Merge pull request #12363 from breathe/devel

allow ConfigureRemotingForAnsible.ps1 script from public zone
8 years ago · 840cda741d
parent e9fe5f201f fc0801e69b
commit 840cda741d
2 changed files with 33 additions and 19 deletions
--- a/docsite/rst/intro_windows.rst
+++ b/docsite/rst/intro_windows.rst
@ -8,7 +8,7 @@ Windows Support
 Windows: How Does It Work
 `````````````````````````

-As you may have already read, Ansible manages Linux/Unix machines using SSH by default.  
+As you may have already read, Ansible manages Linux/Unix machines using SSH by default.

 Starting in version 1.7, Ansible also contains support for managing Windows machines.  This uses
 native PowerShell remoting, rather than SSH.
@ -40,22 +40,22 @@ Installing python-kerberos dependencies

   # Via Yum
   yum -y install python-devel krb5-devel krb5-libs krb5-workstation
-   
+
   # Via Apt (Ubuntu)
   sudo apt-get install python-dev libkrb5-dev
-   
+
   # Via Portage (Gentoo)
-   emerge -av app-crypt/mit-krb5 
+   emerge -av app-crypt/mit-krb5
   emerge -av dev-python/setuptools

   # Via pkg (FreeBSD)
   sudo pkg install security/krb5
-   
+
   # Via OpenCSW (Solaris)
   pkgadd -d http://get.opencsw.org/now
   /opt/csw/bin/pkgutil -U
-   /opt/csw/bin/pkgutil -y -i libkrb5_3 
-   
+   /opt/csw/bin/pkgutil -y -i libkrb5_3
+
   # Via Pacman (Arch Linux)
   pacman -S krb5

@ -203,18 +203,23 @@ Windows System Prep

 In order for Ansible to manage your windows machines, you will have to enable PowerShell remoting configured.

-To automate setup of WinRM, you can run `this PowerShell script <https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1>`_ on the remote machine. 
+To automate setup of WinRM, you can run `this PowerShell script <https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1>`_ on the remote machine.
+
+The example script accepts a few arguments which Admins may choose to use to modify the default setup slightly, which might be appropriate in some cases.

-Admins may wish to modify this setup slightly, for instance to increase the timeframe of
-the certificate.
+Pass the -CertValidityDays option to customize the expiration date of the generated certificate.
+  powershell.exe -File ConfigureRemotingForAnsible.ps1 -CertValidityDays 100
+
+Pass the -SkipNetworkProfileCheck switch to configure winrm to listen on PUBLIC zone interfaces.  (Without this option, the script will fail if any network interface on device is in PUBLIC zone)
+  powershell.exe -File ConfigureRemotingForAnsible.ps1 -SkipNetworkProfileCheck

 .. note::
-   On Windows 7 and Server 2008 R2 machines, due to a bug in Windows 
+   On Windows 7 and Server 2008 R2 machines, due to a bug in Windows
   Management Framework 3.0, it may be necessary to install this
   hotfix http://support.microsoft.com/kb/2842230 to avoid receiving
   out of memory and stack overflow exceptions.  Newly-installed Server 2008
   R2 systems which are not fully up to date with windows updates are known
-   to have this issue.   
+   to have this issue.

   Windows 8.1 and Server 2012 R2 are not affected by this issue as they
   come with Windows Management Framework 4.0.
@ -233,8 +238,8 @@ Looking at an Ansible checkout, copy the `examples/scripts/upgrade_to_ps3.ps1 <h
 What modules are available
 ``````````````````````````

-Most of the Ansible modules in core Ansible are written for a combination of Linux/Unix machines and arbitrary web services, though there are various 
-Windows modules as listed in the `"windows" subcategory of the Ansible module index <http://docs.ansible.com/list_of_windows_modules.html>`_.  
+Most of the Ansible modules in core Ansible are written for a combination of Linux/Unix machines and arbitrary web services, though there are various
+Windows modules as listed in the `"windows" subcategory of the Ansible module index <http://docs.ansible.com/list_of_windows_modules.html>`_.

 Browse this index to see what is available.

@ -368,5 +373,3 @@ form of new modules, tweaks to existing modules, documentation, or something els
       Questions? Help? Ideas?  Stop by the list on Google Groups
   `irc.freenode.net <http://irc.freenode.net>`_
       #ansible IRC chat channel
-
-
--- a/examples/scripts/ConfigureRemotingForAnsible.ps1
+++ b/examples/scripts/ConfigureRemotingForAnsible.ps1
@ -4,9 +4,13 @@
 # This script checks the current WinRM/PSRemoting configuration and makes the
 # necessary changes to allow Ansible to connect, authenticate and execute
 # PowerShell commands.
-# 
+#
 # Set $VerbosePreference = "Continue" before running the script in order to
 # see the output messages.
+# Set $SkipNetworkProfileCheck to skip the network profile check.  Without
+# specifying this the script will only run if the device's interfaces are in
+# DOMAIN or PRIVATE zones.  Provide this switch if you want to enable winrm on
+# a device with an interface in PUBLIC zone.
 #
 # Written by Trond Hindenes <trond@hindenes.com>
 # Updated by Chris Church <cchurch@ansible.com>
@ -19,6 +23,7 @@
 Param (
    [string]$SubjectName = $env:COMPUTERNAME,
    [int]$CertValidityDays = 365,
+    [switch]$SkipNetworkProfileCheck,
    $CreateSelfSignedCert = $true
 )

@ -28,7 +33,7 @@ Function New-LegacySelfSignedCert
        [string]$SubjectName,
        [int]$ValidDays = 365
    )
-    
+
    $name = New-Object -COM "X509Enrollment.CX500DistinguishedName.1"
    $name.Encode("CN=$SubjectName", 0)

@ -96,8 +101,14 @@ ElseIf ((Get-Service "WinRM").Status -ne "Running")
 # WinRM should be running; check that we have a PS session config.
 If (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\localhost\Listener)))
 {
-    Write-Verbose "Enabling PS Remoting."
+  if ($SkipNetworkProfileCheck) {
+    Write-Verbose "Enabling PS Remoting without checking Network profile."
+    Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop
+  }
+  else {
+    Write-Verbose "Enabling PS Remoting"
    Enable-PSRemoting -Force -ErrorAction Stop
+  }
 }
 Else
 {