Ansible+Windows, one year later (cfgmgmtcamp 2018)

Dag Wieers
February 05, 2018

Ansible's Windows support is quickly becoming a mature and complete solution for managing Windows systems. During this presentation we will cover the various aspects of using Ansible for managing Windows systems, and then continue where we left off last year: what has happened during the past year?

Transcript

  1. Who am I ?
     • Born as Dag Wieërs in Flanders, Belgium
       – Freelance Linux consultant
     • Doing Linux and Open Source since 1994
     • Working for various companies (IT, Finance, Telco, Gov)
       – IBM, HP, EMC, Cisco, Punch; Euroclear, AXA, BNP Paribas, ING, KBC
       – Proximus, Telenet; Belgian Federal Police, Belgian Constitutional Court
     • Mostly as engineer/architect, but prefers hands-on too
       – The past 5 years this involved Ansible in various ways
     • Started developing Ansible from the very start (early 2012)
     • Wrote core functionality and basic modules: debug, fail, set_fact, mail, ...
       – Maintainer of: unarchive, xml, filetree, dense, hpilo, vmware_guest, Cisco ACI, IMC, …
       – Involved in: Core, Windows, VMware and Network/ACI communities
  2. My Windows use-cases
     • Managing Windows desktops/laptops
       – at elementary school
       – for friends and family
     • Managing lab infrastructure at Cisco ACI TAC support (EMEA, US, ...)
       – automating complex scenarios for reproducing customer cases, incl:
         • Provisioning: VM and bare-metal provisioning (Windows, Linux, OpenStack), Cisco IMC
         • Windows: MDT, AD, MSSQL, SCVMM
         • Virtualisation: VMware, ESXi, VCSA, HyperV, SCVMM
         • Networking: Cisco ACI and Nexus 9k
  3. Why is Ansible a good fit for Windows?
     • Uses native WinRM* and PowerShell
       – Philosophy: Agentless, using existing standards
     • Works from Windows 7 or Windows Server 2008
       – Requires at least PowerShell 3.0 (better upgrade to PS5+ ?)
     • Authenticate with local accounts or AD/Kerberos
     • Introduces idempotency, check-mode and diff support
     • Requires a Linux control system (incl. WSL now !)
  4. Bootstrapping Ansible on Windows
     • Upgrade PowerShell and enable WinRM by hand
       – we provide PowerShell scripts and tools for this
     • Use win_psexec (requires one Windows system)
       – to upgrade PowerShell remotely
       – to enable WinRM remotely
     • Future: Implement python-based psexec !
       – see: https://github.com/ansible/ansible/issues/30972
  5. Windows support was maturing fast
     • Ansible v2.3
       – Pipelining support
       – WinRM Kerberos support
       – Improved Windows API for modules
       – Refactored most modules (check-mode and diff)
     • Ansible v2.4
       – DSC support (win_dsc) !
       – Become support (runas)
       – Shared PS module_utils support
       – Integration tests for most modules
  6. On-par now with other platforms
     • Ansible v2.5
       – Improved privilege escalation (become_flags support)
         • e.g. runas System, LocalService, NetworkService, any user (password-less)
       – “Platform” support enables Windows with SSH transport
       – Improvements and feature-parity to more modules
         • Important improvements to DSC support (win_dsc)
         • win_updates now can do reboots on demand (and continue)
       – WinRM stability improvements (more to come)
       – Windows gather_subset support
       – Rewrite of Windows documentation
         • http://docs.ansible.com/ansible/devel/windows.html
  7. Module development
     • Growing list of Windows modules
       v1.8: 10 → v1.9: 14 → v2.0: 30 → v2.1: 37 → v2.2: 42 → v2.3: 56 → v2.4: 76 → v2.5: 83
     • DSC support
     • 95% of Windows modules have integration tests and are idempotent
     • More niche functionality being added
       – e.g. win_product_facts, win_disk_facts, win_wakeonlan
     • PSLint (PowerShell static analyzer)
     • Windows 2016 support in CI testing
  8. What’s next ?
     • Windows specific
       – PowerShell v6 support (Unix-ified)
       – Native PSEXEC support for bootstrapping
       – Windows Nano server support
       – PSScriptAnalyzer for enforcing PowerShell style
       – Backup support (feature-parity)
     • Core
       – Support aggregates and “pure” support (proposals#71)
       – Native type support enabled by default (ansible#32738)
       – Multi-threaded Ansible (ansible/tree/threading_plus_forking)
       – Support for multiple streams and real-time output (proposals#92)
  9. Windows modules
     Standard modules (15+)
       – add_host / group_by
       – assemble / template
       – assert
       – async
       – debug
       – fail
       – fetch / slurp
       – include_vars / set_fact
       – meta
       – pause / wait_for
       – raw
       – script
       – setup
     Windows modules (80+)
       – win_ping
       – win_command / win_shell
       – win_copy / win_robocopy
       – win_template
       – win_stat / win_file_version
       – win_file / win_shortcut
       – win_service / win_nssm
       – win_user / win_group
       – win_path / win_environment
       – win_feature
       – win_updates
       – win_reboot
       – win_lineinfile
       – win_acl*
       – win_package / win_msi
       – win_chocolatey
       – win_webpicmd
       – win_regedit / win_regmerge
       – win_firewall / _rule
       – win_get_url / win_uri
       – win_psexec
       – win_unzip
       – win_owner
       – win_share
       – win_scheduled_task
       – win_dotnet_ngen
       – win_iis_*
       – win_defrag
       – win_dsc
       – win_domain_user / _group
       – win_eventlog / _entry
       – win_group_membership
       – win_hotfix
       – win_mapped_drive
       – win_pagefile
       – win_power_plan
       – win_psmodule
       – win_route
       – win_security_policy
       – win_wait_for
       – win_wakeonlan
  10. Preschool / elementary school in Ghent
      • About 60 unmanaged Windows computers
        – Teachers and students had admin rights
        – All kinds of Windows versions (XP, Vista, 7, 8, Home, Pro)
        – All kinds of software installed (old, dodgy, trojans ?)
      • One volunteer (Mr. Willy) taking care of everything !
        – Fixing hardware, cabling, software, end-user problems
      • Twice a year parents help fixing things at school
  11. Big reorganization in 2016
      • Formed ICT Working Group with parents/teachers
      • Cleaned up infrastructure
        – Inventory of everything, labeling devices, etc.
        – Complete upgrade to Windows 10 (for consistency)
        – Gigabit network and wireless connectivity
        – NAS for sharing documents, video and audio
        – Ansible for managing classroom/teacher desktops
        – VPN and remote desktop (for testing and support)
      • Now we are looking at managing tablets too (Help!)
  12. Playbooks at work
      – hosts.ini: Manually managed inventory
      – collect.yml: Automatic asset database
      – cleanup.yml: Automated cleanup of systems prior to upgrade
      – wakeonlan.yml: Wake systems prior to access
      – users.yml: User and group management
      – config.yml: Configuration management (shares, file assoc., power)
      – desktop.yml: Desktop-related stuff (shortcuts, look-and-feel)
      – software.yml: Software management
      – update.yml: Patch management
      – rdesktop.yml & tigervnc.yml: Remote Access via RDP & VNC
      – onedrive.yml: Disable OneDrive
      – winrm.yml: Update WinRM config
      https://github.com/crombeen/ansible
  13. School IT roadmap for 2017 onward
      • Running Ansible from Docker on Synology NAS
      • Automate more
        – Managed tiles (now disabled) and start-menu
        – Disable Intel hotkeys
        – Bigger mouse pointer
        – Remove Windows Store + Apps
        – Printer installation (installer doesn’t allow silent install...)
        – Group policies solution ?
      • Management of tablets
      • Technology choices
      • STEM-related courses (Scratch, Arduino, ...)
  14. Cisco ACI TAC support labs
      • Reproducing complex customer cases is very costly
        – It can take up multiple days to complete
      • Without automation, engineers try to avoid it
        – With sometimes great consequences
      • Ansible offers repeatable setups from scratch (incl. permutations)
        – Now it takes 1 hour to 3 hours to build one of X scenarios
        – Engineers can handle other cases while Ansible builds
        – Engineers no longer need intimate knowledge of how this was built
        – Immediate cost savings: efficient use of HW, better support quality/performance
  15. Community building
      • Weekly meetings
        – Tuesdays at 20:00 UTC
        – Discuss ongoing development, open issues, ideas → Meeting agenda
        – IRC channel #ansible-windows on FreeNode
      • Community wiki
        – https://github.com/ansible/community/wiki
        – Collaborate on ideas, plans and progress
        – Matt Davis*, Jordan Borean*, Jon Hawkesworth, Matt Clay*, Tron Hindenes
      • Windows sprints
        – Whenever we find the time
        – Focus on fixing issues and reviewing PRs
        – While improving documentation and assigning TODO tasks
  16. Links
      • Windows documentation
        – http://docs.ansible.com/ansible/latest/intro_windows.html
        – http://docs.ansible.com/ansible/latest/list_of_windows_modules.html
      • Example playbooks (elementary school)
        – https://github.com/crombeen/ansible
      • Windows development
        – module_utils/powershell.ps1
        – modules/windows/setup.ps1
        – modules/windows/win_service.ps1