Test dependencies

ansible/windows/roles/systemprep/defaults/main.yml

@@ -0,0 +1,17 @@
+# Copyright 2020 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+windows_updates_kbs_numbers: "{{ windows_updates_kbs.split() if (windows_updates_kbs is defined) and (windows_updates_kbs|length > 0) else [] }}"
+windows_updates_category_names: "{{ windows_updates_categories.split() if (windows_updates_categories is defined) and (windows_updates_categories|length > 0) else [] }}"
+ssh_source_url: "{{ ssh_source_url if ssh_source_url is defined else ''}}"

ansible/windows/roles/systemprep/tasks/main.yml

@@ -0,0 +1,179 @@
+# Copyright 2020 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# This file was adapted from https://github.com/Azure/aks-engine/blob/master/vhd/packer/configure-windows-vhd.ps1 for ansible
+- name: Remove Windows updates default registry settings
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
+    state: absent
+    delete_key: yes
+
+- name: Add Windows update registry path
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
+    state: present
+
+- name: Add Windows automatic update registry path
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
+    state: present
+
+# https://docs.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry
+- name: Disable Windows automatic updates in registry
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
+    state: present
+    name: NoAutoUpdate
+    data: 1
+    type: dword
+
+- name: Set Windows automatic updates to notify only in registry
+  win_regedit:
+    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
+    state: present
+    name: AUOptions
+    data: 2
+    type: dword
+
+# Hyper-V messes with networking components on startup after the feature is enabled
+# causing issues with communication over winrm and setting winrm to delayed start
+# gives Hyper-V enough time to finish configuration before having packer continue.
+- name: Set WinRm Service to delayed start
+  win_command: sc.exe config winrm start=delayed-auto
+
+# Best effort to update defender signatures
+# This can fail if there is already a signature
+# update running which means we will get them anyways
+# Also at the time the VM is provisioned Defender will trigger any required updates
+- name: Update Windows Defender signatures
+  win_shell: |
+    $service = Get-Service "Windefend"
+    $service.WaitForStatus("Running","00:5:00")
+    Update-MpSignature
+  ignore_errors: yes
+
+# Find KB Article numbers:
+#  - WS 2019 https://support.microsoft.com/en-us/help/4464619
+#  - WS 2022 https://support.microsoft.com/topic/windows-server-2022-update-history-e1caa597-00c5-4ab9-9f3e-8212fe80b2ee
+# Task to install specific updates by KB. All categories are specified as the module
+# won't install the update unless the category matches. Setting windows_updates_kbs_numbers to []
+# will skip this task.
+- name: Install Windows updates based on KB numbers
+  win_updates:
+    whitelist: "{{ windows_updates_kbs_numbers }}"
+    reboot: yes
+    category_names:
+      - Application
+      - Connectors
+      - CriticalUpdates
+      - DefinitionUpdates
+      - DeveloperKits
+      - Drivers
+      - FeaturePacks
+      - Guidance
+      - SecurityUpdates
+      - ServicePacks
+      - Tools
+      - UpdateRollups
+      - Updates
+  when: windows_updates_kbs_numbers|length > 0
+
+# Task to install any outstanding updates that belong to specific categories. Setting
+# windows_updates_category_names to [] will skip this task.
+- name: Install Windows updates based on Categories
+  win_updates:
+    category_names: "{{ windows_updates_category_names }}"
+    reboot: yes
+  when: windows_updates_category_names|length > 0
+
+- import_tasks: ssh-feature.yml
+  when: ssh_source_url == ""
+
+- import_tasks: ssh-archive.yml
+  when: ssh_source_url != ""
+
+- name: Set default SSH shell to Powershell
+  win_regedit:
+    path: HKLM:\SOFTWARE\OpenSSH
+    state: present
+    name: DefaultShell
+    data: '{{ systemdrive.stdout | trim }}\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
+    type: string
+
+- name: Create SSH program data folder
+  win_shell: If (-Not (Test-Path -Path "$env:ProgramData\ssh")) { mkdir "$env:ProgramData\ssh" }
+
+- name: Enable ssh login without a password
+  win_shell: Add-Content -Path "$env:ProgramData\ssh\sshd_config" -Value "PasswordAuthentication no`nPubkeyAuthentication yes"
+
+- name: Set SSH service startup mode to auto and ensure it is started
+  win_service:
+    name: sshd
+    start_mode: auto
+    state: started
+
+# Apply HNS flags for fixes that need to be enabled via Registry 
+# these eventually get turned on automatically and can be removed in future releases
+- name: Apply HNS control Flags 0x40 and 0x10 in 2022-11B patches
+  win_regedit:
+    path: HKLM:\SYSTEM\CurrentControlSet\Services\hns\State
+    state: present
+    name: HNSControlFlag
+    data: 0x50
+    type: dword
+  when: distribution_version == "2019"
+
+- name: Apply WCIFS fix
+  win_regedit:
+    path: HKLM:\SYSTEM\CurrentControlSet\Services\wcifs
+    state: present
+    name: WcifsSOPCountDisabled
+    data: 0
+    type: dword
+  when: distribution_version == "2019"
+
+- name: Expand dynamic port range to 34000-65535 to avoid port exhaustion
+  win_shell: netsh int ipv4 set dynamicportrange tcp 34000 31536
+
+- name: Add required Windows Features
+  win_feature:
+    name:
+    - Containers
+    - Hyper-V-PowerShell
+    state: present
+  register: win_feature
+
+# Due to a limitation in some CNI plugins the Hyper-V role needs to be installed in order
+# to use the VMSwitch Powershell Cmdlets.  
+# An issue has been logged to have the networking components to be split out but until
+# that is complete, environments that do not support running a hypervisor require the 
+# below which skips the CPU check for Hypervisor support and still installs the VMSwitch Cmlets
+# when disable_hypervisor is set to true
+# https://github.com/microsoft/Windows-Containers/issues/80
+
+- name: Add Hyper-V
+  win_shell: |
+    dism /online /enable-feature /featurename:Microsoft-Hyper-V /all /NoRestart
+  register: hyperv_installed
+  failed_when: hyperv_installed.rc != 1 and hyperv_installed.rc != 0
+
+- name: Disable Hypervisor
+  win_shell: |
+    dism /online /disable-feature /featurename:Microsoft-Hyper-V-Online /NoRestart
+  when: (disable_hypervisor | default(false) | bool)
+  register: hypervisor_disabled
+  failed_when: hypervisor_disabled.rc != 1 and hypervisor_disabled.rc != 0
+
+- name: Reboot
+  win_reboot:

ansible/windows/roles/systemprep/tasks/ssh-archive.yml

@@ -0,0 +1,73 @@
+# Copyright 2021 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create OpenSSH directory structure
+  win_file:
+    path:  "{{ item }}"
+    state: directory
+  loop: 
+    - '{{ programfiles.stdout | trim }}\OpenSSH'
+    - '{{ alluserprofile.stdout | trim }}\ssh'
+
+# Win32-OpenSSH requires SYSTEM and Administrator groups having Write
+# permissions on directory 'C:\Program Files\OpenSSH', authenticated
+# users having only Read and Execute permissions on it, see:
+#   https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH
+#
+#   "Make sure binary location has the Write permissions to just to SYSTEM,
+#   Administrator groups. Authenticated users should and only have Read and
+#   Execute."
+#
+# Folder 'C:\Program Files\OpenSSH' inherits users and permissions from its
+# parent folder when it is created, by default, SYSTEM and Administrator
+# already have Write permissions on it, the only exception is the inherited
+# user BUILTIN\Users has ReadAndExecute permission but only authenticated
+# users are allowed to have such permission, this prevent us from connecting
+# to the sshd server, just remove it.
+- name: Disable inheritance of OpenSSH directory
+  win_acl_inheritance:
+    path: '{{ programfiles.stdout | trim }}\OpenSSH'
+    state: absent
+    reorganize: yes
+- name: Remove permission for Users
+  win_acl:
+    path: '{{ programfiles.stdout | trim }}\OpenSSH'
+    user: BUILTIN\Users
+    rights: ReadAndExecute,Synchronize
+    type: allow
+    state: absent
+    inherit: 'None'
+    propagation: 'None'
+
+- name: Download OpenSSH Archive
+  win_get_url:
+    url: '{{ ssh_source_url }}'
+    dest: '{{ tempdir.stdout | trim }}\OpenSSH.zip'
+  register: ssh
+  retries: 5
+  delay: 3
+  until: ssh is not failed
+
+- name: Unzip OpenSSH Archive
+  win_unzip:
+    src: '{{ ssh.dest }}'
+    dest: '{{ tempdir.stdout | trim }}' 
+    recurse: no
+    delete_archive: yes
+
+- name: Install OpenSSH
+  win_shell: |
+    Get-ChildItem -Path "{{ tempdir.stdout | trim }}\OpenSSH-Win64\*" -Recurse | Move-Item -Destination "{{ programfiles.stdout | trim }}\OpenSSH"
+    Get-ChildItem -Path "{{ programfiles.stdout | trim }}\OpenSSH" | Unblock-File
+    & 'C:\Program Files\OpenSSH\install-sshd.ps1'

ansible/windows/roles/systemprep/tasks/ssh-feature.yml

@@ -0,0 +1,21 @@
+# Copyright 2021 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Requires admin rights to install 
+# https://docs.ansible.com/ansible/latest/user_guide/become.html#become-and-windows
+- name: Install OpenSSH
+  win_shell: Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
+  become: yes
+  become_method: runas
+  become_user: SYSTEM