The purpose of this hands-on training is to give students the knowledge of how to manage Windows machines with Ansible.
At the end of this hands-on training, students will be able to;
-
Explain what are the requirments to connect to Windows nodes.
-
What are the differences between managing linux nodes and windows nodes.
-
Explain how to manage windows nodes.
-
Part 1 - Build the Infrastructure
-
Part 2 - Configure Windows Nodes
-
Part 3 - Install Ansible on the Controller Node
-
Part 3 - Pinging the Target Nodes
-
Part 4 - Managing the Windows nodes.
-
Get to the AWS Console and spin-up 3 EC2 Instances (with two
Amazon Linux 2and oneMicrosoft Windows Server 2019 BaseAMI.) -
Configure the security groups as shown below:
-
Control-Node (Amazon Linux 2) --> Port 22 (SSH), 5986 (winrm for HTTPS)
-
Target-Node1 (Linux) -------> Port 22 (SSH)
-
Target-Node2 (Windows) -------> Port 3389 (RDP), 5986 (winrm for HTTPS)
-
-
For Ansible to communicate to a Windows host and use Windows modules, the Windows host must meet these requirements:
-
Ansible can generally manage Windows versions under current and extended support from Microsoft. Ansible can manage desktop OSs including Windows 7, 8.1, and 10, and server OSs including Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019.
-
Ansible requires PowerShell 3.0 or newer and at least .NET 4.0 to be installed on the Windows host.
-
A WinRM listener should be created and activated.
-
-
Connect to your
Windows Nodevia remote desktop client. -
Check the PowerShell Version.
$PSVersionTable- Check the version of .NET installed.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name version -EA 0 | Where { $_.PSChildName -Match '^(?!S)\p{L}'} | Select PSChildName, version- To view the current listeners that are running on the WinRM service, run the following command:
winrm enumerate winrm/config/Listener- Note: If you do not see the information of the listeners, run following script in PowerShell to configure listener and service for the WinRM. (This script script sets up both HTTP and HTTPS listeners with a self-signed certificate and enables the Basic authentication option on the service.)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
$file = "$env:temp\ConfigureRemotingForAnsible.ps1"
(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
powershell.exe -ExecutionPolicy ByPass -File $file-
Connect to your
Controller Node. -
Optionally you can connect to your instances using VS Code.
-------------------- OPTIONAL BELOW ---------------------- -
You can also use connect to the Controller Node via VS Code's
Remote SSHExtension. -
Open up your VS Code editor.
-
Click on the
Extensionsicon. -
Write down
Remote - SSHon the search bar. -
Click on the first option on the list.
-
Click on the install button.
-
When the extension is installed, restart your editor.
-
Click on the green button (
Open a Remote Windowbutton) at the most bottom left. -
Hit enter. (
Connect Current Window to Host...) -
Enter a name for your connection on the input field and click on
Add New SSH Hostoption. -
Enter your ssh connection command (
ssh -i <YOUR-PEM-FILE> ec2-user@<YOUR SERVER IP>) on the input field and hit enter. -
Hit enter again.
-
Click on the
connectbutton at the bottom right. -
Click on
continueoption. -
Click on the
Open Folderbutton and then click on theOkbutton. -
Lastly, open up a new terminal on the current window.
-------------------- OPTIONAL ABOVE ---------------------- -
Run the commands below to install Ansible.
sudo hostnamectl set-hostname control-node
sudo yum update -y
pip3 install --user ansible- Check Ansible's installation with the command below.
ansible --version- Run the command below to transfer your pem key to your Ansible Controller Node.
$ scp -i <PATH-TO-PEM-FILE> <PATH-TO-PEM-FILE> ec2-user@<CONTROLLER-NODE-IP>:/home/ec2-usersudo chmod 400 tyler-team.pem-
Install
pywinrmpackage.WinRM is a management protocol used by Windows to remotely communicate with another server. It is a SOAP-based protocol that communicates over HTTP/HTTPS, and is included in all recent Windows operating systems. Since Windows Server 2012, WinRM has been enabled by default, but in most cases extra configuration is required to use WinRM with Ansible.
Ansible uses the pywinrm package to communicate with Windows servers over WinRM. It is not installed by default with the Ansible package, but can be installed by running the following:
pip3 install "pywinrm>=0.3.0" --userhttps://github.com/diyan/pywinrm
- Create a directory named
project-1under the home directory and cd into it.
mkdir project-1
cd project-1- Create a file named
inventory.txtwith the command below.
vi inventory.txt-
Paste the content below into the inventory.txt file.
-
Along with the hands-on, public or private IPs can be used.
[linux_servers]
Node-1 ansible_host=<YOUR-WEB-SERVER-IP> ansible_user=ec2-user ansible_ssh_private_key_file=~/<YOUR-PEM-FILE>- Create file named
ansible.cfgunder the theproject-1directory.
[defaults]
# host_key_checking = False
inventory=inventory.txt
# interpreter_python=auto_silent
# deprecation_warnings=False- Run the command below for pinging the linux server.
ansible linux_servers -m ping- Explain the output of the above command.
- Copy the
project-1directory as aproject-2directory under the home directory and cd into it.
cd ..
cp -r ~/project-1/ ~/project-2/
cd project-2- Create a file named
inventory.iniunder theproject-2directory with the command below.
vi inventory.ini- Paste the content below into the inventory.txt file.
[windows_servers]
node-2 ansible_host=18.188.118.42
[all:vars]
ansible_user= Administrator
ansible_password= U.@65W)szlA5DrVF*;HyuGy5J8$M%3Wh
ansible_connection= winrm
ansible_winrm_server_cert_validation= ignore- Create a file named
ping.ymlunder theproject-2directory with the command below.
vi ping.yml- Paste the content below into the ping.yml file.
- name: ping
hosts: windows_servers
tasks:
- name: Check the connectivity for windows server
win_ping:- Run the ping.yml playbook
ansible-playbook ping.yml -i inventory.ini- Copy the
project-2directory as aproject-3directory under the home directory and cd into it.
cd ..
cp -r project-2/ project-3/
cd project-3- Delete
inventory.txtandinventory.inifiles.
rm inventory.txt inventory.ini- Create a file named
inventory.ymlunder theproject-3directory with the command below.
vi inventory.ymlwindows_servers:
hosts:
18.188.118.42
vars:
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
ansible_user: Administrator
ansible_password: 3j6zz;-C)AfzCyvLoW%L6)S&WawzPoYw
linux_servers:
hosts:
3.144.191.123
vars:
ansible_ssh_private_key_file: ~/tyler-team.pem
ansible_user: ec2-user- Modify the ansible.cfg file with the following line.
inventory=inventory.yml- Modify the ping.yml file with the following playbook.
- name: ping
hosts: windows_servers
tasks:
- name: Check the connectivity for windows server
win_ping:
- name: ping
hosts: linux_servers
tasks:
- name: Check the connectivity for Linux server
ping:- Run the ping.yml playbook.
ansible-playbook ping.yml- Copy the
project-3directory as aproject-4directory under the home directory and cd into it.
cd ..
cp -r project-3/ project-4/
cd project-4- Create a playbook named
configure-windows.ymlunder theproject-4directory with the command below.
vi configure-windows.yml- Paste the content below into the configure-windows.yml file.
- name: windows server configuration
hosts: windows_servers
tasks:
- name: Set timezone to 'Romance Standard Time' (GMT+01:00)
win_timezone:
timezone: Romance Standard Time
- name: Change the hostname to webserver-2
win_hostname:
name: windows-hostname
register: res
- name: Reboot
win_reboot:
when: res.reboot_required- Run the configure-windows.yml playbook.
ansible-playbook configure-windows.yml- Copy the
project-4directory as aproject-5directory under the home directory and cd into it.
cd ..
cp -r project-4/ project-5/
cd project-5- Create
group_varsdirectory under the project-5 folder and cd into it.
mkdir group_vars
cd group_vars- Create an encypted file using "ansible-vault" command named
windows_servers.ymlunder the group_vars directory.
ansible-vault create windows_servers.ymlNew Vault password: xxxx Confirm Nev Vault password: xxxx
ansible_user: Administrator
ansible_password: 3j6zz;-C)AfzCyvLoW%L6)S&WawzPoYw- Modify the
configure-windows.ymlfile with the following line.
win_timezone:
timezone: Central Standard Time
------
win_hostname:
name: tyler-hostname-
Comment out
ansible_userandansible_passwordlines from inventory.yml file. -
Run the playbook.
ansible-playbook configure-windows.yml --ask-vault-pass- Copy the
project-5directory as aproject-6directory under the home directory and cd into it.
cd ..
cp -r project-5/ project-6/
cd project-6- Modify the
configure-windows.ymlfile with following:
- name: win_chocolatey module example
hosts: windows_servers
gather_facts: false
vars:
- packages:
- git
- sublimetext4
- nodepadplusplus
- googlechrome
- docker-desktop
tasks:
- name: install packages
win_chocolatey:
name: "{{ packages }}"
state: present- Run the playbook.
ansible-playbook configure-windows.yml --ask-vault-pass- Copy the
project-6directory as aproject-7directory under the home directory and cd into it.
cd ..
cp -r project-6/ project-7/
cd project-7- Modify the
configure-windows.ymlfile with following:
- name: DSC module example
hosts: windows_servers
gather_facts: false
tasks:
- name: Create file with some text
win_dsc:
resource_name: File
DestinationPath: C:\temp\file
Contents: |
Hello
World
Ensure: Present
Type: File- create a file named
open_vault.txtand type yourvault passwordin it.
vi open_vault.txt- Add the following line into the
ansible.cfgfile.
vault_password_file= open_vault.txt- Run the playbook.
ansible-playbook configure-windows.yml