Ansible中如何设置Execution-Policy为RemoteSigned?
In Ansible, how to set Execution-Policy to RemoteSigned?
我有一个执行 Powershell 脚本的 Ansible 角色。我这样做
- name: Set the execution policy to Unrestricted first
win_shell: Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine -Force
tags: always
- name: Start the services
win_shell: C:\Users\Administrator\Desktop\Start_Services.ps1
args:
chdir: C:\Users\Administrator\Desktop\
when: exa_services_state == "started"
tags: always
- name: Stop the services
win_shell: C:\Users\Administrator\Desktop\Stop_Services.ps1
args:
chdir: C:\Users\Administrator\Desktop\
when: exa_services_state == "stopped"
tags: always
- name: Set the execution policy to RemoteSigned
win_shell: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
tags: always
然而,当最后一个任务执行时,我得到以下信息
fatal: [10.227.26.97]: FAILED! => {"changed": true, "cmd": "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force", "delta": "0:00:00.640619", "end": "2022-03-04 05:33:29.496843", "msg": "non-zero return code", "rc": 1, "start": "2022-03-04 05:33:28.856224", "stderr": "Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by \r\na policy defined at a more specific scope. Due to the override, your shell will retain its current effective \r\nexecution policy of Unrestricted. Type \"Get-ExecutionPolicy -List\" to view your execution policy settings. For more \r\ninformation please see \"Get-Help Set-ExecutionPolicy\".\r\nAt line:1 char:65\r\n+ ... ing $false; Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException\r\n + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand", "stderr_lines": ["Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by ", "a policy defined at a more specific scope. Due to the override, your shell will retain its current effective ", "execution policy of Unrestricted. Type \"Get-ExecutionPolicy -List\" to view your execution policy settings. For more ", "information please see \"Get-Help Set-ExecutionPolicy\".", "At line:1 char:65", "+ ... ing $false; Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope ...", "+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~", " + CategoryInfo : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException", " + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand"], "stdout": "", "stdout_lines": []}
如果我在节点上执行 Get-ExecutionPolicy 我会看到
PS: C:\Users\myuser>Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine RemoteSigned
如何避免错误?谢谢!
原则上,您的命令实际上成功了(!),错误消息的措辞证明了这一点。
如果您只想为未来的会话设置local-machine策略,您只需忽略错误,通过将语句包含在 try / catch 中;还要注意尾随 ; exit 0 以确保将退出代码 0 报告回 Ansible:
win_shell: try { Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force } catch { }; exit 0
注意:如果您确信自己处于 运行 提升(设置 machine 策略需要),一个空的 catch 块,如上所述,可能就足够了。
一个强大的解决方案需要更多的工作:
win_shell: try { Set-ExecutionPolicy -Scope LocalMachine allSigned -force } catch { if ($_.FullyQualifiedErrorId -ne 'ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand') { throw } }; exit 0
这会选择性地忽略预期的错误,而 re-throwing 任何其他错误。
顺便说一句:不幸的是,下面解释的错误消息所描述的情况显示为 error,更不用说(语句)-终止一个。 GitHub issue #12032 中对此进行了讨论,但为了向后兼容,决定保留此行为。
该消息试图告诉您的是您的执行策略不会生效 - 在您的情况下 在当前会话 - 因为它被 较少限制 具有 更高优先级 范围内的策略 - 请参阅概念性 about_Execution_Policies 帮助主题。
不幸的是,临时、process-specific 覆盖(Process 范围),通过 powershell.exe CLI 的 -ExecutionPolicy 参数,以便如下命令触发它:
powershell -ExecutionPolicy Bypass -c Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
也就是说,执行 Set-ExecutionPolicy 命令的会话具有 process-specific 的 Bypass 执行策略,并且因为 Process 范围比 CurrentUser 范围具有更高的优先级,并且由于 Bypass 策略比 RemoteSigned 的限制更少,因此发生错误。
从技术上讲,在该特定会话本身 中 Set-ExecutionPolicy 不会生效(因为 process-specific Bypass 会覆盖它),但它将在 未来 会话中(除非再次覆盖)- 如果 CLI 调用的唯一目的是为 persistent 设置执行策略=56=]future sessions,这个错误只不过是一个令人困惑的烦恼。
我假设您看到此错误是因为 Ansible 在处理 win_shell 命令时在幕后使用 powershell -ExecutionPolicy Bypass(或 Unrestricted)。
我有一个执行 Powershell 脚本的 Ansible 角色。我这样做
- name: Set the execution policy to Unrestricted first
win_shell: Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine -Force
tags: always
- name: Start the services
win_shell: C:\Users\Administrator\Desktop\Start_Services.ps1
args:
chdir: C:\Users\Administrator\Desktop\
when: exa_services_state == "started"
tags: always
- name: Stop the services
win_shell: C:\Users\Administrator\Desktop\Stop_Services.ps1
args:
chdir: C:\Users\Administrator\Desktop\
when: exa_services_state == "stopped"
tags: always
- name: Set the execution policy to RemoteSigned
win_shell: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
tags: always
然而,当最后一个任务执行时,我得到以下信息
fatal: [10.227.26.97]: FAILED! => {"changed": true, "cmd": "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force", "delta": "0:00:00.640619", "end": "2022-03-04 05:33:29.496843", "msg": "non-zero return code", "rc": 1, "start": "2022-03-04 05:33:28.856224", "stderr": "Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by \r\na policy defined at a more specific scope. Due to the override, your shell will retain its current effective \r\nexecution policy of Unrestricted. Type \"Get-ExecutionPolicy -List\" to view your execution policy settings. For more \r\ninformation please see \"Get-Help Set-ExecutionPolicy\".\r\nAt line:1 char:65\r\n+ ... ing $false; Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException\r\n + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand", "stderr_lines": ["Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by ", "a policy defined at a more specific scope. Due to the override, your shell will retain its current effective ", "execution policy of Unrestricted. Type \"Get-ExecutionPolicy -List\" to view your execution policy settings. For more ", "information please see \"Get-Help Set-ExecutionPolicy\".", "At line:1 char:65", "+ ... ing $false; Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope ...", "+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~", " + CategoryInfo : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException", " + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand"], "stdout": "", "stdout_lines": []}
如果我在节点上执行 Get-ExecutionPolicy 我会看到
PS: C:\Users\myuser>Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine RemoteSigned
如何避免错误?谢谢!
原则上,您的命令实际上成功了(!),错误消息的措辞证明了这一点。
如果您只想为未来的会话设置local-machine策略,您只需忽略错误,通过将语句包含在 try / catch 中;还要注意尾随 ; exit 0 以确保将退出代码 0 报告回 Ansible:
win_shell: try { Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force } catch { }; exit 0
注意:如果您确信自己处于 运行 提升(设置 machine 策略需要),一个空的 catch 块,如上所述,可能就足够了。
一个强大的解决方案需要更多的工作:
win_shell: try { Set-ExecutionPolicy -Scope LocalMachine allSigned -force } catch { if ($_.FullyQualifiedErrorId -ne 'ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand') { throw } }; exit 0
这会选择性地忽略预期的错误,而 re-throwing 任何其他错误。
顺便说一句:不幸的是,下面解释的错误消息所描述的情况显示为 error,更不用说(语句)-终止一个。 GitHub issue #12032 中对此进行了讨论,但为了向后兼容,决定保留此行为。
该消息试图告诉您的是您的执行策略不会生效 - 在您的情况下 在当前会话 - 因为它被 较少限制 具有 更高优先级 范围内的策略 - 请参阅概念性 about_Execution_Policies 帮助主题。
不幸的是,临时、process-specific 覆盖(Process 范围),通过 powershell.exe CLI 的 -ExecutionPolicy 参数,以便如下命令触发它:
powershell -ExecutionPolicy Bypass -c Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
也就是说,执行 Set-ExecutionPolicy 命令的会话具有 process-specific 的 Bypass 执行策略,并且因为 Process 范围比 CurrentUser 范围具有更高的优先级,并且由于 Bypass 策略比 RemoteSigned 的限制更少,因此发生错误。
从技术上讲,在该特定会话本身 中 Set-ExecutionPolicy 不会生效(因为 process-specific Bypass 会覆盖它),但它将在 未来 会话中(除非再次覆盖)- 如果 CLI 调用的唯一目的是为 persistent 设置执行策略=56=]future sessions,这个错误只不过是一个令人困惑的烦恼。
我假设您看到此错误是因为 Ansible 在处理 win_shell 命令时在幕后使用 powershell -ExecutionPolicy Bypass(或 Unrestricted)。