ClusterAPI.imageBuilder/ansible/windows/roles/systemprep/tasks/main.yml

# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
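---
# This file was adapted from https://github.com/Azure/aks-engine/blob/master/vhd/packer/configure-windows-vhd.ps1 for ansible
# Clear any pre-existing Windows Update policy so only the values set below are in effect.
# delete_key removes the WindowsUpdate key together with its subkeys.
- name: Remove Windows updates default registry settings
  win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
    state: absent
    delete_key: true
- name: Add Windows update registry path
  win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    state: present
- name: Add Windows automatic update registry path
  win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    state: present
# https://docs.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry
# NoAutoUpdate=1 turns automatic updating off; AUOptions=2 is "notify before download"
# (see the linked page). Updates are applied explicitly by the win_updates tasks below.
- name: Disable Windows automatic updates in registry
  win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    state: present
    name: NoAutoUpdate
    data: 1
    type: dword
- name: Set Windows automatic updates to notify only in registry
  win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    state: present
    name: AUOptions
    data: 2
    type: dword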
# Enabling the Hyper-V feature reconfigures networking components at the next boot, which
# can break WinRM communication while packer is still driving the build. Starting WinRM
# as delayed-auto gives Hyper-V time to finish before WinRM comes up.
- name: Set WinRm Service to delayed start
  win_command: sc.exe config winrm start=delayed-auto
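# Best-effort refresh of Defender signatures. It can fail when a signature update is
# already running (the image gets the signatures anyway), and Defender also triggers any
# required update when the VM is provisioned, hence ignore_errors.
# The WaitForStatus timeout "00:5:00" is a .NET TimeSpan of five minutes.
- name: Update Windows Defender signatures
  win_shell: |
    $service = Get-Service "Windefend"
    $service.WaitForStatus("Running","00:5:00")
    Update-MpSignature
  ignore_errors: true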
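# Find KB Article numbers:
# - WS 2019 https://support.microsoft.com/en-us/help/4464619
# - WS 2022 https://support.microsoft.com/topic/windows-server-2022-update-history-e1caa597-00c5-4ab9-9f3e-8212fe80b2ee
# Install specific updates by KB number. Every category is listed because the module only
# installs an update whose category matches. An empty windows_updates_kbs_numbers skips the task.
# NOTE(review): newer ansible.windows releases name this option accept_list (whitelist kept as
# an alias); rename once the minimum supported Ansible version allows it.
- name: Install Windows updates based on KB numbers
  win_updates:
    whitelist: "{{ windows_updates_kbs_numbers }}"
    reboot: true
    category_names:
      - Application
      - Connectors
      - CriticalUpdates
      - DefinitionUpdates
      - DeveloperKits
      - Drivers
      - FeaturePacks
      - Guidance
      - SecurityUpdates
      - ServicePacks
      - Tools
      - UpdateRollups
      - Updates
  when: windows_updates_kbs_numbers|length > 0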
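# Install every outstanding update in the listed categories. An empty
# windows_updates_category_names skips the task.
- name: Install Windows updates based on Categories
  win_updates:
    category_names: "{{ windows_updates_category_names }}"
    reboot: true
  when: windows_updates_category_names|length > 0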
# OpenSSH comes either from the Windows capability (ssh-feature.yml) or from a downloaded
# archive (ssh-archive.yml); ssh_source_url selects which path is taken.
- import_tasks: ssh-feature.yml
  when: ssh_source_url == ''
- import_tasks: ssh-archive.yml
  when: ssh_source_url != ''
# Make PowerShell the shell sshd launches for interactive logins.
# Assumes systemdrive was registered by a task outside this file — TODO confirm.
- name: Set default SSH shell to Powershell
  win_regedit:
    path: HKLM:\SOFTWARE\OpenSSH
    name: DefaultShell
    type: string
    data: '{{ systemdrive.stdout | trim }}\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    state: present
# sshd reads its configuration from %ProgramData%\ssh; make sure the directory exists.
- name: Create SSH program data folder
  win_shell: If (-Not (Test-Path -Path "$env:ProgramData\ssh")) { mkdir "$env:ProgramData\ssh" }
# Key-only authentication: passwords off, public keys on.
# NOTE(review): Add-Content appends, so re-running adds duplicate lines, and if a default
# sshd_config already exists its last stanza is a "Match Group administrators" block —
# directives appended after it are scoped to that Match block instead of applying globally.
# Confirm the file does not exist yet at this point (sshd is first started by the next task),
# or insert the lines ahead of any Match block.
- name: Enable ssh login without a password
  win_shell: Add-Content -Path "$env:ProgramData\ssh\sshd_config" -Value "PasswordAuthentication no`nPubkeyAuthentication yes"
- name: Set SSH service startup mode to auto and ensure it is started
  win_service:
    name: sshd
    state: started
    start_mode: auto
# HNS / WCIFS fixes that must be switched on through the registry on Windows Server 2019.
# They are expected to become default behaviour and can be dropped in a future release.
# 0x50 is the combination of the 0x40 and 0x10 control flags from the 2022-11B patches.
- name: Apply HNS control Flags 0x40 and 0x10 in 2022-11B patches
  win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Services\hns\State
    name: HNSControlFlag
    type: dword
    data: 0x50
    state: present
  when: distribution_version == '2019'
- name: Apply WCIFS fix
  win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Services\wcifs
    name: WcifsSOPCountDisabled
    type: dword
    data: 0
    state: present
  when: distribution_version == '2019'
# netsh takes a start port and a count: 34000 + 31536 - 1 = 65535, i.e. the range 34000-65535.
- name: Expand dynamic port range to 34000-65535 to avoid port exhaustion
  win_shell: netsh int ipv4 set dynamicportrange tcp 34000 31536
# Container support and the Hyper-V PowerShell module (needed for the VMSwitch cmdlets).
# The result is registered for callers outside this block; nothing here reads it.
- name: Add required Windows Features
  win_feature:
    state: present
    name:
      - Containers
      - Hyper-V-PowerShell
  register: win_feature
# Some CNI plugins need the Hyper-V role installed so the VMSwitch PowerShell cmdlets work.
# Until the networking components are split out of the role
# (https://github.com/microsoft/Windows-Containers/issues/80), environments without nested
# virtualisation enable the full feature here and then disable the hypervisor itself when
# disable_hypervisor is true, which skips the CPU check while keeping the VMSwitch cmdlets.
# Both dism calls treat return codes 0 and 1 as success.
# NOTE(review): dism reports a pending reboot with return code 3010; confirm that value never
# surfaces here with /NoRestart, since failed_when would then fail the task.
- name: Add Hyper-V
  win_shell: |
    dism /online /enable-feature /featurename:Microsoft-Hyper-V /all /NoRestart
  register: hyperv_installed
  failed_when: hyperv_installed.rc not in [0, 1]
- name: Disable Hypervisor
  win_shell: |
    dism /online /disable-feature /featurename:Microsoft-Hyper-V-Online /NoRestart
  register: hypervisor_disabled
  failed_when: hypervisor_disabled.rc not in [0, 1]
  when: disable_hypervisor | default(false) | bool
# Reboot so the feature changes above (Hyper-V, containers, dynamic port range) take effect.
- name: Reboot
  win_reboot: {}