Ansible使用PsExec远程控制Windows
概要
- 无需设置 WinRM 即可从 Linux 主机向 Windows 主机运行远程命令。
- 可以在 Ansible 控制器上运行,以引导 Windows 主机,使其为 WinRM 做好准备。
ansible控制端环境
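# Kerberos headers and client tools needed to build the kerberos extra below.
yum install krb5-devel krb5-workstation
# Quote the extras spec: unquoted, [kerberos] is a shell glob pattern
# (zsh aborts with "no matches found"; bash may expand it against local files).
pip install pypsexec 'smbprotocol[kerberos]'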
/etc/ansible/ansible.cfg
[defaults]
# Turns off SSH host key verification for the SSH connections Ansible makes.
# The psexec tasks on this page run over SMB and are not affected by it, but
# once the hosts are managed over OpenSSH a spoofed host would go undetected.
host_key_checking=False
/etc/ansible/hosts
[win]
192.168.32.20
[win:vars]
ansible_user=administrator
# NOTE(review): plaintext administrator password in the inventory; anyone who
# can read /etc/ansible/hosts obtains it. Keep it in an Ansible Vault-encrypted
# vars file (or supply it at run time) rather than in this file.
ansible_password=123456
# Custom variable read by the playbooks' `encrypt` expression;
# the value win7 switches SMB encryption off for the psexec connection.
system=win7
被控windows
必须在防火墙中放行 445 端口(入站规则名称:Netlogon 服务 (NP-In))。建议只对 Ansible 控制端的地址放行,不要向整个网络开放 SMB。
playbook
配置winrm
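---
# Bootstrap WinRM on the Windows hosts through SMB/PsExec.
# Facts are not gathered; the only task runs on the controller via local_action.
- hosts: win
  gather_facts: false
  tasks:
    - name: config winrm
      local_action:
        module: community.windows.psexec
        hostname: '{{ hostvars[inventory_hostname]["ansible_host"] | default(inventory_hostname) }}'
        connection_username: '{{ ansible_user }}'
        connection_password: '{{ ansible_password }}'
        # Win7 has no SMB 3 encryption, so this is 'false' there: the command,
        # its stdin and its output then cross the network unencrypted.
        encrypt: "{{ 'false' if system == 'win7' else 'true' }}"
        executable: powershell.exe
        # '-' makes powershell.exe read its commands from stdin.
        arguments: '-'
        # Prerequisites (from the in-script notes): the Windows account has a
        # password set and the network location is not "Public". Listener state
        # can be checked with: winrm enumerate winrm/config/listener
        #
        # NOTE(review): Basic="true" plus AllowUnencrypted="true" lets WinRM
        # accept Basic authentication over plain HTTP, i.e. the credentials are
        # only base64-encoded on the wire. Use this for bootstrap on a trusted
        # segment only; afterwards prefer an HTTPS listener, or NTLM/Kerberos
        # (which encrypt the message body), and set both options back to false.
        stdin: |
          #提前设置系统密码,修改网络位置不要选择公用网络
          #查看winrm启动状态 winrm enumerate winrm/config/listener
          winrm quickconfig -quiet -force
          winrm set winrm/config/service/auth '@{Basic="true"}'
          winrm set winrm/config/service '@{AllowUnencrypted="true"}'
          exit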
更新powershell(ansible后续通过winrm或openssh控制windows必须升级)
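---
# Install .NET 4.6.1 and then PowerShell 5.1 (KB3191566) through SMB/PsExec.
# Both tasks run on the controller via local_action and pipe a PowerShell
# script to powershell.exe over stdin.
- hosts: win
  gather_facts: false
  vars:
    # NOTE(review): the installers are fetched over plain HTTP and executed
    # with the administrator account without any integrity check. Serve them
    # over HTTPS and/or compare each file's SHA-256 with a known-good value
    # (e.g. `certutil -hashfile <file> SHA256`) before running it.
    fileurl: 'http://192.168.8.192:8888'
  tasks:
    - name: install .NET 4.6.1
      register: install_net_result
      local_action:
        module: community.windows.psexec
        hostname: '{{ hostvars[inventory_hostname]["ansible_host"] | default(inventory_hostname) }}'
        connection_username: '{{ ansible_user }}'
        connection_password: '{{ ansible_password }}'
        # Win7 must use false (no SMB encryption): the script and its output
        # are then sent unencrypted.
        encrypt: "{{ 'false' if system == 'win7' else 'true' }}"
        executable: powershell.exe
        arguments: '-'
        # NOTE(review): the script ends with a bare `exit` and Start-Process is
        # used without -PassThru, so rc appears to reflect only the download
        # check, not the installer's own exit code -- confirm before relying
        # on `install_net_result.rc == 0` below.
        stdin: |
          $url = "{{ fileurl }}/NDP461-KB3102436-x86-x64-AllOS-ENU.exe"
          $file = "$env:temp\NDP461-KB3102436-x86-x64-AllOS-ENU.exe"
          (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
          if (-not (Test-Path -Path $file)) {echo "download $url failed";exit 1}
          Start-Process -FilePath $file -ArgumentList "/q /norestart" -Wait
          exit

    - name: install PowerShell 5.1
      # Win7 restriction on installing updates remotely:
      # https://learn.microsoft.com/zh-cn/troubleshoot/windows-server/installing-updates-features-roles/windows-update-standalone-installer-returns-error
      # The .msu is therefore extracted and its .cab files are added with dism.
      register: install_powershell_result
      when: install_net_result.rc == 0
      local_action:
        module: community.windows.psexec
        hostname: '{{ hostvars[inventory_hostname]["ansible_host"] | default(inventory_hostname) }}'
        connection_username: '{{ ansible_user }}'
        connection_password: '{{ ansible_password }}'
        encrypt: "{{ 'false' if system == 'win7' else 'true' }}"
        executable: powershell.exe
        arguments: '-'
        # The foreach stays on one line because the script is read from stdin.
        # $f.FullName is used so the package path does not depend on how a
        # FileInfo object happens to be rendered inside a string.
        stdin: |
          $url = "{{ fileurl }}/Win7AndW2K8R2-KB3191566-x64.msu"
          $file = "$env:temp\Win7AndW2K8R2-KB3191566-x64.msu"
          $extpath = "$env:temp\Win7AndW2K8R2-KB3191566"
          (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
          if (-not (Test-Path -Path $file)) {echo "download $url failed";exit 1}
          Start-Process -FilePath $file -ArgumentList "/extract:$extpath" -Wait
          $cabfiles = Get-ChildItem -Path "$extpath" -Filter "*.cab"
          foreach($f in $cabfiles){Start-Process -FilePath "dism.exe" -ArgumentList "/online /add-package /PackagePath:$($f.FullName) /IgnoreCheck /quiet /norestart" -Wait}
          Restart-Computer -Force
          exit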
安装openssh(win10系统以上可以在系统设置功能里直接启用)
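---
# Download, install and start Win32-OpenSSH through SMB/PsExec.
# Every task runs on the controller via local_action.
- hosts: win
  gather_facts: false
  vars:
    # NOTE(review): the archive is fetched over plain HTTP with no integrity
    # check, and a script from it is later run with -ExecutionPolicy Bypass
    # under the administrator account. Serve it over HTTPS and/or verify its
    # SHA-256 against the value published for the release before unpacking.
    fileurl: 'http://192.168.8.192:8888'
  tasks:
    - name: download Win32-OpenSSH
      local_action:
        module: community.windows.psexec
        hostname: '{{ hostvars[inventory_hostname]["ansible_host"] | default(inventory_hostname) }}'
        connection_username: '{{ ansible_user }}'
        connection_password: '{{ ansible_password }}'
        # 'false' on Win7 means the SMB channel is not encrypted.
        encrypt: "{{ 'false' if system == 'win7' else 'true' }}"
        executable: powershell.exe
        # '-' makes powershell.exe read its commands from stdin.
        arguments: '-'
        # Downloads the zip to %TEMP% and copies its contents into
        # C:\Program Files using the Shell.Application COM object.
        stdin: |
          $url = "{{ fileurl }}/OpenSSH-Win64.zip"
          $file = "$env:temp\OpenSSH-Win64.zip"
          $expath = "C:\Program Files"
          (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
          if (-not (Test-Path -Path $file)) {echo "download $url failed";exit 1}
          (new-object -com shell.application).NameSpace($expath).CopyHere((new-object -com shell.application).NameSpace($file).Items())
          exit

    - name: install Win32-OpenSSH
      register: install_openssh_result
      local_action:
        module: community.windows.psexec
        hostname: '{{ hostvars[inventory_hostname]["ansible_host"] | default(inventory_hostname) }}'
        connection_username: '{{ ansible_user }}'
        connection_password: '{{ ansible_password }}'
        encrypt: "{{ 'false' if system == 'win7' else 'true' }}"
        interactive: true
        executable: powershell.exe
        # Bypass disables execution-policy checks for this one script, so the
        # integrity of the unpacked archive is the only safeguard here.
        arguments: '-ExecutionPolicy Bypass -File "C:\Program Files\OpenSSH-Win64\install-sshd.ps1"'

    - name: start Win32-OpenSSH
      when: install_openssh_result.rc == 0
      local_action:
        module: community.windows.psexec
        hostname: '{{ hostvars[inventory_hostname]["ansible_host"] | default(inventory_hostname) }}'
        connection_username: '{{ ansible_user }}'
        connection_password: '{{ ansible_password }}'
        encrypt: "{{ 'false' if system == 'win7' else 'true' }}"
        executable: powershell.exe
        arguments: '-'
        # NOTE(review): the firewall rule accepts TCP 22 from any source;
        # netsh's `remoteip=` option can limit it to the controller's address.
        stdin: |
          netsh advfirewall firewall add rule name=sshd dir=in action=allow protocol=TCP localport=22
          net start sshd
          Set-Service sshd -StartupType Automatic
          exit

    - name: show install result
      debug:
        var: install_openssh_result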
打开软件(要弹出窗口必须先获取到windows登录用户的session)
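---
# Launch a GUI program on the desktop of a logged-on Windows session through
# SMB/PsExec. The task runs on the controller via local_action.
- hosts: win
  gather_facts: false
  tasks:
    - name: open notepad
      local_action:
        module: community.windows.psexec
        hostname: '{{ hostvars[inventory_hostname]["ansible_host"] | default(inventory_hostname) }}'
        connection_username: '{{ ansible_user }}'
        connection_password: '{{ ansible_password }}'
        # 'false' on Win7 means the SMB channel is not encrypted.
        encrypt: "{{ 'false' if system == 'win7' else 'true' }}"
        executable: notepad.exe
        # arguments: /c
        working_directory: 'C:\Users\Administrator\Desktop'
        interactive: true
        # Session ID of the logged-on user; look it up on the Windows host
        # with `qwinsta` or `query session %username%`. It is hard-coded here
        # and changes between logons.
        interactive_session: 2
        # NOTE(review): this starts a SYSTEM-privileged window on the user's
        # desktop, so whoever controls that session can drive a process with
        # SYSTEM rights. Prefer a less privileged account unless SYSTEM is
        # actually required.
        process_username: system
        # Detach: the module returns as soon as the process has started.
        asynchronous: true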