Using Ansible to update Windows servers

All,

I’ve got Ansible working on a few Windows 2008 servers. The Ansible command server runs CentOS 6. I’m trying to get the module “win_updates” working, but am not having much success. I’d like to be able to run this both via the command line, and via a playbook. The extant documentation isn’t very detailed. Here’s what I’ve done/am trying (sorry, this will probably be long):

  • I had to download the windows module of which win_updates is a part, and manually put it in “/usr/lib/python2.6/site-packages/ansible/modules/extras/”
  • I installed “PSWindowsUpdate” on the Windows server
  • If I run the command “ansible myhost -m win_updates”, I get the following output:

myhost | success >> {
    "changed": false,
    "updates_already_present": null,
    "updates_category": "critical",
    "updates_installed": ,
    "updates_installed_afterwards": null,
    "updates_installed_count": 0,
    "updates_reboot_needed": true,
    "updates_success": "true"
}

Fine, but the updates aren’t done. So, I figure I need an argument. The win_updates document gives the following example:

# Install updates from security category
win_updates:
  category: security

I've tried every combination I can think of, as in:

"ansible myhost -m win_updates -a category=security" and "ansible myhost -m win_updates -a security" and "ansible myhost -m win_updates -a category:security", and I get something like this:

myhost | FAILED >> {
    "failed": true, 
    "msg": "\nProcess is terminated due to StackOverflowException.\n", 
    "parsed": false
}

  • I created the following playbook:

---

- name: update windows
  hosts: windows
  gather_facts: true
  tasks:
    - name: win update
      win_updates:
        category: security

It, too, fails, with a much more verbose error message (which I'll skip posting, for now). I've tried other combinations in the playbook and they, too, fail.

I would greatly appreciate help in getting this to work, both from the command line and from a playbook.

Dimitri

Hi Dimitri,

A few others have reported StackOverflow and OutOfMemory exceptions on unpatched Server 2008 machines - see https://github.com/ansible/ansible/pull/8345#issuecomment-52074837 for a hotfix that worked for me.

By the way, you can put any custom modules you want to use in your /etc/ansible/library rather than have to insert things into your actual ansible installation.

What ansible version are you using?
Are you connecting as a local user or a domain user?

Also possibly sounds close to this bug report:

https://github.com/ansible/ansible-modules-extras/issues/275

Hope some of the above helps,

Jon

Hi, Jon.

I appreciate the response, and certainly will look into your suggestions. I’m using version 1.8.4.

As I’ve continued to hack away, I’ve got this to work, kind of:

ansible somehost -m win_updates -a category:security

The output looks like this:

somehostb | success >> {
    "changed": true,
    "updates_already_present": [
        "2506014",
        "2506212",
        "2511455",
        "2509553",
        "2506928",

What happens if you reboot the box? I haven’t tried this myself, but I’ve seen Windows delay applying updates until shutdown (and I think following a reboot too in some cases).

Might need a bit of work judging by the comments but there is a win_reboot module which you could try.
https://github.com/ansible/ansible/pull/8946/files

Jon

Jon,

I would think that, at a minimum, WSUS would show that the updates were downloaded and applied, then would request a reboot. That said, there’s no way of knowing from the Windows servers themselves whether or not the updates occurred. Also, as noted in my last post, Ansible seems to say that the command ran fine, but that no updates were applied, as per the following output:

    "updates_installed_count": 0,
    "updates_reboot_needed": true,
    "updates_success": "true"

Dimitri
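
A check for the situation discussed in this thread, where win_updates reports success but installs nothing. This is an added example, not code from any of the posters or from the Ansible project: it parses ad-hoc output in the `host | success >> {...}` form shown above using the field names from the thread, while the host names, sample values and verdict labels are constructed for illustration.

```python
import json
import re

# Constructed sample of ad-hoc output for three hosts. Field names come from
# the thread; host names and values are made up for this example.
SAMPLE = '''\
web01 | success >> {
    "changed": false,
    "updates_installed_count": 0,
    "updates_reboot_needed": true,
    "updates_success": "true"
}

web02 | FAILED >> {
    "failed": true,
    "msg": "\\nProcess is terminated due to StackOverflowException.\\n",
    "parsed": false
}

web03 | success >> {
    "changed": true,
    "updates_installed_count": 5,
    "updates_reboot_needed": false,
    "updates_success": "true"
}
'''

# One block per host: header line, then JSON up to a "}" at the start of a line.
BLOCK = re.compile(r'^(\S+) \| (success|FAILED) >> (\{.*?^\})', re.M | re.S)

def classify(output):
    """Return {host: verdict} so 'success' is never read as 'patched'."""
    verdicts = {}
    for host, status, body in BLOCK.findall(output):
        result = json.loads(body)
        installed = result.get("updates_installed_count") or 0
        if status == "FAILED" or result.get("failed"):
            verdict = "module-failed"
        elif installed and not result.get("updates_reboot_needed"):
            verdict = "patched"
        elif installed:
            verdict = "reboot-pending"
        else:
            # updates_success can be "true" while nothing was installed.
            verdict = "nothing-installed"
        verdicts[host] = verdict
    return verdicts

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Only the `patched` verdict should count toward patch compliance; every other verdict needs follow-up on the host itself or in WSUS.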