Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix put_file to work on Windows servers with JEA enabled #71419

Closed
wants to merge 1 commit into from
Closed

Fix put_file to work on Windows servers with JEA enabled #71419

wants to merge 1 commit into from

Conversation

egmar
Copy link
Contributor

@egmar egmar commented Aug 24, 2020

SUMMARY

This PR changes put_file method in PSRP in order to add support for JEA feature in Windows.
Mainly looking for feedback as this changes radically how a file is transferred, and in my tests may lead to slower transfer speeds.

Potentially fixes #59795

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

psrp

ADDITIONAL INFORMATION
  1. Add a normal user to a Windows system, e.g.: jea-admin (auto-generated name by vagrant box for development of ansible modules for Windows)
  2. Add the user to a group without any privileges, e.g.: Ansible
  3. Create PS Session Configuration file, e.g. .\MyJEAEndpoint.pssc:
@{

# Version number of the schema used for this document
SchemaVersion = '2.0.0.0'

# ID used to uniquely identify this document
GUID = '40eac0d0-d9c0-4822-adb3-8dec50f49481'

# Author of this document
Author = 'vagrant'

# Description of the functionality provided by these settings
# Description = ''

# Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
SessionType = 'Default'

# Directory to place session transcripts for this session configuration
# TranscriptDirectory = 'C:\Transcripts\'

# Whether to run this session configuration as the machine's (virtual) administrator account
RunAsVirtualAccount = $true

# Scripts to run when applied to a session
# ScriptsToProcess = 'C:\ConfigData\InitScript1.ps1', 'C:\ConfigData\InitScript2.ps1'

# User roles (security groups), and the role capabilities that should be applied to them when applied to a session
RoleDefinitions = @{ 
    'WIN-JPB0UJBQOE3\Ansible' = @{ 
        VisibleCmdlets = 'Get-Process', 'Get-FileHash', 'Write-Error', "Clear-Variable", 'exit', 'Out-String', 'New-Object', 'Set-Variable', 'Set-StrictMode', 'Test-Path', 'Out-Null', 'New-Item' , 'Write-Output', 'Remove-Item', 'Get-Variable'
        VisibleExternalCommands = 'C:\Windows\system32\chcp.com'
        EnvironmentVariables = @{ TEMP = 'C:\Windows\TEMP';}
    } 
  }
}
  1. Register PS Session Configuration
New-PSSessionConfigurationFile -SessionType RestrictedRemoteServer -Path .\MyJEAEndpoint.pssc
  1. Create an inventory with JEA configuration in place
[windows]
WindowsServer  ansible_host=127.0.0.1

[windows:vars]
ansible_user=jea-admin
ansible_password=<password>
ansible_port=55986
ansible_connection=psrp
ansible_psrp_auth=ntlm
ansible_psrp_configuration_name=JEA-Ansible
ansible_psrp_cert_validation=ignore
  1. Create a basic playbook which copies a file
---
- name: test out windows module
  hosts: windows
  gather_facts: no
  tasks:
    - win_copy:
        src: /home/egor/github-project-management.pdf
        dest: C:\Windows\Temp\github-project-management.pdf

Before fix:

 ➜ ansible-playbook -i inventory.jea test.yml     

PLAY [test out windows module] ************************************************************************************************************************************************************************************************************************

TASK [win_copy] ***************************************************************************************************************************************************************************************************************************************
Monday 24 August 2020  12:41:09 +0200 (0:00:00.022)       0:00:00.022 ********* 
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: pypsrp.exceptions.WSManFaultError: Received a WSManFault message. (Code: 5, Machine: 127.0.0.1, Reason: Access is denied.)
fatal: [WindowsServer]: FAILED! => {"msg": "Unexpected failure during module execution.", "stdout": ""}

PLAY RECAP ********************************************************************************************************************************************************************************************************************************************
WindowsServer              : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Monday 24 August 2020  12:41:10 +0200 (0:00:01.148)       0:00:01.170 ********* 
=============================================================================== 
win_copy --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1.15s

After fix:

ansible-playbook -i inventory.jea test.yml     

PLAY [test out windows module] ************************************************************************************************************************************************************************************************************************

TASK [win_copy] ***************************************************************************************************************************************************************************************************************************************
Monday 24 August 2020  12:44:00 +0200 (0:00:00.017)       0:00:00.017 ********* 
changed: [WindowsServer]

PLAY RECAP ********************************************************************************************************************************************************************************************************************************************
WindowsServer              : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

Monday 24 August 2020  12:44:42 +0200 (0:00:42.051)       0:00:42.069 ********* 
=============================================================================== 
win_copy -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 42.05s

As stated in summary, while this fixes the problem, I'm not 100% sure it is the most correct way, hence why opening this as Draft and the issue can be fixed temporarily by creating connection_plugins\psrp.py which includes this fix in folder from where the ansible-playbook command is executed

@ansibot ansibot added affects_2.11 bug This issue/PR relates to a bug. core_review In order to be merged, this PR must follow the core review workflow. needs_triage Needs a first human triage before being processed. new_contributor This PR is the first contribution by a new community member. support:core This issue/PR relates to code supported by the Ansible Engineering Team. traceback This issue/PR includes a traceback. windows Windows community labels Aug 24, 2020
@jborean93
Copy link
Contributor

I've just created a PR to address this problem #71409. It bypasses the max object size that can be received in a process by using some .NET reflection methods which isn't the best but it does reduce the performance hit by a lot compared to the run a new pipeline per block.

@egmar
Copy link
Contributor Author

egmar commented Aug 24, 2020
edited

Thanks. Just tested the other PR and is definitely faster than this. I'll close this one then.

@egmar egmar closed this Aug 24, 2020
@mkrizek mkrizek removed the needs_triage Needs a first human triage before being processed. label Aug 25, 2020
@ansible ansible locked and limited conversation to collaborators Sep 21, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
affects_2.11 bug This issue/PR relates to a bug. core_review In order to be merged, this PR must follow the core review workflow. new_contributor This PR is the first contribution by a new community member. support:core This issue/PR relates to code supported by the Ansible Engineering Team. traceback This issue/PR includes a traceback. windows Windows community
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

put_file method in psrp connection plugin breaks JEA
4 participants
@egmar @jborean93 @mkrizek @ansibot