Raw Command to run a UNC Powershell script

[Mark Matthews]

Hi

 

Is it possible to run a the following raw command to start a PowerShell script? Neither of the below work…I keep getting errors.

 

- name: Config Octo

  hosts: winservers

  tasks:

    - name: Config Octo

      raw: '\\10.10.3.167\C$\Temp\octo.ps1'

 

or

 

- name: Config Octo

  hosts: winservers

  tasks:

    - name: Config Octo

      raw: //10.10.3.167/C$/Temp/octo.ps1

 

 

Example of error:

fatal: [10.10.3.169]: FAILED! => {"changed": false, "failed": true, "rc": 1, "stderr": "#< CLIXML\r\n<Objs Version=\"1.1.0.1\" xmlns=\"http://schemas.microsoft.com/powershell/2004/04\"><S S=\"Error\">&amp; : The term '\\\\10.10.3.167\\C$\\Temp\\octo.ps1' is not recognized as the name of _x000D__x000A_</S><S S=\"Error\">a cmdlet, function, script file, or operable program. Check the spelling of _x000D__x000A_</S><S S=\"Error\">the name, or if a path was included, verify that the path is correct and try _x000D__x000A_</S><S S=\"Error\">again._x000D__x000A_</S><S S=\"Error\">At line:1 char:3_x000D__x000A_</S><S S=\"Error\">+ &amp; \\\\10.10.3.167\\C$\\Temp\\octo.ps1_x000D__x000A_</S><S S=\"Error\">+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~_x000D__x000A_</S><S S=\"Error\">    + CategoryInfo          : ObjectNotFound: (\\\\10.10.3.167\\C$\\Temp\\octo.ps1: _x000D__x000A_</S><S S=\"Error\">   String) [], CommandNotFoundException_x000D__x000A_</S><S S=\"Error\">    + FullyQualifiedErrorId : CommandNotFoundException_x000D__x000A_</S><S S=\"Error\"> _x000D__x000A_</S></Objs>", "stdout": "", "stdout_lines": []}

 

 

The reason im trying to do it this way is because if I try get Ansible to run the PowerShell script using the 'script' module it always fails due to access rights.

 

So Im trying to use the ‘raw’ command to execute a PowerShell script located on a template server to run on target server.

 

 

Cheers

[J Hawkesworth]

Hi Mark,

If you copy the octo.ps1 onto the machine where you want to run it, can you run it using raw?

There's a few things that I think could be causing the failure - 

The $ in the pathname might be being interpreted as a variable name - I guess you could get around this by setting up a named share rather than using the default drive sharing path.

You might have more luck using a hostname rather than an ip address too.

However I think even with the above you may still yet hit the 'second hop' issue where access to the share is denied.  The first hop is from ansible to the target windows host, the second from the target windows host to the share.  

A workaround that might work for you is to use fetch to collect the octo.ps1 from the share host and then use copy to place it on the machine(s) where it needs to run.

HTH

Jon

[Mark Matthews]

Hi Jon

Thanks for your quick response!

I was able to get this all working by copying a Powershell script to the servers Temp wile (win_copy), and then using the 'raw' command to execute that script.

- name: Configure Tentacle

  hosts: all

  tasks:

    - name: Configure Tentacle

      raw: "C:\\Temp\\config.ps1"

Thanks again for your help!

[J Hawkesworth]

Glad its working.

Actually, you might be able to save yourself a step using the 'script' module which can deliver your powershell script to the windows hosts and run it with 1 module call.

- name: Configure Tentacle

  hosts: all

  tasks:

    - name: Configure Tentacle

      script: config.ps1

More examples of using script on windows in the integration tests here: 

https://github.com/ansible/ansible/blob/devel/test/integration/roles/test_win_script/tasks/main.yml

HTH

Jon

[skinnedknuckles]

Hi Jon,

I checked the examples at your link but they weren't very helpful to me (I don't understand the "/" prefixes to his simple arguments).  How would I pass a path (as a string) and an ansible variable as 2 arguments into a powershell script using the "script:" command?

In other words, this works for passing a single argument to my powershell script

  - script: createDirectory.ps1 '\\10.1.2.34\directory1\directory2\{{ansibleVar}}'

But the Yaml parser complains when I try to pass the same information as 2 arguments

  - script: createDirectory.ps1 '\\10.1.2.34\directory1\directory2' '{{ansibleVar}}'

Can you tell me what I'm doing wrong or how to fix it?

[J Hawkesworth]

Hi,

I think the "/" prefixes are intended to be like windows style command line switches.

You will be hitting a lot of parsers in the process of passing script parameters via ansible to powershell so this can be fiddly.  Once you have got good yaml, there's jinja2 templating, then powershell itself also wants to parse and interpret its arguments.

I'd suggest trying double quotes and doubling up your \ characters perhaps? 

  - script: createDirectory.ps1 "\\\\10.1.2.34\\directory1\\directory2" "{{ansibleVar}}"

However, I'd try and do this with a module, or perhaps just some raw powershell (assuming your createDirectory.ps1 actually only creates a directory)

Since it looks like you are creating a folder on a share, you'd need to be running with kerberos auth delegation, otherwise you are unlikely to have permission to make changes on the share (this is the second hop issue mentioned elsewhere).

However with ansible 2.1 and pywinrm 0.2.0 (not quite released as far as I can tell - see this thread  https://groups.google.com/forum/#!topic/ansible-project/vEl-mrvFkrY for details) I believe you can now use auth delegation, so you should be able to get round that.

With auth delegation in place you might be able to do as a 1 liner like this too (not tested)

- raw: New-Item -ItemType Directory -Path "FileSystem::\\10.1.2.34\directory1\directory2\{{ansibleVar}}" -Force -Confirm:$false

I think you might need to tinker a bit more, but hopefully something in the above is enough to unstick you.

Jon

[Christoph Wegener]

At the moment, CredSSP is not supported as a WinRM authentication method in Ansible.

Without CredSSP support, you will not be able to authenticate to remote CIFS shares like you are trying to do in your example UNC path.

[Christoph Wegener]

You could, however, have a look at Ansible 2.1 which introduces support for Kerberos Delegation via a new version of pywinrm.

The usual Kerberos delegation requirements apply. (Enable accounts for delegation in Active Directory)