diff --git a/.gitignore b/.gitignore index ce5474d..a59093a 100644 --- a/.gitignore +++ b/.gitignore @@ -11,6 +11,9 @@ Vagrantfile hosts-* *.retry +# Galaxy files +roles/jborean.* + # Temp Packer files 2008-x86/ 2008-x64/ @@ -18,6 +21,7 @@ hosts-* 2012 2012r2/ 2016/ +2019/ 1709/ 1803/ 10-x86/ diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b8ccb3..c4632b5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,16 @@ changelog entries to `roles/packer-setup/vars/main.yml` to modify this file_ This is the changelog of each image version uploaded to the Vagrant Cloud. It contains a list of changes that each incorporate. +### v0.6.0 - TBD + +* Fix logic when setting the `LocalAccountTokenFilterPolicy` value when setting up the WinRM listener +* Added ability to override the base Chocolatey packages that are installed with the image, use the `opt_package_setup_packages` variable with `-e` when generating the template to configure +* Moved away from custom role to install the Win32-OpenSSH components, now using the [jborean93.win_openssh](https://galaxy.ansible.com/jborean93/win_openssh) role +* Updated OpenSSH version [7.9.0.0p1-Beta](https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v7.9.0.0p1-Beta) +* Installed the [virtio-network](https://stg.fedoraproject.org/wiki/Windows_Virtio_Drivers) driver on VirtualBox images +* 2016 + * Changed the default Windows Explorer window to show `This PC` instead of `Quick access` + ### v0.5.0 - 2018-08-08 * Disabled automatic Windows Update to eliminate post-startup thrash on older images - https://github.com/jborean93/packer-windoze/issues/10 diff --git a/README.md b/README.md index 8c8517f..5730025 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,9 @@ ansible-playbook packer-setup.yml -e man_packer_setup_host_type= # see below what can be used for but to create the Packer files for a Server 2012 R2 image run ansible-playbook packer-setup.yml -e man_packer_setup_host_type=2012r2 +# specify custom Chocolatey packages to install instead of vim and sysinternals on the image +ansible-playbook packer-setup.yml -e opt_packer_setup_packages='["pstools", "notepadplusplus"]' + # when running on Windows, you can run this from PowerShell like bash.exe -ic "ansible-playbook packer-setup.yml -e man_packer_setup_host_type=2012r2 -e opt_packer_setup_builder=hyperv" ``` @@ -127,7 +130,14 @@ You can set the host type to the following values * `2012`: Windows Server 2012 Standard * `2012r2`: Windows Server 2012 R2 Standard * `2016`: Windows Server 2016 Standard -* `1709`: Windows Server Build 1709 Standard (Requires ISO to be manually downloaded) + +The following host types can also be used but it requires the ISO to be +manually downloaded and set with `opt_packager_setup_iso_path`. Microsoft does +not offer evaluation ISOs for these builds so it won't be part of the public +facing images + +* `1709`: Windows Server Build 1709 Standard +* `1803`: Windows Server Build 1803 Standard #### Optional Variables @@ -141,6 +151,7 @@ change the way Packer builds the images in the next step; * `opt_packer_setup_password`: (Default: `vagrant`) The password for `opt_packer_setup_username`, this password is also set for the builtin Administrator account even though it is disabled in the image. * `opt_packer_setup_product_key`: The product key to use when installing Windows, do not set this unless you know what you are doing. * `opt_packer_setup_hyperv_switch`: (Default: `packer-windoze`) The name of the Hyper-V switch to create. There shouldn't be a need to change this unless you know what you're doing. +* `opt_packer_setup_packages`: (Default: `vim`, `sysinternals`) Override the default Chocolatey packages that are installed on each image. This should be a list of valid Chocolatey package names that are packes to the `win_chocolatey` module, see the examples for more details. To add a post-processor to upload to Vagrant Cloud, add in the following 3 variables; diff --git a/main.yml b/main.yml index 3744467..7c0fb08 100644 --- a/main.yml +++ b/main.yml @@ -15,6 +15,7 @@ - man_is_longhorn is defined - man_packer_windoze_version is defined - man_skip_feature_removal is defined + - man_personalize_choco_packages is defined - name: make sure the WinRM service is set to auto win_service: @@ -24,8 +25,11 @@ roles: - update - personalise - - openssh - #- cleanup-win10 + - role: jborean93.win_openssh + opt_openssh_firewall_profiles: domain,private,public + opt_openssh_skip_start: True + opt_openssh_version: v7.9.0.0p1-Beta + when: not man_is_longhorn - cleanup-winsxs - cleanup-features - cleanup diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..4d614a2 --- /dev/null +++ b/requirements.yml @@ -0,0 +1 @@ +- src: jborean93.win_openssh diff --git a/roles/cleanup-winsxs/tasks/main.yml b/roles/cleanup-winsxs/tasks/main.yml index 106ac99..6d8779b 100644 --- a/roles/cleanup-winsxs/tasks/main.yml +++ b/roles/cleanup-winsxs/tasks/main.yml @@ -48,7 +48,7 @@ - name: setup and run cleanmgr if DISM reset base wasn't supported or cleanmgr is available include_tasks: cleanmgr.yml - when: pri_cleanup_winsxs_dism_supported.stdout_lines[0] == "false" or pri_cleanup_winsxs_cleanmgr_available.stat.exists == True + when: pri_cleanup_winsxs_dism_supported.stdout_lines[0] == "false" and pri_cleanup_winsxs_cleanmgr_available.stat.exists == True - name: check if the SoftwareDistribution folder exists win_stat: diff --git a/roles/cleanup/tasks/main.yml b/roles/cleanup/tasks/main.yml index 893270d..629e708 100644 --- a/roles/cleanup/tasks/main.yml +++ b/roles/cleanup/tasks/main.yml @@ -45,26 +45,3 @@ - name: defrag C with legacy exe win_command: 'Defrag.exe C:' when: pri_cleanup_defrag_cmdlet.rc != 0 - -- name: 0 out empty space for later compression - win_shell: | - $path = "C:\zero" - $volume = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='C:'" - $block_size = 64kb - $leftover_size = $volume.Size * 0.05 - $file_size = $volume.FreeSpace - $leftover_size - $data_array = New-Object -TypeName byte[]($block_size) - - $stream = [System.IO.File]::OpenWrite($path) - try { - $current_file_size = 0 - while ($current_file_size -lt $file_size) { - $stream.Write($data_array, 0, $data_array.Length) - $current_file_size += $data_array.Length - } - } finally { - if ($stream) { - $stream.Close() - } - } - Remove-Item -Path $path -Force | Out-Null diff --git a/roles/openssh/tasks/main.yml b/roles/openssh/tasks/main.yml deleted file mode 100644 index 6f90900..0000000 --- a/roles/openssh/tasks/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- name: setup Win32-OpenSSH on all hosts but Server 2008 - include_tasks: setup.yml - when: not man_is_longhorn diff --git a/roles/openssh/tasks/setup.yml b/roles/openssh/tasks/setup.yml deleted file mode 100644 index 094aeaf..0000000 --- a/roles/openssh/tasks/setup.yml +++ /dev/null @@ -1,63 +0,0 @@ -# While this install the OpenSSH service more work needs to be done to set up -# the host keys, this is done after sysprep and not in the role ---- -- name: set openssh version to install - set_fact: - pri_openssh_version: v7.7.2.0p1-Beta - -- name: set install path for 64 bit Windows - set_fact: - pri_openssh_install_path: C:\Program Files\OpenSSH-Win64 - when: man_host_architecture == 'amd64' - -- name: set install path for 32 bit Windows - set_fact: - pri_openssh_install_path: C:\Program Files\OpenSSH-Win32 - when: man_host_architecture == 'x86' - -- name: check if OpenSSH has been downloaded and extracted - win_stat: - path: '{{pri_openssh_install_path}}' - register: pri_openssh_folder - -- block: - - name: download Win32-OpenSSH {{pri_openssh_version}} from GitHub - x64 - win_get_url: - url: https://github.com/PowerShell/Win32-OpenSSH/releases/download/{{pri_openssh_version}}/OpenSSH-Win64.zip - dest: C:\temp\OpenSSH-Win.zip - when: man_host_architecture == 'amd64' - - - name: download Win32-OpenSSH {{pri_openssh_version}} from GitHub - x86 - win_get_url: - url: https://github.com/PowerShell/Win32-OpenSSH/releases/download/{{pri_openssh_version}}/OpenSSH-Win32.zip - dest: C:\temp\OpenSSH-Win.zip - when: man_host_architecture == 'x86' - - - name: extract the Win32-OpenSSH folder - win_unzip: - src: C:\temp\OpenSSH-Win.zip - dest: C:\Program Files - when: pri_openssh_folder.stat.exists == False - -- name: check if the sshd and ssh-agent services are installed - win_service: - name: '{{item}}' - register: pri_openssh_service - changed_when: pri_openssh_service.exists == False # we want to register a change for the steps below - loop: - - sshd - - ssh-agent - -- name: install the sshd and ssh-agent service - win_command: powershell.exe -ExecutionPolicy ByPass -File "{{pri_openssh_install_path}}\install-sshd.ps1" - when: pri_openssh_service is changed - -- name: open port 22 for inbound SSH connections - win_firewall_rule: - name: Win32-OpenSSH inbound - protocol: tcp - localport: 22 - direction: in - action: allow - state: present - enabled: yes diff --git a/roles/packer-setup/tasks/main.yml b/roles/packer-setup/tasks/main.yml index 4af8d19..a25c010 100644 --- a/roles/packer-setup/tasks/main.yml +++ b/roles/packer-setup/tasks/main.yml @@ -4,12 +4,17 @@ that: - man_packer_setup_host_type is defined +- name: ensure Galaxy requirements have been downloaded + command: ansible-galaxy install -r requirements.yml -p roles + args: + chdir: '{{ playbook_dir }}' + - name: check that the host type specified is valid fail: msg: man_packer_setup_host_type {{man_packer_setup_host_type}} is not a valid host type, expecting {{pri_packer_setup_host_config.keys()}} when: pri_packer_setup_host_config[man_packer_setup_host_type] is not defined -- name: verify that a non support Hyper-V configuration isn't set +- name: verify that a non supported Hyper-V configuration isn't set fail: msg: man_packer_setup_host_type {{man_packer_setup_host_type}} is not supported with the Hyper-V builder when: opt_packer_setup_builder == 'hyperv' and man_packer_setup_host_type in ["2008-x86", "2008-x64"] @@ -29,6 +34,12 @@ include_tasks: download_extract_iso.yml when: pri_packer_setup_config.iso_url.endswith('.exe') and opt_packer_setup_iso_path is not defined +- name: download Virtio ISO for VirtualBox build + get_url: + url: https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso + dest: '{{man_packer_setup_host_type}}/virtio.iso' + when: opt_packer_setup_builder == 'virtualbox' + - name: create Hyper-V External Network switch block: - name: check if the swtch already exists diff --git a/roles/packer-setup/templates/bootstrap.ps1.j2 b/roles/packer-setup/templates/bootstrap.ps1.j2 index dccb23f..defc5fd 100644 --- a/roles/packer-setup/templates/bootstrap.ps1.j2 +++ b/roles/packer-setup/templates/bootstrap.ps1.j2 @@ -35,7 +35,7 @@ Function Run-Process($executable, $arguments) { $psi.Arguments = $arguments Write-Log -message "starting new process '$executable $arguments'" $process.Start() | Out-Null - + $process.WaitForExit() | Out-Null $exit_code = $process.ExitCode Write-Log -message "process completed with exit code '$exit_code'" @@ -72,6 +72,15 @@ Function Extract-Zip($zip, $dest) { } } +Function Get-NetKVMDriverPath { + $drive = (Get-PSDrive -PSProvider FileSystem).Name | Where-Object { Test-Path -LiteralPath "$($_):\NetKVM" } + + $host_key = "{{ pri_packer_setup_config.driver_host_string }}" + $architecture = $env:PROCESSOR_ARCHITECTURE + $inf_path = "$($drive):\NetKVM\$host_key\$architecture\netkvm.inf" + return $inf_path +} + $action = $args[0] if (-not (Test-Path -Path $tmp_dir)) { New-Item -Path $tmp_dir -ItemType Directory | Out-Null @@ -89,6 +98,13 @@ $bootstrap_actions = @( arguments = "{{action.arguments|default("/quiet /norestart")}}" }, {% endfor %} +{% if opt_packer_setup_builder == 'virtualbox' %} + @{ + name = "Red Hat Virtio Network Driver" + path = Get-NetKVMDriverPath + action = "driver" + }, +{% endif %} @{ name = "Configure WinRM" action = "winrm" @@ -161,6 +177,60 @@ for ($i = 0; $i -lt $actions.Count; $i++) { throw $error_message } } + "driver" { + Write-Log -message "Installing driver $($current_action.name)" + Add-Type -TypeDefinition @' +using System; +using System.Runtime.InteropServices; + +namespace PackerWindoze +{ + public class NativeMethods + { + [DllImport("Newdev.dll", SetLastError = true, CharSet = CharSet.Unicode)] + public static extern bool DiInstallDriverW( + IntPtr hwndParent, + string InfPath, + UInt32 Flags, + out bool NeedReboot); + } +} +'@ + + $sys_path = Get-ChildItem -Path (Split-Path -Path $current_action.path -Parent) -Filter "*.sys" -File + $driver_cert = (Get-AuthenticodeSignature -LiteralPath $sys_path.FullName).SignerCertificate + + $trusted_certs = (Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher).Thumbprint + if ($driver_cert.Thumbprint -notin $trusted_certs) { + Write-Log -message "Certificate $($driver_cert.Thumbprint) not in TrustedPublisher store" + $store_name = [System.Security.Cryptography.X509Certificates.StoreName]::TrustedPublisher + $store_location = [System.Security.Cryptography.X509Certificates.Storelocation]::LocalMachine + + $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $store_name, $store_location + $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite) + try { + $store.Add($driver_cert) + } finally { + $store.Dispose() + } + } + + $needs_reboot = $false + $res = [PackerWindoze.NativeMethods]::DiInstallDriverW([IntPtr]::Zero, $current_action.path, 0, [ref]$needs_reboot) + if (-not $res) { + $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() + try { + throw [System.ComponentModel.Win32Exception]$err + } catch [System.ComponentModel.Win32Exception] { + $error_msg = "failed to install driver $($current_action.name) - {0} (Win32 Error Code {1} - 0x{1:X8})" -f $_.Exception.Message, $err + } + Write-Log -message $error_message -level "ERROR" + throw $error_message + } + if ($needs_reboot) { + Reboot-AndResume -action $next_action.name + } + } "winrm" { Write-Log -message "configuring WinRM listener to work over 5985 with Basic auth" &winrm.cmd quickconfig -q @@ -176,7 +246,7 @@ for ($i = 0; $i -lt $actions.Count; $i++) { throw $error_message } } - + Write-Log -message "enabling RDP" $rdp_wmi = Get-CimInstance -ClassName Win32_TerminalServiceSetting -Namespace root\CIMV2\TerminalServices $rdp_enable = $rdp_wmi | Invoke-CimMethod -MethodName SetAllowTSConnections -Arguments @{ AllowTSConnections = 1; ModifyFirewallException = 1 } @@ -185,7 +255,7 @@ for ($i = 0; $i -lt $actions.Count; $i++) { Write-Log -message $error_message -level "ERROR" throw $error_message } - + Write-Log -message "enabling NLA authentication for RDP" $nla_wmi = Get-CimInstance -ClassName Win32_TSGeneralSetting -Namespace root\CIMV2\TerminalServices $nla_wmi | Invoke-CimMethod -MethodName SetUserAuthenticationRequired -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null @@ -199,4 +269,4 @@ for ($i = 0; $i -lt $actions.Count; $i++) { } } -Write-Log -message "bootstrap.ps1 complete" \ No newline at end of file +Write-Log -message "bootstrap.ps1 complete" diff --git a/roles/packer-setup/templates/hosts.ini.j2 b/roles/packer-setup/templates/hosts.ini.j2 index 20bc0af..d75fb11 100644 --- a/roles/packer-setup/templates/hosts.ini.j2 +++ b/roles/packer-setup/templates/hosts.ini.j2 @@ -16,3 +16,4 @@ man_host_architecture={{pri_packer_setup_config.architecture}} man_is_longhorn={{pri_packer_setup_config.answer_longhorn}} man_packer_windoze_version={{opt_packer_setup_version|default(pri_packer_setup_changelog[0].version)}} man_skip_feature_removal={{pri_packer_setup_config.skip_feature_removal|default(False)}} +man_personalize_choco_packages={{opt_packer_setup_packages|default('["vim", "sysinternals"]')}} diff --git a/roles/packer-setup/templates/vagrantfile.template.j2 b/roles/packer-setup/templates/vagrantfile.template.j2 index 59d593f..4ccd2d0 100644 --- a/roles/packer-setup/templates/vagrantfile.template.j2 +++ b/roles/packer-setup/templates/vagrantfile.template.j2 @@ -11,6 +11,7 @@ Vagrant.configure(2) do |config| config.vm.network :forwarded_port, guest: 22, host: 2222, id: 'ssh', auto_correct: true config.vm.provider "virtualbox" do |vb| + vb.default_nic_type = "virtio" vb.gui = false vb.memory = 2048 vb.cpus = 2 diff --git a/roles/packer-setup/vars/main.yml b/roles/packer-setup/vars/main.yml index a7c549a..159d007 100644 --- a/roles/packer-setup/vars/main.yml +++ b/roles/packer-setup/vars/main.yml @@ -1,5 +1,16 @@ # this creates the changelog in the description for the Vagrant box pri_packer_setup_changelog: +- version: '0.6.0' + date: TBD # waiting on Microsoft to release the 2019 evaluation ISO + changes: + - Fix logic when setting the `LocalAccountTokenFilterPolicy` value when setting up the WinRM listener + - Added ability to override the base Chocolatey packages that are installed with the image, use the `opt_package_setup_packages` variable with `-e` when generating the template to configure + - Moved away from custom role to install the Win32-OpenSSH components, now using the [jborean93.win_openssh](https://galaxy.ansible.com/jborean93/win_openssh) role + - Updated OpenSSH version [7.9.0.0p1-Beta](https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v7.9.0.0p1-Beta) + - Installed the [virtio-network](https://stg.fedoraproject.org/wiki/Windows_Virtio_Drivers) driver on VirtualBox images + host_specific_changes: + 2016: + - Changed the default Windows Explorer window to show `This PC` instead of `Quick access` - version: '0.5.0' date: 2018-08-08 changes: @@ -117,6 +128,19 @@ pri_packer_setup_builders_info: - dvddrive - --medium - '{{man_packer_setup_host_type}}/secondary.iso' + - + - storageattach + - "{% raw %}{{'{{'}}.Name{{'}}'}}{% endraw %}" + - --storagectl + - Sata Controller + - --port + - "2" + - --device + - "0" + - --type + - dvddrive + - --medium + - '{{man_packer_setup_host_type}}/virtio.iso' vboxmanage_post: - - storagectl @@ -201,6 +225,7 @@ pri_packer_setup_json: # answer_longhorn: Whether the host type will use the older Server 2008 answer file # product_key: The KMS product key required in setup, only used in Server 2008 answer file # box_tag: This is the box tag that I use, this can be overriden with opt_packer_setup_box_tag +# driver_host_string: The host string name used for the Virtio drivers # bootstrap_files: A list of dictionaries that contains files to download for use in the bootstrapping process, this also modifies the bootstrapping script pri_packer_setup_host_config: # host pattern where architecture and option @@ -218,6 +243,7 @@ pri_packer_setup_host_config: architecture: x86 answer_longhorn: yes product_key: TM24T-X9RMF-VWXK6-X8JC9-BFGM2 + driver_host_string: 2k8 bootstrap_files: - name: Server 2008 SP2 url: https://download.microsoft.com/download/E/7/7/E77CBA41-0B6B-4398-BBBF-EE121EEC0535/Windows6.0-KB948465-X86.exe @@ -252,6 +278,7 @@ pri_packer_setup_host_config: architecture: amd64 answer_longhorn: yes product_key: TM24T-X9RMF-VWXK6-X8JC9-BFGM2 + driver_host_string: 2k8 bootstrap_files: - name: Server 2008 SP2 url: https://download.microsoft.com/download/4/7/3/473B909B-7B52-49FE-A443-2E2985D3DFC3/Windows6.0-KB948465-X64.exe @@ -285,6 +312,7 @@ pri_packer_setup_host_config: iso_wim_label: Windows Server 2008 R2 SERVERSTANDARD architecture: amd64 answer_longhorn: no + driver_host_string: 2k8R2 bootstrap_files: - name: .NET v4.5 url: http://download.microsoft.com/download/B/A/4/BA4A7E71-2906-4B2D-A0E1-80CF16844F5F/dotNetFx45_Full_x86_x64.exe @@ -314,6 +342,7 @@ pri_packer_setup_host_config: iso_wim_label: Windows Server 2012 SERVERSTANDARD architecture: amd64 answer_longhorn: no + driver_host_string: 2k12 bootstrap_files: - name: TiWorker Slow Performance Fix url: https://download.microsoft.com/download/D/D/C/DDC353A0-A56D-48E8-B2C0-97615C503145/Windows8-RT-KB2771431-x64.msu @@ -336,6 +365,7 @@ pri_packer_setup_host_config: iso_wim_label: Windows Server 2012 R2 SERVERSTANDARD architecture: amd64 answer_longhorn: no + driver_host_string: 2k12R2 bootstrap_files: [] '2016': box_tag: jborean93/WindowsServer2016 @@ -350,6 +380,7 @@ pri_packer_setup_host_config: architecture: amd64 answer_longhorn: no skip_feature_removal: yes + driver_host_string: 2k16 # to speed the process up, you can manually find the latest KB for the # following updates and put them here. Installing in the bootstrapping # process is a lot faster than through the WUA. Open up @@ -361,10 +392,10 @@ pri_packer_setup_host_config: # * Cumulative Update for Windows Server 2016 for x64-based Systems - Security Updates # https://www.catalog.update.microsoft.com/Search.aspx?q=Cumulative%20Update%20for%20Windows%20Server%202016%20for%20x64-based%20Systems%20-%20Security%20Updates bootstrap_files: - - name: KB4132216 - url: http://download.windowsupdate.com/c/msdownload/update/software/crup/2018/05/windows10.0-kb4132216-x64_9cbeb1024166bdeceff90cd564714e1dcd01296e.msu - - name: KB4338814 - url: http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/06/windows10.0-kb4338814-x64_f4a1df3470cc06192c5157c3f574ffdc4edadabd.msu + - name: KB4456655 + url: http://download.windowsupdate.com/d/msdownload/update/software/crup/2018/09/windows10.0-kb4456655-x64_fca3f0c885da48efc6f9699b0c1eaf424e779434.msu + - name: KB4480961 + url: http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/01/windows10.0-kb4480961-x64_ada63f8d66b2c9994e03c3f5bffe56aff77edeb6.msu '1709': box_tag: WindowsServer1709 @@ -378,6 +409,7 @@ pri_packer_setup_host_config: architecture: amd64 answer_longhorn: no skip_feature_removal: yes + driver_host_string: 2k16 bootstrap_files: [] '1803': box_tag: WindowsServer1803 @@ -392,34 +424,52 @@ pri_packer_setup_host_config: architecture: amd64 answer_longhorn: no skip_feature_removal: yes - bootstrap_files: - - name: KB4343669 - url: http://download.windowsupdate.com/d/msdownload/update/software/crup/2018/07/windows10.0-kb4343669-x64_2a58320e44d3ff803bc7016b5d02f3e85482b46f.msu - - name: KB4338819 - url: http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/07/windows10.0-kb4338819-x64_73cef45cbee3c689ddddf596aed7cb6a61092180.msu - '10-x86': - box_tag: jborean93/Windows10-x86 - - iso_url: http://care.dlservice.microsoft.com/dl/download/6/5/D/65D18931-F626-4A35-AD5B-F5DA41FE6B76/16299.15.170928-1534.rs3_release_CLIENTENTERPRISEEVAL_OEMRET_x86FRE_en-us.iso - iso_checksum: f2c39358d7186adae6825096c514edd6 - vb_guest_os_type: Windows10 - vb_forwarded_port: 55989 - hv_generation: 2 - - iso_wim_label: Windows 10 Enterprise Evaluation - architecture: x86 - answer_longhorn: no + driver_host_string: 2k16 bootstrap_files: [] - '10-x64': - box_tag: jborean93/Windows10-x64 +# bootstrap_files: +# - name: KB4343669 +# url: http://download.windowsupdate.com/d/msdownload/update/software/crup/2018/07/windows10.0-kb4343669-x64_2a58320e44d3ff803bc7016b5d02f3e85482b46f.msu +# - name: KB4338819 +# url: http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/07/windows10.0-kb4338819-x64_73cef45cbee3c689ddddf596aed7cb6a61092180.msu + '2019': + box_tag: jborean93/WindowsServer2019 - iso_url: http://care.dlservice.microsoft.com/dl/download/6/5/D/65D18931-F626-4A35-AD5B-F5DA41FE6B76/16299.15.170928-1534.rs3_release_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso - iso_checksum: f4f85d77516721d9a19ca866172a5ecb - vb_guest_os_type: Windows10_64 - vb_forwarded_port: 55990 + iso_url: https://software-download.microsoft.com/download/sg/17763.253.190108-0006.rs5_release_svc_refresh_SERVER_EVAL_x64FRE_en-us.iso + iso_checksum: 48cd91270581d1be10c3ff3ad6c41cce + vb_guest_os_type: Windows2016_64 + vb_forwarded_port: 55989 hv_generation: 2 - iso_wim_label: Windows 10 Enterprise Evaluation + iso_wim_label: Windows Server 2019 SERVERSTANDARD architecture: amd64 answer_longhorn: no + skip_feature_removal: yes + driver_host_string: 2k16 bootstrap_files: [] + +# '10-x86': +# box_tag: jborean93/Windows10-x86 +# +# iso_url: http://care.dlservice.microsoft.com/dl/download/6/5/D/65D18931-F626-4A35-AD5B-F5DA41FE6B76/16299.15.170928-1534.rs3_release_CLIENTENTERPRISEEVAL_OEMRET_x86FRE_en-us.iso +# iso_checksum: f2c39358d7186adae6825096c514edd6 +# vb_guest_os_type: Windows10 +# vb_forwarded_port: 55989 +# hv_generation: 2 +# +# iso_wim_label: Windows 10 Enterprise Evaluation +# architecture: x86 +# answer_longhorn: no +# bootstrap_files: [] +# '10-x64': +# box_tag: jborean93/Windows10-x64 +# +# iso_url: http://care.dlservice.microsoft.com/dl/download/6/5/D/65D18931-F626-4A35-AD5B-F5DA41FE6B76/16299.15.170928-1534.rs3_release_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso +# iso_checksum: f4f85d77516721d9a19ca866172a5ecb +# vb_guest_os_type: Windows10_64 +# vb_forwarded_port: 55990 +# hv_generation: 2 +# +# iso_wim_label: Windows 10 Enterprise Evaluation +# architecture: amd64 +# answer_longhorn: no +# bootstrap_files: [] diff --git a/roles/personalise/tasks/main.yml b/roles/personalise/tasks/main.yml index 75eb2ee..5fff164 100644 --- a/roles/personalise/tasks/main.yml +++ b/roles/personalise/tasks/main.yml @@ -37,11 +37,6 @@ type: dword state: present hive: C:\Users\Default\NTUSER.dat - register: pri_personalise_profile_reg_change - # seems like this fails to unload in Packer for whatever reason, we don't want to fail if we got that error - failed_when: - - pri_personalise_profile_reg_change is failed - - '"Failed to unload registry hive at ANSIBLE" not in pri_personalise_profile_reg_change.msg' loop: - name: Hidden data: 1 @@ -56,10 +51,6 @@ type: string state: '{{item.state}}' hive: C:\Users\Default\NTUSER.dat - register: pri_personalise_screensaver_reg_change - failed_when: - - pri_personalise_screensaver_reg_change is failed - - '"Failed to unload registry hive at ANSIBLE" not in pri_personalise_screensaver_reg_change.msg' when: man_host_type == '2008-x86' or man_host_type == '2008-x64' loop: - name: ScreenSaveActive @@ -68,14 +59,20 @@ - name: SCRNSAVE.EXE state: absent -- name: check if ANSIBLE key was successfully unloaded - win_reg_stat: - path: HKLM:\ANSIBLE - register: pri_personalise_reg_ansible_stat - -- name: unload ANSIBLE key - win_command: reg.exe unload HKLM\ANSIBLE - when: pri_personalise_reg_ansible_stat.exists == True +- name: set This PC as the default view for Windows Explorer for the default user profile + win_regedit: + path: HKLM:\ANSIBLE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced + name: LaunchTo + data: 1 + type: dword + state: present + hive: C:\Users\Default\NTUSER.dat + when: # this is only valid for 2016/10+ + - man_host_type != '2008-x86' + - man_host_type != '2008-x64' + - man_host_type != '2008r2' + - man_host_type != '2012' + - man_host_type != '2012r2' - name: set show hidden files/folders and file extensions for the current user profile win_regedit: @@ -105,6 +102,20 @@ - name: SCRNSAVE.EXE state: absent +- name: set This PC as the default view for Windows Explorer for the current user profile + win_regedit: + path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced + name: LaunchTo + data: 1 + type: dword + state: present + when: + - man_host_type != '2008-x86' + - man_host_type != '2008-x64' + - man_host_type != '2008r2' + - man_host_type != '2012' + - man_host_type != '2012r2' + - name: disable automatic updates (prevents TrustedInstaller startup thrash on older images) win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU @@ -113,13 +124,18 @@ type: dword state: present -- name: install sysinternals and vim +- name: install set Chocolatey packages win_chocolatey: - name: '{{item}}' + name: '{{item}}' # TODO: set list directly here when 2.7 is the min version state: present - loop: - - sysinternals - - vim + when: + - man_personalize_choco_packages|count > 0 + - item != '' + loop: '{{man_personalize_choco_packages}}' + become: yes + vars: # run with become as we aren't sure what packages the user has specified + ansible_become_user: '{{ansible_user}}' + ansible_become_pass: '{{ansible_password}}' - name: install the VirtualBox Guest Additions include_tasks: virtualbox.yml diff --git a/roles/sysprep/files/PackerWindoze.psm1 b/roles/sysprep/files/PackerWindoze.psm1 index 5c03c3d..a868358 100644 --- a/roles/sysprep/files/PackerWindoze.psm1 +++ b/roles/sysprep/files/PackerWindoze.psm1 @@ -72,7 +72,7 @@ Function New-FirewallRule { [Parameter()][Switch]$Deny ) $fw = New-Object -ComObject HNetCfg.FWPolicy2 - + $rules = $fw.Rules | Where-Object { $_.Name -eq $Name } if (-not $rules) { Write-Verbose -Message "Creating new firewall rule - $Name" @@ -99,7 +99,7 @@ Function New-FirewallRule { ApplicationName = "System" } $rule.Protocol = 6 - + $changed = $false foreach ($detail in $rule_details.GetEnumerator()) { $original_value = $rule.$($detail.Name) @@ -111,7 +111,7 @@ Function New-FirewallRule { $changed = $true } } - + if ($changed) { Write-Verbose -Message "Firewall rule $($rule.Name) needs to be (re)created as config does not match expectation" try { @@ -136,7 +136,7 @@ Function Remove-FirewallRule { [Parameter(mandatory=$true)][String]$Name ) $fw = New-Object -ComObject HNetCfg.FWPolicy2 - + $rules = $fw.Rules | Where-Object { $_.Name -eq $Name } foreach ($rule in $rules) { Write-Verbose -Message "Removing firewall rule $($rule.Name)" @@ -170,10 +170,10 @@ Function Reset-WinRMConfig { Param( [string]$CertificateThumbprint ) - + Write-Verbose "Removing all existing WinRM listeners" Remove-Item -Path WSMan:\localhost\Listener\* -Force -Recurse - + if (-not $CertificateThumbprint) { Write-Verbose "Removing all existing certificate in the personal store" Remove-Item -Path Cert:\LocalMachine\My\* -Force -Recurse @@ -190,24 +190,24 @@ Function Reset-WinRMConfig { Write-Verbose -Message "Enabling Basic authentication" Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true - + Write-Verbose -Message "Enabling CredSSP authentication" Enable-WSManCredSSP -role server -Force > $null - + Write-Verbose -Message "Setting AllowUnencrypted to False" Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false Write-Verbose -Message "Setting the LocalAccountTokenFilterPolicy registry key for remote admin access" - $reg_path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" - $reg_prop_name = "LocalAccountTokenFilterPolicy" - - $reg_key = Get-Item -Path $reg_path - $reg_prop = $reg_key.GetValue($reg_prop_name) - if ($reg_prop -ne 1) { - if ($null -eq $reg_prop) { - Remove-ItemProperty -Path $reg_path -Name $reg_prop_name + $token_path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" + $token_prop_name = "LocalAccountTokenFilterPolicy" + $token_key = Get-Item -Path $token_path + $token_value = $token_key.GetValue($token_prop_name, $null) + if ($token_value -ne 1) { + Write-Verbose -Message "Setting LocalAccountTOkenFilterPolicy to 1" + if ($null -ne $token_value) { + Remove-ItemProperty -Path $token_path -Name $token_prop_name } - New-ItemProperty -Path $reg_path -Name $reg_prop_name -Value 1 -PropertyType DWord > $null + New-ItemProperty -Path $token_path -Name $token_prop_name -Value 1 -PropertyType DWORD > $null } Write-Verbose -Message "Creating HTTP listener" @@ -219,7 +219,7 @@ Function Reset-WinRMConfig { Enabled = $true } New-WSManInstance -ResourceURI winrm/config/listener -SelectorSet $selector_set -ValueSet $value_set > $null - + Write-Verbose -Message "Creating HTTPS listener" if ($CertificateThumbprint) { $thumbprint = $CertificateThumbprint @@ -252,7 +252,7 @@ Function Reset-WinRMConfig { Write-Verbose -Message "Removing WinRM deny firewall rules as config is complete" Remove-FirewallRule -Name $http_deny_rule Remove-FirewallRule -Name $https_deny_rule - + Write-Verbose -Message "Testing out WinRM communication over localhost" $session_option = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck $invoke_args = @{ @@ -262,7 +262,7 @@ Function Reset-WinRMConfig { } Invoke-Command @invoke_args > $null Invoke-Command -UseSSL @invoke_args > $null - + Write-Verbose -Message "WinRM and PS Remoting have been set up successfully" } diff --git a/roles/sysprep/tasks/main.yml b/roles/sysprep/tasks/main.yml index 1fb206f..c3eab7f 100644 --- a/roles/sysprep/tasks/main.yml +++ b/roles/sysprep/tasks/main.yml @@ -61,3 +61,26 @@ $system.AutomaticManagedPagefile = $true $system.Put() } + +- name: 0 out empty space for later compression + win_shell: | + $path = "C:\zero" + $volume = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='C:'" + $block_size = 64kb + $leftover_size = $volume.Size * 0.05 + $file_size = $volume.FreeSpace - $leftover_size + $data_array = New-Object -TypeName byte[]($block_size) + + $stream = [System.IO.File]::OpenWrite($path) + try { + $current_file_size = 0 + while ($current_file_size -lt $file_size) { + $stream.Write($data_array, 0, $data_array.Length) + $current_file_size += $data_array.Length + } + } finally { + if ($stream) { + $stream.Close() + } + } + Remove-Item -Path $path -Force | Out-Null diff --git a/roles/update/tasks/update_task.yml b/roles/update/tasks/update_task.yml index 597d4fa..708517b 100644 --- a/roles/update/tasks/update_task.yml +++ b/roles/update/tasks/update_task.yml @@ -1,6 +1,6 @@ --- - block: - - name: check if there are missing updates - {{category_info.name}} + - name: check if there are missing updates - {{category_info.name}} - round {{loop_number}} win_updates: category_names: - '{{category_info.name}}' @@ -19,7 +19,7 @@ win_reboot: reboot_timeout: 1200 - - name: check if there are missing updates - {{category_info.name}} ATTEMPT 2 + - name: check if there are missing updates - {{category_info.name}} - round {{loop_number}} ATTEMPT 2 win_updates: category_names: - '{{category_info.name}}' @@ -32,7 +32,7 @@ update_stat: '{{update_stat|update_merge(category_info.name, True)}}' when: pri_update_count.found_update_count is defined and pri_update_count.found_update_count == 0 and (loop_number != 1 and loop_number != 2) -- name: install windows updates - {{category_info.name}} +- name: install windows updates - {{category_info.name}} - round {{loop_number}} win_updates: category_names: - '{{category_info.name}}'