Manage Windows like Linux with Ansible

Captions
Oh, thanks. Thanks for being here, you guys. Hopefully, if you're getting the late-afternoon food coma thing from lunch, this will wake you up a little bit, like talking about Windows for 45 minutes. Just a little bit about me: my name is Matt Davis, I'm a senior principal software engineer on Ansible Core, and I spend a fair amount of my time dealing with Windows. Windows has been putting food on my table for a really long time. I've spent some time in the Linux world, I've spent some time as a Mac user, I've spent a lot of time in the Windows world, and you know, it's a really great thing, it's something that I like a lot. I came to Ansible through a startup where we got a mandate from our CTO to automate a bunch of AWS stuff that was really expensive. We had a dev stack running in our AWS stuff; the machines we used at the time were a c2 8XL, so if you know how big that is, that's a really expensive AWS machine, and we would run a whole bunch of them. So people would just spin up a dev stack, and it'd take you like a day to do it manually, and then nobody wanted to tear it down, so they'd just sit out there. So this little startup of, you know, like 10 people or so, we got our first AWS bill for 20 grand, and there was a little bit of angst about that. So the CTO said, you know what, I'm gonna write a thing that's gonna go out every night and nuke everything that's not marked production, so you guys probably better start working on some automation. So nothing like baptism by fire, right? So, you know, I went out and took a look, and this task for whatever reason ended up falling to me, so I went out and looked at it. I'd looked at Puppet, I looked at Chef, I looked at a few other things, and just kind of, like, you know, this is too hard, there's, like, a lot of stuff, I don't want to own this forever. I want to kind of build this thing and I want to move on, get back to doing the stuff that I normally do as a developer. I don't want to have to own and babysit this automation stuff all the time. So somebody pointed me at Ansible, I got ahold of it, and you know, within about 15 minutes I was doing real stuff, and I was converted. I was singing the praises of Ansible going forward. And, you know, long story short, that startup didn't do really well, for reasons that had nothing to do with Ansible, and after it folded I had a friend that said, you know, I got a friend that works at Ansible, like you guys should talk, because by that point I had actually started making some contributions to the open-source side of Ansible, and I really enjoyed it. So that was actually where I ended up going from that startup. I came over to Ansible, spent about a year out in the field doing services work with Ansible, helping customers kind of apply DevOps things, figure out how Ansible should fit into their workflow and into the things that they do every day. And, you know, you get to see the whole gamut there, from people that really get it and are, like, extending Ansible and doing all these things, to, like, "What's DevOps? I don't understand." So it's been a fun ride, but I got to the point where, on the days off where I was not doing consulting gigs, I would start working on the fairly rudimentary Windows support that Ansible had at the time, and it got to a point where I missed kind of doing product engineering stuff every day. So I came back, and it was right around the time of the Red Hat acquisition that there were resources available to allow me to start working on this full-time. The core team was all like, "We don't have to touch the Windows stuff anymore? Great, please take it." So it was not a hard sell to move on to the core team, and that's where I've been ever since, and I love it. So as you may have gathered, I kind of love Windows. Like, I don't maybe love it quite as much as these guys, but I really do like Windows.

So before we get going here too fast, just a couple of quick poll questions for the room. How many people in here hate Windows? Really? Are you being honest? That's actually a really small number; I'm amazed, because usually when I do this talk other places, about two-thirds or more of the room raises their hand. Okay, how many of you are using Ansible today? All right, sweet. How many of you are using Ansible to manage Windows today? Okay, good, a roomful of people to convert. It's looking like maybe about a third of you are doing that, for the people in the front that couldn't see back there. One more poll question, then, real quick: how many of you know this movie? Okay, well, for those of you that don't, let me give you a quick summary, because it'll be relevant later. So this is a 90s teeny bopper flick; it's a remake of Shakespeare's Taming of the Shrew. It stars Kat and Patrick, and Kat's kind of a man-hating, you know, she just doesn't like guys, and her little sister isn't allowed to date until she is, kind of a ploy by her father to try and preserve her little sister's innocence. And so somebody ends up paying Patrick to take her out, and she initially hates him and all of his bad habits, but eventually she kind of falls for him, and at the end of the movie she reads him a poem describing a whole bunch of things that she hates about him, but then kind of how she's changed her tune about him. So I'll have my own version of that poem for you guys at the end of today's presentation.

So with that, let's get into this. The first thing that people usually hate about Windows is it's not SSH. So if you're coming at this from a Linux management thing, especially if you've been using Ansible, Ansible speaks SSH by default, right? If you need to go in and manage something, SSH is a really great protocol. It's got lots of really nice, flexible things around authentication, it's pretty resilient to crummy connections, it's a pretty great thing. Windows, on the other hand, uses WinRM, which is this HTTP SOAP-based, you know, XML remote shell protocol that's obviously a product of the early 2000s, and it's pretty funny if you ever actually have to look at it, down at that layer where I do sometimes. But it gets the job done. You don't have to care about that as a user, because WinRM gets the job done. Okay, it's a remote shell protocol; you can do all the same kinds of things you can do through SSH. It's a non-interactive logon, which causes some problems sometimes, because you don't have all the things like credential caches, and the Data Protection API doesn't work. There's a few things that don't work for you in a non-interactive login; we in Ansible have ways of taking care of some of those things. It uses a different connection plugin. So, you know, again, Ansible by default speaks SSH, but if you weren't aware of this, there's a pluggable connection transport layer where we can switch out the protocol that Ansible uses, so that you can use SSH, you can talk over Docker, you can talk over AWS Run, you can talk over chroot, there's a whole bunch of different things where you can kind of switch that out. So one of the other ones that we ship in the box is WinRM. Another thing that we get asked about a lot around SSH on the Windows side is, you know, "Hey, Microsoft's been working on this OpenSSH port, like, when are you guys going to work with that?" Microsoft has actually finally, I think, shipped a 1.0 of that thing, finally, and while they aren't shipping it in the box with Windows yet, they sort of are: it's an installable feature on, I think, Server 1709 and a couple of the latest Windows 10 builds, but the rumor is that Server 2019 will actually ship this thing in the box. So that's around the time where we're gonna start, you know, we actually do have a proof of concept of this working already, to do Ansible management of Windows over that OpenSSH, using Microsoft's OpenSSH server. So it's a thing we're paying attention to, and the proof of concept kind of brought out a couple of things that we knew were gonna be issues, and there are things that we need to change, some little architectural rough edges in Ansible. There's some kind of SSH-isms and POSIX-isms that are a little too tightly ingrained in there, some things we need to move around to make that really work as something that's very seamless, to just be like, "Sure, use WinRM, use SSH, whatever." But so today, if you want to do this, it's gonna be WinRM.

So let me show you how quick and easy it is to get connected up to a Windows machine. We're gonna just do it from scratch right here. I have a brand new Windows Vagrant VM here; this machine has never been set up for WinRM. So pretty much all modern versions of Windows ship with WinRM in the box, but it is not turned on, except on the very latest ones, so we have to do something to turn it on. Now WinRM supports a couple of different models. It's HTTP, so the default stuff, if you just use, there's a tool called winrm quickconfig that you can run that will go and just kind of light up WinRM on an HTTP listener. It expects to use message encryption, so it's still a pretty secure way to do things, because the actual payloads and everything are encrypted. But we also ship a script that will turn it on and set up the user stuff and make sure everything's working right, and it'll set it up with HTTPS and a self-signed certificate. So I'll demo that for you today, but just know that message encryption is also an option. It's a fairly recent option, because it's much more complex to deal with on the pywinrm library that actually is doing all of the WinRM communication. So I'm just gonna run this. I have a local copy of it here, because we don't trust conference Wi-Fi. It's just called ConfigureRemotingForAnsible, and if you look in the Ansible Windows docs on how to get started, we point you to this script. But again, if you're doing message encryption, winrm quickconfig works just as well. So this is going to go out, it's going to create a self-signed cert, set up an HTTP listener, make sure everything's turned on and configured. It'll run for a couple seconds, check out some stuff. Now this Windows machine is ready to be managed over WinRM.

So from the Ansible side, the very first thing we need to do: so I told you that Ansible ships with the WinRM connection plugin. That's true. It does not, however, ship with the pywinrm dependency that is used by the winrm connection plugin, so that's something you need to install. It is available in EPEL, I believe, if you're doing it that way; I'm gonna just do pip, so we'll just do pip install pywinrm. Okay, poof, we have pywinrm. Now we're gonna create an inventory from scratch to talk to this Windows machine. So we'll just create a hosts file, and we'll say, give me that, and we'll go ahead and put it in a group called win. We'll just make a group called win, and then we'll set some vars for everything that's going to be in the win group. So the very first thing, we need to give it a username and password, and I just happen to know, since this is a Vagrant box. Now if this were a Linux machine and you had password authentication turned on, you'd be done, right? Like, Ansible speaks SSH, everything's cool. If you try to speak SSH to a Windows machine that doesn't have SSH installed, you're gonna be talking to dead air. So the first thing we need to do is tell Ansible, hey, this thing's speaking WinRM, so we'll say ansible_connection equals winrm. And, remember I said there's a couple ways we can talk to this thing: if you're doing the HTTP message encryption stuff, again, because the message encryption stuff didn't exist back when we first did all of this, we default to expecting to talk over HTTP. So we either need to tell it, hey, we're using a self-signed cert, don't try to validate it, because you're not going to get there, or we need to tell it, use HTTP on port 5985. So we're gonna go with the SSH route, or the SSL route, today, so we'll say ansible_winrm_server_cert_validation equals ignore. So the default on that is, again, we default to secure, so we assume that you've actually, like, distributed and properly validated all certs; this is just a switch that lets you turn that off. So if I've done everything right here, that's a big "if", live demos, and all right. So if I've done everything right here, I should be able to ping this machine now. Now you'll notice when I do this, I'm gonna say ansible, we want to target the win group that we just created. It just has that one host in it, but as with SSH or anything else, you can talk to Windows hosts in parallel the exact same way; you can talk to five hosts, 100 hosts, as long as you've got a beefy enough control machine. We want to tell it that we're gonna use the hosts file that we just created, and we're gonna tell it we want to run the win_ping module. Now a common mistake that people make here is assuming that the modules are the same between the Linux and the Windows side. Now we try to keep the UI as similar as possible on modules that do the same thing, so on the POSIX side you have a ping module; on the Windows side we preface almost all of the modules with win_ to, you know, differentiate, because the implementations are very different, as we'll talk about here in just a minute. So if I've done everything right, okay. Now this doesn't look too Windows-y, does it? Like, this looks pretty much the same as if you were talking to a Linux machine. I think there's nothing too scary about that. So that's really all it takes to get that going. It's pretty easy to talk to a Windows machine, and now, you know, this thing is manageable. We can run all the Windows modules we want; everything's gonna work pretty much exactly as we expect.

Okay, so the next thing people hate about Windows: PowerShell. Like, my personal first experience with PowerShell, I hated it. It's so verbose, it's just kind of clunky. Like, there was something I just didn't like about it, I couldn't explain it, but, you know, after spending many years in a POSIX-y command line environment, I just didn't like PowerShell. Once I started actually coding, you know, like doing real work in PowerShell and stringing things together, I kind of fell in love with it. I guess if you're not familiar with the object pipeline in PowerShell, it's magic, I mean, compared to, when you get structured output from all of the commands and you can just dot into things, and you have, like, full object graphs coming out of something, instead of a big stream of text that you're cutting and sedding and awking and doing all sorts of nasty things to pluck little bits out of, and then good luck if, you know, somebody revs the output of the tool and it changes a little bit, and all your seds and awks and cuts need to be hacked up. PowerShell doesn't have that problem, because you have structured output coming in; you're just dotting into it, like, give me the interface ID of that NIC or whatever, from, you know, it doesn't matter, it's very stable. And the other big reason that PowerShell was chosen as the implementation language for Ansible modules, so all of the modules that we ship inside Ansible for Windows are written in PowerShell, and the reason that that was done is because we wanted to choose the thing that's just there, right? WinRM ships in the box, PowerShell ships in the box. It would be really easy, and actually, in the very early days of Ansible, there were people that were actually doing Windows management using Python modules, either, you know, hacked-up versions of the Linux Python modules that existed, or people were making, like, Windows-specific Python modules. But now you have to go install Python on all those machines before you can manage them. It's really nice to just deal with the stuff that's in the box, so that's the reason that PowerShell was chosen there. The other great thing about using PowerShell for this is that we can use .NET. .NET has a huge amount of stuff available to us for machine management and very, you know, complex data handling, and just, .NET is very, very powerful, and it's great to have access to that when we're building modules to do things. So Ansible requirements for PowerShell: we need PowerShell 3 and higher on Windows 7 or Server 2008 and higher. So if you have a Vista machine, please don't tell me you're trying to manage Vista machines, but if you have Vista, or if you have, you know, I get occasionally people ask us about XP or Server 2003, sorry, like, you can't manage that this way. There are some kind of limited ways that you can use Ansible to manage those things: you can use things like the win_psexec module, you can do multi-hop stuff through PowerShell remoting, and so there are some options there, but they're not great. Like, hopefully you're managing more modern stuff. The other really cool thing that's happening with PowerShell is that, by having PowerShell available, we have access to the entire universe of DSC resources that are being built. So there's a very active community on the Microsoft side that builds these DSC management resources, and Ansible has a module called win_dsc that ships in the box that allows you to call any of those DSC resources as if they were an Ansible module. So you can use them from a playbook, and it just works. So if there's something that you can't do in Ansible but there's a DSC resource for it, as long as you've got PowerShell 5.1 or better on those target machines, you can use the DSC resource. So do be aware of what's going on out there in the DSC world as well, because those things play nicely with Ansible too.

Next thing everybody hates: dealing with Windows app installation and maintenance. So, you know, on a Linux system, on pretty much anything modern these days, there's a package manager of some kind. I don't have to care where the thing lives; it has package metadata, it has version metadata; I can tell if I've got the latest without just going in, like, reading a website; I can, you know, do things like apt update, yum update, like, just get me up to date on whatever's here. So Windows has historically been kind of missing that. You know, you have the Windows Store, but it's not really all that automatable, and most things still aren't available in the Windows Store. So the best thing that we've got there, and it's a great thing, there's a community project that started a few years ago called Chocolatey, and Chocolatey actually gives you a package manager for Windows, and a community resource that hosts them, and then people can go and manage and create packages that wrap EXEs and MSIs and things like that. And they don't necessarily have to be hosted on the Chocolatey site; they can just be a pointer, so that, you know, Chocolatey is basically just kind of a metadata broker for these things. But the great thing about having Chocolatey available to us now is it gives us that metadata that's important, like, is this thing installed, and is it the latest version, or is it this specific version. So we have a module in Ansible that wraps up Chocolatey called win_chocolatey. If at all possible, when you're doing app installation and maintenance things, use Chocolatey. It's really easy to build your own as well; you can host a Chocolatey server behind your firewall. It's based on NuGet, so, I mean, if you're used to kind of dealing with things in the Windows dev world, NuGet is something that you're probably aware of. So it's based on NuGet: you just host a NuGet server behind your firewall, you can post your own private packages to your own server if you don't want to, you know, if you're not using stuff that's in the public one. So, you know, use Chocolatey if at all possible, because that's what gives you the capability to do idempotent package installations on Windows.

Now, if for whatever reason Chocolatey is not an option for you, but you've got EXEs and MSIs hanging out on file shares and things, we also have the win_package module. Now it tries to be idempotent if you do a little bit of work. So for things that, you know, for MSIs, it just kind of works: like, you can give it an MSI and say, I want to make sure that this package is installed, and it'll do the right thing. For EXEs, you know, setup.exe kind of things, it's a little harder; you have to go, like, look up the product code, so that we can tell if the thing is installed or not. You actually have to specify the product code, because there's no standard way of doing that in the EXE. So again, if you look in the module instructions, it'll tell you kind of where to look for that stuff and how to figure it out. But we also ship, there's one in the box called win_msi that's been in there since, like, Ansible 1.7; it was one of the very first Windows modules. Don't use that; it's been deprecated. win_package has superseded it in every way, so use win_package if you can't use win_chocolatey.

So I'm just going to give you a real quick demo of the win_chocolatey module, and this is the one part of my demo that does require the Internet, so hopefully nobody is, like, you know, streaming cat videos or anything right now on the conference Wi-Fi. So let's take a look at this. So this is a really simple playbook that just drives the win_chocolatey module. Again, you know, you're seeing the standard Ansible playbook syntax here, right? I mean, the module name is different, but everything else, this is all normal, like, Ansible stuff. There's no "Windows Ansible" here; it's all just Ansible. So all we're doing is we're just executing the win_chocolatey module and we're saying we want to see the procexp package, and its state should be present. So that's a really simple thing. So if I just do ansible-playbook, use my hosts file that we created earlier, and then run chocolatey.yml. Now the very first thing this is gonna do, this is a brand new machine, I've never installed Chocolatey on it; the module knows that, it's gonna go out and say, oh, Chocolatey's not here, or it's not up-to-date, let's go ahead and install Chocolatey first. So the module right now is downloading and installing Chocolatey on that target, and so it'll take a little longer the first time, because there's a bunch of extra stuff that's going on. It's quite a bit faster once Chocolatey's been installed, and so we'll see how slow the conference Wi-Fi is today. Oh, that's not bad, okay. So it comes back; there's a warning that says, like, you know, we had to do a Chocolatey upgrade because it wasn't there before, and then we see that it's changed. So if I run this again, it should come back very quickly, because Chocolatey is already installed and the package that we asked for is already there. So again, idempotent operation, just like you would expect from Ansible, and everything's there. So, you know, just to show you there's nothing up my sleeve here, we'll go back to our Windows machine here, and if I run procexp, we should see Process Explorer come up. Yay, okay, it works.

So the next thing everybody loves to hate about Windows: you can't do anything on Windows without rebooting, am I right? So rebooting things when you're doing configuration management is kind of painful, especially push-mode configuration management, right, where I'm reaching out to a thing, and somewhere in the management of this thing the machine disappears on me because it got rebooted. So this is a hard problem to solve. I've actually had this discussion with a couple of people here that were kind of begging for a Linux version of a reboot module. So we ship a thing in Ansible called win_reboot that takes care of all of that stuff for you. It takes care of the nastiness of, like, you know, did this machine go down, and did the reboot succeed, do I actually have rights to reboot it? Like, it takes care of all of that nastiness in a single task. So you just say win_reboot, and your playbook basically will pause until the machine is responding again to management requests on whatever your protocol happens to be, whether it's WinRM or SSH, whatever. It makes that trivial to do. So, you know, when you're doing some kind of a complex orchestration, if you're doing software updates, if you're doing NIC updates, if you're doing things that need to reboot the machine, it's okay, like, we can deal with it. And there was a community guy that actually pulled out about half the code out of the back end of the win_reboot module and made his own thing called wait_for_connection. So any of you that have seen that action before, it's basically the second half of the reboot: it's like, you know, poke at this thing until it answers on the management protocol and is properly available for management. So this is a nice thing if you're doing things with clouds: you know, you're standing up something in the cloud and you want to kind of bang on it until it's ready; like, wait_for_connection is a great way to do that, and that one, wait_for_connection, is agnostic. Like, it will work on Linux machines as well as, you know, Windows, anything.

The next one everybody loves to hate, and actually we'll also see a demo of the reboot stuff later, but the next thing everybody loves to hate about Windows, of course, is Windows Update. So I don't know about you, but when I owned a bunch of Windows machines and we had to do things within a maintenance window, it was always kind of a nightmare. We'd use SCCM, we'd use some other, you know, third-party products to try and do patch management, but hardly any of them do anything kind of synchronously. It's all like, I've got an agent running over there, and, like, you know, maybe you can poke the agent and it'll do some stuff, but, you know, as much automation as we tried to throw at this thing, there were always cases where we'd end up logging into the machine and, like, clicking the Windows Update button and just waiting for it to run. I mean, I'm sure people here have had the same experience. Windows Update, the win_updates module that we ship in Ansible, is, like, basic synchronous updates. It's, again, kind of like the win_reboot: there's a bunch of complexity under the covers there around download stuff, apply things; if the machine needs to reboot, it will go ahead and reboot it; if you need to do three or four cycles of that, it's fine. It's all completely hidden from you. So all you have to do is say win_updates, give it a category, tell it what you want, and it'll use whatever your configured update sources are. So, you know, an out-of-the-box Windows machine is going to use, like, the public Windows Update server, but if you're using WSUS in your org, or using some other software update source, whatever the configured source is on the machine, that's what win_updates is going to use. Now the other nice thing that's really new in Ansible 2.5: so it used to be, one of the things that, remember I said there's things that you can't do in WinRM, one of the things, amazingly, one of the things you can't do in WinRM is use Windows updates. You can't apply Windows updates, you can't apply hotfixes. So there's some really weird little tricks that we had to do to make that work. So before 2.5, it was, like, run those things in a scheduled task. So, you know, it's, like, start a scheduled task that does all these things and then kind of report back, and the scheduled task thing was kind of janky sometimes, and, like, if you ran it as two different users, that would get upset, and there were just some weird cases in there. So in 2.5 that stuff is gone; it will actually transparently run the stuff under an interactive session as SYSTEM, and then we also added, as I mentioned, the auto-reboot capability. So this is what a win_updates task looks like. This one task will update a machine with everything that's sitting out there for critical updates; it will reboot it as many times as it needs to, and then you can also do things like blacklist KBs, you know, so if there's a brand new KB, or, you know, there's one that's problematic, you can give it a blacklist to say, like, you know, don't install this. You can also go the other way with it: there's also a whitelist that was added in 2.5, so you can say, only, oh, you know, there are these three really critical things that we need, only install those, don't worry about any others right now. So blacklist, whitelist, lots more flexibility there that was added in 2.5. Very nice stuff.

Everybody hates IIS, right? To be fair, it has gotten a whole lot better. I mean, I was doing things back in, like, IIS 2, IIS 3 time, and, like, IIS 6, 7, 8, like, it's gotten a whole lot better. It's a lot more Apache-like, but IIS still can be a pain to deal with sometimes. Ansible gives you some very basic modules for dealing with the things that you need to do to deploy stuff into IIS. So you can create websites, you can configure listeners, you can do basic web app stuff, you know, creating an app pool, managing app pool identities, like, setting up virtual directories, all those kinds of things, just the basics. But again, there's also a bunch more stuff in DSC if you need to do something that we don't provide. So it can make dealing with IIS a lot less painful: you're not dealing with XML, you're not dealing with metabases, you're not doing all the things that make people lose hair dealing with IIS. So just a couple of samples here. Again, so this creates the web, this basically, like, ensures that the website that ships with IIS, if you, you know, as soon as you install IIS, it's going to create a site called Default Web Site that sits at C:\inetpub\wwwroot. So this just says make sure that's there, and then the next task here, we're just creating a web app called Orchard CMS, and we're putting it underneath inetpub\wwwroot\orchard, and it'll go and make sure that that's all there and then configured properly for the users that need to access it.

Our registry. So this is one of the very common Windows problems; the registry seems to be really scary to people who don't know what it is, but, you know, it's just, it is the Windows configuration store. Pretty much anything that needs to store settings, the registry is where it lives on Windows, unless it's a cross-platform thing, and then, you know, maybe it'd have a config file. But pretty much anything that's Windows-native, it's gonna live in the registry. So Ansible provides you the basic tools that you need to manage individual key values in an idempotent fashion, and that's the win_regedit module, and there's also a bulk import that can do idempotent bulk import setup, and that's win_regmerge. So if you've, you know, exported a set of crypto settings or some other thing like that, or you've got a whole bunch of reg keys that you need to manage and you don't want to do it in a loop, you can either template the thing out into a registry file and use win_regmerge, or you can export it from kind of, you know, a golden master machine, or whatever you need to do. So just a couple of samples of what that looks like. Again, just win_regedit: we're gonna give it a path to a key, and we're gonna give it the name of the value, and then the actual value we're gonna stick in there. And then win_regmerge, obviously very simple: you just give it a path to a file and say, like, make sure this stuff is in the registry, and it's again idempotent, just like normal; if there's nothing to do, it'll come back and say, I didn't do anything.

So services is another kind of unique Windows thing, although, you know, it feels like systemd kind of borrowed a lot of ideas from the Windows Service Control Manager. But you'll notice that when you're dealing with this in Ansible, we make this look very much like the service module that tries to abstract at least the basics of the various init systems; the win_service module looks very similar to those. I'll show you that example in a second, but it does the things that you need to do, though; it gives you really fine control over all of the service behaviors that you can do in Windows. So the kind of who, what, when, how: like, when should this service start, like, what's the service identity, is the service enabled or not, like, does it have a delayed start, what do I do when the service dies, those kinds of things; the win_service module gives you control over all that. So a couple examples of this one. So the first one is just, make sure the IIS service is running: we just give it the service name and state running; doesn't get much simpler than that. And then the second one's a little more complex, so we're saying make sure that the firewall service is not running, and then we set the start mode on it to disabled. So this is another one of those places where we diverged a little bit from the Linux service module UI, because the Linux service module, instead of start mode, it has enabled, so you can say enabled yes or no. But Windows is a little more complex than that, right, because you have manual start, auto start, disabled, delayed start, and I think there's even one new one now in one of the newer versions. So there's a lot more options that you have to deal with, so this is a choice where we made the choice to actually diverge the UI a little bit from the service module, to make sure that we could support those extra things instead of just a boolean enabled or not.

Domains. So domains can be kind of the bane of people's existence. I know back when I was doing things, we needed to do, like, software testing where we actually had software that ran under a domain environment, and it was a real pain, because, like, standing up a domain in a test environment, like a throwaway domain, is kind of a hard thing. So we'd end up having this, like, domain controller that would get slower and slower and slower the more tests we ran against it, and so we'd have to go in every few months, blow the thing away, and start it over. So Ansible makes this, like, a non-issue. Like, in Ansible you can stand up a domain, you can stand up an entire new domain and domain controller in a new forest with a single task. So I'll show you that in a second. Domains make auth kind of complicated on the Ansible side. We support all of the options that WinRM makes available, so you can auth with NTLM, you can auth with Kerberos, you can do CredSSP, and then for non-domain stuff you can do basic auth and certificate auth. So all those options are available to you if you have a domain environment, and, as I said, Ansible makes throwaway domains really easy; I've got a task that will show that in a second. It's easy also to promote and demote domain controllers, and then it also makes, like, leaving and joining a domain very easy for domain member servers and for workstations. And then we also are starting
to bring in some modules for doing basic domain domain object management so things like users and oh use and machine accounts and things like that so those things are just starting to filter in expect more of those in the next couple of releases so creating a brand new domain from scratch one task so we give it the domain name the DNS domain name and it goes out and talks to the target machine and says hey target machine do you see a domain here and if it doesn't it's like okay I'm gonna make you a domain controller then and then the only thing we need to know the minimum thing we need to know to create a new domain in new forest is just what's the safe mode password gonna be that's it so that thing will that thing takes care of it and then the next one is just to create a domain user you know we're creating somebody we're giving him a we're giving the user principal name in that you know user @ domain format and then we're telling it what groups the guy should be in pretty easy so I'm going to show you I'm actually gonna do a domain unjoin domain join demo here real quick so I have a playbook here called join domain so the very first thing we have to do again this is using my machine that I just stood up here and so if you're if you've got DHCP and everything's working you know then you don't need this part of it you know if the machine already comes up and is using the domain controller or the thing to be the domain controller as its DNS server you don't have to do this part but since these are just a couple of vagrant boxes I need to tell it like hey use the use the domain controller as your DNS server so that you can find all the you know that you can locate the domain controller basically when I ask you for it so the real meat of it though is this middle task the wind' domain membership task so again we tell it what's the dns domain name we want to join ansible about vagrant we give it a whole we can optionally change the host name if we want I'm gonna just 
make it new host 3 and then we put the domain admin user and password in plain text don't do it this way please this is this is for demo purposes only if you were doing this for real you would use like ansible vault or you would look it up out of a password you know password vault something like that so you would you would have that be a variable that is sourced from something but not sitting in plain text but this is a demo and like I'm not worried about you guys breaking into my machine with my super secure password there so and then the last thing we do is we say we want the thing to be in the domain state so the other option there is workgroup so if we switch that to workgroup then it would you know put us in a workgroup named whatever we have to specify a workgroup name that we want it to be now the last thing we do here is we register the output from the window main membership and the reason we do that is because what do you have to do a try to join a domain got a reboot right so we only do that when we need to though right so we want this to be idempotent we want to be able to rerun this over and over again I don't want to have to reboot the dumb machine every time I run the PlayBook like I don't need to do that that's not necessary so the window main membership module will tell us if we need to reboot or not so and so we just checked that we do a conditional win reboot and we only do it when we win reboot required is true so we're gonna run that joined domain playbook this one actually like I've had I've had it crap out on me a couple times because the domain controller VM kind of goes to sleep on me but usually it works pretty well so we noticed that our win DNS client reported a change because we were using whatever the conference Wi-Fi DNS was before so we've switched it now to a static DNS entry that says hey talk to the domain controller domain membership module came back and reported a change because we had to join the domain and now that we can see 
that the win reboot task is running so notice that my remote desktop window went away there so as soon as this comes back okay it's finished so my win reboot reported a change because it rebooted and playbooks done so if I come and connect back to my Windows machine now we can see that it has joined the domain so by looking at this we can see that we are now a member of the ansible vagrant domain just as we asked it to be and the machine came back now the cool thing about this again because this is idempotent right so I should be able to run this again and have it report no changes because it's already in the right state so the DNS servers already pointed the right place we're already a member of the domain so and since the we win reboot task was conditional on the output of that module telling us we needed to reboot which we don't it was skipped so completely idempotent very nice and easy ways to deal with getting machines on and off a domain ACLs so Windows ACLs are kind of the stuff of nightmares although SELinux is right behind it so it's a-you know they're they're a little more granular in general than Linux permissions like everything in Windows is secured by an ACL you know whether you knew it or not like it's not just the file system like services system objects like all these things have ACLs on them and usually they're just kind of set for the administrator group but you can do whatever you want with them show of hands in the room who has written s DDL masochists masochists I tell you okay so this this is STD oh this this is not this is not a human readable format don't don't do this like this is you know this is this is Assyria this is serialization of a binary format that you don't have to care about this was this is much nicer so this is this is a couple these are a couple of the ansible modules that can that can manage ACLs so Wynn owner very simple we're just saying like you know I've got this directory called some apps on a program some app on her 
Program Files I want the administrator to be the owner and I want you to recurse through the entire structure and make administrator the owner of everything underneath it nice and simple you know you could do the same thing with cackles or whatever but it wouldn't be idempotent it's gonna run through and like and do that whole thing every time this this is a little a little snappier once it's already in the right state now same thing when ACL we're saying okay see temp I want to add these right I'm gonna add the read execute write and delete rights for the users group and I want those to be inherited by both the containers and the individual things down underneath there this is a whole lot simpler than that in my mind that's a whole lot it's a lot more readable and it really follows the ansible philosophy of human readable playbooks right like that's pretty self-explanatory you can see what's going on and you know anybody can look at that and see what's happening and that's that's really the goal there whether it's Linux whether it's a network device whether it's Windows anything that that that underlying philosophy of like human readable I think we've achieved it here so I promise you guys a poem so let's I'll give you my version of cats poem to Patrick about how she feels and this is you know how you might feel about about Windows after learning to use ansible with it I hate that you're not SSH and the shell that you call power I hate the way you install your apps Windows Update makes me glower I hate the way you must reboot and your web server is I hate your complex registry it always is a mess I hate your janky services and your stupid domain auth and managing your ACLs is sure to leave me Roth I hate that you're not Linux that I have to learn you at all but with ansible on my tool belt I don't hate you not even close not even a little bit not even at all [Applause]
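The join-domain playbook the talk walks through (DNS pointed at the domain controller, win_domain_membership with its result registered, and a conditional win_reboot), reconstructed here as an added example rather than the slide from the talk. The domain name and hostname follow the talk; the domain controller address, the inventory group and the vault-backed variable names are assumptions, and the credentials are read from variables instead of being written in plain text as the demo did.

```yaml
# Added example, not the playbook shown in the talk.
# Assumed: a 'windows' inventory group, a DC at 192.168.56.10 (constructed),
# and dc_admin_user / dc_admin_password supplied from group_vars encrypted
# with ansible-vault rather than typed into the play.
- name: Join ansible.vagrant and reboot only when the join requires it
  hosts: windows
  gather_facts: no
  tasks:
    - name: Use the domain controller as DNS so the domain can be located
      win_dns_client:
        adapter_names: '*'          # all adapters on the host
        ipv4_addresses:
          - 192.168.56.10           # constructed DC address

    - name: Ensure the host is a member of the domain
      win_domain_membership:
        dns_domain_name: ansible.vagrant
        hostname: newhost3
        domain_admin_user: "{{ dc_admin_user }}"          # assumed vault var
        domain_admin_password: "{{ dc_admin_password }}"  # assumed vault var
        state: domain               # 'workgroup' (+ workgroup_name) leaves the domain
      register: domain_state        # carries reboot_required

    - name: Reboot only if membership actually changed
      win_reboot:
      when: domain_state.reboot_required
```

On a second run the first two tasks report ok and the reboot task is skipped, which is the idempotent behaviour the demo shows.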
Info
Channel: Red Hat Summit
Views: 76,429
Rating: 4.9329805 out of 5
Id: FEdXUv02Dbg
Length: 41min 38sec (2498 seconds)
Published: Thu May 10 2018