Using Ansible to execute Powershell DSC

Question

My end goal is to configure AdcsCertificationAuthority on a Server 2016 Server using Ansible.

- name: Install ADCS with sub features and management tools
  win_feature:
    name: Adcs-Cert-Authority
    state: present
    include_management_tools: yes
  register: win_feature

- name: reboot if installing Adcs-Cert-Authority feature requires it
  win_reboot:
  when: win_feature.reboot_required

- name: Add ActiveDirectoryCSDsc
  win_psmodule:
    name: ActiveDirectoryCSDsc
    state: present

- name: Configure AdcsCertificationAuthority Powershell DSC
  win_dsc:
    resource_name: AdcsCertificationAuthority
    IsSingleInstance: 'Yes'
    CAType: 'EnterpriseRootCA'
    CryptoProviderName: 'RSA#Microsoft Software Key Storage Provider'
    KeyLength: 2048
    HashAlgorithmName: 'SHA256'
    ValidityPeriod: 'Years'
    ValidityPeriodUnits: 99
    PsDscRunAsCredential_username: ' {{ ansible_user }}'
    PsDscRunAsCredentual_password: '{{ ansible_password }}'

The DSC portion fails, but I am not sure how to determine where the error is coming from, and what it means.

TASK [internal/qa_env_dc : Configure AdcsCertificationAuthority Powershell DSC] *************************************************************************************************************************************************************
fatal: [10.0.136.5]: FAILED! => {"changed": false, "module_stderr": "Exception calling \"Run\" with \"1\" argument(s): \"Exception calling \"Invoke\" with \"0\" argument(s): \"The running command \r\nstopped because the preference variable \"ErrorActionPreference\" or common parameter is set to Stop: Cannot bind \r\nargument to parameter 'String' because it is null.\"\"\r\nAt line:65 char:5\r\n+     $output = $entrypoint.Run($payload)\r\n+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordException\r\n    + FullyQualifiedErrorId : ScriptMethodRuntimeException\r\n \r\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}

I'm essentially trying to re-create what I have been doing directly with PowerShell.

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 99 -Credential $mycreds -Force:$true

My ansible_user and ansible_password are for the Domain Administrator account, so I believe my permissions should be OK.

The GitHub repo for the DSC module I'm using doesn't really pertain to Ansible directly, so there isn't anything there that would help, but it is where I'm getting the parameters.

https://github.com/PowerShell/ActiveDirectoryCSDsc

I'm also attempting to copy my deployment from the Ansible examples.

https://docs.ansible.com/ansible/2.5/modules/win_dsc_module.html

Recommended answer

Ansible will not help you in this situation, unfortunately.

The best way to go is to debug the DSC part separately, with the same parameters. In this case, it kind of sucks because this is a big ask. If it succeeds, you're going to have your CA set up. If you can, deploy a test environment that you can keep tearing down and bringing up, for sanity's sake.

If you're lucky you'll find the problem in the Test method that doesn't change anything.

First step, go onto the host that you are running win_dsc against. Open PowerShell.

Create a [hashtable] that contains all of the parameters to your DSC module, so something like this:

if (-not $cred) {
    $cred = Get-Credential # maybe just run this once in your session?
}

$params = @{
    IsSingleInstance = 'Yes'
    CAType = 'EnterpriseRootCA'
    CryptoProviderName = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength = 2048
    HashAlgorithmName = 'SHA256'
    ValidityPeriod = 'Years'
    ValidityPeriodUnits = 99
    PsDscRunAsCredential = $cred
}

Next, invoke the DSC resource directly, let's use the Test method:

Invoke-DscResource -Name AdcsCertificationAuthority -ModuleName ActiveDirectoryCSDsc -Property $params -Verbose -Method Test

See what it spits out. It will probably fail with a similar error. Hope that it does. If it doesn't, try the Get method in case Set uses it but Test doesn't. It's unlikely, but you want to avoid Set if possible.

If all that runs smoothly, run with method Set. If it succeeds, go back to ansible and figure out what's different (does the user ansible is authenticating as have permission to invoke DSC?).

If you get a failure at any point and want to dig deeper, you can debug the actual DSC invocation. It's a little convoluted.

First, Enable-DscDebug -BreakAll.

Next, open a separate PowerShell ISE window (this is my preference, makes things easier). Then, re-run the Invoke-DscResource command you did before, in the same original window (not the new ISE window).

It will break, and it will give you a series of commands to run to connect to the debug session. The list will include Enter-PSHostProcess. Run those commands in the terminal in the ISE window.

You'll be entered into the running DSC process, and you will see the source code of the module and be able to step through it and figure out what's going wrong.

At this point, you may find that a parameter you passed is not quite right, and that you can fix the invocation by tweaking it. That's good.

You may find there's a bug in the module, in which case you can report it or even offer a fix with a pull request; this will take time.

In the meantime, you can clone the module yourself and distribute it to your servers with a quick fix that wouldn't meet the requirements for a PR.

There's a lot of possibilities here but if you find the actual error it may warrant a new question as to how to deal with that specific problem.

I've found that during the debug process, about half the time connecting to the session leads to a completely stuck debug session that doesn't work. In that case, use the PID they gave you and kill the process. You may have to do this between runs anyway, don't be afraid of it.

And finally, before attempting to use DSC again (like from Ansible), don't forget to disable debugging!

Disable-DscDebug

(strongly encourage you to kill the process after disabling the debugging as well)
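
The following PowerShell is an added example, not part of the original answer and not code from the ActiveDirectoryCSDsc project. It compares the key names of a win_dsc task with the properties the resource declares, and wraps the Test call from the answer so that every nested exception is printed; the function names Get-UnknownDscProperty and Invoke-DscTestVerbose are hypothetical, and the module is assumed to be installed on the host.

```powershell
# Added example; helper names are hypothetical, not part of any module.
function Get-UnknownDscProperty {
    param(
        [Parameter(Mandatory)] [string]   $ResourceName,
        [Parameter(Mandatory)] [string]   $ModuleName,
        [Parameter(Mandatory)] [string[]] $Key
    )
    $declared = (Get-DscResource -Name $ResourceName -Module $ModuleName).Properties.Name
    # Common properties handled by DSC itself rather than by the resource.
    $known = $declared + 'PsDscRunAsCredential', 'DependsOn'
    foreach ($k in $Key) {
        # win_dsc splits a credential property into <name>_username / <name>_password.
        $base = $k -replace '_(username|password)$', ''
        if ($known -notcontains $base) { $k }   # emit keys that match nothing
    }
}

function Invoke-DscTestVerbose {
    param(
        [Parameter(Mandatory)] [string]    $ResourceName,
        [Parameter(Mandatory)] [string]    $ModuleName,
        [Parameter(Mandatory)] [hashtable] $Property
    )
    try {
        Invoke-DscResource -Name $ResourceName -ModuleName $ModuleName `
            -Property $Property -Method Test -Verbose -ErrorAction Stop
    }
    catch {
        # Walk the wrapped exceptions from outermost to innermost.
        for ($e = $_.Exception; $e; $e = $e.InnerException) {
            Write-Warning ('{0}: {1}' -f $e.GetType().FullName, $e.Message)
        }
        Write-Warning ('Raised at: ' + $_.ScriptStackTrace)
    }
}

# Key names copied from the win_dsc task in the question.
$taskKeys = 'IsSingleInstance', 'CAType', 'CryptoProviderName', 'KeyLength',
            'HashAlgorithmName', 'ValidityPeriod', 'ValidityPeriodUnits',
            'PsDscRunAsCredential_username', 'PsDscRunAsCredentual_password'

$unknown = Get-UnknownDscProperty -ResourceName AdcsCertificationAuthority `
    -ModuleName ActiveDirectoryCSDsc -Key $taskKeys
if ($unknown) { Write-Warning "Not a property of the resource: $($unknown -join ', ')" }

# With $params built as in the answer:
# Invoke-DscTestVerbose -ResourceName AdcsCertificationAuthority -ModuleName ActiveDirectoryCSDsc -Property $params
```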
