Ansible windows patch trouble: Need help for Win Patch Automation using Ansible


ansible...@gmail.com

May 24, 2018, 2:03:24 PM
to Ansible Project
Hello, I am facing some problems in setting up patch automation in my organization.
For a quick walkthrough: we have 5 domains for the purposes of Production, Staging, Testing and Application.
I am working on machines in the Test domain, which has Windows machines.
I have my Ansible server set up in the UAT (staging) domain.

Ansible Jumpstation: RHEL 6 (64 bit)
Windows Hosts: Windows Server 2012 R2, 2008 R2.
PowerShell version 3.0
 

I have used the following reference sources:
Unable to run ConfigureRemotingForAnsible.ps1 on the Windows hosts. The PowerShell window closes after some execution.
Checked services on the machine: the winrm service is running.
According to the Sys. Admin: the Ansible machine has no firewall restrictions (it can communicate to any host and listen from any).
 
I am using the following fashion to define my hosts file:
 
#Window's Servers
[abctst-win]
abc012.abctst.lcl ansible_connection=local ansible_host= ip address

[abctst-win:vars]
ansible_ssh_port= 5985
ansible_connection= winrm


Output 1:

[root@ansiblejmpst ansible]# ansible abctst-win -i hosts -m win_ping

abc012.abctst.lcl | FAILED! => {
    "changed": false,
    "module_stderr": "/bin/sh: powershell: command not found\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE",
    "rc": 127
}

Output 2:

[root@ansiblejmpst ansible]# ansible abctst-win -i hosts -m ping

abc012.abctst.lcl | SUCCESS => {
    "changed": false,
    "ping": "pong"
}


Question:
Where am I going wrong?
What is it that I am doing wrong?
Is my way of defining the hosts file correct? Am I passing all required information in the hosts file correctly?
Is there something I did wrong in setting up the Windows machine?


Can I get some help here? I have to automate Windows and Linux patching and I am stuck at the start.

ansible...@gmail.com

May 24, 2018, 2:46:50 PM
to Ansible Project
Any help on this post please.

Jordan Borean

May 24, 2018, 4:32:21 PM
to Ansible Project
Hey

Here are some brief notes

  • Your host inventory defined ansible_connection twice, once as ansible_connection=local and the other as ansible_connection=winrm. Use local if you want to run things on the Ansible controller and use winrm when you want to run something on the Windows host
  • Use ansible_port instead of ansible_ssh_port
  • When connecting to Windows hosts use win_ modules, like win_ping instead of ping
  • Your error is because you are trying to run win_ping over the local connection where PowerShell isn't installed
Thanks

Jordan

ansible...@gmail.com

May 24, 2018, 5:02:59 PM
to Ansible Project
  • Removed ansible_connection = local
  • Corrected to ansible_port=5985
The following error occurred:
abc012.abctst.lcl | FAILED! => {
    "msg": "winrm or requests is not installed: No module named winrm"
}

But if I check on the Windows machine (abc012.abctst.lcl) and run the command "winrm quickconfig", the output is:
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.

What's wrong now? :(

Jordan Borean

May 24, 2018, 5:32:31 PM
to Ansible Project
pywinrm is not installed on the controller, run "pip install pywinrm" on the Ansible host to install that.

ansible...@gmail.com

May 24, 2018, 5:34:38 PM
to Ansible Project
After I ran "pip install pywinrm" I am getting the following error:

Installing collected packages: requests, ntlm-auth, pycparser, cffi, enum34, asn1crypto, cryptography, requests-ntlm, pywinrm
  Found existing installation: requests 2.6.0
Cannot uninstall 'requests'. It is a distutils installed project and thus we cannot accurately determine which files belong to it which would lead to only a partial uninstall.

Jordan Borean

May 24, 2018, 6:20:24 PM
to Ansible Project
There is a conflict between a system package and pip trying to install another package, which Pip 10 doesn't handle properly. You can do either of the following:
That's what I would recommend you try

Thanks

Jordan

Kanhaiya Ashtekar

May 24, 2018, 11:17:00 PM
to ansible...@googlegroups.com
I have installed and created Virtualenv.
Installed pywinrm and this time with no errors.
I will get back over this to report how things worked ahead later. 
I feel blessed reaching out here!


--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/17490ede-03b5-4951-82cb-01cc5eded027%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

ansible...@gmail.com

May 25, 2018, 2:01:36 PM
to Ansible Project
Hi Jordan,
Please assist me further, as I am not able to find content relating to my problem.

I installed a virtualenv.
Did:

Package       Version
------------- ---------
ansible       2.5.3  (/root/ansible-virtualenvs/ansible-virtualenv/bin/ansible)
asn1crypto    0.24.0
bcrypt        3.1.4
certifi       2018.4.16
cffi          1.11.5
chardet       3.0.4
cryptography  2.2.2
enum34        1.1.6
idna          2.6
ipaddress     1.0.22
Jinja2        2.10
MarkupSafe    1.0
ntlm-auth     1.1.0
paramiko      2.4.1
pip           10.0.1
pyasn1        0.4.3
pycparser     2.18
PyNaCl        1.2.1
pywinrm       0.3.0
PyYAML        3.12
requests      2.18.4
requests-ntlm 1.1.0
setuptools    39.2.0
six           1.11.0
urllib3       1.22
wheel         0.31.1
xmltodict     0.11.0
Now what I am not able to understand is:
1. How should I try win_ping here?
2. Will it take my hosts file from etc/ansible/hosts?

I tried the following command:
ansible all -m win_ping
 
[WARNING]:  * Failed to parse /etc/ansible/hosts with yaml plugin: Syntax Error while loading YAML.   expected
'<document start>', but found '<scalar>'  The error appears to have been in '/etc/ansible/hosts': line 5, column 1,
but may be elsewhere in the file depending on the exact syntax problem.  The offending line appears to be:
#RobotWindowsSer ansible_host=10.7.7.199 VATCS028.ARITST.LCL ansible_host=10.12.12.28 ^ here

 [WARNING]:  * Failed to parse /etc/ansible/hosts with ini plugin: /etc/ansible/hosts:14: Expected key=value, got:
ansible_winrm_server_cert_validation: ignore

 [WARNING]: Unable to parse /etc/ansible/hosts as an inventory source

 [WARNING]: No inventory was parsed, only implicit localhost is available

 [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not
match 'all'

What is happening now?

Mike Fennemore

May 25, 2018, 2:40:07 PM
to Ansible Project
There seems to be a problem in the formatting of your hosts inventory file.
I would recommend reading through http://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html .

ansible...@gmail.com

May 25, 2018, 2:44:05 PM
to Ansible Project
Update:
Further, I went ahead and created a hosts file in my "ansible-virtualenv" and passed the path in the global ansible.cfg file.
I ran the following command in the virtualenv and now I have the following issue:

ansible win -i hosts -m win_ping
 [WARNING]:  * Failed to parse /root/ansible-virtualenvs/ansible-virtualenv/playbook/hosts with yaml plugin: Syntax
Error while loading YAML.   expected '<document start>', but found '<scalar>'  The error appears to have been in
'/root/ansible-virtualenvs/ansible-virtualenv/playbook/hosts': line 4, column 1, but may be elsewhere in the file
depending on the exact syntax problem.  The offending line appears to be:  [win] abc012.abctst.lcl
ansible_host=10.12.12.12 ^ here

 [WARNING]:  * Failed to parse /root/ansible-virtualenvs/ansible-virtualenv/playbook/hosts with ini plugin: /root
/ansible-virtualenvs/ansible-virtualenv/playbook/hosts:11: Expected key=value, got: ansible_user:
ansible...@abctst.lcl

 [WARNING]: Unable to parse /root/ansible-virtualenvs/ansible-virtualenv/playbook/hosts as an inventory source

 [WARNING]: No inventory was parsed, only implicit localhost is available

 [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not
match 'all'

abc012.ARITST.LCL | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: ssh: connect to host 10.12.12.206 port 22: Connection refused\r\n",
    "unreachable": true

I have mentioned the following vars in my hosts file created in "ansible-virtualenv":

 [win:vars]
ansible_user: ansible...@abc.lcl
ansible_password: xxxxxxxxxxx
ansible_port=5985
ansible_connection=winrm
ansible_winrm_server_cert_validation: ignore

Why is it still trying to use port 22?

Jordan Borean

May 25, 2018, 3:27:19 PM
to Ansible Project
When using an ini inventory you have to define vars like key=value, not key: value. Change all your vars to that format and the inventory will be parsable.

ansible...@gmail.com

May 25, 2018, 3:57:57 PM
to Ansible Project
Now I am getting a new error.
My first error was:
VATCS028.ARITST.LCL | UNREACHABLE! => {
    "changed": false,
    "msg": "plaintext: the specified credentials were rejected by the server",
    "unreachable": true
}
vabcs012.aritst.lcl | UNREACHABLE! => {
    "changed": false,
    "msg": "plaintext: HTTPConnectionPool(host='10.12.12.12', port=5985): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f02859474d0>: Failed  to establish a new connection: [Errno 111] Connection refused',))",

After which I added a line in the hosts vars (noticing that I had forgotten to mention it in my vars):

ansible_winrm_transport: Kerberos


and now I have this error:

VATCS029.ARITST.LCL | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: the python kerberos library is not installed",
    "unreachable": true

Bear with me, I need to resolve this. It's been a month that I have been trying to fix these things.
Also I want to ask: should I do a new Ansible server setup on CentOS and try working from the start?

Mike Fennemore

May 25, 2018, 4:13:54 PM
to Ansible Project
http://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html .

What does the entry in the hosts inventory look like? Kerberos is generally used when you are using a domain account and need second-hop capabilities.

The example below uses NTLM, which is older but does also work quite well.
 [win:vars]
ansible_user=ansible...@ABC.LCL
ansible_password=xxxxxxxxxxx
ansible_connection=winrm
ansible_winrm_transport=ntlm
ansible_winrm_server_cert_validation=ignore

If you want to use Kerberos then you will need the packages:
yum -y install python-devel krb5-devel krb5-libs krb5-workstation

Jordan Borean

May 25, 2018, 4:15:06 PM
to Ansible Project
plaintext: the specified credentials were rejected by the server

You are running over HTTP with Basic auth, which doesn't work by default. I recommend using an HTTPS listener or an auth setup that supports message encryption over HTTP like NTLM/Kerberos/CredSSP.

plaintext: HTTPConnectionPool(host='10.12.12.12', port=5985): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f02859474d0>: Failed  to establish a new connection: [Errno 111] Connection refused',))",

Usually means there's a firewall blocking this port, make sure Windows Firewall (or anything else in between) is not blocking it

kerberos: the python kerberos library is not installed

The kerb dependencies are not installed by default as it requires a few system packages; to install, run

# install the required System packages for requests-kerberos
sudo yum install gcc python-devel krb5-devel krb5-workstation python-devel

# install the requests-kerberos library
pip install pywinrm[kerberos]

Should I do a new ansible server setup on a CentOS and try working from start?

Depends on what you need to do; I recommend you push through and get your basic setup done and working. Once it is, make sure you document the steps you took to get to that point and start to automate them. Once you have a way of running a script (be it through Ansible or something else), you can easily bring down and recreate your control host. First you need to set things up correctly and understand the various components.

Thanks

Jordan
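Pulling the inventory advice from this thread together (a single ansible_connection and ansible_port from the first reply, the key=value rule for INI files, and the transport point above about Basic auth over HTTP being plaintext), here is an added example inventory in Ansible's YAML format; it is constructed for this post and is not any poster's file, and the address, account name and vault variable are assumed values:

```yaml
# hosts.yml: constructed example inventory for the Windows test-domain group.
# YAML inventory sidesteps the INI rule that every var must be key=value;
# in an INI file the same vars go under [abctst_win:vars] as key=value lines.
all:
  children:
    abctst_win:
      hosts:
        abc012.abctst.lcl:
          ansible_host: 10.12.12.12          # constructed address
      vars:
        # Exactly one connection plugin. 'local' runs win_* modules on the
        # RHEL controller, which is where "powershell: command not found" came from.
        ansible_connection: winrm
        # ansible_port, not ansible_ssh_port. 5985 is the HTTP listener.
        ansible_port: 5985
        # Basic auth over HTTP is refused by a default WinRM config
        # ("plaintext: the specified credentials were rejected"). NTLM, Kerberos
        # and CredSSP add message-level encryption, so they are usable on 5985.
        ansible_winrm_transport: ntlm
        # Realm in upper case: Kerberos realms are case-sensitive, and a
        # lower-case realm like 'aritst.lcl' is a common cause of the
        # "Client ... not found in Kerberos database" kinit error seen later.
        ansible_user: "ansible@ABCTST.LCL"     # constructed account name
        # Keep the secret out of the inventory: assumed ansible-vault variable
        # defined in group_vars/abctst_win/vault.yml.
        ansible_password: "{{ vault_win_ansible_password }}"
        # Alternative for the HTTPS listener that ConfigureRemotingForAnsible.ps1
        # creates (self-signed certificate, hence the validation override):
        #   ansible_port: 5986
        #   ansible_winrm_server_cert_validation: ignore
        # With a CA-issued certificate on the listener, leave validation enabled.
```

Check it with `ansible-inventory -i hosts.yml --list` before running win_ping; a file that the yaml and ini plugins both reject produces exactly the "No inventory was parsed, only implicit localhost" warnings quoted earlier.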

ansible...@gmail.com

May 25, 2018, 4:29:12 PM
to Ansible Project
Some success here.
As Mike suggested, I changed the vars.
Hosts vars as below:
 [win:vars]
ansible_user=ansible...@ABC.LCL
ansible_password=xxxxxxxxxxx
ansible_connection=winrm
ansible_winrm_transport=ntlm
ansible_winrm_server_cert_validation=ignore

Output:
vabcs012.aritst.lcl | UNREACHABLE! => {
    "changed": false,
    "msg": "ntlm: HTTPSConnectionPool(host='10.12.12.12', port=5986): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f726abd0250>: Failed to establish a new connection: [Errno 111] Connection refused',))",
    "unreachable": true
}
VATCS206.ARITST.LCL | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

With Kerberos, the following output:

RobotWindowsSer | UNREACHABLE! => {
    "changed": false,
    "msg": "Kerberos auth failure: kinit: Client 'ansible...@aritst.lcl' not found in Kerberos database while getting initial credentials",
    "unreachable": true
}
VATCS028.ARITST.LCL | UNREACHABLE! => {
    "changed": false,
    "msg": "Kerberos auth failure: kinit: KDC reply did not match expectations while getting initial credentials",
    "unreachable": true
}
VATCS206.ARITST.LCL | UNREACHABLE! => {
    "changed": false,
    "msg": "Kerberos auth failure: kinit: Client 'ansible...@aritst.lcl' not found in Kerberos database while getting initial credentials",
    "unreachable": true
}
vabcs012.aritst.lcl | UNREACHABLE! => {
    "changed": false,
    "msg": "Kerberos auth failure: kinit: KDC reply did not match expectations while getting initial credentials",
    "unreachable": true
}
VATCS029.ARITST.LCL | UNREACHABLE! => {
    "changed": false,
    "msg": "Kerberos auth failure: kinit: KDC reply did not match expectations while getting initial credentials",
    "unreachable": true
}

ansible...@gmail.com

May 25, 2018, 4:35:43 PM
to Ansible Project
To revise what I am trying to do:
I am working in an environment where there are 5 domains that run Windows and Linux systems.
The network operators spend weeks and months patching these Windows and Linux systems and it is a pain.
I want to automate this patching task.

I am referring to the Ansible for Windows document.
I believe if I can successfully ping the Windows machine I will definitely be able to make my playbook do the rest of the magic.
But here I am stuck at the root.

I have my Ansible machine in one domain and the Windows hosts that I am trying on are in another domain (a test environment for me).
If I succeed here, I will definitely be able to move on to staging and production.

Given this background I am seeking help and looking to automate this painful, outdated task and have Ansible take care of it.

Mike Fennemore

May 25, 2018, 4:47:52 PM
to Ansible Project
Ok that makes it clearer. I also work with multiple Windows domains, with a single CentOS control node. For your use case ntlm would work as Kerberos adds extra config and also has its own issues.

ansible...@gmail.com

May 25, 2018, 5:10:35 PM
to Ansible Project
I know I had enabled winrm on machine 206; that's the reason it pinged back.
I know the winrm service is running on the other machines, but I believe I will have to change the execution policy and run ConfigureRemotingForAnsible.ps1 on each of them to enable it to listen for remoting.
Is there a way I can run the ps1 on all the hosts at once?
Ansible will do it, but for that to happen I think winrm needs to be configured.
Is this approach correct?

Akshay Kaushik

Oct 27, 2018, 7:42:18 AM
to Ansible Project
Hi All,

Can anyone help to sort this? I am trying to achieve the installation of a piece of software on a Windows instance at provisioning time. The software is deployed but not installed. Below is the error I got when running the playbook:

 PLAY [localhost] *******************************************************************************************************************************************************

TASK [ensure instances are running] ************************************************************************************************************************************
changed: [localhost]

TASK [ensure Automation_Anywhere_Enterprise_Client is installed via win_package] ***************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "/bin/sh: powershell: command not found\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 127}
        to retry, use: --limit @/root/awswinins.retry

PLAY RECAP *************************************************************************************************************************************************************
localhost                  : ok=1    changed=1    unreachable=0    failed=1



- hosts: localhost
  gather_facts: no
  vars:
    target_aws_region: "us-east-1"
  vars_files:
     - secret.yml

  tasks:
  - name: ensure instances are running
    ec2:
      aws_access_key: " "
      aws_secret_key: " "
      key_name: " "
      region: " "
      image: "ami-050202fb72f001b47"
      instance_type: t2.micro
      group_id: "sg-00cfe7b7ee9a5aea8"
      wait: yes
      wait_timeout: 500
      exact_count: 1
      vpc_subnet_id: " "
      instance_profile_name: " "
      count_tag:
        Name: win-ami
      instance_tags:
        Name: win-ami
      user_data: "{{ lookup('template', 'userdata.txt.j2') }}"
    register: ec2_result

  - name: ensure Automation_Anywhere_Enterprise_Client is installed via win_package
    win_package:
      path: C:\Windows\Temp\Automation_Anywhere_Enterprise_Client_10.7.0.exe
      product_id: Autmation_Anywhere_Enterprise_Client
      state: present


Thanks and Regards,
Akshay Kaushik

Chris Hall

Oct 27, 2018, 10:44:59 AM
to ansible...@googlegroups.com
Looks like your playbook is running against localhost only, so when it gets to the Windows portion it's trying to run powershell on the Linux host, hence the powershell error.
You need to either delegate_to the Windows host group or use the Windows host group as a separate hosts block wrapping the operations the Windows host needs to do.
Inventory file looks fine.
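The separate-hosts-block structure described above, as an added example rewrite of the playbook posted earlier (not the poster's final code): the first play provisions the instance on the controller and registers it in an in-memory `win` group via add_host with WinRM connection vars, and the second play runs win_package on that group. It assumes secret.yml defines win_admin_user and win_admin_password, that the user_data template enables an HTTPS WinRM listener, and that the AWS credentials, key_name, subnet and instance profile are supplied as in the original.

```yaml
# Constructed example: two plays so that win_* modules run on the Windows host.
- hosts: localhost
  gather_facts: no
  vars:
    target_aws_region: "us-east-1"
  vars_files:
    - secret.yml          # assumed to hold win_admin_user / win_admin_password
  tasks:
    - name: ensure instances are running
      ec2:
        region: "{{ target_aws_region }}"
        image: "ami-050202fb72f001b47"
        instance_type: t2.micro
        group_id: "sg-00cfe7b7ee9a5aea8"
        wait: yes
        wait_timeout: 500
        exact_count: 1
        count_tag:
          Name: win-ami
        instance_tags:
          Name: win-ami
        user_data: "{{ lookup('template', 'userdata.txt.j2') }}"
        # aws_access_key, aws_secret_key, key_name, vpc_subnet_id and
        # instance_profile_name are supplied exactly as in the original play.
      register: ec2_result

    # Any extra key given to add_host becomes a host var for the new entry.
    - name: add the instance to the in-memory 'win' group with WinRM vars
      add_host:
        name: "{{ item.public_ip }}"
        groups: win
        ansible_connection: winrm
        ansible_port: 5986            # HTTPS listener from the user_data script
        ansible_winrm_transport: ntlm # message-level encryption, not Basic
        ansible_winrm_server_cert_validation: ignore  # self-signed cert there
        ansible_user: "{{ win_admin_user }}"
        ansible_password: "{{ win_admin_password }}"
      loop: "{{ ec2_result.tagged_instances }}"

# This play targets the Windows host, so the module executes in PowerShell there
# instead of failing with "/bin/sh: powershell: command not found" on the controller.
- hosts: win
  gather_facts: no
  tasks:
    - name: wait until WinRM answers (the instance is still booting when ec2 returns)
      wait_for_connection:
        delay: 30
        timeout: 600

    - name: ensure Automation_Anywhere_Enterprise_Client is installed via win_package
      win_package:
        path: C:\Windows\Temp\Automation_Anywhere_Enterprise_Client_10.7.0.exe
        product_id: Autmation_Anywhere_Enterprise_Client
        state: present
```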
