[ansible-project] Re: Issue with running Ansible playbook against windows.
I believe your issue is that ansible_winrm_server_cert_validation is being loaded with your include_vars directive in the playbook and the way connection vars with Ansible before the current devel branch had a few issues. I would recommend you add

    [all:vars]
    ansible_winrm_server_cert_validation=ignore

to your inventory and try again. One more thing you can try is to use the latest checkout of Ansible and see if the issue is still there.

Thanks

Jordan

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/cb1dd622-915a-49e1-bdfd-cae7b8f5ce33%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ansible-project] Re: Issue with running Ansible playbook against windows.
Hi Jordan,

Thank you for the suggestion on the inventory management. We can currently target any instance based on their tags. Here is the command I am using to issue the playbook.

    ansible-playbook playbooks/windows.yml -e "target=tag_product_cse"

Here is the information you requested.

    $ pip list
    DEPRECATION: The default format will switch to columns in the future. You can use --format=(legacy|columns) (or define a format=(legacy|columns) in your pip.conf under the [list] section) to disable this warning.
    ansible (2.3.2.0)
    aws-amicleaner (0.1.2)
    awscli (1.11.133)
    blessings (1.6)
    boto (2.48.0)
    boto3 (1.4.6)
    botocore (1.6.0)
    certifi (2017.7.27.1)
    cffi (1.9.1)
    chardet (3.0.4)
    colorama (0.3.7)
    docutils (0.14)
    ecdsa (0.13)
    enum34 (1.1.6)
    futures (3.1.1)
    httplib2 (0.9.1)
    hvac (0.3.0)
    idna (2.5)
    ipaddress (1.0.18)
    Jinja2 (2.8)
    jmespath (0.9.3)
    kerberos (1.2.5)
    MarkupSafe (0.23)
    ntlm-auth (1.0.5)
    ordereddict (1.1)
    paramiko (1.16.0)
    pip (9.0.1)
    prettytable (0.7.2)
    pyasn1 (0.2.3)
    pycparser (2.17)
    pycrypto (2.6.1)
    python-dateutil (2.6.1)
    pywinrm (0.3.0b1)
    PyYAML (3.12)
    requests (2.18.3)
    requests-ntlm (1.0.0)
    rsa (3.4.2)
    s3transfer (0.1.10)
    setuptools (20.7.0)
    six (1.10.0)
    termcolor (1.1.0)
    urllib3 (1.22)
    virtualenv (15.1.0)
    wheel (0.29.0)
    xmltodict (0.11.0)

    $ ansible --version
    ansible 2.3.2.0
      config file = /etc/ansible/ansible.cfg
      configured module search path = Default w/o overrides
      python version = 2.7.12 (default, Nov 20 2017, 18:23:56) [GCC 5.4.0 20160609]

    $ python --version
    Python 2.7.12

Here are the changes I made to the following files: playbooks/windows.yml, roles/windows/task/main.yml, inventory/group_vars/windows.yml

*Playbook: playbooks/windows.yml*

    ---
    - name: run test on Windows host
      hosts: '{{target}}'
      gather_facts: no
      roles:
        - windows
      vars_files:
        - "/home/ubuntu/infratools/ansible/inventory/group_vars/windows.yml"

*Task: roles/windows/task/main.yml*

    ---
    # Obtain information about a folder
    - debug:
        var: ansible_winrm_server_cert_validation

    - win_stat:
        path: C:\Users
      register: folder_info

*Windows Var: /inventory/group_vars/windows.yml*

    ansible_user: username
    ansible_password: "###"
    ansible_port: 5986
    ansible_connection: winrm
    ansible_winrm_transport: ssl
    #ansible_winrm_scheme: ntlm
    # The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
    ansible_winrm_server_cert_validation: ignore

Based on the results it appears that *ansible_winrm_server_cert_validation: ignore* is being recognized. Unfortunately, the issue persists. Below are the results of running the command.

    $ ansible-playbook playbooks/windows.yml -e "target=tag_product_cse"

    PLAY [run test on Windows host] ***

    TASK [windows : debug]
    ok: [x.x.x.x] => {
        "ansible_winrm_server_cert_validation": "ignore"

    TASK [windows : win_stat] *
    fatal: [x.x.x.x]: UNREACHABLE! => {"changed": false, "msg": "ssl: HTTPSConnectionPool(host='x.x.x.x', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))", "unreachable": true}

Thank you!! All your efforts are greatly appreciated!

On Monday, December 18, 2017 at 4:19:05 PM UTC-5, Jordan Borean wrote:
>
> I believe I may know what is happening and this was fixed in the latest
> devel branch so you can try that out if you like. Looks like it is failing
> to gather facts before it gets to your debug task, can you set
> *gather_facts: no* in your playbook as I'm really curious if the cert
> validation is being set properly.
>
> A few other things that would be helpful to know
>
> * Run *pip list* and post the output
> * What version of Ansible are you on
> * What version of Python 2.7 are you on
> * If you turn on fact gathering, does it work if you explicitly set the
>   ignore var on the stat task like so
>
> - win_stat:
>     path: C:\Users
>   vars:
>     ansible_winrm_server_cert_validation: ignore
>
> Looks like you are using a dynamic inventory for your AWS hosts, instead
> of having include_vars to point to the Windows vars file I would create
> an actual windows group in that inventory and add those hosts in
> there. In the end it would look something similar to this (untested)
>
> #
[ansible-project] Re: Issue with running Ansible playbook against windows.
I believe I may know what is happening and this was fixed in the latest devel branch so you can try that out if you like. Looks like it is failing to gather facts before it gets to your debug task, can you set *gather_facts: no* in your playbook as I'm really curious if the cert validation is being set properly.

A few other things that would be helpful to know

* Run *pip list* and post the output
* What version of Ansible are you on
* What version of Python 2.7 are you on
* If you turn on fact gathering, does it work if you explicitly set the ignore var on the stat task like so

    - win_stat:
        path: C:\Users
      vars:
        ansible_winrm_server_cert_validation: ignore

Looks like you are using a dynamic inventory for your AWS hosts, instead of having include_vars to point to the Windows vars file I would create an actual windows group in that inventory and add those hosts in there. In the end it would look something similar to this (untested)

    # inventory/hosts
    [tag_OSType_Windows]
    # keep empty, is populated in the dynamic inventory

    [windows:children]
    tag_OSType_Windows

    # inventory/ec2.py
    ... keep as normal, just to show how to mix/match dynamic and static inventories

    # inventory/ec2.ini
    ... keep as normal

    # group_vars/windows.yml
    ansible_user: username
    ansible_password: "#"
    ansible_port: 5986
    ansible_connection: winrm
    ansible_winrm_scheme: https
    # The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
    ansible_winrm_server_cert_validation: ignore

    # playbooks/windows.yml
    - name: run test on Windows host
      hosts: '{{target}}'
      tasks:
      - win_stat:
          path: C:\Users

From there you would add a tag to the newly created instances OSType: Windows so that when Ansible reads it from the inventory it is automatically put in the Windows group. Even though you are running the playbook on the one host it will inherit the group based on that tag which in turn gets the Windows vars required.

Thanks

Jordan
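Added example (not part of the thread and not the Ansible project's own configuration): the WinRM connection variables from the message above, next to a variant that keeps certificate verification switched on. The trust-file path is a hypothetical placeholder, and the variant assumes a pywinrm release that accepts ca_trust_path and a listener certificate whose subject matches the name Ansible connects to.

```yaml
# --- As posted in the thread: group_vars/windows.yml ------------------------
# HTTPS on 5986, but the listener certificate is never verified, so the
# control node cannot tell the intended host from anything else that
# answers on that address.
ansible_user: username
ansible_password: "#"
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_scheme: https
ansible_winrm_server_cert_validation: ignore
---
# --- Variant with verification kept on (added example) ----------------------
# Same inventory group_vars file, so the values are attached to the host by
# the inventory instead of being pulled in through vars_files in the play.
ansible_user: username
ansible_password: "#"            # placeholder, as in the thread
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_scheme: https
ansible_winrm_server_cert_validation: validate
# Hypothetical path: a PEM file on the control node containing the
# self-signed listener certificate, or the CA that issued it.
ansible_winrm_ca_trust_path: /etc/ansible/winrm-trust/windows-hosts.pem
# Verification also checks the name: the inventory has to address the host
# by a name that appears in the certificate. A certificate issued for a
# host name will not verify when the connection is made to a bare IP.
```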
[ansible-project] Re: Issue with running Ansible playbook against windows.
@jordan I completely agree. Although I have clearly stated in the group_vars/windows.yml file to ignore cert validation it does not appear to acknowledge the setting. With the tasks/main.yml file now looking like this:

    ---
    # Obtain information about a folder
    - debug:
        var: ansible_winrm_server_cert_validation

    - win_stat:
        path: C:\Users
      register: folder_info

I get the same result.

    ubuntu@ip-x-x-x-x:~/infratools/ansible$ play playbooks/windows.yml -e "target=tag_Name_R2_CSE03" -vvv
    Using /home/ubuntu/infratools/ansible/ansible.cfg as config file

    PLAYBOOK: windows.yml *
    1 plays in playbooks/windows.yml

    PLAY [tag_Name_R2_CSE03] **

    TASK [Gathering Facts]
    Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/setup.ps1
    ESTABLISH WINRM CONNECTION FOR USER: administrator on PORT 5986 TO x.x.x.x
    fatal: [x.x.x.x]: UNREACHABLE! => {
        "changed": false,
        "msg": "ssl: HTTPSConnectionPool(host='x.x.x.x', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))",
        "unreachable": true
    }

On Friday, December 15, 2017 at 7:41:37 PM UTC-5, Jordan Borean wrote:
>
> For some reason the ansible_winrm_server_cert_validation: ignore var is
> not being set for your Windows host hence the error. Can you test out the
> following before your win_stat task when running on the Windows host.
>
> - debug:
>     var: ansible_winrm_server_cert_validation
>
[ansible-project] Re: Issue with running Ansible playbook against windows.
For some reason the ansible_winrm_server_cert_validation: ignore var is not being set for your Windows host hence the error. Can you test out the following before your win_stat task when running on the Windows host.

    - debug:
        var: ansible_winrm_server_cert_validation
[ansible-project] Re: Issue with running Ansible playbook against windows.
Hey there,

I was just cutting my teeth on executing playbooks against Windows. To add to Tony's piece about the PowerShell script ConfiguringRemotingforAnsible.ps1 which I had to do I also had to pip install the following on the control machine within side my virtualenv:

    pip install pywinrm
    pip install pywinrm[kerberos]

Source: http://docs.ansible.com/ansible/latest/intro_windows.html

I'm not sure if this will help you or not but worth a shot if you haven't already done so yet. Good luck!

On Friday, December 15, 2017 at 1:50:41 PM UTC-8, Alexmil Reyes wrote:
>
> Thank you for responding.
>
> I am able to telnet to the windows machine without a problem. But the
> playbook still presented the same error when it was run.
>
> I ran the following commands on the windows machine:
>
> winrm delete winrm/config/Listener?Address=*+Transport=HTTP
>
> winrm delete winrm/config/Listener?Address=***+Transport=HTTPS
>
> followed up with the ConfigureRemotingForAnsible.ps1. I was able to
> telnet and win_ping but error continues to occur when I run the playbook.
>
> On Friday, December 15, 2017 at 3:03:36 PM UTC-5, Tony Chia wrote:
>>
>> You can also try removing the existing listeners and then run
>> ConfigureRemotingForAnsible.ps1 which will recreate the self-signed ssl
>> certificate using the following commands
>>
>> winrm delete winrm/config/Listener?Address=*+Transport=HTTP
>>
>> winrm delete winrm/config/Listener?Address=***+Transport=HTTPS
>>
>> On Friday, December 15, 2017 at 11:31:14 AM UTC-8, Tony Chia wrote:
>>>
>>> Try running "ConfigureRemotingForAnsible.ps1" on the windows host you
>>> are trying to manage with Ansible.
>>> If that doesn't work try this command on the ansible host
>>>
>>> telnet windows-host-name 5985
>>> telnet windows-host-name 5986
>>>
>>> If you see "Trying ..." but times out, then maybe the network ACL is not
>>> opened.
>>>
>>> On Thursday, December 14, 2017 at 2:44:18 PM UTC-8, Alexmil Reyes wrote:
>>>>
>>>> Hi,
>>>>
>>>> Thank you in advance to anyone who helps here. So am unable to run
>>>> playbooks against our windows AWS instances. I was able to perform a
>>>> win_ping but when I attempt to run this task on the same instances that I
>>>> am able to ping I get an SSL Cert error. I have displayed all relevant
>>>> information down below, let me know if any other information is required.
>>>>
>>>> *PLAYBOOK*
>>>> ---
>>>> - hosts: "{{target}}"
>>>>   roles:
>>>>     - windows
>>>>   vars_files:
>>>>     - "/home/ubuntu/infratools/ansible/inventory/group_vars/windows.yml"
>>>>
>>>> *TASK MAIN.YML*
>>>> ---
>>>> # Obtain information about a folder
>>>> - win_stat:
>>>>     path: C:\Users
>>>>   register: folder_info
>>>>
>>>> *WIN_VARS*
>>>> ansible_user: username
>>>> ansible_password: "#"
>>>> ansible_port: 5986
>>>> ansible_connection: winrm
>>>> ansible_winrm_scheme: https
>>>> # The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
>>>> ansible_winrm_server_cert_validation: ignore
>>>>
>>>> *WIN_PING*
>>>> 10.100.22.111 | SUCCESS => {
>>>>     "changed": false,
>>>>     "ping": "pong"
>>>> }
>>>>
>>>> *ERROR*
>>>> }
>>>> fatal: [10.100.22.111]: UNREACHABLE! => {
>>>>     "changed": false,
>>>>     "msg": "ssl: HTTPSConnectionPool(host='10.100.22.111', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))",
>>>>     "unreachable": true
>>>> }
[ansible-project] Re: Issue with running Ansible playbook against windows.
Thank you for responding.

I am able to telnet to the windows machine without a problem. But the playbook still presented the same error when it was run.

I ran the following commands on the windows machine:

    winrm delete winrm/config/Listener?Address=*+Transport=HTTP

    winrm delete winrm/config/Listener?Address=***+Transport=HTTPS

followed up with the ConfigureRemotingForAnsible.ps1. I was able to telnet and win_ping but error continues to occur when I run the playbook.

On Friday, December 15, 2017 at 3:03:36 PM UTC-5, Tony Chia wrote:
>
> You can also try removing the existing listeners and then run
> ConfigureRemotingForAnsible.ps1 which will recreate the self-signed ssl
> certificate using the following commands
>
> winrm delete winrm/config/Listener?Address=*+Transport=HTTP
>
> winrm delete winrm/config/Listener?Address=***+Transport=HTTPS
>
> On Friday, December 15, 2017 at 11:31:14 AM UTC-8, Tony Chia wrote:
>>
>> Try running "ConfigureRemotingForAnsible.ps1" on the windows host you are
>> trying to manage with Ansible.
>> If that doesn't work try this command on the ansible host
>>
>> telnet windows-host-name 5985
>> telnet windows-host-name 5986
>>
>> If you see "Trying ..." but times out, then maybe the network ACL is not
>> opened.
>>
>> On Thursday, December 14, 2017 at 2:44:18 PM UTC-8, Alexmil Reyes wrote:
>>>
>>> Hi,
>>>
>>> Thank you in advance to anyone who helps here. So am unable to run
>>> playbooks against our windows AWS instances. I was able to perform a
>>> win_ping but when I attempt to run this task on the same instances that I
>>> am able to ping I get an SSL Cert error. I have displayed all relevant
>>> information down below, let me know if any other information is required.
>>>
>>> *PLAYBOOK*
>>> ---
>>> - hosts: "{{target}}"
>>>   roles:
>>>     - windows
>>>   vars_files:
>>>     - "/home/ubuntu/infratools/ansible/inventory/group_vars/windows.yml"
>>>
>>> *TASK MAIN.YML*
>>> ---
>>> # Obtain information about a folder
>>> - win_stat:
>>>     path: C:\Users
>>>   register: folder_info
>>>
>>> *WIN_VARS*
>>> ansible_user: username
>>> ansible_password: "#"
>>> ansible_port: 5986
>>> ansible_connection: winrm
>>> ansible_winrm_scheme: https
>>> # The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
>>> ansible_winrm_server_cert_validation: ignore
>>>
>>> *WIN_PING*
>>> 10.100.22.111 | SUCCESS => {
>>>     "changed": false,
>>>     "ping": "pong"
>>> }
>>>
>>> *ERROR*
>>> }
>>> fatal: [10.100.22.111]: UNREACHABLE! => {
>>>     "changed": false,
>>>     "msg": "ssl: HTTPSConnectionPool(host='10.100.22.111', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))",
>>>     "unreachable": true
>>> }
[ansible-project] Re: Issue with running Ansible playbook against windows.
You can also try removing the existing listeners and then run ConfigureRemotingForAnsible.ps1 which will recreate the self-signed ssl certificate using the following commands

    winrm delete winrm/config/Listener?Address=*+Transport=HTTP

    winrm delete winrm/config/Listener?Address=***+Transport=HTTPS

On Friday, December 15, 2017 at 11:31:14 AM UTC-8, Tony Chia wrote:
>
> Try running "ConfigureRemotingForAnsible.ps1" on the windows host you are
> trying to manage with Ansible.
> If that doesn't work try this command on the ansible host
>
> telnet windows-host-name 5985
> telnet windows-host-name 5986
>
> If you see "Trying ..." but times out, then maybe the network ACL is not
> opened.
>
> On Thursday, December 14, 2017 at 2:44:18 PM UTC-8, Alexmil Reyes wrote:
>>
>> Hi,
>>
>> Thank you in advance to anyone who helps here. So am unable to run
>> playbooks against our windows AWS instances. I was able to perform a
>> win_ping but when I attempt to run this task on the same instances that I
>> am able to ping I get an SSL Cert error. I have displayed all relevant
>> information down below, let me know if any other information is required.
>>
>> *PLAYBOOK*
>> ---
>> - hosts: "{{target}}"
>>   roles:
>>     - windows
>>   vars_files:
>>     - "/home/ubuntu/infratools/ansible/inventory/group_vars/windows.yml"
>>
>> *TASK MAIN.YML*
>> ---
>> # Obtain information about a folder
>> - win_stat:
>>     path: C:\Users
>>   register: folder_info
>>
>> *WIN_VARS*
>> ansible_user: username
>> ansible_password: "#"
>> ansible_port: 5986
>> ansible_connection: winrm
>> ansible_winrm_scheme: https
>> # The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
>> ansible_winrm_server_cert_validation: ignore
>>
>> *WIN_PING*
>> 10.100.22.111 | SUCCESS => {
>>     "changed": false,
>>     "ping": "pong"
>> }
>>
>> *ERROR*
>> }
>> fatal: [10.100.22.111]: UNREACHABLE! => {
>>     "changed": false,
>>     "msg": "ssl: HTTPSConnectionPool(host='10.100.22.111', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))",
>>     "unreachable": true
>> }
[ansible-project] Re: Issue with running Ansible playbook against windows.
Try running "ConfigureRemotingForAnsible.ps1" on the windows host you are trying to manage with Ansible.
If that doesn't work try this command on the ansible host

    telnet windows-host-name 5985
    telnet windows-host-name 5986

If you see "Trying ..." but times out, then maybe the network ACL is not opened.

On Thursday, December 14, 2017 at 2:44:18 PM UTC-8, Alexmil Reyes wrote:
>
> Hi,
>
> Thank you in advance to anyone who helps here. So am unable to run
> playbooks against our windows AWS instances. I was able to perform a
> win_ping but when I attempt to run this task on the same instances that I
> am able to ping I get an SSL Cert error. I have displayed all relevant
> information down below, let me know if any other information is required.
>
> *PLAYBOOK*
> ---
> - hosts: "{{target}}"
>   roles:
>     - windows
>   vars_files:
>     - "/home/ubuntu/infratools/ansible/inventory/group_vars/windows.yml"
>
> *TASK MAIN.YML*
> ---
> # Obtain information about a folder
> - win_stat:
>     path: C:\Users
>   register: folder_info
>
> *WIN_VARS*
> ansible_user: username
> ansible_password: "#"
> ansible_port: 5986
> ansible_connection: winrm
> ansible_winrm_scheme: https
> # The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
> ansible_winrm_server_cert_validation: ignore
>
> *WIN_PING*
> 10.100.22.111 | SUCCESS => {
>     "changed": false,
>     "ping": "pong"
> }
>
> *ERROR*
> }
> fatal: [10.100.22.111]: UNREACHABLE! => {
>     "changed": false,
>     "msg": "ssl: HTTPSConnectionPool(host='10.100.22.111', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))",
>     "unreachable": true
> }