Environment preparation
Ansible manages Windows servers through WinRM (Windows Remote Management) and PowerShell:
WinRM is a management protocol used by Windows to remotely communicate
with another server. It is a SOAP-based protocol that communicates
over HTTP/HTTPS, and is included in all recent Windows operating
systems. Since Windows Server 2012, WinRM has been enabled by default,
but in most cases extra configuration is required to use WinRM with
Ansible.
Ansible uses the pywinrm package to communicate with Windows servers
over WinRM. It is not installed by default with the Ansible package,
but can be installed by running the following:
pip install "pywinrm>=0.3.0"
So to manage Windows, Ansible needs the additional dependency pywinrm, which supports the winrm connection type
(see lib/ansible/plugins/connection/winrm.py).
From the material I have found so far, PowerShell 4.0 is needed for full support of Ansible management, presumably because the Windows management modules shipped with Ansible are written against a specific PowerShell standard. For example, ConvertFrom-Json is not supported in PowerShell 2.0.
Support for each Windows version by each version of WMF (Windows Management Framework) is as follows (Windows Management Framework):
From this, the lowest Windows Server version supported by WMF 4.0 is Windows Server 2008 R2 SP1.
WMF 4.0 can only be installed on the following operating systems.
- Windows 7 with Service Pack 1
- Windows Server 2008 R2 with Service Pack 1
- Windows Server 2012
WMF 4.0 depends on .NET Framework 4.5 (or later); both can be downloaded from Microsoft's website (WMF 4.0 download). So the lowest Windows versions Ansible can manage are the ones listed above, and those versions need a WMF upgrade. Windows 8.1, Windows Server 2012 R2 and later versions ship with WMF 4.0 by default and need no upgrade.
WinRM configuration
The default quick configuration is done with the following command (it starts the WinRM service and sets it to start automatically):
winrm quickconfig
Authentication configuration: the default is Kerberos; this article uses Basic:
Kerberos is the default method of authentication when the client is in
a domain and the remote destination string is not one of the
following: localhost, 127.0.0.1, or [::1]. Negotiate is the default
method when the client is not in a domain, but the remote destination
string is one of the following: localhost, 127.0.0.1, or [::1].
winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
Set Basic=true. Basic is the least secure authentication method:
Basic authentication
The user name and password are sent in the authentication exchange.
Basic authentication can be configured to use either HTTP or HTTPS
transport in a domain or workgroup. This method is the least secure
method of authentication.
Other authentication methods are described in the official documentation: Authentication for Remote Connections, and in the glossary: Windows Remote Management Glossary.
Encryption setting: allow unencrypted traffic:
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
If AllowUnencrypted="true" is not set, connections over http fail with the server rejecting the credentials:
plaintext: the specified credentials were rejected by the server
Change the WinRM http port (optional):
winrm set winrm/config/listener?Address=*+Transport=HTTP '@{Port="15985"}'
WinRM's default http port is 5985 and its https port is 5986 (visible after quickconfig, see the first screenshot). This article changes the http port to 15985 as an example.
Check the effect of the port change:
winrm e winrm/config/listener
That completes the common WinRM configuration.
Ansible invocation example
ansible 192.168.0.1 -i '192.168.0.1,' -m win_ping -e 'ansible_connection=winrm ansible_ssh_port=15985 ansible_ssh_user=administrator ansible_ssh_pass=123456 ansible_winrm_scheme=http'
Some explanation of the extra_vars values in particular:
- ansible_connection: which connection plugin to use. If not specified, the ssh plugin is used by default.
- ansible_winrm_scheme: which protocol to use. The default is https. If set to http, port 5985 is used by default. http is the default only when ansible_ssh_port is set to 5985.
- ansible_ssh_port: default 5986. When this is set to any value other than 5985 and ansible_winrm_scheme is not given, https is used. In other words, if the http port has been changed, ansible_winrm_scheme must be explicitly set to http when calling ansible.
From Ansible 2.0 on, the option names have changed:
Ansible 2.0 has deprecated the “ssh” from ansible_ssh_user,
ansible_ssh_pass, ansible_ssh_host, and ansible_ssh_port to become
ansible_user, ansible_password, ansible_host, and ansible_port. If
using a version of Ansible prior to 2.0, the older style
(ansible_ssh_*) should be used instead. The shorter variables are
ignored, without warning, in older versions of Ansible.
That is, with Ansible 2.0 or later, the command above can also be written like this:
ansible 192.168.0.1 -i '192.168.0.1,' -m win_ping -e 'ansible_connection=winrm ansible_port=15985 ansible_user=administrator ansible_password=123456 ansible_winrm_scheme=http'
See the official Ansible documentation: Windows Remote Management.
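As an added example (not Ansible's own code), the scheme/port defaulting rules described above, together with the pre-2.0 ansible_ssh_* and 2.0+ ansible_* variable names, written out as a small Python routine that also checks the resolved endpoint against the listener shown by winrm e winrm/config/listener. The function names and the wording of the findings are my own assumptions.

```python
WINRM_DEFAULT_PORTS = {"http": 5985, "https": 5986}


def lookup_var(extra_vars, name):
    """Read a connection var, preferring the 2.0+ name (ansible_host,
    ansible_port, ...) and falling back to the deprecated ansible_ssh_* form."""
    if name in extra_vars:
        return extra_vars[name]
    return extra_vars.get(name.replace("ansible_", "ansible_ssh_", 1))


def resolve_winrm_endpoint(extra_vars):
    """Apply the defaulting rules from the text: https unless
    ansible_winrm_scheme is given; without a scheme, port 5985 means http
    and any other port means https; a missing port takes the scheme's default."""
    host = lookup_var(extra_vars, "ansible_host")
    scheme = extra_vars.get("ansible_winrm_scheme")
    port = lookup_var(extra_vars, "ansible_port")
    port = int(port) if port is not None else None  # extra-vars arrive as strings
    if scheme is None:
        scheme = "http" if port == 5985 else "https"
    if port is None:
        port = WINRM_DEFAULT_PORTS[scheme]
    return {"scheme": scheme, "port": port,
            "url": "%s://%s:%d/wsman" % (scheme, host, port)}


def check_against_listener(extra_vars, listener_transport, listener_port):
    """Compare what Ansible will try with the listener configured on the host.
    Returns a list of findings: mismatches that will make the connection fail,
    plus an informational note when credentials would travel over plain http."""
    endpoint = resolve_winrm_endpoint(extra_vars)
    findings = []
    if endpoint["scheme"] != listener_transport.lower():
        findings.append("scheme mismatch: Ansible will use %s, listener is %s"
                        % (endpoint["scheme"], listener_transport))
    if endpoint["port"] != int(listener_port):
        findings.append("port mismatch: Ansible will use %d, listener is %s"
                        % (endpoint["port"], listener_port))
    if endpoint["scheme"] == "http":
        findings.append("http transport: Basic credentials travel unencrypted "
                        "(needs AllowUnencrypted=true on the service)")
    return findings
```

Running check_against_listener with only ansible_ssh_port=15985 (no scheme) against the HTTP listener on 15985 reports the scheme mismatch, which is exactly the pitfall described in the list above.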