proposal for winrm connection, presigned insecure cert


pixel fairy
May 5, 2018, 9:24:05 PM
to Vagrant

Disclaimer: all I know about WinRM is that it's kinda like the Windows equivalent to SSH, if you squint at it just right from far enough away.

Windows doesn't work out of the box as expected with the Ansible provisioner. There are two ways I think this can be fixed.

1. "ansible_winrm_server_cert_validation: ignore" in the generated inventory
2. Don't ignore it, but use a self-signed cert that Vagrant already knows about, and have it generate a new cert the way it does with SSH.

Is option 2 possible? Is it even worth the effort if Windows is going to switch to SSH anyway?

Alvaro Miranda Aguilera
May 7, 2018, 3:39:42 AM
to vagra...@googlegroups.com

Not a chance you can test deploying the certs that Ansible can use, with a file provisioner or something?


Alvaro

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/mitchellh/vagrant/issues
IRC: #vagrant on Freenode
---
You received this message because you are subscribed to the Google Groups "Vagrant" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vagrant-up+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vagrant-up/be9be99c-3fff-45c2-a1c4-ce6afa3e4fb6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.




Mário Costa
May 7, 2018, 7:17:40 AM
to vagra...@googlegroups.com

I've got it working out of the box; you'll need to set up the guest properly though, don't remember the steps. It's nice to set it up provisioning things with Chocolatey (Windows apt equivalent).

But for me, the best approach, which I still haven't had the time to set up, is using SSH in Windows, so that the box works on Linux or Windows hosts.

pixel fairy
May 7, 2018, 7:54:15 PM
to Vagrant

On Monday, May 7, 2018 at 12:39:42 AM UTC-7, Alvaro Miranda Aguilera wrote:
> Not a chance you can test deploying the certs that Ansible can use, with a file provisioner or something?

The point was to have the Ansible provisioner handle these details in the background by default.

It's not that big a deal to throw an extra line in your playbook. I just think Vagrant should handle these things for the user.
 



Alvaro Miranda Aguilera
May 8, 2018, 12:08:55 PM
to vagra...@googlegroups.com

Correct, but if you can help to test that it works, then a PR should be easier.

I am not sure Vagrant core developers use Ansible, to be able to test and code that.


Alvaro


pixel fairy
May 13, 2018, 11:45:53 PM
to Vagrant

How should I test it to help the core developers? I use ignore cert_validation in all my Windows Ansible Vagrant sessions.




Gilles Cornu
May 15, 2018, 5:01:02 PM
to Vagrant

Hey there,

Thank you Pixel Fairy for reporting this improvement request. Thank you Alvaro and Mário for your useful inputs.

Ansible support for Windows has without any doubt strongly evolved since late 2015, which is when WinRM support was added to the Ansible provisioner in Vagrant 1.8. Therefore, I'm certain that we should give it some valuable updates, but the Vagrant+Ansible community has not been very active in this field so far... and I personally don't manage (yet) Windows hosts (neither for fun nor for profit ;-)

> How should I test it to help the core developers?

By "help to test that works", I think Alvaro meant that it would be of great help if you could provide us with a minimal setup/project that demonstrates the issue and its resolution. Ideally a public git repo with all the information to reproduce/illustrate the use case (Vagrantfile, Ansible playbook, etc.). That can save a lot of time and avoid misunderstandings.

> 1. "ansible_winrm_server_cert_validation: ignore" in the generated inventory

So at first glance, I think that proposal 1 is probably a good approach (i.e. KISS), but I'd like to better understand the Ansible usage landscape, combined with what Vagrant already supports regarding WinRM communication, especially the config.winrm.transport option.

> Is option 2 possible?

I guess ;-) It would be great if you could investigate the capabilities offered by the config.winrm.* options (e.g. to configure the SSL certs). The idea is then to improve the Ansible provisioner so it also honours the same settings.

> Is it even worth the effort if Windows is going to switch to SSH anyway?

Good point (and more amazing stuff ahead ;-). After a very quick look at the Win32-OpenSSH milestones, I think it is still worth making some quick wins on top of WinRM. But it will be reasonable to set some constraints, based on the WinSSH perspectives.

For the next step, I invite you to create a GitHub issue describing the expected behaviour (e.g. new parameters in the generated Ansible inventory, taking into account the concerns mentioned above). It would be very much appreciated if you or someone else also wants to implement this. Otherwise, I'll be happy to help once the "specs" are clarified.

I hope we'll go forward with this! Best regards,
Gilles

Gilles Cornu
May 15, 2018, 5:07:41 PM
to Vagrant

PS (still raw and not digested):

When the config.winrm.ssl_peer_verification option is set to false, the Ansible provisioner should set ansible_winrm_server_cert_validation=ignore in the dynamic inventory.

Pending: give some thought to static inventory support alternatives:
  1. not supported (the static inventory author should take care of this, even though this could be incoherent with the config.winrm.* values), or
  2. pass ansible_winrm_server_cert_validation=ignore by another means (e.g. via an extra var or via an environment variable)
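The mapping Gilles sketches in this PS, and the inventory line pixel fairy proposed as option 1 in the opening message, can be illustrated with a small Ruby function. This is an added example, not code from Vagrant or from anyone in the thread: the hash keys mirror the names of Vagrant's config.winrm options (transport, ssl_peer_verification, username, password, port), but the function names, the DEFAULT_WINRM defaults and the exact set of ansible_* variables emitted are assumptions for illustration. The security-relevant design point is that ansible_winrm_server_cert_validation=ignore is emitted only when the Vagrantfile has explicitly set ssl_peer_verification to false on an SSL transport; in every other case the variable is left out, so Ansible keeps its default of validating the server certificate.

```ruby
# Added example, not Vagrant's own code: derive WinRM-related Ansible
# inventory variables from a Vagrant-style config.winrm hash, so that the
# generated inventory honours the same settings the user already chose.

# Assumed defaults; the keys follow Vagrant's config.winrm option names.
DEFAULT_WINRM = {
  transport: :negotiate,        # Vagrant's default WinRM transport
  ssl_peer_verification: true,  # validate the server certificate by default
  username: "vagrant",
  password: "vagrant",
  port: 5985,
}.freeze

# Return the ansible_* host variables for one guest as an ordered hash.
# Only an explicit opt-out (transport :ssl AND ssl_peer_verification false)
# produces ansible_winrm_server_cert_validation=ignore; otherwise the
# variable is omitted and Ansible validates the certificate as usual.
def winrm_inventory_vars(host_ip, winrm = {})
  cfg = DEFAULT_WINRM.merge(winrm)
  vars = {
    "ansible_host"       => host_ip,
    "ansible_port"       => cfg[:port],
    "ansible_connection" => "winrm",
    "ansible_user"       => cfg[:username],
    "ansible_password"   => cfg[:password],
  }
  if cfg[:transport] == :ssl
    vars["ansible_winrm_scheme"] = "https"
    unless cfg[:ssl_peer_verification]
      vars["ansible_winrm_server_cert_validation"] = "ignore"
    end
  end
  vars
end

# Render one INI-style inventory line of the form
#   name ansible_host=... ansible_port=... ansible_connection=winrm ...
def inventory_line(name, host_ip, winrm = {})
  vars = winrm_inventory_vars(host_ip, winrm)
  ([name] + vars.map { |k, v| "#{k}=#{v}" }).join(" ")
end

if __FILE__ == $0
  # Constructed sample: a guest whose Vagrantfile turned peer verification off
  puts inventory_line("win10", "192.168.56.10",
                      transport: :ssl, port: 5986, ssl_peer_verification: false)
  # Same guest with the default (verification on): no "ignore" is emitted
  puts inventory_line("win10", "192.168.56.10", transport: :ssl, port: 5986)
end
```

Run as a script, the first line carries ansible_winrm_server_cert_validation=ignore and the second does not. Note that turning ssl_peer_verification off on a non-SSL transport emits nothing either, since there is no certificate to skip validating; that is the "incoherent with config.winrm.* values" case Gilles flags for static inventories, and a static inventory author would have to keep the two in sync by hand.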