Merge remote-tracking branch 'origin/master' into vsphere

# Conflicts: # Makefile
ik-vms-dockers · Dec 11, 2018 · 2aeb9f4 · 2aeb9f4
2 parents d64ca87 + 4f1b915
commit 2aeb9f4
Show file tree

Hide file tree

Showing 16 changed files with 706 additions and 98 deletions.
diff --git a/.gitignore b/.gitignore
@@ -4,4 +4,5 @@ output*/
 packer_cache/
 drivers/
 isos/
-packer.log
+*.log
+*.old
diff --git a/Makefile b/Makefile
@@ -1,90 +1,127 @@
 help:
-	@echo type make build-libvirt or make build-virtualbox
+	@echo for Windows 2012 R2 type make build-windows-2012-r2-libvirt or make build-windows-2012-r2-virtualbox
+	@echo for Windows 2016 type make build-windows-2016-libvirt or make build-windows-2016-virtualbox
+	@echo for Windows 2019 type make build-windows-2019-libvirt or make build-windows-2019-virtualbox
+	@echo for Windows 10 type make build-windows-10-libvirt or make build-windows-10-virtualbox
 
-build-libvirt: windows-2016-amd64-libvirt.box
+build-windows-2012-r2-virtualbox: windows-2012-r2-amd64-virtualbox.box
+build-windows-2012-r2-libvirt: windows-2012-r2-amd64-libvirt.box
 
-build-virtualbox: windows-2016-amd64-virtualbox.box
+build-windows-2016-libvirt: windows-2016-amd64-libvirt.box
+build-windows-2016-virtualbox: windows-2016-amd64-virtualbox.box
 
 build-vsphere: windows-2016-amd64-vsphere.box
 
 build-windows-2019-virtualbox: windows-2019-amd64-virtualbox.box
+build-windows-2019-libvirt: windows-2019-amd64-libvirt.box
 
 build-windows-server-core-1709-libvirt: windows-server-core-1709-amd64-libvirt.box
-
 build-windows-server-core-1709-virtualbox: windows-server-core-1709-amd64-virtualbox.box
 
 build-core-insider-libvirt: windows-core-insider-2016-amd64-libvirt.box
-
 build-core-insider-virtualbox: windows-core-insider-2016-amd64-virtualbox.box
 
 build-windows-10-libvirt: windows-10-amd64-libvirt.box
-
 build-windows-10-virtualbox: windows-10-amd64-virtualbox.box
 
+windows-2012-r2-amd64-libvirt.box: windows-2012-r2.json windows-2012-r2/autounattend.xml Vagrantfile.template *.ps1 drivers
+	rm -f $@
+	CHECKPOINT_DISABLE=1 PACKER_LOG=1 PACKER_LOG_PATH=windows-2012-r2-amd64-libvirt-packer.log \
+		packer build -only=windows-2012-r2-amd64-libvirt -on-error=abort windows-2012-r2.json
+	@echo BOX successfully built!
+	@echo to add to local vagrant install do:
+	@echo vagrant box add -f windows-2012-r2-amd64 $@
+
+windows-2012-r2-amd64-virtualbox.box: windows-2012-r2.json windows-2012-r2/autounattend.xml Vagrantfile.template *.ps1 drivers
+	rm -f $@
+	CHECKPOINT_DISABLE=1 PACKER_LOG=1 PACKER_LOG_PATH=windows-2012-r2-amd64-virtualbox-packer.log \
+		packer build -only=windows-2012-r2-amd64-virtualbox -on-error=abort windows-2012-r2.json
+	@echo BOX successfully built!
+	@echo to add to local vagrant install do:
+	@echo vagrant box add -f windows-2012-r2-amd64 $@
+
 windows-2016-amd64-libvirt.box: windows-2016.json autounattend.xml Vagrantfile.template *.ps1 drivers
 	rm -f $@
-	CHECKPOINT_DISABLE=1 packer build -only=windows-2016-amd64-libvirt -on-error=abort windows-2016.json
+	CHECKPOINT_DISABLE=1 PACKER_LOG=1 PACKER_LOG_PATH=windows-2016-amd64-libvirt-packer.log \
+		packer build -only=windows-2016-amd64-libvirt -on-error=abort windows-2016.json
 	@echo BOX successfully built!
 	@echo to add to local vagrant install do:
 	@echo vagrant box add -f windows-2016-amd64 $@
 
-windows-2016-amd64-virtualbox.box: windows-2016.json autounattend.xml Vagrantfile.template *.ps1
+windows-2016-amd64-virtualbox.box: windows-2016.json autounattend.xml Vagrantfile.template *.ps1 drivers
 	rm -f $@
-	CHECKPOINT_DISABLE=1 packer build -only=windows-2016-amd64-virtualbox -on-error=abort windows-2016.json
+	CHECKPOINT_DISABLE=1 PACKER_LOG=1 PACKER_LOG_PATH=windows-2016-amd64-virtualbox-packer.log \
+		packer build -only=windows-2016-amd64-virtualbox -on-error=abort windows-2016.json
 	@echo BOX successfully built!
 	@echo to add to local vagrant install do:
 	@echo vagrant box add -f windows-2016-amd64 $@
 
 windows-2016-amd64-vsphere.box: windows-2016.json autounattend.xml Vagrantfile.template *.ps1
 	rm -f $@
-	CHECKPOINT_DISABLE=1 packer build -on-error=abort windows-2016-vsphere.json
+	CHECKPOINT_DISABLE=1 PACKER_LOG=1 PACKER_LOG_PATH=windows-2016-amd64-vsphere-packer.log \
+		packer build -only=windows-2016-amd64-vsphere -on-error=abort windows-2016-vsphere.json
+	@echo BOX successfully built!
+
+windows-2019-amd64-libvirt.box: windows-2019.json windows-2019/autounattend.xml Vagrantfile.template *.ps1 drivers
+	rm -f $@
+	CHECKPOINT_DISABLE=1 PACKER_LOG=1 PACKER_LOG_PATH=windows-2019-amd64-libvirt-packer.log \
+		packer build -only=windows-2019-amd64-libvirt -on-error=abort windows-2019.json
 	@echo BOX successfully built!
+	@echo to add to local vagrant install do:
+	@echo vagrant box add -f windows-2019-amd64 $@
 
-windows-2019-amd64-virtualbox.box: windows-2019.json autounattend.xml Vagrantfile.template *.ps1
+windows-2019-amd64-virtualbox.box: windows-2019.json windows-2019/autounattend.xml Vagrantfile.template *.ps1 drivers
 	rm -f $@
-	CHECKPOINT_DISABLE=1 packer build -only=windows-2019-amd64-virtualbox -on-error=abort windows-2019.json
+	CHECKPOINT_DISABLE=1 PACKER_LOG=1 PACKER_LOG_PATH=windows-2019-amd64-virtualbox-packer.log \
+		packer build -only=windows-2019-amd64-virtualbox -on-error=abort windows-2019.json
 	@echo BOX successfully built!
 	@echo to add to local vagrant install do:
 	@echo vagrant box add -f windows-2019-amd64 $@
 
 windows-server-core-1709-amd64-libvirt.box: windows-server-core-1709.json windows-server-core-1709/autounattend.xml Vagrantfile.template *.ps1 drivers
 	rm -f $@
-	CHECKPOINT_DISABLE=1 packer build -only=windows-server-core-1709-amd64-libvirt -on-error=abort windows-server-core-1709.json
+	CHECKPOINT_DISABLE=1 PACKER_LOG=1 PACKER_LOG_PATH=windows-server-core-1709-amd64-libvirt-packer.log \
+		packer build -only=windows-server-core-1709-amd64-libvirt -on-error=abort windows-server-core-1709.json
 	@echo BOX successfully built!
 	@echo to add to local vagrant install do:
 	@echo vagrant box add -f windows-server-core-1709-amd64 $@
 
-windows-server-core-1709-amd64-virtualbox.box: windows-server-core-1709.json windows-server-core-1709/autounattend.xml Vagrantfile.template *.ps1
+windows-server-core-1709-amd64-virtualbox.box: windows-server-core-1709.json windows-server-core-1709/autounattend.xml Vagrantfile.template *.ps1 drivers
 	rm -f $@
-	CHECKPOINT_DISABLE=1 packer build -only=windows-server-core-1709-amd64-virtualbox -on-error=abort windows-server-core-1709.json
+	CHECKPOINT_DISABLE=1 PACKER_LOG=1 PACKER_LOG_PATH=windows-server-core-1709-amd64-virtualbox-packer.log \
+		packer build -only=windows-server-core-1709-amd64-virtualbox -on-error=abort windows-server-core-1709.json
 	@echo BOX successfully built!
 	@echo to add to local vagrant install do:
 	@echo vagrant box add -f windows-server-core-1709-amd64 $@
 
 windows-core-insider-2016-amd64-libvirt.box: windows-core-insider-2016.json windows-core-insider-2016/autounattend.xml Vagrantfile.template *.ps1 drivers
 	rm -f $@
-	CHECKPOINT_DISABLE=1 packer build -only=windows-core-insider-2016-amd64-libvirt -on-error=abort windows-core-insider-2016.json
+	CHECKPOINT_DISABLE=1 PACKER_LOG=1 PACKER_LOG_PATH=windows-core-insider-2016-amd64-libvirt-packer.log \
+		packer build -only=windows-core-insider-2016-amd64-libvirt -on-error=abort windows-core-insider-2016.json
 	@echo BOX successfully built!
 	@echo to add to local vagrant install do:
 	@echo vagrant box add -f windows-core-insider-2016-amd64 $@
 
-windows-core-insider-2016-amd64-virtualbox.box: windows-core-insider-2016.json windows-core-insider-2016/autounattend.xml Vagrantfile.template *.ps1
+windows-core-insider-2016-amd64-virtualbox.box: windows-core-insider-2016.json windows-core-insider-2016/autounattend.xml Vagrantfile.template *.ps1 drivers
 	rm -f $@
-	CHECKPOINT_DISABLE=1 packer build -only=windows-core-insider-2016-amd64-virtualbox -on-error=abort windows-core-insider-2016.json
+	CHECKPOINT_DISABLE=1 PACKER_LOG=1 PACKER_LOG_PATH=windows-core-insider-2016-amd64-virtualbox-packer.log \
+		packer build -only=windows-core-insider-2016-amd64-virtualbox -on-error=abort windows-core-insider-2016.json
 	@echo BOX successfully built!
 	@echo to add to local vagrant install do:
 	@echo vagrant box add -f windows-core-insider-2016-amd64 $@
 
 windows-10-amd64-libvirt.box: windows-10.json windows-10/autounattend.xml Vagrantfile.template *.ps1 drivers
 	rm -f $@
-	CHECKPOINT_DISABLE=1 packer build -only=windows-10-amd64-libvirt -on-error=abort windows-10.json
+	CHECKPOINT_DISABLE=1 PACKER_LOG=1 PACKER_LOG_PATH=windows-10-amd64-libvirt-packer.log \
+		packer build -only=windows-10-amd64-libvirt -on-error=abort windows-10.json
 	@echo BOX successfully built!
 	@echo to add to local vagrant install do:
 	@echo vagrant box add -f windows-10-amd64 $@
 
-windows-10-amd64-virtualbox.box: windows-10.json windows-10/autounattend.xml Vagrantfile.template *.ps1
+windows-10-amd64-virtualbox.box: windows-10.json windows-10/autounattend.xml Vagrantfile.template *.ps1 drivers
 	rm -f $@
-	CHECKPOINT_DISABLE=1 packer build -only=windows-10-amd64-virtualbox -on-error=abort windows-10.json
+	CHECKPOINT_DISABLE=1 PACKER_LOG=1 PACKER_LOG_PATH=windows-10-amd64-virtualbox-packer.log \
+		packer build -only=windows-10-amd64-virtualbox -on-error=abort windows-10.json
 	@echo BOX successfully built!
 	@echo to add to local vagrant install do:
 	@echo vagrant box add -f windows-10-amd64 $@
@@ -93,6 +130,10 @@ drivers:
 	rm -rf drivers.tmp
 	mkdir -p drivers.tmp
 	@# see https://fedoraproject.org/wiki/Windows_Virtio_Drivers
-	wget -P drivers.tmp https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.149-2/virtio-win-0.1.149.iso
+	wget -P drivers.tmp https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.160-1/virtio-win-0.1.160.iso
 	7z x -odrivers.tmp drivers.tmp/virtio-win-*.iso
+	7z a drivers.tmp/virtio-2012-r2.zip drivers.tmp/Balloon/2k12R2/amd64 drivers.tmp/vioserial/2k12R2/amd64
+	7z a drivers.tmp/virtio-10.zip drivers.tmp/Balloon/w10/amd64
+	7z a drivers.tmp/virtio-2016.zip drivers.tmp/Balloon/2k16/amd64
+	7z a drivers.tmp/virtio-2019.zip drivers.tmp/Balloon/2k16/amd64
 	mv drivers.tmp drivers
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-This builds a Windows Server 2016 base Vagrant box using [Packer](https://www.packer.io/).
+This builds Windows 2012R2/10/2016/2019 base Vagrant boxes using [Packer](https://www.packer.io/).
 
 
 # Usage
@@ -13,10 +13,10 @@ choco install -y virtualbox packer packer-provisioner-windows-update vagrant
 To build the base box based on the [Windows Server 2016 Evaluation](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016) ISO run:
 
 ```bash
-packer build -only=windows-2016-amd64-virtualbox windows-2016.json # or make build-libvirt
+make build-windows-2016-libvirt # or make build-windows-2016-virtualbox
 ```
 
-If you want to use your own ISO, run the following instead:
+If you want to use your own ISO, you need to manually run the `packer` command, e.g.:
 
 ```bash
 packer build -var iso_url=<ISO_URL> -var iso_checksum=<ISO_SHA256_CHECKSUM> -only=windows-2016-amd64-virtualbox windows-2016.json
@@ -27,13 +27,7 @@ packer build -var iso_url=<ISO_URL> -var iso_checksum=<ISO_SHA256_CHECKSUM> -onl
 **NB** if you are having trouble building the base box due to floppy drive removal errors try adding, as a
 workaround, `"post_shutdown_delay": "30s",` to the `windows-2016.json` file.
 
-**NB** To troubleshoot, before launching `packer`, you can set the following environment variables:
-
-```bash
-export CHECKPOINT_DISABLE=1
-export PACKER_LOG=1
-export PACKER_LOG_PATH=packer.log
-```
+**NB** the packer logs are saved inside a `*-packer.log` file (e.g. `windows-2016-amd64-libvirt-packer.log`).
 
 You can then add the base box to your local vagrant installation with:
 
@@ -64,7 +58,7 @@ vagrant up --provider=virtualbox # or --provider=libvirt
 Build the base box for the [vagrant-libvirt provider](https://github.com/vagrant-libvirt/vagrant-libvirt) with:
 
 ```bash
-make build-libvirt
+make build-windows-2016-libvirt
 ```
 
 If you want to access the UI run:
@@ -100,13 +94,25 @@ winrs -r:localhost:55985 -u:vagrant -p:vagrant "whoami /all"
 # WinRM and UAC (aka LUA)
 
 This base image uses WinRM. WinRM [poses several limitations on remote administration](http://www.hurryupandwait.io/blog/safely-running-windows-automation-operations-that-typically-fail-over-winrm-or-powershell-remoting),
-those were worked around by disabling User Account Control (UAC) (aka Limited User Account (LUA)) in `autounattend.xml`.
+those were worked around by disabling User Account Control (UAC) (aka [Limited User Account (LUA)](https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-lua-settings-enablelua)) in `autounattend.xml`
+and [UAC remote restrictions](https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows)
+ in `winrm.ps1`.
+
+If needed, you can later enable them with:
+
+```powershell
+Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 1
+Set-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 1
+Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name LocalAccountTokenFilterPolicy
+Restart-Computer
+```
 
-If needed, you can later enable it with:
+Or disable them with:
 
 ```powershell
-Set-ItemProperty -Path 'HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 1
-Set-ItemProperty -Path 'HKLM:SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 1
+Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 0
+Set-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 0
+New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name LocalAccountTokenFilterPolicy -Value 1 -Force
 Restart-Computer
 ```
 

diff --git a/libvirt-fix-cpu-driver.ps1 b/libvirt-fix-cpu-driver.ps1
@@ -0,0 +1,135 @@
+param(
+    [switch]$RunningAsScheduledTask = $false
+)
+
+# this is a fix for https://bugzilla.redhat.com/show_bug.cgi?id=1377155#c12
+
+Set-StrictMode -Version Latest
+$ProgressPreference = 'SilentlyContinue'
+$ErrorActionPreference = 'Stop'
+trap {
+    Write-Host
+    Write-Host "ERROR: $_"
+    Write-Host (($_.ScriptStackTrace -split '\r?\n') -replace '^(.*)$','ERROR: $1')
+    Write-Host (($_.Exception.ToString() -split '\r?\n') -replace '^(.*)$','ERROR EXCEPTION: $1')
+    Exit 1
+}
+
+# NB this fix only applies to qemu.
+if ('SeaBIOS' -ne (Get-WmiObject WIN32_BIOS -Property Manufacturer).Manufacturer) {
+    Exit 0
+}
+
+
+#
+# enable TLS 1.1 and 1.2.
+
+[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol `
+    -bor [Net.SecurityProtocolType]::Tls11 `
+    -bor [Net.SecurityProtocolType]::Tls12
+
+$taskName = 'libvirt-fix-cpu-driver'
+$transcriptPath = "C:\tmp\$taskName.log"
+$devConPath = 'C:\tmp\devcon.exe'
+
+function Get-Devices($filter='*') {
+    # example devcon output:
+    #
+    #   SWD\PRINTENUM\{385C45DF-7B30-4EB4-886E-7EFDD3817A40}
+    #       Name: Microsoft Print to PDF
+    #       Driver is running.
+    #   {6FDE7547-1B65-48AE-B628-80BE62016026}\VIOSERIALPORT\4&176259CF&0&01
+    #       Name: vport0p1
+    #       Driver is running.
+    #   55 matching device(s) found.
+    $devices = @()
+    &$devConPath status $filter | ForEach-Object {$device=$null} {
+        # detect the start of a new device block.
+        if ($_ -match '^[^\d][^\\]+\\.+') {
+            $device = New-Object PSObject -Property @{
+                Id = $_
+                Name = ''
+                State = ''
+            }
+            $devices += $device
+            return
+        }
+        # detect the driver name field.
+        if ($_ -match '^\s+Name: (.+)') {
+            $device.Name = $matches[1].Trim()
+            return
+        }
+        # detect the driver state field.
+        if ($_ -match '^\s+.+') {
+            $device.State = $_.Trim()
+            return
+        }
+    }
+    return $devices
+}
+
+function Get-HidButtonDevice {
+    Get-Devices 'ACPI\ACPI0010*' | Where-Object {$_.Name -eq 'HID Button over Interrupt Driver'}
+}
+
+if ($RunningAsScheduledTask) {
+    Start-Transcript $transcriptPath
+    $device = Get-HidButtonDevice
+    if ($device) {
+        Write-Output "Removing the $($device.Name) ($($device.Id)) device..."
+        &$devConPath remove "@$($device.Id)"
+        # NB touching these registry keys requires us to be running as SYSTEM.
+        Remove-Item (Resolve-Path HKLM:\SYSTEM\DriverDataBase\DriverPackages\hidinterrupt.inf_amd64_*\Descriptors\ACPI\ACPI0010)
+        Remove-ItemProperty -Path HKLM:\SYSTEM\DriverDatabase\DeviceIds\ACPI\ACPI0010 -Name hidinterrupt.inf
+        Write-Output 'Rescanning the devices...'
+        &$devConPath rescan
+    }
+} else {
+    if (!(Test-Path $devConPath)) {
+        $archiveUrl = 'https://github.com/rgl/devcon/releases/download/20181014/devcon.zip'
+        $archiveHash = '64b3380743722c7e72efbd63d35dd5fe4427ee852462299aa334437f244d7ea3'
+        $archiveName = Split-Path -Leaf $archiveUrl
+        $archivePath = "$env:TEMP\$archiveName"
+        Write-Host "Downloading $archiveName..."
+        (New-Object Net.WebClient).DownloadFile($archiveUrl, $archivePath)
+        $archiveActualHash = (Get-FileHash $archivePath -Algorithm SHA256).Hash
+        if ($archiveHash -ne $archiveActualHash) {
+            throw "$archiveName downloaded from $archiveUrl to $archivePath has $archiveActualHash hash witch does not match the expected $archiveHash"
+        }
+        Write-Host "Extracting $archiveName..."
+        Expand-Archive $archivePath (Split-Path -Parent $devConPath)
+    }
+
+    if (Get-HidButtonDevice) {
+        Write-Output 'Registering Scheduled Task...'
+        $action = New-ScheduledTaskAction `
+            -Execute 'PowerShell.exe' `
+            -Argument "-NoProfile -ExecutionPolicy Bypass $PSCommandPath -RunningAsScheduledTask"
+        Register-ScheduledTask `
+            -TaskName $taskName `
+            -Action $action `
+            -User 'SYSTEM' `
+            | Out-Null
+        Start-ScheduledTask `
+            -TaskName $taskName
+
+        Write-Output 'Waiting for the Scheduled Task to complete...'
+        while ((Get-ScheduledTask -TaskName $taskName).State -ne 'Ready') {
+            Start-Sleep -Seconds 1
+        }
+        $taskInfo = Get-ScheduledTaskInfo -TaskName $taskName
+        $taskResult = $taskInfo.LastTaskResult
+
+        Write-Output 'Unregistering Scheduled Task...'
+        Unregister-ScheduledTask `
+            -TaskName $taskName `
+            -Confirm:$false
+
+        Write-Output 'Scheduled Task output:'
+        Get-Content -ErrorAction SilentlyContinue $transcriptPath
+        Write-Output "Scheduled Task result: $taskResult"
+        Remove-Item $transcriptPath
+    }
+
+    Remove-Item $devConPath
+}