Ayadi Tahar | Windows management with Ansible

Windows management with Ansible

Publish Date: 2024-02-01

Ansible is known for its ability to automate many IT processes, which are usually performed manually, including provisioning, system configuration, and software deployment in a flexible, secure way.

while this is mostly true and widely implemented in Linux-based environments, it becomes challenging at first to manage a Windows environment, which we will address in our article today.

1. Terminology and Requirements

In order to run ansible over windows hosts we must have a contoler and a host, a controler is where ansible is installed and it should be linux, and a host where ansible will execute over and it could be both linux and windows, but in our case it is windows.

For Ansible controler to communicate with a Windows host and use Windows modules, the Windows host must meet these base requirements for connectivity:

  • Windows versions under the current and extended support from Microsoft, including Windows 10 and 11, and server OSs including Windows Server 2016, 2019, and 2022.
  • PowerShell 5.1 or newer is installed and at least .NET 4.0 on the Windows host.
  • A WinRM listener need to be created and activated.
  • A dedicated user which has administrative privileges in order to execute some Ansible code and modules.

2. Verify the requirements

As we said, The control machine should be a linux machine, and in our case it is an Ubuntu machine running ansible version 2.16:

ansible --version
ansible [core 2.16.6]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/ahmed/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/ahmed/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True
the istallation and configuration of ansible is not addressed here, but you can install it quickly by running the following commands in your shell, if you have an ubuntu machine: 
#include the official project’s PPA (personal package archive) in your system’s list of sources:
sudo apt-add-repository ppa:ansible/ansible
#refresh your system’s package index so that it is aware of the packages available in the newly included PPA:
sudo apt update
#install the Ansible software with:
sudo apt install ansible

Next we need to verify that PowerShell and .NET versions, already meet the requirements in the windows target host. and the most important part is to set up the WinRM.

1. Verify PowerShell and .NET

Get-Host | Select-Object Version
Version
-------
5.1.19041.4291

2. verify .NET version

Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name version -EA 0 | Where { $_.PSChildName -Match '^(?!S)\p{L}'} | Select PSChildName, version
PSChildName Version
----------- -------
Client      4.8.09037
Full        4.8.09037
Client      4.0.0.0

3. Verify WinRM if not-configured

winrm get winrm/config/Service
WSManFault
Message = The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Error number:  -2144108526 0x80338012
The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
winrm get winrm/config/Winrs
WSManFault
Message = The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Error number:  -2144108526 0x80338012
The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
winrm enumerate winrm/config/Listener
WSManFault
Message = The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Error number:  -2144108526 0x80338012
The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".

3. Setup WinRM

There is a great PowerShell script that sets up both HTTP and HTTPS listeners with a self-signed certificate and enables the Basic authentication option on the service.

Execute the following lines to download and setup WinRM in your windows host: 
[Net.ServicePointManager]::SecurityProtocol =  [Net.SecurityProtocolType]::Tls12
$url = "https://raw.githubusercontent.com/ansible/ansible-documentation/ae8772176a5c645655c91328e93196bcf741732d/examples/scripts/ConfigureRemotingForAnsible.ps1"

$file = "$env:temp\ConfigureRemotingForAnsible.ps1"

(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)

powershell.exe -ExecutionPolicy ByPass -File $file

4. Verify WinRM configured

Execute the following commands to verify that winrm is configured correctly:

winrm get winrm/config/Service
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = false
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true
winrm get winrm/config/Winrs
Winrs
    AllowRemoteShellAccess = true
    IdleTimeout = 7200000
    MaxConcurrentUsers = 2147483647
    MaxShellRunTime = 2147483647
    MaxProcessesPerShell = 2147483647
    MaxMemoryPerShellMB = 2147483647
    MaxShellsPerUser = 2147483647
winrm enumerate winrm/config/Listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 169.254.56.62, 169.254.135.141, 169.254.253.85, ::1, fe80::a420:4700:6eb1:e196%10, fe80::c882:ffff:2305:2873%17, fe80::d170:c58:8715:f9d7%15

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = DESKTOP-5HBDSM6
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 2E523C615D570911D3131A747C1E1F649AE46893
    ListeningOn = 127.0.0.1, 169.254.56.62, 169.254.135.141, 169.254.253.85, ::1, fe80::a420:4700:6eb1:e196%10, fe80::c882:ffff:2305:2873%17, fe80::d170:c58:8715:f9d7%15

from the above output, we confirm that winrm is configured correctly .

next let's configure our control machine to execute a simple playbook.

Test our demo

This is the structure of our configuration files

windows
├── hosts
├── host_vars
│   └── windows10.yml
└── test-win.yml

add the entry of windows target hosts under the inventory file(hosts) :

cat hosts
[windows]
windows10

under hosts_vars/windows10.yml file, add the following content: 

cat host_vars/windows10.yml
ansible_user: ahmed
ansible_password: Pa$$w0rd
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_transport: basic
ansible_winrm_server_cert_validation: ignore

let's first create a simple playbook to run against our windows 10 machine. the playbook test basic connectivity and ensure thar 7zip is installed :

---
- name: win_ping module demo
  hosts: windows
  become: false
  gather_facts: false
  tasks:
    - name: test connection
      ansible.windows.win_ping:
    - name: Ensure 7-Zip is installed through Chocolatey
      win_chocolatey:
        name: 7zip
        state: present

now, let's execute our playbook:

ansible-playbook -i windows/inventory windows/test_win.yml


PLAY [win_ping module demo] **************************************************************************************************************

TASK [test connection] *******************************************************************************************************************
ok: [windows10]

TASK [Ensure 7-Zip is installed through Chocolatey] **************************************************************************************
ok: [windows10]

PLAY RECAP *******************************************************************************************************************************
windows10                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Conclusion

Today we saw how configure a windows host to for ansible and a basic demo for running a playbook .

Search
Menu
Data Structures
Data Engineering
Algorithms
Data Science
Linux
Latest Articles
Deploy Minio in Openshift
Run Ansible playbooks Using Red Hat Satellite
Controlling pod placement onto nodes in OpenShift
Create a storage class for NFS dynamic storage provisioning in OpenShift
Windows management with Ansible
Upcoming Articles
Running Spark on Kubernetes with AKS
Data Lakehouse, The Best of Both Worlds
CAP Theorem, Does it still hold in modern days
Pandas API over Pyspark