58:44 PM UTC+5:30, J Hawkesworth wrote:
>
> Anjana,
>
> I have not seen this error before but please advise the following:
>
> version of whichever python-kerberos libraries you are using on your
> ansible controller (see
> http://docs.ansible.com/ansible/intro_windows.html#installing-python-kerberos-dependencies
> )
> version of the python kerberos wrapper you are using.
> version of pywinrm you are using
> which OS you are running ansible controller on.
>
> Many thanks,
>
> Jon
>
>
> On Monday, April 11, 2016 at 2:51:04 PM UTC+1, Anjana Raghavendra P wrote:
>>
>> I am having similar problem and afterwards used the *kerberos* for host
>> variable *ansible_winrm_transport.*
>> I am using ansible version 2.0.1.0.
>>
>> The worked configuration:
>> [Win]
>> ...LOCAL
>>
>> [Win:vars]
>> ansible_user='xxx.xxx@.X.LOCAL'
>> ansible_password=*..*
>> ansible_port=5986
>> ansible_connection=winrm
>> ansible_winrm_server_cert_validation=ignore
>> #ansible_winrm_transport=ssl
>> ansible_winrm_transport=kerberos
>>
>> but the problem with this is subsequent runs on this host first throwing
>> following errors and then giving successful result.
>> */usr/local/lib/python2.7/dist-packages/winrm/transport.py:283:
>> RuntimeError: kerberos.authGSSClientClean is deprecated.*
>> * krb_ticket.verify_response(response.headers['WWW-Authenticate'])*
>> *...LOCAL | SUCCESS => {*
>> *"changed": false,*
>> *"ping": "pong"*
>> *}*
>>
>> If anyone can help that would be better.
>>
>> On Sunday, April 10, 2016 at 1:19:21 AM UTC+5:30, J Hawkesworth wrote:
>>>
>>> Hi,
>>>
>>> My guess would be you haven't got pykerberos installed. on your ansible
>>> controller.
>>>
>>> If you see
>>>
>>> transport=ssl
>>>
>>> in the connection information it isn't going via kerberos.
>>>
>>> Since you have a ticket set up I think its just that you don't have the
>>> pykerberos package installed.
>>>
>>> Hope this helps,
>>>
>>> Jon
>>>
>>> On Friday, April 8, 2016 at 7:25:46 PM UTC+1, Mauricio Tavares wrote:
>>>>
>>>> I would expect his logs to show ssh trying to do kerberos auth and
>>>> then failing back to whatever. The fact it is going straight to plain
>>>> auth is odd.
>>>>
>>>> Maybe play around with ansible_ssh_common_args or ansible.cfg to get
>>>> ssh more verbose?
>>>>
>>>>
>>>> On Fri, Apr 8, 2016 at 1:51 PM, Zacharias Thompson <zar...@gmail.com>
>>>> wrote:
>>>> > Are you running the kinit under the same user you're running ansible
>>>> as?
>>>> >
>>>> > What version of Ansible are you running?
>>>> >
>>>> > On Fri, Apr 8, 2016 at 4:27 AM, Mark Matthews <mdmat...@gmail.com>
>>>> wrote:
>>>> >>
>>>> >> Hi Zacharias
>>>> >>
>>>> >> I have setup a kerberos ticket and all seems to be working fine. I
>>>&
[ansible-project] Re: Installing IIS on Windows Server 2008 R2 Standard SP1 x64
Hey, are you able to fix the error?
TASK [iis : Install IIS]
***
/usr/local/lib/python2.7/dist-packages/winrm/transport.py:283:
RuntimeError: kerberos.authGSSClientClean is deprecated.
krb_ticket.verify_response(response.headers['WWW-Authenticate']
This is not affecting playbook run but distracting very much.
On Friday, January 22, 2016 at 6:03:33 AM UTC+5:30, Joe Levis wrote:
>
> *Ok, got it to work!*
>
> I'm not sure if it's something to do with my Windows setup, but I had to
> comment out the below entries in the IIS playbook:
>
> *include_sub_features: yes*
>
> *include_management_tools: yes*
>
>
> Maybe it has something to do with certain sub features not capable of
> installing? Anyways, give that a try. If it works for you as well, you will
> need to install each sub feature separately by adding them to the name list
> (comma-delimited).
>
>
>
>
> On Thursday, January 21, 2016 at 2:00:36 PM UTC-8, Joe Levis wrote:
>>
>> I'm having the same problem.
>>
>> TASK [iis : Install IIS]
>> ***
>>
>> /usr/local/lib/python2.7/dist-packages/winrm/transport.py:283:
>> RuntimeError: kerberos.authGSSClientClean is deprecated.
>>
>> krb_ticket.verify_response(response.headers['WWW-Authenticate'])
>>
>> fatal: [qa1-ui.corp.wetdesign.com]: FAILED! => {"changed": false,
>> "exitcode": "Failed", "failed": true, "feature_result": [], "msg": "Failed
>> to add feature", "restart_needed": false, "success": false}
>>
>> *Control Machine *= Ubuntu 14.04
>> *Ansible Version *= 2.0.0.2
>> *Target Windows VM *= Server 2012 R2
>> *Playbook:*
>>
>> ---
>>
>> - name: Install IIS
>>
>> win_feature:
>>
>> name: "Web-Server"
>>
>> state: present
>>
>> restart: yes
>>
>> include_sub_features: yes
>>
>> include_management_tools: yes
>>
>>
>>- The PowerShell setup script ran successfully (
>>
>> https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
>>).
>>- The IIS Web-Server feature is available on the server.
>>- Not seeing any related messages / errors in the eventvwr (although,
>>is there a specific log that I should be looking at?)
>>
>> Any ideas?
>>
>> If I figure it out before someone does here, I'll post the answer.
>>
>> Thanks.
>>
>>
>> On Thursday, July 23, 2015 at 12:53:40 AM UTC-7, J Hawkesworth wrote:
>>>
>>> Also, what ansible version are you using and how was it installed?
>>>
>>> On Thursday, July 23, 2015 at 6:46:11 AM UTC+1, J Hawkesworth wrote:
I have a couple of suggestions...
First, check your server 2008 is patched as per the instructions in the
blue box here:
http://docs.ansible.com/ansible/intro_windows.html#windows-system-prep
Check that your windows host actually has the features that you want to
install available. Unfortunately some editions of windows don't have the
features included in the ISO image - I have experienced this with Volume
Licensed editions in the past. If I recall correctly you can check this
by
running the following powershell as administrator on the windows machine:
import-module ServerManager; Get-WindowsFeature | Out-GridView
if the Install State listed for the feature you want to install is
'Available' then that's not the issue.
Check eventvwr on the destination machine for messages / errors
I'd be tempted to remove the space between the two feature names in
your playbook as per the example in the documentation page too.
Hope some of the above helps.
On Thursday, July 23, 2015 at 1:44:04 AM UTC+1, Angel Cabrera wrote:
>
> I have created a simple playbook to add IIS feature to a windows
> server.
>
> - name: Install IIS
> win_feature:
> name: "Web-WebServer, Web-Mgmt-Tools"
> state: present
> restart: yes
> include_sub_features: yes
> include_management_tools: yes
>
> And this is the result:
>
> [acabrera@cops-test ansible]$ ansible-playbook - -i hosts/rms
> ten201_rbo_web.yml
>
> PLAY [Install Win feature ISS on RBO Web server]
> **
>
> GATHERING FACTS
> ***
> ESTABLISH WINRM CONNECTION FOR
> USER: cpadm on PORT 5986 TO rbapp31b22966.ms.rmsonecloud.net
> WINRM CONNECT: transport=plaintext
> endpoint=https://rbapp31b22966.ms.rmsonecloud.net:5986/wsman
> REMOTE_MODULE setup
> EXEC (New-Item -Type Directory
> -Path $env:temp -Name
> "ansible-tmp-1437602865.92-148939687313381").FullName
> | Write-Host -Separator '';
> WINRM
[ansible-project] Windows authentication
Hi, We are using CIS hardened AWS windows AMI in our production servers. What this means is the winrm basic authentication is disabled at client and service level. Now, I am unable to use the ansible to configure/deploy this server. Can anyone help me in this? I have searched through several sites but didn't come across anyone who is having the same issue. So, porting this question here. Thanks, Raghavendra. -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/b8dbb429-6a20-41ec-b82c-c761de50221c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ansible-project] Re: Ansible AD Domain Authentication
I am having similar problem and afterwards used the *kerberos* for host
variable *ansible_winrm_transport.*
I am using ansible version 2.0.1.0.
The worked configuration:
[Win]
...LOCAL
[Win:vars]
ansible_user='xxx.xxx@.X.LOCAL'
ansible_password=*..*
ansible_port=5986
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
#ansible_winrm_transport=ssl
ansible_winrm_transport=kerberos
but the problem with this is subsequent runs on this host first throwing
following errors and then giving successful result.
*/usr/local/lib/python2.7/dist-packages/winrm/transport.py:283:
RuntimeError: kerberos.authGSSClientClean is deprecated.*
* krb_ticket.verify_response(response.headers['WWW-Authenticate'])*
*...LOCAL | SUCCESS => {*
*"changed": false,*
*"ping": "pong"*
*}*
If anyone can help that would be better.
On Sunday, April 10, 2016 at 1:19:21 AM UTC+5:30, J Hawkesworth wrote:
>
> Hi,
>
> My guess would be you haven't got pykerberos installed. on your ansible
> controller.
>
> If you see
>
> transport=ssl
>
> in the connection information it isn't going via kerberos.
>
> Since you have a ticket set up I think its just that you don't have the
> pykerberos package installed.
>
> Hope this helps,
>
> Jon
>
> On Friday, April 8, 2016 at 7:25:46 PM UTC+1, Mauricio Tavares wrote:
>>
>> I would expect his logs to show ssh trying to do kerberos auth and
>> then failing back to whatever. The fact it is going straight to plain
>> auth is odd.
>>
>> Maybe play around with ansible_ssh_common_args or ansible.cfg to get
>> ssh more verbose?
>>
>>
>> On Fri, Apr 8, 2016 at 1:51 PM, Zacharias Thompson
>> wrote:
>> > Are you running the kinit under the same user you're running ansible
>> as?
>> >
>> > What version of Ansible are you running?
>> >
>> > On Fri, Apr 8, 2016 at 4:27 AM, Mark Matthews
>> wrote:
>> >>
>> >> Hi Zacharias
>> >>
>> >> I have setup a kerberos ticket and all seems to be working fine. I am
>> able
>> >> to do a "knit username" and create a ticket.
>> >>
>> >> I then add the following entry into /etc/ansible/hosts file
>> >> [win]
>> >> servername.COMPANY.COM
>> >>
>> >> I have create the following /etc/ansible/group_vars/win.yml file with
>> the
>> >> following information
>> >>
>> >> ansible_ssh_user: user...@company.com
>> >> ansible_ssh_port: 5986
>> >> ansible_connection: winrm
>> >>
>> >>
>> >> Bu when I try run a playbook to the server in 'win' I get the
>> following
>> >> error:
>> >>
>> >> fatal: [uk-ansible-test02.WINTECH.LOCAL]: FAILED! => {"failed": true,
>> >> "msg": "ssl: 401 Unauthorized. basic auth failed"}
>> >>
>> >>
>> >> Any ideas as too what could be causing this?
>> >>
>> >> Cheers
>> >> Mark
>> >>
>> >>
>> >> On Thursday, April 7, 2016 at 1:27:23 PM UTC+1, Mark Matthews wrote:
>> >>>
>> >>> Hi
>> >>>
>> >>>
>> >>>
>> >>> Currently I have been connecting to servers to using local server
>> >>> accounts, and therefore my ‘group_vars/winservers.yml’ file has
>> looked like
>> >>> the following:
>> >>>
>> >>>
>> >>>
>> >>> ansible_ssh_user: Administrator
>> >>>
>> >>> ansible_ssh_pass: PASSWORD
>> >>>
>> >>> ansible_ssh_port: 5986
>> >>>
>> >>> ansible_connection: winrm
>> >>>
>> >>>
>> >>>
>> >>> But now I need to authenticate to servers that are connected on the
>> >>> domain. How would I change this file? Is it as simple as…
>> >>>
>> >>>
>> >>>
>> >>> ansible_ssh_user: my.domain\mark.matthews
>> >>>
>> >>> ansible_ssh_pass: PASSWORD
>> >>>
>> >>> ansible_ssh_port: 5986
>> >>>
>> >>> ansible_connection: winrm
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> Cheers
>> >>
>> >> --
>> >> You received this message because you are subscribed to a topic in the
>> >> Google Groups "Ansible Project" group.
>> >> To unsubscribe from this topic, visit
>> >>
>> https://groups.google.com/d/topic/ansible-project/sajcZOtW2uo/unsubscribe.
>>
>> >> To unsubscribe from this group and all its topics, send an email to
>> >> ansible-proje...@googlegroups.com.
>> >> To post to this group, send email to ansible...@googlegroups.com.
>> >> To view this discussion on the web visit
>> >>
>> https://groups.google.com/d/msgid/ansible-project/0b133188-5ba5-4930-acfe-4b223faefb1c%40googlegroups.com.
>>
>>
>> >>
>> >> For more options, visit https://groups.google.com/d/optout.
>> >
>> >
>> >
>> >
>> > --
>> > Zacharias Thompson
>> > zar...@gmail.com
>> > 253.569.7502
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> Groups
>> > "Ansible Project" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> an
>> > email to ansible-proje...@googlegroups.com.
>> > To post to this group, send email to ansible...@googlegroups.com.
>> > To view this discussion on the web visit
>> >
>>
