使用Ansible管理Windows

前言

本文主要介绍在如何使用Ansible管理Windows客户端，Ansible官方提供了一个很方便的安装脚本，对于外网用户来说安装真的很轻松，可惜我遇到的问题是如何在内网部署，有相同烦恼的小伙伴不妨参考下

轻轻松松使用Ansible管理Windows客户端

更新历史

2018年05月21日 - 初稿

阅读原文 - https://wsgzao.github.io/post/ansible-windows/

扩展阅读

Ansible Windows Guides - http://docs.ansible.com/ansible/latest/user_guide/windows.html

---

Ansible Windows Support

Ansible在2.3版本之前对于Windows支持的并不算很友好，从2.4版本开始已经可以使用原生模块实现很多需求

Because Windows is a non-POSIX-compliant operating system, there are differences between how Ansible interacts with them and the way Windows works. These guides will highlight some of the differences between Linux/Unix hosts and hosts running Windows.

• Ansible’s supported Windows versions generally match those under current and extended support from Microsoft. Supported desktop OSs include Windows 7, 8.1, and 10, and supported server OSs are Windows Server 2008, 2008 R2, 2012, 2012 R2, and - 2016.
• Ansible requires PowerShell 3.0 or newer and at least .NET 4.0 to be installed on the Windows host.
• A WinRM listener should be created and activated. More details for this can be found below.

image

Ansible does not support managing Windows XP or Server 2003 hosts. The supported operating system versions are:

Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows 7
Windows 8.1
Windows 10

1. 在官方文档中已经提到了在Windows中使用Ansible的最要前提，WinRM
2. WinRM依赖Powershell 3.0以上版本的支持，牵扯出PowerShell 2.0 to PowerShell 3.0/5.0的问题
3. 而Powershell升级则带来.Net Framework是否跟随升级至4.6.2/4.7.2的选择
4. 关于WinRM的参数配置可以参考下面的链接Setting up a Windows Host

https://github.com/ansible/ansible/blob/devel/examples/scripts/upgrade_to_ps3.ps1
https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1

Setting up a Windows Host
http://docs.ansible.com/ansible/latest/user_guide/windows_setup.html

.NET Framework 4.7.2/4.6.2
https://www.microsoft.com/net/download/dotnet-framework-runtime

Powershell 3.0
https://www.microsoft.com/en-us/download/details.aspx?id=34595

Powershell 5.1
https://www.microsoft.com/en-us/download/details.aspx?id=54616

我个人目前的建议是Win7/2008升级至Powershell 3.0，.Net Framework升级至4.6.2，其他情况需要可以参考官方文档后做决定

Ansible Windows Guides - http://docs.ansible.com/ansible/latest/user_guide/windows.html

客户端

1.客户端配置windows主机,以管理员身份打开powershell, 并查看当前ps版本
get-host
2.系统自带的powershell版本是2.0，需要更新至powershell 3 以上版本
https://www.microsoft.com/net/download/dotnet-framework-runtime
https://www.microsoft.com/en-us/download/details.aspx?id=34595
3.安装完重启服务器查看powershell版本

.NET Framework 4.6以上版本无法建立到信任根颁发机构的证书链
原因：系统缺少信任 Microsoft Root Certificate Authority 2011 根证书
下载：MicrosoftRootCertificateAuthority2011.cer
http://go.microsoft.com/fwlink/?LinkID=747875&clcid=0x409
运行 certmgr.msc
导入证书到“受信任的根证书颁发机构”

image

# 配置winrm
mkdir C:\temp
cd C:\temp
# 下载ConfigureRemotingForAnsible.ps1
https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
# 开启WinRM服务
powershell -ExecutionPolicy RemoteSigned .\ConfigureRemotingForAnsible.ps1 -SkipNetworkProfileCheck

服务端

# 服务端使用pip安装pywinrm
pip install pywinrm

# 功能测试，配置ansible控制机
vi /etc/ansible/hosts

[windows]
192.168.67.139
[windows:vars]
ansible_user=Administrator
ansible_password=Admin123
ansible_port=5986
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore  

# 要注意的是端口方面ssl即https方式的使用5986，http使用5985

# 测试ping通信
ansible windows -m win_ping 
# 查看ip地址 
ansible windows -m win_command -a "ipconfig"

网盘下载

Windows作为客户端所需的软件包我上传到百度网盘，.Net Framework安装失败提示证书错误记得手动导入MicrosoftRootCertificateAuthority2011.cer

https://pan.baidu.com/s/1JNV2pXjwUn14ojAtdEH_Sg

1. 安装 .Net Framework 4.6.2（NDP462-KB3151800-x86-x64-AllOS-ENU.exe）

2. 升级 Windows 7 SP1 和 Windows 2008 R2 SP1 的 PowerShell版本从2.0至3.0（Windows6.1-KB2506143-x64.msu）

3. 执行.\ConfigureRemotingForAnsible.ps1脚本开启WinRM远程管理服务

   powershell -ExecutionPolicy RemoteSigned .\ConfigureRemotingForAnsible.ps1 -SkipNetworkProfileCheck