Ansible
apt -y update && apt -y upgrade
apt -y install ansible
v2.10.8
apt -y install ansible-core
v2.12.0
apt -y install sshpass
ansible-galaxy collection install ansible.windows
установить коллекцию модулей
ansible-galaxy collection install community.windows
ansible-galaxy collection list | grep windows
ansible-config dump | grep DEFAULT_MODULE_PATH
путь хранения модулей
apt-get -y install python-dev libkrb5-dev krb5-user
пакеты для Kerberos аутентификации
apt install python3-pip
pip3 install requests-kerberos
nano /etc/krb5.conf
настроить [realms] и [domain_realm]
kinit -C support4@domail.local
klist
ansible --version
config file = None
nano /etc/ansible/ansible.cfg
файл конфигурации
[defaults]
inventory = /etc/ansible/hosts
# uncomment this to disable SSH key host checking
# Отключить проверку ключа ssh (для подключения используя пароль)
host_key_checking = False
Hosts¶
nano /etc/ansible/hosts
[us]
pi-hole-01 ansible_host=192.168.3.101
zabbix-01 ansible_host=192.168.3.102
grafana-01 ansible_host=192.168.3.103
netbox-01 ansible_host=192.168.3.104
[all:vars]
ansible_ssh_port=2121
ansible_user=lifailon
ansible_password=123098
path_user=/home/lifailon
ansible_python_interpreter=/usr/bin/python3
[ws]
huawei-book-01 ansible_host=192.168.3.99
plex-01 ansible_host=192.168.3.100
[ws:vars]
ansible_port=5985
#ansible_port=5986
ansible_user=Lifailon
#ansible_user=support4@DOMAIN.LOCAL
ansible_password=123098
ansible_connection=winrm
ansible_winrm_scheme=http
ansible_winrm_transport=basic
#ansible_winrm_transport=kerberos
ansible_winrm_server_cert_validation=ignore
validate_certs=false
[win_ssh]
huawei-book-01 ansible_host=192.168.3.99
plex-01 ansible_host=192.168.3.100
[win_ssh:vars]
ansible_python_interpreter=C:\Users\Lifailon\AppData\Local\Programs\Python\Python311\` добавить переменную среды интерпритатора Python в Windows
ansible_connection=ssh
#ansible_shell_type=cmd
ansible_shell_type=powershell
ansible-inventory --list
проверить конфигурацию (читает в формате JSON) или YAML (-y) с просмотром все применяемых переменных
Win_Modules¶
ansible us -m ping
ansible win_ssh -m ping
ansible us -m shell -a "uptime && df -h | grep lv"
ansible us -m setup | grep -iP "mem|proc"
информация о железе
ansible us -m apt -a "name=mc" -b
повысить привилегии sudo (-b)
ansible us -m service -a "name=ssh state=restarted enabled=yes" -b
перезапустить службу
echo "echo test" > test.sh
ansible us -m copy -a "src=test.sh dest=/root mode=777" -b
ansible us -a "ls /root" -b
ansible us -a "cat /root/test.sh" -b
ansible-doc -l | grep win_
список всех модулей Windows
ansible ws -m win_ping
windows модуль
ansible ws -m win_ping -u WinRM-Writer
указать логин
ansible ws -m setup
собрать подробную информацию о системе
ansible ws -m win_whoami
информация о правах доступах, группах доступа
ansible ws -m win_shell -a '$PSVersionTable'
ansible ws -m win_shell -a 'Get-Service | where name -match "ssh|winrm"'
ansible ws -m win_service -a "name=sshd state=stopped"
ansible ws -m win_service -a "name=sshd state=started"
win_shell (vars/debug)¶
nano /etc/ansible/PowerShell-Vars.yml
- hosts: ws
` Указать коллекцию модулей
collections:
- ansible.windows
` Задать переменные
vars:
SearchName: PermitRoot
tasks:
- name: Get port ssh
win_shell: |
Get-Content "C:\Programdata\ssh\sshd_config" | Select-String "{{SearchName}}"
` Передать вывод в переменную
register: command_output
- name: Output port ssh
` Вывести переменную на экран
debug:
var: command_output.stdout_lines
ansible-playbook /etc/ansible/PowerShell-Vars.yml
ansible-playbook /etc/ansible/PowerShell-Vars.yml --extra-vars "SearchName='LogLevel|Syslog'"
передать переменную
win_powershell¶
nano /etc/ansible/powershell-param.yml
- hosts: ws
tasks:
- name: Run PowerShell script with parameters
ansible.windows.win_powershell:
parameters:
Path: C:\Temp
Force: true
script: |
[CmdletBinding()]
param (
[String]$Path,
[Switch]$Force
)
New-Item -Path $Path -ItemType Directory -Force:$Force
ansible-playbook /etc/ansible/powershell-param.yml
win_chocolatey¶
nano /etc/ansible/setup-adobe-acrobat.yml
- hosts: ws
tasks:
- name: Install Acrobat Reader
win_chocolatey:
name: adobereader
state: present
ansible-playbook /etc/ansible/setup-adobe-acrobat.yml
nano /etc/ansible/setup-openssh.yml
- hosts: ws
tasks:
- name: install the Win32-OpenSSH service
win_chocolatey:
name: openssh
package_params: /SSHServerFeature
state: present
ansible-playbook /etc/ansible/setup-openssh.yml
win_regedit¶
nano /etc/ansible/win-set-shell-ssh-ps7.yml
- hosts: ws
tasks:
- name: Set the default shell to PowerShell 7 for Windows OpenSSH
win_regedit:
path: HKLM:\SOFTWARE\OpenSSH
name: DefaultShell
` data: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
data: 'C:\Program Files\PowerShell\7\pwsh.exe'
type: string
state: present
ansible-playbook /etc/ansible/win-set-shell-ssh-ps7.yml
win_service¶
nano /etc/ansible/win-service.yml
- hosts: ws
tasks:
- name: Start service
win_service:
name: sshd
state: started
# state: stopped
# state: restarted
# start_mode: auto
ansible-playbook /etc/ansible/win-service.yml
win_service_info¶
nano /etc/ansible/get-service.yml
- hosts: ws
tasks:
- name: Get info for a single service
win_service_info:
name: sshd
register: service_info
- name: Print returned information
ansible.builtin.debug:
var: service_info.services
ansible-playbook /etc/ansible/get-service.yml
fetch/slurp¶
nano /etc/ansible/copy-from-win-to-local.yml
- hosts: ws
tasks:
- name: Retrieve remote file on a Windows host
# Скопировать файл из Windows-системы
ansible.builtin.fetch:
# Прочитать файл (передать в память в формате Base64)
# ansible.builtin.slurp:
src: C:\Telegraf\telegraf.conf
dest: /root/telegraf.conf
flat: yes
register: telegraf_conf
- name: Print returned information
ansible.builtin.debug:
msg: "{{ telegraf_conf['content'] | b64decode }}"
ansible-playbook /etc/ansible/copy-from-win-to-local.yml
win_copy¶
echo "Get-Service | where name -eq vss | Start-Service" > /home/lifailon/Start-Service-VSS.ps1
nano /etc/ansible/copy-file-to-win.yml
- hosts: ws
tasks:
- name: Copy file to win hosts
win_copy:
src: /home/lifailon/Start-Service-VSS.ps1
dest: C:\Users\Lifailon\Desktop\Start-Service-VSS.ps1
ansible-playbook /etc/ansible/copy-file-to-win.yml
curl -OL https://github.com/PowerShell/PowerShell/releases/download/v7.3.6/PowerShell-7.3.6-win-x64.msi
nano /etc/ansible/copy-file-to-win.yml
- hosts: ws
tasks:
- name: Copy file to win hosts
win_copy:
src: /home/lifailon/PowerShell-7.3.6-win-x64.msi
dest: C:\Install\PowerShell-7.3.6.msi
ansible-playbook /etc/ansible/copy-file-to-win.yml
win_command¶
nano /etc/ansible/run-script-ps1.yml
- hosts: ws
tasks:
- name: Run PowerShell Script
win_command: powershell -ExecutionPolicy ByPass -File C:\Users\Lifailon\Desktop\Start-Service-VSS.ps1
ansible-playbook /etc/ansible/run-script-ps1.yml
win_package¶
nano /etc/ansible/setup-msi-package.yml
- hosts: ws
tasks:
- name: Install MSI Package
win_package:
# path: C:\Install\7z-23.01.msi
path: C:\Install\PowerShell-7.3.6.msi
arguments:
- /quiet
- /passive
- /norestart
ansible-playbook /etc/ansible/setup-msi-package.yml
win_firewall_rule¶
nano /etc/ansible/win-fw-open.yml
- hosts: ws
tasks:
- name: Open RDP port
win_firewall_rule:
name: Open RDP port
localport: 3389
action: allow
direction: in
protocol: tcp
state: present
enabled: yes
ansible-playbook /etc/ansible/win-fw-open.yml
win_group¶
nano /etc/ansible/win-creat-group.yml
- hosts: ws
tasks:
- name: Create a new group
win_group:
name: deploy
description: Deploy Group
state: present
ansible-playbook /etc/ansible/win-creat-group.yml
win_group_membership¶
nano /etc/ansible/add-user-to-group.yml
- hosts: ws
tasks:
- name: Add a local and domain user to a local group
win_group_membership:
name: deploy
members:
- WinRM-Writer
state: present
ansible-playbook /etc/ansible/add-user-to-group.yml
win_user¶
nano /etc/ansible/creat-win-user.yml
- hosts: ws
tasks:
- name: Creat user
win_user:
name: test
password: 123098
state: present
groups:
- deploy
ansible-playbook /etc/ansible/creat-win-user.yml
nano /etc/ansible/delete-win-user.yml
- hosts: ws
tasks:
- name: Delete user
ansible.windows.win_user:
name: test
state: absent
ansible-playbook /etc/ansible/delete-win-user.yml
win_feature¶
nano /etc/ansible/install-feature.yml
- hosts: ws
tasks:
- name: Install Windows Feature
win_feature:
name: SNMP-Service
state: present
ansible-playbook /etc/ansible/install-feature.yml
win_reboot¶
nano /etc/ansible/win-reboot.yml
- hosts: ws
tasks:
- name: Reboot a slow machine that might have lots of updates to apply
win_reboot:
reboot_timeout: 3600
ansible-playbook /etc/ansible/win-reboot.yml
win_find¶
nano /etc/ansible/win-ls.yml
- hosts: ws
tasks:
- name: Find files in multiple paths
ansible.windows.win_find:
paths:
- D:\Install\OpenSource
patterns: ['*.rar','*.zip','*.msi']
` Файл созданный менее 7 дней назад
age: -7d
` Размер файла больше 10MB
size: 10485760
` Рекурсивный поиск (в дочерних директориях)
recurse: true
register: command_output
- name: Output
debug:
var: command_output
ansible-playbook /etc/ansible/win-ls.yml
win_uri¶
nano /etc/ansible/rest-get.yml
- hosts: ws
tasks:
- name: REST GET request to endpoint github
ansible.windows.win_uri:
url: https://api.github.com/repos/Lifailon/pSyslog/releases/latest
register: http_output
- name: Output
debug:
var: http_output
ansible-playbook /etc/ansible/rest-get.yml
win_updates¶
nano /etc/ansible/win-update.yml
- hosts: ws
tasks:
- name: Install only particular updates based on the KB numbers
ansible.windows.win_updates:
category_names:
- SecurityUpdates
- CriticalUpdates
- UpdateRollups
- Drivers
` Фильтрация
` accept_list:
` - KB2267602
` Поиск обновлений
` state: searched
` Загрузить обновления
` state: downloaded
` Установить обновления
state: installed
log_path: C:\Ansible-Windows-Upadte-Log.txt
reboot: false
register: wu_output
- name: Output
debug:
var: wu_output
ansible-playbook /etc/ansible/win-update.yml
win_chocolatey¶
- name: Ensure Chocolatey installed from internal repo
win_chocolatey:
name: chocolatey
state: present
# source: URL-адрес внутреннего репозитория
source: https://community.chocolatey.org/api/v2/ChocolateyInstall.ps1