\u6700\u8fd1\u6709\u673a\u4f1a\u4f7f\u7528 Ansible \u5e76\u89e6\u6478 Windows Server\uff0c\u6240\u4ee5\u4e3a\u4e86\u5907\u5fd8\u8d77\u89c1\uff0c\u6211\u51b3\u5b9a\u5199\u4e00\u7bc7\u6587\u7ae0\u3002\u5177\u4f53\u6765\u8bf4\uff0c\u6211\u5c06\u4f7f\u7528 Azure Cloudshell \u4e0a\u7684 Ansible \u901a\u8fc7 WinRM\uff08\u901a\u8fc7https\uff1a5986\u7aef\u53e3\uff09\u8fde\u63a5\u5230 Azure \u4e0a\u7684 Windows Server 2019\uff0c\u5e76\u4ecb\u7ecd\u5982\u4f55\u4f7f\u7528 win_shell \u6a21\u5757\u6267\u884c\u4e3b\u673a\u540d\u548c\u7b80\u5355\u7684 PowerShell\u3002\u6b64\u5916\uff0c\u6211\u5c06\u4f7f\u7528\u8bc1\u4e66\u4f5c\u4e3a WinRM \u7684\u8eab\u4efd\u9a8c\u8bc1\u65b9\u6cd5\u3002<\/p>\n
Windows (Windows Server 2019 Datacenter)
\n\u30d1\u30d6\u30ea\u30c3\u30af IP \u30a2\u30c9\u30ec\u30b9\u4ed8\u4e0e
\n\u30e6\u30fc\u30b6\u30fc\u306fazureuser\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u306fP@ssword1234<\/p>\n
Azure NSG\uff08 network security group \uff09\u306b\u3066 Ansible \u5b9f\u884c\u74b0\u5883\u3088\u308a\u3001\u5bfe\u8c61 VM \u3078 TCP\uff1a5986 \u306e\u63a5\u7d9a\u3092\u8a31\u53ef<\/p>\n
curl ifconfig.io \u7b49\u3067\u9001\u4fe1\u5143\u306e\u30b0\u30ed\u30fc\u30d0\u30eb IP \u3092\u53d6\u5f97\u3057\u3001\u4e8b\u524d\u306b\u63a5\u7d9a\u53ef\u80fd\u306a\u3088\u3046\u306b\u8a2d\u5b9a<\/p>\n
Ansible \u53ca\u3073 OpenSSL \u5b9f\u884c\u74b0\u5883\u306f\u3001Azure Cloudshell \u3092\u5229\u7528<\/p>\n
Ansible \u3084\u3001pywinrm \u7b49\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u306b\u3064\u3044\u3066\u306f\u3001\u3053\u306e\u8a18\u4e8b\u3067\u306f\u89e6\u308c\u307e\u305b\u3093
\nWinRM \u306e\u8a8d\u8a3c\u65b9\u6cd5\u3068\u3057\u3066\u3001Certificate \u3092\u5229\u7528<\/p>\n
$ <\/span>ansible --version<\/span>\r\nansible 2.10.2\r\n config file =<\/span> None\r\n configured module search path =<\/span> [<\/span>'\/home\/takuya\/.ansible\/plugins\/modules'<\/span>, '\/usr\/share\/ansible\/plugins\/modules'<\/span>]<\/span>\r\n ansible python module location =<\/span> \/opt\/ansible\/lib\/python3.7\/site-packages\/ansible\r\n executable location =<\/span> \/opt\/ansible\/bin\/ansible\r\n python version =<\/span> 3.7.3 (<\/span>default, Jul 25 2020, 13:03:44)<\/span> [<\/span>GCC 8.3.0]\r\n$ <\/span>\r\n$ <\/span>openssl version\r\nOpenSSL 1.1.1d 10 Sep 2019\r\n$ <\/span>\r\n<\/code><\/pre>\n3.\u9884\u5148\u51c6\u5907<\/h2>\n
\u5728\u4e8b\u524d\u51c6\u5907\u9636\u6bb5\uff0c\u6211\u4eec\u5c06\u8fdb\u884c\u4ee5\u4e0b\u64cd\u4f5c\u3002<\/p>\n
\u5728Windows Server\uff08\u53d7\u63a7\u865b\u64ec\u6a5f\uff09\u4e0a\u9032\u884c\u5404\u7a2e\u8a2d\u5b9a\uff0c\u4ee5\u5275\u5efa\u7528\u65bc\u5c07\u6191\u8b49\u6620\u5c04\u5230\u672c\u5730\u7528\u6236\u7684\u8a8d\u8b49\u8b49\u66f8\u3002<\/ol>\n3.1. \u521b\u5efa\u7528\u4e8e\u5c06\u8bc1\u4e66\u6620\u5c04\u5230\u672c\u5730\u7528\u6237\u7684\u8bc1\u660e\u4e66\uff0c\u4ee5\u8fdb\u884c\u8ba4\u8bc1\u3002<\/h3>\n
\u9996\u5148\uff0c\u5728Azure Cloud Shell\u4e2d\uff0c\u6839\u636eAnsible\u5b98\u65b9\u6587\u6863\u7684\u53c2\u8003\uff0c\u4f7f\u7528OpenSSL\u521b\u5efa\u7528\u4e8e\u8bc1\u4e66\u8ba4\u8bc1\u7684\u8bc1\u4e66\u5bf9\u3002<\/p>\n
\u8bf7\u6ce8\u610f\uff0c\u5728\u6620\u5c04\u76ee\u6807\u4e2d\u5c06\u7528\u6237\u540dazureuser\u66ff\u6362\u4e3a\u5b9e\u9645\u73af\u5883\u4e2d\u7684\u7528\u6237\u540d\u3002<\/div>\n# Set the name of the local user that will have the key mapped to\r\nUSERNAME=\"azureuser\"\r\n\r\ncat > openssl.conf << EOL\r\ndistinguished_name = req_distinguished_name\r\n[req_distinguished_name]\r\n[v3_req_client]\r\nextendedKeyUsage = clientAuth\r\nsubjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$USERNAME@localhost\r\nEOL\r\n\r\nexport OPENSSL_CONF=openssl.conf\r\nopenssl req -x509 -nodes -days 3650 -newkey rsa:2048 -out cert.pem -outform PEM -keyout cert_key.pem -subj \"\/CN=$USERNAME\" -extensions v3_req_client\r\nrm openssl.conf\r\n# \u8a3c\u660e\u66f8\u306e\u30da\u30a2(`cert_key.pem`,`cert.pem`)\u304c\u4f5c\u6210\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u8a8d\r\nls -altr\r\n# \u6b21\u306e Windows Server \u5074\u3067\u306e\u30de\u30c3\u30d4\u30f3\u30b0\u3067\u5229\u7528\u3059\u308b\u305f\u3081\u3001pem \u30d5\u30a1\u30a4\u30eb\u3092ZIP\u3067\u5727\u7e2e\u3057\u3066\u3001Cloudshell \u304b\u3089\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3066\u304a\u304f\r\nzip pem.zip *.pem\r\n<\/code><\/pre>\n$ USERNAME<\/span>=<\/span>\"azureuser\"<\/span>\r\n$ <\/span>\r\n$ <\/span>cat<\/span> ><\/span> openssl.conf <<<\/span> EOL<\/span>\r\n> distinguished_name = req_distinguished_name\r\n> [req_distinguished_name]\r\n> [v3_req_client]\r\n> extendedKeyUsage = clientAuth\r\n> subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:<\/span>$USERNAME<\/span>@localhost\r\n> EOL\r\n<\/span>$ <\/span>\r\n$ <\/span>export OPENSSL_CONF=openssl.conf\r\ntakuya@Azure:~\/wwwwork<\/span>$ <\/span>openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -out cert.pem -outform PEM -keyout cert_key.pem -subj \"\/CN=<\/span>$USERNAME<\/span>\" -extensions v3_req_client\r\nGenerating a RSA private key\r\n...............+++++\r\n............+++++\r\nwriting new private key to 'cert_key.pem'\r\n-----\r\n<\/span>$ <\/span>rm openssl.conf\r\n<\/span>$ <\/span>ls -altr\r\ntotal 16\r\ndrwxr-xr-x 39 takuya takuya 4096 Mar 16 03:29 ..\r\n-rw-r--r-- 1 takuya takuya 1099 Mar 16 03:38 cert.pem\r\n-rw------- 1 takuya takuya 1708 Mar 16 03:38 cert_key.pem\r\ndrwxr-xr-x 2 takuya takuya 4096 Mar 16 03:38 .\r\n<\/span>$ <\/span>zip pem.zip *.pem\r\n adding: cert_key.pem (deflated 23%)\r\n adding: cert.pem (deflated 25%)\r\n$\r\n<\/span><\/code><\/pre>\n3.2 \u5728 Windows Server\uff08\u53d7\u63a7\u5236\u7684\u865a\u62df\u673a\uff09\u4e0a\u8fdb\u884c\u5404\u79cd\u8bbe\u7f6e\u3002<\/h3>\n
\u4e0b\u4e00\u6b65\uff0c\u60a8\u53ef\u4ee5\u4f7f\u7528RDP\u7b49\u65b9\u5f0f\uff0c\u8fde\u63a5\u5230Azure\u4e0a\u7684Windows Server\uff0c\u5e76\u8fdb\u884c\u4ee5\u4e0b\u8bbe\u7f6e\u3002<\/p>\n
\n- \n
\u542f\u7528WinRM<\/ol>\n<\/li>\n<\/ol>\n <\/p>\n
\n- \n
\u5173\u8054\u8bc1\u4e66\u548c\u672c\u5730\u8d26\u6237<\/ol>\n<\/li>\n<\/ol>\n <\/p>\n
\u542f\u7528WinRM\u7684\u8bc1\u4e66\u8ba4\u8bc1<\/ol>\n3.2.1. \u6fc0\u6d3bWinRM\u7b49<\/h4>\n
\u6839\u636e Ansible \u5b98\u65b9\u6587\u6863\uff0c\u5728 Windows Server \u4e0a\u7684 Powershell\uff08\u4ee5\u4e0b\u7b80\u79f0 Powershell\uff0c\u5fc5\u987b\u4ee5\u7ba1\u7406\u5458\u6a21\u5f0f\u8fd0\u884c\uff09\u4e2d\u8fd0\u884c ConfigureRemotingForAnsible.ps1\uff0c\u4ee5\u4f7f\u5176\u80fd\u901a\u8fc7 https\uff08\u7aef\u53e3\uff1a5896\uff09\u8fdb\u884c WinRM \u8fde\u63a5\u53ef\u7528\u3002<\/p>\n
$url<\/span> =<\/span> \"https:\/\/raw.githubusercontent.com\/ansible\/ansible\/devel\/examples\/scripts\/ConfigureRemotingForAnsible.ps1\"<\/span>\r\n$file<\/span> =<\/span> \"<\/span>$<\/span>env<\/span>:<\/span>temp<\/span>\\ConfigureRemotingForAnsible.ps1\"<\/span>\r\n\r\n(<\/span>New-Object<\/span> -TypeName<\/span> System.Net.WebClient<\/span>)<\/span>.<\/span>DownloadFile<\/span>(<\/span>$url<\/span>,<\/span> $file<\/span>)<\/span>\r\n\r\npowershell.exe<\/span> -ExecutionPolicy<\/span> ByPass<\/span> -File<\/span> $file<\/span>\r\n\r\nwinrm<\/span> enumerate<\/span> winrm\/config\/Listener<\/span>\r\n<\/code><\/pre>\n3.2.2. \u8bc1\u660e\u4e66\u4e0e\u672c\u5730\u8d26\u6237\u7684\u5173\u8054<\/h4>\n
\u63a5\u4e0b\u6765\uff0c\u5c06\u5df2\u521b\u5efa\u7684\u8bc1\u4e66\u914d\u5bf9 ZIP \u6587\u4ef6pem.zip\u4e0a\u4f20\u81f3Windows Server\uff0c\u5e76\u5728\u684c\u9762\u4e0a\u89e3\u538bZIP\u6587\u4ef6\u3002<\/p>\n
C:\\Users\\azureuser\\Desktop\\pem\\\u3078\u8a3c\u660e\u66f8\u306e\u30da\u30a2(cert_key.pem,cert.pem)\u3092\u914d\u7f6e<\/p>\n
\u63a5\u4e0b\u6765\uff0c\u8fd0\u884c\u4ee5\u4e0b PowerShell \u547d\u4ee4\uff0c\u5bf9\u8bc1\u4e66\u5bf9\u8fdb\u884c\u5bfc\u5165\uff0c\u5e76\u8fdb\u884c\u4e0e\u672c\u5730\u5e10\u6237\u7684\u6620\u5c04\u3002\uff08Ansible \u5b98\u65b9\u6587\u6863\uff09<\/p>\n
\u8bf7\u66ff\u6362\u76ee\u6807\u6620\u5c04\u7528\u6237\u540dazureuser\u548c\u5bc6\u7801P@ssword1234\u4e3a\u5b9e\u9645\u73af\u5883\u4e2d\u7684\u51ed\u8bc1\u3002<\/div>\n$cert<\/span> =<\/span> New-Object<\/span> -TypeName<\/span> System.Security.Cryptography.X509Certificates.X509Certificate2<\/span>\r\n$cert<\/span>.<\/span>Import<\/span>(<\/span>\"C:\\Users\\azureuser\\Desktop\\pem\\cert.pem\"<\/span>)<\/span>\r\n$store_name<\/span> =<\/span> [<\/span>System.Security.Cryptography.X509Certificates.StoreName<\/span>]::<\/span>Root<\/span>\r\n$store_location<\/span> =<\/span> [<\/span>System.Security.Cryptography.X509Certificates.StoreLocation<\/span>]::<\/span>LocalMachine<\/span>\r\n$store<\/span> =<\/span> New-Object<\/span> -TypeName<\/span> System.Security.Cryptography.X509Certificates.X509Store<\/span> -ArgumentList<\/span> $store_name<\/span>,<\/span> $store_location<\/span>\r\n$store<\/span>.<\/span>Open<\/span>(<\/span>\"MaxAllowed\"<\/span>)<\/span>\r\n$store<\/span>.<\/span>Add<\/span>(<\/span>$cert<\/span>)<\/span>\r\n$store<\/span>.<\/span>Close<\/span>()<\/span>\r\n\r\n$cert<\/span> =<\/span> New-Object<\/span> -TypeName<\/span> System.Security.Cryptography.X509Certificates.X509Certificate2<\/span>\r\n$cert<\/span>.<\/span>Import<\/span>(<\/span>\"C:\\Users\\azureuser\\Desktop\\pem\\cert.pem\"<\/span>)<\/span>\r\n$store_name<\/span> =<\/span> [<\/span>System.Security.Cryptography.X509Certificates.StoreName<\/span>]::<\/span>TrustedPeople<\/span>\r\n$store_location<\/span> =<\/span> [<\/span>System.Security.Cryptography.X509Certificates.StoreLocation<\/span>]::<\/span>LocalMachine<\/span>\r\n$store<\/span> =<\/span> New-Object<\/span> -TypeName<\/span> System.Security.Cryptography.X509Certificates.X509Store<\/span> -ArgumentList<\/span> $store_name<\/span>,<\/span> $store_location<\/span>\r\n$store<\/span>.<\/span>Open<\/span>(<\/span>\"MaxAllowed\"<\/span>)<\/span>\r\n$store<\/span>.<\/span>Add<\/span>(<\/span>$cert<\/span>)<\/span>\r\n$store<\/span>.<\/span>Close<\/span>()<\/span>\r\n\r\n$username<\/span> =<\/span> \"azureuser\"<\/span>\r\n$password<\/span> =<\/span> ConvertTo-SecureString<\/span> -String<\/span> \"P@ssword1234\"<\/span> -AsPlainText<\/span> -Force<\/span>\r\n$credential<\/span> =<\/span> New-Object<\/span> -TypeName<\/span> System.Management.Automation.PSCredential<\/span> -ArgumentList<\/span> $username<\/span>,<\/span> $password<\/span>\r\n\r\n$thumbprint<\/span> =<\/span> (<\/span>Get-ChildItem<\/span> -Path<\/span> cert:\\LocalMachine\\root<\/span> |<\/span> Where-Object<\/span> {<\/span> $_<\/span>.<\/span>Subject<\/span> -eq<\/span> \"CN=<\/span>$username<\/span>\"<\/span> })<\/span>.<\/span>Thumbprint<\/span>\r\nNew-Item<\/span> -Path<\/span> WSMan:\\localhost\\ClientCertificate<\/span> `\r\n<\/span> -Subject<\/span> \"<\/span>$username<\/span>@localhost\"<\/span> `\r\n<\/span> -URI<\/span> *<\/span> `\r\n<\/span> -Issuer<\/span> $thumbprint<\/span> `\r\n<\/span> -Credential<\/span> $credential<\/span> `\r\n<\/span> -Force<\/span>\r\n<\/code><\/pre>\n