Getting started with Ansible and configuring Windows hosts
Ansible is a well-known tool in IT operations, valued for its automation capabilities. It belongs to the family of configuration management tools that work on the "desired state" principle (Microsoft's own implementation of the idea is called Desired State Configuration, DSC): you declare the state a system should be in, in terms of configuration and settings, and the tool is responsible for converging the actual state of the system to that declared state.
What makes Ansible stand out from other configuration management tools is that it is agentless: nothing has to be installed on the managed hosts. Ansible uses SSH to communicate with Unix-based hosts and WinRM (Windows Remote Management) to communicate with Windows hosts.
Microsoft has also announced a port of OpenSSH for Windows, which will make things even smoother for DevOps teams managing Windows infrastructure once it is widely available.
The agenda for this post is:
- Set up the Ansible control machine.
- Configure the managed Windows servers so that they accept commands from Ansible.
- Create an Ansible playbook that installs Chocolatey and SQL Server.
On the Windows side, Ansible requires PowerShell 3.0 or newer and .NET Framework 4.0 or newer; older operating systems such as Windows Server 2008 and Windows 7 need those upgraded before Ansible can manage them.
Once those requirements are met, let's get started.
As mentioned above, Ansible is agentless, but we still need a control machine: the machine that talks to all of our hosts.
Ansible cannot run natively on Windows, but there is a workaround.
Currently the Ansible control machine must be a Unix-based system. If Windows is your primary OS you can install the Windows Subsystem for Linux with an Ubuntu distribution and run Ansible from there; see Microsoft's installation instructions for the details. If you are not a Windows user, just continue reading.
Once Ubuntu is installed (whether natively or as a subsystem), open a terminal and install Ansible as follows.
Install the tool that manages additional repositories (it provides apt-add-repository):
$ sudo apt-get install software-properties-common
Update the package index:
$ sudo apt-get update
Add the Ansible repository:
$ sudo apt-add-repository ppa:ansible/ansible
Then install Ansible:
$ sudo apt-get install ansible
Add the Python package manager:
$ sudo apt-get install python-pip
Add the Python WinRM client, which Ansible uses to talk to Windows hosts:
$ pip install pywinrm
Install the XML parser that pywinrm depends on:
$ pip install xmltodict
You can verify the installation by checking the installed Ansible version:
$ ansible --version
So far, so good. Let's continue with the configuration of the tool.
Inventory — the list of hosts
The inventory file lists the addresses of your hosts, separated into groups with descriptive names. Despite the .yml extension used in this post, the content below is Ansible's INI-style inventory syntax, which Ansible recognises by content.
Let's create the file:
$ vim inventory.yml
Enter the IP or DNS addresses of your hosts under their group headers (the addresses below are placeholders):
[dbservers]
mydbserver1.dns.example
126.96.36.199

[webservers]
mywebserver1.dns.example
188.8.131.52
We are a few steps away from establishing a connection to the remote servers. Let's configure the connection itself: credentials, port and connection type. The convention is to put these variables in a file under group_vars/ named after the group of hosts they apply to (for example group_vars/dbservers.yml).
If you want all of your inventory hosts to use the same configuration, name the file all.yml. We will use all.yml here, since all the hosts share the same credentials and connection type.
Let's begin by creating the folder:
$ mkdir group_vars
Create the file and edit it:
$ vim group_vars/all.yml
Add the connection details (the read timeout must be larger than the operation timeout, otherwise long-running commands are cut off):
ansible_user: ansible_user
ansible_password: your_password_here
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_transport: basic
ansible_winrm_operation_timeout_sec: 60
ansible_winrm_read_timeout_sec: 70
These credentials will be used to access the remote hosts over WinRM with basic authentication; we will create the account on the hosts in the next section. Basic authentication over plain HTTP on port 5985 is the simplest option to get working, which is why it is used in this example, but it sends the administrator password merely base64-encoded on every request, so anyone on the network path can read it. For production workloads use the HTTPS listener on port 5986 with a certificate-validated connection (ansible_winrm_scheme: https) and a stronger transport such as ntlm, kerberos or credssp, and keep the password out of plaintext files with ansible-vault. See the Ansible documentation on Windows remote management for the details of each option.
Our Windows hosts need to be pre-configured before we can execute any commands on them. The following commands, run in an elevated PowerShell session on each host, will:
Create the Ansible user we defined in all.yml (WinRM basic authentication only works with local accounts, so this must be a local user).
Add the user to the local Administrators group.
Set WinRM authentication to basic and allow unencrypted connections.
Add a firewall rule for WinRM that only accepts connections from your control machine's IP address (10.10.1.2 below; replace it with your own).
The commands assume the WinRM service is already running with an HTTP listener, which is the default on Windows Server 2012 and later; on older or client versions run Enable-PSRemoting -Force first. Open PowerShell on the host and execute:
NET USER ansible_user "your_password_here" /ADD
NET LOCALGROUP "Administrators" "ansible_user" /ADD
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $true
netsh advfirewall firewall add rule name="WinRM" dir=in action=allow protocol=TCP localport=5985 remoteip=10.10.1.2
Note that the two Set-Item lines are exactly the settings that make this setup unsuitable for production: together they let a member of Administrators authenticate in cleartext over HTTP.
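For contrast, the following script is the hardened version of the same host configuration. It is an added example, not part of the original post: it switches the host to an HTTPS listener, turns Basic authentication and unencrypted traffic back off, and scopes the firewall rule to the control machine. It assumes it runs in an elevated PowerShell session, that the control machine is 10.10.1.2, that the host runs Windows Server 2012 R2 or later (New-SelfSignedCertificate comes from the PKI module), and that a self-signed certificate is acceptable for a lab; in production bind a CA-issued certificate instead.

```powershell
# Added example (not from the original post). Assumptions: elevated session,
# control machine 10.10.1.2, Server 2012 R2+ for New-SelfSignedCertificate,
# self-signed certificate acceptable for a lab only.
$ControlMachine = '10.10.1.2'
$HostName = [System.Net.Dns]::GetHostName()   # name the certificate is issued for

# Make sure the WinRM service is running and listeners can be managed.
# -SkipNetworkProfileCheck avoids the failure on hosts with a Public network profile.
Enable-PSRemoting -Force -SkipNetworkProfileCheck | Out-Null

# Issue a self-signed server certificate for this host (lab use; replace with a CA cert).
$cert = New-SelfSignedCertificate -DnsName $HostName -CertStoreLocation 'Cert:\LocalMachine\My'

# Replace any existing HTTPS listener with one bound to the new certificate.
Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Remove-Item -Recurse -Force
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -HostName $HostName -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Reverse the two weak settings from the basic setup: no Basic auth, no cleartext.
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
# Negotiate (NTLM) stays on so the local ansible_user account can still log in;
# Kerberos additionally requires the host to be domain-joined.
Set-Item -Path WSMan:\localhost\Service\Auth\Negotiate -Value $true

# Firewall: drop the old HTTP rule and allow 5986 only from the control machine.
netsh advfirewall firewall delete rule name="WinRM" | Out-Null
netsh advfirewall firewall add rule name="WinRM HTTPS (Ansible)" dir=in action=allow `
    protocol=TCP localport=5986 remoteip=$ControlMachine | Out-Null

# Show the resulting listeners and authentication settings for a final check.
Get-ChildItem -Path WSMan:\localhost\Listener | Format-Table -AutoSize
Get-ChildItem -Path WSMan:\localhost\Service\Auth | Format-Table Name, Value -AutoSize
```

On the control side the matching group_vars/all.yml then uses ansible_port: 5986, ansible_winrm_scheme: https and ansible_winrm_transport: ntlm. While the certificate is self-signed you additionally need ansible_winrm_server_cert_validation: ignore, which disables the very check that protects the connection from interception, so treat that setting as lab-only and remove it as soon as a trusted certificate is in place.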
After the commands have completed, we can "ping" the host from the control machine to verify that the connection works. The win_ping module does not send ICMP; it runs a small PowerShell script over WinRM, so a successful reply proves that authentication and remote execution both work.
To check only the DB servers, pass that group as the host pattern:
$ ansible dbservers -i inventory.yml -m win_ping
Back on the Ansible control machine, let's add a playbook: a set of plays, each consisting of tasks, which together form the playbook.
Our goal here is to install Chocolatey, the community-driven package manager for Windows, then use it to install SQL Server and finally reboot the server.
Ansible ships with many Windows modules that offer a lot of functionality out of the box. They are prefixed with "win_", for example win_feature; check the module index for your specific needs.
Let’s continue with the creation of the playbook file:
$ vim configure-win-server-playbook.yml
In the file, describe the playbook as follows:
---
- hosts: dbservers
  tasks:
    - name: Install Chocolatey
      raw: Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

    - name: Install SQL Server
      win_chocolatey:
        name: sql-server-2017
        state: present

    - name: Reboot to apply changes
      win_reboot:
        reboot_timeout: 3600
Two caveats about the first task: the raw module runs the download-and-execute command on every run, so it is not idempotent, and it executes whatever https://chocolatey.org/install.ps1 serves at that moment. The win_chocolatey module can bootstrap Chocolatey on its own if it is missing, so the raw task can be dropped entirely if you prefer to keep the playbook idempotent and avoid the ad-hoc script download.
Execute the playbook with the following command (the target hosts come from the hosts: line inside the playbook, so no host pattern is given on the command line):
$ ansible-playbook -i inventory.yml configure-win-server-playbook.yml
Each task runs in turn and reports its execution status, and after the reboot we are all set!
Ansible is a really powerful tool, and Microsoft and the community are doing fantastic work on the Windows modules, which are written in PowerShell. The plan to bring SSH to Windows is great news too. Whether your inventory consists of physical or virtual servers, you should definitely try Ansible on your infrastructure: it saves time and money and avoids the human mistakes that come with configuring, deploying or provisioning those environments by hand.