Hi All, hope this question makes sense. Here goes:
Context: I have several automated patching playbooks that rely on
stopping/starting services on windows before patching a database on Linux.
We are using a python script to generate a dynamic inventory. We are
leveraging a powershell script on a windows host to remotely start/stop
services on various other windows hosts, so we only need to delegate to the
one single windows host that houses the powershell scripts. We are NOT
naming the windows host in the python script for dynamic inventory, and
instead delegating to the FQDN of the windows host, backed by a
host_vars/<windows_server>.yml for connection info for ansible to use. Oh
and we are using psexec because I can't get win_shell to work to save my
life.
Tasks:
*- name: Pre-patching - Copy powershell script to stop service (windows)*
* run_once: true*
* become: false*
* win_copy:*
* src: ../supporting_tools/scripts/serviceshutdown{{ vmenv_result.stdout
}}*
* dest: C:\temp\serviceshutdown{{ vmenv_result.stdout }}.ps1*
* force: no*
* delegate_to: windows_server*
*- name: Pre-patching - Copy psexec to stop service (windows)*
* run_once: true*
* become: false*
* win_copy:*
* src: ../supporting_tools/scripts/PsExec.exe*
* dest: C:\temp\PsExec.exe*
* force: no*
* delegate_to: windows_server*
*- name: Pre-patching - Stop service (windows)*
* become: false*
* run_once: true*
* win_psexec:*
* command: powershell.exe -executionpolicy bypass -noninteractive
-nologo -file "C:\temp\serviceshutdown{{ vmenv_result.stdout }}.ps1"*
* executable: C:\temp\PsExec.exe*
* elevated: yes*
* nobanner: yes*
* username: "{{ansible_user}}"*
* password: "{{ansible_password}}"*
* interactive: no*
* vars:*
* ansible_become_method: runas*
* delegate_to: windows_server*
host_vars/windows_server.yml:
*ansible_user: ad_useransible_password: passwordansible_connection:
winrmansible_winrm_transport: ntlmansible_winrm_server_cert_validation:
ignore*
*ansible_port: 5986*
--------------------
The above role tasks run fine. Services get stopped as expected and the
playbook moves on. However the next role is to gather the current repo
information from the linux server that is to be patched and is a block that
is a mix of delegate_to: 127.0.0.1 tasks and non delegated tasks (i.e.:
they run on the target linux server). This is where the playbook falls down
and goes boom. The first non-delegated task after delegating to the windows
server above fails with the following error:
fatal: [linux_server]: FAILED! => msg: The powershell shell family is
incompatible with the sudo become plugin
The role in question is:
- name: Pre-patching - Update sw.repo
block:
- name: Pre-patching - gather minor OS target version
shell: curl -sk -u user:pass
"https://server.fqdn.com/cgi-bin/patchmm?major={{
ansible_distribution_major_version }}&os={{ os_shorthand }}"
args:
warn: false
register: minor_version
changed_when: false
become: false
delegate_to: 127.0.0.1 - name: Pre-patching - gather local errata repo
name
shell: yum repolist | grep ERRATA_ | awk '{print $1}'
register: current_errata_repo
args:
warn: false
changed_when: false
when: ansible_distribution != 'Debian' and ansible_distribution != 'Ubuntu'
and not (facter_os.family == "RedHat" and ansible_distribution_major_version ==
"8")
The task in red is what is failing. I'm not sure why I'm getting this failure
message since I'm not trying to use any powershell commands or even target a
windows server. I've tried putting ansible_become_method in the host_vars file
with no difference in results. Using win_shell to run a command to turn on or
off a service seems to work, but I do not want to have to target 8 or 9 windows
servers individually (for this one application alone. there are others with
more servers behind them).
Has anyone run across this before? What is the resolution here? Is it because I
am not targeting the windows host in inventory? I'd like to not do that because
the entire playbook and all 50 or so included roles are geared to linux only
and I do not want to have to add when clauses everywhere.
TIA,
Andrew
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/8460a481-ef9d-4811-9cf9-e6ad40255361o%40googlegroups.com.
