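Managing Windows machines with Ansible

Ansible manages Linux machines over SSH. Windows machines are managed through the WinRM service, which uses HTTP. Before running Ansible, enable the WinRM service on the Windows machine and configure Windows Firewall.

Configuring WinRM on the Windows machine

Unlike Linux distributions, a remote Windows host needs the following configured in advance:

  • Install .NET Framework 3.0+

  • Change the PowerShell execution policy to RemoteSigned

  • Upgrade PowerShell to 3.0+

  • Set up Windows Remote Management, full name WS-Management (WinRM)

(1) Install .NET Framework 3.0+

Download link: http://download.microsoft.com/download/B/A/4/BA4A7E71-2906-4B2D-A0E1-80CF16844F5F/dotNetFx45_Full_x86_x64.exe. After downloading it, double-click the file to install. The machine may restart several times during installation and needs a working Internet connection.

(2) Change the PowerShell execution policy to RemoteSigned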

set-executionpolicy remotesigned


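(3) Upgrade PowerShell to 3.0+

Windows 7 and Windows Server 2008 R2 ship with PowerShell installed, but usually at version 2.0, so it has to be upgraded to 3.0+. In the screenshot below, the part marked 1 shows that the PowerShell version is too low and 3.0+ is required, and the part marked 2 shows that the current PowerShell version is 2.0.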


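Save the following script locally, then right-click it and choose "Run with PowerShell". Once it has finished and the system has restarted, run Get-Host in PowerShell; a PowerShell version of 3.0, as in the screenshot below, means the upgrade succeeded.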

# Powershell script to upgrade a PowerShell 2.0 system to PowerShell 3.0
# based on http://occasionalutility.blogspot.com/2013/11/everyday-powershell-part-7-powershell.html
#
# some Ansible modules that may use Powershell 3 features, so systems may need
# to be upgraded.  This may be used by a sample playbook.  Refer to the windows
# documentation on docs.ansible.com for details.
#
# - hosts: windows
#   tasks:
#     - script: upgrade_to_ps3.ps1

# Get version of OS

# 6.0 is 2008
# 6.1 is 2008 R2
# 6.2 is 2012
# 6.3 is 2012 R2


if ($PSVersionTable.psversion.Major -ge 3)
{
    write-host "Powershell 3 Installed already; You don't need this"
    Exit
}

$powershellpath = "C:\powershell"

function download-file
{
    param ([string]$path, [string]$local)
    $client = new-object system.net.WebClient
    $client.Headers.Add("user-agent", "PowerShell")
    $client.downloadfile($path, $local)
}

if (!(test-path $powershellpath))
{
    New-Item -ItemType directory -Path $powershellpath
}


# .NET Framework 4.0 is necessary.

#if (($PSVersionTable.CLRVersion.Major) -lt 2)
#{
#    $DownloadUrl = "http://download.microsoft.com/download/B/A/4/BA4A7E71-2906-4B2D-A0E1-80CF16844F5F/dotNetFx45_Full_x86_x64.exe"
#    $FileName = $DownLoadUrl.Split('/')[-1]
#    download-file $downloadurl "$powershellpath\$filename"
#    ."$powershellpath\$filename" /quiet /norestart
#}

#You may need to reboot after the .NET install if so just run the script again.

# If the Operating System is above 6.2, then you already have PowerShell Version > 3
if ([Environment]::OSVersion.Version.Major -gt 6)
{
    write-host "OS is new; upgrade not needed."
    Exit
}


$osminor = [environment]::OSVersion.Version.Minor

$architecture = $ENV:PROCESSOR_ARCHITECTURE

if ($architecture -eq "AMD64")
{
    $architecture = "x64"
}
else
{
    $architecture = "x86"
}

if ($osminor -eq 1)
{
    $DownloadUrl = "http://download.microsoft.com/download/E/7/6/E76850B8-DA6E-4FF5-8CCE-A24FC513FD16/Windows6.1-KB2506143-" + $architecture + ".msu"
}
elseif ($osminor -eq 0)
{
    $DownloadUrl = "http://download.microsoft.com/download/E/7/6/E76850B8-DA6E-4FF5-8CCE-A24FC513FD16/Windows6.0-KB2506146-" + $architecture + ".msu"
}
else
{
    # Nothing to do; In theory this point will never be reached.
    Exit
}

$FileName = $DownLoadUrl.Split('/')[-1]
download-file $downloadurl "$powershellpath\$filename"

Start-Process -FilePath "$powershellpath\$filename" -ArgumentList /quiet

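(4) Set up Windows Remote Management (WS-Management, WinRM)

The WinRM service is not enabled by default. Check its state first; if the command returns nothing, the service is not running: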

winrm enumerate winrm/config/listener

Apply the basic configuration to the WinRM service:

winrm quickconfig

List the WinRM service listeners:

winrm e winrm/config/listener

Configure authentication for the WinRM service:

winrm set winrm/config/service/auth @{Basic="true"}

Set the WinRM service to allow unencrypted traffic:

winrm set winrm/config/service @{AllowUnencrypted="true"}

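(5) Configure Windows Firewall

After confirming with winrm enumerate winrm/config/listener that the WinRM service has started correctly, add a firewall rule that allows port 5985 through.

Open the firewall's advanced settings, select Inbound Rules, then click New Rule.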



Enter the trusted port, 5985.


Enter a name for the new rule.


Configuring the Ansible host

Install pywinrm on the host

pip install pywinrm

Install the ansible.windows collection

# ansible-galaxy collection install ansible.windows

Test connectivity to the Windows machine

test.host 
[windows]
112.12.1.9 ansible_ssh_user="administrator" ansible_ssh_pass="1111111" ansible_ssh_port="5985" ansible_connection="winrm" ansible_winrm_server_cert_validation=ignore 

# ansible -i test.host windows -m win_ping 
112.12.1.9 | success => {
 "changed": false,
 "ping": "pong"
}
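
The inventory line above keeps the administrator password in the file and, together with the Basic="true" and AllowUnencrypted="true" settings, sends it with Basic authentication over the HTTP listener on 5985. As an added example (not from the original article), the following Python check flags those settings in an INI inventory host line; the hardened line, the finding names and the treatment of an unset ansible_winrm_transport as Basic are assumptions of this example.

```python
import shlex

# Host line from the page's test.host (the password is the page's sample value).
PAGE_LINE = ('112.12.1.9 ansible_ssh_user="administrator" ansible_ssh_pass="1111111" '
             'ansible_ssh_port="5985" ansible_connection="winrm" '
             'ansible_winrm_server_cert_validation=ignore')
# Constructed counterpart: HTTPS listener on 5986, NTLM, certificate checks left on,
# password kept out of the inventory (for example in an Ansible Vault file).
HARDENED_LINE = ('112.12.1.9 ansible_user=administrator ansible_port=5986 '
                 'ansible_connection=winrm ansible_winrm_transport=ntlm')

PASSWORD_KEYS = ("ansible_password", "ansible_ssh_pass",
                 "ansible_winrm_pass", "ansible_winrm_password")
PORT_KEYS = ("ansible_port", "ansible_ssh_port", "ansible_winrm_port")


def parse_host_line(line):
    """Split an INI inventory host line into (host, {variable: value})."""
    host, *pairs = shlex.split(line, comments=True)
    return host, dict(p.split("=", 1) for p in pairs if "=" in p)


def audit_winrm_host(line):
    """Return finding names (hypothetical labels) for one WinRM host line."""
    _, hostvars = parse_host_line(line)
    if hostvars.get("ansible_connection") != "winrm":
        return []
    findings = []
    if any(key in hostvars for key in PASSWORD_KEYS):
        findings.append("cleartext-password-in-inventory")
    # Ansible's winrm plugin uses https unless the port is 5985 or a scheme is set.
    port = next((hostvars[k] for k in PORT_KEYS if k in hostvars), "5986")
    scheme = hostvars.get("ansible_winrm_scheme", "http" if port == "5985" else "https")
    # Assumption: an unset transport is treated as Basic, the method the page enables.
    transport = hostvars.get("ansible_winrm_transport", "basic").lower()
    if scheme == "http" and transport in ("basic", "plaintext"):
        findings.append("basic-auth-over-http")
    if hostvars.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("cert-validation-disabled")
    return findings


if __name__ == "__main__":
    for label, line in (("page", PAGE_LINE), ("hardened", HARDENED_LINE)):
        print(label, audit_winrm_host(line) or "no findings")
```

The hardened line presumes an HTTPS listener with a certificate the control node trusts already exists on the Windows machine, which the steps above do not create.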

Example

Creating Windows users

test.host 
[windows]
112.12.1.9 ansible_ssh_user="administrator" ansible_ssh_pass="11111111" ansible_ssh_port="5985" ansible_connection="winrm" ansible_winrm_server_cert_validation=ignore 

user.yaml
---
- hosts: windows
  gather_facts: no
  vars:
    lists:
      # one entry per account to create
      user_list: [{'name': '1', 'fullname': 'test1'}, {'name': '2', 'fullname': 'test2'}]
  tasks:
    - name: ensure user is present
      ansible.windows.win_user:
        name: "{{ item['name'] }}"
        fullname: "{{ item['fullname'] }}"
        password: abcd@1234
        state: present
        home_directory: c:\
        password_expired: no
        password_never_expires: yes
        groups:
          - Users
          - Remote Desktop Users
      # loop over every entry in user_list
      with_items:
        - "{{ lists['user_list'] }}"