Ansible Managing Windows Servers

As of this writing there is no great way to install Ansible on Windows servers (you have to install Cygwin), but Ansible running on Linux can readily configure Windows servers and push files down to them.  There are some things to look out for when setting this up, and Ansible's website does not document them well.  Some documentation (on various websites) tells DevOps engineers (or whoever is using Ansible) to put a windows.yml file in a group_vars directory; this file is supposed to contain the authentication information.  There is scant reference to how this windows.yml file is later invoked or where the group_vars directory should be.  What some DevOps engineers use instead is local user accounts on the Windows servers, with an inventory file (on the Linux server) that configures communication to the Windows server.  They do this because Kerberos and the other alternatives can be convoluted to set up.  SSH is often not used because it would require Cygwin on the Windows server or MobaSSH (software that costs over $40 per license).  (To install Cygwin for free on Windows Server 2016, see this posting.)  To avoid the windows.yml file in a group_vars directory, and to avoid Kerberos, this article explains how to use Ansible on Linux with an inventory file that enables the management of Windows nodes via a local Windows user account.

This inventory file, named "hosts," is usually located on the Ansible server in the /etc/ansible/ directory.  In this file (/etc/ansible/hosts) is a section called "[windows:vars]."  You may have to create such a stanza if it does not already exist.  The syntax of this section is very particular for local Windows accounts: seemingly small errors produce failures that are not logged and prevent Ansible from working properly.  The stanza looks like this:

[windows:vars]
ansible_ssh_user = jdoe
ansible_ssh_pass = P@SSWORD
ansible_ssh_port = 5896
ansible_connection = winrm

Note the following five things:
1.  Quotes around the username, password, port number, and connection type are optional.  Ansible playbooks can use the [windows:vars] section with or without quotes.  Quoting is not where this section goes wrong; the points below are.
2.  The separators are equals signs "=", not colons ":".
3.  The second line is "ansible_ssh_pass."  There is no "password" in the above.  You may get a "401 Authorization" error if the key is spelled with "password" (that is, if the word "word" appears in the "ansible_ssh_pass" field).
4.  The last line, "ansible_connection," has no "ssh" in it.  Ansible tries to use SSH by default, and you may get a "Banner exchange timeout" error if there is a "_ssh" in the ansible_connection field.
5.  The local account on the Windows machine (here jdoe) must be a member of the local server's "Administrators" group.
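Because a typo in this stanza fails silently, it is worth checking the file mechanically before running a playbook.  The following linter is an added example (it is not from the original post and not part of Ansible); it parses the [windows:vars] stanza of an INI inventory and checks the five points above.  The inventory text is constructed inline, and the password in it is a placeholder, not a real credential.

```python
"""Lint the [windows:vars] stanza of an Ansible INI inventory for the
pitfalls listed above.  Added example, not code from the original post."""

# Constructed sample inventory; the password is a placeholder, not a real secret.
SAMPLE_INVENTORY = """\
[windows]
win01.example.internal

[windows:vars]
ansible_ssh_user = jdoe
ansible_ssh_pass = "P@SSWORD"
ansible_ssh_port = 5896
ansible_connection = winrm
"""


def parse_stanza(text, name="windows:vars"):
    """Return the key/value pairs of one INI stanza as a dict of strings.

    Raises ValueError when the stanza is missing or when a line inside it has
    no '=' separator (the colon pitfall, point 2 above).
    """
    values, in_stanza, found = {}, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                                  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_stanza = line[1:-1].strip() == name    # entering some stanza
            found = found or in_stanza
            continue
        if not in_stanza:
            continue                                  # hosts of another group
        if "=" not in line:
            raise ValueError("line uses no '=' separator: %r" % line)
        key, value = (part.strip() for part in line.split("=", 1))
        values[key] = value.strip("'\"")              # quotes are optional (point 1)
    if not found:
        raise ValueError("no [%s] stanza found" % name)
    return values


def lint_windows_vars(values):
    """Return a list of problems; an empty list means the stanza matches the notes."""
    problems = []
    if "ansible_ssh_user" not in values:
        problems.append("ansible_ssh_user is missing")
    if "ansible_ssh_pass" not in values:               # point 3: no 'password'
        lookalikes = [k for k in values if "pass" in k]
        hint = " (found %s instead)" % lookalikes if lookalikes else ""
        problems.append("ansible_ssh_pass is missing" + hint)
    port = values.get("ansible_ssh_port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("ansible_ssh_port is not a valid TCP port: %r" % port)
    conn = values.get("ansible_connection", "")
    if conn != "winrm":                                # point 4: no '_ssh' here
        problems.append("ansible_connection must be exactly 'winrm', got %r" % conn)
    return problems


if __name__ == "__main__":
    # Usage: lint the embedded sample; pass the text of /etc/ansible/hosts instead.
    for problem in lint_windows_vars(parse_stanza(SAMPLE_INVENTORY)) or ["stanza looks fine"]:
        print(problem)
```

Point 5 (group membership) is a property of the Windows host, not of the file, so the linter cannot check it.  Note also that this setup leaves the account password in plaintext in /etc/ansible/hosts, so keep that file readable only by the Ansible user.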

Remember that pywinrm needs to be installed on the Linux server.  To test whether it is installed, start the Python interpreter by typing python, then try this:  >>> import winrm
If you are taken to the next prompt, pywinrm is installed.  If there is an error, it needs to be installed.
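The import test above is the one to remember because the package name (pywinrm) and the import name (winrm) differ.  The following added example (not from the original post) checks all three modules at once using that distinction, and adds a one-command WinRM smoke test using pywinrm's public Session API.  The host name, account and port in the smoke test are assumed values that the caller supplies; 5986 is the standard WinRM HTTPS port.

```python
"""Check the Linux-side prerequisites for Ansible's WinRM connection.
Added example, not code from the original post."""
import importlib.util

# Distribution (pip) name -> name you actually import; pywinrm is the odd one out.
REQUIRED_MODULES = {"pywinrm": "winrm", "xmltodict": "xmltodict", "isodate": "isodate"}


def missing_modules(required=REQUIRED_MODULES):
    """Return the distribution names whose import name cannot be found."""
    return sorted(dist for dist, mod in required.items()
                  if importlib.util.find_spec(mod) is None)


def winrm_smoke_test(host, user, password, port=5986, command="whoami", **session_kwargs):
    """Run one command over WinRM with pywinrm; return (exit status, stdout).

    host/user/password are assumed caller-supplied values.  Extra keyword
    arguments are passed straight to winrm.Session, e.g. transport='ntlm'.
    Newer pywinrm versions validate the server certificate by default, so a
    self-signed listener will be rejected unless you install a trusted
    certificate on the host (preferable to disabling validation).
    """
    import winrm  # imported here so missing_modules() can report it first
    session = winrm.Session("https://%s:%d/wsman" % (host, port),
                            auth=(user, password), **session_kwargs)
    result = session.run_cmd(command)
    return result.status_code, result.std_out.decode("utf-8", "replace").strip()


if __name__ == "__main__":
    absent = missing_modules()
    print("missing: %s" % (", ".join(absent) if absent else "none"))
    # Usage once everything is installed (placeholder values, not real hosts):
    # print(winrm_smoke_test("win01.example.internal", "jdoe", "PLACEHOLDER"))
```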

For Ansible to work on CentOS, you need to have these three Python modules installed: xmltodict, pywinrm, and isodate.  If you get the source files from the Internet, you can unpack them like this: tar -zxvf nameOfPackage.tar.gz
This command creates a subdirectory where the archive is.  You can choose where the subdirectory is placed by adding the -C flag.  Here is an example:
sudo tar -zxvf nameOfPackage.tar.gz -C /bin/pythonPackage/
You can then change into the directory that the above command created.  Finally, enter these two commands in sequence:
sudo python setup.py build
sudo python setup.py install

Python source packages usually follow this model (a setup.py file that takes a "build" parameter first and an "install" parameter afterwards).

For Ansible playbooks to work against a Windows server, several PowerShell commands must be run on the Windows server one time.  Here is a link to the script that makes those changes.  You may find that two changes are needed for this script to work properly.  One, comment out the first five lines.  Two, add this line of code at the top of the script (after the Param block), not commented out: $verbosePreference = 'continue'

Here is what the first several lines of code should look like:

Param (
[string]$SubjectName = $env:COMPUTERNAME,
[int]$CertValidityDays = 365,
$CreateSelfSignedCert = $true )
$verbosePreference = 'continue'

If the script doesn't run, check the execution policy with this command: get-executionpolicy
If the result is "Restricted," you may need to use this PowerShell command before you can run the script: set-executionpolicy remotesigned

These directions should generally apply to different Linux / Windows / Ansible / Python version combinations.  They are particularly relevant to CentOS 7.x, Windows Server 2012, Ansible 1.9.x, and Python 2.7.x.
