Connect to the Environment

Ansible is an agentless configuration management tool. Instead of relying on an installed agent, it uses remote management protocols to communicate with remote hosts.

Ansible uses SSH to connect to Linux hosts and network devices, and WinRM to connect to Windows.

Host connection options

The following are options available to connect to Linux and Windows hosts:

Linux

  1. SSH keys over SSH (22)
  2. Username & password over SSH (22)

Windows

  1. WinRM over HTTPS (5986)
  2. WinRM over HTTP (5985)

Windows authentication options

You can authenticate with Windows hosts using the following methods:

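Option      | Local Accounts | Active Directory Accounts | Credential Delegation | HTTP Encryption
------------|----------------|---------------------------|-----------------------|----------------
Basic       | Yes            | No                        | No                    | No
Certificate | Yes            | No                        | No                    | No
Kerberos    | No             | Yes                       | Yes                   | Yes
NTLM        | Yes            | Yes                       | No                    | Yes
CredSSP     | Yes            | Yes                       | Yes                   | Yes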

The table is taken from docs.ansible.com.

How you set up the remote management is dependent on the environment.

Connect to a Windows Host

Ansible uses PowerShell remoting over WinRM to connect to Windows hosts. Ansible will attempt to connect to a Windows host using WinRM over HTTPS on port 5986. Windows Server does not have PowerShell remoting via HTTPS preconfigured.

We think it best to use Ansible for all the configurations. Having to configure something before you can use Ansible is a chicken-and-egg scenario. You can deal with this problem in one of three ways:

  1. Bootstrap the WinRM configuration;
    • AWS and Azure provide features that allow you to run scripts at startup.
  2. Embed the changes into an image;
    • Build a custom image that has WinRM configured.
  3. Use WinRM over HTTP on port 5985;
    • Windows Server 2012 R2 and later have PowerShell remoting configured on port 5985.

We solved this problem by executing the Ansible playbooks Create Windows Virtual Machine in Azure and AWS. Each of the playbooks contained a configuration for bootstrapping the WinRM configuration with a PowerShell script, ConfigureRemotingForAnsible.ps1.

The script generates self-signed certificates for using HTTPS and modifies the firewall rules to allow HTTPS traffic on port 5986.

Let’s review the sections for bootstrapping in both AWS and Azure playbooks.

Azure

The azure_create_windows_vm.yaml playbook uses a CustomScriptExtension to download and execute the PowerShell script, ConfigureRemotingForAnsible.ps1. Review lines 7 and 9 in the playbook below:

Azure Virtual Machine Extension

AWS

Review the playbook below:

AWS userdata

Here is the breakdown of the highlighted lines:

  • Line-10: With AWS instance user data, you can run configuration scripts during the launch.
  • Line-12: Get contents of ConfigureRemotingForAnsible.ps1.
  • Line-13: Run ConfigureRemotingForAnsible.ps1.
  • Line-14: Create an Ansible user & add to the local Administrators group.

Within the aws_create_windows_ec2_instance.yaml playbook, user data is used to run a PowerShell cmdlet to store the contents of ConfigureRemotingForAnsible.ps1 in a variable. It then uses Invoke-Expression to execute the script.

Test Windows Host Connectivity

Use the win_ping.yaml playbook to test the Windows virtual machine’s connectivity. Review the playbook below:

win_ping.yaml

Ansible communicates with the Windows host over WinRM using NTLM authentication. For this course, you will use the self-signed certificates; that’s why the certificate validation is turned off. The playbook contains a single task that uses the win_ping Ansible module to test the connectivity to remote Windows hosts.

Click on the Run button, and wait for the environment to set up. Once run, you can execute the playbook by running the following command in the terminal of the widget above:

run win_ping.yaml

Replace the <Public Ip Address> with the Public IP address associated with the Azure virtual machine or AWS EC2 instance. When you run the command, a prompt for the password will be displayed; use the same password as in the previous lessons.

The trailing comma (,) at the end of the IP address bypasses the Ansible inventory parser. This allows you to pass a list of hostnames or IP addresses instead of an inventory file.

The output will look like the one below in case of failure or success:

Success

Test Linux Host Connectivity

Use the ping.yaml playbook to test the Linux virtual machine’s connectivity. Review the playbook below:

ping.yaml

The playbook defines a few variables that configure the SSH username and password. Line-12 disables host key checking. The playbook contains a single task that uses the ping Ansible module to test the remote Linux host’s connectivity.

Click on the Run button, and wait for the environment to set up. Once run, you can execute the playbook by running the following command in the terminal of the widget above:

run ping.yaml

Replace the <Public Ip Address> with the Public IP address associated with the Azure virtual machine or AWS EC2 instance. When you run the command, a prompt for the password will be displayed; use the same password as in the previous lessons.
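
Both test playbooks relax a transport check for convenience: win_ping.yaml turns off WinRM certificate validation and ping.yaml disables SSH host key checking. The following is an added example, not part of the course material, that scans playbook text for those settings (plus the HTTP and Basic options from the tables above) before a playbook is reused outside a lab. The rule list and the sample playbook are constructed for illustration, and the variable names are standard Ansible connection variables assumed here because the course playbooks are not reproduced on this page.

```python
import re

# (connection variable, regex for a risky value, finding). The variable names
# are standard Ansible connection variables; the rule set is an assumption.
RULES = [
    ("ansible_winrm_server_cert_validation", r"ignore",
     "WinRM TLS certificate is not validated"),
    ("ansible_winrm_transport", r"basic", "Basic auth: no HTTP encryption"),
    ("ansible_port", r"5985", "WinRM over plain HTTP instead of HTTPS (5986)"),
    ("ansible_host_key_checking", r"(?i)(false|no)",
     "SSH host key checking disabled"),
    ("ansible_ssh_common_args", r".*StrictHostKeyChecking=no.*",
     "SSH host key checking disabled"),
    # Any value that is not a Jinja2 reference such as "{{ password }}"
    ("ansible_password", r"(?!.*\{\{).+",
     "password stored inline instead of prompted or vaulted"),
]
VAR_LINE = re.compile(r"^\s*(ansible_\w+)\s*:\s*(.*?)\s*$")

def audit(playbook_text):
    """Return (line number, variable, finding) for each risky setting."""
    findings = []
    for lineno, line in enumerate(playbook_text.splitlines(), start=1):
        match = VAR_LINE.match(line)
        if not match:
            continue
        name, value = match.group(1), match.group(2).strip("'\"")
        for var, risky, message in RULES:
            if name == var and re.fullmatch(risky, value):
                findings.append((lineno, name, message))
    return findings

# Constructed sample, not the course's win_ping.yaml or ping.yaml.
SAMPLE = """\
- hosts: windows
  vars:
    ansible_connection: winrm
    ansible_winrm_transport: ntlm
    ansible_winrm_server_cert_validation: ignore
    ansible_password: "{{ password }}"
- hosts: linux
  vars:
    ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
    ansible_password: Sup3rSecret
"""

if __name__ == "__main__":
    for lineno, name, message in audit(SAMPLE):
        print(f"line {lineno}: {name}: {message}")
```

The prompted password on line 6 of the sample passes because it is a template reference, while the literal password on line 10 is reported.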

Troubleshooting tips

Missing module winrm
FAILED! winrm or requests is not installed: No module named winrm.

After running the win_ping.yaml playbook, you will encounter the error winrm or requests is not installed. The Python module that supports WinRM connections is not installed by default.

In that case, you can use pip3 to install the missing module pywinrm.

Use pip3 to install pywinrm

Missing program sshpass
FAILED! to use the 'ssh' connection type with passwords, you must install the sshpass program.

Ansible has two methods for connecting to a Linux host:

  1. SSH keys
  2. Username and password

By default, Ansible will opt for SSH keys. You can choose to use a username and password by defining the variable ansible_password. This requires the sshpass package to be installed. You can do that by executing the following command:

Install sshpass

In this lesson, we looked at the following tools and options to connect to Linux and Windows virtual machines:

  1. WinRM to connect to Windows.
  2. SSH to connect to Linux hosts.
  3. Bootstrapping the WinRM configuration on Windows hosts with the PowerShell script ConfigureRemotingForAnsible.ps1.

You learned how to install the following two programs in your environment:

  • sshpass for Linux
  • winrm for Windows