2025-02-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
I. Brief introduction
1. Description
Windows servers inevitably turn up in day-to-day automated operations and maintenance work. Most open source tools handle batch management of Windows poorly compared with the convenience of Linux, yet some businesses really do need to run on Windows. After a lot of searching, I found that Ansible (developed in Python and since acquired by Red Hat) has a good solution; I am writing it up here for future reference and discussion.
2. Experimental environment
Server side:
CentOS7.4_x64 with the bundled Python 2.7.5, IP: 172.16.3.167
Ansible installed from source
Managed Windows side:
Win7sp1_x32, IP: 172.16.3.188; needs PowerShell 3.0+, with the WinRM service enabled and the firewall rules opened
3. Experimental objectives
Transfer files, manage accounts, execute scripts and perform other batch automation on Windows through Ansible's modules.
II. Ansible configuration
1. Introduction
Ansible has supported Windows since version 1.7, but the management machine must be a Linux system, and communication with the remote host changes from SSH (as used for Linux) to PowerShell. The management machine needs the Python pywinrm module installed, and the managed host needs PowerShell 3.0+ and Management Framework 3.0+. In testing, Windows 7 SP1 and Windows Server 2008 R2 and above can communicate with Ansible normally after simple configuration.
2. Environmental preparation
The following configurations are under CentOS7.4_x64
Install pip and related dependencies
Download pip:
    # wget https://bootstrap.pypa.io/get-pip.py
    # python get-pip.py
Install the dependencies:
    # pip install pywinrm paramiko PyYAML Jinja2 httplib2 six
3. Install ansible with source code
    # git clone https://github.com/ansible/ansible.git --recursive
    # cd ./ansible
    # source ./hacking/env-setup
Running the env-setup script means that Ansible runs directly from the source tree. Note: you can add this step to the boot sequence so that it runs automatically.
The default inventory file is /etc/ansible/hosts:
    # cat /etc/ansible/hosts
    [win7]
    172.16.3.188 ansible_ssh_user="virtual" ansible_ssh_pass="myself." ansible_ssh_port=5985 ansible_connection="winrm" ansible_winrm_server_cert_validation=ignore
Note that each host's settings go on a single line, separated by spaces. [win7] is the name of the host group; the line below it holds the IP address and the connection information.
The Ansible management side is now configured. The managed Win7 side has not been configured yet, and that takes a little more work.
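An added example (not from the original article or the Ansible project): a Python check that parses an inventory host line like the one above and reports settings that weaken the WinRM connection. The finding names and the HARDENED line are constructed for illustration; the scheme and transport defaults are taken from Ansible's Windows documentation (http only when the port is 5985, plaintext Basic when no transport is set).

```python
import shlex

# Constructed samples: the inventory entry from this page, and a hardened
# variant (HTTPS listener on 5986, NTLM, certificate checked, no inline password).
WEAK = ('172.16.3.188 ansible_ssh_user="virtual" ansible_ssh_pass="myself." '
        'ansible_ssh_port=5985 ansible_connection="winrm" '
        'ansible_winrm_server_cert_validation=ignore')
HARDENED = ('172.16.3.188 ansible_user=virtual ansible_port=5986 '
            'ansible_connection=winrm ansible_winrm_scheme=https '
            'ansible_winrm_transport=ntlm '
            'ansible_winrm_server_cert_validation=validate')


def parse_host_line(line):
    """Split an INI-inventory host line into (host, {variable: value})."""
    host, *pairs = shlex.split(line)          # shlex strips the quotes
    return host, dict(p.split("=", 1) for p in pairs)


def audit_host_line(line):
    """Return (host, findings) for one WinRM inventory host line."""
    host, v = parse_host_line(line)

    def first(*names):                        # old and new variable spellings
        return next((v[n] for n in names if n in v), None)

    port = first("ansible_port", "ansible_ssh_port")
    # Assumed defaults (per Ansible docs): http only when the port is 5985,
    # plaintext (Basic) auth when no transport is given.
    scheme = v.get("ansible_winrm_scheme", "http" if port == "5985" else "https")
    transport = v.get("ansible_winrm_transport",
                      "plaintext" if scheme == "http" else "ssl")
    findings = []
    if scheme == "http" and transport in ("basic", "plaintext"):
        findings.append("cleartext-credentials")     # Basic auth is only base64
    if v.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("cert-validation-disabled")  # server is not authenticated
    if first("ansible_password", "ansible_ssh_pass"):
        findings.append("inline-password")           # belongs in Ansible Vault
    return host, findings


if __name__ == "__main__":
    for label, line in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_host_line(line))
```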
III. Win7 configuration of the managed end
1. Brief introduction to the environment
Unlike Linux, a managed Windows system needs the following configuration in advance:
Install .NET Framework 3.0+ (a download may be required)
Set the PowerShell execution policy to remotesigned (needs to be changed)
Upgrade PowerShell to 3.0+ (Win7 ships with 2.0)
Set up Windows remote management, full English name WS-Management (WinRM)
2. Environment configuration
A. Upgrade or install Framework 4.5
If the installed Framework version does not meet the requirement, download it from Microsoft's official site.
B. Change the powershell policy to remotesigned
C. Upgrade PowerShell to 3.0
Save the following script as upgrade_to_ps3.ps1
    # Powershell script to upgrade a PowerShell 2.0 system to PowerShell 3.0
    # based on http://occasionalutility.blogspot.com/2013/11/everyday-powershell-part-7-powershell.html
    #
    # some Ansible modules that may use Powershell 3 features, so systems may need
    # to be upgraded. This may be used by a sample playbook. Refer to the windows
    # documentation on docs.ansible.com for details.
    #
    # - hosts: windows
    #   tasks:
    #     - script: upgrade_to_ps3.ps1

    # Get version of OS

    # 6.0 is 2008
    # 6.1 is 2008 R2
    # 6.2 is 2012
    # 6.3 is 2012 R2

    if ($PSVersionTable.psversion.Major -ge 3)
    {
        write-host "Powershell 3 Installed already; You don't need this"
        Exit
    }

    $powershellpath = "C:\powershell"

    function download-file
    {
        param ([string]$path, [string]$local)
        $client = new-object system.net.WebClient
        $client.Headers.Add("user-agent", "PowerShell")
        $client.downloadfile($path, $local)
    }

    if (!(test-path $powershellpath))
    {
        New-Item -ItemType directory -Path $powershellpath
    }

    # .NET Framework 4.0 is necessary.

    #if (($PSVersionTable.CLRVersion.Major) -lt 2)
    #{
    #    $DownloadUrl = "http://download.microsoft.com/download/B/A/4/BA4A7E71-2906-4B2D-A0E1-80CF16844F5F/dotNetFx45_Full_x86_x64.exe"
    #    $FileName = $DownLoadUrl.Split('/')[-1]
    #    download-file $downloadurl "$powershellpath\$filename"
    #    ."$powershellpath\$filename" /quiet /norestart
    #}

    # You may need to reboot after the .NET install if so just run the script again.

    # If the Operating System is above 6.2, then you already have PowerShell Version > 3
    if ([Environment]::OSVersion.Version.Major -gt 6)
    {
        write-host "OS is new; upgrade not needed."
        Exit
    }

    $osminor = [environment]::OSVersion.Version.Minor

    $architecture = $ENV:PROCESSOR_ARCHITECTURE

    if ($architecture -eq "AMD64")
    {
        $architecture = "x64"
    }
    else
    {
        $architecture = "x86"
    }

    if ($osminor -eq 1)
    {
        $DownloadUrl = "http://download.microsoft.com/download/E/7/6/E76850B8-DA6E-4FF5-8CCE-A24FC513FD16/Windows6.1-KB2506143-" + $architecture + ".msu"
    }
    elseif ($osminor -eq 0)
    {
        $DownloadUrl = "http://download.microsoft.com/download/E/7/6/E76850B8-DA6E-4FF5-8CCE-A24FC513FD16/Windows6.0-KB2506146-" + $architecture + ".msu"
    }
    else
    {
        # Nothing to do; In theory this point will never be reached.
        Exit
    }

    $FileName = $DownLoadUrl.Split('/')[-1]
    download-file $downloadurl "$powershellpath\$filename"

    Start-Process -FilePath "$powershellpath\$filename" -ArgumentList /quiet
The script comes from upgrade_to_ps3.ps1 on GitHub.
Right-click the script and run it as administrator, then wait a few minutes (how long depends on the download speed; as long as a powershell process is visible in Task Manager it is still working). The system then restarts automatically and upgrades PowerShell to 3.0.
View powershell information after reboot
D. Set up the Windows remote management (WS-Management, WinRM) service
The WinRM service is not enabled by default. Note that the following operations are performed in cmd, not in PowerShell.
Basic configuration of the WinRM service:
    winrm quickconfig

    C:\Users\san02> winrm quickconfig
    The WinRM service is already running on this computer.
    WinRM is not set to manage this computer and allow remote access to it.
    The following changes must be made:

    Create a WinRM listener on HTTP://* to accept requests from WS-Man for any IP on this machine.
    Enable WinRM firewall exception.

    Do you make these changes [y/n]? y

    WinRM has been updated for remote administration.

    Create a WinRM listener on HTTP://* to accept requests from WS-Man for any IP on this machine.
    WinRM Firewall exception is enabled.

Check the WinRM service listener:

    winrm e winrm/config/listener

    C:\Users\san02> winrm e winrm/config/listener
    Listener
        Address = *
        Transport = HTTP
        Port = 5985
        Hostname
        Enabled = true
        URLPrefix = wsman
        CertificateThumbprint
        ListeningOn = 127.0.0.1, 172.16.3.137, ::1, fe80::100:7f:fffe, fe80::5efe:172.16.3.137, fe80::4865:97de:bb1f:877

Set Basic auth to true (the default is false):

    winrm set winrm/config/service/auth @{Basic="true"}

    C:\Users\san02> winrm set winrm/config/service/auth @{Basic="true"}
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed

Allow unencrypted mode:

    winrm set winrm/config/service @{AllowUnencrypted="true"}

    C:\Users\san02> winrm set winrm/config/service @{AllowUnencrypted="true"}
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
    (The following is omitted.)
At this point, the environment configuration of the managed Win7 side is complete!
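An added example, not part of the original article: the two `winrm set` commands above turn on Basic authentication and allow unencrypted traffic on an HTTP listener, so the account password crosses the network base64-encoded only. This Python check parses winrm's indented output and flags that combination; the sample text is constructed from the output shown above (abridged) and the finding names are hypothetical.

```python
# Constructed sample, shaped like the winrm output shown above after the two
# `winrm set` commands (abridged), plus the HTTP listener.
SERVICE = """\
Service
    MaxConnections = 300
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
"""
LISTENER = """\
Listener
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
"""


def parse_winrm(text):
    """Flatten indented 'Key = value' output: {'Service/Auth/Basic': 'true'}."""
    out, stack = {}, []                      # stack holds (indent, section name)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()                      # leave sections that have ended
        key, sep, value = raw.strip().partition("=")
        if sep:
            out["/".join([n for _, n in stack] + [key.strip()])] = value.strip()
        else:                                # section header or empty-valued key
            stack.append((indent, key.strip()))
    return out


def audit_winrm(service_text, listener_text):
    """Return finding codes for settings that expose credentials on the wire."""
    cfg = {**parse_winrm(service_text), **parse_winrm(listener_text)}
    on = lambda k: cfg.get(k, "false").lower() == "true"
    findings = []
    if on("Service/AllowUnencrypted"):
        findings.append("unencrypted-allowed")
    if on("Service/Auth/Basic"):
        findings.append("basic-auth-enabled")
    if len(findings) == 2 and cfg.get("Listener/Transport", "").upper() == "HTTP":
        findings.append("basic-over-http")   # password is base64 only, no TLS
    return findings
```

An empty result is what a host with an HTTPS listener, `AllowUnencrypted = false` and `Basic = false` produces.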
IV. Testing Ansible management of Windows
1. Check the connection status
    [root@localhost ~]# ansible win7 -m win_ping
    172.16.3.188 | SUCCESS => {
        "attempts": 1,
        "changed": false,
        "failed": false,
        "ping": "pong"
    }
2. Obtain Windows Facts
    [root@localhost ~]# ansible win7 -m setup
    172.16.3.188 | SUCCESS => {
        "ansible_facts": {
            "ansible_architecture": "32-bit",
            "ansible_bios_date": "12/01/2006",
            "ansible_bios_version": "VirtualBox",
            "ansible_date_time": {
                "date": "2018-01-24",
                "day": "24",
                "epoch": "1516816620.86637",
                "hour": "17",
                "iso8601": "2018-01-24T09:57:00Z",
                "iso8601_basic": "20180124T175700861308",
                "iso8601_basic_short": "20180124T175700",
                "iso8601_micro": "2018-01-24T09:57:00.861308Z",
                "minute": "57",
                "month": "01",
                "second": "00",
    (The following is omitted.)
3. Execute commands remotely
Remote command execution comes in two forms. The raw module runs native Windows commands remotely, such as "ipconfig".
The win_command module, an Ansible extension, can also run commands remotely, such as "whoami".
By default the output is garbled, and the winrm module file needs to be modified:
    # sed -i "s#tdout_buffer.append(stdout)#tdout_buffer.append(stdout.decode('gbk').encode('utf-8'))#g" /usr/lib/python2.7/site-packages/winrm/protocol.py
    # sed -i "s#stderr_buffer.append(stderr)#stderr_buffer.append(stderr.decode('gbk').encode('utf-8'))#g" /usr/lib/python2.7/site-packages/winrm/protocol.py
a. Get the IP address
    [root@localhost ~]# ansible win7 -m raw -a "ipconfig"
    172.16.3.188 | SUCCESS | rc=0 >>

    Windows IP Configuration

    Ethernet adapter Local connection:

       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::c55d:90f1:8d60:5d97
       IPv4 Address. . . . . . . . . . . : 172.16.3.188
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : fe80::daae:90ff:fe02:9d81
                                           172.16.3.1
    (The rest is omitted.)
b. Get the current identity remotely with the win_command module
    [root@localhost ansible]# ansible win7 -m win_command -a "whoami"
    172.16.3.188 | SUCCESS | rc=0 >>
    virtual_san\virtual
c. Move a file
    [root@localhost ansible]# ansible win7 -m raw -a "cmd /c 'move /y d:\issue c:\issue'"
    172.16.3.188 | SUCCESS | rc=0 >>
    1 file(s) moved
d. Create a folder
    [root@localhost ansible]# ansible win7 -m raw -a "mkdir d:\\tst"
    172.16.3.188 | SUCCESS | rc=0 >>

        Directory: d:\

    Mode          LastWriteTime       Length Name
    d----         2018-1-25 16:44            tst
e. Delete a file or directory
    [root@localhost ansible]# ansible win7 -m win_file -a "path=D:\1.txt state=absent"
    172.16.3.188 | SUCCESS => {
        "attempts": 1,
        "changed": true,
        "failed": false
    }
f. End a program (information about running programs can be obtained with tasklist)
    [root@localhost ansible]# ansible win7 -m raw -a "taskkill /F /IM QQ.exe /T"
    172.16.3.188 | SUCCESS | rc=0 >>
    SUCCESS: The process with PID 3504 (child process of PID 2328) has been terminated
4. Transfer a file to the managed Win7 end
Copy the /etc/issue file to the current directory (or reference /etc/issue directly) and transfer it to drive D: on the target host (the file name can be changed).
    [root@localhost ~]# ansible win7 -m win_copy -a "src=issue dest=D:\issue"
    172.16.3.188 | SUCCESS => {
        "attempts": 1,
        "changed": true,
        "checksum": "5c76e3b565c91e21bee303f15c728c71e6b39540",
        "dest": "D:\\issue",
        "failed": false,
        "operation": "file_copy",
        "original_basename": "issue",
        "size": 23,
        "src": "issue"
    }
5. Add users
    [root@localhost ansible]# ansible win7 -m win_user -a "name=san2 password=123.c0m groups=Administrators"
    172.16.3.188 | SUCCESS => {
        "account_disabled": false,
        "account_locked": false,
        "attempts": 1,
        "changed": true,
        "description": "",
        "failed": false,
        "fullname": "san2",
        "groups": [
            {
                "name": "Administrators",
                "path": "WinNT://WORKGROUP/VIRTUAL_SAN/Administrators"
            }
        ],
        "name": "san2",
        "password_expired": true,
        "password_never_expires": false,
        "path": "WinNT://WORKGROUP/VIRTUAL_SAN/san2",
        "sid": "S-1-5-21-2708087092-4192450616-382865091-1004",
        "state": "present",
        "user_cannot_change_password": false
    }
From the practice above: to manage Windows in batches with Ansible, the prerequisite is that the WinRM service, which is based on PowerShell, is configured on the Windows host; Ansible then manages the host remotely through its modules and the WinRM service. Only a few common management modules are listed here; for more useful modules, including automatic configuration, refer to the official list of available Windows modules.