Hi
I am having issues trying to create a play that will setup a Windows EC2
instance and then install software once it is up. For linux instances I do
the following to create a new instance on the localhost and then run the
other roles on the new instance once it is ready.
---
- name: create
Thanks for the suggestion, the trouble I am having is that I want to create the
instance from ec2 and all my hosts are gotten dynamically. Are you suggesting I
split up my config so the aws variables are in one file and then my tagged
application details are in another which contains the
The win_share module currently catches all exceptions and doesn't
output the exception message in the final JSON output. I've raised a PR to
add this feature as I've come across it just
recently https://github.com/ansible/ansible/pull/22763
On Thursday, March 23, 2017 at 3:40:49 AM UTC+10,
You definitely can allow a non admin account to run through WinRM but it is
definitely not something that is enabled by default and would require some
fiddling with the SDDL and endpoint ACLs. This issue has most of the
information that is required to add a non
admin
Are you able to set ansible_winrm_transport to Kerberos and see if that works
out. I also believe in 2.4 there was a change made where ansible will get the
Kerberos ticket for you removing the need for getting it manually beforehand.
Another thing that would be good to know is the output of
I believe this error appears if you are setting the ansible_connection var
to an invalid connection in this case Kerberos. If you are wanting to use
Windows with kerberos your vars should have
ansible_connection: winrm
ansible_winrm_transport: kerberos
On Tuesday, March 28, 2017 at 10:08:42 PM
Hi Vincent
I don't believe this is possible right now as Ansible uses an older
protocol than Enter-PSSession. What is the configuration that you need to
use, potentially it can be covered with different arguments.
Thanks
Jordan
On Thursday, April 6, 2017 at 10:08:48 AM UTC+10, Vincent
It should be enabled by default. If you run with a high enough verbosity you
will see whether it is running with the exec wrapper or if it is still copying
the modules across.
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe
Looks like you are on the right track where you can get a valid Kerberos
ticket using kinit but your Ansible config needs a few more settings so it
runs through Kerberos. Looking at the error message it is still trying to
authenticate using Basic auth "plaintext" and not Kerberos. Also
You are probably best off using a flat text file for this as Ansible can't
natively parse Excel files. A very basic (can't guarantee to work) example
of using JSON for this would be
JSON File:
[
{
"path": "HKLM:\\Software\\MyCompany",
"name": "hello",
"data":
A list of authentication options that are available to a Windows host through
WinRM are shown here
http://docs.ansible.com/ansible/intro_windows.html#authentication-options. In
short if you need to authenticate with a domain account Kerberos is recommended
as it is the most secure but NTLM and
There were plans to deprecate win_msi in the 2.3 release in favour of
win_package but win_package was never hardened as a core module so it never
became official. That being said win_package is the recommended of the 2 but
there have been a few cases where I still favour win_msi over
If you are using the Configure...ps1 script to set up your Windows host and
WinRM you should set your port to 5986 so Ansible uses TLS to encrypt your
traffic. When doing this you will also need to uncomment the
ansible_winrm_server_cert_validation entry as the Configure...ps1 script
created a
I can't see the output of your execution with Ansible but your main issue
is around the error message you get when running kinit with your domain
account. It is unable to get the Kerberos ticket for your user as it can't
connect to your domain/realm. You will need to solve this issue first if
The group is still alive, you would find most people don't work on a weekend
hence the unanswered questions. I haven't looked too closely at your code but
it seems to be on the right track. You have various options around getting file
contents such as using slurp to retrieve the contents of a
The docker modules won't run on a Windows host as they are written in Python
and Windows runs Powershell modules. The error does seem to indicate something
else is wrong but you won't be able to do this regardless. Are you on a
particular version or are you just running from devel?
Thanks
It's interesting that it worked over a PSSession but still failed with Ansible.
PSSession is run over WinRM which is the same protocol Ansible uses so if it
didn't fail there, there must be something else going on.
Hey Cindy
You can look at using win_package to install your exe, the only downside is
that you need to know the product id of the application to run the task.
Details on the module are
at http://docs.ansible.com/ansible/latest/win_package_module.html, there
are also some examples on that page to
You would need to find out what the install arguments for a silent install
are. I believe InstallShield uses '-s' but you would need to determine if
that is the case with this particular ex. Once you have found out what the
silent argument is add it to your task like so
- name: install
It isn't a goal at this point in time. The decision was made to use
Powershell for Windows modules as that gives us the ability to tap into the
.NET framework where Python would be pretty limited in.
This seems like it could be an SSL wedging issue I've seen from time to
time. It is a weird issue where the combination of the OpenSSL version
(usually older ones) that Python is compiled to use and the cipher suite
selection on the remote server causes the SSL connection to lock up.
Depending
Certificate auth is a bit of a pain with WinRM, I found the best article to
get this working would
be
http://www.hurryupandwait.io/blog/certificate-password-less-based-authentication-in-winrm.
Personally I would say NTLM is more secure than Basic auth as you are not
sending the actual
Become support for Windows is currently in an experimental state and
because of some of the existing limitations like only working over Basic
and CredSSP may change once it is bedded down. I believe because the way it
works may change in the future we are trying to hold off on documenting it
Are there any updates available on that host, Ansible is reporting that the
task didn't change so it didn't detect any updates to install.
Hey
One thing you can do is use the win_region
module https://docs.ansible.com/ansible/win_region_module.html to change
the region of your hosts to a common value. If this isn't what you can do,
you can also run an adhoc command to determine the group name based on the
SID. Give the below
Hi
ansible_connection should be 'winrm' and you can set the auth mode using
ansible_transport. So ultimately your vars should be;
ansible_user: Administrator
ansible_password: RandomePassword
ansible_port: 5985
ansible_winrm_scheme: http
ansible_connection: winrm
That's weird, I've used win_get_url to download files in the gigabyte range
without any performance issues. One thing I would recommend is to try the
powershell command below and post the results in the github issue.
(New-Object System.Net.WebClient).DownloadFile("put the URL here", "put the
Thanks for the info from what you have given me there is a chance that your
NTLM level is set to NTLMv2 only and the libraries installed on your
Ansible host don't support that. You can verify that by running in
Powershell
(Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa
The switch to enable CredSSP when running ConfigureRemotingForAnsible.ps1
is
powershell.exe -ExecutionPolicy Bypass -File ConfigureRemotingForAnsible.ps1 -EnableCredSSP
You can also just enable it manually by running
Enable-WSManCredSSP -role server -Force
As for your Kerberos I find if
I could be wrong but when calling script it looks locally on the Ansible box
and not the windows one. Can you specify your script without using win_copy and
see what happens?
Hey
At home and for dev work I use Windows 10 and WSL to run Ansible and that works
pretty well for me. While this works this method is not supported by Ansible at
all and if you come across issues you will usually be asked to replicate it on
an actual unix box.
The other issue with this is
Hey
Windows unfortunately doesn't have the concept of sudo like unix so to be
able to run a process as another user you need to set the password as well
as the username. Going by the error message you need to set
'ansible_become_password' to the password of the account you are wanting to
run
Hey
Looks like you are trying to connect over port 5985 which is defaulting to
http://hostname:5985/wsman instead of https://hostname:5986/wsman and
Ansible by default doesn't allow you to talk through HTTP unless you have
disabled some security restrictions on the Windows host itself.
For a
Hey
Thanks for the info you've posted, win_dsc has only been recently merged.
Without knowing too much about how it works it seems like this is a bug
with the module and it would be beneficial to raise an Issue
at https://github.com/ansible/ansible.
Thanks
Jordan
Hey
There is a myriad of reasons why this might not work but here is where I
would start. Run the following commands in Powershell and paste the info
here and we should be able to help a bit more
Write-Host "WinRM Service Settings"
winrm get winrm/config/service
Write-Host "WinRM Listener
This looks like your WinRM listener isn't configured properly or something
is blocking your Ansible host from connecting over that port. You can
verify what listeners are online by running this command on your Windows
host
winrm enumerate winrm/config/listener
You should see a listener that
Add a variable in your group vars for the environment you are targeting, e.g.
Have a structure like
group_vars/
  prd.yml - variables for your production environment
  uat.yml - variables for your uat environment
  sit.yml - variables for your sit environment
  app.yml - application
From the error message it seems like the WinRM endpoint is not enabled on
the remote server hence the Failed to establish a new connection error. Try
and use this script to set up the WinRM endpoint on your
server
WinRM is an annoying mechanism with very unhelpful error messages so this could
potentially be a few things that could be causing your issue.
The first thing is that pywinrm doesn't play nice with HTTP end points unless
you disable the majority of the security configurations like
Can you post the results of "winrm get winrm/config/service" here to show
us your WinRM configuration.
I would only allow unencrypted messages for testing and debugging purposes and
never in any production capacity due to the security risk when running over
HTTP. Useful in this case to see if the HTTP endpoint works but should be
turned back off eventually.
Some other things to try
- use a real
You can have multiple plays in a playbook so your playbook could look
something like this.
- name: setup PS requirements on all hosts
  hosts: firsthost
  tasks:
  - name: install psexec
    win_chocolatey:
      name: sysinternal
      state: present
  - name: setup PS with psexec
In your main.yml put in include_tasks: windows.yml when the host is Windows
and include_tasks: unix.yml when it is not. You can use the gathered facts
to do this or you can have a variable that can be set when running on
Windows by the end user.
Personally I think you should still split the
There are no plans to do this, the ConfigureRemotingForAnsible.ps1 script
does what we need so far and is only meant to be used for development
purposes. When running in a production environment you should have your own
process that fulfils your requirements both on a technical and security
Hey
The package pyOpenSSL is used by the requests-credssp package. Even if you are
not using CredSSP it will try and load the library if it is there and fail if
it doesn't exist. There is a newer version of requests-credssp that doesn't
fail outright if you aren't using credssp auth so try pip
You can create a custom "facts" module to iterate all the features
installed and then return what you want for further iteration in Ansible.
If you have configured WinRM using the ConfigureRemotingForAnsible.ps1
script I would highly advise you to use HTTPS over port 5986 instead of
HTTP. For one HTTP is sent over in cleartext and your credentials can be
seen by anyone listening in. The other warning you are getting is because
the
Networking isn't my forte but my netstat looks like yours on hosts with
multiple adapters. I believe 0.0.0.0 in this context means all IP addresses
are listening on that port but could be wrong.
Hi
The win_package module was overhauled in 2.4 and it now allows you to
uninstall a package when you just specify the product id. In the end you
should be able to run just
- win_package:
    product_id: '{7D7C80AF-58D6-4C3F-912B-8B5B4D50A71B}'
    state: absent
This works the way you
Apart from updating the Server OS to 2008 R2 the only way I know how to get
the output of a batch script is to use win_shell while changing the active
code page. An example of running a valid and failing command can be found
- name: create test batch file
  win_copy:
    dest:
Any path outside of the computer you are connecting with will not be
accessible unless
* You are using credential delegation (CredSSP or Kerberos with
`ansible_winrm_kerberos_delegation: true`)
* You use become
* You use a scheduled task
* You manually map the drive and copy the files
Looks
2.3 changed the way that we handled dictionaries from pscustomobjects to
hashtables and the way that scripts were executed were dramatically changed
to decrease the execution time.
As jhawkesworth has mentioned there is a newer guide available for
developing on Windows modules which isn't on
Hey
I haven't tested it when running on a non DA account (my test environments
are very basic) but have tested running it on a non DC host with a DA
account. I would assume it would be possible to run this on a non DC and
non DA account if that is what you wish but believe you would need to
The example you gave to install .net 4.5 is an MSU file that is installed
with Windows update. There is no easy way to install update files but I've
been able to install .net 4.5 using the offline installer that is packaged
as an exe. The link for it is
here
There is an IIS extension that can be used when IIS is intercepting the
WinRM
traffic https://technet.microsoft.com/en-us/library/dd759166(v=ws.11).aspx.
I've never had to deal with this situation before so can't help much
further sorry.
That installer sounds like the way to go. The latest devel branch has made
some changes with become so it works with NTLM and Kerberos authentication
but going that route probably isn't recommended as you would need to know
the credentials for all the accounts you want to install slack on.
Hi
The win_shell module actually executes a command in the PowerShell where
dir is an alias for Get-ChildItem. Get-ChildItem (and other PS cmdlets) do
not have parameters or switches in the form of /* which is why you are
getting this error. You can either change your task to use the
The easiest way is to use the debug module and you can output an empty
string, it would work like this
- name: test 1
  debug:
    msg: ""
- name: test 2
  debug:
    msg: ""
You can also use meta: noop but it isn't recommended for general use, it
would work like this
- name: test 1
  meta:
Hey Sunil
You should be using the win_reboot module to handle updates. It reboots the
server and waits for it to come back online so it should be seamless and
won't continue until it is ready for another task. Your playbook would look
something like this
- name: install updates
  hosts:
The issue you have is that you have an invalid YAML document, if you use a
site like http://yaml-online-parser.appspot.com/ it can test it for you. In
your case, your with_items is indented by too many spaces and should be in
line with fetch.
When you fix that, the return value you are using in
This can still be done, you can set the ansible_become_password variable using
the vars argument like so;
- command: whoami
  become: yes
  become_user: user
  vars:
    ansible_become_password: password
The vars key can be used to set any variable for that particular task and it
can even
Make sure you meet the requirements for Ansible as documented here
http://docs.ansible.com/ansible/devel/windows_setup.html#host-requirements. It
requires at least PowerShell v3 which is when the ConvertTo-Json cmdlet was
added.
We would probably need some more information and not just a blank variable
called uninstall. You can omit names but keep the structure and arguments
the same so we can see what exactly is the value from the registry key. Are
you also able to share the registry path you are querying as you might
If it is just one software you want to uninstall use win_package with the
product id, e.g.
- name: ensure Splunk x.y is uninstalled
  win_package:
    product_id: '{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}' # note this ID will be unique to the Splunk version
    state: absent
IIRC correctly
For some reason the ansible_winrm_server_cert_validation: ignore var is not
being set for your Windows host hence the error. Can you test out the
following before your win_stat task when running on the Windows host.
- debug:
    var: ansible_winrm_server_cert_validation
I believe I may know what is happening and this was fixed in the latest
devel branch so you can try that out if you like. Looks like it is failing
to gather facts before it gets to your debug task, can you set *gather_facts:
no* in your playbook as I'm really curious if the cert validation is
Ansible is a declarative language where you put the state of a resource, in
this case you want a service to be stopped. If you were to run it again
then it would just try to set the service to stopped or skip the task if it
is already stopped.
This situation is a bit more difficult as Ansible
The Windows Event Log, I believe the service information is stored in
either the System or Application event log and usually gives you more
details as to why a service started or failed to stop. Unfortunately
Ansible is limited to what info Powershell returns which in this case was
"Cannot
delegate_to is a tricky one and I've come across a few pitfalls. One thing
to note is that delegate_to is meant to replace the connection vars for the
host specified, in this case I would have expected ansible_host to be
localhost in every instance.
What I would suggest is infinitely easier
It is definitely possible but you will probably be coming up with other
errors because you either need to use CredSSP, Kerberos with credential
delegation, become, or psexec to install SQL Server.
For the case around running a powershell script I would try the following
- win_command:
No worries, unfortunately package management in Windows is in a pretty poor
state as there is no first class manager like yum or apt. Chocolatey is
pretty good and I would recommend using it if possible as it abstracts a
lot of the information away to the point where you can just mention the
Ansible used the TEMP environment variable to determine the path to the
temporary folder, so you can just type in *%TEMP%* in Windows explorer to
get there for the current user. When doing this through RDP you might be
redirected to a folder called 1, 2, 3, ... but that's just an Explorer
While you can use win_shell I find it is better to use win_command when it
comes to running executables, this way you don't fall prey to the shell
specific escaping, e.g. when using win_shell you usually have to do it like;
- win_shell: &"C:\Program Files\someapp\app.exe"
compared to
-
If the previous task before the copy one is to install some features and
reboot then potentially the WinRM service comes back online but it reboots
one more time that isn't caught. What I would potentially do is
- name: install problematic features
  win_feature:
    name: ...
  register:
Actually after looking at the error it does still seem to be a fatal error
so I don't think the block/rescue will work in this case so I think putting
wait_for_connection after your reboot stage might be best.
That's weird I was able to get this task working in an optional integration
test when developing these changes here
https://github.com/ansible/ansible/blob/devel/test/integration/targets/win_dsc/tasks/destructive.yml#L62.
Are you able to open a GitHub issue about this and I'll try and look
It is showing it tried to connect through ssh because there is a typo in your
group vars. Change ansible_connexion: winrm to ansible_connection: winrm and it
should start to use the correct connection plugin.
The win_iis_* modules are fairly old and have a few bugs associated with
them. I started to rewrite them but haven't really been able to continue
due to time commitments and the fact that DSC is probably better suited
towards this task. My recommendation is to;
* Ensure PowerShell 5.0 is
2.1 is 3 releases old and is no longer supported by Ansible. There has also
have been massive improvements and bug fixes for Windows since then and I would
highly recommend you upgrade to at least 2.3 and try again.
I don’t know why it failed but unless you can verify it is still happening on
the
As Jon is saying you are trying to run the win_feature module on localhost
and not the newly provisioned EC2 server. Here is a very mock playbook that
you need to follow to get working. Note this is not tested and some things
could potentially be wrong
---
- name: provision new EC2 server
I don't think win_shell is necessary, you are truly trying to run an
executable and don't want to confuse issues that may be related to how the
shell handles things and how a command handles it. In your case you will
need to enclose the full command with a single quote ', you tried this but
I
Where is the setup-x86_64.exe located? By default commands run from
win_command and win_shell are run in the user's home directory which means
it will be trying to execute *C:\Users\pkmbuilder\setup-x86_64.exe*. If the
exe is located in another directory you will either have to reference the
Personally, I would bypass the batch file and just call the executable
directly like
- name: install Cygwin
  win_command: C:\Users\pkmbuilder\setup-x86_64.exe --root C:\cygwin64 --quiet-mode --site http://cygwin.mirror.constant.com --packages "openssh,rsync,zip,vim,wget"
# Note if you are
Hi
It's definitely possible to install the winrm requirements with Ansible, a
few things to note regarding your outputs
* Look at upgrading your host to a new version so that it at least has
Python 2.7 installed by default (2.6 is old and not supported by Python
itself but it should still
Yep, looks like we should update the docs to be correct, you can just do
*- win_shell: whoami* to test it out.
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
No idea on that, looks like an issue in the install script for the rsat
package. You can try to just become an existing user and not SYSTEM account
like so
- win_chocolatey:
    name: rsat
    state: present
  vars:
    ansible_become: yes
    ansible_become_method: runas
That link is specifically for the docs of the 2.4 version. To always get
the latest docs, change 2.4 to latest like so
http://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html.
Thanks
Jordan
The docs side is somewhat new so some pages in Google might be pointed
towards older versions. Making sure the URL is set to latest will always be
the latest version while setting to devel will point to the current devel
version.
Thanks
Jordan
This sounds like it could be an issue with the whitelist functionality of
win_updates. I know I had it working for single updates but can't fully
remember if I tested it with multiple updates but I thought I did. Can you
raise an issue with these details at
I've created a role that can do what you are looking for but it includes
things outside of Kerberos and more specific for that task at hand
https://github.com/jborean93/ansible-windows/tree/master/vagrant-linux/roles/kerberos.
What you really need is 2 tasks;
1. Install the kerb/gssapi
Deny rights always override Allow rights in Windows ACLs. If a user is a
member of the Administrator group *AND* the Users group the deny you
applied on the 2nd win_acl task will cause an access is denied message. I'm
pretty sure by default an Admin account is a member of both and that's
I would try and import the requests_ntlm package and try and find out why
it is failing to be imported. It could be that a required package like
cryptography isn't installed. To do this run
python -c "from requests_ntlm import HttpNtlmAuth"
If the import fails it will give you an error saying
Are you still getting the import error when trying to manually import
cryptography, you need to solve that first before using Ansible.
I'm a bit confused, do you need to use Cygwin to run this script,
everything would be so much simpler if you ignored Cygwin and used
something like PowerShell or pure Python? For your current playbook there
are a few issues I see;
- Windows modules, like win_template, do not support the
What about import requests_ntlm? If that works but Ansible doesn't it
sounds like Ansible is using a different Python interpreter to the one you
tested on.
Pycrypto is not the same as cryptography, the package is literally called
cryptography and should be installed.
Thanks
Jordan
Looks like the python on your PATH is at /Users/anthony/ansible/bin/python
but the Ansible command is on /Library/Python/2.7 which is different.
Hmm, looks like your host vars isn't matching with what I expect, it is
actually connecting over SSH and not WinRM when your original post said you
defined ansible_connection: winrm. Is there a reason why you are using
SSH/Cygwin on Windows, we don't support it currently as a valid
The issue you are seeing is that you are using the stdout_lines return
value which is the stdout of the script that was run but split into a list
on each newline. You want to use the stdout return value from the script
which would be the full stdout of your json. The tasks would look
Hey
There are a few ways to do this, they usually revolve around using filters
to "filter" the value into something else. Ansible has a few filters
available outside of the standard Jinja2 functions which can be found here