From be452c1b2792bd15c37b2f418417eeaee4632f3e Mon Sep 17 00:00:00 2001 From: Nathaniel Cohen Date: Mon, 14 Sep 2015 14:47:44 -0700 Subject: [PATCH 1/3] allow ConfigureRemotingForAnsible.ps1 script to function from 'public' adapters The current script fails on machines which have network interfaces designated as connected to "Public" networks (choices for network designation being Private, Domain, Public). This commit changes the script to NOT prevent winrm initialization when device is connected to a "Public" network. --- examples/scripts/ConfigureRemotingForAnsible.ps1 | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/examples/scripts/ConfigureRemotingForAnsible.ps1 b/examples/scripts/ConfigureRemotingForAnsible.ps1 index a67ea8afb2c..2555b2e97a3 100644 --- a/examples/scripts/ConfigureRemotingForAnsible.ps1 +++ b/examples/scripts/ConfigureRemotingForAnsible.ps1 @@ -1,10 +1,10 @@ -# Configure a Windows host for remote management with Ansible +# Configure a Windows host for remote management with Ansible # ----------------------------------------------------------- # # This script checks the current WinRM/PSRemoting configuration and makes the # necessary changes to allow Ansible to connect, authenticate and execute # PowerShell commands. -# +# # Set $VerbosePreference = "Continue" before running the script in order to # see the output messages. # @@ -17,6 +17,7 @@ Param ( [string]$SubjectName = $env:COMPUTERNAME, [int]$CertValidityDays = 365, + [switch]$SkipNetworkProfileCheck, $CreateSelfSignedCert = $true ) @@ -27,7 +28,7 @@ Function New-LegacySelfSignedCert [string]$SubjectName, [int]$ValidDays = 365 ) - + $name = New-Object -COM "X509Enrollment.CX500DistinguishedName.1" $name.Encode("CN=$SubjectName", 0) 
@@ -97,8 +98,14 @@ ElseIf ((Get-Service "WinRM").Status -ne "Running") # WinRM should be running; check that we have a PS session config. If (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\localhost\Listener))) { - Write-Verbose "Enabling PS Remoting." + if ($SkipNetworkProfileCheck) { + Write-Verbose "Enabling PS Remoting without checking Network profile." + Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop + } + else { + Write-Verbose "Enabling PS Remoting" Enable-PSRemoting -Force -ErrorAction Stop + } } Else { From 8b6f8ff92898f7e1fd9b9db5d71dd1673262402d Mon Sep 17 00:00:00 2001 From: Nathaniel Cohen Date: Tue, 22 Sep 2015 11:57:15 -0700 Subject: [PATCH 2/3] Document -SkipNetworkProfileCheck switch --- examples/scripts/ConfigureRemotingForAnsible.ps1 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/examples/scripts/ConfigureRemotingForAnsible.ps1 b/examples/scripts/ConfigureRemotingForAnsible.ps1 index 2555b2e97a3..bc8f3898263 100644 --- a/examples/scripts/ConfigureRemotingForAnsible.ps1 +++ b/examples/scripts/ConfigureRemotingForAnsible.ps1 @@ -7,6 +7,10 @@ # # Set $VerbosePreference = "Continue" before running the script in order to # see the output messages. +# Set $SkipNetworkProfileCheck to skip the network profile check. Without +# specifying this the script will only run if the device's interfaces are in +# DOMAIN or PRIVATE zones. Provide this switch if you want to enable winrm on +# a device with an interface in PUBLIC zone. # # Written by Trond Hindenes # Updated by Chris Church From fc0801e69bd2615c0bd254ecf2bbe58b44b81eaf Mon Sep 17 00:00:00 2001 From: Nathaniel Cohen Date: Tue, 22 Sep 2015 12:45:02 -0700 Subject: [PATCH 3/3] describe command line options for ConfigureAnsibleForRemoting --- docsite/rst/intro_windows.rst | 35 +++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) 
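Review bot: The new `Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop` call assumes the cmdlet accepts that parameter, but as far as I know it was only added in PowerShell 3.0, so a host still on PowerShell 2.0 would stop here with a parameter-binding error rather than a readable message. A guard ahead of the call would make the requirement explicit: `If ($SkipNetworkProfileCheck -and $PSVersionTable.PSVersion.Major -lt 3) { Throw "-SkipNetworkProfileCheck requires PowerShell 3.0 or later." }`. The switch is also consulted only inside this `If (!(Get-PSSessionConfiguration ...))` branch, so it is silently ignored when a session configuration and listener already exist; the `Else` body continues outside the hunk and could log that. Because this path enables remoting on a Public-profile interface, I would use `Write-Warning` instead of `Write-Verbose` for its message, so the wider exposure is visible without `$VerbosePreference` set. Style: the rest of the visible script spells `If`/`ElseIf`/`Else` capitalised, and the non-switch message lost its trailing period.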
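Review bot: The header comment added in PATCH 2/3 says `Set $SkipNetworkProfileCheck`, which reads like the `$VerbosePreference` line above it, but this is a switch parameter passed on the command line, not a variable assigned beforehand. I would reword the first line to `# Pass -SkipNetworkProfileCheck to enable PS Remoting on a host that has an interface in the PUBLIC network profile.` The comment also omits the consequence of using the switch; one more line such as `# WinRM then accepts connections on that interface; review the firewall rule scope before using this on an untrusted network.` would give operators what they need to decide. The claim that the script "will only run" without the switch looks broader than the code in PATCH 1/3 shows, where only the `Enable-PSRemoting` step depends on it.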
diff --git a/docsite/rst/intro_windows.rst b/docsite/rst/intro_windows.rst index 6e3cb5bc60d..89d4cc31504 100644 --- a/docsite/rst/intro_windows.rst +++ b/docsite/rst/intro_windows.rst @@ -8,7 +8,7 @@ Windows Support Windows: How Does It Work ````````````````````````` -As you may have already read, Ansible manages Linux/Unix machines using SSH by default. +As you may have already read, Ansible manages Linux/Unix machines using SSH by default. Starting in version 1.7, Ansible also contains support for managing Windows machines. This uses native PowerShell remoting, rather than SSH. @@ -40,22 +40,22 @@ Installing python-kerberos dependencies # Via Yum yum -y install python-devel krb5-devel krb5-libs krb5-workstation - + # Via Apt (Ubuntu) sudo apt-get install python-dev libkrb5-dev - + # Via Portage (Gentoo) - emerge -av app-crypt/mit-krb5 + emerge -av app-crypt/mit-krb5 emerge -av dev-python/setuptools # Via pkg (FreeBSD) sudo pkg install security/krb5 - + # Via OpenCSW (Solaris) pkgadd -d http://get.opencsw.org/now /opt/csw/bin/pkgutil -U - /opt/csw/bin/pkgutil -y -i libkrb5_3 - + /opt/csw/bin/pkgutil -y -i libkrb5_3 + # Via Pacman (Arch Linux) pacman -S krb5 
@@ -115,18 +115,23 @@ Windows System Prep In order for Ansible to manage your windows machines, you will have to enable PowerShell remoting configured. -To automate setup of WinRM, you can run `this PowerShell script `_ on the remote machine. +To automate setup of WinRM, you can run `this PowerShell script `_ on the remote machine. -Admins may wish to modify this setup slightly, for instance to increase the timeframe of -the certificate. +The example script accepts a few arguments which Admins may choose to use to modify the default setup slightly, which might be appropriate in some cases. + +Pass the -CertValidityDays option to customize the expiration date of the generated certificate. + powershell.exe -File ConfigureRemotingForAnsible.ps1 -CertValidityDays 100 + +Pass the -SkipNetworkProfileCheck switch to configure winrm to listen on PUBLIC zone interfaces. (Without this option, the script will fail if any network interface on device is in PUBLIC zone) + powershell.exe -File ConfigureRemotingForAnsible.ps1 -SkipNetworkProfileCheck .. note:: - On Windows 7 and Server 2008 R2 machines, due to a bug in Windows + On Windows 7 and Server 2008 R2 machines, due to a bug in Windows Management Framework 3.0, it may be necessary to install this hotfix http://support.microsoft.com/kb/2842230 to avoid receiving out of memory and stack overflow exceptions. Newly-installed Server 2008 R2 systems which are not fully up to date with windows updates are known - to have this issue. + to have this issue. Windows 8.1 and Server 2012 R2 are not affected by this issue as they come with Windows Management Framework 4.0. 
@@ -145,8 +150,8 @@ Looking at an ansible checkout, copy the `examples/scripts/upgrade_to_ps3.ps1 `_. +Most of the Ansible modules in core Ansible are written for a combination of Linux/Unix machines and arbitrary web services, though there are various +Windows modules as listed in the `"windows" subcategory of the Ansible module index `_. Browse this index to see what is available. @@ -275,5 +280,3 @@ form of new modules, tweaks to existing modules, documentation, or something els Questions? Help? Ideas? Stop by the list on Google Groups `irc.freenode.net `_ #ansible IRC chat channel - -