20:00:08 <nitzmahone> #startmeeting Windows Working Group
20:00:08 <zodbot> Meeting started Tue Jul 25 20:00:08 2017 UTC.  The chair is nitzmahone. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:00:08 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
20:00:08 <zodbot> The meeting name has been set to 'windows_working_group'
20:01:03 <jhawkesworth_> hey
20:01:15 <nitzmahone> greetings!
20:01:28 <jborean93> hey all
20:01:36 <jhawkesworth_> heya
20:01:56 <nitzmahone> #chair jborean93 jhawkesworth_
20:01:56 <zodbot> Current chairs: jborean93 jhawkesworth_ nitzmahone
20:02:58 <nitzmahone> #info Agenda: https://github.com/ansible/community/issues/195
20:03:15 <nitzmahone> Most of these are still waiting on me to review/merge stuff
20:04:11 <nitzmahone> #topic https://github.com/ansible/community/issues/195#issuecomment-317292274
20:04:19 <nitzmahone> (What do we want to get done for 2.4?)
20:04:24 <jborean93> I believe so, there are a few new modules out there. I'm trying to set up a proxy to test Dag's win_get_url changes as I still think something is up
20:04:59 <nitzmahone> Yeah, I'd like to see all those scenarios at least smoke-tested before we merge- I agree there may be some other issues there
20:05:26 <jborean93> I think it would be nice to get the documentation done but think we should focus on that during the freeze
20:05:36 <jborean93> is there a freeze on doc updates during that time?
20:05:45 <jborean93> apart from that it is really get as much done as possible
20:05:46 <nitzmahone> No, docs are "living"
20:06:13 <bcoca> docs are not 'new features' ... they are normally ' ... we should have written these 2 versions ago ...'
20:06:18 <nitzmahone> Yeah- Windows coverage support will probably be sometime between 2.4 freeze and 2.5.
20:06:39 <nitzmahone> We'll pretty much always merge docs changes
20:07:19 <jborean93> sounds good, I've gone through as much as I can on the issues and PR's and either they are waiting for the user to come back with changes or a final review
20:07:39 <jborean93> I haven't checked for changes this morning though
20:08:31 <nitzmahone> Time's growing short for 2.4 core engine freeze- I've got a couple other things I need to wrap up before that, and still need to do a big pass over pywinrm to get message encryption (and a bunch of other PRs/issues that have stacked up) resolved and released.
20:09:20 <jhawkesworth_> sounds like your time is fully allocated then nitzmahone.  Should be what community can do though
20:09:30 <nitzmahone> So I guess kinda business as usual for non-core-engine stuff- we'll make sure to get all the outstanding module PRs merged before the module freeze
20:10:11 <nitzmahone> Not sure we need to get more specific ATM
20:10:22 <nitzmahone> On to next topic?
20:10:32 <nitzmahone> #topic https://github.com/ansible/community/issues/195#issuecomment-317791949
20:10:35 <jhawkesworth_> yeah, unless others are champing at the bit for things to do - look at action list anyway
20:10:41 <nitzmahone> yup
20:10:57 <jhawkesworth_> dunno if you've seen the chat about debugging.
20:11:15 <nitzmahone> I don't know if I did or not- can you give some context?
20:11:50 <jhawkesworth_> trond was saying it's still a multi step process to actually get set up to debug your modules on windows.
20:12:07 <nitzmahone> I haven't decided if I'm going to include Windows module build/debug in my SF 'fest talk or not. I think I could easily fill the 45m with just Python stuff, so I want to make sure I don't go too broad
20:12:48 <jborean93> Basically it would be good if we could get the pre 2.3 process where it copied a single file to the server so that people could run it
20:12:55 <nitzmahone> I dunno- if you set it up where your Windows host can see your Ansible source checkout, it's "open module code, open module_utils code, run to create module, run module code repeatedly"
20:13:55 <jborean93> I find I'm usually doing large changes on the Windows host itself where I can debug it and then finally bring it back to Ansible
20:14:25 <nitzmahone> I sorta already exposed KEEP_REMOTE_FILES to the module in 2.2, so we could probably use it to have the wrapper persist the module code, but I don't know why folks would want to debug that way instead of hacking the module source directly.
20:14:59 <jhawkesworth_> iirc trond wanted to preserve the module params as passed by ansible
20:15:01 <nitzmahone> (via a shared filesystem between Windows guest and Linux/Mac host)
20:15:14 <nitzmahone> That part's already there
20:15:38 <jborean93> You can't run the module directly as is, you need to either add extra fluff or manually import the other stuff
20:15:48 <nitzmahone> If we did the "exploded persistence" thing we could drop those to an argfile so you don't have to dig it out of the wrapper manifest, but it's a top-level var there already.
20:16:22 <nitzmahone> Yeah, all you have to do is run the module_utils code once in ISE and it's there- no need to add setup code to the modules
20:16:34 <nitzmahone> (I run/debug the original module source exclusively)
20:17:17 <jhawkesworth_> thanks, I'll have another play.  made mistake of running the file left by keep remote files this morning thinking it was the module code - it crashes ISE.
20:17:29 <nitzmahone> Doesn't crash it, but it calls exit
20:17:52 <jborean93> in the end I think it's something we just need to document
20:17:53 <nitzmahone> (which closes ISE)
20:17:54 <jhawkesworth_> not so bad.
20:18:25 <nitzmahone> I had some prototype stuff that would detect ISE in Exit/Fail-Json and "soft-exit" instead
20:18:29 <nitzmahone> But it wasn't 100%
20:18:52 <jhawkesworth_> ok I'll have another run at it, sharing source should be easy enough between WSL and win10
20:19:03 <nitzmahone> jborean93: agreed- I just assume everyone's figured it out the same way I did, but that's clearly not the case
20:19:16 <jborean93> yea everyone seems to have a different way of doing things
20:19:31 <jborean93> mine is arguably manual and probably isn't the best way
20:19:46 <nitzmahone> Same for python debugging- I still see people using test-module, which is kinda the hard way
20:19:46 <jhawkesworth_> true.  everyone else seems to debug more than me!  probably why your code is better :-)
20:20:18 <nitzmahone> #topic Open Floor
20:20:25 <nitzmahone> (mind the gap)
20:20:27 <jborean93> jhawkesworth_ I used to not debug and just run things from Ansible, took forever and was painful :)
20:20:47 <jborean93> I'm wondering if people (only one here) could try out the CredSSP with message encryption changes before I merge it in
20:20:49 <nitzmahone> Yeah, using adhoc runner as your debug harness is definitely the hard way ;)
20:21:38 <nitzmahone> I don't think I've tried the latest commit- you changed the calculation for the length field again, right?
20:22:00 <jborean93> yea it does it based on the cipher type but I'm hoping a wider audience would pick up any issues I've got with the calculation
20:22:17 <jborean93> I think I've got it but the docs are really vague and nothing seems to specifically mention it
20:22:29 * nitzmahone shakes fist at OpenSSL
20:22:53 <jborean93> It works for me on Server 2008 -> 2016 using the default cipher suites but would be good to know how it works in people's environments
20:23:14 <jborean93> NTLM seems fairly solid, I haven't had any issues so far
20:24:04 <nitzmahone> Yeah, I'm not going to be much additional help there probably, since I'd just be testing default cipher suites as well
20:24:27 <jborean93> jhawkesworth_ how about yourself, do you have CredSSP setup in your environment?
20:24:53 <jhawkesworth_> I don't I'm afraid.  It's kerberos everywhere.  I don't think we do any tweaking to cipher suites either.
20:25:02 <nitzmahone> Have you played around with IISCrypto? You can really bork up a server's encryption in a nice point/click fashion- might be good to put together some more exotic scenarios with that
20:25:25 <jborean93> I used it to see what is supported, probably should try out some different ciphers
20:25:42 <jborean93> I can also manually set them in the requests-credssp side instead of just negotiating all
20:25:46 <nitzmahone> That's what I usually use when I'm trying to repro the wedging SSL tunnel thing
20:26:13 <jhawkesworth_> If I recall there's a 'paranoid' setting in IISCrypto that is good for messing stuff up.
20:26:28 <nitzmahone> I'm guessing if it works with the couple of IISCrypto canned settings and the defaults, should be fine for mos until we get into government stuff
20:26:33 <nitzmahone> *most
20:26:39 <jborean93> ok, I'll play around and restrict some of the cipher suites some more
20:26:58 <jborean93> I'm ok with it and believe it works just wanting to be sure
20:26:58 <nitzmahone> Had a question about Windows support for FIPS mode come through last week
20:27:01 <jhawkesworth_> so long since I looked at it.  I'm sure we aren't the only place that offloads elsewhere for the most part
20:27:12 <nitzmahone> "Uh, no, not gonna happen" (esp now that MS says "don't do that")
20:28:03 <jhawkesworth_> iirc changing the file checksums away from md5 was driven by FIPS
20:28:04 <nitzmahone> Any other topics, or shall we call it a meeting?
20:28:23 <jhawkesworth_> lets call it, everyone got plenty to do.
20:28:34 <nitzmahone> WFM- thanks all!
20:28:35 <jborean93> sounds good
20:28:38 <nitzmahone> #endmeeting