windows winrm environment does not allow some kinds of execution

I was trying to script the usage of the windows DISM utilities via ansible – and ran into an issue with being unable to execute dism from within the winrm context. Apparently some varieties of rpc (which DISM uses internally) are prevented from running from within the winrm execution context … What this amounts to with regard to dism is that you can execute the dism commands and they appear to work - but due to the obscure way that some component within the process fail, mounting an image always produces a corrupt/unusable mount point (Get-WinImages -Mounted always displays that the mounted image “requires remount”)

I actually couldn’t find any good details on the topic – other than this blog post from someone who discusses the fun unnecessarily annoying details associated with automating windows via winrm within the context of puppet:

http://www.hurryupandwait.io/blog/safely-running-windows-automation-operations-that-typically-fail-over-winrm-or-powershell-remoting

And the workaround for the issue he came up with was to create a scheduled task from within winrm, then manually trigger the running of the newly created scheduled task stashing away the stdout/stderr of the scheduled task execution, then poll for the ending of the process created by the triggered scheduled task, then lift the stashed output data back into winrm context for continued use in the winrm context.

I adapted his script (https://github.com/mwrock/boxstarter/blob/master/BoxStarter.Common/Invoke-FromTask.ps1) into an ansible module – which works something like this:

(from within winrm context)

(1) generate a wrapper powershell script to invoke the module’s command argument and redirect stdout/stderr to magic file paths (module’s command argument is assumed to invoke commands which can’t execute properly from within winrm environment)

(2) create a scheduled task as a particular user configured to invoke the powershell wrapper script created in step 1

(3) manually trigger the running of the scheduled task

→ causes a scheduled task to launch a process which doesn’t have the winrm execution restrictions
(4) poll for the end of the process launched by the scheduled task manager
(5) when the scheduled task process ends, ingest the stdout/stderr results that were stashed away
(6) cleanup the scheduled task and generated files

Usage looks like this:

win_invoke_from_task:
command: ‘dism.exe /Mount-Wim /WimFile:{{sts_windows_image_build_dir}}{{image}}.{{variant}}.wim /MountDir:{{sts_windows_image_mount_dir}} /index:1’
user: “{{ ansible_ssh_user }}”

credential: “{{ credential }}”
register: image_contents
tags: test

I wondered if anyone encountered this and solved the problem in a different way or would be interested in this module …?

Thanks for this.

There’s a PR around for a re-write of the win_updates module which uses the local scheduled task trick. The author of the PR was, if I recall, reluctant to generalise it as he felt there were a lot of edge cases to handle.

If you are willing to create a PR for your module people would want it I think - that article http://www.hurryupandwait.io/blog/safely-running-windows-automation-operations-that-typically-fail-over-winrm-or-powershell-remoting clearly illustrates there’s a need to automate some things that powershell doesn’t currently allow.

Jon

It turns out that after powershell 3 microsoft added a nice powershell api for basically exactly the process I described (Register-ScheduledJob, Receive-Job). I re-implemented this ansible module using these powershell api’s and its relatively clean seeming – I’m gonna go ahead and submit a pull request to ansible-module-extras and see if anyone finds a use …

Thank you. Looking forward to seeing your PR.

Jon

Thank you. Looking forward to seeing your PR.

Jon

It’s here if you want to take a look … I’ll try and make any changes needed …

https://github.com/ansible/ansible-modules-extras/pull/1007