Ansible is a configuration management, provisioning and deployment tool which is quickly gaining popularity in the DevOps areas. Managing and working on various platforms including Microsoft Windows.
What makes Ansible stand out of other configuration management tools is that it’s agentless. Which means no software is required on the target host. Ansible uses SSH for communication with Unix based hosts and WinRM for Windows hosts.
Recent announcement from Microsoft’s team is an upcoming fork of OpenSSH for Windows, which would make things ever smoother for DevOps teams managing Windows infrastructure.
In this post we will get started with Ansible by:
- Setup of the control host
- Configure Windows server in order to receive commands from Ansible
- Install Chocolatey and SQL Server on the target host
Ansible requires PowerShell version 3.0 and .NET Framework 4.0 or newer to function on older operating systems like Server 2008 and Windows 7.
If you covered the requirements, let’s get started with the first step.
Setup Ansible control host
As previously mentioned Ansible is agentless, but we need control host, typically Linux which talks to all of our hosts.
Ansible can’t run on Windows but there’s a trick
Currently Ansible can only be installed on Unix based machines, but If you are using Windows as your primary OS, you can install Ubuntu subsystem. Read this for further installation details. If you are non Windows user please continue reading.
After the installation of Ubuntu subsystem on Windows (if you had so), lets proceed with the installation of Ansible by opening terminal.
Install Ubuntu repository management:
$ sudo apt-get install software-properties-common
Lets update our system:
$ sudo apt-get update
Add Ansible repository:
$ sudo apt-add-repository ppa:ansible/ansible
Then Install Ansible:
$ apt-get install ansible
Add Python package manager:
$ apt install python-pip
Add Python WinRM client:
$ pip install pywinrm
Install XML parser:
$ pip install xmltodict
If every thing went OK you should be able to get the current version:
$ ansible --version
So far, so good. Lets continue with configuration of the tool.
Inventory – list of the hosts
Inventory.yml is the main configuration file of your hosts addresses separated in groups with descriptive names.
Let’s create that file and set the example below:
$ vim inventory.yml
Enter the IP/DNS addresses for your group:
[dbservers] mydbserver1.dns.example 126.96.36.199 [webservers] mywebserver1.dns.example 188.8.131.52
Configure the connection
We are a few steps away from establish connection to the remote servers. Let’s configure the connection itself – credentials, ports, type of connection. The convention is to name the config file based on your group of hosts.
If you want all of your inventory to use that same configuration file you can name it all.yml. We will use all.yml as all servers will have same credentials and connection type.
Let’s begin by creating folder:
$ mkdir group_vars
Create the file and edit it:
$ vim group_vars/all.yml
Add the configuration details:
ansible_user: ansible_user ansible_password: your_password_here ansible_port: 5985 ansible_connection:winrm ansible_winrm_transport: basic ansible_winrm_operation_timeout_sec: 60 ansible_winrm_read_timeout_sec: 70
This credentials will be used to access the remote hosts with connection set to WinRM basic authentication. We will create them in the next section.
We use basic authentication but for your production environment you probably want to use more secure schema. See this article for more info.
Configure Windows hosts
Our Windows hosts need to be configured before execute any commands on it. The following PowerShell script will do:
- Create the Ansible user we defined in all.yml
- Add the user to the Administrators group
- Set WinRM authentication to basic and allow unencrypted connections
- Add Firewall rule for WinRM with your control host IP address
Open PowerShell on the host and execute the script:
NET USER ansible_user "your_password_here" /ADD NET LOCALGROUP "Administrators" "ansible_user" /ADD Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $true netsh advfirewall firewall add rule name="WinRM" dir=in action=allow protocol=TCP localport=5985 remoteip=10.10.1.2
After the execution is completed we can try to ping our host from the control host to check that connection is OK. We ping only the DB servers:
$ ansible dbservers -i inventory.yml -m win_ping
Write our first playbook
Getting back to our Ansible control host to add a playbook – set of tasks or plays which together form the playbook.
The target is to install Chocolatey which is the community driven package manager for Windows. After that we will install SQL Server and reboot the server.
Ansible come with many modules for Windows with a lot of functionalities out of the box. They are prefixed with “win_” like for example. win_feature. You can check more here for your specific needs.
Let’s continue with the creation of the playbook file:
$ vim configure-win-server-playbook.yml
In the file describe the playbook as follows:
--- - hosts: dbservers tasks: - name: Install Chocolatey raw: Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')) - name: Install SQL Server win_chocolatey: name: sql-server-2017 state: present - name: Reboot to apply changes win_reboot: reboot_timeout: 3600
Execute the playbook by typing:
$ ansible-playbook dbservers -i inventory.yml configure-win-server-playbook.yml
You can see Ansible’s nice descriptive logging. After reboot Ansible should give you the report and we are done.
Ansible is really powerful tool. Microsoft and the community is doing really fantastic work for porting Ansible modules to Windows which are written in PowerShell. Yet the plan to have SSH feature on Windows is great too. No matter if your inventory is of physical or virtual servers, you should definitely try out Ansible on your infrastructure for saving time, money and of course avoid human mistakes by manually configure, deploy or provision those environments.