I feel frustrated trying to find out whether the Ansible module vmware_vm_shell can run PowerShell as administrator, because a few commands that need to run with PowerShell have to be elevated to the administrator role.
Why didn't I use win_shell or win_psexec? Because I want to try running the command in the Windows VM guest without WinRM, so I don't need to access the VM by IP address; instead we can use VMware Tools as the connection in this case.
- name: Initiate New Disk
  vmware_vm_shell:
    hostname: "{{ lookup ('env', 'VMWARE_HOST' )}}"
    username: "{{ lookup ('env', 'VMWARE_USER' )}}"
    password: "{{ lookup ('env', 'VMWARE_PASSWORD' )}}"
    vm_id: "{{ vmname }}"
    vm_username: "administrator"
    vm_password: "password123"
    vm_shell: 'C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe'
    vm_shell_args: '-ExecutionPolicy Bypass -command "Initialize-Disk -Number {{newdisk_osnum}}"'
    vm_shell_cwd: 'C:\Users\administrator\Desktop'
    wait_for_process: yes
    validate_certs: no
  delegate_to: localhost
  register: initdisk_shell
Finally, after a few days full of pain, I found the way out: Ansible Tower has a Privilege Escalation option in the job template configuration. After I enabled this option, vmware_vm_shell was finally able to run the PowerShell command as administrator. So I don't need to run commands using WinRM, which would require disabling a few options that cause a few vulnerabilities.
Good day,
I'm attempting to execute a PowerShell script on a Windows host to create a Windows Server Failover Cluster. Running the script on node1 works without issue when logged in as a service account with appropriate AD permissions and using a PowerShell terminal run as Administrator.
Executing the same script via Ansible (using the service account mentioned above) results in an error stating I do not have permissions to edit node1's registry. Adding the "become" statements below gets past this error, but then I receive an error that node2 cannot be added to the cluster as I don't have permissions to its registry.
- name: Execute configure_wsfc.ps1
  win_shell: .\configure_wsfc.ps1
  args:
    chdir: '{{ temp_dir }}'
  become: true
  become_method: runas
  become_user: '{{ service_account }}'
configure_wsfc.ps1:
New-Cluster -Name $WSFCClusterName -Node ("node1", "node2") -AdministrativeAccessPoint ActiveDirectoryAndDNS -StaticAddress ("192.168.0.1", "192.168.0.2") -NoStorage
What am I missing?
Thank you.
Per the note below in the Ansible documentation, I needed to add become_password.
Because there are no guarantees an existing token will exist for a
user when Ansible runs, there's a high chance the become process will
only have access to local resources. Use become with a password if the
task needs to access network resources.
- name: Execute configure_wsfc.ps1
  ansible.windows.win_shell: .\configure_wsfc.ps1
  args:
    chdir: '{{ temp_dir }}'
  when: service_info.start_mode == 'disabled'
  vars:
    ansible_become: true
    ansible_become_method: runas
    ansible_become_user: '{{ service_account }}'
    ansible_become_password: '{{ service_account_password }}'
I am newish to Ansible and its playbooks, so please forgive me if this is something simple that I am just overlooking. My goal here is to create a Windows Server 2016/19 host; when that is created I need the hostname to be added to a specific AD group. So in my role this is what I have...
- name: Run PowerShell script to add AD PowerShell
  ansible.windows.win_powershell:
    script: |
      Import-Module ServerManager
      Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

- name: Add a domain user/group to a domain group
  community.windows.win_domain_group_membership:
    domain_server: "{{ domain_server_name }}"
    domain_username: "{{ domain_admin_user }}"
    domain_password: "{{ domain_admin_password }}"
    name: hps-winRM
    members:
      - "{{ inventory_hostname }}"
    state: present
I need to ensure that the server has the AD PowerShell module which is what the first task is doing.
The second task is where I add it to the AD group.
When I run this the second task doesn't work and I get this error...
"msg": "Could not find domain user, group, service account or computer named HOSTNAME"
This host does exist. I am actually logged into it right now. So I am not sure where the disconnect is. Any help would be greatly appreciated. Thank you.
I am working on a simple playbook that will ultimately be able to start/stop/restart windows services and I ran into an issue:
fatal: [mspdbwn1w01]: FAILED! => {
    "msg": "The powershell shell family is incompatible with the sudo become plugin"
}
Below is the playbook:
- name: Add Host
  hosts: localhost
  connection: local
  strategy: linear
  tasks:
    - name: Add Temp Host
      add_host:
        name: "{{ win_client }}"
        group: temp

- name: Target Server
  connection: winrm
  hosts: temp
  tasks:
    - name: Stop a service
      win_service:
        name: "{{ service }}"
        state: stopped
Google hasn't been much help, and I've tried everything I could find, every variation of become*.
I don't know if it matters, but due to the nature of the environment I work in, I have two separate users to log into *nix hosts vs. Windows hosts.
Any assistance or guidance would be greatly appreciated.
Your system seems to use sudo as the default become method, which is not compatible with PowerShell. For Windows (and PowerShell), you can use runas as the become method. Add:
become_method: runas
to your playbook or task. You can get a list of all available become methods with:
ansible-doc -t become -l
Example:
doas        Do As user
dzdo        Centrify's Direct Authorize
enable      Switch to elevated permissions on a network device
ksu         Kerberos substitute user
machinectl  Systemd's machinectl privilege escalation
pbrun       PowerBroker run
pfexec      profile based execution
pmrun       Privilege Manager run
runas       Run As user
sesu        CA Privileged Access Manager
su          Substitute User
sudo        Substitute User DO
You can view the documentation for a particular become method with:
ansible-doc -t become runas
If you still get errors, pay attention to the error message, as it is most probably a different one. Using privilege escalation requires the definition of a username and a password for this purpose, for example.
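Putting the two Windows answers above together (runas as the become method, plus a become password so the elevated task can reach network resources), here is a complete second play for the question's win_service case. This is an added example, not code from the original threads; the variable names win_admin_user and win_admin_password, and the idea that they are loaded from an ansible-vault encrypted vars file, are assumptions.

```yaml
# Added example (not from the original threads): runas become for a
# WinRM-managed Windows host. win_admin_user / win_admin_password are
# assumed variable names, expected to live in a vault-encrypted vars file
# rather than in the playbook itself.
- name: Target Server
  hosts: temp
  vars:
    # Transport: WinRM over HTTPS with certificate validation left on
    ansible_connection: winrm
    ansible_port: 5986
    ansible_winrm_transport: ntlm
    # Credentials used for the WinRM login itself
    ansible_user: "{{ win_admin_user }}"
    ansible_password: "{{ win_admin_password }}"
    # Privilege escalation: the powershell shell family only works with
    # the runas become plugin, never with sudo
    ansible_become: true
    ansible_become_method: runas
    ansible_become_user: "{{ win_admin_user }}"
    # Without a password the runas token is only good for local
    # resources; supply it when the task has to touch AD, shares, or
    # another node's registry (the failover-cluster case above)
    ansible_become_password: "{{ win_admin_password }}"
  tasks:
    - name: Stop a service
      ansible.windows.win_service:
        name: "{{ service }}"
        state: stopped
```

Run it with the vault file supplied, for example `ansible-playbook site.yml -e @vault.yml --ask-vault-pass -e "win_client=host01 service=Spooler"` (the file name and extra-vars are illustrative). Keeping the become password out of the playbook and inventory, and restricting the become user to an account that actually needs the elevated rights, is the least-privilege shape to aim for here.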
In my Ansible playbook I am taking two inputs from the user, and I also want to take a third input which should sometimes be optional. If the user provides a value for var3, then the playbook must execute a task; otherwise it should not. What is the way to achieve this?
I also wanted to know: I am using the open-source AWX UI for Ansible, so I choose the hosts to run the playbook on in the AWX inventory. After that, what should I write in 'hosts' of my playbook, or can it be left alone?
- name: Updating "{{ service_name }}" server codebase and starting its service.
  hosts: all
  tasks:
    - name: Stopping nginx service
      command: sudo service nginx stop
    - name: Performing git checkout in the specified directory "{{ path }}"
      command: git checkout .
      args:
        chdir: "{{ path }}"
    - name: Running npm install in the directory "{{ path }}"
      command: npm install
      args:
        chdir: "{{ path }}/node_modules"
    - name: Restarting the "{{ service_name }}" service
      command: sudo service "{{ service_name }}" restart
    - name: Restarting the nginx service
      command: sudo service nginx restart
Who is the user in this instance? You? If you are the user, then you can run
ansible-playbook -i hosts <your-playbook> -e "service_name=<yourservice>"
to dynamically change the service_name variable upon playbook execution.
You can then add the second variable to the command also, but be aware with the 'optional' third variable, as I'm sure that if you do not reference all variables in your playbook you will get an error.
EDIT: You will need to reference both the service_name and path variables when you execute the ansible-playbook command. Where is the third variable, as it doesn't appear to be in your provided code sample?
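The question's playbook reworked so that a third, optional extra-var gates a task, as an added example that is not part of the original post. The gated task (tagging the checkout with the supplied value) and the variable name var3 are assumptions made for illustration; service_name and path are the question's own variables.

```yaml
# Added example (not from the original post): optional extra-var gating a task.
# Invocation without the optional value:
#   ansible-playbook -i hosts deploy.yml -e "service_name=api path=/srv/api"
# and with it:
#   ansible-playbook -i hosts deploy.yml -e "service_name=api path=/srv/api var3=1.2.0"
- name: Updating "{{ service_name }}" server codebase and starting its service.
  hosts: all
  tasks:
    - name: Stopping nginx service
      service:
        name: nginx
        state: stopped
      become: true          # privilege escalation via become, not 'sudo' inside command strings

    - name: Performing git checkout in the specified directory "{{ path }}"
      command: git checkout .
      args:
        chdir: "{{ path }}"

    - name: Tag the checkout with the supplied version (assumed task; runs only when var3 was given)
      command: git tag "{{ var3 }}"
      args:
        chdir: "{{ path }}"
      # 'is defined' handles a missing -e entirely; the length test also
      # skips an empty value such as var3= from a form field
      when: var3 is defined and (var3 | string | length) > 0

    - name: Running npm install in the directory "{{ path }}"
      command: npm install
      args:
        chdir: "{{ path }}"

    - name: Restarting the "{{ service_name }}" service
      service:
        name: "{{ service_name }}"
        state: restarted
      become: true

    - name: Restarting the nginx service
      service:
        name: nginx
        state: restarted
      become: true
```

A variable that is referenced only inside a `when: var3 is defined ...` guard does not cause an undefined-variable error when it is absent, which is what makes the third input optional. For the AWX part of the question, `hosts: all` is the usual choice: the inventory and limit selected on the job template decide which hosts the play actually reaches, so the playbook does not need to name them.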
I am running Ansible v2.5 and trying to run a basic "show clock" command on my switch.
However, it errors out saying that it is unable to set terminal parameters.
The following is my yml file:
---
- hosts: ios_devices
  gather_facts: no
  connection: local
  vars_prompt:
    - name: "mgmt_username"
      prompt: "Username"
      private: no
    - name: "mgmt_password"
      prompt: "Password"
  tasks:
    - name: SYS | Define provider
      set_fact:
        provider:
          host: "{{ inventory_hostname }}"
          username: "{{ mgmt_username }}"
          password: "{{ mgmt_password }}"
    - name: IOS | Show clock
      ios_command:
        provider: "{{ provider }}"
        commands:
          - show clock
      register: clock
    - debug: msg="{{ clock.stdout }}"
And on running the playbook I receive the following error:
fatal: [x.x.x.x]: FAILED! => {"msg": "unable to set terminal parameters"}
The error unable to set terminal parameters means that one (or both) of the following commands failed:
terminal length 0
terminal width 512
Try running those commands manually on your Cisco IOS switch to check they are supported.
I have faced the same problem but solved it after using the "asa_command" module:
- hosts: ASA
  connection: local
  gather_facts: no
  vars:
    cli:
      host: "{{ ansible_host }}"
      username: "{{ ansible_user }}"
      password: "{{ ansible_password }}"
      authorize: yes
      auth_pass: "{{ ansible_password }}"
  tasks:
    - name: run multiple commands and evaluate the output
      asa_command:
        commands:
          - show service-policy
          - show running-config
        provider: "{{ cli }}"
      register: output
    - debug:
        msg: "{{ output.stdout_lines }}"
Yes, you have to be able to set the following two commands:
terminal length 0
and
terminal width 512
You don't need specific privileges to be able to issue these commands. Both can be issued from the Cisco's regular CLI exec mode.
Check your username's "commands" authorization privileges; that could be the issue. You may have a limited command authorization configured on your IOS device. If you have access to the "show running" command, try checking aaa authorization using the following:
show run | i aaa authorization commands
If you see it defined on your router/switch, you'll need to talk to your network admin and make sure they allow you, or the Ansible user you are using, to issue the "terminal length" and "terminal width" commands. I am not aware of any other way around this.
Just FYI, the "terminal" command is limited to the user's current active session and will NOT affect any router operational parameters in any way. Once you log out, the terminal parameters will reset to their defaults.
As for the asa_command workaround, that's not really recommended. ASA and IOS have different output formatting, so although it may work for some cases, it is guaranteed to fail in other cases.
If you are using an ASA with PIXOS and having the same problem, use the "Pager" command to set the length of your terminal.
Please check out the following Cisco Community link for more information on setting terminal length on different Cisco devices:
Show the Complete Configuration without Breaks/Pauses on Cisco Router/Switches, ASA Firewall and WLC (Wireless LAN Controller)
I just happened to get this issue as well, but for IOS XR. The problem for me is that I had created a set of new and unique credentials just for Ansible to access my devices and did not set the proper privileges for these. In my specific case, configuring the new set of credentials to be part of the "sysadmin" group solved the problem for me:
Cisco-IOS-XR Device
username ansible
secret ansible
**group sysadmin**
In the case of IOS / IOS XE devices, you should check the aaa configuration for the proper privileges as well.
Last but not least, for ASA, I assume it would be exactly the same.