[ansible-devel] Re: Switch to Disable Powershell Base64 encoding - WinRM/win_shell

2021-01-24 Thread Jordan Borean
Hi

There are no plans or action to remove this, using '-EncodedCommand' is a 
valid argument in PowerShell and is used to avoid dealing with quote 
escaping hell when it comes to embedded quotes inside the actual script as 
well as newlines. If you are concerned about not knowing what those 
commands are then PowerShell's implementation to counteract that is 
scriptblock logging as it logs the actual scriptblock we have encoded into 
the event log for anyone to read.

> We are getting jobs stopped by the corporate security tool because of the 
> encoded content when automating Windows environment.

There's not much we can do about that, in my opinion tools that just block 
invocations of PowerShell that use '-EncodedCommand' are just being lazy 
and all it ultimately achieves is frustration when people try to use 
builtin features to run PowerShell commands. As mentioned in the PR if you 
were to use the psrp connection plugin you could avoid the general 
'-EncodedCommand' invocation we use for the first command but there will 
still be other times when we use '-EncodedCommand' so it's not a catch all.

The reality is that Ansible is used to remotely run commands in an 
administrative sense, some anti virus tools might flag Ansible's behaviour 
because it sees it as a virus. There's not much we can do to stop this 
short of having some agent that listens and runs the commands and that goes 
against one of the primary tenets of Ansible, agentless connections.



On Tuesday, January 19, 2021 at 3:53:45 AM UTC+10 rcdl...@gmail.com wrote:

>
> Hi Ansible Development Team,
>
> About the subject in this message, I would like to ask you if: Do we have 
> some news about "Switch to Disable Powershell Base64 encoding 
> "?  or the only method 
> we have now is enabling the scriptblock logging on newer versions of 
> PowerShell to log the decoded format of "-EncodedCommand" as well 
> explained into this close RFE purpose?
>
> Maybe some new feature since this RFE purpose was available and I'm 
> missing it. 
>
> Did anyone have missed a feature like this and was able to workaround it 
> by some other way? We are getting jobs stopped by the corporate security 
> tool because of the encoded content when automating Windows environment.
>
> Thank you all!
>
> Best regards,
>
> Roberto Duarte
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-devel+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/833f700b-9f22-448a-9efa-0c6d0c161e3bn%40googlegroups.com.
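
The '-EncodedCommand' value discussed in this message is base64 over the script's UTF-16LE bytes, so a monitoring tool can recover the script text from a process command line and inspect it. The following is an added example, not code from this thread or from Ansible; the function names and the sample command lines are constructed for illustration.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# "-Switch value" pairs whose value uses only the base64 alphabet.
_SWITCH_RE = re.compile(r"(?:^|\s)-([A-Za-z]+)\s+([A-Za-z0-9+/=]+)(?=\s|$)")


def encode_script(script: str) -> str:
    """Build an -EncodedCommand value: base64 over the UTF-16LE script bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def is_encoded_command_switch(name: str) -> bool:
    """powershell.exe accepts shortened switch names, so match every prefix
    of 'EncodedCommand' as well as the short alias 'ec'."""
    name = name.lower()
    return name == "ec" or "encodedcommand".startswith(name)


def find_encoded_value(cmdline: str) -> Optional[str]:
    """Return the base64 argument of the encoded-command switch, if present."""
    for match in _SWITCH_RE.finditer(cmdline):
        if is_encoded_command_switch(match.group(1)):
            return match.group(2)
    return None


def decode_value(value: str) -> str:
    """Recover the script text; raise ValueError if the value is malformed."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a valid encoded command: {exc}") from exc


def triage(cmdlines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Classify each command line as plain, decoded (with the script text),
    or undecodable (the switch is present but the value does not decode)."""
    results: List[Tuple[str, Optional[str]]] = []
    for cmdline in cmdlines:
        value = find_encoded_value(cmdline)
        if value is None:
            results.append(("plain", None))
            continue
        try:
            results.append(("decoded", decode_value(value)))
        except ValueError:
            results.append(("undecodable", None))
    return results


# Constructed sample: a script with embedded quotes and a newline, the case
# that makes quoting on a plain command line painful.
SAMPLE_SCRIPT = "$name = \"O'Brien\"\nWrite-Output \"Hello, $name\""

# Constructed process command lines, as a process-creation log might show them.
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Unrestricted "
    f"-EncodedCommand {encode_script(SAMPLE_SCRIPT)}",
    f"powershell.exe -enc {encode_script('Get-Service')}",
    "powershell.exe -File C:\\temp\\job.ps1",
    "powershell.exe -EncodedCommand QUJD",  # 3 bytes: not valid UTF-16LE
]

if __name__ == "__main__":
    for cmdline, (status, script) in zip(SAMPLE_CMDLINES, triage(SAMPLE_CMDLINES)):
        print(f"[{status}] {cmdline[:60]}")
        if script is not None:
            print(script)
```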


[ansible-devel] Re: Will Ansible work in case of Windows Jump Server?

2019-11-18 Thread Jordan Borean
Unfortunately no, WinRM doesn't support any bastion options. The psrp 
connection plugin does offer a proxy option which you can potentially use 
for a SOCKS proxy as a bastion host but that requires SSH and for you to 
set that up before hand.

Thanks

Jordan

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/cc84399c-9382-4b5f-af63-a5b570c61b9c%40googlegroups.com.


[ansible-devel] Re: Who triggers the wrapper script generation on a Windows node ?

2019-08-18 Thread Jordan Borean
complex_args is actually a hashtable where the key is the module option and 
the value is the raw value for that option. You might be confusing the 
ArrayList with the generic list we use to store variable definitions, that 
include complex_args, that are passed to the module_wrapper process.

Anything that uses our exec_wrapper process will use $complex_args even in 
non-pipelined scenarios as pipelining just changes how the payload is 
delivered.

The only reason why we still read from $args is purely for legacy reasons 
and for people manually running the modules outside of our wrapper process, 
i.e. not Ansible.

Thanks

Jordan

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/76856c43-109a-426a-a8c7-5700056a7945%40googlegroups.com.


[ansible-devel] Re: Who triggers the wrapper script generation on a Windows node ?

2019-08-16 Thread Jordan Borean
Yep that's correct, the exec_command function doesn't know or care about what 
it is executing, it just has the command to run passed in as cmd and optional 
input data to send over the stdin pipe. It's up to the caller of 
exec_command to make sure the command that it wants to run accepts input 
data and the correct input data is sent in. The _execute_module [1] 
function in the action plugin base is where all the logic happens to build 
that script and input data to be run.

[1] - 
https://github.com/ansible/ansible/blob/11862782fff0ef530d44523676b82dfdf596dfea/lib/ansible/plugins/action/__init__.py#L750

Thanks

Jordan

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/60af43ce-2b2c-4bb1-a644-075e876d4589%40googlegroups.com.


[ansible-devel] Re: error when running a windows command using 'raw'

2019-08-16 Thread Jordan Borean
That’s my bad, when you quote the string and want to execute it you need to add 
the call operator like:

- raw: '& "C:\Program Files\..."'


The alternative is to use win_command with the setup you have right now.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/f0bd193a-172c-4a08-b5df-cec1e37c%40googlegroups.com.


[ansible-devel] Re: Who triggers the wrapper script generation on a Windows node ?

2019-08-15 Thread Jordan Borean
Hi

This particular script is part of the put_file operation for winrm [1] 
which is executed like "PowerShell.exe  -EncodedCommand ScriptB64". 
Part of the put_file method is to read the bytes of the file to transfer 
across and send it over the stdin pipe of the process under the WSMan Send 
operation. There is an automatic trigger in PowerShell where the begin 
block runs then the process block will run for each input that is sent 
until we tell it there is no more until finally the end block runs. The 
'$input' variable is an automatic variable which contains the input from 
the stdin pipe for that process (each byte fragment of the file).

In saying all this, the put_file operation should not be running at all for 
standard module execution. We use pipelining in pretty much all cases to 
execute a module and the only times put_file is used are;

   - An action plugin on the controller needs to put a file for a module to 
   use, e.g. win_copy, win_template, script
   - The ANSIBLE_KEEP_REMOTE_FILES=1 env var is set when running Ansible, 
   this should only be used for debugging purposes and is not the standard 
   operation
   
What normally happens in the pipelining scenario is that we run the 
bootstrap_wrapper.ps1 [2] which takes in data from the stdin pipe to 
execute. This data is a string split by null chars where the first part is 
the exec_wrapper and the second part is the module manifest info which 
drives the wrapper. This way no data touches the disk (unless we need to 
copy a file) making things a lot faster than before.

[1] - 
https://github.com/ansible/ansible/blob/491a47c7c5be8ba5b4cca4e1a5171c15d669a47f/lib/ansible/plugins/connection/winrm.py#L565
[2] - 
https://github.com/ansible/ansible/blob/devel/lib/ansible/executor/powershell/bootstrap_wrapper.ps1

Thanks

Jordan

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/7158efd7-65b4-4f0d-86d2-819d4780e22e%40googlegroups.com.


[ansible-devel] Re: error when running a windows command using 'raw'

2019-08-15 Thread Jordan Borean
Actually if your example is literal and -a is on a newline then that's 
probably your issue, it sounds like you wanted '>' not '|' to fold each 
newline in your string but I still recommend the way above I posted.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/0d34c0d4-2f71-4bfb-9ac2-cc570c930458%40googlegroups.com.


[ansible-devel] Re: error when running a windows command using 'raw'

2019-08-15 Thread Jordan Borean
Not sure why it is complaining here, maybe an invisible control character. 
Anyway you are best off doing the following;

- name: Installing the license
  raw: '"C:\Program Files\IBM\SQLLIB\BIN\db2licm" -a "{{ temp_area }}\{{ db2_lic_file }}"'

Raw in Windows is not truly raw as it is run in a PowerShell shell so the 
standard quoting rules apply. Having C:\'Progam Files'\.. wouldn't work as 
that isn't valid PowerShell. The example above will quote that whole string 
as well as your -a arg in case it has a space in it. You can also consider 
using win_command for this if you want to take advantage of things like 
become, environment, async and some of the other options it adds.

Thanks

Jordan

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/eddb6332-07ea-41b0-ae8f-3d7c90c22a7f%40googlegroups.com.


[ansible-devel] ansible-collection commands

2019-07-09 Thread Jordan Borean
Hi

The Ansible team has recently introduced collections in Ansible 2.8 and as 
part of our ongoing development we have been working on creating a way to 
build, publish, and install collections using the ansible-galaxy command. 
We have recently merged the first iteration of this work with 
https://github.com/ansible/ansible/pull/57106 and I encourage you all to 
try it out and let us know about any issues or other feedback you may have 
around it.

Docs are still forthcoming but I'm currently working on improving that for 
people just picking it up. Starting off, you can view all the relevant 
commands by running 'ansible-galaxy collection --help' as well as help for 
individual commands like 'ansible-galaxy collection  --help'. So 
far we have implemented the following commands;

* init - Create a basic collection skeleton, docs for this still need to be 
fleshed out but it will give you a basic skeleton you can start off with
* build - Create a collection artifact as a .tar.gz file. This artifact can 
be published or stored wherever you like
* publish - Publish the collection to Ansible Galaxy
* install - Install a collection artifact either from Ansible Galaxy, or a 
filepath/url to the tarball

This is still an ongoing development so your feedback is crucial for us to 
produce something nice and polished for the Ansible 2.9 release.

Thanks

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/0daa150d-56ec-4440-bb42-8f5c197b5128%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ansible-devel] winrm send_input failed. help needed.

2019-07-03 Thread Jordan Borean
You can’t use Python modules on a Windows host, use win_file and not file.

Thanks

Jordan

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/fba15520-f1d3-499b-8e6d-38fa0a5581e9%40googlegroups.com.


[ansible-devel] Re: Cannot import module from ~/.ansible/plugins/module_utils

2019-06-27 Thread Jordan Borean
Action plugins can reference ansible.module_utils but only for ones in the 
base Ansible package. Modules can take advantage of the lookup path as it is 
built for you automatically and sent across to the remote host.

Feel free to raise a PR to the Ansible docs at 
https://github.com/ansible/ansible/tree/devel/docs/docsite/rst if you want 
to clarify it further.

Thanks

Jordan

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/06aae189-ca7c-4c3d-80ce-dbfe4a759f38%40googlegroups.com.


[ansible-devel] Re: How to pass ansible variables to powershell cmdlet using win_shell module

2019-06-20 Thread Jordan Borean
Your set_fact task is setting 'lookup('dig', inventory_hostname)' as a 
literal string, you will need to use braces so it actually interprets the 
lookup, e.g.

- set_fact:
    target_ip: '{{ lookup("dig", inventory_hostname) }}'

In the future you are better off posting in the Ansible Project mailing 
list, Ansible Development is for Ansible engine and plugin development 
questions not using Ansible.

Thanks

Jordan

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/496ae909-178c-4fcd-b59b-0fcff5baf005%40googlegroups.com.


[ansible-devel] Re: Ansible over SSH on Windows host type progress status needed

2019-05-20 Thread Jordan Borean
These questions are better suited towards the Ansible Project mailing list 
at https://groups.google.com/forum/#!forum/ansible-project. Ansible 
Development is for development questions inside Ansible, such as modules, 
plugins and so on and not general help.

Using ssh does not mean you can start using Python modules like ping, you 
still need to use the Windows equivalent modules which are written in 
PowerShell (win_ping).

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-devel/0dd3757e-6118-45f3-a127-2e932407d3a8%40googlegroups.com.


[ansible-devel] Ansible over SSH on Windows host type progress status needed

2019-04-06 Thread Jordan Borean
Not sure what you mean by WinRM's lack of security requirements, if you use RDP 
in your org then WinRM is no worse than that. In saying that, SSH support for 
Windows has been added for 2.8 with 
https://github.com/ansible/ansible/pull/47732. It’s experimental and the 
interface can change in the future but it would be enough to get you started.



[ansible-devel] Re: win_command with become still doesn't seem to work

2019-02-14 Thread Jordan Borean
I found some time to play around with this a bit more. It turns out the 
initial installer spawns multiple processes and doesn't actually wait until 
it is finished. This causes the parent WinRM process to close its shell 
which has the side effect of killing any children it spawns.

It's weird behaviour from the installer as it should be waiting until all 
the installed processes have finished before finishing but this isn't the 
case. The reason why it works when you run locally or through 
'Enter-PSSession' is because those sessions are persistent, whereas Ansible 
and 'Invoke-Command' will close that session as soon as its command is 
finished.

Luckily using async will allow you to escape this behaviour, using the 
following playbook you can install VS and wait until the installer has 
actually completed. It uses async on the first task so that the spawned 
installer is not killed when WinRM exits and then waits until it is 
complete in the 2nd task. Become isn't needed for this task, you just need 
to escape the WinRM job boundary which is what async is for.

---
- hosts: vagrant-windows
  gather_facts: no
  tasks:
  - name: download installer
    win_get_url:
      url: https://download.visualstudio.microsoft.com/download/pr/324e8588-c90a-4229-947f-d60efec43018/0baa0fb3754413e8048d3625ddf5d585/vs_enterprise.exe
      dest: C:\temp\vs_enterprise.exe
      force: no

  # Async is required because the installer spawns a detached process and doesn't wait until it is complete. Because
  # WinRM exits it kills any child processes including the spawned vs_installer. By using async, we can ensure the
  # child process continues to run in the background and is not reaped when WinRM exits.
  - name: install VS Enterprise
    win_command: c:\temp\vs_enterprise.exe --add Microsoft.VisualStudio.Component.CoreEditor --quiet
    async: 60 # May need a higher timeout if the initial installer download takes too long

  # Because the installer is running in the background, we need to wait until it is complete before continuing. We also
  # set the exit code of this process to whatever the exit code is of the vs_installer process if found. This gives us
  # at least some error reporting in case something went bad
  - name: wait until process is complete
    win_shell: |
      $process = Get-Process -Name vs_installer -ErrorAction SilentlyContinue
      if ($process) {
          $process | Wait-Process
          $host.SetShouldExit($process.ExitCode)
      } else {
          $host.SetShouldExit(0)  # Clears out any error with Get-Process not finding a process
      }
    changed_when: False

Ultimately this seems like poor behaviour on the installer's part but this 
is all out of Ansible's control.

Thanks

Jordan



[ansible-devel] Re: win_command with become still doesn't seem to work

2019-02-13 Thread Jordan Borean
Just a few things to note, you don't need to set the task directives become, 
become_method, become_user if you have set the vars as well. Variable > 
than task directives when it comes to precedence.

If the initial exe is then starting up another executable and exits 
immediately it makes sense that it would come back ok but then kill the 
WinRM session and subsequently all child processes, like the newly spawned 
installer.

I would try and add 'async: 600' to the task to see if that works for you. 
Async slightly changes the type of session the module is run in and it may 
be enough to get things working for you but there's no guarantees.

If I get some time I might try this out but I can't do it right now.

Thanks

Jordan



[ansible-devel] Re: Jenkin Jobs are failing because it is not able to access the mapped n/w drive

2018-11-12 Thread Jordan Borean
You won't be able to access a mapped drive within an Ansible task or any 
other non-interactive logons in Windows. There is a fundamental security 
barrier between how WinRM processes or scheduled task jobs are started and 
where mapped drives are accessible to the user.

Thanks

Jordan



Re: [ansible-devel] Does Ansible expose `ansible_become_pass` to modules?

2018-10-04 Thread Jordan Borean
No, ansible_become_pass is not accessible from a module. Only the module 
options set in the task yaml and a few key internal variables are passed 
in, like check mode, diff, verbosity.

Thanks

Jordan



Re: [ansible-devel] Ansible Tower Windows SSH Support

2018-09-04 Thread Jordan Borean
We've looked into it and it needs a few changes in Ansible for it to be 
properly implemented. In saying that, the Win32-OpenSSH fork from MS still 
has some warts and is still a beta product and contains a few bugs and 
quirks that makes it less appealing. Honestly you should be pushing back on 
your organisation and asking why WinRM is not allowed and trying to get 
WinRM approved.

Thanks

Jordan



[ansible-devel] Re: Windows prompt answer

2018-05-13 Thread Jordan Borean
There's no expect module equivalent to Windows unfortunately but you can 
pass characters to the stdin pipe when running shell commands. In Ansible 
2.5, the win_command and win_shell have an stdin argument which allows you 
to pass whatever you want to the stdin pipe of the newly created process. 
This allows you to pass things like "y" on a command that expects you to 
confirm y/n on a command. An example of this in action is

- win_command: some_exe.exe
  args:
    stdin: y

The some_exe.exe will be run and y is sent as the input. This is 
rudimentary and doesn't support things like defining different responses 
based on the prompt but it does give you a blanket input option if that 
helps.

Thanks

Jordan



Re: [ansible-devel] Optimizing Ansible and its WinRM use for speed and profit

2018-03-24 Thread Jordan Borean
Looking at persisted connections/shells is definitely something we want to 
look at and because 2.6 is going to be a stabilization release from the 
core team 2.7 is where we will start looking into it. WinRM has 2 
components that make it really slow compared to SSH;

* The network latency and number of packets that are required
* The time it takes to startup PowerShell.exe on each task

Having persisted connections/shells will definitely help with the first one 
but it requires some internal work inside Ansible to really achieve 
properly. The latter part is a lot harder but swapping over to PSRP over 
WinRM with persisted connections will definitely improve that story. For 
file transfers there is not much else we can really do. Matt's pretty much 
reached the limit of what you can do with that protocol and to get good 
file transfer speeds we either have to use SMB or the SSH/SFTP 
implementation from Microsoft.

Thanks

Jordan



[ansible-devel] Re: Diskpart for Windows

2018-03-20 Thread Jordan Borean
Hi

If you want to use diskpart I believe you need to put each command as a 
line in a text file and then call the diskpart exe and reference that text 
file. This isn't really ideal and you should probably look at the newer 
PowerShell cmdlets to do what you want. I found this is a good place to 
start when looking at them 
https://blogs.msdn.microsoft.com/san/2012/07/03/managing-storage-with-windows-powershell-on-windows-server-2012/,
 
unfortunately we don't have any modules to do this work yet so you will 
have to use some sort of script right now.

Thanks

Jordan



[ansible-devel] Re: powershell debug with complex_args list

2018-03-12 Thread Jordan Borean
Yaml is easily converted to some sort of structure, you are mostly dealing 
with dicts or lists, so in your case you can set complex_args to;

$complex_args = @{
    add_children = @(
        @{
            name = "Ansible Brew"
            type = "light"
        }
    )
}

As you can see we are setting the key add_children which is a list of 
dictionary values. In Python a list is expressed in the form of *@("entry", 
"another_entry")* while dictionaries are expressed in the form of *@{key = 
"value"; key2 = "value2"}*. You can mix and match all these but once you 
understand how to convert Ansible to lists and dicts you should be good.

Depending on your version of the Legacy module_utils, Get-AnsibleParams 
just tries to convert the input source to the one that is expected, for a 
list, it will convert a string by splitting it by , but for existing lists 
it should just return that value as is.

Thanks

Jordan



[ansible-devel] Re: ANSIBALLZ_WRAPPER is not recognized as the name \r\nof a cmdlet

2018-02-28 Thread Jordan Borean
No worries, when you run the windows-integration tests it will load the 
inventory file I mentioned. You can't use Python modules on Windows hosts 
as it will either fail with a send input error or the one you see with 
ANSIBALLZ.

Glad you got it working though, good luck with the testing.

Thanks

Jordan



[ansible-devel] Re: ANSIBALLZ_WRAPPER is not recognized as the name \r\nof a cmdlet

2018-02-28 Thread Jordan Borean
Are you able to share your test/integration/inventory.winrm file as it 
seems like some of the config is breaking the winrm/powershell plugins. 
Here is an example one that I use

[2016]
SERVER2016.domain.local

[windows:children]
2016

[windows:vars]
ansible_user=vagrant-domain@DOMAIN.LOCAL
ansible_password=password
ansible_connection=winrm
ansible_port=5986
ansible_winrm_transport=kerberos
ansible_winrm_server_cert_validation=ignore

[localhost]
127.0.0.1  ansible_connection=local

[winrm:children]
windows

[testhost_binary_modules:children]
windows

I'm no expert on XML but I believe the API that was being used in the 
module wasn't as fully featured as the XPath option in PowerShell and its 
little support for namespaces may cause issues down the line.

Thanks

Jordan



[ansible-devel] Re: Where is the webdocs file?

2017-11-28 Thread Jordan Borean
If you want to just generate the docs for just a single module you can run

MODULES=file make webdocs


This will generate the docs for the file module as well as the rest of the 
rst docs. This will save a lot of time as you don't need to generate the 
docs for every single module.

Thanks

Jordan



[ansible-devel] Re: Windows Server 2016 and scheduled tasks

2017-11-08 Thread Jordan Borean
From my understanding non-Administrators cannot create/modify/remove/view 
Scheduled tasks by default. Each task itself is governed by the NTFS 
security ACL of the XML definition file located in 
C:\Windows\System32\Tasks\*.xml, here are the default permissions set when 
creating a task.




From these permissions, you can see


* The user who created the task has Read permissions

* All Administrators of the machine have full control over the task 
(inherited from the parent folder)

* SYSTEM has special permissions but is SYSTEM so is god


I can prove this works in a playbook running on Ansible (devel)


- hosts: Adhoc
  gather_facts: no
  tasks:
  - name: remove test file
    win_file:
      path: C:\temp\test
      state: absent
  - name: create scheduled task
    win_scheduled_task:
      name: Test
      username: '{{ansible_user}}'
      password: '{{ansible_password}}'
      logon_type: password
      actions:
      - path: cmd.exe
        arguments: /c mkdir C:\temp\test
  - name: check list of groups user is member of
    win_command: whoami.exe /groups
    register: groups_output
  - name: show user's groups
    debug:
      var: groups_output.stdout_lines

  - name: run scheduled task
    win_command: schtasks.exe /Run /TN Test

  - name: get stat of test file to prove task ran
    win_stat:
      path: C:\temp\test
    register: stat
  - name: file folder stat
    debug:
      var: stat


Here is the output of the main tasks





This works on all OS's I've tested so far but unfortunately I can replicate 
the issue with Server 2016 and non admin users. Usually I can add the user 
account to the XML ACL and then be able to run the task but not on Server 
2016 as you have reported. It seems like Microsoft has restricted the 
permissions that are required to execute a scheduled task that a normal 
user does not have permission for but I cannot find out what that may be. 
Because this is an issue with Windows and not Ansible, I would say there is 
not much we can do about it and the use case is probably quite minimal but 
I'm happy to be proven otherwise.


From an Ansible standpoint, yes it would be nice for a non-admin account to 
run a scheduled task but IMO non-admin users should never be able to modify 
a task. This opens up a pretty big security hole as a non-admin user would 
then have the ability to change what is run by the scheduled task and 
potentially allow a custom script to be executed by a higher account 
without knowing the password.


This begs the question, what are you trying to do as scheduled tasks can be 
fragile and annoying to work with and there may be other options available 
for you in Ansible. Traditionally scheduled tasks are used by tools to 
bypass WinRM restrictions such as no access to WUA and DPAPI. This is how 
the Packer elevated shell process works and is pretty much done everywhere 
that deals with WinRM as it is simple and gets the job done *most of the 
time*. This can still be done in Ansible with an admin account (even on 
2016) but using become is a way better option, in 2.5 we even have an 
example on how to do that: 
http://docs.ansible.com/ansible/devel/windows_usage.html#creating-and-running-a-scheduled-task.

Even so, using become is generally recommended as we don't need to mess 
around with creating the task and ensuring it starts, cleaning it up 
afterwards, and somehow getting the stdout/stderr/rc values from the 
process. Plus with become we can run it with modules whereas scheduled 
tasks can only be used to run individual commands.


Thanks


Jordan
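
The ACL point in the message above can be checked on a host. The following PowerShell is an added example, not part of the original message or of Ansible's code: it lists task definition files under C:\Windows\System32\Tasks whose ACL grants write-capable rights to any principal other than SYSTEM or Administrators. The trusted-SID list and the write mask are assumptions of this example, and it needs an elevated session to read the ACLs.

```powershell
# Added example: flag write-capable ACEs on scheduled task definition files.
# Assumption: only SYSTEM and BUILTIN\Administrators are expected to hold write access.
$taskRoot    = Join-Path $env:SystemRoot 'System32\Tasks'
$trustedSids = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators

# Rights that let a principal change what a task runs or rewrite its ACL.
# The two hex values are GENERIC_WRITE and GENERIC_ALL, which inherited ACEs may carry.
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x40000000 -bor 0x10000000

$findings = foreach ($file in Get-ChildItem -LiteralPath $taskRoot -Recurse -File -Force) {
    try {
        $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL of $($file.FullName): $($_.Exception.Message)"
        continue
    }
    # Ask for SIDs directly so deleted or unresolvable accounts are still reported.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Task      = $file.FullName.Substring($taskRoot.Length)
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}
$findings | Sort-Object Task, Sid | Format-Table -AutoSize
```

Any row it prints is a principal that could alter what a task executes, which matters most for tasks that run under a higher-privileged account.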



[ansible-devel] Re: Custom facts Windows

2017-10-18 Thread Jordan Borean
According to the setup 
module http://docs.ansible.com/ansible/latest/setup_module.html, you can 
specify a path to a folder where it will execute custom scripts.

- setup:
    fact_path: C:\temp

With the example above, it will gather the normal facts but will also run 
each ".ps1" script in C:\temp and add them to the facts. The scripts must 
output a JSON string which Ansible then adds to the facts returned, this 
can be done like so

$facts = @{}
$facts.ansible_custom_fact = "custom fact"

Write-Output (ConvertTo-Json -InputObject $facts -Compress)



[ansible-devel] Powershell V2 deprecated soon

2017-07-24 Thread Jordan Borean
This should affect Ansible, there is a minimum requirement for Powershell V3 or 
newer and this can be met on all supported versions of Windows.



[ansible-devel] Re: win_template or win_copy Ansible 2.3 Windows 2008R2 - possible bug.

2017-05-31 Thread Jordan Borean
Your output seems to indicate you are still using 2.2 and not 2.3. Are you able 
to verify your Ansible versions by running ansible --version and share your 
playbook so we can try and replicate it?



[ansible-devel] Re: debugging modules on ansible => 2.3.0

2017-04-26 Thread Jordan Borean
2.3 removed this unfortunately with the way the execution wrapper now 
works. I believe Matt was looking at reverting the behavior to what it was 
before when ANSIBLE_KEEP_REMOTE_FILE is set to true but I'm not sure where 
he is at with that. Unfortunately this means in the meantime I'm stuck with 
putting in lots of Fail-Jsons to try and debug what is happening or run the 
module with a 2.2 install.

On Tuesday, April 25, 2017 at 9:59:24 PM UTC+10, Trond Hindenes wrote:
>
> Previously we could configure ansible to leave files in the user's temp 
> dir in order to troubleshoot/debug Powershell modules. In 2.3.0 all of this 
> got rewritten, so it seems that option is gone. 
>
> Being able to troubleshoot the "generated" files is completely crucial (at 
> least for me) when developing and troubleshooting things. What are my 
> options for debug/troubleshooting Powershell with Ansible going forward?
>



[ansible-devel] Re: debugging modules on ansible => 2.3.0

2017-04-26 Thread Jordan Borean
2.3 removed this unfortunately with the way the execution wrapper now 
works. I believe Matt was looking at reverting to the older executor to 
allow this debugging to work but not sure where he is up to. I've had to 
either use Fail-Json statements everywhere and try and debug that way (not 
liking it) or revert to a 2.2 install.

On Tuesday, April 25, 2017 at 9:59:24 PM UTC+10, Trond Hindenes wrote:
>
> Previously we could configure ansible to leave files in the user's temp 
> dir in order to troubleshoot/debug Powershell modules. In 2.3.0 all of this 
> got rewritten, so it seems that option is gone. 
>
> Being able to troubleshoot the "generated" files is completely crucial (at 
> least for me) when developing and troubleshooting things. What are my 
> options for debug/troubleshooting Powershell with Ansible going forward?
>



[ansible-devel] Calling other Powershell Module

2016-10-29 Thread Jordan Borean
Hi

I was wondering if there was functionality to call another powershell 
module from another similar to how the find module calls the stat module to 
get file information. I am in the middle of building a win_find module and 
having this ability will help to reduce the amount of code I need to write.

Thanks

Jordan
