Windows Frequently Asked Questions

Here are some commonly asked questions regarding Ansible and Windows and their answers.

Note

This document covers questions about managing Microsoft Windows servers with Ansible. For questions about Ansible Core, please see the FAQ page.

Does Ansible work with Windows XP or Server 2003?

Ansible does not support managing Windows XP or Server 2003 hosts. The supported operating system versions are:

  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows 7
  • Windows 8.1
  • Windows 10

Ansible also has minimum PowerShell version requirements - please see Setting up a Windows Host for the latest information.

Can I Manage Windows Nano Server?

Windows Nano Server is not currently supported by Ansible, since it does not have access to the full .NET Framework that is used by the majority of the modules and internal components.

Can Ansible run on Windows?

No, Ansible cannot run on a Windows host and can only manage Windows hosts, but Ansible can be run under the Windows Subsystem for Linux (WSL).

Note

The Windows Subsystem for Linux is not supported by Microsoft or Ansible and should not be used for production systems.

To install Ansible on WSL, the following commands can be run in the bash terminal:

    sudo apt-get update
    sudo apt-get install python-pip git libffi-dev libssl-dev -y
    pip install ansible pywinrm

To run Ansible from source instead of a release on the WSL, simply uninstall the pip-installed version and then clone the git repo.

    pip uninstall ansible -y
    git clone https://github.com/ansible/ansible.git
    source ansible/hacking/env-setup

    # to enable Ansible on login, run the following
    echo ". ~/ansible/hacking/env-setup -q" >> ~/.bashrc

Can I use SSH keys to authenticate?

Windows uses WinRM as the transport protocol. WinRM supports a wide range of authentication options. The closest option to SSH keys is the certificate authentication option, which maps an X509 certificate to a local user.

The way that these certificates are generated and mapped to a user is different from the SSH implementation; consult the Windows Remote Management documentation for more information.

Why can I run a command locally that does not work under Ansible?

Ansible executes commands through WinRM. These processes are different from running a command locally in these ways:

  • Unless using an authentication option like CredSSP or Kerberos with credential delegation, the WinRM process does not have the ability to delegate the user’s credentials to a network resource, causing Access is Denied errors.
  • All processes run under WinRM are in a non-interactive session. Applications that require an interactive session will not work.
  • When running through WinRM, Windows restricts access to internal Windows APIs like the Windows Update API and DPAPI, which some installers and programs rely on.

Some ways to bypass these restrictions are to:

  • Use become, which runs a command as it would when run locally. This will bypass most WinRM restrictions, as Windows is unaware the process is running under WinRM when become is used. See the Understanding Privilege Escalation documentation for more information.
  • Use a scheduled task, which can be created with win_scheduled_task. Like become, it will bypass all WinRM restrictions, but it can only be used to run commands, not modules.
  • Use win_psexec to run a command on the host. PSExec does not use WinRM and so will bypass any of the restrictions.
  • To access network resources without any of these workarounds, an authentication option that supports credential delegation can be used. Both CredSSP and Kerberos with credential delegation enabled can support this.

See Understanding Privilege Escalation for more info on how to use become. The limitations section at Windows Remote Management has more details around WinRM limitations.
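The become workaround described above, as an added example playbook (not part of the original documentation). The share path, installer name, account name and the vault_svc_deploy_password variable are placeholders assumed for illustration.

```yaml
# Constructed playbook; share, installer, account and variable names are placeholders.
- hosts: windows
  gather_facts: no
  tasks:
    # Without become, the copy from the share fails with "Access is Denied"
    # unless CredSSP or Kerberos delegation is in use, because the WinRM
    # session cannot pass the user's credentials on to the file server.
    - block:
        - name: Copy an installer from a network share
          win_copy:
            src: \\fileserver.example.com\software\setup.exe
            dest: C:\Temp\setup.exe
            remote_src: yes

        # Installers that rely on DPAPI or the Windows Update API hit the
        # WinRM API restrictions; under become they run as they would locally.
        - name: Run the installer
          win_command: C:\Temp\setup.exe /quiet
      become: yes
      become_method: runas
      become_user: EXAMPLE\svc_deploy
      vars:
        # Keep the password in Ansible Vault rather than in the playbook.
        ansible_become_password: "{{ vault_svc_deploy_password }}"
```

Scoping become to the block keeps the rest of the play under the WinRM restrictions, so only the tasks that need the extra access get it.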

This program won’t install with Ansible

See this question for more information about WinRM limitations.

What modules are available?

Most of the Ansible modules in Ansible Core are written for a combination of Linux/Unix machines and arbitrary web services. These modules are written in Python and most of them do not work on Windows.

Because of this, there are dedicated Windows modules that are written in PowerShell and are meant to be run on Windows hosts. A list of these modules can be found here.

In addition, the following Ansible Core modules/action-plugins work with Windows:

  • add_host
  • assert
  • async_status
  • debug
  • fail
  • fetch
  • group_by
  • include
  • include_role
  • include_vars
  • meta
  • pause
  • raw
  • script
  • set_fact
  • set_stats
  • setup
  • slurp
  • template (also: win_template)
  • wait_for_connection

Can I run Python modules?

No, the WinRM connection protocol is set to use PowerShell modules, so Python modules will not work. A way to bypass this issue is to use delegate_to: localhost to run a Python module on the Ansible controller. This is useful if, during a playbook, an external service needs to be contacted and there is no equivalent Windows module available.
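An added example of this pattern (not part of the original documentation): a Python module runs on the controller and its result is then used on the Windows host. The service URL and the owner field of its JSON response are hypothetical.

```yaml
# Constructed playbook; the URL and the "owner" response field are placeholders.
- hosts: windows
  gather_facts: no
  tasks:
    # uri is a Python module, so it cannot run on the Windows host.
    # delegate_to makes it execute on the Ansible controller instead,
    # once per Windows host in the play.
    - name: Query the external service from the controller
      uri:
        url: "https://cmdb.example.com/api/hosts/{{ inventory_hostname }}"
        return_content: yes
      delegate_to: localhost
      register: cmdb

    # Back on the Windows host over WinRM, using a PowerShell module.
    - name: Write the returned value to the Windows host
      win_copy:
        content: "{{ cmdb.json.owner }}"
        dest: C:\Temp\owner.txt
```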

Can I connect over SSH?

Microsoft has announced and is developing a fork of OpenSSH for Windows that allows remote management of Windows servers through the SSH protocol instead of WinRM. While this can be installed and used right now for normal SSH clients, it is still in beta from Microsoft and the required functionality has not been developed within Ansible yet.

There are plans to add this feature, and this page will be updated once more information can be shared.

Why is connecting to the host via ssh failing?

When connecting to a Windows host, an error indicating that SSH was used means that the connection vars are not set properly or the host is not inheriting them correctly.

Make sure ansible_connection: winrm is set in the inventory for the Windows host.

Why are my credentials being rejected?

This can be due to a myriad of reasons unrelated to incorrect credentials.

See HTTP 401/Credentials Rejected at Setting up a Windows Host for a more detailed guide of what this could mean.

Why am I getting an error SSL CERTIFICATE_VERIFY_FAILED?

When the Ansible controller is running on Python 2.7.9+ or an older version of Python that has backported SSLContext (like Python 2.7.5 on RHEL 7), the controller will attempt to validate the certificate WinRM is using for an HTTPS connection. If the certificate cannot be validated (such as in the case of a self-signed cert), it will fail the verification process.

To ignore certificate validation, add ansible_winrm_server_cert_validation: ignore to the inventory for the Windows host.
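An added example inventory (not part of the original documentation) covering the connection setting from the SSH question above and the validation setting here, with the ignore option beside a configuration that keeps validation on by trusting the issuing CA. Host names, group names and the CA bundle path are placeholders.

```yaml
# Constructed inventory; host names, group names and the CA path are placeholders.
all:
  children:
    windows:
      vars:
        ansible_connection: winrm   # if unset, Ansible tries SSH and fails
        ansible_port: 5986          # WinRM over HTTPS
        ansible_winrm_scheme: https
      children:
        windows_lab:
          hosts:
            win-lab01.example.com:
          vars:
            # Self-signed listener certificate. Validation is skipped, so the
            # controller cannot confirm it is talking to the intended host
            # before it sends credentials.
            ansible_winrm_server_cert_validation: ignore
        windows_prod:
          hosts:
            win-prod01.example.com:
          vars:
            # Listener certificate issued by an internal CA. Validation stays
            # on and the controller is pointed at the CA certificate bundle.
            ansible_winrm_server_cert_validation: validate
            ansible_winrm_ca_trust_path: /etc/pki/example/internal-ca.pem
```

Setting ignore per group rather than under all keeps the weaker setting confined to the hosts that actually use self-signed certificates.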

See also