How do I set the Execution-Policy to RemoteSigned in Ansible?
I have an Ansible role that executes a PowerShell script. I do it like this:
- name: Set the execution policy to Unrestricted first
  win_shell: Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine -Force
  tags: always
- name: Start the services
  win_shell: C:\Users\Administrator\Desktop\Start_Services.ps1
  args:
    chdir: C:\Users\Administrator\Desktop\
  when: exa_services_state == "started"
  tags: always
- name: Stop the services
  win_shell: C:\Users\Administrator\Desktop\Stop_Services.ps1
  args:
    chdir: C:\Users\Administrator\Desktop\
  when: exa_services_state == "stopped"
  tags: always
- name: Set the execution policy to RemoteSigned
  win_shell: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
  tags: always
But when the last task executes, I get the following:
fatal: [10.227.26.97]: FAILED! => {"changed": true, "cmd": "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force", "delta": "0:00:00.640619", "end": "2022-03-04 05:33:29.496843", "msg": "non-zero return code", "rc": 1, "start": "2022-03-04 05:33:28.856224", "stderr": "Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by \r\na policy defined at a more specific scope. Due to the override, your shell will retain its current effective \r\nexecution policy of Unrestricted. Type \"Get-ExecutionPolicy -List\" to view your execution policy settings. For more \r\ninformation please see \"Get-Help Set-ExecutionPolicy\".\r\nAt line:1 char:65\r\n+ ... ing $false; Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException\r\n + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand", "stderr_lines": ["Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by ", "a policy defined at a more specific scope. Due to the override, your shell will retain its current effective ", "execution policy of Unrestricted. Type \"Get-ExecutionPolicy -List\" to view your execution policy settings. For more ", "information please see \"Get-Help Set-ExecutionPolicy\".", "At line:1 char:65", "+ ... ing $false; Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope ...", "+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~", " + CategoryInfo : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException", " + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand"], "stdout": "", "stdout_lines": []}
If I log on to the node and run Get-ExecutionPolicy, I see:
PS: C:\Users\myuser>Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine RemoteSigned
How can I avoid that error? Thanks!
Your command actually succeeded(!) in principle, as evidenced by the wording of the error message.

If all you want to do is to set the local-machine policy for future sessions, you can simply ignore the error, by enclosing the statement in try / catch; also note the trailing ; exit 0 so as to ensure that exit code 0 is reported back to Ansible:

Note: If you're confident that you're running with elevation (which setting the machine policy requires), an empty catch block, as above, is probably sufficient.

A robust solution requires a bit more work:

This selectively ignores the anticipated error while re-throwing any others.

As an aside: It is unfortunate that the situation described by the error message, explained below, is surfaced as an error, let alone as a (statement)-terminating one. This is discussed in GitHub issue #12032, but a decision was made to retain this behavior for the sake of backward compatibility.

What the message is trying to tell you is that your execution policy will not take effect - in your case in the current session - because it is preempted by a less restrictive policy in a scope with higher precedence - see the conceptual about_Execution_Policies help topic.

Unfortunately, the error is also triggered for ad hoc, process-specific overrides (the Process scope), via the powershell.exe CLI's -ExecutionPolicy parameter, so that a command such as the following triggers it:

That is, the session in which the Set-ExecutionPolicy command executes has a process-specific execution policy of Bypass, and because the Process scope has higher precedence than the CurrentUser scope, and because the Bypass policy is less restrictive than RemoteSigned, the error occurs.

Technically, in that specific session itself the Set-ExecutionPolicy doesn't take effect (because the process-specific Bypass overrides it), but it will in future sessions (unless overridden again) - and if the sole intent of the CLI call was to set the persistent execution policy for future sessions, the error is nothing but a confusing annoyance.

I presume you're seeing this error because Ansible is using powershell -ExecutionPolicy Bypass (or Unrestricted) behind the scenes when it processes win_shell commands.
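An added example, not part of the answer above, of the selective try/catch approach it describes, written into the asker's final win_shell task: the expected override error is recognised by the FullyQualifiedErrorId visible in the question's stderr and ignored, any other error is re-thrown so the task still fails, and the persisted LocalMachine policy is verified before returning exit code 0.

```yaml
- name: Set the execution policy to RemoteSigned for future sessions
  win_shell: |
    try {
      Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
    } catch {
      # Ansible runs win_shell under a process-scope policy (Bypass/Unrestricted)
      # that outranks LocalMachine in *this* session only; the persistent value
      # was still written, so this one error id is the anticipated, harmless case.
      $expected = 'ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand'
      if ($_.FullyQualifiedErrorId -ne $expected) {
        # Anything else (e.g. no elevation, registry write failure) is a real failure.
        throw
      }
    }
    # Do not trust the exit code alone: confirm the LocalMachine scope was persisted.
    $persisted = Get-ExecutionPolicy -Scope LocalMachine
    if ($persisted -ne 'RemoteSigned') {
      throw "LocalMachine execution policy is '$persisted', expected 'RemoteSigned'"
    }
    exit 0
  tags: always
```

The check at the end mirrors the `Get-ExecutionPolicy -List` output in the question: the LocalMachine row is what must read RemoteSigned, while the Process row only reflects Ansible's temporary override.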