Ansible+Windows Remote Management: Quo Vadis?

[gildegoma]

This "Feature Request/Brainstorming" issue is raised after receiving some support issues that prove the difficulty to figure out the "most efficient/correct" way to configure Vagrant to provision a Windows machine with fast-evolving Ansible capabilities and Windows-Remoting moving target.

First, I'd like to gather in this thread community feedbacks and perspectives, in order to establish a long-term roadmap for the future developments on the Vagrant side (e.g. add support for psrp connection mode, or recommend OpenSSH-everywhere as of Windows Server 2019,...).

Vagrant version

Any version since 1.8.0 release (when WinRM support was added to the Ansible provisioner).

Host operating system

N/A

Guest operating system

Any recent Windows (Server) Release that supports one or more of following Remoting Management Interfaces:

• WinRM (Windows Remote Management), the Microsoft implementation of DMTF Web Services for Management (WS-Man) specification
• MS-PSRP (PowerShell Remoting Protocol)
• OpenSSH available by default as Windows Server 2019 (and Windows 10), and also easy to install on Server 2012 R2 and Server 2016.

References

• GH-10765
• GH-10444
• A look under the hood at Powershell Remoting through a cross plaform lens, June 2016
• Using the OpenSSH Beta in Windows 10 Fall Creators Update and Windows Server 1709, December 2017
• https://github.com/PowerShell/Win32-OpenSSH/wiki/Project-Status
• PowerShell remoting between Windows and Linux

[agowa]

I would go with ssh only. It should not be any problem to install the latest openssh version on a windows host. And PowerShell core. So also the pwsh Subsystem could be used. And openssh is not only available for windows server 2019, but also works fine with server 2012r2 and 2016 (I'm using that for automated image creation using packer over here.)

Everything that is required to use it:

1. Download and Install the latest msi of powershell core. https://github.com/PowerShell/PowerShell/releases/latest
2. Download the latest release from https://github.com/PowerShell/Win32-OpenSSH/releases/latest and execute .\install-sshd.ps1
3. Write sshd configuration file to: $env:ProgramData/ssh/sshd_config

   Port 22
   AuthorizedKeysFile  .ssh/authorized_keys
   PasswordAuthentication yes
   PubkeyAuthentication yes
   Subsystem   sftp    sftp-server.exe
   Subsystem powershell pwsh.exe -sshs -NoLogo -NoProfile

4. (Optional) Change default Shell to Windows PowerShell HKLM:\SOFTWARE\OpenSSH\DefaultShell = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
5. Enable the Firewall rule:

   New-NetFirewallRule -Name 'sshd' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

6. Enable the services

   Set-Service -Name 'sshd' -StartupType Automatic
   Set-Service -Name 'ssh-agent' -StartupType Automatic

[gildegoma]

@agowa338 Thank you for your feedback, very much apprecidated. Do you have any public Packer resources to recommend (I'd like to take a little time - but as little as possible - to play with this) ?. Thank you again :blue_heart: :+1:

[agowa]

Sadly I cannot publish my packer scripts, as I wrote them for work, but you can take the steps outlined above and there are other public packer scripts. But they had some problems in our environment, so I rewrote most of it.

Basically all you have to do is patch the sysprep script so that the above script is called and put it onto the floppy image. Sadly, the windows-update provisioner only supports winrm in a horrible fashion, so I disable whole winrm security call it and afterwards I have a script that resets it to default. Anyway, just have a look at some windows packer scripts you find on github and if you encounter any problem when using it with ssh, I'm happy to assist you putting it together, but I currently don't have enough time to redo the whole thing so that I can publish it...

[jborean93]

For SSH you only need to do the subsystem/sshd_config work if you want to use PSRP over SSH which is not what happens in pure SSH commands. That's purely so PSCore installs on Linux can do Invoke-Command or Enter-PSSession to a Windows host over SSH. If you are just executing commands over an SSH connection then it isn't needed at all.

If you are talking about Ansible + Windows + SSH, you would need to use Ansible 2.8 which is the upcoming release. Previous versions of Ansible won't work for SSH with Windows and even then this is an experimental feature that could change anytime in the future. Not something you want to try and stabilise around. See for details around the implementation and the docs that were added for 2.8 https://github.com/ansible/ansible/pull/47732.

Using ansible_connection: winrm is definitely the most stable, psrp is close behind but not as thourouhly tested but should work in most cases. In the end this should be done to the end user to specify and I'm not sure where the problem is from an Ansible + Vagrant perspective on Windows. The only outstanding issue is to create a new release of pywinrm to solve the cert validation issue and I'm trying to follow that up. This could also be potentially solved in Vagrant itself to have that env var that forces the validation to not apply but I'm not sure where that is being defined.

Packer on the other hand has a few problems that make things difficult but I'm successfully using Vagrant + Ansible + Windows right now.