180 lines
6.3 KiB
YAML
180 lines
6.3 KiB
YAML
|
# Copyright 2020 The Kubernetes Authors.
|
||
|
|
||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
# you may not use this file except in compliance with the License.
|
||
|
# You may obtain a copy of the License at
|
||
|
|
||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||
|
|
||
|
# Unless required by applicable law or agreed to in writing, software
|
||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
# See the License for the specific language governing permissions and
|
||
|
# limitations under the License.
|
||
|
---
|
||
|
# This file was adapted from https://github.com/Azure/aks-engine/blob/master/vhd/packer/configure-windows-vhd.ps1 for ansible
|
||
|
- name: Remove Windows updates default registry settings
|
||
|
win_regedit:
|
||
|
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
|
||
|
state: absent
|
||
|
delete_key: yes
|
||
|
|
||
|
- name: Add Windows update registry path
|
||
|
win_regedit:
|
||
|
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
|
||
|
state: present
|
||
|
|
||
|
- name: Add Windows automatic update registry path
|
||
|
win_regedit:
|
||
|
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
|
||
|
state: present
|
||
|
|
||
|
# https://docs.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry
|
||
|
- name: Disable Windows automatic updates in registry
|
||
|
win_regedit:
|
||
|
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
|
||
|
state: present
|
||
|
name: NoAutoUpdate
|
||
|
data: 1
|
||
|
type: dword
|
||
|
|
||
|
- name: Set Windows automatic updates to notify only in registry
|
||
|
win_regedit:
|
||
|
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
|
||
|
state: present
|
||
|
name: AUOptions
|
||
|
data: 2
|
||
|
type: dword
|
||
|
|
||
|
# Hyper-V messes with networking components on startup after the feature is enabled
|
||
|
# causing issues with communication over winrm and setting winrm to delayed start
|
||
|
# gives Hyper-V enough time to finish configuration before having packer continue.
|
||
|
- name: Set WinRm Service to delayed start
|
||
|
win_command: sc.exe config winrm start=delayed-auto
|
||
|
|
||
|
# Best effort to update defender signatures
|
||
|
# This can fail if there is already a signature
|
||
|
# update running which means we will get them anyways
|
||
|
# Also at the time the VM is provisioned Defender will trigger any required updates
|
||
|
- name: Update Windows Defender signatures
|
||
|
win_shell: |
|
||
|
$service = Get-Service "Windefend"
|
||
|
$service.WaitForStatus("Running","00:5:00")
|
||
|
Update-MpSignature
|
||
|
ignore_errors: yes
|
||
|
|
||
|
# Find KB Article numbers:
|
||
|
# - WS 2019 https://support.microsoft.com/en-us/help/4464619
|
||
|
# - WS 2022 https://support.microsoft.com/topic/windows-server-2022-update-history-e1caa597-00c5-4ab9-9f3e-8212fe80b2ee
|
||
|
# Task to install specific updates by KB. All categories are specified as the module
|
||
|
# won't install the update unless the category matches. Setting windows_updates_kbs_numbers to []
|
||
|
# will skip this task.
|
||
|
- name: Install Windows updates based on KB numbers
|
||
|
win_updates:
|
||
|
whitelist: "{{ windows_updates_kbs_numbers }}"
|
||
|
reboot: yes
|
||
|
category_names:
|
||
|
- Application
|
||
|
- Connectors
|
||
|
- CriticalUpdates
|
||
|
- DefinitionUpdates
|
||
|
- DeveloperKits
|
||
|
- Drivers
|
||
|
- FeaturePacks
|
||
|
- Guidance
|
||
|
- SecurityUpdates
|
||
|
- ServicePacks
|
||
|
- Tools
|
||
|
- UpdateRollups
|
||
|
- Updates
|
||
|
when: windows_updates_kbs_numbers|length > 0
|
||
|
|
||
|
# Task to install any outstanding updates that belong to specific categories. Setting
|
||
|
# windows_updates_category_names to [] will skip this task.
|
||
|
- name: Install Windows updates based on Categories
|
||
|
win_updates:
|
||
|
category_names: "{{ windows_updates_category_names }}"
|
||
|
reboot: yes
|
||
|
when: windows_updates_category_names|length > 0
|
||
|
|
||
|
- import_tasks: ssh-feature.yml
|
||
|
when: ssh_source_url == ""
|
||
|
|
||
|
- import_tasks: ssh-archive.yml
|
||
|
when: ssh_source_url != ""
|
||
|
|
||
|
- name: Set default SSH shell to Powershell
|
||
|
win_regedit:
|
||
|
path: HKLM:\SOFTWARE\OpenSSH
|
||
|
state: present
|
||
|
name: DefaultShell
|
||
|
data: '{{ systemdrive.stdout | trim }}\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
|
||
|
type: string
|
||
|
|
||
|
- name: Create SSH program data folder
|
||
|
win_shell: If (-Not (Test-Path -Path "$env:ProgramData\ssh")) { mkdir "$env:ProgramData\ssh" }
|
||
|
|
||
|
- name: Enable ssh login without a password
|
||
|
win_shell: Add-Content -Path "$env:ProgramData\ssh\sshd_config" -Value "PasswordAuthentication no`nPubkeyAuthentication yes"
|
||
|
|
||
|
- name: Set SSH service startup mode to auto and ensure it is started
|
||
|
win_service:
|
||
|
name: sshd
|
||
|
start_mode: auto
|
||
|
state: started
|
||
|
|
||
|
# Apply HNS flags for fixes that need to be enabled via Registry
|
||
|
# these eventually get turned on automatically and can be removed in future releases
|
||
|
- name: Apply HNS control Flags 0x40 and 0x10 in 2022-11B patches
|
||
|
win_regedit:
|
||
|
path: HKLM:\SYSTEM\CurrentControlSet\Services\hns\State
|
||
|
state: present
|
||
|
name: HNSControlFlag
|
||
|
data: 0x50
|
||
|
type: dword
|
||
|
when: distribution_version == "2019"
|
||
|
|
||
|
- name: Apply WCIFS fix
|
||
|
win_regedit:
|
||
|
path: HKLM:\SYSTEM\CurrentControlSet\Services\wcifs
|
||
|
state: present
|
||
|
name: WcifsSOPCountDisabled
|
||
|
data: 0
|
||
|
type: dword
|
||
|
when: distribution_version == "2019"
|
||
|
|
||
|
- name: Expand dynamic port range to 34000-65535 to avoid port exhaustion
|
||
|
win_shell: netsh int ipv4 set dynamicportrange tcp 34000 31536
|
||
|
|
||
|
- name: Add required Windows Features
|
||
|
win_feature:
|
||
|
name:
|
||
|
- Containers
|
||
|
- Hyper-V-PowerShell
|
||
|
state: present
|
||
|
register: win_feature
|
||
|
|
||
|
# Due to a limitation in some CNI plugins the Hyper-V role needs to be installed in order
|
||
|
# to use the VMSwitch Powershell Cmdlets.
|
||
|
# An issue has been logged to have the networking components to be split out but until
|
||
|
# that is complete, environments that do not support running a hypervisor require the
|
||
|
# below which skips the CPU check for Hypervisor support and still installs the VMSwitch Cmlets
|
||
|
# when disable_hypervisor is set to true
|
||
|
# https://github.com/microsoft/Windows-Containers/issues/80
|
||
|
|
||
|
- name: Add Hyper-V
|
||
|
win_shell: |
|
||
|
dism /online /enable-feature /featurename:Microsoft-Hyper-V /all /NoRestart
|
||
|
register: hyperv_installed
|
||
|
failed_when: hyperv_installed.rc != 1 and hyperv_installed.rc != 0
|
||
|
|
||
|
- name: Disable Hypervisor
|
||
|
win_shell: |
|
||
|
dism /online /disable-feature /featurename:Microsoft-Hyper-V-Online /NoRestart
|
||
|
when: (disable_hypervisor | default(false) | bool)
|
||
|
register: hypervisor_disabled
|
||
|
failed_when: hypervisor_disabled.rc != 1 and hypervisor_disabled.rc != 0
|
||
|
|
||
|
- name: Reboot
|
||
|
win_reboot:
|