[ansible-project] Re: Issue with running Ansible playbook against windows.
I believe your issue is that ansible_winrm_server_cert_validation is being loaded with your include_vars directive in the playbook and the way connection vars with Ansible before the current devel branch had a few issues. I would recommend you add [all:vars] ansible_winrm_server_cert_validation=ignore to your inventory and try again. One more thing you can try is to use the latest checkout of Ansible and see if the issue is still there. Thanks Jordan -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/cb1dd622-915a-49e1-bdfd-cae7b8f5ce33%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ansible-project] Re: Issue with running Ansible playbook against windows.
Hi Jordan, Thank you for the suggestion on the inventory management. We can
currently target any instance based on their tags. here is the command I am
using to issue the playbook.
*ansible-playbook playbooks/windows.yml -e "target=tag_product_cse"*
*Here is the information you requested. *
*$ pip list*
*DEPRECATION: The default format will switch to columns in the future. You
can use --format=(legacy|columns) (or define a format=(legacy|columns) in
your pip.conf under the [list] section) to disable this warning.*
*ansible (2.3.2.0)*
*aws-amicleaner (0.1.2)*
*awscli (1.11.133)*
*blessings (1.6)*
*boto (2.48.0)*
*boto3 (1.4.6)*
*botocore (1.6.0)*
*certifi (2017.7.27.1)*
*cffi (1.9.1)*
*chardet (3.0.4)*
*colorama (0.3.7)*
*docutils (0.14)*
*ecdsa (0.13)*
*enum34 (1.1.6)*
*futures (3.1.1)*
*httplib2 (0.9.1)*
*hvac (0.3.0)*
*idna (2.5)*
*ipaddress (1.0.18)*
*Jinja2 (2.8)*
*jmespath (0.9.3)*
*kerberos (1.2.5)*
*MarkupSafe (0.23)*
*ntlm-auth (1.0.5)*
*ordereddict (1.1)*
*paramiko (1.16.0)*
*pip (9.0.1)*
*prettytable (0.7.2)*
*pyasn1 (0.2.3)*
*pycparser (2.17)*
*pycrypto (2.6.1)*
*python-dateutil (2.6.1)*
*pywinrm (0.3.0b1)*
*PyYAML (3.12)*
*requests (2.18.3)*
*requests-ntlm (1.0.0)*
*rsa (3.4.2)*
*s3transfer (0.1.10)*
*setuptools (20.7.0)*
*six (1.10.0)*
*termcolor (1.1.0)*
*urllib3 (1.22)*
*virtualenv (15.1.0)*
*wheel (0.29.0)*
*xmltodict (0.11.0)*
*$ ansible --version*
*ansible 2.3.2.0*
*config file = /etc/ansible/ansible.cfg*
*configured module search path = Default w/o overrides*
*python version = 2.7.12 (default, Nov 20 2017, 18:23:56) [GCC 5.4.0
20160609]*
*$ python --version*
*Python 2.7.12*
*Here are the changes I made to the following files: *
*playbooks/windows.yml, roles/windows/task/main.yml,
inventory/group_vars/windows.yml*
*Playbook: playbooks/windows.yml*
---
- name: run test on Windows host
hosts: '{{target}}'
gather_facts: no
roles:
- windows
vars_files:
- "/home/ubuntu/infratools/ansible/inventory/group_vars/windows.yml"
*Task: roles/windows/task/main.yml*
---
# Obtain information about a folder
- debug:
var: ansible_winrm_server_cert_validation
- win_stat:
path: C:\Users
register: folder_info
*Windows Var: /inventory/group_vars/windows.yml*
ansible_user: username
ansible_password: "###"
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_transport: ssl
#ansible_winrm_scheme: ntlm
# The following is necessary for Python 2.7.9+ when using default WinRM
self-signed certificates:
ansible_winrm_server_cert_validation: ignore
*##*
*##*
Based on the results it appears that *ansible_winrm_server_cert_validation:
ignore* is being recognized. Unfortunately, the issue persists. Below are
the results of running the command.
$ ansible-playbook playbooks/windows.yml -e "target=tag_product_cse"
PLAY [run test on Windows host]
***
TASK [windows : debug]
ok: [x.x.x.x] => {
"ansible_winrm_server_cert_validation": "ignore"
TASK [windows : win_stat]
*
fatal: [x.x.x.x]: UNREACHABLE! => {"changed": false, "msg": "ssl:
HTTPSConnectionPool(host='x.x.x.x', port=5986): Max retries exceeded with
url: /wsman (Caused by SSLError(SSLError(1, u'[SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))",
"unreachable": true}
Thank you!! All your efforts are greatly appreciated!
On Monday, December 18, 2017 at 4:19:05 PM UTC-5, Jordan Borean wrote:
>
> I believe I may know what is happening and this was fixed in the latest
> devel branch so you can try that out if you like. Looks like it is failing
> to gather facts before it gets to your debug task, can you set *gather_facts:
> no* in your playbook as I'm really curious if the cert validation is
> being set properly.
>
> A few other things that would be helpful to know
>
> * Run *pip list* and post the output
> * What version of Ansible are you on
> * What version of Python 2.7 are you on
> * If you turn on fact gathering, does it would if you explicitly set the
> ignore var on the stat task like so
>
> - win_stat:
> path: C:\Users
> vars:
> ansible_winrm_server_cert_validation: ignore
>
> Looks like you are using a dynamic inventory for your AWS hosts, instead
> of having include_vars to point to the Windows vars file I would create a
> create an actual windows group in that inventory and add those hosts in
> there. In the end it would would look something similar to this (untested)
>
> #
[ansible-project] Re: Issue with running Ansible playbook against windows.
I believe I may know what is happening and this was fixed in the latest
devel branch so you can try that out if you like. Looks like it is failing
to gather facts before it gets to your debug task, can you set *gather_facts:
no* in your playbook as I'm really curious if the cert validation is being
set properly.
A few other things that would be helpful to know
* Run *pip list* and post the output
* What version of Ansible are you on
* What version of Python 2.7 are you on
* If you turn on fact gathering, does it would if you explicitly set the
ignore var on the stat task like so
- win_stat:
path: C:\Users
vars:
ansible_winrm_server_cert_validation: ignore
Looks like you are using a dynamic inventory for your AWS hosts, instead of
having include_vars to point to the Windows vars file I would create a
create an actual windows group in that inventory and add those hosts in
there. In the end it would would look something similar to this (untested)
# inventory/hosts
[tag_OSType_Windows]
# keep empty, is populated in the dynamic inventory
[windows:children]
tag_OSType_Windows
# inventory/ec2.py
... keep as normal, just to show how to mix/match dynamic and static
inventories
# inventory/ec2.ini
... keep as normal
# group_vars/windows.yml
ansible_user: username
ansible_password: "#"
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_scheme: https
# The following is necessary for Python 2.7.9+ when using default WinRM
self-signed certificates:
ansible_winrm_server_cert_validation: ignore
# playbooks/windows.yml
- name: run test on Windows host
hosts: '{{target}}'
tasks:
- win_stat:
path: C:\Users
>From there you would add a tag to the newly created instances OSType:
Windows so that when Ansible reads it from the inventory it is
automatically put in the Windows group. Even though you are running the
playbook on the one host it will inherit the group based on that tag which
in turn get's the Windows vars required.
Thanks
Jordan
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/282f872e-cf0d-4da9-b0fd-5de17c879068%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ansible-project] Re: Issue with running Ansible playbook against windows.
@jordan I completely agree. Although I have clearly stated in the
group_vars/windwos.yml file to ignore cert validation it does not appear to
acknowledge the setting.
With the tasks/main.yml file now looking like this:
---
# Obtain information about a folder
- debug:
var: ansible_winrm_server_cert_validation
- win_stat:
path: C:\Users
register: folder_info
I get the same result.
ubuntu@ip-x-x-x-x:~/infratools/ansible$ play playbooks/windows.yml -e
"target=tag_Name_R2_CSE03" -vvv
Using /home/ubuntu/infratools/ansible/ansible.cfg as config file
PLAYBOOK: windows.yml
*
1 plays in playbooks/windows.yml
PLAY [tag_Name_R2_CSE03]
**
TASK [Gathering Facts]
Using module file
/usr/lib/python2.7/dist-packages/ansible/modules/windows/setup.ps1
ESTABLISH WINRM CONNECTION FOR USER: administrator on PORT 5986
TO x.x.x.x
fatal: [x.x.x.x]: UNREACHABLE! => {
"changed": false,
"msg": "ssl: HTTPSConnectionPool(host='x.x.x.x', port=5986): Max
retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))",
"unreachable": true
}
On Friday, December 15, 2017 at 7:41:37 PM UTC-5, Jordan Borean wrote:
>
> For some reason the ansible_winrm_server_cert_validation: ignore var is
> not being set for your Windows host hence the error. Can you test out the
> following before your win_stat task when running on the Windows host.
>
> - debug:
> var: ansible_winrm_server_cert_validation
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/45856282-6ff2-4573-88eb-cede4187e139%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ansible-project] Re: Issue with running Ansible playbook against windows.
For some reason the ansible_winrm_server_cert_validation: ignore var is not being set for your Windows host hence the error. Can you test out the following before your win_stat task when running on the Windows host. - debug: var: ansible_winrm_server_cert_validation -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/8bd7a8b3-66f6-4907-ab00-8b9f4524ea93%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ansible-project] Re: Issue with running Ansible playbook against windows.
Hey there,
I was just cutting my teeth on executing playbooks against Windows. To add
to Tony's piece about the PowerShell script
ConfiguringRemotingforAnsible.ps1 which I had to do I also had to pip
install the following on the control machine within side my virtualenv:
pip install pywinrm
pip install pywinrm[kerberos]
Source: http://docs.ansible.com/ansible/latest/intro_windows.html
I'm not sure if this will help you or not but worth a shot if you haven't
already done so yet.
Good luck!
On Friday, December 15, 2017 at 1:50:41 PM UTC-8, Alexmil Reyes wrote:
>
> Thank you for responding.
>
> I am able to telnet to the windows machine without a problem. But the
> playbook still presented the same error when it was run.
>
> I ran the following commands on the windwos machine:
>
> winrm delete winrm/config/Listener?Address=*+Transport=HTTP
>
> winrm delete winrm/config/Listener?Address=***+Transport=HTTPS
>
>
> followed up with with the ConfigureRemotingForAnsible.ps1. I was able to
> telnet and win_ping but error continues to occur when I run the playbook.
>
>
>
>
> On Friday, December 15, 2017 at 3:03:36 PM UTC-5, Tony Chia wrote:
>>
>> You can also try removing the existing listeners and then run
>> ConfigureRemotingForAnsible.ps1 which will recreate the self-signed ssl
>> certificate using the following commands
>>
>> winrm delete winrm/config/Listener?Address=*+Transport=HTTP
>>
>> winrm delete winrm/config/Listener?Address=***+Transport=HTTPS
>>
>> On Friday, December 15, 2017 at 11:31:14 AM UTC-8, Tony Chia wrote:
>>>
>>> Try running "ConfigureRemotingForAnsible.ps1" on the windows host you
>>> are trying to manage with Ansible.
>>> If that doesn't work try this command on the ansible host
>>>
>>> telnet windows-host-name 5985
>>> telnet windows-host-name 5986
>>>
>>> If you see "Trying ..." but times out, the maybe the network ACL is not
>>> opened.
>>>
>>> On Thursday, December 14, 2017 at 2:44:18 PM UTC-8, Alexmil Reyes wrote:
Hi,
Thank you in advance to anyone who helps here. So am unable to run
playbooks against our windows AWS instances. I was able to perform a
win_ping but when I attempt to run this task on the same instances that I
am able to ping I get an SSL Cert error. I have displayed all relevant
information down below, let me know if any other information is required.
*PLAYBOOK*
---
- hosts: "{{target}}"
roles:
- windows
vars_files:
- "/home/ubuntu/infratools/ansible/inventory/group_vars/windows.yml"
*TASK MAIN.YML*
---
# Obtain information about a folder
- win_stat:
path: C:\Users
register: folder_info
*WIN_VARS*
ansible_user: username
ansible_password: "#"
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_scheme: https
# The following is necessary for Python 2.7.9+ when using default WinRM
self-signed certificates:
ansible_winrm_server_cert_validation: ignore
*WIN_PING*
10.100.22.111 | SUCCESS => {
"changed": false,
"ping": "pong"
}
*ERROR*
}
fatal: [10.100.22.111]: UNREACHABLE! => {
"changed": false,
"msg": "ssl: HTTPSConnectionPool(host='10.100.22.111', port=5986):
Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1,
u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:590)'),))",
"unreachable": true
}
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/c1b6d293-4363-4312-8c54-8201201ee8ab%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ansible-project] Re: Issue with running Ansible playbook against windows.
Thank you for responding.
I am able to telnet to the windows machine without a problem. But the
playbook still presented the same error when it was run.
I ran the following commands on the windwos machine:
winrm delete winrm/config/Listener?Address=*+Transport=HTTP
winrm delete winrm/config/Listener?Address=***+Transport=HTTPS
followed up with with the ConfigureRemotingForAnsible.ps1. I was able to
telnet and win_ping but error continues to occur when I run the playbook.
On Friday, December 15, 2017 at 3:03:36 PM UTC-5, Tony Chia wrote:
>
> You can also try removing the existing listeners and then run
> ConfigureRemotingForAnsible.ps1 which will recreate the self-signed ssl
> certificate using the following commands
>
> winrm delete winrm/config/Listener?Address=*+Transport=HTTP
>
> winrm delete winrm/config/Listener?Address=***+Transport=HTTPS
>
> On Friday, December 15, 2017 at 11:31:14 AM UTC-8, Tony Chia wrote:
>>
>> Try running "ConfigureRemotingForAnsible.ps1" on the windows host you are
>> trying to manage with Ansible.
>> If that doesn't work try this command on the ansible host
>>
>> telnet windows-host-name 5985
>> telnet windows-host-name 5986
>>
>> If you see "Trying ..." but times out, the maybe the network ACL is not
>> opened.
>>
>> On Thursday, December 14, 2017 at 2:44:18 PM UTC-8, Alexmil Reyes wrote:
>>>
>>> Hi,
>>>
>>> Thank you in advance to anyone who helps here. So am unable to run
>>> playbooks against our windows AWS instances. I was able to perform a
>>> win_ping but when I attempt to run this task on the same instances that I
>>> am able to ping I get an SSL Cert error. I have displayed all relevant
>>> information down below, let me know if any other information is required.
>>>
>>>
>>> *PLAYBOOK*
>>> ---
>>>
>>> - hosts: "{{target}}"
>>> roles:
>>> - windows
>>> vars_files:
>>> - "/home/ubuntu/infratools/ansible/inventory/group_vars/windows.yml"
>>>
>>>
>>> *TASK MAIN.YML*
>>> ---
>>> # Obtain information about a folder
>>> - win_stat:
>>> path: C:\Users
>>> register: folder_info
>>>
>>>
>>> *WIN_VARS*
>>> ansible_user: username
>>> ansible_password: "#"
>>> ansible_port: 5986
>>> ansible_connection: winrm
>>> ansible_winrm_scheme: https
>>> # The following is necessary for Python 2.7.9+ when using default WinRM
>>> self-signed certificates:
>>> ansible_winrm_server_cert_validation: ignore
>>>
>>>
>>> *WIN_PING*
>>> 10.100.22.111 | SUCCESS => {
>>> "changed": false,
>>> "ping": "pong"
>>> }
>>>
>>>
>>> *ERROR*
>>> }
>>> fatal: [10.100.22.111]: UNREACHABLE! => {
>>> "changed": false,
>>> "msg": "ssl: HTTPSConnectionPool(host='10.100.22.111', port=5986):
>>> Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1,
>>> u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
>>> (_ssl.c:590)'),))",
>>> "unreachable": true
>>> }
>>>
>>>
>>>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/408c262c-a032-4eec-a2a6-a60820b80e3f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ansible-project] Re: Issue with running Ansible playbook against windows.
You can also try removing the existing listeners and then run
ConfigureRemotingForAnsible.ps1 which will recreate the self-signed ssl
certificate using the following commands
winrm delete winrm/config/Listener?Address=*+Transport=HTTP
winrm delete winrm/config/Listener?Address=***+Transport=HTTPS
On Friday, December 15, 2017 at 11:31:14 AM UTC-8, Tony Chia wrote:
>
> Try running "ConfigureRemotingForAnsible.ps1" on the windows host you are
> trying to manage with Ansible.
> If that doesn't work try this command on the ansible host
>
> telnet windows-host-name 5985
> telnet windows-host-name 5986
>
> If you see "Trying ..." but times out, the maybe the network ACL is not
> opened.
>
> On Thursday, December 14, 2017 at 2:44:18 PM UTC-8, Alexmil Reyes wrote:
>>
>> Hi,
>>
>> Thank you in advance to anyone who helps here. So am unable to run
>> playbooks against our windows AWS instances. I was able to perform a
>> win_ping but when I attempt to run this task on the same instances that I
>> am able to ping I get an SSL Cert error. I have displayed all relevant
>> information down below, let me know if any other information is required.
>>
>>
>> *PLAYBOOK*
>> ---
>>
>> - hosts: "{{target}}"
>> roles:
>> - windows
>> vars_files:
>> - "/home/ubuntu/infratools/ansible/inventory/group_vars/windows.yml"
>>
>>
>> *TASK MAIN.YML*
>> ---
>> # Obtain information about a folder
>> - win_stat:
>> path: C:\Users
>> register: folder_info
>>
>>
>> *WIN_VARS*
>> ansible_user: username
>> ansible_password: "#"
>> ansible_port: 5986
>> ansible_connection: winrm
>> ansible_winrm_scheme: https
>> # The following is necessary for Python 2.7.9+ when using default WinRM
>> self-signed certificates:
>> ansible_winrm_server_cert_validation: ignore
>>
>>
>> *WIN_PING*
>> 10.100.22.111 | SUCCESS => {
>> "changed": false,
>> "ping": "pong"
>> }
>>
>>
>> *ERROR*
>> }
>> fatal: [10.100.22.111]: UNREACHABLE! => {
>> "changed": false,
>> "msg": "ssl: HTTPSConnectionPool(host='10.100.22.111', port=5986):
>> Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1,
>> u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
>> (_ssl.c:590)'),))",
>> "unreachable": true
>> }
>>
>>
>>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/024c9e7a-f6e8-4b68-841d-ff76a73473be%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ansible-project] Re: Issue with running Ansible playbook against windows.
Try running "ConfigureRemotingForAnsible.ps1" on the windows host you are
trying to manage with Ansible.
If that doesn't work try this command on the ansible host
telnet windows-host-name 5985
telnet windows-host-name 5986
If you see "Trying ..." but times out, the maybe the network ACL is not
opened.
On Thursday, December 14, 2017 at 2:44:18 PM UTC-8, Alexmil Reyes wrote:
>
> Hi,
>
> Thank you in advance to anyone who helps here. So am unable to run
> playbooks against our windows AWS instances. I was able to perform a
> win_ping but when I attempt to run this task on the same instances that I
> am able to ping I get an SSL Cert error. I have displayed all relevant
> information down below, let me know if any other information is required.
>
>
> *PLAYBOOK*
> ---
>
> - hosts: "{{target}}"
> roles:
> - windows
> vars_files:
> - "/home/ubuntu/infratools/ansible/inventory/group_vars/windows.yml"
>
>
> *TASK MAIN.YML*
> ---
> # Obtain information about a folder
> - win_stat:
> path: C:\Users
> register: folder_info
>
>
> *WIN_VARS*
> ansible_user: username
> ansible_password: "#"
> ansible_port: 5986
> ansible_connection: winrm
> ansible_winrm_scheme: https
> # The following is necessary for Python 2.7.9+ when using default WinRM
> self-signed certificates:
> ansible_winrm_server_cert_validation: ignore
>
>
> *WIN_PING*
> 10.100.22.111 | SUCCESS => {
> "changed": false,
> "ping": "pong"
> }
>
>
> *ERROR*
> }
> fatal: [10.100.22.111]: UNREACHABLE! => {
> "changed": false,
> "msg": "ssl: HTTPSConnectionPool(host='10.100.22.111', port=5986): Max
> retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))",
> "unreachable": true
> }
>
>
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/d624d8ef-63b5-4e1b-8244-d03f4d779998%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
