win_updates not working

I’m trying to use the extras module win_updates to update my Windows servers. The play runs without failure, but no updates are applied.

Ideally, I want to install all available updates (e.g. critical, important, optional, etc.). I’ve created a play to look like this:

According to the docs, you need to install PSWindowsUpdate first.

http://docs.ansible.com/ansible/win_updates_module.html

However, the module should ideally fail if you haven’t done that. I would recommend that you file a bug for that in the ansible-modules-extra GitHub repo if this is the case.

Trond,

Thanks so much for your post.

Let me start by posting some info:

Ansible host: CentOS 6.x

Ansible ver.: 1.9.1

Windows servers: 2008 R2

PSWindowsUpdate: previously installed.

Oddly, I found that I had to re-register PSWindowsUpdate with PowerShell (it’s possible I forgot this step when I first installed PSWU, but not probable. Anyway, …). The first win_updates module I used was the one suggested by a respondent in another post: https://github.com/ansible/ansible-modules-extras/pull/854. True, this may be for Ansible v. 2.0, and I’m using 1.9, but I thought I’d give it a try. Well, it worked, sort of. The play fired off the appropriate processes on the Windows servers, but the updates took a very long time (using the Windows Update client on the server took a fairly short time to install the updates, and prompt for a reboot). It appears as if they were being installed serially. In addition, the play terminated successfully, but only 21 of the 32 available updates were installed. I had to run my play again for the remainder of the updates to be installed. There was never an indication via the play that a reboot might be necessary, nor via the Windows Update client.

I then rolled back to the original win_updates module, and tried again. It, too, worked, and much more quickly. However, about two-thirds of the way through the update, the server rebooted and, of course, the play aborted. A check of the Windows Update client showed that, again, 21 of the 32 updates had been installed. Once again, I had to re-run the play. If the systems hadn’t rebooted, I might have considered this a success, as long as all of the updates were applied in one go. In my case, at least, I don’t want the servers to automatically reboot after updates have been applied. I have a couple of services, for example, to stop gracefully before the update is done.

I don’t know if any of what I’ve mentioned constitutes a bug, or if there’s a tweak I can make to the module (I’m no programmer, so I wouldn’t know how, anyway). Your continued advice is appreciated.

Dimitri

I think the problem relates to the PsWindowsUpdate module that Ansible uses. I haven’t played much with it, but it may have some bugs.

According to the code in the ansible module, it should never reboot without warning, but instead report back to Ansible whether a reboot is required or not (and then from there you could use my win_reboot role to invoke a controlled reboot if needed).

Anyways, what I’d recommend you to do is to use the logPath parameter to write information to a local logfile and then post that. I can’t promise that we’ll be able to sort this out, but at least with the log file we could try and find out what’s going on. I’ll also ping Pete who wrote the Ansible module and see if he has seen the behaviour you’re experiencing.

-Trond

Many thanks. I’ll set up the logPath parameter, and post my findings early next week. I’m hopeful about the module’s use. I, like many others, work in a heterogeneous (Win/Linux) environment, so having Ansible work well with both OSs would be a great thing.

Dimitri

Hi - I’ve not seen what you’re experiencing, but I’ve only used this against Windows 2012r2 servers. Perhaps PSWindowsUpdate behaves differently there?

Alternatively, it may be that the surface area for my windows update exposure is smaller than yours - each month I trigger a build of an AWS AMI based on the new one that AWS release. They apply the updates that are current when they release the new AMI, so at any given point I only have a small increment to apply.

Sorry that that’s not a solution!

All,

After lots of testing, I can only report that I have results all over the place.

  • I ran the playbook against a group containing two servers. The first one reported: “updates_installed_count”: 11, “updates_reboot_needed”: true, “updates_success”: “true”, but no updates were applied. The second one rebooted during the run of the play and, subsequently, the play failed due to a timeout. When I then logged into the machine, and did any task, it rebooted by itself. After coming back up, I noted that sometimes all of the updates had been applied, and sometimes most, but not all, had been applied.

  • On machines that are fully updated and rebooted and checked for updates again [none found], I run the playbook, and get back the following results: “updates_installed_count”: 0, “updates_reboot_needed”: true, “updates_success”: “true”. Why do I get an “updates_reboot_needed”: true? There’s no need.

  • If I run “Get-WUInstall -Acceptall -IgnoreReboot -Verbose” in PowerShell, all updates are applied correctly, and I was prompted to reboot.

So, it appears that something about running Get-WUInstall remotely doesn’t seem to work properly.

Trond, I apologize, but I’m not sure what the logPath parameter is. Do you mean setting log_path in ansible.cfg? Otherwise, I’m not sure what the parameter is or how to use it (couldn’t find any documentation).

Dimitri

According to http://docs.ansible.com/ansible/win_updates_module.html “logPath” is an option for the win_updates module.

What OS are your Windows nodes running?

Ah, yes, logPath is set (I really need to read more carefully). This is what’s recorded in c:\ansible-playbook.log:

2015-09-08 05:17:20.-04 Looking for updates in ‘security’
2015-09-08 05:17:38.-04 Installing 3080333 - Security Update for Microsoft Silverlight (KB3080333)
2015-09-08 05:17:53.-04 Installing 3078071 - Cumulative Security Update for Internet Explorer 11 for Windows Server 2008 R2 for x64-based Systems (KB3078071)
2015-09-08 05:18:07.-04 Installing 3075226 - Security Update for Windows Server 2008 R2 x64 Edition (KB3075226)
2015-09-08 05:18:21.-04 Installing 3079757 - Security Update for Windows Server 2008 R2 x64 Edition (KB3079757)
2015-09-08 05:18:35.-04 Installing 3072305 - Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 SP1 and Windows Server 2008 R2 SP1 for x64 (KB3072305)
2015-09-08 05:18:49.-04 Installing 3046017 - Security Update for Windows Server 2008 R2 x64 Edition (KB3046017)
2015-09-08 05:19:02.-04 Installing 3060716 - Security Update for Windows Server 2008 R2 x64 Edition (KB3060716)
2015-09-08 05:19:16.-04 Installing 3071756 - Security Update for Windows Server 2008 R2 x64 Edition (KB3071756)
2015-09-08 05:19:31.-04 Installing 3076895 - Security Update for Windows Server 2008 R2 x64 Edition (KB3076895)
2015-09-08 05:19:45.-04 Installing 3076949 - Security Update for Windows Server 2008 R2 x64 Edition (KB3076949)
2015-09-08 05:19:58.-04 Installing 3078601 - Security Update for Windows Server 2008 R2 x64 Edition (KB3078601)
2015-09-08 05:20:12.-04 Installed: 11
2015-09-08 05:20:32.-04
2015-09-08 05:20:32.-04 Reboot required

The bulk of my test servers are running Windows Server 2008 R2.
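
One way to check a run like the one logged above, as an added example that is not part of the thread or of the win_updates module: parse the logPath output and compare the KBs it claims to have installed with KB IDs collected from the host afterwards. The function names, the sample log and the host KB list are constructed for illustration.

```python
import re

# Constructed sample in the format of the logPath output quoted above.
SAMPLE_LOG = """\
2015-09-08 05:17:20.-04 Looking for updates in 'security'
2015-09-08 05:17:38.-04 Installing 3080333 - Security Update for Microsoft Silverlight (KB3080333)
2015-09-08 05:17:53.-04 Installing 3078071 - Cumulative Security Update for Internet Explorer 11 (KB3078071)
2015-09-08 05:18:07.-04 Installing 3075226 - Security Update for Windows Server 2008 R2 x64 Edition (KB3075226)
2015-09-08 05:18:21.-04 Installed: 3
2015-09-08 05:18:40.-04
2015-09-08 05:18:40.-04 Reboot required
"""

# The timestamp is two whitespace-separated fields; the message may be empty.
LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \S+[ \t]*(?P<msg>.*)$")
INSTALLING_RE = re.compile(r"^Installing (?P<id>\d+) - ")
INSTALLED_RE = re.compile(r"^Installed: (?P<n>\d+)$")


def parse_update_log(text):
    """Extract attempted KBs, the reported count and the reboot flag."""
    result = {"attempted": [], "reported_installed": None, "reboot_required": False}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a log line in the expected format
        msg = m.group("msg").strip()
        inst = INSTALLING_RE.match(msg)
        count = INSTALLED_RE.match(msg)
        if inst:
            result["attempted"].append("KB" + inst.group("id"))
        elif count:
            result["reported_installed"] = int(count.group("n"))
        elif msg == "Reboot required":
            result["reboot_required"] = True
    return result


def reconcile(parsed, present_kbs):
    """Compare what the log claims with KB IDs actually found on the host."""
    present = {kb.strip().upper() for kb in present_kbs}
    return {
        "missing": [kb for kb in parsed["attempted"] if kb not in present],
        "count_matches_log": parsed["reported_installed"] == len(parsed["attempted"]),
    }


if __name__ == "__main__":
    # Constructed host inventory (KB0000001 is a placeholder ID).
    print(reconcile(parse_update_log(SAMPLE_LOG), ["kb3078071", "KB0000001"]))
```

A non-empty `missing` list after a run that reported success is the situation described in this thread: the module logs and counts the updates, but the host does not have them.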

Any more ideas on this?

Anyone have any updates on this? It looks like the issue is because Ansible is calling the remote PowerShell Session, but isn’t doing it as a “Run As Administrator”. I was able to take the script and run it, but unless I do it from an Administrator session it doesn’t actually install. Does anyone see a way to have Ansible call the PowerShell session with the run as? Do you know if it works if I do it with Kerberos rather than the local Administrator account?

Currently Ansible does not support 'run as', so you have to log in with a user with admin privileges if you need them.

I am logging in with the local administrator account; does that not suffice to get an administrator shell?

Joe

Which ansible version are you using?

If I recall, 1.9.1 didn’t always set the correct execution policy.

I would recommend 1.9.4 at least and try 2.0 if you can.

I am running 1.9.4. As a test, I also set up Kerberos auth and ran the process with a Domain Admin account, but that didn’t work either. Same issue. Let me try getting 2.0 and see if that solves it.

So I updated to Ansible 2.0 and had to fix a few things (for example, log_path is now required), but I am getting this error when running:

An exception occurred during task execution. The full traceback is:
At C:\Users\jjenkins_da\AppData\Local\Temp\ansible-tmp-1452099077.0-277924138780563\win_updates.ps1:536 char:6
+ if($schedjob.RunAsTask) {

fatal: [caveeam3.hottopic.com]: FAILED! => {“changed”: false, “failed”: true, “msg”: "Property ‘RunAsTask’ cannot be found on this object. Make sure that it exists.”}

Windows 2008R2
Powershell 3
WMF 3

Figured it out: when I upgraded to 2.0 I didn’t go to RC1. This is now working at RC1 and applying updates correctly.
Thanks for your help.