Using Ansible to execute Powershell DSC


Question

My end goal is to configure AdcsCertificationAuthority on a Server 2016 server using Ansible.

- name: Install ADCS with sub features and management tools
  win_feature:
    name: Adcs-Cert-Authority
    state: present
    include_management_tools: yes
  register: win_feature

- name: reboot if installing Adcs-Cert-Authority feature requires it
  win_reboot:
  when: win_feature.reboot_required

- name: Add ActiveDirectoryCSDsc
  win_psmodule:
    name: ActiveDirectoryCSDsc
    state: present

- name: Configure AdcsCertificationAuthority Powershell DSC
  win_dsc:
    resource_name: AdcsCertificationAuthority
    IsSingleInstance: 'Yes'
    CAType: 'EnterpriseRootCA'
    CryptoProviderName: 'RSA#Microsoft Software Key Storage Provider'
    KeyLength: 2048
    HashAlgorithmName: 'SHA256'
    ValidityPeriod: 'Years'
    ValidityPeriodUnits: 99
    # Both keys must be spelled PsDscRunAsCredential_<field> (the posted task had
    # 'Credentual' in the password key and a leading space inside the user name value).
    PsDscRunAsCredential_username: '{{ ansible_user }}'
    PsDscRunAsCredential_password: '{{ ansible_password }}'

The DSC portion fails, but I am not sure how to determine where the error is coming from, and what it means.

TASK [internal/qa_env_dc : Configure AdcsCertificationAuthority Powershell DSC] *************************************************************************************************************************************************************
fatal: [10.0.136.5]: FAILED! => {"changed": false, "module_stderr": "Exception calling \"Run\" with \"1\" argument(s): \"Exception calling \"Invoke\" with \"0\" argument(s): \"The running command \r\nstopped because the preference variable \"ErrorActionPreference\" or common parameter is set to Stop: Cannot bind \r\nargument to parameter 'String' because it is null.\"\"\r\nAt line:65 char:5\r\n+     $output = $entrypoint.Run($payload)\r\n+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordException\r\n    + FullyQualifiedErrorId : ScriptMethodRuntimeException\r\n \r\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}

I'm essentially trying to re-create what I have been doing directly with PowerShell.

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 99 -Credential $mycreds -Force:$true

My ansible_user and ansible_password are for the Domain Administrator account, so I believe my permissions should be OK.

The GitHub repo for the DSC module I'm using doesn't really pertain to Ansible directly, so there isn't anything there that would help, but it is where I'm getting the parameters.

https://github.com/PowerShell/ActiveDirectoryCSDsc

I'm also attempting to copy my deployment from the Ansible examples.

https://docs.ansible.com/ansible/2.5/modules/win_dsc_module.html

Answer

Ansible will not help you in this situation, unfortunately.

The best way to go is to debug the DSC part separately, with the same parameters. In this case, it kind of sucks because this is a big ask. If it succeeds, you're going to have your CA set up. If you can, deploy a test environment that you can keep tearing down and bringing up, for sanity's sake.

If you're lucky you'll find the problem in the Test method that doesn't change anything.

First step, go onto the host that you are running win_dsc against. Open PowerShell.

Create a [hashtable] that contains all of the parameters to your DSC module, so something like this:

if (-not $cred) {
    $cred = Get-Credential # maybe just run this once in your session?
}

$params = @{
    IsSingleInstance = 'Yes'   # the resource declares this as a String with the single allowed value 'Yes', not a Boolean
    CAType = 'EnterpriseRootCA'
    CryptoProviderName = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength = 2048
    HashAlgorithmName = 'SHA256'
    ValidityPeriod = 'Years'
    ValidityPeriodUnits = 99
    PsDscRunAsCredential = $cred
}

Next, invoke the DSC resource directly, let's use the Test method:

Invoke-DscResource -Name AdcsCertificationAuthority -ModuleName ActiveDirectoryCSDsc -Property $params -Verbose -Method Test

See what it spits out. It will probably fail with a similar error. Hope that it does. If it doesn't, try the Get method in case Set uses it but Test doesn't. It's unlikely, but you want to avoid Set if possible.

If all that runs smoothly, run with method Set. If it succeeds, go back to ansible and figure out what's different (does the user ansible is authenticating as have permission to invoke DSC?).

If you get a failure at any point and want to dig deeper, you can debug the actual DSC invocation. It's a little convoluted.

First, Enable-DscDebug -BreakAll.

Next, open a separate PowerShell ISE window (this is my preference, makes things easier). Then, re-run the Invoke-DscResource command you did before, in the same original window (not the new ISE window).

It will break, and it will give you a series of commands to run to connect to the debug session. The list will include Enter-PSHostProcess. Run those commands in the terminal in the ISE window.

You'll be entered into the running DSC process, and you will see the source code of the module and be able to step through it and figure out what's going wrong.

At this point, you may find that a parameter you passed is not quite right, and that you can fix the invocation by tweaking it. That's good.

You may find there's a bug in the module, in which case you can report it or even offer a fix with a pull request; this will take time.

In the meantime, you can clone the module yourself and distribute it to your servers with a quick fix that wouldn't meet the requirements for a PR.

There's a lot of possibilities here but if you find the actual error it may warrant a new question as to how to deal with that specific problem.

I've found that during the debug process, about half the time connecting to the session leads to a complete stuck debug session that doesn't work. In that case, use the PID they gave you and kill the process. You may have to do this between runs anyway, don't be afraid of it.

And finally, before attempting to use DSC again (like from Ansible), don't forget to disable debugging!

Disable-DscDebug

(strongly encourage you to kill the process after disabling the debugging as well)
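The Test, Get, Set procedure from the answer, put together as one script that can be run on the target host before involving Ansible again. This is an added example, not code from the question, the answer, or the ActiveDirectoryCSDsc project. It assumes the module is already installed, an elevated PowerShell session on the target, and the same property values the question uses. The two pre-invocation checks (no null or blank values, no property names the resource does not declare) are the added part: a null value bound to a String parameter inside the resource is the kind of mistake that surfaces from DSC as the "Cannot bind argument to parameter 'String' because it is null" error in the question, and it is cheaper to catch on the way in. Set only runs when -Apply is given, since the answer recommends avoiding it until Test and Get behave.

```powershell
#Requires -RunAsAdministrator
# Added example; not part of the original question or answer.
[CmdletBinding()]
param(
    [pscredential]$Credential = (Get-Credential -Message 'Account to use as PsDscRunAsCredential'),
    [switch]$Apply   # only invoke the Set method when explicitly asked
)

$ErrorActionPreference = 'Stop'

# Resource identity, splatted into every Invoke-DscResource call below.
$resource = @{
    Name       = 'AdcsCertificationAuthority'
    ModuleName = 'ActiveDirectoryCSDsc'
}

# Same properties as the question's win_dsc task.
$params = @{
    IsSingleInstance     = 'Yes'    # declared as a String by the resource, not a Boolean
    CAType               = 'EnterpriseRootCA'
    CryptoProviderName   = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength            = 2048
    HashAlgorithmName    = 'SHA256'
    ValidityPeriod       = 'Years'
    ValidityPeriodUnits  = 99
    PsDscRunAsCredential = $Credential
}

# Check 1: refuse null or blank values before DSC tries to bind them.
foreach ($entry in $params.GetEnumerator()) {
    $v = $entry.Value
    if ($null -eq $v -or ($v -is [string] -and [string]::IsNullOrWhiteSpace($v))) {
        throw "Property '$($entry.Key)' is null or empty"
    }
}
# A leading/trailing space in the user name (as in the question's YAML) is easy to miss.
if ($Credential.UserName -ne $Credential.UserName.Trim()) {
    throw "Credential user name has surrounding whitespace: '$($Credential.UserName)'"
}

# Check 2: every key we pass must be a property the resource actually declares.
$schema  = Get-DscResource -Name $resource.Name -Module $resource.ModuleName
$known   = @($schema.Properties.Name)
$unknown = @($params.Keys | Where-Object { $_ -ne 'PsDscRunAsCredential' -and $_ -notin $known })
if ($unknown.Count -gt 0) {
    throw "Properties not declared by $($resource.Name): $($unknown -join ', ')"
}

Write-Host '== Test =='
$test = Invoke-DscResource @resource -Property $params -Method Test -Verbose
"InDesiredState: $($test.InDesiredState)"

Write-Host '== Get =='
Invoke-DscResource @resource -Property $params -Method Get -Verbose | Format-List

if ($test.InDesiredState) { 'Already in the desired state; nothing to set.'; return }
if (-not $Apply)          { 'Test and Get ran. Re-run with -Apply to invoke the Set method.'; return }

Write-Host '== Set =='
$set = Invoke-DscResource @resource -Property $params -Method Set -Verbose
"RebootRequired: $($set.RebootRequired)"
```

Run it once without -Apply to see what Test and Get report; if both succeed but the Ansible task still fails, the difference is on the Ansible side (the credential key names in the task, or the account Ansible connects as), which is where the answer says to look next.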
