PS (still raw and not digested): When config.winrm.ssl_peer_verification option is set to *false*, the Ansible provisioner should set ansible_winrm_server_cert_validation=ignore in the dynamic inventory.
Pending: give some thoughts about static inventory support alternatives:
1. not supported (static inventory author should take care of this, even though this could be incoherent with config.winrm.* values), or
2. pass the ansible_winrm_server_cert_validation=ignore by another means (e.g. via an extra var or via an environment variable)

On Tuesday, May 15, 2018 at 23:01:02 UTC+2, Gilles Cornu wrote:
>
> Hey there,
>
> Thank you Pixel Fairy for reporting this improvement request. Thank you
> Alvaro and Mário for your useful inputs.
>
> Ansible support for Windows has without any doubt strongly evolved since
> late 2015, which is the time when the WinRM support was added to the
> Ansible provisioner in Vagrant 1.8
> <https://github.com/hashicorp/vagrant/pull/6576>. Therefore, I'm certain
> that we should give it some valuable updates, but the Vagrant+Ansible
> community was not very active on this field so far... and I personally
> don't manage (yet) Windows hosts (neither for fun nor profit ;-)
>
> How should i test it to help the core developers?
>
> By "help to test that works", I think Alvaro meant that it would be of
> great help if you could provide us a minimalistic setup/project that
> demonstrates the issue, and its resolution. Ideally a public git repo with
> all the information to reproduce/illustrate the use case (Vagrantfile,
> Ansible playbook, etc.). That can save a lot of time, and avoid
> misunderstanding.
>
> 1. "ansible_winrm_server_cert_validation: ignore" in the generated
> inventory
>
> So at first glance, I think that Proposal 1 is probably a good approach
> (i.e. KISS), but I'd like to better figure out the Ansible usage landscape,
> combined with what Vagrant already supports regarding WinRM communication
> <https://www.vagrantup.com/docs/vagrantfile/winrm_settings.html#available-settings>,
> especially the config.winrm.transport option.
>
> is option 2 possible?
> I guess ;-) It would be great if you could investigate the capabilities
> offered by config.winrm.* options (e.g. to configure the ssl certs). The
> idea is then to improve the Ansible provisioner so it also honours the same
> settings.
>
> is it even worth the effort if windows is going to switch to ssh anyway?
> Good point (and more amazing stuff ahead
> <https://www.vagrantup.com/docs/vagrantfile/winssh_settings.html> ;-).
> After a very quick look at the Win32-OpenSSH milestones
> <https://github.com/PowerShell/Win32-OpenSSH/milestones>, I think it is
> still worth making some Quick Wins on top of WinRM. But it will be
> reasonable to set some constraints, based on the WinSSH perspectives.
>
> For the next step, I invite you to create a GitHub issue
> <https://github.com/hashicorp/vagrant/issues/new>, describing the *expected
> behaviour* (e.g. new parameters in the generated ansible inventory
> <https://www.vagrantup.com/docs/provisioning/ansible_intro.html#auto-generated-inventory>,
> taking into account the concerns mentioned above). It would be very much
> appreciated if you or someone else also wants to implement this. Otherwise,
> I'll be happy to help, once the "specs" are clarified.
>
> I wish we'll go forward with this! Best regards,
> Gilles
>
> On Monday, May 14, 2018 at 05:45:53 UTC+2, pixel fairy wrote:
>>
>> How should i test it to help the core developers? I use ignore
>> cert_validation in all my windows ansible vagrant sessions.
>>
>> On Tuesday, May 8, 2018 at 9:08:55 AM UTC-7, Alvaro Miranda Aguilera
>> wrote:
>>>
>>> correct, but if you can help to test that works, then a PR should be
>>> easier.
>>>
>>> I am not sure vagrant core developers use ansible to be able to test and
>>> code that
>>>
>>> Alvaro
>>>
>>> On Tue, May 8, 2018 at 1:54 AM, pixel fairy <[email protected]> wrote:
>>>>
>>>> On Monday, May 7, 2018 at 12:39:42 AM UTC-7, Alvaro Miranda Aguilera
>>>> wrote:
>>>>>
>>>>> not a chance you can test to deploy the certs that ansible can use
>>>>> with a file provisioner or something?
>>>>>
>>>>> https://docs.ansible.com/ansible/2.5/user_guide/windows_winrm.html#certificate
>>>>
>>>> the point was to have the ansible provisioner handle these details in
>>>> the background by default.
>>>>
>>>> it's not that big a deal to throw an extra line in your playbook. just
>>>> think vagrant should handle these things for the user.
>>>>
>>>>> Alvaro
>>>>>
>>>>> On Sun, May 6, 2018 at 3:24 AM, pixel fairy <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> disclaimer, all i know about winrm is that it's kinda like windows
>>>>>> equivalent to ssh if you squint at it just right from a far enough away.
>>>>>>
>>>>>> windows doesn't work out of the box as expected with the ansible
>>>>>> provisioner. there's two ways i think this can be fixed.
>>>>>>
>>>>>> 1. "ansible_winrm_server_cert_validation: ignore" in the generated
>>>>>> inventory
>>>>>> 2. don't ignore it, but use a self signed cert that vagrant already
>>>>>> knows about, and have it generate a new cert the way it does with ssh.
>>>>>>
>>>>>> is option 2 possible? is it even worth the effort if windows is going
>>>>>> to switch to ssh anyway?
>>>>>>
>>>>>> --
>>>>>> This mailing list is governed under the HashiCorp Community
>>>>>> Guidelines - https://www.hashicorp.com/community-guidelines.html.
>>>>>> Behavior in violation of those guidelines may result in your removal
>>>>>> from this mailing list.
>>>>>>
>>>>>> GitHub Issues: https://github.com/mitchellh/vagrant/issues
>>>>>> IRC: #vagrant on Freenode
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "Vagrant" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to [email protected].
>>>>>> To view this discussion on the web visit
>>>>>> https://groups.google.com/d/msgid/vagrant-up/be9be99c-3fff-45c2-a1c4-ce6afa3e4fb6%40googlegroups.com
>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>> --
>>>>> Alvaro
>>>
>>> --
>>> Alvaro
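The behaviour discussed in this thread, as an added sketch that is not part of the original messages and not Vagrant's code: it emits `ansible_winrm_server_cert_validation=ignore` only on an explicit `ssl_peer_verification` opt-out and otherwise keeps validation on. `WinrmSettings`, `inventory_line` and the `ca_trust_path` field are hypothetical names, and the guest values are constructed.

```ruby
# Added sketch, not Vagrant's code. WinrmSettings, inventory_line and
# ca_trust_path are hypothetical; ssl_peer_verification and transport mirror
# config.winrm.*, and the ansible_* keys are Ansible's WinRM inventory variables.
WinrmSettings = Struct.new(:host, :port, :username, :transport,
                           :ssl_peer_verification, :ca_trust_path,
                           keyword_init: true)

# Returns [inventory_line, warnings] for one Windows guest.
def inventory_line(name, winrm)
  warnings = []
  vars = {
    "ansible_connection" => "winrm",
    "ansible_host" => winrm.host,
    "ansible_port" => winrm.port,
    "ansible_user" => winrm.username
  }

  # Certificate checks only matter when the WinRM session runs over TLS.
  if winrm.transport == :ssl
    vars["ansible_winrm_scheme"] = "https"
    if winrm.ssl_peer_verification == false
      # Proposal 1: mirror the explicit opt-out, and make it visible.
      vars["ansible_winrm_server_cert_validation"] = "ignore"
      warnings << "#{name}: WinRM server certificate is not verified"
    else
      # Proposal 2: keep validation on and trust a certificate Vagrant knows.
      vars["ansible_winrm_server_cert_validation"] = "validate"
      vars["ansible_winrm_ca_trust_path"] = winrm.ca_trust_path if winrm.ca_trust_path
    end
  end

  line = ([name] + vars.map { |k, v| "#{k}=#{v}" }).join(" ")
  [line, warnings]
end

# Constructed sample guests (documentation address, made-up path).
insecure = WinrmSettings.new(host: "192.0.2.10", port: 5986, username: "vagrant",
                             transport: :ssl, ssl_peer_verification: false)
pinned = WinrmSettings.new(host: "192.0.2.10", port: 5986, username: "vagrant",
                           transport: :ssl, ssl_peer_verification: true,
                           ca_trust_path: "/tmp/example/winrm-ca.pem")

[insecure, pinned].each do |cfg|
  line, warnings = inventory_line("win1", cfg)
  puts line
  warnings.each { |w| warn w }
end
```

An unset `ssl_peer_verification` falls into the validating branch, so the generated inventory never disables certificate checks by default.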
