Using ansible_winrm_server_cert_validation

b-long

Jun 15, 2017, 1:36:35 PM
to Ansible Project
Hi All,

As I noted in a previously closed issue, it's not clear to me where `ansible_winrm_server_cert_validation` will be respected in group_vars and host_vars.  In addition, I'm unsure how to deal with the situation of dynamic inventory, such as in Ansible Tower.  Here's my GitHub question repeated for convenience:

----

I feel terrible asking this, given the amount of traffic on this thread, but I'm wondering if a change to `ansible_winrm_server_cert_validation` is still expected for Ansible 2.3.

As far as I can tell, it still must be set in the inventory file, if the desired behavior is:

ansible_winrm_server_cert_validation=ignore

Just as you noted a while ago, placement in a playbook will not be respected. For instance:

- name: Debug playbook
  hosts: all
  vars:
    - ansible_connection: winrm
    - ansible_winrm_server_cert_validation: ignore
    - ansible_user: user
    - ansible_password: password
    - ansible_port: 5986
    - ansible_winrm_transport: ntlm

  tasks:
    - name: "Print a sanity check (message)"
      debug: msg="Running debug playbook"

Tested using `ansible 2.2.1.0` and `pywinrm==0.2.2`.

J Hawkesworth

Jun 16, 2017, 1:23:14 AM
to Ansible Project
Yeah, I think that restriction is still in place, but group_vars is a good place for it.  

You have 'hosts: all' in your example playbook, but not all of them are going to be windows hosts (probably) so defining a group called windows and having these vars defined for hosts that belong to the windows group is a good place to start.  Then when your plays are for windows hosts you can just set

hosts: windows

and the playbook will apply to the right machines, with the right settings (which are only really relevant to the windows machines).  
So the specific details of connecting to windows machines are kept out of your playbook and are applied where they are meaningful, i.e. on any of your windows machines.

Obviously you can get more detailed and have child groups of windows hosts if needed but you can still keep these common connection variables and have them apply to any hosts that are running windows.

You don't mention what your dynamic inventory source is, but provided your dynamic inventory returns your hosts as members of a group, you can use matching group_vars with dynamic inventory just fine.

Hope this helps,

Jon
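
Added example, not part of the thread and not Ansible's own code: a minimal dynamic inventory script that returns Windows hosts as members of a `windows` group, so the WinRM settings from the question apply only to that group (here as group-level `vars`; a matching `group_vars/windows.yml` works the same way). The host names and the `HOSTS` records are constructed, and `ansible_user`/`ansible_password` are left out on the assumption that they come from a vault or a Tower credential.

```python
#!/usr/bin/env python
"""Dynamic inventory sketch: Windows hosts land in a 'windows' group."""
import json
import sys

# Constructed sample records standing in for a real source (CMDB, cloud API).
HOSTS = [
    {"name": "win-app01.example.test", "os": "windows"},
    {"name": "win-db01.example.test", "os": "windows"},
    {"name": "web01.example.test", "os": "linux"},
]

# Connection settings from the question, scoped to the group instead of a play.
# Credentials are intentionally absent (assumed to come from a vault/Tower).
WINDOWS_VARS = {
    "ansible_connection": "winrm",
    "ansible_port": 5986,
    "ansible_winrm_transport": "ntlm",
    "ansible_winrm_server_cert_validation": "ignore",
}


def build_inventory(records):
    """Return the JSON structure Ansible expects from `--list`."""
    inventory = {"_meta": {"hostvars": {}}}
    for rec in records:
        # One group per OS name; each group carries its own hosts and vars.
        group = inventory.setdefault(rec["os"], {"hosts": [], "vars": {}})
        group["hosts"].append(rec["name"])
        inventory["_meta"]["hostvars"][rec["name"]] = {}
    if "windows" in inventory:
        inventory["windows"]["vars"] = dict(WINDOWS_VARS)
    return inventory


def main(argv):
    # With `_meta` in the --list output Ansible does not call --host,
    # but the script still answers it with an empty dict.
    if len(argv) == 3 and argv[1] == "--host":
        print(json.dumps({}))
    else:
        print(json.dumps(build_inventory(HOSTS), indent=2))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A play with `hosts: windows` then picks up these variables, while `web01.example.test` in the `linux` group never sees the relaxed certificate setting.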