This document discusses the setup that is required before Ansible can communicate with a Microsoft Windows host.
For Ansible to communicate with a Windows host and use Windows modules, the Windows host must meet these requirements:
Ansible can generally manage Windows versions under current and extended support from Microsoft. Ansible can manage desktop OSs including Windows 7, 8.1, and 10, and server OSs including Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019.
Ansible requires PowerShell 3.0 or newer and at least .NET 4.0 to be installed on the Windows host.
A WinRM listener should be created and activated. More details for this can be found below.
Note
While these are the base requirements for Ansible connectivity, some Ansible modules have additional requirements, such as a newer OS or PowerShell version. Please consult the module's documentation page to determine whether a host meets those requirements.
Ansible requires PowerShell version 3.0 and .NET Framework 4.0 or newer to function on older operating systems like Server 2008 and Windows 7. The base image does not meet this requirement. You can use the Upgrade-PowerShell.ps1 script to update these.
This is an example of how to run this script from PowerShell:
Once completed, you will need to remove auto logon and set the execution policy back to the default of Restricted. You can do this with the following PowerShell commands:
The script works by checking to see what programs need to be installed (such as .NET Framework 4.5.2) and what PowerShell version is required. If a reboot is required and the username and password parameters are set, the script will automatically reboot and logon when it comes back up from the reboot. The script will continue until no more actions are required and the PowerShell version matches the target version. If the username and password parameters are not set, the script will prompt the user to manually reboot and logon when required. When the user is next logged in, the script will continue where it left off and the process continues until no more actions are required.
Note
If running on Server 2008, then SP2 must be installed. If running on Server 2008 R2 or Windows 7, then SP1 must be installed.
Note
Windows Server 2008 can only install PowerShell 3.0; specifying a newer version will result in the script failing.
Note
The username and password parameters are stored in plain text in the registry. Make sure the cleanup commands are run after the script finishes to ensure no credentials are still stored on the host.
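A check that the cleanup took effect, as an added example (not part of the original documentation or of the Upgrade-PowerShell.ps1 script). It assumes the script relies on the standard Windows Winlogon auto-logon values; the function name Get-BootstrapResidue is hypothetical.

```powershell
# Added example: report auto-logon credentials left in the registry after bootstrapping.
# Assumption: the standard Winlogon auto-logon values (AutoAdminLogon, DefaultUserName,
# DefaultPassword) are where the username and password parameters end up.
function Get-BootstrapResidue {
    param(
        [string]$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    $props = Get-ItemProperty -Path $WinlogonPath
    $names = @($props.PSObject.Properties | ForEach-Object { $_.Name })

    [pscustomobject]@{
        # "1" means Windows logs on automatically with the stored credentials
        AutoAdminLogonEnabled  = ("$($props.AutoAdminLogon)" -eq '1')
        # The password value is plain text, so its presence alone is a finding
        DefaultPasswordPresent = ($names -contains 'DefaultPassword')
        DefaultUserName        = $props.DefaultUserName
        # Machine-wide execution policy, to compare against the intended baseline
        MachineExecutionPolicy = (Get-ExecutionPolicy -Scope LocalMachine)
    }
}

$residue = Get-BootstrapResidue
if ($residue.AutoAdminLogonEnabled -or $residue.DefaultPasswordPresent) {
    Write-Warning 'Auto-logon credentials are still stored on this host; run the cleanup commands.'
}
$residue
```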
When running on PowerShell v3.0, there is a bug with the WinRM service that limits the amount of memory available to WinRM. Without this hotfix installed, Ansible will fail to execute certain commands on the Windows host. These hotfixes should be installed as part of the system bootstrapping or imaging process. The script Install-WMF3Hotfix.ps1 can be used to install the hotfix on affected hosts.
The following PowerShell command will install the hotfix:
For more details, please refer to the Hotfix document from Microsoft.
Once PowerShell has been upgraded to at least version 3.0, the final step is for the WinRM service to be configured so that Ansible can connect to it. There are two main components of the WinRM service that govern how Ansible can interface with the Windows host: the listener and the service configuration settings.
Details about each component can be read below, but the script ConfigureRemotingForAnsible.ps1 can be used to set up the basics. This script sets up both HTTP and HTTPS listeners with a self-signed certificate and enables the Basic authentication option on the service.
To use this script, run the following in PowerShell:
There are different switches and parameters (like -EnableCredSSP and -ForceNewSSLCert) that can be set alongside this script. The documentation for these options is located at the top of the script itself.
Note
The ConfigureRemotingForAnsible.ps1 script is intended for training and development purposes only and should not be used in a production environment, since it enables settings (like Basic authentication) that can be inherently insecure.
The WinRM service listens for requests on one or more ports. Each of these ports must have a listener created and configured.
To view the current listeners that are running on the WinRM service, run the following command:
This will output something like:
In the example above there are two listeners activated; one is listening on port 5985 over HTTP and the other is listening on port 5986 over HTTPS. Some of the key options that are useful to understand are:
Transport: Whether the listener is run over HTTP or HTTPS. It is recommended to use a listener over HTTPS as the data is encrypted without any further changes required.
Port: The port the listener runs on; by default it is 5985 for HTTP and 5986 for HTTPS. This port can be changed to whatever is required and corresponds to the host var ansible_port.
URLPrefix: The URL prefix to listen on; by default it is wsman. If this is changed, the host var ansible_winrm_path must be set to the same value.
CertificateThumbprint: If running over an HTTPS listener, this is the thumbprint of the certificate in the Windows Certificate Store that is used in the connection. To get the details of the certificate itself, run this command with the relevant certificate thumbprint in PowerShell:
There are three ways to set up a WinRM listener:
Using winrm quickconfig for HTTP or winrm quickconfig -transport:https for HTTPS. This is the easiest option to use when running outside of a domain environment and a simple listener is required. Unlike the other options, this process also has the added benefit of opening up the firewall for the ports required and starting the WinRM service.
Using Group Policy Objects. This is the best way to create a listener when the host is a member of a domain because the configuration is done automatically without any user input. For more information on group policy objects, see the Group Policy Objects documentation.
Using PowerShell to create the listener with a specific configuration. This can be done by running the following PowerShell commands:
To see the other options with this PowerShell cmdlet, see New-WSManInstance.
Note
When creating an HTTPS listener, an existing certificate needs to be created and stored in the LocalMachine\My certificate store. Without a certificate being present in this store, most commands will fail.
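A way to check the certificate requirement from the note above and the CertificateThumbprint option described earlier, as an added example (not part of the original documentation). The function name Test-ListenerCertificate is hypothetical; it only reads the certificate store and the listener configuration.

```powershell
# Added example: validate the certificate behind an HTTPS WinRM listener.
function Test-ListenerCertificate {
    param(
        [Parameter(Mandatory = $true)][AllowEmptyString()][string]$Thumbprint
    )
    # Thumbprints copied from a GUI often carry spaces; normalise before comparing
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean } |
        Select-Object -First 1

    if (-not $cert) {
        return [pscustomobject]@{
            Thumbprint = $clean
            Found      = $false
            Problems   = @('Not present in LocalMachine\My')
        }
    }

    $now = Get-Date
    $problems = @()
    if (-not $cert.HasPrivateKey)       { $problems += 'No private key' }
    if ($cert.NotBefore -gt $now)       { $problems += 'Not yet valid' }
    if ($cert.NotAfter -lt $now)        { $problems += "Expired on $($cert.NotAfter)" }
    if ($cert.Subject -eq $cert.Issuer) { $problems += 'Self-signed; clients must trust it explicitly' }

    [pscustomobject]@{
        Thumbprint = $clean
        Found      = $true
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Problems   = $problems
    }
}

# Check the certificate of every HTTPS listener currently configured on this host
Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' } |
    ForEach-Object { Test-ListenerCertificate -Thumbprint $_.CertificateThumbprint }
```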
To remove a WinRM listener:
Note
The Keys object is an array of strings, so it can contain different values. By default it contains a key for Transport= and Address= which correspond to the values from winrm enumerate winrm/config/Listeners.
There are a number of options that can be set to control the behavior of the WinRM service component, including authentication options and memory settings.
To get an output of the current service configuration options, run the following command:
This will output something like:
While many of these options should rarely be changed, a few can easily impact the operations over WinRM and are useful to understand. Some of the important options are:
Service\AllowUnencrypted: This option defines whether WinRM will allow traffic that is run over HTTP without message encryption. Message level encryption is only possible when ansible_winrm_transport is ntlm, kerberos or credssp. By default this is false and should only be set to true when debugging WinRM messages.
Service\Auth\*: These flags define what authentication options are allowed with the WinRM service. By default, Negotiate (NTLM) and Kerberos are enabled.
Service\Auth\CbtHardeningLevel: Specifies whether channel binding tokens are not verified (None), verified but not required (Relaxed), or verified and required (Strict). CBT is only used when connecting with NTLM or Kerberos over HTTPS.
Service\CertificateThumbprint: This is the thumbprint of the certificate used to encrypt the TLS channel used with CredSSP authentication. By default this is empty; a self-signed certificate is generated when the WinRM service starts and is used in the TLS process.
Winrs\MaxShellRunTime: This is the maximum time, in milliseconds, that a remote command is allowed to execute.
Winrs\MaxMemoryPerShellMB: This is the maximum amount of memory allocated per shell, including the shell's child processes.
To modify a setting under the Service key in PowerShell:
To modify a setting under the Winrs key in PowerShell:
Note
If running in a domain environment, some of these options are set by GPO and cannot be changed on the host itself. When a key has been configured with GPO, it contains the text [Source='GPO'] next to the value.
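An audit of the service options and listeners discussed above, useful after ConfigureRemotingForAnsible.ps1 has been run on a host, as an added example (not part of the original documentation). The function name Get-WinRMAuditFinding is hypothetical; the WSMan: drive paths are those exposed by the built-in WSMan provider.

```powershell
# Added example: list WinRM service settings and listeners that weaken transport security.
# Run in an elevated PowerShell session on the Windows host.
function Get-WinRMAuditFinding {
    $checks = @(
        @{ Path = 'WSMan:\localhost\Service\AllowUnencrypted'; Weak = 'true'
           Note = 'Unencrypted HTTP traffic is accepted; meant for debugging only' },
        @{ Path = 'WSMan:\localhost\Service\Auth\Basic'; Weak = 'true'
           Note = 'Basic authentication is enabled; it cannot use message encryption' },
        @{ Path = 'WSMan:\localhost\Service\Auth\CbtHardeningLevel'; Weak = 'None'
           Note = 'Channel binding tokens are not verified' }
    )

    foreach ($check in $checks) {
        $item = Get-Item -Path $check.Path
        if ("$($item.Value)" -eq $check.Weak) {
            [pscustomobject]@{
                Setting = $check.Path
                Value   = $item.Value
                Source  = $item.SourceOfValue   # populated when the value is set by GPO
                Note    = $check.Note
            }
        }
    }

    # HTTP listeners carry no TLS, so confidentiality depends on message encryption
    $listeners = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate
    foreach ($listener in $listeners) {
        if ($listener.Transport -eq 'HTTP') {
            [pscustomobject]@{
                Setting = "Listener $($listener.Address) on port $($listener.Port)"
                Value   = 'HTTP'
                Source  = $null
                Note    = 'No TLS; relies on ntlm, kerberos or credssp message encryption'
            }
        }
    }
}

Get-WinRMAuditFinding | Format-List
```

An empty result means none of the three service settings is at its weak value and no HTTP listener is configured.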
Because WinRM has a wide range of configuration options, it can be difficult to set up and configure. Because of this complexity, issues that are shown by Ansible could in fact be issues with the host setup instead.
One easy way to determine whether a problem is a host issue is to run the following command from another Windows host to connect to the target Windows host:
If this fails, the issue is probably related to the WinRM setup. If it works, the issue may not be related to the WinRM setup; please continue reading for more troubleshooting suggestions.
An HTTP 401 error indicates the authentication process failed during the initial connection. Some things to check for this are:
Verify that the credentials are correct and set properly in your inventory with ansible_user and ansible_password.
Ensure that the user is a member of the local Administrators group or has been explicitly granted access (a connection test with the winrs command can be used to rule this out).
Make sure that the authentication option set by ansible_winrm_transport is enabled under Service\Auth\*.
If running over HTTP and not HTTPS, use ntlm, kerberos or credssp with ansible_winrm_message_encryption: auto to enable message encryption. If using another authentication option or if the installed pywinrm version cannot be upgraded, Service\AllowUnencrypted can be set to true, but this is only recommended for troubleshooting.
Ensure the downstream packages pywinrm, requests-ntlm, requests-kerberos, and/or requests-credssp are up to date using pip.
If using Kerberos authentication, ensure that Service\Auth\CbtHardeningLevel is not set to Strict.
When using Basic or Certificate authentication, make sure that the user is a local account and not a domain account. Domain accounts do not work with Basic and Certificate authentication.
These indicate an error has occurred with the WinRM service. Some things to check for include:
Verify that the number of currently open shells has not exceeded WinRsMaxShellsPerUser and that none of the other Winrs quotas have been exceeded.
These usually indicate an error with the network connection where Ansible is unable to reach the host. Some things to check for include:
Make sure the firewall is not set to block the configured WinRM listener ports.
Ensure that a WinRM listener is enabled on the port and path set by the host vars.
Ensure that the winrm service is running on the Windows host and configured for automatic start.
These usually indicate an error when trying to communicate with the WinRM service on the host. Some things to check for:
Ensure that the WinRM service is up and running on the host. Use (Get-Service -Name winrm).Status to get the status of the service.
Check that the host firewall is allowing traffic over the WinRM port. By default this is 5985 for HTTP and 5986 for HTTPS.
Sometimes an installer may restart the WinRM or HTTP service and cause this error. The best way to deal with this is to use win_psexec from another Windows host.
If PowerShell fails with an error message similar to "The 'Out-String' command was found in the module 'Microsoft.PowerShell.Utility', but the module could not be loaded." then there could be a problem trying to access all the paths specified by the PSModulePath environment variable. A common cause of this issue is that the PSModulePath environment variable contains a UNC path to a file share and, because of the double hop/credential delegation issue, the Ansible process cannot access these folders. The way around this problem is to either:
Remove the UNC path from the PSModulePath environment variable, or
Use an authentication option that supports credential delegation like credssp or kerberos with credential delegation enabled
See KB4076842 for more information on this problem.
Ansible 2.8 has added an experimental SSH connection for Windows managed nodes.
Warning
Use this feature at your own risk! Using SSH with Windows is experimental, the implementation may make backwards incompatible changes in feature releases. The server side components can be unreliable depending on the version that is installed.
The first step to using SSH with Windows is to install the Win32-OpenSSH service on the Windows host. Microsoft offers a way to install Win32-OpenSSH through a Windows capability but currently the version that is installed through this process is too old to work with Ansible. To install Win32-OpenSSH for use with Ansible, select one of these three installation options:
Manually install the service, following the install instructions from Microsoft.
Install the openssh package using Chocolatey:
Use win_chocolatey to install the service:
Use an existing Ansible Galaxy role like jborean93.win_openssh:
Note
Win32-OpenSSH is still a beta product and is constantly being updated to include new features and bugfixes. If you are using SSH as a connection option for Windows, it is highly recommended you install the latest release from one of the 3 methods above.
By default Win32-OpenSSH will use cmd.exe as a shell. To configure a different shell, use an Ansible task to define the registry setting:
Win32-OpenSSH authentication with Windows is similar to SSH authentication on Unix/Linux hosts. You can use a plaintext password or SSH public key authentication, add public keys to an authorized_keys file in the .ssh folder of the user's profile directory, and configure the service using the sshd_config file used by the SSH service as you would on a Unix/Linux host.
When using SSH key authentication with Ansible, the remote session won't have access to the user's credentials and will fail when attempting to access a network resource. This is also known as the double-hop or credential delegation issue. There are two ways to work around this issue:
Use plaintext password auth by setting ansible_password
Use become on the task with the credentials of the user that needs access to the remote resource
To configure Ansible to use SSH for Windows hosts, you must set two connection variables:
Set ansible_connection to ssh
Set ansible_shell_type to cmd or powershell
The ansible_shell_type variable should reflect the DefaultShell configured on the Windows host. Set to cmd for the default shell or set to powershell if the DefaultShell has been changed to PowerShell.
Using SSH with Windows is experimental, and we expect to uncover more issues. Here are the known ones:
Win32-OpenSSH versions older than v7.9.0.0p1-Beta do not work when powershell is the shell type
While SCP should work, SFTP is the recommended SSH file transfer mechanism to use when copying or fetching a file
See also
An introduction to playbooks
Tips and tricks for playbooks
Windows specific module list, all implemented in PowerShell
Have a question? Stop by the google group!
#ansible IRC chat channel