I am new to Ansible and am trying to use the win_ping module to ping a Windows Server 2016 machine (EC2 instance). Ansible is on a RHEL 7.3 control machine, and I have pip and pywinrm installed on the control machine:
sudo pip install "pywinrm>=0.2.2"
This is my inventory file:
test ansible_connection=winrm ansible_host=34.210.164.63
[test_group]
test
[super_group:children]
test_group
[super_group:vars]
ansible_user=Administrator
ansible_password=XXXX
ansible_port=5986
ansible_winrm_server_cert_validation=ignore
This is the command I tried:
ansible all -i inventory -m win_ping
I am getting this error:
test | UNREACHABLE! => {
"changed": false,
"msg": "ssl: HTTPSConnectionPool(host='34.210.164.63', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.VerifiedHTTPSConnection object at 0x30df350>, 'Connection to 34.210.164.63 timed out. (connect timeout=30)'))",
"unreachable": true
}
In Windows Server 2016, Server Manager Remoting is already enabled by default; I validated it using the Configure-SMremoting.exe -enable command. I did not make any configurations on the Windows Server since this remoting is already enabled. Please let me know how to resolve this issue.
EDIT:
Not sure if these steps are required or not, but I tried enabling PowerShell Remoting using this command:
Enable-PSRemoting -Force
Then I tried powershell.exe -File ConfigureRemotingForAnsible.ps1 and I am getting this error:
At C:\Users\Administrator\Desktop\ConfigureRemotingForAnsible.ps1:128 char:13
+ </a> <a href="/business" class="js-selected-navigation-item na ...
+ ~
The '<' operator is reserved for future use.
At C:\Users\Administrator\Desktop\ConfigureRemotingForAnsible.ps1:130 char:13
+ </a> <a href="/explore" class="js-selected-navigation-item nav ...
+ ~
The '<' operator is reserved for future use.
At C:\Users\Administrator\Desktop\ConfigureRemotingForAnsible.ps1:132 char:17
+ </a> <a href="/marketplace" class="js-selected-navigation- ...
+ ~
The '<' operator is reserved for future use.
At C:\Users\Administrator\Desktop\ConfigureRemotingForAnsible.ps1:134 char:13
+ </a> <a href="/pricing" class="js-selected-navigation-item nav ...
+ ~
The '<' operator is reserved for future use.
At C:\Users\Administrator\Desktop\ConfigureRemotingForAnsible.ps1:136 char:11
+ </a> </nav>
+ ~
The '<' operator is reserved for future use.
At C:\Users\Administrator\Desktop\ConfigureRemotingForAnsible.ps1:3221 char:227
+ ... g:0;display:inline"><input name="utf8" type="hidden" value="✓" ...
+ ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At C:\Users\Administrator\Desktop\ConfigureRemotingForAnsible.ps1:3224 char:10
+ </form> </div>
+ ~
The '<' operator is reserved for future use.
At C:\Users\Administrator\Desktop\ConfigureRemotingForAnsible.ps1:3252 char:11
+ <li>© 2017 <span title="0.13767s from github-fe-df0f95a.cp ...
+ ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At C:\Users\Administrator\Desktop\ConfigureRemotingForAnsible.ps1:3252 char:23
+ <li>© 2017 <span title="0.13767s from github-fe-df0f95a.cp ...
+ ~
The '<' operator is reserved for future use.
At C:\Users\Administrator\Desktop\ConfigureRemotingForAnsible.ps1:3252 char:29
+ ... 2017 <span title="0.13767s from github-fe-df0f95a.cp1-iad.github.net ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Unexpected token 'title="0.13767s from github-fe-df0f95a.cp1-iad.github.net">GitHub</span>' in expression or statement.
Not all parse errors were reported. Correct the reported errors and try again.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : RedirectionNotSupported
I guess I need to enable PowerShell remoting on my Windows Server to resolve this issue, but I am not sure how to since I get the above error. Please suggest.
I would go over the Windows logs. If they do not contain the info you need, increase the verbosity.
Ping relies on WinRM being up. WinRM needs execution policy changes, service configuration, SSL certificates, etc.
Maybe the safest path is to reconfigure Ansible using the documentation.
PowerShell remoting must be configured. In EC2 you can do this by adding user data and running the script there; just paste the commands there.
Also, your Ansible master machine must be able to connect to your target host, usually done by allowing it via a security group, and creating the instance in that group.
So, in order to debug your stuff you should present the code/actions you did to set up security groups, possibly routes, and instance creation.
This is probably an AWS-side issue, not an Ansible issue. Is your Ansible server allowed to talk to your Windows EC2 instance via security group rules? By default everything is denied. You'll need to allow ICMP coming from the Ansible server's address in the Windows EC2 instance's security group rules as well as from the Windows server in the Ansible server's security group rules (if your Ansible server is also an EC2 instance). If the Ansible server is not an EC2 instance, make sure your firewall isn't blocking ICMP in or out for some reason.
Are these two servers on the same subnet/VPC within your account? If not, you'll have to create a VPC peering connection between the VPCs they are located on and edit route tables to point VPCs to the peering connection if traffic is coming from / going to the other VPC. The purpose of this is so that the two instances in separate VPCs can recognize and communicate with each other.
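The error in the question is a TCP connect timeout on port 5986, so a quick probe from the control machine separates a dropped connection from a missing listener before any Ansible debugging. This is an added example, not part of the original posts; `probe_tcp`, `diagnose` and `HINTS` are hypothetical names.

```python
import socket
import sys

WINRM_HTTPS_PORT = 5986  # ansible_port from the inventory in the question

HINTS = {
    "open": "TCP path works; what remains is TLS, credentials or WinRM settings.",
    "closed": "Host answered with a reset, which usually means nothing listens "
              "on the port: the WinRM HTTPS listener is not configured.",
    "filtered": "No answer to the handshake (Ansible's ConnectTimeoutError): "
                "check the security group inbound rule for this TCP port, "
                "routing, and Windows Firewall.",
    "error": "Connection failed before the handshake completed "
             "(name resolution, routing or host unreachable).",
}


def probe_tcp(host, port=WINRM_HTTPS_PORT, timeout=5.0):
    """Return 'open', 'closed', 'filtered' or 'error' for one TCP connect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except (socket.timeout, TimeoutError):
        return "filtered"   # packets silently dropped somewhere on the path
    except ConnectionRefusedError:
        return "closed"     # host reachable, port has no listener
    except OSError:
        return "error"      # DNS failure, no route, and similar


def diagnose(host, port=WINRM_HTTPS_PORT, timeout=5.0):
    """Return (state, hint) so the result can be logged or asserted on."""
    state = probe_tcp(host, port, timeout)
    return state, HINTS[state]


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python probe.py <ansible_host>
    print("%s -> %s: %s" % ((sys.argv[1],) + diagnose(sys.argv[1])))
```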
I am probably late to the party, but I noticed the error you got when running powershell.exe -File ConfigureRemotingForAnsible.ps1. It's complaining about the syntax, and as far as I can tell you have HTML in that file. Did you maybe save the GitLab HTML page from the script?
Download the raw file here: https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 and try again.
I'm trying to deploy a multi-node OpenStack infrastructure with kolla-ansible on Ubuntu 20.04.4.
ansible 4.10.0
ansible-core 2.11.11
kolla-ansible 13.0.1
When I execute the command:
kolla-ansible -i /etc/kolla/multinode pull
or
kolla-ansible -i /etc/kolla/multinode deploy
I'm getting this error:
fatal: [controller]: FAILED! => {"msg": "template error while templating string: No filter named 'select_services_enabled_and_mapped_to_host'.. String: {{ lookup('vars', (kolla_role_name | default(project_name)) + '_services') | select_services_enabled_and_mapped_to_host }}"}
fatal: [compute01]: FAILED! => {"msg": "template error while templating string: No filter named 'select_services_enabled_and_mapped_to_host'.. String: {{ lookup('vars', (kolla_role_name | default(project_name)) + '_services') | select_services_enabled_and_mapped_to_host }}"}
I have 1 deployment node, 1 controller, and 1 compute node.
It doesn't seem like a pull issue based on the error message. It seems like another configuration problem with your Neutron. The default multi-node config requires 3 controllers. I don't know your exact multi-node config for kolla-ansible, but if you only want 1 controller and 1 compute you can do something different:
Use the all-in-one file for your setup. It should be in the path kolla-ansible/ansible/inventory/all-in-one. Modify this file by replacing localhost in the [compute] section with the name of the host where the compute should be created, and remove the ansible_connection=local. This always worked for me when I created a test deployment with 1 controller and X compute nodes.
Only if you want the controller not on the host where you execute kolla-ansible, replace all other occurrences of localhost with the name of your controller node and, of course, remove the ansible_connection=local everywhere.
Just to be sure: don't forget to write the name of the host with its IP address in the /etc/hosts file on the node where you execute the kolla-ansible run.
Firstly, what's the result of kolla-ansible prechecks -i multinode_or_all-in-one command?
Dive into the select_services_enabled_and_mapped_to_host method of the kolla-ansible project and you will find some clues. The method's return value depends on service_enabled and service_mapped_to_host.
So, there are two steps to clear your problem:
1. Check the service enabled setting in /etc/kolla/globals.yml and kolla-ansible/ansible/group_vars/all.yml.
You can use this file(globals.yml) to override any variable throughout Kolla. Additional options can be found in the 'kolla-ansible/ansible/group_vars/all.yml' file.
2. Check whether the host inventory in the multinode or all-in-one file is consistent with the real information.
If everything is OK, I think you should redeploy it, referring to the kolla-ansible quickstart.
Current configuration:
1 SharePoint 2019 farm (single server installation)
3 Workflow Manager Servers
Workflow Manager servers are load balanced
Workflow Manager is set to work only on https
Workflow Manager SSL certificate with DNS=*.domain.com & all 3 server names
Required permissions are in place
URLs (SharePoint web application/site and wfm) are accessible both ways
Running with farm admin account:
Register-SPWorkflowService -SPSite "https://siteurl" -WorkflowHostUri "https://wfmurl:12290/" -Force -Verbose
Throws the following error:
Register-SPWorkflowService : Failed to query the OAuth S2S metadata endpoint at URI 'https://webappurl/_layouts/15/metadata/json/1'. Error details: 'There was an error deserializing
the object of type Microsoft.Workflow.Management.Security.OAuthS2SJsonMetadataDocument+JsonMetadataDocumentContract. Encountered unexpected character '<'.'. HTTP headers received from the server -
ActivityId: 6de1c881-b1ca-411d-9004-ceea397d4453. NodeId: SERVERNAME. Scope: /DEV. Client ActivityId : bdeb429f-7bb1-e0c1-d7d1-f868a175396b.
At line:1 char:1
+ Register-SPWorkflowService -SPSite https://webappurl ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (Microsoft.Share...WorkflowService:RegisterSPWorkflowService) [Register-SPWorkflowService], InvalidRequestException
+ FullyQualifiedErrorId : Microsoft.SharePoint.WorkflowServices.PowerShell.RegisterSPWorkflowService
Any input is appreciated.
It's related to having installed the April 2020 CU, KB 4484292 and KB 4484291.
After a call with an MS Premier Field Engineer, it was resolved as described at http://thewindowsupdate.com/2020/06/04/sharepoint-2019-issue-with-sharepoint-2013-workflows-post-april-2020-cu/
You need to remove the existing SPTrustedSecurityTokenIssuer and then register it as below:
Remove-SPTrustedSecurityTokenIssuer -Identity 9854855e-cea8-457f-8293-e405d4055ffb
(id from Get-SPTrustedSecurityTokenIssuer collection)
New-SPTrustedSecurityTokenIssuer -Name "00000005-0000-0000-c000-000000000000" -MetadataEndPoint 'http://server:12291/$System/$Metadata/json/1' -RegisteredIssuerName "00000005-0000-0000-c000-000000000000#*"
or
New-SPTrustedSecurityTokenIssuer -Name "00000005-0000-0000-c000-000000000000" -MetadataEndPoint 'https://server:12290/$System/$Metadata/json/1' -RegisteredIssuerName "00000005-0000-0000-c000-000000000000#*"
PS: There is no concern here with Remove-SPTrustedSecurityTokenIssuer; it is easy to go.
thanks!
In the end, it looked like there were some issues with the F5 load balancing. As a test we added the URL of the WFM to the hosts file and the connection worked fine afterwards. This was then handed over to the team that managed the F5 and they resolved the issue on their end.
I have written a Terraform template that creates an Azure Windows VM. I need to configure the VM to Enable PowerShell Remoting for the release pipeline to be able to execute Powershell scripts. After the VM is created I can RDP to the VM and do everything I need to do to enable Powershell remoting, however, it would be ideal if I could script all of that so it could be executed in a Release pipeline. There are two things that prevent that.
The first, and the topic of this question, is that I have to run "WinRM quickconfig". I have the template working such that when I RDP to the VM after creation and run "WinRM quickconfig", I receive the following responses:
WinRM service is already running on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:
Configure LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.
Make these changes [y/n]?
I want to configure the VM in Terraform so LocalAccountTokenFilterPolicy is set and it becomes unnecessary to RDP to the VM to run "WinRM quickconfig". After some research it appeared I might be able to do that using the resource azure_virtual_machine_extension. I added this to my template:
resource "azurerm_virtual_machine_extension" "vmx" {
  name                 = "hostname"
  location             = "${var.location}"
  resource_group_name  = "${var.vm-resource-group-name}"
  virtual_machine_name = "${azurerm_virtual_machine.vm.name}"
  publisher            = "Microsoft.Azure.Extensions"
  type                 = "CustomScript"
  type_handler_version = "2.0"
  settings = <<SETTINGS
  {
    # "commandToExecute": "powershell Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' -Name 'LocalAccountTokenFilterPolicy' -Value 1 -Force"
  }
SETTINGS
}
When I apply this, I get the error:
Error: compute.VirtualMachineExtensionsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: autorest/azure: Service returned an error. Status=<nil> Code="OperationNotAllowed" Message="This operation cannot be performed when extension operations are disallowed. To allow, please ensure VM Agent is installed on the VM and the osProfile.allowExtensionOperations property is true."
I couldn't find any Terraform documentation that addresses how to set the allowExtensionOperations property to true. On a whim, I tried adding the property "allow_extension_operations" to the os_profile block in the azurerm_virtual_machine resource but it is rejected as an invalid property. I also tried adding it to the os_profile_windows_config block and it isn't valid there either.
I found a statement on Microsoft's documentation regarding the osProfile.allowExtensionOperations property that says:
"This may only be set to False when no extensions are present on the virtual machine."
https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.management.compute.models.osprofile.allowextensionoperations?view=azure-dotnet
This implies to me that the property is True by default but it doesn't actually say that and it certainly isn't acting like that. Is there a way in Terraform to set osProfile.allowExtensionOperations to true?
I am running into the same issue adding extensions using Terraform. I created a Windows 2016 custom image.
provider "azurerm" version ="2.0.0"
Terraform 0.12.24
Terraform apply error:
compute.VirtualMachineExtensionsClient#CreateOrUpdate: Failure sending request: StatusCode=0
-- Original Error: autorest/azure: Service returned an error.
Status=<nil>
Code="OperationNotAllowed"
Message="This operation cannot be performed when extension operations are disallowed. To allow, please ensure VM Agent is installed on the VM and the osProfile.allowExtensionOperations property is true."
I ran into the same error; a possible solution depends on 2 things here.
You have to pass provider "azurerm" version ="2.5.0" and you have to pass the os_profile_windows_config parameter (see below) in the virtual machine resource as well, so that Terraform will consider the extensions that you are passing. This fixed my errors.
os_profile_windows_config {
  provision_vm_agent = true
}
I'm using Vagrant on Windows 8, with the Hyper-V provider starting a Windows Server 2012 box.
Before I updated to Vagrant 1.7.4 I was on version 1.7.2, and everything worked.
But after updating I am getting an error when it is trying to mount the shared folder:
The following WinRM command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!
cmdkey /add:xxx.xxx.xxx.xxx /user:DOMAIN\user /pass:Password
Stdout from the command:
Stderr from the command:
Exception calling "RegisterTaskDefinition" with "7" argument(s): "The user
name or password is incorrect. (Exception from HRESULT: 0x8007052E)"
At C:\tmp\vagrant-elevated-shell.ps1:58 char:1
+ $folder.RegisterTaskDefinition($task_name, $task, 6, $username, $password,
1, $n ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ComMethodTargetInvocation
I have replaced the details from the line:
cmdkey /add:xxx.xxx.xxx.xxx /user:DOMAIN\user /pass:Password
With placeholders for obvious reasons. I did try and run the command above in the VM and I get the following output:
CMDKEY: Credential added successfully.
So I assume it is working correctly. Has something changed or broken in 1.7.4?
I have figured out a fix for this.
Our password contained dollar signs ($), these were being stripped out in the vagrant-elevated-shell.ps1 script.
I have forked the vagrant repo and made the change and made a pull request - https://github.com/mitchellh/vagrant/pull/6452
To patch your local environment, you can find the communicator.rb file on your local machine at:
C:\HashiCorp\Vagrant\embedded\gems\gems\vagrant-1.7.4\plugins\communicators\winrm\communicator.rb
(provided you used the default setting in the installer)
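The stripping described in this answer, reproduced as an added example (it is not Vagrant's code or the change in the pull request). It assumes the generated script assigned `$password` from a double-quoted PowerShell string; `render_naive`, `render_safe`, `ps_value` and `survives` are hypothetical names, `ps_value` is a simplified model of PowerShell string evaluation, and the sample passwords are constructed.

```python
import re

# Characters PowerShell accepts as single-quote delimiters (ASCII and typographic).
PS_SINGLE_QUOTES = "'\u2018\u2019\u201a\u201b"


def render_naive(password):
    """Vulnerable pattern: the secret lands inside an expandable "..." string."""
    return '$password = "%s"' % password


def render_safe(password):
    """Hardened pattern: verbatim '...' string with every quote character doubled."""
    escaped = re.sub("([%s])" % PS_SINGLE_QUOTES, r"\1\1", password)
    return "$password = '%s'" % escaped


def ps_value(assignment, variables=None):
    """Simplified model of how PowerShell evaluates the literal on the right.

    Only $name expansion in "..." and doubled quotes in '...' are modelled;
    $(...), ${...} and backtick escapes are not.
    """
    variables = variables or {}
    literal = assignment.split("=", 1)[1].strip()
    inner = literal[1:-1]
    if literal[0] == '"':
        # Undefined variables expand to an empty string, so "$ecret" vanishes.
        return re.sub(r"\$(\w+)",
                      lambda m: str(variables.get(m.group(1), "")), inner)
    pair = "([%s])[%s]" % (PS_SINGLE_QUOTES, PS_SINGLE_QUOTES)
    return re.sub(pair, r"\1", inner)


def survives(password):
    """Return (naive_ok, safe_ok): does each rendering preserve the secret?"""
    return (ps_value(render_naive(password)) == password,
            ps_value(render_safe(password)) == password)


if __name__ == "__main__":
    for sample in ("plain123", "Sup3r$ecret$1!", "pa'ss$word"):  # constructed
        print(sample, "->", repr(ps_value(render_naive(sample))), survives(sample))
```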
When I try to clone a repo using windows domain credentials the backslashes are removed.
git: repo="http://DOMAIN\\user:password#server/repo"
dest=/srv/clone
version=develop
The error:
failed: [x.x.x.x] => {"cmd": ["/usr/bin/git", "ls-remote", "http://DOMAINuser:password#server/repo", "-h", "refs/heads/develop"], "failed": true, "rc": 128}
stderr: fatal: Authentication failed for 'http://DOMAINuser:password#server/repo/'
msg: fatal: Authentication failed for 'http://DOMAINuser:password#server/repo/'
FATAL: all hosts have already failed -- aborting
It looks like the escape is not working?
As far as I know, active directory authentication is orthogonal to the auth scheme you can use with the HTTP method in git. Thus, DOMAIN\\USER is simply the user string that your HTTP client (in your case, git) sends to the server. \ might look strange to the client, though. Have you tried \\\\?
This may seem funny, but I've lost enough time with Ansible escaping to justify it. Try defining a var (in some constant-appropriate place) like this backslash: "\\" and use it in templates like this, backslash*2.
At the very least you get consistency among direct uses in "{{ .. }}" and indirect uses in filters, like "{{ ... | some_filter('...') }}".