20:02:07 <nitzmahone> #startmeeting Ansible Windows Working Group 20:02:07 <zodbot> Meeting started Tue Jun 19 20:02:07 2018 UTC. 20:02:07 <zodbot> This meeting is logged and archived in a public location. 20:02:07 <zodbot> The chair is nitzmahone. Information about MeetBot at http://wiki.debian.org/MeetBot. 20:02:07 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 20:02:07 <zodbot> The meeting name has been set to 'ansible_windows_working_group' 20:02:15 <jborean93> wow zodbot is back! 20:02:20 <jhawkesworth_> wecome back zodbot 20:02:32 <nitzmahone> hooray 20:02:45 <nitzmahone> #chair jborean93 jhawkesworth_ 20:02:45 <zodbot> Current chairs: jborean93 jhawkesworth_ nitzmahone 20:04:05 * jborean93 checks agenda 20:04:22 * daBONDi sitting in the corner and making the coffe for the table :-) 20:05:16 <jborean93> #topic https://github.com/ansible/community/issues/294#issuecomment-397296168 default become method 20:05:28 <nitzmahone> That's covered by the ansible_platform stuff in 2.7 20:05:43 <nitzmahone> Basically "sane defaults for a given platform" 20:05:59 <jhawkesworth_> great. well that was dealt with pretty quick 20:05:59 <jborean93> sounds good to me 20:06:04 <jborean93> haha yea 20:06:17 <nitzmahone> But you'd have to actually use it- some of my old prototypes tried to work backwards for things that didn't use it 20:06:40 <nitzmahone> But the way we're likely to do it won't do that, so unless you've specified `ansible_platform=windows` somewhere, it'll still fail like that 20:06:55 <jhawkesworth_> I recall some chat long ago about needing to separate concerns better between the connection plugins and the code surrounding them 20:06:58 <nitzmahone> If it works out right, there will be a lot of muscle memory and old content to ditch 20:07:10 <nitzmahone> Yeah, that's sort of related but also a different issue 20:07:20 <jborean93> I'm used to specifying all those extra vars for Windows 20:07:23 <nitzmahone> With the advent of "real" ssh on Windows and (maybe) PSRP 20:07:28 <nitzmahone> we'll have to revisit 20:07:50 <nitzmahone> Platform solves most of those problems on the user side 20:07:57 <jhawkesworth_> tbh I set as much of that stuff as possible in group_vars and then basically modify it ... almost never 20:09:14 <jborean93> yea I personally err on the side of explicit vars but that's because I know/understand most of how they interact in Ansible 20:09:21 <jborean93> for end users that's usually never the case 20:09:21 <jhawkesworth_> sounds great. if you can set ansible_platform=windows on your group_vars that would make it a one-time setup sort of thing 20:09:32 <bcoca> taht is the plan 20:09:33 <nitzmahone> exactly 20:09:49 <bcoca> even better, let aws_ec2 dynamic inventory do it ... 20:09:50 <nitzmahone> Platform won't prevent people from doing that stuff either 20:10:02 <bcoca> it just makes it less neccessary 20:10:07 <jhawkesworth_> ok well I'll update the agenda 20:10:57 <jborean93> #topic open floor 20:11:23 <jhawkesworth_> something that came up earlier on IRC was `setup` doesn't have a default fact path for windows 20:11:35 <bcoca> for ansible_local 20:11:45 <bcoca> i thought there was PR that tried to add it 20:11:56 <nitzmahone> Yeah, I was going to respond to that 20:12:09 <jhawkesworth_> oh I have missed that PR 20:12:36 <jborean93> on Windows though? 20:12:43 <jborean93> or is this something different? 20:12:48 <jhawkesworth_> having a default fact path would be nice and a linux parity thing, but would it be possible to agree on a default location 20:13:03 <jborean93> is this to point to a script that gathers more facts? 20:13:17 <nitzmahone> Yeah, %PROGRAMDATA%\AnsibleFacts or something would probably be the closest to /etc/something 20:13:20 <jhawkesworth_> yes this is that 20:13:24 <bcoca> jborean93: its a dir with either scripts or json files that then get pushed into ansible_local. dict 20:13:28 <nitzmahone> Yeah, custom local facts 20:13:51 <nitzmahone> Windows support for local facts was added ~2.2 IIRC, but it always required explicit call 20:13:58 <nitzmahone> with fact_path specified 20:14:04 <jborean93> I don't see why we can't just default and check the path 20:14:07 <bcoca> ah, that might be what i remember 20:14:29 <nitzmahone> Yeah- I'm not opposed to adding a default path to check 20:14:57 <jhawkesworth_> %PROGRAMDATA%\AnsibleFacts sounds good to me 20:15:00 <bcoca> actual equivalent to /etc/ in windows is the registry ... 20:15:07 <jhawkesworth_> quite 20:15:30 <jhawkesworth_> not sure we'd want a default registry path for local facts 20:15:32 <bcoca> programdata is per user? 20:15:39 <jborean93> C:\ProgramData 20:15:41 <daBONDi> Programdata is not writable per default with user rights, so maybe there will be a problem in the long run, only Creators rights so if you switch with become? 20:15:46 <nitzmahone> Kinda, but orthogonal to this issue- ProgramData is the closest thing to "a filesystem place for stuff to store config" 20:16:06 <nitzmahone> We don't want it to be writable 20:16:07 <jhawkesworth_> yeah /etc files are usually fairly locked down for writes 20:16:09 <bcoca> +1 for programdata 20:16:12 <nitzmahone> We want it as locked down as possible 20:16:19 <nitzmahone> (which ProgramData is) 20:16:37 <nitzmahone> But it's a supported place that admins could drop custom facts modules securely 20:16:54 <jhawkesworth_> sounds like a plan 20:17:06 <nitzmahone> IIRC it is world *readable* though (which we want) 20:17:07 * nitzmahone looks 20:17:12 <jborean93> I'm cool with that 20:17:27 <jborean93> arguably most WinRM connections are with an admin user anyway 20:17:28 <nitzmahone> Yep, Users has read/execute 20:17:38 <jhawkesworth_> I'll make a PR for 2.7 then 20:17:42 <nitzmahone> Yeah- we just want to make sure we don't bomb facts on non-admiin 20:17:49 <nitzmahone> We've fixed some bugs around that, might be some more 20:17:58 <jborean93> wouldn't it be a try and look, ignore if you can't? 20:18:06 <nitzmahone> Yep 20:18:20 * nitzmahone can't remember if we added setup tests for nonadmin 20:18:21 * jhawkesworth_ makes notes 20:19:34 <jborean93> cool 20:19:34 <nitzmahone> howdy dag! 20:19:40 <jborean93> hey 20:19:40 <daBONDi> a non admin user can put a File on %ProgramData%\<SubFolder> with the Creation rights, so this is maybe a security hole, when the Script get created with User Rights, and executed remote over WinRM with Admin rights, this is my only concern 20:19:48 * nitzmahone typed that very carefully today 20:21:35 <jborean93> hmm 20:21:38 <nitzmahone> @daBONDi - I'm not seeing how that's possible without someone explicitly allowing write access to nonadmins on the AnsibleFacts subdir 20:21:40 <jhawkesworth_> that does sound like a security hole 20:22:23 * jborean93 tests it out 20:23:44 <daBONDi> ,@nitzmahone look on the NTFS Policy on a system, it says Creater User: Full Access Subfolder and Files, so when Ansible create the folder "\ansible_facts" and Default Execute a Script on "\ansible_facts\get_facts.ps1" but Script is not there, a User can create it and put his stuff in it, or i'm thinking wrong about this ? 20:24:55 <jborean93> yea he's right, as a standard user I can create the folder and a ps1 script 20:25:44 <jborean93> even if the folder exists I still have rights as a standard user in ProgramData 20:26:26 <nitzmahone> balls 20:26:30 <nitzmahone> Well, good catch there 20:26:39 <jhawkesworth_> yeah, thanks 20:27:18 <jhawkesworth_> I'll play around with it a bit 20:27:18 <daBONDi> think better approche would be the Profile Path of the WinRM User maybe, so there only the User and Admin can write it, or the System Profile 20:27:35 <nitzmahone> So I guess unless we want to default to something that's actually default-secured under %WINDIR% or %ProgramFiles%... 20:27:41 <jborean93> trouble with user based paths is that you need to do it per user 20:27:50 <nitzmahone> Yeah, it needs to be a global path 20:27:54 <nitzmahone> (or both) 20:28:32 <daBONDi> then prbly programFiles\Ansible there only a Admin User can write 20:28:43 <jhawkesworth_> I'd be happy with only a global path 20:29:02 <nitzmahone> Yeah, that's how posix facts does it now IIRC 20:29:04 * nitzmahone looks 20:29:07 <daBONDi> lol don't know that, there is also the "CREATER_OWNER2 rule 20:29:34 <jborean93> standard user can't create folders or files in Program Files 20:29:40 <daBONDi> on Program Files there is also the Same creater/owner rule like in programdata 20:29:41 <jborean93> "by default" 20:30:18 <daBONDi> you can when the User is the Owner of the folder 20:30:27 * jhawkesworth_ thinking user-specific facts should be a different thing from facts about a host, but that's another debate 20:30:35 <dag> o/ 20:30:39 <jborean93> what user would be an owner of the Program Files folder? 20:31:00 <daBONDi> lets hope know one :D 20:31:31 <daBONDi> i would suggest a default location for ansible_facts but only as non executable maybe ? 20:31:53 <jborean93> I feel like you would have a bigger program is a non admin can create/modify in Program Files 20:32:13 <jborean93> I don't think we currently support non executable 20:32:17 <jborean93> just ps scripts right now 20:32:24 <jhawkesworth_> yes, just ps scripts now 20:32:48 <jhawkesworth_> if I was going to have read only facts, I'd pick a registry location 20:33:23 <nitzmahone> Regardless, no longer a slam dunk, so ... *punt* 20:33:31 <jhawkesworth_> but that's going away from just getting to feature parity 20:33:34 <jhawkesworth_> agreed 20:33:50 <jhawkesworth_> anybody got anything else, didn't mean for this to take over! 20:34:13 <jborean93> only wanted to mention that I was working on a psrp connection plugin based on https://github.com/jborean93/pypsrp 20:34:29 <jborean93> no PR ready just yet as I'm trying to iron out the problems 20:35:06 * jhawkesworth_ looks 20:35:23 * daBONDi looks, and add star + fav :D 20:36:38 <daBONDi> Whats the different to pywinrm? 20:37:18 <jborean93> it uses WinRM but through the PowerShell Runspaces, similar to Enter-PSSession or Invoke-Command 20:37:46 <daBONDi> i was thinking pywinrm do this also, then i'm probly missinformed 20:37:49 <jborean93> it's meant to be faster than WinRM as you don't need to start a ps interpreter on each command but it does have more messages to exchange 20:38:01 <nitzmahone> Some potential performance improvements, but only once we implement connection persistence 20:38:19 <jborean93> yep, it is probably dependent on persistance 20:38:21 <nitzmahone> (which we can't turn on by default until we solve the HTTPS wedging issue, lest we brand ourselves as masochists) 20:38:39 <jborean93> There are other benefits it brings but not really relevant to Ansible 20:38:51 <jborean93> nitzmahone: I still don't think we should limit it because of that 20:39:04 <jborean93> I've yet to come across it and rarely see something who is potentially affected by it 20:39:05 <jhawkesworth_> well looking forward to having it as an option 20:39:05 <nitzmahone> Nor do I, just not on by default 20:39:12 <jborean93> even still 20:39:25 <jborean93> why limit ourselves by default when it only affects a tiny subset of users 20:39:25 <nitzmahone> It's more common than you think, but only people that are doing >5M transfers hit it 20:39:50 <jborean93> if it was more common we would have more reproducers 20:39:55 <nitzmahone> Even if it hits 1% (which I think is low, actually), we'd be shooting ourselves in the foot 20:40:14 <nitzmahone> Not necessarily- only people using win_copy or large task loops are likely to hit today 20:40:15 <jhawkesworth_> if file transfer is speedier and everything else balances out speedwise it would be worth all your hard work to have 20:40:31 <jborean93> file transfer is still the same with psrp unfortunately 20:40:36 <jborean93> fetch should be faster though 20:40:41 <nitzmahone> If we turn it on by default, we'll find out pretty quickly I'm sure ;) 20:40:49 <jborean93> yea that's true 20:41:20 <nitzmahone> So long as there's an opt-out, I suppose we could try on-by-default, but makes me really nervous 20:41:40 <jborean93> we shall even see if persistance even gives us better performance anyway 20:42:17 <nitzmahone> It does 20:42:29 <nitzmahone> I've prototyped it before 20:42:29 * jhawkesworth_ slightly wishes I hadn't made win_copy a thing. 20:42:49 <nitzmahone> Depending on various factors, it can give a 5-20% boost 20:42:58 <jborean93> jhawkesworth_: we've pretty much gotten to a point where win_copy is the best we can do with winrm 20:43:00 <jhawkesworth_> all speedups will be appreciated by me 20:43:16 <jborean93> probably some small tweaks here and there but nitzmahone it really pushing the limit of winrm there :) 20:43:41 <jhawkesworth_> yep its as good as it gets now 20:44:05 * nitzmahone is also curious to see how SSH performs over WInRM in side-by-side tests 20:44:19 <jborean93> from tests, standard execution was roughly the same 20:44:27 <jborean93> file copy was a way faster 20:44:36 <jhawkesworth_> I still wonder about doing a stealthy reverse win copy which starts tcp server on ansible and then basically uses win_get_url to fetch the file from the controller 20:44:55 <nitzmahone> DANGER WILL ROBINSON, DANGER! 20:45:05 <nitzmahone> ;) 20:45:07 <jhawkesworth_> yeah I know 20:45:11 <jborean93> I was toying with the idea of having a psexec_copy that uses SMB as a different module 20:45:43 <bcoca> net copy ... 20:45:59 <daBONDi> to be honnest, i never was in the need of win_copy, every normal decent windows shop, got some configuration asset server on https :D 20:46:06 <nitzmahone> --^ 20:46:11 <bcoca> or cifs 20:46:15 <jborean93> decent being the key word 20:46:18 <nitzmahone> That's the reason I think the HTTPS wedging thing is bigger than we think 20:46:45 <jborean93> bcoca: cifs/smb same thing 20:47:11 <daBONDi> @nitzmahone what is that https wedging thing ? never heard about 20:48:15 <jborean93> potentially this https://github.com/ansible/ansible/issues/41145 20:48:35 <jborean93> there's some older issues floating around somewhere as well that has more info 20:48:41 <nitzmahone> Yep, almost certainly 20:48:49 <nitzmahone> I get pingged about it on average at least once a month 20:49:03 <jborean93> but we think it's some incompatibility with OpenSSH, SChannel or something with certain ciphers 20:49:13 <nitzmahone> Sometimes it'll come up 2-3 times in a day from different folks, then I won't hear about it for months 20:49:36 <nitzmahone> But it only occurs once you've sent ~4M of data over the pipe 20:50:00 <nitzmahone> So a typical Ansible task doesn't trigger it, and since each task gets a new connection, win_copy is effectively the only trigger 20:50:14 <nitzmahone> (plus since we reuse connections on looped tasks, a big loop can hit it) 20:50:25 <daBONDi> ok i fall also over this, but thats a restriction on WinRM side and the http.sys in the backend i was thinking, so i never post it, and use win_url to fetch from http asset server from client side :-) 20:51:13 <jborean93> if you get it we should talk and exchange info 20:51:30 <jborean93> we are trying to find a way to replicate it ourselves so we can identify where the problem actually lies and find a fix 20:53:27 <daBONDi> @nitzmahone ahh now i'm having i clue why a decent Block not work, and after i split it up with include tasks it starts working! 20:54:12 <nitzmahone> :) 20:54:51 <nitzmahone> Once it happens, the control-side will almost always fail with a read timeout 20:54:59 <nitzmahone> (and it doesn't matter how long you set the timeout for) 20:55:22 <daBONDi> yes that what i was to try first, but the ps process on the server looked like it hangs 20:55:56 <jhawkesworth_> having never had it, does winrm recover on next connection or do you have to reboot or restart to get it to clear? 20:56:12 <daBONDi> i killed the hanging ps process and try again 20:56:51 <nitzmahone> The PS process may hang, but WinRM is still good 20:57:10 <daBONDi> but maybe winrm has timeout because, powershell process not return anything (Windows Threading thinks it hangs) and tell WinRM hey wi hanging around, and winrm returns timeout 20:57:13 <nitzmahone> But if you do it a bunch in a row, you can end up DoSing WinRM 20:57:31 <nitzmahone> (default maximum session limits, etc) 20:57:43 <nitzmahone> We used to struggle with this a lot when there were shutdown bugs in Ansible 20:57:59 <nitzmahone> (and when win_copy used to spawn a new WinRM session for each chunk, OMG) 20:59:10 <daBONDi> so prbly there will be no workaround, beside trying to make a pywinrm file uploade multithreaded/multisession stuff :D 20:59:14 <jhawkesworth_> that sounds like the version I made! 20:59:38 <daBONDi> cut the files in chunks, pull it over and reassamble 21:00:04 <daBONDi> let the thread always return something 21:00:04 <jhawkesworth_> sounds like rsync! 21:00:08 <daBONDi> yes 21:01:19 <daBONDi> a Powershell WinRM Rsync clone, lol quite a heavy project :D 21:01:19 <jhawkesworth_> I keep meaning to try this https://syncthing.net/ 21:01:57 <jhawkesworth_> there are some .net rsync libraries kicking around but... still sounds like something I couldn't do after work! 21:02:55 <daBONDi> the problem is that you must put the rsync stream into the winrm transport, will be quite a heavy task, if not impossible, and will it be worth it with a nearly timeframe on ssh on windows? 21:03:31 <jhawkesworth_> agreed. ssh on windows seems like a better way to spend your time 21:03:38 <nitzmahone> Regardless, the wedging thing appears to be at the http.sys level, not WinRM- the exact same traffic works fine over HTTP 21:04:25 * jhawkesworth_ wonders if connecting via ssh would also wind up using http.sys 21:04:35 <daBONDi> don't think so 21:05:14 <jhawkesworth_> you'd think it would be more likely to be based on openssl but I've not looked into it 21:05:43 <jborean93> it's a fork of openssl-portable 21:06:10 <nitzmahone> nope 21:06:15 <daBONDi> @nitzmahone maybe it has something todo with a installed IIS on the client side, and it alters the http.sys params 21:06:19 <nitzmahone> It's a usermode process 21:06:48 <nitzmahone> I don't think so- the one repro I had a few years back IIRC had no IIS installed 21:07:31 <nitzmahone> The workaround for most people has been to use (now message-encrypted) HTTP 21:08:36 <nitzmahone> I've gotten it to work/change in some cases by recompiling Python + OpenSSL + pyopenssl on the controller as well, but on the one repro I did have, it failed *very* consistently down to the byte 21:09:00 <daBONDi> i don't have a clue how depending http.sys is on aspnetcore http.sys server but there is a minSendBytesPerSecond Value, and on a File copy, the Client would not send anything back to ansible 21:09:07 <daBONDi> https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.server.httpsys.timeoutmanager?view=aspnetcore-2.1 21:11:04 <nitzmahone> I'd have to decompile it to be sure, but IIRC that class is basically just a wrapper over the http.sys registry stuff. From you experience, it sounds like that setting is global vs. per-listener 21:11:15 <nitzmahone> (as are some other things that wreak havoc like SNI support) 21:11:18 <jhawkesworth_> catch you next time everyone 21:11:31 * jhawkesworth_ afk 21:11:34 <nitzmahone> *most* http.sys config things are pretty well isolated per-listener 21:15:33 <nitzmahone> Anyway, we're over time and I'm hungry- til next week! 21:15:36 <nitzmahone> #endmeeting