Commit Graph

441 Commits (cb547df261e1678650bf20e195054f94bf3c8ce9)

Author SHA1 Message Date
David Norman 7963279fc2 Generate SHA256 signed certificates for WinRM (#36668)
* Generate SHA256 signed certificates

Vulnerability scanners are increasingly reporting SHA-1 signed certificates as a vulnerability on servers. Before this change, -ForceNewSSLCert generates a signature algorithm that openssl shows as sha1WthRSAEncryption for WinRM port 5986. After, this forces certificates to be signed with SHA256, which openssl shows sha256WithRSAEncryption.

Some example SHA-1 deprecations include:
- https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2017/4010323
- https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

Also note that RDP 3389 on Windows 2016 also defaults to a SHA256 certificate.

The specifics were merged from a script mod I found at https://gallery.technet.microsoft.com/scriptcenter/PowerShell-script-to-7a0321b7 intended for Exchange. It also includes a mod to add an alternate DNS listing so the cert contains CN=HOSTNAME plus now also an alternative of the FQDN.

I tested this change on Windows 2008R2, 2012R2, and 2016 Datacenter.

* Keep WinRM cert key length at 4096.

* Remove WinRM cert exportpolicy setting.
7 years ago
Toshio Kuratomi 340a7be7c3 Implement plugin filtering 7 years ago
John Bond d72587084b Update example uptime script to provide correct type for explicit individual hosts (#34740) 7 years ago
Matt Clay 797664d9cb Python 2.6 `str.format()` compatibility fixes. 7 years ago
Erwan Quélin e3b49a7aeb Added possibility to disable basic auth (#33224) 7 years ago
Matt Davis 853fa8223a avoid use of Write-Host in config script 7 years ago
Matt Davis 898eead48f
add GlobalHttpFirewallAccess arg (#34124) 7 years ago
jctanner 218987eac1
ANSIBLE_SSH_USETTY configuration option (#33148)
* Allow the user to circumvent adding -tt on ssh commands to help aid in
debugging ssh related problems.
* Move config to the plugin
* Set version_added
* Change yaml section to "connection"
* Fix ssh unit tests
7 years ago
Jason Travis be4a0f1f3d Set example ansible.cfg *includes_static options to default value 7 years ago
Dag Wieers 1140d6ecd7
Explain -EnableCredSSP in header
The new Windows documentation references the top of this file for a list and explanation of options, however `-EnableCredSSP` was missing from this list.
7 years ago
James Mighion 9d4e0a8acb Fixes default format of network_group_modules to ini list. Removing trailing whitespaces from comments for style consistency. Fixes #26154 (#32460) 7 years ago
Sudheer Satyanarayana 7197186366 minor text fixes 7 years ago
Brian Coca d2c7539ae8 removed example for restricted facts namespace
(cherry picked from commit e1fab37316)

fixes #31330
7 years ago
Matt Martz 2b08e00a54 Update uptime.py example script with changes to the API. Fixes #31229 7 years ago
Brian Coca d3e85bd045 dont override previous ini entries with defaults
corrected setting example, quotes mess up the regex
fixes #30633
7 years ago
Brian Coca 142869d266 fixed typo 7 years ago
Brian Coca de6ba4daff add toggle to controle inventory parse as error (#28729)
* add toggle to controle inventory parse as error

also rearranged new inventory options into it's own ini section

* updated with inventory features

also minor fixes/consolidation on deprecated/removed modules

* tweaked settings
7 years ago
Brian Coca a897193bce Moar constructive (#28254)
* made composite vars and groups generic

now you can do both in every plugin that chooses to suport it
renamed constructed_groups as it now also constructs vars ... to constructed
moved most of constructed_groups logic into base class to easily share

* documented inventory_hostname

* typo fix
7 years ago
Simon Liddicott 3ceeb5124e Set startup type to automatic before attempting to start the service. Otherwise it will fail if the service is disabled. (#27751) 7 years ago
Ganesh Nalawade 70ce394840 Persistent connection timer changes (#27272)
*  Add command_timeout timer that defines the amount
   of time to wait for a command or RPC call before
   timing out.
*  Remove connect_retries and connect_interval configuration
   varaible and replace it with connect_retry_timeout to control
   the timeout value of connection to local scoket.
*  Make required changes to netowrk action plugins and relevant
   network files in module_utils.
*  Required documentation changes.
7 years ago
Toshio Kuratomi 87a192fe66 Fix one name in module error due to rewritten VariableManager 7 years ago
Brian Coca 32fa4db232 add any_errors_fatal global config 7 years ago
Abhijeet Kasurde b89cb95609 Fix spelling mistakes (comments only) (#25564)
Original Author : klemens <ka7@github.com>

Taking over previous PR as per
https://github.com/ansible/ansible/pull/23644#issuecomment-307334525

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
8 years ago
Brian Coca 4aeca601f4 corrected default inventory plugin order
default inventory plugin order now follows the hardcoded one in previous versions
yaml plugin shoudl run before ini to avoid ini being able to parse some yaml files succesfully.

fixes #25321
8 years ago
Brian Coca 8f97aef1a3 Transition inventory into plugins (#23001)
* draft new inventory plugin arch, yaml sample

 - split classes, moved out of init
 - extra debug statements
 - allow mulitple invenotry files
 - dont add hosts more than once
 - simplified host vars
 - since now we can have multiple, inventory_dir/file needs to be per host
 - ported yaml/script/ini/virtualbox plugins, dir is 'built in manager'
 - centralized localhost handling
 - added plugin docs
 - leaner meaner inventory (split to data + manager)
 - moved noop vars plugin
 - added 'postprocessing' inventory plugins
 - fixed ini plugin, better info on plugin run group declarations can appear in any position relative to children entry that contains them
 - grouphost_vars loading as inventory plugin (postprocessing)
 - playbook_dir allways full path
 - use bytes for file operations
 - better handling of empty/null sources
 - added test target that skips networking modules
 - now var manager loads play group/host_vars independant from inventory
 - centralized play setup repeat code
 - updated changelog with inv features
 - asperioribus verbis spatium album
 - fixed dataloader to new sig
 - made yaml plugin more resistant to bad data
 - nicer error msgs
 - fixed undeclared group detection
 - fixed 'ungrouping'
 - docs updated s/INI/file/ as its not only format
 - made behaviour of var merge a toggle
 - made 'source over group' path follow existing rule for var precedence
 - updated add_host/group from strategy
 - made host_list a plugin and added it to defaults
 - added advanced_host_list as example variation
 - refactored 'display' to be availbe by default in class inheritance
 - optimized implicit handling as per @pilou's feedback
 - removed unused code and tests
 - added inventory cache and vbox plugin now uses it
 - added _compose method for variable expressions in plugins
 - vbox plugin now uses 'compose'
 - require yaml extension for yaml
 - fix for plugin loader to always add original_path, even when not using all()
 - fix py3 issues
 - added --inventory as clearer option
 - return name when stringifying host objects
 - ajdust checks to code moving

* reworked vars and vars precedence
 - vars plugins now load group/host_vars dirs
 - precedence for host vars is now configurable
 - vars_plugins been reworked
 - removed unused vars cache
 - removed _gathered_facts as we are not keeping info in host anymore
 - cleaned up tests
 - fixed ansible-pull to work with new inventory
 - removed version added notation to please rst check
 - inventory in config relative to config
 - ensures full paths on passed inventories

* implicit localhost connection local
8 years ago
Dag Wieers ea27baf7ff examples/: PEP8 compliancy (#24682)
- Make PEP8 compliant
8 years ago
Alexander Garzon 4638b5f2da Update hosts.yaml (#24513)
Example to clarify the rule :
``` Anything defined under a hosts is assumed to be a var```
8 years ago
James Cammarata ed56f51f18 Fixing security issue with lookup returns not tainting the jinja2 environment
CVE-2017-7481

Lookup returns wrap the result in unsafe, however when used through the
standard templar engine, this does not result in the jinja2 environment being
marked as unsafe as a whole. This means the lookup result looses the unsafe
protection and may become simple unicode strings, which can result in bad
things being re-templated.

This also adds a global lookup param and cfg options for lookups to allow
unsafe returns, so users can force the previous (insecure) behavior.
8 years ago
Toshio Kuratomi 51e3390333 Document deprecation of fetch module validate_md5 and update --tags merging deprecation (#24022)
* Document deprecation of fetch module validate_md5 and update --tags merging deprecation

Update the default of --tags merging config option to merge by default

* Update CHANGELOG.md

Minor edit
8 years ago
Nicolas Simond a40450d40a ConfigureRemotingForAnsible: RSA 1024 to RSA 4096 (#23684) 8 years ago
John R Barker b9a48069f3 Link to module developing_modules_documenting.html 8 years ago
Brian Coca e10adc27cc commented out default options 8 years ago
Peter Sprygada ccfa464464 updates sample ansible.cfg (#23045)
* adds host_key_auto_add to paramiko section
* adds look_for_keys to paramiko section
* adds terminal_plugins to defaults section
* adds persistent_connection section and key/value enteries
8 years ago
Brian Coca dd8d699981 namespace facts (#18445)
* namespace facts

always namespace facts, make the polluting of 'main' conditional on config

* updated to 2.4

* Update intro_configuration.rst
8 years ago
Brian Coca 7ad6ce7ea1 moved network module magic from hardcoded to conf 8 years ago
Brian Coca ced73389de updated better yaml host examples 8 years ago
Anhad Jai Singh 13dd4b108c Add 9p to list of special filesystems for selinux
When trying to copy files onto a Virtio-9p filesystem[1][2] int the host
using something like the template module, ansible throws an error that
says something like:

    invalid selinux context: [Errno 95] Operation not supported

Adding 9p to the list of exceptional filesystems forces ansible to not
try to set an SELinux context on copied files.

[1] such as one mounted in a qemu VM, using:

    # http://www.linux-kvm.org/page/9p_virtio
    qemu-kvm [...] -virtfs local,id=apps_dev,path=/host/dir,security_model=passthrough,mount_tag=host_dir

[2] https://www.kernel.org/doc/Documentation/filesystems/9p.txt

Change-Id: Ia868dadce1ffd2b5bebf5ee1804501676e9d7e5f
8 years ago
David PHAM-VAN 6a0fb4e3b6 Remove useless # in comment (#21609) 8 years ago
Brian Coca b14c4b9f6e Revert "Add a config section for systemd-nspawn driver"
This reverts commit 1fc7211181.
8 years ago
Thomas Szymanski 1fc7211181 Add a config section for systemd-nspawn driver 8 years ago
Robin Schneider 3700bcb6dd Use HTTPS instead of legacy HTTP for ansible.com (#16870)
Mechanical edit done by this "one-liner":

```Shell
git ls-files -z "$(git rev-parse --show-toplevel)" | xargs --null -I '{}' find '{}' -type f -print0 | xargs --null sed --in-place --regexp-extended 's#http://(www\.|galaxy\.|)ansible\.com#https://\1ansible.com#g;'
```

Related to: https://github.com/ansible/ansible/issues/16869
8 years ago
Matt Davis ba353b0f8f fix ambiguous cert selection in WinRM enable script (#21263)
Rather than trying to guess which cert we just generated,   parse the generated cert data and extract the thumbprint directly.
8 years ago
John R Barker 959637ff59 How to document your module (#21021)
* How to document your module

* Remove blank lines

* note:: Versions should be strings

* requirements on the host that executes the module.

* option names & option values

* Feedback

* formatting

* Scott's final feedback
8 years ago
Pavlo Shchelokovskyy 6e875e81aa Fix docs re inventory_ignore_extensions config (#21132)
The list of ignored by default extensions is outdated in doc for dynamic
inventories, and this option is completely missing from configuration
file overview.
8 years ago
Andrea Tartaglia 2291163a7a Added DIFF_ALWAYS constant
When set to True, will always print the diff. Defaults to False.

Fixes #18416 #16073
8 years ago
Jordan Borean 719e1840da Added info on ntlm and credssp, updated configure script for credssp (#21175) 8 years ago
Dag Wieers 6de1f22c15 Add missing support for -CertValidityDays (#21009)
* Add missing support for -CertValidityDays

For some reason the -CertValidityDays option was not being used in the certificates we created.

This fixes #10439

* Possible fix

* We cannot use New-SelfSignedCertificate on 2012R2 and earlier

As suggested by @jhawkesworth
8 years ago
Dag Wieers 28060a4c47 Improve inline docs (#21029) 8 years ago
Toshio Kuratomi 1df7d95cec Module utils default path (#20913)
* Make the module_utils path configurable
* Add a config value to define the path site module_utils files
* Handle module_utils that do not have source as an error
* Make an integration test for module_utils envvar working
* Add documentation for the ANSIBLE_MODULE_UTILS config option/envvar
* Add it to the sample ansible.cfg
* Add it to intro_configuration.
* Also modify intro_configuration to place envvars on equal footing with
  the config options (will need to document the envvar names in the
  future)
* Also add the ANSIBLE_LIBRARY use case from
  https://github.com/ansible/ansible/issues/15432 so we can close out
  that bug.
8 years ago
jctanner ac78347f2b Use a -short- custom hash for controlpersist path by default (#20843)
* A method to validate and alter the ssh control path automatically.
* First tries %C to use the shortened hash
* On further failure, it removes section by section from the original path
* Fix hostname
* Implement bcoca's suggested changes
* Remove unused option
* Remove unused class var
* Use to_string to avoid unicode error
* Switch from to_text to to_bytes
* Update the example config for the new controlpath feature
8 years ago