19:59:15 #startmeeting Ansible Windows Working Group 19:59:15 Meeting started Tue Jul 2 19:59:15 2019 UTC. 19:59:15 This meeting is logged and archived in a public location. 19:59:15 The chair is nitzmahone. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:59:15 Useful Commands: #action #agreed #halp #info #idea #link #topic. 19:59:15 The meeting name has been set to 'ansible_windows_working_group' 19:59:24 #chair jborean93 19:59:24 Current chairs: jborean93 nitzmahone 19:59:31 too quick :) 19:59:38 o/ 19:59:39 I did it early :) 20:00:25 hey 20:00:36 howdy 20:01:04 hey 20:01:28 #topic https://github.com/ansible/community/issues/420#issuecomment-505895637 20:01:50 Multiple things, going down the list: 20:01:57 #topic AD in CI 20:02:08 right 20:02:11 heh, this is a fun one 20:02:21 possible? 20:02:27 We've poked at it before- it's technically possible, but would add an arguably unacceptable amount of time to the CI runs 20:02:36 I know nitzmahone and mattclay have been talking about it but a lot of hurdles to overcome 20:02:55 or if we have a persistent DC then it would be costly and unreliable over time 20:02:58 yep 20:03:00 any way to make a CI group taht would take longer? 20:03:14 The problem is that the workers are independent 20:03:24 for each server? 20:03:44 Sort of. Our CI does a lot of "interesting" things to prevent abuse 20:04:10 each node is independent and does not know about the other nodes. It talks to a host in AWS/Azure for the Windows tests but they also don't know about each other 20:04:11 We don't currently have the concept of a "resource server" (like a DC) 20:04:15 if there was no 60 min limit we could have a server promote to DC and the others wait for it 20:04:43 It's more complicated than that 20:04:55 it's already annoying enough to wait the 5-10 minutes for the host to come online. Adding another step would just make that worse 20:05:01 (that too) 20:05:23 But right now, the jobs are all independent, and they can be run one at a time. 20:05:37 Shippable doesn't have the concept of "this job needs this one to be running first" 20:05:37 Oh i see what you mean now 20:05:57 we could run the tests on the server locally... 20:06:02 We pay for enough concurrent nodes that *most* of the time they run together, but it's not guaranteed 20:06:15 not perfect but could at least give some testing to return values and stuff 20:06:19 That works for some things, but can actually fail and/or mask other problems 20:06:36 (and still the problem of waiting for promotion, which can take 5-10min on its own) 20:06:39 I am looking into unit tests that could help make things a bit better but mocks only get you so far 20:06:41 but doesn't it worth it for the tests it could help with? 20:07:07 like users, groups? 20:07:09 it would help but the effort/cost to get there is a bit too high right now 20:07:24 even with a DC promotion every time? 20:07:25 It's been a cost-benefit tradeoff- I agree that as we get more domain-specific modules, it's becoming more important 20:07:49 i mean, not having a single DC 24/7 but for the test 20:08:04 as part of the test 20:08:24 We'd have to dedicate at least one worker to that to have any hope of the "run everything" runs not breaking the 60min 20:08:28 still takes time to promote it but we could look at moving the AD based modules to their won group 20:08:45 but then yes we come across the issue when it inevitably goes longer than 60 minutes 20:08:52 IIRC it's even 45 minutes now 20:09:06 because 5-10 of those minutes is starting the instance 20:09:17 Self-promotion/test-against-self would be OK so long as we can keep the run for the stuff we're testing under 60min 20:09:19 then 5 is padding to make sure we don't breach the hour 20:09:41 umm, if i take the local tests cases it should stay in the limit if the tests are only the domain tests 20:09:48 @Shachaf92- if you want to experiment with it, you can do your own shippable config in a PR 20:10:07 yeah ill add it to the list of stuff to play with and ill update 20:11:11 Basically go add a new Windows worker and have a really fast domain prereq test for all the domain module targets that will self-promote if necessary and just continue if already a DC 20:12:20 Ill try it first on my own shippable i think, then come with conclusions here 20:12:48 you will probably need to use our Shippable. There's some integrations with ansible-test so it can actually create the WIndows host 20:13:14 maybe ill take the chance and learn to integrate them on the fly 20:14:16 If you are testing I would remove most of the other groups in `shippable.yml`. Would just reduce the noise as touching that file runs all tests 20:14:27 k 20:15:18 anything more for that topic? 20:15:23 nope 20:15:41 #topic https://github.com/ansible/ansible/issues/53402 use of regex options 20:15:49 Not much we can decide here for that 20:16:03 it would need to go to the wider Ansible community meetings to see what the end result is 20:16:11 it was opened a while back and haven't seen much comments there 20:16:23 typically that's just involves a group decision on the name we want and then we can go from there 20:16:33 i see 20:16:58 and meh, alias if we want 20:17:20 yea actually doing the work is fine, it's really just deciding what we want to align on 20:17:25 (so either regex or regexp will work, or decide which one's "right" and make sure it's supported everywhere 20:17:48 so should i add it to the public agenda? or just leave it be? 20:18:49 if you would like to persue it then adding it to the agenda would be great 20:18:52 You can bring it up at the big meeting if you care enough :) 20:19:05 k 20:20:01 #topic feature parity for win_stat 20:20:21 I don't see an issue with adding a get_attr flag to control whether we get those values 20:20:36 Probably wouldn't want a get_mime as I don't know of any equivalent to `file` in Windows 20:20:47 if there was then that could change my mind 20:20:47 * nitzmahone doesn't care either way- what's the reason for wanting a flag besides "stat" has it? 20:21:07 There technically is- the shell type detection does that, but I think it's deprecated 20:21:11 no file equiv. 20:21:32 most options you find online use winapi which uses extensions not content 20:22:04 do we really need teh get_attr flag? 20:22:31 Just "because the Linux module does it" isn't necessarily a great reason 20:22:33 honestly I don't think so 20:22:54 I don't know why you'd want to skip that, it's cheap 20:22:58 I have never seen any performance overhead for getting the attributes. Mainly because the object we create already have them 20:23:00 so im marking that parity as done for now 20:23:05 cool 20:23:25 #topic feature parity for win_user and win_group 20:23:34 is this parity with user/group or something else? 20:23:59 yes 20:24:28 yes for which one :) 20:24:39 both lol 20:24:43 each on its own 20:25:05 so nothing to discuss there, right? 20:25:11 for the user/group comparison if the feature makes sense on Windows then I don't see why not 20:25:23 but Windows does have things not present on linux and vice versa 20:25:44 for the something else I can't read minds so you will have to explain it some more :) 20:25:46 yep, i looked at the lists and nothing relevant that we don't have 20:26:18 oh i just figured what you meant with "which one" 20:26:41 the former in the question 20:26:57 it's late here, i'm a bit fuzzy today 20:27:03 that's ok, it's early here 20:27:10 cool so sounds like nothing else to add for that 20:27:11 it's lunchtime here :D 20:27:20 * nitzmahone looks longingly at kitchen 20:27:28 OK, agowa338, you here? 20:27:28 a full day between the three of us 20:27:32 yes 20:27:51 #topic plaintext credential fun 20:28:01 So a little background: 20:28:47 Module args are included in the archive shipped to targets 20:29:22 In the normal winrm/psrp cases where this stuff was built, it never hits the disk (due to pipelining, where we shove the content directly into powershell over stdin) 20:29:39 On connections that don't support pipelining, though (eg vmware_tools)... 20:29:50 The archive can be written to disk 20:30:09 There's been questions about whether we can support encryption 20:30:32 The short answer is "yes, it's possible", but not without a *lot* of change to the way modules execute 20:30:44 (and some architectural changes to connections) 20:31:13 We're doing some long-term work on some of that for other reasons, and it's something we've discussed before 20:31:21 I can try to include it with that work 20:31:33 But I don't think there's going to be a short-term solution here 20:31:55 There is one thing we could do to potentially mitigate the risk of a sensitive archive being recovered, though... 20:32:32 We could make a "secure_delete" option that would scrub out the file's contents before deleting the tempdir 20:32:50 It would slow down module exec on non-pipelined connections even more 20:33:34 and is not 100% secure, because of ware leveling and other low level stuff that we have no control over. 20:33:38 exactly 20:33:39 nitzmahone: i thought we had that already ...forget name 20:33:56 bcoca: not that I'm aware of 20:34:06 might be python only 'shred' iirc 20:34:15 Yeah, shred is a Linux thing 20:34:18 i remember updating shred_file 20:34:25 * nitzmahone looks 20:34:33 wasn't that a proposed state to file? 20:34:44 ah yeah, I do recall that 20:35:15 But IIRC it had nothing to do with, eg, "securely" cleaning up after non-pipelined exec 20:35:30 `remove` in the shell plugin doesn't have a shred like kwarg 20:35:30 vault does it 20:35:42 just calls `rm -rf` 20:36:10 vault _shred_file_custom 20:36:55 but anyway it sounds like we could add a shred function to the shell plugin but there's no guarantee that will actually "shred" the file 20:37:21 Exactly 20:37:23 adding encryption to the payload would require some deeper changes in the module common loader but hard to tell what without really implementing it 20:37:37 then we have the problem is sharing the secret to decrypt it 20:37:46 yep, that's the bigger problem 20:37:57 I think there is no need for shred, as it is not guaranteed to work anyway. We should focus on only writing the file encrypted to disk. 20:38:02 the easiest option would be for an individual connection plugin to implement something right now but that doesn't help Ansible overall 20:38:28 Can't even do it connection level 20:38:51 the secred could be shared by parameter to the executed program, so it would not end up on disk and vanish after execution. 20:39:04 The connection primitives are too low level- how would you tell the diff between a module that needs encryption and a data file being sent for like win_copy 20:39:12 ahh because we copy the file separately 20:39:25 Parameter secrets aren't secret- just moves the problem around 20:39:45 Like I said, there's *not* a quick and easy solution here that I can see 20:40:01 parameters don't end up on disk, they are only in memory. 20:40:28 and on the command line while the module's running, which means they're visible to anyone on the machine, and also logged 20:40:36 I agree, it is neither quick nor easy. But it is the most covering solution I can think of. 20:41:01 It's probably not going to happen anytime soon, since the "supported" combo is pipelined 20:41:30 but what is the fallback if pipelining is not supported? 20:41:49 I'm more for a good than a fast solution. 20:42:29 The current behavior. We can include the request in the next-gen-connection/module research that's going on, where it should be much easier to accommodate, but there's not a robust or generic way to implement it on the current connection stack 20:43:23 +1 20:44:04 you could also Pester VMWare to include an stdin option to their API 20:44:15 but I can only imagine how that would go 20:44:19 heh 20:44:36 #topic https://github.com/ansible/ansible/pull/58383 20:44:46 (win_domain_user idem password support) 20:45:35 This one should be quick, can someone review this change? I just saw that I have to rebase it again, so maybe skip it for now? 20:45:36 I need to have a closer look but I think we can remove some of the work you've done to hide the password 20:45:52 but I'll have a look at this sometime today 20:46:07 Yeah, MS has basically declared SecureString dead 20:46:26 they've actually ressurected it for PSv7 20:46:30 (and kinda pointless considering how it got there) 20:46:35 does plaintext though so not secure on Linux 20:46:38 ... did they actually implement it? 20:46:52 Yeah, I thought it wasn't even secure on Windows in PS Core 20:46:53 not yet, not sure if they are planning anything before v7 is officially out though 20:47:21 PSCore on Windows is fine, it uses the same codebase as PS Desktop 20:47:22 regardless, it's passed through a dozen places already 20:47:36 yep I think we can just simplify it back to how it was before 20:48:10 anyway to tell the linter to always ignore that rule? 20:48:16 it should already be 20:48:30 ok, I'll reverte the change. 20:48:38 Also, dunno if we want to move the validation into one of the other existing module_utils rather than inlining the PInvoke stuff 20:48:38 https://github.com/ansible/ansible/blob/devel/test/sanity/pslint/settings.psd1#L6 20:49:03 potentially, I didn't for win_user because only that used it 20:49:18 oh then we can remove those from teh ignore.txt 20:49:46 it might actually be missing one 20:49:55 I think the use PSCredential as parameter one 20:50:01 which yes we should probably ignore 20:50:27 Ah didn't realize that was just copypasted from win_user - definitely don't want to duplicate that 20:50:51 it's slightly different in win_user 20:50:59 that just takes in a string for username/password 20:51:05 nitzmahone: not fully c'n'p ed, but mostly yea ;-) 20:51:38 and if you're zapping the securestring stuff, it *can* be the same, yeah? 20:52:05 should be fine 20:52:09 mostly, except for the pass domain. 20:53:12 https://github.com/ansible/ansible/pull/58383/files#diff-a814da53b65fce105cb5fb909b79b267R52 20:53:15 cool, feel free to ping me when you are ready for the review 20:53:34 #topic https://github.com/ansible/ansible/pull/57577 20:53:59 any question for this one or just asking for a review? 20:54:00 I'd suggest keeping the IPv4 and IPv6 values separated 20:54:29 also just asking for review. And the other ones also just review. 20:55:19 windows does not keep them separate, it causes issues if we do, as we would have to fetch the ipv6 values when setting the ipv4 values and set them together. 20:55:41 IIRC, Windows does, but the PS cmdlets don't 20:56:39 yeah in the OS it's diffrent 20:56:54 diffreant 20:57:09 differeant 20:57:16 but as we use the powershell api, we're limited there, or not? 20:57:19 IIRC it's pretty easy to split them out though- they come back as different types 20:58:22 https://www.irccloud.com/pastebin/gAiN980L/ 20:58:58 They come back tagged by type, and IIRC the actual address values are also of different types 20:59:24 So you'd combine on the set 20:59:25 but try to set them, you have to pass in both ipv4 and ipv6 ones, ... 20:59:37 which should be fine? 21:00:24 I don't know. I kinda prefer not differentiating between IPv4 and IPv6 though. 21:00:56 powershell wise, unless you talk about address validation there is no difference 21:01:05 The existing module UI already does, so that die has sorta been cast 21:01:48 the current module also accepts ipv6 addresses in the ipv4 value... But only partly and silently errors out... 21:02:03 as reported by others 21:02:26 personally im +1 to merging and making it work with both in the same list 21:03:28 I honestly don't know enough about this module to really make a decision sorry 21:04:26 but considering the addresses are set in different areas in the GUI I would be more inclined to have them as separate arguments 21:05:31 Did you test on 2008/R2? I remember there was a non-PS WMI hack I had to do, but can't remember if that layer treats them separately for setting or not 21:05:34 maybe the common ground is the module have it as a single array but accept both ipv2 and ipv4 paramters and a dns_servers one 21:06:38 I don't have really strong feelings- I also don't remember offhand if I coded in support for preserving IPv6 DNS servers or not- if I *did*, that could be an (admittedly small) problem... 21:06:50 Like this? https://github.com/ansible/ansible/pull/57577/files#diff-7eddb99b86d85d31f8b675dc31bae170R32 21:07:30 IPv6 dns is preserved in the current module. 21:07:49 at least the one learned from router broadcasts... 21:07:53 Nah, I just meant if I preserved existing ipv6 addresses that were set- it doesn't look like I did 21:08:15 (eg it would blow them away today, so that problem doesn't get worse) 21:08:51 does it? I had problems with it not removing them. But as I said they were broadcasted by the router... 21:09:01 Yeah, I'm talking about manually set 21:09:21 Ok, have not tested that. 21:09:39 The "reset" case could be interesting too though, if for some reason v6 and v4 needed different behaviors 21:10:05 what do you mean with different? 21:10:23 in the current impl can you say remove IPv4 DNS IPs but keep IPv6 ones? 21:10:27 * jborean93 is that even valid 21:11:15 No 21:11:22 Powershell doesn't appear to support that (just a single "-ResetServerAddresses" arg), but the UI does 21:12:06 you need to hack around that by get-ing the values and setting them in the same call as you specify -ResetServerAddresses... 21:14:30 Well anyway, I don't have really strong feelings, so if others want to merge them together and change it up too, WFM 21:15:08 I can't think of a case where it's really problematic to do so 21:16:23 We're about 15min over time, shall we punt the rest to next week? 21:16:32 looks like we are out of time, most of the remaining items looks like reviews so I'm good to go 21:17:00 OK- thanks for all the discussion... Til next week! 21:17:00 yes, we could put that onto the list for the next meeting. 21:17:10 thanks all 21:17:13 #endmeeting