Ten Steps To Get Ansible Working With Windows Machines

Hey,

Looking back, these are the kind of instructions I wish I had when I set out to use Ansible with SSL encryption to manage my Windows machines. I'm glad to see these instructions improve, so go ahead and comment or correct as needed. In my case I was using the following versions.

Management Node: CentOS 6, Ansible 2.1, Python 2.7.13
All Remote Nodes: Windows 7, PowerShell 3.0

FIRST OF ALL

  1. Request an SSL Certificate
     1. Pick a username and password for creating a local user account on each and every remote Windows machine. You will make your remote connections through this account.
     2. Use the username and password to create a certificate request (watch this video to see how). The common name on the certificate request must be a fully qualified domain name, something like localWindowsUser.aa.bb.acme.com, where localWindowsUser is the local Windows user account name you picked in sub-step 1 and aa.bb.acme.com is the domain of your remote Windows machines (to get the domain, click Run, type cmd, click OK, then type ipconfig; the domain name follows Connection-specific DNS Suffix). Keep in mind that a TLS client compares the certificate's name with the name it connected to, so a name built from a user account only passes validation if the management node reaches the host by exactly that name (for example through an /etc/hosts entry) or has certificate validation turned off; the safer choice is each host's own FQDN as the CN or as a Subject Alternative Name.
     3. Attach the certificate request file to an email message asking for an SSL certificate and send it to your IT department or another certificate authority.
     4. While IT works on that, continue with the following.
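How to produce that certificate request from an elevated PowerShell prompt on one of the Windows nodes, as an added example: it is not from the post or the video it links, and it uses certreq.exe, which ships with Windows 7 and later, so the private key is created in the Local Computer store of the machine you run it on. The CN is the post's placeholder; the .inf/.csr paths under %TEMP%, the SAN list and the PFX password are assumptions to replace with your own.

```powershell
# Added example (not from the post): build a PKCS#10 request with certreq.exe.
# Placeholders: $Cn is the post's example CN; paths and $SanList are assumed.
$Cn      = 'ansibleAdmin.aa.bb.acme.com'
$InfPath = "$env:TEMP\winrm-request.inf"
$CsrPath = "$env:TEMP\winrm-request.csr"

# Subject Alternative Names: one dns= entry per name the management node will
# use to reach a host that presents this certificate. TLS clients match on SAN
# before CN, so listing the real host FQDNs here is what makes validation pass.
$SanList = @($Cn)                                   # assumption: extend with host FQDNs
$SanText = ($SanList | ForEach-Object { "dns=$_" }) -join '&'

# certreq .inf: 2048-bit RSA key in the machine store, exportable so the same
# key/cert pair can be moved to other nodes as a .pfx, Server Authentication EKU.
@"
[NewRequest]
Subject = "CN=$Cn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "$SanText&"
"@ | Set-Content -Path $InfPath -Encoding ASCII

# Generates the key pair and writes the base64 CSR; this is the file to send to IT.
certreq -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
Write-Output "Request written to $CsrPath; send it to your CA."

# Later, on this same machine, once the issued certificate (issued.cer) is back:
#   certreq -accept issued.cer                         # pairs it with the key in Cert:\LocalMachine\My
# and, if other nodes must present the same certificate (the post's layout):
#   certutil -p <pfx-password> -exportPFX My $Cn node.pfx   # export key + certificate for them
```

Sharing one key across every node, as the post does, means that compromising any one node exposes the key that all of them present; per-host requests with each host's own FQDN avoid that and make hostname validation work without /etc/hosts tricks.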

ON THE MANAGEMENT NODE (LINUX MACHINE)

  2. Install a version of Python prior to 3.0 (for example Python 2.7.13) with the following or similar commands. The download below is fetched over plain HTTP, so check the tarball against the hash or GPG signature published on python.org before building it. make altinstall installs python2.7 alongside the Python 2.6 that CentOS 6 ships with, without replacing the python binary that yum depends on.

$ wget http://python.org/ftp/python/2.7.13/Python-2.7.13.tar.xz

$ tar xf Python-2.7.13.tar.xz

$ cd Python-2.7.13

$ ./configure --prefix=/usr/local --enable-unicode=ucs4 --enable-shared LDFLAGS="-Wl,-rpath /usr/local/lib"

$ make && sudo make altinstall

  3. Use the following or similar commands to install Ansible, paramiko, PyYAML, Jinja2, httplib2, six and pywinrm. More instructions are here but they didn't help me much. The clone only gives you a source checkout; to run Ansible from it, execute source ./hacking/env-setup inside the checkout (or skip the clone and install a release with pip install ansible). Note that git:// and the plain-HTTP zip are unauthenticated downloads, and that the last command replaces the released pywinrm with an unreleased snapshot of master, so keep it only if you need a fix that has not shipped yet.

$ git clone git://github.com/ansible/ansible.git --recursive

$ cd ./ansible

$ sudo easy_install pip

$ sudo pip install paramiko PyYAML Jinja2 httplib2 six

$ sudo pip install "pywinrm>=0.1.1"

$ sudo pip install http://github.com/diyan/pywinrm/archive/master.zip#egg=pywinrm

  4. As root, create a text file named /etc/ansible/ansible.cfg with the following text in it. This tells Ansible where to look for your inventory file (the inventory file is the text file named hosts explained in step 5).

[defaults]

inventory = /root/home/username/hosts

  5. Create or edit the file /root/home/username/hosts to be something like the following. When you specify a group name like windows, Ansible knows to carry out the task on every machine listed below the group name. See more details and examples here.

[windows]

123.123.123.123

234.234.234.234

(where windows is the name of your group and 123.123.123.123 and 234.234.234.234 are the IP addresses of your remote nodes; you may also use fully qualified domain names, see all options here. If the certificates from step 1 carry host names, list the nodes by those names rather than by IP, because the name you connect with is what the client compares against the certificate.)

  6. Ansible loads group variables from a group_vars directory that sits next to the inventory file (and from one next to the playbook), so with the inventory path used in step 4 that directory is /root/home/username/group_vars; /etc/ansible/group_vars is only searched when the inventory itself is /etc/ansible/hosts. In that directory create a YAML file (a text file with a .yml extension) whose name matches the group name you used in step 5 (windows in this example). So the file group_vars/windows.yml should look something like this

ansible_user: ansibleAdmin

ansible_password: p@$$w0rd

ansible_port: 5986

ansible_connection: winrm

(where ansible_user: is the username you picked in step 1 (without the domain) and ansible_password: is the password you picked in step 1. ansible_connection: winrm tells Ansible to reach the host through WinRM with pywinrm instead of SSH, and ansible_port: 5986 selects the HTTPS listener, so the session is encrypted and the Basic-auth password never travels in the clear; port 5985 would be the plain-HTTP listener. Versions before Ansible 2.0 used ansible_ssh_pass: instead of ansible_password: and ansible_ssh_port: instead of ansible_port:.) This file holds, in plain text, a password that is an administrator on every node, so keep its permissions tight and prefer to store it encrypted with ansible-vault encrypt group_vars/windows.yml, after which Ansible asks for the vault password when run with --ask-vault-pass.

ON EACH REMOTE NODE (WINDOWS MACHINE)

  7. Click on Start > Control Panel > Programs and Features (or Add or Remove Programs). Scroll down to the M's and look for Microsoft .NET Framework. If you don't have version 4.0 or later, download and install it from here.
  8. Create a local Windows account with admin privileges with the same username and password you picked in step 1 (also the same as in group_vars/windows.yml). Click on Start > Control Panel > Administrative Tools > Computer Management. Click on the plus sign or arrow next to Local Users and Groups. Right-click on Users, then click on New User. Enter the user name for both User name and Full name. Enter the password. Click on Create, Close and Close. Click on Start > Control Panel > User Accounts. Click on Manage User Accounts. Select your new account and click on Properties. Click on the Group Membership tab and change the Group Membership from Standard User to Administrator. Click OK, OK and Close. Restart the computer. Note: the remote computer need not be logged into this account for Ansible to make a remote connection to PowerShell, but the account must exist. Because the same administrator password is reused on every node, one leaked password opens all of them, so make it long and random and keep it out of anything you commit.
  9. You will get two certificates (two files) back from the request you made in step 1: the certificate issued to your common name, and the Intermediate Certificate of the CA that signed it (this certificate vouches for the origin of the issued one). You only need to import the Intermediate Certificate once, into the Intermediate Certification Authorities folder under Certificates (Local Computer) with Microsoft Management Console (MMC). The issued certificate does not go into Trusted Root Certification Authorities; that folder is only for CA root certificates. Instead, import it into the Personal folder under Certificates (Local Computer) together with its private key: if the request was generated on another machine, export certificate and key from there as a .pfx and import that, because the WinRM HTTPS listener needs the key, not just the public certificate. If the CA's root certificate is not already trusted on the machine, that root (and only that) goes into Trusted Root Certification Authorities. Watch this video to learn how to use MMC.

  10. Windows 7 machines and later have PowerShell installed in C:\Windows\System32\WindowsPowerShell\v1.0. Use it to turn on WinRM:
     1. Start PowerShell as Administrator and run the command Set-ExecutionPolicy -ExecutionPolicy Unrestricted (add -Scope Process to confine the change to this one shell; alternatively, leave the policy alone and launch the script in sub-step 4 as powershell.exe -ExecutionPolicy Bypass -File .\ConfigureRemotingForAnsible.ps1).
     2. Download Trond Hindenes' PowerShell script (named ConfigureRemotingForAnsible.ps1) for enabling WinRM/PSRemoting. You can get the most recent version here.
     3. I used this older version of ConfigureRemotingForAnsible.ps1 and had to hard code my fully qualified domain name by changing line 175 from 175 $valueset.Add('Hostname', $SubjectName) to 175 $valueset.Add('Hostname', 'ansibleAdmin.aa.bb.acme.com')
     4. Run your copy of the ConfigureRemotingForAnsible.ps1 PowerShell script and you should eventually see something like VERBOSE: HTTP: Enabled | HTTPS: Enabled VERBOSE: PS Remoting has been successfully configured for Ansible. HTTP: Enabled means the script has also left a plain-HTTP listener on port 5985; this setup never uses it, so remove that listener or block 5985 at the firewall, and make sure WSMan:\localhost\Service\AllowUnencrypted stays false so Basic-auth credentials are never accepted over plain HTTP.
     5. Run the PowerShell command Set-ExecutionPolicy -ExecutionPolicy Restricted (not needed if you used -Scope Process or -ExecutionPolicy Bypass -File in sub-step 1).
     6. Close PowerShell.
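The Windows-side steps 8 to 10 as one script, added here as an example (it is neither the post's click-through procedure nor ConfigureRemotingForAnsible.ps1): it creates the account, places each certificate in the store it belongs in, checks that the chain validates, and publishes an HTTPS-only WinRM listener bound to that certificate. The account name, password and FQDN are the post's placeholders; the two file paths and the .pfx password are assumptions. It needs an elevated PowerShell 3.0 prompt on each node, and deliberately uses the older tools (net.exe, certutil, netsh, the WSMan cmdlets) so that it runs on Windows 7.

```powershell
# Added example (not from the post, not ConfigureRemotingForAnsible.ps1).
# Placeholders: $User, $Password and $Fqdn are the post's example values;
# $PfxPath, $PfxPassword and $IntermPath are assumed file locations.
$User        = 'ansibleAdmin'
$Password    = 'p@$$w0rd'
$Fqdn        = 'ansibleAdmin.aa.bb.acme.com'
$PfxPath     = 'C:\certs\ansibleAdmin.pfx'       # issued certificate plus its private key
$PfxPassword = 'pfx-export-password'
$IntermPath  = 'C:\certs\intermediate.cer'       # intermediate CA certificate from IT

# Step 8: the local administrator account Ansible logs in as.
# net.exe is used because New-LocalUser does not exist on Windows 7.
net user $User *> $null
if ($LASTEXITCODE -ne 0) { net user $User $Password /add | Out-Null }
net localgroup Administrators $User /add *> $null

# Step 9: each certificate in the right store.
#   intermediate CA            -> Intermediate Certification Authorities ("CA" store)
#   issued certificate + key   -> Local Computer Personal ("My" store)
# Nothing here goes into Trusted Root; only the CA's own root certificate belongs there.
certutil -f -addstore CA $IntermPath | Out-Null
certutil -f -p $PfxPassword -importpfx $PfxPath | Out-Null

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$Fqdn in Cert:\LocalMachine\My" }
# Verify() builds the chain from the machine's stores. A failure here means the
# root or intermediate is missing or in the wrong store, and a validating WinRM
# client would reject the listener's certificate for the same reason.
if (-not $cert.Verify()) { throw "Chain for thumbprint $($cert.Thumbprint) does not validate" }

# Step 10: WinRM with Basic auth allowed, but only over the HTTPS listener.
Enable-PSRemoting -Force -SkipNetworkProfileCheck | Out-Null
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false   # never Basic over plain HTTP

$listeners = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate
if (-not ($listeners | Where-Object { $_.Transport -eq 'HTTPS' })) {
    New-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet    @{ Hostname = $Fqdn; CertificateThumbprint = $cert.Thumbprint } | Out-Null
}
# Enable-PSRemoting also creates a plain-HTTP listener on 5985. This setup never
# needs it, so remove it rather than leave a second way in.
if ($listeners | Where-Object { $_.Transport -eq 'HTTP' }) {
    Remove-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = '*'; Transport = 'HTTP' }
}

# Firewall: netsh because New-NetFirewallRule is not available on Windows 7.
netsh advfirewall firewall add rule name="WinRM HTTPS (5986)" dir=in action=allow protocol=TCP localport=5986 | Out-Null

# What is listening now: expect a single entry with Transport=HTTPS, Port=5986
# and the thumbprint selected above.
Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Select-Object Transport, Port, Hostname, CertificateThumbprint
```

Because the script never touches the execution policy, run it as powershell.exe -ExecutionPolicy Bypass -File .\configure-node.ps1 (the file name is assumed) and the machine-wide policy stays at Restricted. From another Windows machine that trusts the same CA, Test-WSMan -ComputerName <fqdn> -UseSSL -Port 5986 confirms the listener and the certificate chain; from the management node, the win_ping at the end of the post is the equivalent check.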

If all of this is done correctly you should get a pong from each of your remote nodes when you type the win_ping request as shown below.

$ ansible windows -m win_ping

After a few seconds you should see

123.123.123.123 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

234.234.234.234 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

If a node reports UNREACHABLE or FAILED instead, rerun with -vvvv to see the WinRM transport error (typically a rejected certificate, a wrong port, or an authentication failure).