Networking

Connection timeout between Ansible and Windows Server

  • December 3, 2020

I have started learning Ansible and want to apply it to a real situation at my job. I am setting up Ansible on Ubuntu to manage a Windows Nano Server 2016. I am configuring it to use a certificate mapped to a user account. I set this up following this tutorial: https://adamtheautomator.com/winrm-https-ansible/


Error

I tested the connection with the win_ping module and got the following output:

**ansible windows -vvvv -i hosts -m win_ping**

NanoServer | UNREACHABLE! => {
   "changed": false,
   "msg": "Failed to connect to the host via ssh: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020
   debug1: Reading configuration data /etc/ssh/ssh_config
   debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
   debug1: /etc/ssh/ssh_config line 21: Applying options for *
   debug1: auto-mux: Trying existing master
   debug1: Control socket \"/home/woliveira/.ansible/cp/6df2d837bc\" does not exist
   debug2: resolving \"nanoserver\" port 5986
   debug2: ssh_connect_direct
   debug1: Connecting to nanoserver [10.11.39.250] port 5986.
   debug2: fd 3 setting O_NONBLOCK
   debug1: fd 3 clearing O_NONBLOCK
   debug1: Connection established.
   debug3: timeout: 25000 ms remain after connect
   debug1: identity file /home/woliveira/.ssh/id_rsa type -1
   debug1: identity file /home/woliveira/.ssh/id_rsa-cert type -1
   debug1: identity file /home/woliveira/.ssh/id_dsa type -1
   debug1: identity file /home/woliveira/.ssh/id_dsa-cert type -1
   debug1: identity file /home/woliveira/.ssh/id_ecdsa type -1
   debug1: identity file /home/woliveira/.ssh/id_ecdsa-cert type -1
   debug1: identity file /home/woliveira/.ssh/id_ecdsa_sk type -1
   debug1: identity file /home/woliveira/.ssh/id_ecdsa_sk-cert type -1
   debug1: identity file /home/woliveira/.ssh/id_ed25519 type -1
   debug1: identity file /home/woliveira/.ssh/id_ed25519-cert type -1
   debug1: identity file /home/woliveira/.ssh/id_ed25519_sk type -1
   debug1: identity file /home/woliveira/.ssh/id_ed25519_sk-cert type -1
   debug1: identity file /home/woliveira/.ssh/id_xmss type -1
   debug1: identity file /home/woliveira/.ssh/id_xmss-cert type -1
   debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
   **Connection timed out during banner exchange",
   "unreachable": true**
}

Next, I tried increasing the timeout in the Ansible configuration file and got a connection reset by peer instead:

NanoServer | UNREACHABLE! => {
       "changed": false,
       "msg": "Failed to connect to the host via ssh: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020
       debug1: Reading configuration data /etc/ssh/ssh_config
       debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
        debug1: /etc/ssh/ssh_config line 21: Applying options for *
        debug1: auto-mux: Trying existing master
       debug1: Control socket \"/home/woliveira/.ansible/cp/6df2d837bc\" does not exist
       debug2: resolving \"nanoserver\" port 5986
       debug2: ssh_connect_direct
       debug1: Connecting to nanoserver [10.11.39.250] port 5986.
       debug2: fd 3 setting O_NONBLOCK
       debug1: fd 3 clearing O_NONBLOCK
       debug1: Connection established.
       debug3: timeout: 3600000 ms remain after connect
       debug1: identity file /home/woliveira/.ssh/id_rsa type -1
       debug1: identity file /home/woliveira/.ssh/id_rsa-cert type -1
       debug1: identity file /home/woliveira/.ssh/id_dsa type -1
       debug1: identity file /home/woliveira/.ssh/id_dsa-cert type -1
       debug1: identity file /home/woliveira/.ssh/id_ecdsa type -1
       debug1: identity file /home/woliveira/.ssh/id_ecdsa-cert type -1
       debug1: identity file /home/woliveira/.ssh/id_ecdsa_sk type -1
       debug1: identity file /home/woliveira/.ssh/id_ecdsa_sk-cert type -1
       debug1: identity file /home/woliveira/.ssh/id_ed25519 type -1
       debug1: identity file /home/woliveira/.ssh/id_ed25519-cert type -1
       debug1: identity file /home/woliveira/.ssh/id_ed25519_sk type -1
       debug1: identity file /home/woliveira/.ssh/id_ed25519_sk-cert type -1
       debug1: identity file /home/woliveira/.ssh/id_xmss type -1
       debug1: identity file /home/woliveira/.ssh/id_xmss-cert type -1
       debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
       kex_exchange_identification: read: **Connection reset by peer",
       "unreachable": true**
   }

Environment setup

Ansible 2.9.6 installed on an Ubuntu 20.04.1 LTS virtual machine.

My Windows server is as follows:

OS Name:    Microsoft Windows Server 2016 Standard Evaluation
OS Version: 10.0.14393 N/A Build 14393

Both virtual machines have static IPs and are not in a domain. I followed this tutorial: https://vnuggets.com/2019/08/08/ansible-certificate-authentication-to-windows/

I created a Windows local user named ansibleoperator and added it to the local Administrators group. This is my Ansible hosts file:

[windows]
NanoServer

[windows:vars]
ansible_user=ansibleoperator
ansible_password=*********
ansble_connection=winrm
ansible_winrm_cert_pem=/home/woliveira/cert.pem
ansible_winrm_cert_key_pem=/home/woliveira/cert_key.pem
ansible_port=5986
ansible_winrm_scheme=https
ansible_winrm_server_cert_validation=ignore

The Windows Firewall is disabled. TrustedHosts is configured for any host (value = *).

What I have checked

Whether another Windows host is able to connect using WinRM:

PS C:\> Test-WSMan -ComputerName "NanoServer" -UseSSL

wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0

On the Linux side, I can test the connection to port 5986 with Netcat using the following command:

nc -z -w1 NanoServer 5986;echo $?

The output is 0 (the command succeeded).

I have also tried connecting from another Windows machine, this time with a pywinrm script, since it is the same library Ansible uses. I ran this script:

import winrm

cert_pem = 'C:/Users/woliveira.adm/Desktop/CertificadoAnsible/cert.pem'
cert_key_pem = 'C:/Users/woliveira.adm/Desktop/CertificadoAnsible/cert_key.pem'


# 'host:port' without a scheme; pywinrm selects https for port 5986
session = winrm.Session('NanoServer:5986', auth=('ansibleoperator', '********'),
                        transport='certificate',
                        cert_pem=cert_pem,
                        cert_key_pem=cert_key_pem,
                        server_cert_validation='ignore',
                        )
session.run_cmd('ipconfig')

and received this:

Traceback (most recent call last):

 File "<ipython-input-56-b902c730fb9c>", line 1, in <module>
   runfile('C:/Users/woliveira.adm/Desktop/testewinrm.py', wdir='C:/Users/woliveira.adm/Desktop')

 File "C:\ProgramData\Anaconda3\lib\site-packages\spyder_kernels\customize\spydercustomize.py", line 786, in runfile
   execfile(filename, namespace)

 File "C:\ProgramData\Anaconda3\lib\site-packages\spyder_kernels\customize\spydercustomize.py", line 110, in execfile
   exec(compile(f.read(), filename, 'exec'), namespace)

 File "C:/Users/woliveira.adm/Desktop/testewinrm.py", line 19, in <module>
   session.run_cmd('ipconfig')

 File "C:\ProgramData\Anaconda3\lib\site-packages\winrm\__init__.py", line 39, in run_cmd
   shell_id = self.protocol.open_shell()

 File "C:\ProgramData\Anaconda3\lib\site-packages\winrm\protocol.py", line 166, in open_shell
   res = self.send_message(xmltodict.unparse(req))

 File "C:\ProgramData\Anaconda3\lib\site-packages\winrm\protocol.py", line 243, in send_message
   resp = self.transport.send_message(message)

 File "C:\ProgramData\Anaconda3\lib\site-packages\winrm\transport.py", line 323, in send_message
   response = self._send_message_request(prepared_request, message)

 File "C:\ProgramData\Anaconda3\lib\site-packages\winrm\transport.py", line 328, in _send_message_request
   response = self.session.send(prepared_request, timeout=self.read_timeout_sec)

 File "C:\ProgramData\Anaconda3\lib\site-packages\requests\sessions.py", line 646, in send
   r = adapter.send(request, **kwargs)

 File "C:\ProgramData\Anaconda3\lib\site-packages\requests\adapters.py", line 529, in send
   raise ReadTimeout(e, request=request)

ReadTimeout: HTTPConnectionPool(host='10.11.39.250', port=5986): Read timed out. (read timeout=30)

I don't know how to debug this. What can I check?

Sorry for my English. If anything is unclear, please let me know.
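The `-vvvv` output above shows the SSH client connecting to port 5986 and then waiting for a server banner that never arrives. The following probe, an added example that is not part of the original question, makes that diagnosis visible without Ansible: it connects, stays silent, and checks whether the peer speaks first (an SSH server sends `SSH-2.0-...` immediately) and, if not, whether it completes a TLS handshake (a WinRM HTTPS listener does). The `start_fake_listener` helper is a constructed local fixture for running the example offline; against a real WinRM listener on 5986, `classify` would report `tls`, and the target host name and port on the command line are placeholders.

```python
"""Tell an SSH listener from a TLS (WinRM over HTTPS) listener on a TCP port."""
import socket
import ssl
import threading


def probe(host, port, timeout=2.0):
    """Return {'banner': bytes, 'tls': bool} describing what the listener speaks.

    An SSH server sends its 'SSH-2.0-...' identification string as soon as the
    TCP connection is up; a TLS listener such as WinRM on 5986 stays silent until
    the client sends a ClientHello. An SSH client pointed at 5986 therefore waits
    for a banner that never comes ("Connection timed out during banner exchange").
    """
    result = {"banner": b"", "tls": False}
    # Step 1: connect and say nothing; only an SSH server will speak first.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            result["banner"] = sock.recv(256)
        except (socket.timeout, ConnectionError):
            pass  # silent listener: not SSH, possibly TLS
    if result["banner"].startswith(b"SSH-"):
        return result
    # Step 2: new connection, try a TLS handshake. Certificate checks are off on
    # purpose: we only ask whether the peer speaks TLS, not whether we trust it.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = tls.version() is not None
    except (ssl.SSLError, OSError):
        result["tls"] = False
    return result


def classify(result):
    """Map a probe() result to 'ssh', 'tls' or 'unknown'."""
    if result["banner"].startswith(b"SSH-"):
        return "ssh"
    return "tls" if result["tls"] else "unknown"


def start_fake_listener(banner, connections=1, hold=5.0):
    """Constructed local listener so probe() can be exercised offline (not a real service).

    Sends `banner` on accept (b'' imitates a TLS listener waiting for the client),
    then keeps each connection open until the client hangs up or `hold` expires.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(connections)
    port = srv.getsockname()[1]

    def serve():
        for _ in range(connections):
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(hold)
                if banner:
                    conn.sendall(banner)
                try:
                    conn.recv(4096)  # returns on client data or hang-up
                except socket.timeout:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    target_host, target_port = sys.argv[1], int(sys.argv[2])  # e.g. nanoserver 5986
    outcome = probe(target_host, target_port)
    print(classify(outcome), outcome["banner"][:40])
```

Run it as `python probe.py nanoserver 5986`: a result of `tls` with an empty banner is exactly the situation in the question, a port that is reachable (so `nc -z` succeeds) but that no SSH client can talk to.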

There is a typo in your vars file:

ansble_connection=winrm

This should be:

ansible_connection=winrm

(an "i" is missing).

That is why Ansible is trying to connect via SSH instead of WinRM.
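Ansible does not reject unknown `ansible_*` variable names, so a misspelled connection variable is simply ignored and the default connection plugin (smart, which means SSH here) is used. The check below is an added example, not code from the original answer or from Ansible: it parses an INI inventory, flags variable names that are a close edit away from a documented one, and warns when `ansible_winrm_*` variables are present without `ansible_connection`. `KNOWN_VARS` is an assumed subset of the documented Ansible variables, and the embedded inventory is a constructed copy of the one in the question with the password masked.

```python
"""Lint an Ansible INI inventory for misspelled ansible_* variables."""
import difflib
import re

# Subset of documented Ansible connection and WinRM variables (assumed list; extend as needed).
KNOWN_VARS = {
    "ansible_connection", "ansible_host", "ansible_port", "ansible_user",
    "ansible_password", "ansible_ssh_private_key_file", "ansible_become",
    "ansible_become_user", "ansible_become_method", "ansible_become_password",
    "ansible_python_interpreter", "ansible_shell_type",
    "ansible_winrm_scheme", "ansible_winrm_transport",
    "ansible_winrm_server_cert_validation", "ansible_winrm_cert_pem",
    "ansible_winrm_cert_key_pem", "ansible_winrm_operation_timeout_sec",
    "ansible_winrm_read_timeout_sec", "ansible_winrm_ca_trust_path",
}

SECTION_RE = re.compile(r"^\[(?P<group>[^\]:]+)(?::(?P<kind>vars|children))?\]$")


def collect_vars(text):
    """Return {group: {key: value}} for every key=value in an INI-style inventory.

    Variables from '[group:vars]' blocks and inline 'host key=value' entries are
    merged per group; that is enough for name checking (Ansible's precedence
    rules are not modelled, and '#' comments are stripped naively).
    """
    found = {}
    group, kind = "ungrouped", "hosts"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            group, kind = m.group("group"), m.group("kind") or "hosts"
            found.setdefault(group, {})
            continue
        if kind == "children":
            continue  # child group names, nothing to lint
        pairs = [line] if kind == "vars" else line.split()[1:]  # inline host vars
        for pair in pairs:
            key, sep, value = pair.partition("=")
            if sep:
                found.setdefault(group, {})[key.strip()] = value.strip()
    return found


def lint_inventory(text):
    """Return a list of (group, message) findings."""
    findings = []
    for group, vars_ in collect_vars(text).items():
        for key in sorted(vars_):
            if key in KNOWN_VARS:
                continue
            close = difflib.get_close_matches(key, sorted(KNOWN_VARS), n=1, cutoff=0.8)
            if close:
                findings.append((group, f"'{key}' looks misspelled; did you mean '{close[0]}'?"))
        has_winrm_vars = any(k.startswith("ansible_winrm_") for k in vars_)
        connection = vars_.get("ansible_connection")
        if connection is None and has_winrm_vars:
            findings.append((group, "ansible_connection is not set, so the default (smart, i.e. ssh) "
                                    "applies and every ansible_winrm_* variable is silently ignored"))
        elif connection == "winrm" and vars_.get("ansible_winrm_server_cert_validation") == "ignore":
            findings.append((group, "server_cert_validation=ignore disables TLS server verification; "
                                    "point ansible_winrm_ca_trust_path at your CA instead"))
    return findings


# Constructed inventory mirroring the one in the question (password masked).
BROKEN_INVENTORY = """\
[windows]
NanoServer

[windows:vars]
ansible_user=ansibleoperator
ansible_password=*********
ansble_connection=winrm
ansible_winrm_cert_pem=/home/woliveira/cert.pem
ansible_winrm_cert_key_pem=/home/woliveira/cert_key.pem
ansible_port=5986
ansible_winrm_scheme=https
ansible_winrm_server_cert_validation=ignore
"""
FIXED_INVENTORY = BROKEN_INVENTORY.replace("ansble_connection", "ansible_connection")

if __name__ == "__main__":
    for name, inventory in (("broken", BROKEN_INVENTORY), ("fixed", FIXED_INVENTORY)):
        print(f"== {name} ==")
        for group, message in lint_inventory(inventory):
            print(f"[{group}] {message}")
```

On the broken inventory the linter reports both the misspelling and the resulting fall-back to SSH; on the fixed one only the `server_cert_validation=ignore` warning remains, which is worth acting on once the certificate-auth setup works, since ignoring the server certificate leaves the WinRM session open to interception.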

Quoted from: https://serverfault.com/questions/1044751