Skip to content

Commit

Permalink
Merge pull request StefanScherer#217 from qmfrederik/fixes/windows-7-…
Browse files Browse the repository at this point in the history 
…updates

Windows 7: Manually install SP1, Servicing Stack Update,  Update Rollup & Cumulative Update
  • Loading branch information
@StefanScherer
StefanScherer authored Dec 29, 2019
2 parents 8f37f28 + 240152f commit cb732c6
Show file tree
Hide file tree
Showing 19 changed files with 598 additions and 29 deletions.
19 changes: 19 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,25 @@ uncommenting the `WITHOUT WINDOWS UPDATES` section in `Autounattend.xml`:

Doing so will give you hours back in your day, which is a good thing.

### Windows 7 support

Windows 7 is going out of support in January 2020, and the scripts for building Windows 7 machines are only
sporadically maintained.

Windows 7 was first released in 2009. This means there are a lot of updates available for Windows 7,
and running Windows Updates on a Windows 7 box using the mechanism described above takes an extremely long time.

The Windows 7 templates therefore take a slightly different approach, first installing Service Pack 1,
updating the servicing stack and then installing the latest update rollup, .NET 4.8 and PowerShell 5.1.
Finally, any missing updates are installed using Ansible.

This means you'll need to install Ansible on your machine if you want to run the Windows 7 scripts.
You can [install ansible on a Linux machine](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html).

If you want to run these scripts on a Windows machine, you can try to run Ansible in cygwin or Bash on Ubuntu on Windows.
Alternatively, you can disable the `ansible` steps in the `windows_7.json` file. Make sure to manually run
Windows Update if you do!

### WinRM

These boxes use WinRM. There is no OpenSSH installed.
Expand Down
218 changes: 218 additions & 0 deletions ansible/connection_plugins/packer.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,218 @@
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type

from ansible.plugins.connection.ssh import Connection as SSHConnection

DOCUMENTATION = '''
connection: packer
short_description: ssh based connections for powershell via packer
description:
- This connection plugin allows ansible to communicate to the target packer machines via ssh based connections for powershell.
author: Packer Community
version_added: na
options:
host:
description: Hostname/ip to connect to.
default: inventory_hostname
vars:
- name: ansible_host
- name: ansible_ssh_host
host_key_checking:
description: Determines if ssh should check host keys
type: boolean
ini:
- section: defaults
key: 'host_key_checking'
- section: ssh_connection
key: 'host_key_checking'
version_added: '2.5'
env:
- name: ANSIBLE_HOST_KEY_CHECKING
- name: ANSIBLE_SSH_HOST_KEY_CHECKING
version_added: '2.5'
vars:
- name: ansible_host_key_checking
version_added: '2.5'
- name: ansible_ssh_host_key_checking
version_added: '2.5'
password:
description: Authentication password for the C(remote_user). Can be supplied as CLI option.
vars:
- name: ansible_password
- name: ansible_ssh_pass
ssh_args:
description: Arguments to pass to all ssh cli tools
default: '-C -o ControlMaster=auto -o ControlPersist=60s'
ini:
- section: 'ssh_connection'
key: 'ssh_args'
env:
- name: ANSIBLE_SSH_ARGS
ssh_common_args:
description: Common extra args for all ssh CLI tools
vars:
- name: ansible_ssh_common_args
ssh_executable:
default: ssh
description:
- This defines the location of the ssh binary. It defaults to ``ssh`` which will use the first ssh binary available in $PATH.
- This option is usually not required, it might be useful when access to system ssh is restricted,
or when using ssh wrappers to connect to remote hosts.
env: [{name: ANSIBLE_SSH_EXECUTABLE}]
ini:
- {key: ssh_executable, section: ssh_connection}
#const: ANSIBLE_SSH_EXECUTABLE
version_added: "2.2"
sftp_executable:
default: sftp
description:
- This defines the location of the sftp binary. It defaults to ``sftp`` which will use the first binary available in $PATH.
env: [{name: ANSIBLE_SFTP_EXECUTABLE}]
ini:
- {key: sftp_executable, section: ssh_connection}
version_added: "2.6"
scp_executable:
default: scp
description:
- This defines the location of the scp binary. It defaults to `scp` which will use the first binary available in $PATH.
env: [{name: ANSIBLE_SCP_EXECUTABLE}]
ini:
- {key: scp_executable, section: ssh_connection}
version_added: "2.6"
scp_extra_args:
description: Extra exclusive to the ``scp`` CLI
vars:
- name: ansible_scp_extra_args
sftp_extra_args:
description: Extra exclusive to the ``sftp`` CLI
vars:
- name: ansible_sftp_extra_args
ssh_extra_args:
description: Extra exclusive to the 'ssh' CLI
vars:
- name: ansible_ssh_extra_args
retries:
# constant: ANSIBLE_SSH_RETRIES
description: Number of attempts to connect.
default: 3
type: integer
env:
- name: ANSIBLE_SSH_RETRIES
ini:
- section: connection
key: retries
- section: ssh_connection
key: retries
port:
description: Remote port to connect to.
type: int
default: 22
ini:
- section: defaults
key: remote_port
env:
- name: ANSIBLE_REMOTE_PORT
vars:
- name: ansible_port
- name: ansible_ssh_port
remote_user:
description:
- User name with which to login to the remote server, normally set by the remote_user keyword.
- If no user is supplied, Ansible will let the ssh client binary choose the user as it normally
ini:
- section: defaults
key: remote_user
env:
- name: ANSIBLE_REMOTE_USER
vars:
- name: ansible_user
- name: ansible_ssh_user
pipelining:
default: ANSIBLE_PIPELINING
description:
- Pipelining reduces the number of SSH operations required to execute a module on the remote server,
by executing many Ansible modules without actual file transfer.
- This can result in a very significant performance improvement when enabled.
- However this conflicts with privilege escalation (become).
For example, when using sudo operations you must first disable 'requiretty' in the sudoers file for the target hosts,
which is why this feature is disabled by default.
env:
- name: ANSIBLE_PIPELINING
#- name: ANSIBLE_SSH_PIPELINING
ini:
- section: defaults
key: pipelining
#- section: ssh_connection
# key: pipelining
type: boolean
vars:
- name: ansible_pipelining
- name: ansible_ssh_pipelining
private_key_file:
description:
- Path to private key file to use for authentication
ini:
- section: defaults
key: private_key_file
env:
- name: ANSIBLE_PRIVATE_KEY_FILE
vars:
- name: ansible_private_key_file
- name: ansible_ssh_private_key_file
control_path:
description:
- This is the location to save ssh's ControlPath sockets, it uses ssh's variable substitution.
- Since 2.3, if null, ansible will generate a unique hash. Use `%(directory)s` to indicate where to use the control dir path setting.
env:
- name: ANSIBLE_SSH_CONTROL_PATH
ini:
- key: control_path
section: ssh_connection
control_path_dir:
default: ~/.ansible/cp
description:
- This sets the directory to use for ssh control path if the control path setting is null.
- Also, provides the `%(directory)s` variable for the control path setting.
env:
- name: ANSIBLE_SSH_CONTROL_PATH_DIR
ini:
- section: ssh_connection
key: control_path_dir
sftp_batch_mode:
default: 'yes'
description: 'TODO: write it'
env: [{name: ANSIBLE_SFTP_BATCH_MODE}]
ini:
- {key: sftp_batch_mode, section: ssh_connection}
type: bool
scp_if_ssh:
default: smart
description:
- "Prefered method to use when transfering files over ssh"
- When set to smart, Ansible will try them until one succeeds or they all fail
- If set to True, it will force 'scp', if False it will use 'sftp'
env: [{name: ANSIBLE_SCP_IF_SSH}]
ini:
- {key: scp_if_ssh, section: ssh_connection}
use_tty:
version_added: '2.5'
default: 'yes'
description: add -tt to ssh commands to force tty allocation
env: [{name: ANSIBLE_SSH_USETTY}]
ini:
- {key: usetty, section: ssh_connection}
type: bool
yaml: {key: connection.usetty}
'''

class Connection(SSHConnection):
''' ssh based connections for powershell via packer'''

transport = 'packer'
has_pipelining = True
become_methods = []
allow_executable = False
module_implementation_preferences = ('.ps1', '')

def __init__(self, *args, **kwargs):
super(Connection, self).__init__(*args, **kwargs)
9 changes: 9 additions & 0 deletions ansible/windows_update.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
- hosts: all
tasks:
- name: Install only security updates
win_updates:
category_names:
- SecurityUpdates
- CriticalUpdates
- UpdateRollups
use_scheduled_task: yes
7 changes: 7 additions & 0 deletions ansible/windows_update_security_updates.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
- hosts: all
tasks:
- name: Install only security updates
win_updates:
category_names:
- SecurityUpdates
use_scheduled_task: yes
76 changes: 58 additions & 18 deletions answer_files/7/Autounattend.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,64 @@
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<servicing/>
<settings pass="windowsPE">
<component name="Microsoft-Windows-PnpCustomizationsWinPE"
publicKeyToken="31bf3856ad364e35" language="neutral"
versionScope="nonSxS" processorArchitecture="amd64"
xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">

<!--
This makes the VirtIO drivers available to Windows, assuming that
the VirtIO driver disk at https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso
(see https://docs.fedoraproject.org/en-US/quick-docs/creating-windows-virtual-machines-using-virtio-drivers/index.html#virtio-win-direct-downloads)
is available as drive E:
-->
<DriverPaths>
<PathAndCredentials wcm:action="add" wcm:keyValue="2">
<Path>E:\viostor\w7\amd64</Path>
</PathAndCredentials>

<PathAndCredentials wcm:action="add" wcm:keyValue="3">
<Path>E:\NetKVM\w7\amd64</Path>
</PathAndCredentials>

<PathAndCredentials wcm:action="add" wcm:keyValue="4">
<Path>E:\Balloon\w7\amd64</Path>
</PathAndCredentials>

<PathAndCredentials wcm:action="add" wcm:keyValue="5">
<Path>E:\pvpanic\w7\amd64</Path>
</PathAndCredentials>

<PathAndCredentials wcm:action="add" wcm:keyValue="6">
<Path>E:\qemupciserial\w7\amd64</Path>
</PathAndCredentials>

<PathAndCredentials wcm:action="add" wcm:keyValue="7">
<Path>E:\qxl\w7\amd64</Path>
</PathAndCredentials>

<PathAndCredentials wcm:action="add" wcm:keyValue="8">
<Path>E:\vioinput\w7\amd64</Path>
</PathAndCredentials>

<PathAndCredentials wcm:action="add" wcm:keyValue="9">
<Path>E:\viorng\w7\amd64</Path>
</PathAndCredentials>

<PathAndCredentials wcm:action="add" wcm:keyValue="10">
<Path>E:\vioscsi\w7\amd64</Path>
</PathAndCredentials>

<PathAndCredentials wcm:action="add" wcm:keyValue="11">
<Path>E:\vioserial\w7\amd64</Path>
</PathAndCredentials>

<PathAndCredentials wcm:action="add" wcm:keyValue="12">
<Path>K:\kaboom\w7\amd64</Path>
</PathAndCredentials>
</DriverPaths>
</component>

<component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<DiskConfiguration>
<Disk wcm:action="add">
Expand Down Expand Up @@ -160,8 +218,6 @@
<Order>22</Order>
<Description>Disable password expiration for vagrant user</Description>
</SynchronousCommand>
<!-- WITHOUT WINDOWS UPDATES -->
<!--
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\dis-updates.ps1</CommandLine>
<Description>Disable Automatic Updates</Description>
Expand All @@ -173,22 +229,6 @@
<Description>Enable WinRM</Description>
<Order>99</Order>
</SynchronousCommand>
-->
<!-- END WITHOUT WINDOWS UPDATES -->
<!-- WITH WINDOWS UPDATES -->
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\dis-updates.ps1</CommandLine>
<Description>Disable Automatic Updates</Description>
<Order>97</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\win-updates.ps1 -MaxUpdatesPerCycle 30</CommandLine>
<Description>Install Windows Updates</Description>
<Order>100</Order>
<RequiresUserInput>true</RequiresUserInput>
</SynchronousCommand>
<!-- END WITH WINDOWS UPDATES -->
</FirstLogonCommands>
<ShowWindowsLive>false</ShowWindowsLive>
</component>
Expand Down
2 changes: 1 addition & 1 deletion scripts/chocolatey.bat
View file
Original file line number Diff line number Diff line change
@@ -1 +1 @@
powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" <NUL
powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))"
8 changes: 5 additions & 3 deletions scripts/chocopacks.bat
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
:: Ensure C:\Chocolatey\bin is on the path
set /p PATH=<C:\Windows\Temp\PATH
set /p PATH=%PATH%;C:\ProgramData\chocolatey\
echo %PATH%

:: Install all the things; for example:
cmd /c choco install 7zip
cmd /c choco install notepadplusplus
choco install /y 7zip
choco install /y notepadplusplus
choco install /y boxstarter.winconfig
1 change: 1 addition & 0 deletions scripts/enable-winrm.bat
View file
Original file line number Diff line number Diff line change
@@ -1,2 +1,3 @@
rem Enable-NetFirewallRule for WinRM
netsh advfirewall firewall add rule name="Port 5985" dir=in action=allow protocol=TCP localport=5985
sc.exe config winrm start= auto
Loading

0 comments on commit cb732c6

Please sign in to comment.