mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
229 lines
8.7 KiB
ReStructuredText
229 lines
8.7 KiB
ReStructuredText
.. _windows_faq:
|
|
|
|
Windows Frequently Asked Questions
|
|
==================================
|
|
|
|
Here are some commonly asked questions in regards to Ansible and Windows and
|
|
their answers.
|
|
|
|
.. note:: This document covers questions about managing Microsoft Windows servers with Ansible.
|
|
For questions about Ansible Core, please see the
|
|
:ref:`general FAQ page <ansible_faq>`.
|
|
|
|
Does Ansible work with Windows XP or Server 2003?
|
|
``````````````````````````````````````````````````
|
|
Ansible does not support managing Windows XP or Server 2003 hosts. The
|
|
supported operating system versions are:
|
|
|
|
* Windows Server 2008
|
|
* Windows Server 2008 R2
|
|
* Windows Server 2012
|
|
* Windows Server 2012 R2
|
|
* Windows Server 2016
|
|
* Windows 7
|
|
* Windows 8.1
|
|
* Windows 10
|
|
|
|
Ansible also has minimum PowerShell version requirements - please see
|
|
:ref:`windows_setup` for the latest information.
|
|
|
|
Can I manage Windows Nano Server with Ansible?
|
|
``````````````````````````````````````````````
|
|
Windows Nano Server is not currently supported by Ansible, since it does
|
|
not have access to the full .NET Framework that is used by the majority of the
|
|
modules and internal components.
|
|
|
|
Can Ansible run on Windows?
|
|
```````````````````````````
|
|
No, Ansible can only manage Windows hosts. Ansible cannot run on a Windows host
|
|
natively, though it can run under the Windows Subsystem for Linux (WSL).
|
|
|
|
.. note:: The Windows Subsystem for Linux is not supported by Ansible and
|
|
should not be used for production systems.
|
|
|
|
To install Ansible on WSL, the following commands
|
|
can be run in the bash terminal:
|
|
|
|
.. code-block:: shell
|
|
|
|
sudo apt-get update
|
|
sudo apt-get install python-pip git libffi-dev libssl-dev -y
|
|
pip install ansible pywinrm
|
|
|
|
To run Ansible from source instead of a release on the WSL, simply uninstall the pip
|
|
installed version and then clone the git repo.
|
|
|
|
.. code-block:: shell
|
|
|
|
pip uninstall ansible -y
|
|
git clone https://github.com/ansible/ansible.git
|
|
source ansible/hacking/env-setup
|
|
|
|
# To enable Ansible on login, run the following
|
|
echo ". ~/ansible/hacking/env-setup -q' >> ~/.bashrc
|
|
|
|
Can I use SSH keys to authenticate to Windows hosts?
|
|
````````````````````````````````````````````````````
|
|
SSH keys are not supported when using the WinRM or PSRP connection plugins.
|
|
These connection plugins support X509 certificates for authentication instead
|
|
of the SSH key pairs that SSH supports.
|
|
|
|
The way X509 certificates are generated and mapped to a user is different
|
|
from the SSH implementation; consult the :ref:`windows_winrm` documentation for
|
|
more information.
|
|
|
|
Ansible 2.8 has added experimental support for using the SSH connection plugin,
|
|
which supports authentication with SSH keys, to connect to Windows servers. See :ref:`this question <windows_faq_ssh>`
|
|
for more information.
|
|
|
|
.. _windows_faq_winrm:
|
|
|
|
Why can I run a command locally that does not work under Ansible?
|
|
`````````````````````````````````````````````````````````````````
|
|
Ansible executes commands through WinRM. These processes are different from
|
|
running a command locally in these ways:
|
|
|
|
* Unless using an authentication option like CredSSP or Kerberos with
|
|
credential delegation, the WinRM process does not have the ability to
|
|
delegate the user's credentials to a network resource, causing ``Access is
|
|
Denied`` errors.
|
|
|
|
* All processes run under WinRM are in a non-interactive session. Applications
|
|
that require an interactive session will not work.
|
|
|
|
* When running through WinRM, Windows restricts access to internal Windows
|
|
APIs like the Windows Update API and DPAPI, which some installers and
|
|
programs rely on.
|
|
|
|
Some ways to bypass these restrictions are to:
|
|
|
|
* Use ``become``, which runs a command as it would when run locally. This will
|
|
bypass most WinRM restrictions, as Windows is unaware the process is running
|
|
under WinRM when ``become`` is used. See the :ref:`become` documentation for more
|
|
information.
|
|
|
|
* Use a scheduled task, which can be created with ``win_scheduled_task``. Like
|
|
``become``, it will bypass all WinRM restrictions, but it can only be used to run
|
|
commands, not modules.
|
|
|
|
* Use ``win_psexec`` to run a command on the host. PSExec does not use WinRM
|
|
and so will bypass any of the restrictions.
|
|
|
|
* To access network resources without any of these workarounds, an
|
|
authentication option that supports credential delegation can be used. Both
|
|
CredSSP and Kerberos with credential delegation enabled can support this.
|
|
|
|
See :ref:`become` more info on how to use become. The limitations section at
|
|
:ref:`windows_winrm` has more details around WinRM limitations.
|
|
|
|
This program won't install on Windows with Ansible
|
|
``````````````````````````````````````````````````
|
|
See :ref:`this question <windows_faq_winrm>` for more information about WinRM limitations.
|
|
|
|
What Windows modules are available?
|
|
```````````````````````````````````
|
|
Most of the Ansible modules in Ansible Core are written for a combination of
|
|
Linux/Unix machines and arbitrary web services. These modules are written in
|
|
Python and most of them do not work on Windows.
|
|
|
|
Because of this, there are dedicated Windows modules that are written in
|
|
PowerShell and are meant to be run on Windows hosts. A list of these modules
|
|
can be found :ref:`here <windows_modules>`.
|
|
|
|
In addition, the following Ansible Core modules/action-plugins work with Windows:
|
|
|
|
* add_host
|
|
* assert
|
|
* async_status
|
|
* debug
|
|
* fail
|
|
* fetch
|
|
* group_by
|
|
* include
|
|
* include_role
|
|
* include_vars
|
|
* meta
|
|
* pause
|
|
* raw
|
|
* script
|
|
* set_fact
|
|
* set_stats
|
|
* setup
|
|
* slurp
|
|
* template (also: win_template)
|
|
* wait_for_connection
|
|
|
|
Can I run Python modules on Windows hosts?
|
|
``````````````````````````````````````````
|
|
No, the WinRM connection protocol is set to use PowerShell modules, so Python
|
|
modules will not work. A way to bypass this issue to use
|
|
``delegate_to: localhost`` to run a Python module on the Ansible controller.
|
|
This is useful if during a playbook, an external service needs to be contacted
|
|
and there is no equivalent Windows module available.
|
|
|
|
.. _windows_faq_ssh:
|
|
|
|
Can I connect to Windows hosts over SSH?
|
|
````````````````````````````````````````
|
|
Ansible 2.8 has added experimental support for using the SSH connection plugin
|
|
to manage Windows hosts. To connect to Windows hosts over SSH, you must install and configure the `Win32-OpenSSH <https://github.com/PowerShell/Win32-OpenSSH>`_
|
|
fork that is in development with Microsoft on
|
|
the Windows host(s). While most of the basics should work with SSH,
|
|
``Win32-OpenSSH`` is rapidly changing, with new features added and bugs
|
|
fixed in every release. It is highly recommend you install the latest release
|
|
of ``Win32-OpenSSH`` from the GitHub Releases page when using it with Ansible
|
|
on Windows hosts.
|
|
|
|
To use SSH as the connection to a Windows host, set the following variables in
|
|
the inventory::
|
|
|
|
ansible_connection=ssh
|
|
|
|
# Set either cmd or powershell not both
|
|
ansible_shell_type=cmd
|
|
# ansible_shell_type=powershell
|
|
|
|
The value for ``ansible_shell_type`` should either be ``cmd`` or ``powershell``.
|
|
Use ``cmd`` if the ``DefaultShell`` has not been configured on the SSH service
|
|
and ``powershell`` if that has been set as the ``DefaultShell``.
|
|
|
|
Why is connecting to a Windows host via SSH failing?
|
|
````````````````````````````````````````````````````
|
|
Unless you are using ``Win32-OpenSSH`` as described above, you must connect to
|
|
Windows hosts using :ref:`windows_winrm`. If your Ansible output indicates that
|
|
SSH was used, either you did not set the connection vars properly or the host is not inheriting them correctly.
|
|
|
|
Make sure ``ansible_connection: winrm`` is set in the inventory for the Windows
|
|
host(s).
|
|
|
|
Why are my credentials being rejected?
|
|
``````````````````````````````````````
|
|
This can be due to a myriad of reasons unrelated to incorrect credentials.
|
|
|
|
See HTTP 401/Credentials Rejected at :ref:`windows_setup` for a more detailed
|
|
guide of this could mean.
|
|
|
|
Why am I getting an error SSL CERTIFICATE_VERIFY_FAILED?
|
|
````````````````````````````````````````````````````````
|
|
When the Ansible controller is running on Python 2.7.9+ or an older version of Python that
|
|
has backported SSLContext (like Python 2.7.5 on RHEL 7), the controller will attempt to
|
|
validate the certificate WinRM is using for an HTTPS connection. If the
|
|
certificate cannot be validated (such as in the case of a self signed cert), it will
|
|
fail the verification process.
|
|
|
|
To ignore certificate validation, add
|
|
``ansible_winrm_server_cert_validation: ignore`` to inventory for the Windows
|
|
host.
|
|
|
|
.. seealso::
|
|
|
|
:ref:`windows`
|
|
The Windows documentation index
|
|
:ref:`about_playbooks`
|
|
An introduction to playbooks
|
|
:ref:`playbooks_best_practices`
|
|
Best practices advice
|
|
`User Mailing List <https://groups.google.com/group/ansible-project>`_
|
|
Have a question? Stop by the google group!
|
|
`irc.freenode.net <http://irc.freenode.net>`_
|
|
#ansible IRC chat channel
|