Ansible and Windows Dag Wieers @dagwieers CfgMgmtCamp 2018 – Ghent

Who am I ? ● Born as Dag Wieërs in Flanders, Belgium – Freelance Linux consultant ● Doing Linux and Open Source since 1994 ● Working for various companies (IT, Finance, Telco, Gov) – IBM, HP, EMC, Cisco, Punch; Euroclear, AXA, BNP Paribas, ING, KBC – Proximus, Telenet; Belgian Federal Police, Belgian Constitutional Court ● Mostly as engineer/architect, but prefers hands-on too – The past 5 years this involved Ansible in various ways ● Started developing Ansible from the very start (early 2012) ● Wrote core functionality and basic modules: debug, fail, set_fact, mail, ... – Maintainer of: unarchive, xml, filetree, dense, hpilo, vmware_guest, Cisco ACI, IMC, … – Involved in: Core, Windows, VMware and Network/ACI communities

Ansible & Windows

No content

My Windows use-cases ● Managing Windows desktops/laptops – at elementary school – for friends and family ● Managing lab infrastructure at Cisco ACI TAC support (EMEA, US, ...) – automating complex scenarios for reproducing customer cases, incl: ● Provisioning: VM and bare-metal provisioning (Windows, Linux, OpenStack), Cisco IMC ● Windows: MDT, AD, MSSQL, SCVMM ● Virtualisation: VMware, ESXi, VCSA, HyperV, SCVMM ● Networking: Cisco ACI and Nexus 9k

How does it work ?

Why is Ansible a good fit for Windows? ● Uses native WinRM* and Powershell – Philosophy: Agentless, using existing standards ● Works from Windows 7 or Windows Server 2008 – Requires at least Powershell 3.0 (better upgrade to PS5+ ?) ● Authenticate with local accounts or AD/Kerberos ● Introduces idempotency, check-mode and dif support ● Requires a Linux control system (incl. WSL now !)

Bootstrapping Ansible on Windows ● Upgrade PowerShell and enable WinRM by hand – we provide PowerShell scripts and tools for this ● Use win_psexec (requires one Windows system) – to upgrade PowerShell remotely – to enable WinRM remotely ● Future: Implement python-based psexec ! – see: https://github.com/ansible/ansible/issues/30972

Windows support was maturing fast ● Ansible v2.3 – Pipeling support – WinRM Kerberos support – Improved Windows API for modules – Refactored most modules (check-mode and dif) ● Ansible v2.4 – DSC support (win_dsc) ! – Become support (runas) – Shared PS module_utils support – Integration tests for most modules

On-par now with other platforms ● Ansible v2.5 – Improved privilege escalation (become_flags support) ● e.g. runas System, LocalService, NetworkService, any user (password-less) – “Platform” support enables Windows with SSH transport – Improvements and feature-parity to more modules ● Important improvements to DSC support (win_dsc) ● win_updates now can do reboots on demand (and continue) – WinRM stability improvements (more to come) – Windows gather_subset support – Rewrite of Windows documentation ● http://docs.ansible.com/ansible/devel/windows.html

Module development ● Growing list of Windows modules v1.8: 10 → v1.9: 14 → v2.0: 30 → v2.1: 37 → v2.2: 42 → v2.3: 56 → v2.4: 76 → v2.5: 83 ● DSC support ● 95% of Windows modules have integration tests and are idempotent ● More niche functionality being added – e.g. win_product_facts, win_disk_facts, win_wakeonlan ● PSLint (Powershell static analyzer) ● Windows 2016 support in CI testing

What’s next ? ● Windows specific – PowerShell v6 support (Unix-ified) – Native PSEXEC support for bootstrapping – Windows Nano server support – PSScriptAnalyzer for enforcing PowerShell style – Backup support (feature-parity) ● Core – Support aggregates and “pure” support (proposals#71) – Native type support enabled by default (ansible#32738) – Multi-threaded Ansible (ansible/tree/threading_plus_forking) – Support for multiple streams and real-time output (proposals#92)

Windows modules Standard modules (15+) – add_host / group_by – assemble / template – assert – async – debug – fail – fetch / slurp – include_vars / set_fact – meta – pause / wait_for – raw – script – setup Windows modules (80+) – win_ping – win_command / win_shell – win_copy / win_robocopy – win_template – win_stat / win_file_version – win_file / win_shortcut – win_service / win_nssm – win_user / win_group – win_path / win_environment – win_feature – win_updates – win_reboot – win_lineinfile – win_acl* – win_package / win_msi – win_chocolatey – win_webpicmd – win_regedit / win_regmerge – win_firewall / _rule – win_get_url / win_uri – win_psexec – win_unzip – win_owner – win_share – win_scheduled_task – win_dotnet_ngen – win_iis_* – win_defrag – win_dsc – win_domain_user / _group – win_eventlog / _entry – win_group_membership – win_hotfix – win_mapped_drive – win_pagefile – win_power_plan – win_psmodule – win_route – win_security_policy – win_wait_for – win_wakeonlan

Use-case 1: Managing laptops and desktops

Who am I ?

Computer classroom

Individual classrooms

Individual classrooms

Preschool / elementary school in Ghent ● About 60 unmanaged Windows computers – Teachers and students had admin rights – All kinds of Windows versions (XP, Vista, 7, 8, Home, Pro) – All kinds of sofware installed (old, dodgy, trojans ?) ● One volunteer (Mr. Willy) taking care of everything ! – Fixing hardware, cabling, sofware, end-user problems ● Twice a year parents help fixing things at school

Big reorganization in 2016 ● Formed ICT Working Group with parents/teachers ● Cleaned up infrastructure – Inventory of everything, labeling devices, etc. – Complete upgrade to Windows 10 (for consistency) – Gigabit network and wireless connectivity – NAS for sharing documents, video and audio – Ansible for managing classroom/teacher desktops – VPN and remote desktop (for testing and support) ● Now we are looking at managing tablets too (Help!)

Windows desktops !

Playbooks at work – hosts.ini – Manually managed inventory – collect.yml – Automatic asset database – cleanup.yml – Automated cleanup of systems prior to upgrade – wakeonlan.yml – Wake systems prior to access – users.yml – User and group management – config.yml – Configuration management (shares, file assoc., power) – desktop.yml – Desktop-related stuf (shortcuts, look-and-feel) – sofware.yml – Sofware management – update.yml – Patch management – rdesktop.yml & tigervnc.yml – Remote Access via RDP & VNC – onedrive.yml – Disable OneDrive – winrm.yml – Update WinRM config https://github.com/crombeen/ansible

School IT roadmap for 2017 onward ● Running Ansible from Docker on Synology NAS ● Automate more – Managed tiles (now disabled) and start-menu – Disable Intel hotkeys – Bigger mouse pointer – Remove Windows Store + Apps – Printer installation (installer doesn’t allow silent install...) – Group policies solution ? ● Management of tablets ● Technology choices ● STEM-related courses (Scratch, Arduino, ...)

Use-case 2: Automating labs for reproducing support cases

Cisco ACI TAC support labs ● Reproducing complex customer cases is very costly – It can take up multiple days to complete ● Without automation, engineers try to avoid it – With sometimes great consequences ● Ansible ofers repeatable setups from scratch (incl. permutations) – Now it takes 1 hour to 3 hours to build one of X scenarios – Engineers can handle other cases while Ansible builds – Engineers no longer need intimate knowledge of how this was build – Immediate cost savings: eficient use of HW, better support quality/performance

Windows community (Windows working group)

Community building ● Weekly meetings – Tuesdays at 20:00 UTC – Discuss ongoing development, open issues, ideas → Meeting agenda – IRC channel #ansible-windows on FreeNode ● Community wiki – https://github.com/ansible/community/wiki – Collaborate on ideas, plans and progress – Matt Davis*, Jordan Borean*, Jon Hawkesworth, Matt Clay*, Tron Hindenes ● Windows sprints – Whenever we find the time – Focus on fixing issues and reviewing PRs – While improving documentation and assign TODO tasks

Links ● Windows documentation – http://docs.ansible.com/ansible/latest/intro_windows.html – http://docs.ansible.com/ansible/latest/list_of_windows_modules.html ● Example playbooks (elementary school) – https://github.com/crombeen/ansible ● Windows development – module_utils/powershell.ps1 – modules/windows/setup.ps1 – modules/windows/win_service.ps1

Tell me your stories (or talk to me afterwards) https://github.com/crombeen/ansible