diff --git a/collections/requirements.yml b/collections/requirements.yml index 8ada595..0f9f4ba 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -34,5 +34,5 @@ collections: - name: community.crypto source: https://galaxy.ansible.com - - name: onepassword.connect - - name: ansible.posix +## - name: onepassword.connect +# - name: ansible.posix diff --git a/context/Containerfile b/context/Containerfile index 3dfc9aa..8361b4d 100644 --- a/context/Containerfile +++ b/context/Containerfile @@ -1,4 +1,4 @@ -ARG EE_BASE_IMAGE=quay.io/ansible/ansible-runner:stable-2.10-devel +ARG EE_BASE_IMAGE=registry.redhat.io/ansible-automation-platform-20-early-access/ee-supported-rhel8:latest ARG EE_BUILDER_IMAGE=quay.io/ansible/ansible-builder:latest FROM $EE_BASE_IMAGE as galaxy diff --git a/context/_build/ansible.cfg b/context/_build/ansible.cfg index 3d65d35..aab5095 100644 --- a/context/_build/ansible.cfg +++ b/context/_build/ansible.cfg @@ -1,6 +1,5 @@ [defaults] # Use the YAML callback plugin. -#stdout_callback = yaml stdout_callback = community.general.yaml callback_enabled = community.general.yaml # Profile diff --git a/context/_build/requirements.yml b/context/_build/requirements.yml index 8ada595..0f9f4ba 100644 --- a/context/_build/requirements.yml +++ b/context/_build/requirements.yml @@ -34,5 +34,5 @@ collections: - name: community.crypto source: https://galaxy.ansible.com - - name: onepassword.connect - - name: ansible.posix +## - name: onepassword.connect +# - name: ansible.posix diff --git a/cvpublish.yml b/cvpublish.yml index da51a1d..404147c 100644 --- a/cvpublish.yml +++ b/cvpublish.yml 
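Review bot: Commenting out `ansible.posix` in collections/requirements.yml (and identically in context/_build/requirements.yml further along this line) contradicts the rest of this commit, where roles/ikke_t.podman_container_systemd switches to `ansible.posix.firewalld` and adds `ansible.posix` to its own requirements.yml. Unless the new ee-supported base image already bundles that collection, an execution environment built from this file cannot resolve the FQCN, so the role's firewall task fails at run time instead of at build time. Keep `  - name: ansible.posix` active, or add a comment stating the collection is expected from the base image. The doubled `##` on the onepassword.connect line also reads like a typo for the single `#` used on the line below it.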
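Review bot: `EE_BASE_IMAGE` now points at an early-access image through the floating `:latest` tag, so every build of this Containerfile (and of execution-environment.yml, which gets the same default on the next line) can silently pick up a different toolchain, and a past build cannot be reproduced or audited. Pin it to a versioned tag or, better, a digest: `ARG EE_BASE_IMAGE=registry.redhat.io/ansible-automation-platform-20-early-access/ee-supported-rhel8:<VERSION-TAG>` or `...ee-supported-rhel8@sha256:<DIGEST>`. registry.redhat.io also requires a login that the previous quay.io image did not; a one-line comment naming that prerequisite would save the next person a failed `ansible-builder` run.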
@@ -25,7 +25,7 @@ - name: Pre-tasks | Extract list of content views set_fact: sat6_content_views_list: "{{ sat6_content_views_list|default([]) }} + ['{{ item.name }}' ]" - loop: "{{ list_all_cvs | reject('search', 'Default_Organization_View') | list }}" + loop: "{{ list_all_cvs | reject('search', 'Default Organization View') | list }}" when: item.composite == false - name: Publish content diff --git a/execution-environment.yml b/execution-environment.yml index 0991621..2d386d0 100644 --- a/execution-environment.yml +++ b/execution-environment.yml @@ -2,11 +2,10 @@ version: 1 build_arg_defaults: - EE_BASE_IMAGE: 'quay.io/ansible/ansible-runner:stable-2.10-devel' + EE_BASE_IMAGE: 'registry.redhat.io/ansible-automation-platform-20-early-access/ee-supported-rhel8:latest' ansible_config: '../../../.ansible.cfg' dependencies: galaxy: collections/requirements.yml python: requirements.txt - system: bindep.txt diff --git a/rhv_setup.yml b/rhv_setup.yml index 0039d2d..44e2d4b 100644 --- a/rhv_setup.yml +++ b/rhv_setup.yml @@ -13,6 +13,8 @@ ignore_errors: yes register: key_info + - set_fact: have_valid_cert=false + - set_fact: have_valid_cert: "{{ (key_info.not_after|to_datetime('%Y%m%d%H%M%SZ')).timestamp() > ansible_date_time.epoch|int + 2592000 }}" when: @@ -24,8 +26,8 @@ connection: local gather_facts: false # This doesn't belong here - vars: - acme_certificate_root_certificate: https://letsencrypt.org/certs/trustid-x3-root.pem.txt + #vars: + # acme_certificate_root_certificate: https://letsencrypt.org/certs/trustid-x3-root.pem.txt pre_tasks: @@ -56,7 +58,7 @@ roles: - name: felixfontein.acme_certificate - when: not have_valid_cert + when: have_valid_cert is defined and not have_valid_cert post_tasks: - name: Remove tempfile 
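Review bot: The first new task in rhv_setup.yml, `- set_fact: have_valid_cert=false`, uses the key=value shorthand while the sibling task directly below it uses block YAML; write it as `- set_fact:` / `    have_valid_cert: false` so both read the same way. Because that fact is now always defined, the `is defined` added to the role's `when:` in the third hunk is redundant — unless the certificate-check play and the later `connection: local` play target different hosts, in which case set_fact does not carry over at all; the `hosts:` lines are outside these hunks, so a comment stating which host owns the fact would settle it either way. The `#vars:` / `# acme_certificate_root_certificate:` pair in the second hunk is dead configuration; remove it or note why it is kept.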
@@ -209,3 +211,11 @@ register: networkinfo - debug: msg="{{networkinfo}}" + +- name: Reminder + hosts: localhost + connection: local + tasks: + - name: Reminder + debug: "Don't forget to add tso off gro off gso off lro off to i217-LM NIC's (eg: Dell Optiplex)!" +# https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/sect-hosts_and_networking#Editing_Host_Network_Interfaces_and_Assigning_Logical_Networks_to_Hosts diff --git a/roles/felixfontein.acme_certificate/meta/.galaxy_install_info b/roles/felixfontein.acme_certificate/meta/.galaxy_install_info index 8a6f868..ef65773 100644 --- a/roles/felixfontein.acme_certificate/meta/.galaxy_install_info +++ b/roles/felixfontein.acme_certificate/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Mon Apr 19 15:24:27 2021 +install_date: Fri Oct 15 18:59:51 2021 version: 1.1.1 diff --git a/roles/geerlingguy.gitlab/meta/.galaxy_install_info b/roles/geerlingguy.gitlab/meta/.galaxy_install_info index e2f8f49..d227190 100644 --- a/roles/geerlingguy.gitlab/meta/.galaxy_install_info +++ b/roles/geerlingguy.gitlab/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Wed Jun 30 01:12:45 2021 +install_date: Fri Oct 15 18:59:12 2021 version: 3.1.0 diff --git a/roles/geerlingguy.java/meta/.galaxy_install_info b/roles/geerlingguy.java/meta/.galaxy_install_info index 8bb584f..87da7f1 100644 --- a/roles/geerlingguy.java/meta/.galaxy_install_info +++ b/roles/geerlingguy.java/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Wed Jun 30 01:12:44 2021 +install_date: Fri Oct 15 18:59:11 2021 version: 1.10.0 diff --git a/roles/ikke_t.container_image_cleanup/meta/.galaxy_install_info b/roles/ikke_t.container_image_cleanup/meta/.galaxy_install_info index e3790ed..150d893 100644 --- a/roles/ikke_t.container_image_cleanup/meta/.galaxy_install_info +++ b/roles/ikke_t.container_image_cleanup/meta/.galaxy_install_info 
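Review bot: The new Reminder play hands a bare string to `debug:`, and debug is not a free-form module, so Ansible will most likely reject the task with an unsupported `_raw_params` error instead of printing the reminder. Pass the text through `msg:` instead: `debug:` / `  msg: "Don't forget to add tso off gro off gso off lro off to i217-LM NIC's (eg: Dell Optiplex)!"`. The trailing `# https://access.redhat.com/...` reference would be easier to find as a comment placed above the task it explains rather than after the play.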
@@ -1,2 +1,2 @@ -install_date: Wed Jun 30 01:12:56 2021 +install_date: Fri Oct 15 18:59:25 2021 version: master diff --git a/roles/ikke_t.podman_container_systemd/README.md b/roles/ikke_t.podman_container_systemd/README.md index 56e37d7..8950042 100644 --- a/roles/ikke_t.podman_container_systemd/README.md +++ b/roles/ikke_t.podman_container_systemd/README.md @@ -98,6 +98,7 @@ Dependencies ------------ * [containers.podman](https://galaxy.ansible.com/containers/podman) (collection) +* [ansible.posix](https://galaxy.ansible.com/ansible/posix) (collection) Example Playbook ---------------- diff --git a/roles/ikke_t.podman_container_systemd/defaults/main.yml b/roles/ikke_t.podman_container_systemd/defaults/main.yml index 29eee9f..879fd31 100644 --- a/roles/ikke_t.podman_container_systemd/defaults/main.yml +++ b/roles/ikke_t.podman_container_systemd/defaults/main.yml @@ -7,7 +7,7 @@ container_state: running # see man systemd.service for info # by default we want to restart failed container container_restart: on-failure -service_files_dir: /etc/systemd/system +service_files_dir: /usr/local/lib/systemd/system systemd_scope: system systemd_TimeoutStartSec: 15 systemd_RestartSec: 30 @@ -17,6 +17,15 @@ container_run_as_user: root container_run_as_group: root container_stop_timeout: 15 +# SystemD dependencies (some are hardcoded; see templates) +systemd_After: [network.target] +systemd_Before: [] +systemd_Conflicts: [] +systemd_RequiredBy: [] +systemd_Requires: [] +systemd_WantedBy: [] +systemd_Wants: [] + # systemd service name service_name: "{{ container_name }}-container-pod-{{ container_run_as_user }}.service" diff --git a/roles/ikke_t.podman_container_systemd/meta/.galaxy_install_info b/roles/ikke_t.podman_container_systemd/meta/.galaxy_install_info index 877d2c3..8c69d0f 100644 --- a/roles/ikke_t.podman_container_systemd/meta/.galaxy_install_info +++ b/roles/ikke_t.podman_container_systemd/meta/.galaxy_install_info 
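Review bot: Moving `service_files_dir` to /usr/local/lib/systemd/system affects hosts already managed by version 2.1.0 of this role: systemd gives /etc/systemd/system precedence over /usr/local/lib/systemd/system, so a unit left behind at the old path keeps shadowing the one the role now writes, and later changes to `container_*` variables appear to apply but do not. Neither this hunk nor the `set systemd scope` task in tasks/main.yml (next line) detects or removes the old unit; a task that fails or cleans up when `/etc/systemd/system/{{ service_name }}` exists, or at least a comment here describing the migration step, would avoid that. The new `systemd_*` list defaults are fine, but the comment `(some are hardcoded; see templates)` could say which — `WantedBy=multi-user.target`/`default.target` is always emitted, so anyone setting `systemd_WantedBy` gets both.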
@@ -1,2 +1,2 @@ -install_date: Wed Jun 30 01:12:54 2021 -version: 2.1.0 +install_date: Fri Oct 15 18:59:22 2021 +version: 2.2.0 diff --git a/roles/ikke_t.podman_container_systemd/meta/main.yml b/roles/ikke_t.podman_container_systemd/meta/main.yml index bccfb7a..097c2b1 100644 --- a/roles/ikke_t.podman_container_systemd/meta/main.yml +++ b/roles/ikke_t.podman_container_systemd/meta/main.yml @@ -36,7 +36,8 @@ dependencies: when: > (ansible_distribution == 'Debian' and ansible_distribution_release == 'buster') or - ansible_distribution == 'Ubuntu' + (ansible_distribution == 'Ubuntu' and + ansible_distribution_version is version('21.04', '<')) collections: - containers.podman diff --git a/roles/ikke_t.podman_container_systemd/requirements.yml b/roles/ikke_t.podman_container_systemd/requirements.yml index 68b4a8e..397ca6b 100644 --- a/roles/ikke_t.podman_container_systemd/requirements.yml +++ b/roles/ikke_t.podman_container_systemd/requirements.yml @@ -1,3 +1,4 @@ --- collections: + - ansible.posix - containers.podman diff --git a/roles/ikke_t.podman_container_systemd/tasks/main.yml b/roles/ikke_t.podman_container_systemd/tasks/main.yml index bdea812..bfa8f1f 100644 --- a/roles/ikke_t.podman_container_systemd/tasks/main.yml +++ b/roles/ikke_t.podman_container_systemd/tasks/main.yml @@ -38,11 +38,20 @@ - name: set systemd scope to system if needed set_fact: systemd_scope: system - service_files_dir: '/etc/systemd/system' + service_files_dir: /usr/local/lib/systemd/system xdg_runtime_dir: "/run/user/{{ container_run_as_uid.stdout }}" when: container_run_as_user == "root" changed_when: false +- name: create local systemd directory + when: service_files_dir == '/usr/local/lib/systemd/system' + file: + group: root + mode: u=rwX,go=rX + owner: root + path: /usr/local/lib/systemd/system/ + state: directory + - name: check if service file exists already stat: path: "{{ service_files_dir }}/{{ service_name }}" 
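Review bot: The new `create local systemd directory` task in tasks/main.yml hardcodes /usr/local/lib/systemd/system a third time (the fact above it, the `when:`, and `path:`); using `path: "{{ service_files_dir }}"` with the same `when:` keeps the guard and the path from drifting apart. The task also carries no `become:` in this hunk, while the other tasks added to this file set it explicitly; if the play is not already privileged, creating a directory under /usr/local/lib fails — and if privilege is inherited from the play, a short comment saying so would help. The trailing slash in `path:` is harmless but inconsistent with the unquoted value set two tasks earlier.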
@@ -95,6 +104,7 @@ # https://github.com/containers/libpod/issues/5570 # command: podman inspect -f {{.Id}} "{{ container_image }}" command: "podman image inspect -f '{{ '{{' }}.Id{{ '}}' }}' {{ item }}" + changed_when: false register: pre_pull_id ignore_errors: true when: @@ -121,6 +131,7 @@ - name: running single container, get image Id if it exists command: "podman image inspect -f '{{ '{{' }}.Id{{ '}}' }}' {{ item }}" + changed_when: false become: true become_user: "{{ container_run_as_user }}" register: post_pull_id @@ -204,6 +215,18 @@ - service_file_before_template.stat.exists - service_file.changed + - name: ensure auto update is running for images + become: true + become_user: "{{ container_run_as_user }}" + environment: + XDG_RUNTIME_DIR: "{{ xdg_runtime_dir }}" + systemd: + name: podman-auto-update.timer + daemon_reload: true + scope: "{{ systemd_scope }}" + state: started + enabled: true + when: container_state == "running" - name: configure firewall if container_firewall_ports is defined @@ -247,7 +270,7 @@ - name: ensure container's exposed ports firewall state tags: firewall - firewalld: + ansible.posix.firewalld: port: "{{ item }}" permanent: true immediate: true diff --git a/roles/ikke_t.podman_container_systemd/templates/systemd-service-pod.j2 b/roles/ikke_t.podman_container_systemd/templates/systemd-service-pod.j2 index 6dde870..309753b 100644 --- a/roles/ikke_t.podman_container_systemd/templates/systemd-service-pod.j2 +++ b/roles/ikke_t.podman_container_systemd/templates/systemd-service-pod.j2 @@ -1,6 +1,20 @@ [Unit] Description={{ container_name }} Podman Container -After=network.target +{% for unit in systemd_After %} +After={{ unit }} +{% endfor %} +{% for unit in systemd_Before %} +Before={{ unit }} +{% endfor %} +{% for unit in systemd_Conflicts %} +Conflicts={{ unit }} +{% endfor %} +{% for unit in systemd_Requires %} +Requires={{ unit }} +{% endfor %} +{% for unit in systemd_Wants %} +Wants={{ unit }} +{% endfor %} [Service] Type=forking 
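Review bot: The `ensure auto update is running for images` task enables a host-wide `podman-auto-update.timer` on every run where `container_state == "running"`, with no variable to opt out. That timer periodically pulls fresh image content from registries and restarts any container labelled for auto-update — including ones this role did not create — which is an unattended supply-chain change the consumer of the role should have to ask for. Guard it behind a default-off toggle, e.g. `when: container_state == "running" and (container_auto_update | default(false) | bool)`, and document in defaults/main.yml that the `PODMAN_SYSTEMD_UNIT` line added to the templates is what makes a unit eligible. The `changed_when: false` added to the two inspect commands in the earlier hunks is correct and overdue.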
@@ -18,6 +32,7 @@ ExecReload=-/usr/bin/podman pod rm -f {{ container_name }} ExecStop=-/usr/bin/podman pod rm -f {{ container_name }} Restart={{ container_restart }} RestartSec={{ systemd_RestartSec }} +Environment=PODMAN_SYSTEMD_UNIT=%n [Install] {% if container_run_as_user == 'root' %} @@ -26,3 +41,9 @@ WantedBy=multi-user.target {% if container_run_as_user != 'root' %} WantedBy=default.target {% endif %} +{% for unit in systemd_RequiredBy %} +RequiredBy={{ unit }} +{% endfor %} +{% for unit in systemd_WantedBy %} +WantedBy={{ unit }} +{% endfor %} diff --git a/roles/ikke_t.podman_container_systemd/templates/systemd-service-single.j2 b/roles/ikke_t.podman_container_systemd/templates/systemd-service-single.j2 index bc648d0..559a799 100644 --- a/roles/ikke_t.podman_container_systemd/templates/systemd-service-single.j2 +++ b/roles/ikke_t.podman_container_systemd/templates/systemd-service-single.j2 @@ -1,10 +1,26 @@ [Unit] Description={{ container_name }} Podman Container -After=network.target +{% for unit in systemd_After %} +After={{ unit }} +{% endfor %} +{% for unit in systemd_Before %} +Before={{ unit }} +{% endfor %} +{% for unit in systemd_Conflicts %} +Conflicts={{ unit }} +{% endfor %} +{% for unit in systemd_Requires %} +Requires={{ unit }} +{% endfor %} +{% for unit in systemd_Wants %} +Wants={{ unit }} +{% endfor %} [Service] Type=simple TimeoutStartSec={{ systemd_TimeoutStartSec }} +ExecStartPre=-/usr/bin/podman stop -t {{ container_stop_timeout|quote }} {{ container_name|quote }} +ExecStartPre=-/usr/bin/podman rm -f {{ container_name|quote }} ExecStartPre=-/usr/bin/rm -f {{ pidfile }} {{ cidfile }} {% if container_run_as_user == 'root' %} User={{ container_run_as_user }} @@ -22,6 +38,7 @@ Restart={{ container_restart }} RestartSec={{ systemd_RestartSec }} KillMode=mixed PIDFile={{ pidfile }} +Environment=PODMAN_SYSTEMD_UNIT=%n [Install] {% if container_run_as_user == 'root' %} 
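Review bot: The two new `ExecStartPre=` lines in systemd-service-single.j2 pass `container_name|quote` and `container_stop_timeout|quote`, but the `rm -f {{ pidfile }} {{ cidfile }}` line right below them and every Exec line in systemd-service-pod.j2 in the hunks above interpolate unquoted; pick one convention per template. `|quote` applies POSIX shell quoting while systemd parses `Exec=` lines itself — it accepts single quotes, so this works, but a comment saying the quoting is intentional would stop the next reader from removing it. `Environment=PODMAN_SYSTEMD_UNIT=%n` is what lets `podman auto-update` identify the unit; a one-line comment above it would make the link to the new timer task in tasks/main.yml explicit.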
@@ -30,3 +47,9 @@ WantedBy=multi-user.target {% if container_run_as_user != 'root' %} WantedBy=default.target {% endif %} +{% for unit in systemd_RequiredBy %} +RequiredBy={{ unit }} +{% endfor %} +{% for unit in systemd_WantedBy %} +WantedBy={{ unit }} +{% endfor %} diff --git a/roles/oatakan.ansible-role-ovirt/meta/.galaxy_install_info b/roles/oatakan.ansible-role-ovirt/meta/.galaxy_install_info index d8dccdf..a037129 100644 --- a/roles/oatakan.ansible-role-ovirt/meta/.galaxy_install_info +++ b/roles/oatakan.ansible-role-ovirt/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Wed Jun 30 01:12:51 2021 +install_date: Fri Oct 15 18:59:19 2021 version: '' diff --git a/roles/oatakan.ansible-role-ovirt/tasks/deprovision.yml b/roles/oatakan.ansible-role-ovirt/tasks/deprovision.yml index d3ae173..477d815 100644 --- a/roles/oatakan.ansible-role-ovirt/tasks/deprovision.yml +++ b/roles/oatakan.ansible-role-ovirt/tasks/deprovision.yml @@ -58,7 +58,7 @@ until: disks_deletion.finished retries: "{{ instance_wait_retry_limit }}" delay: 10 - with_items: "{{ delete_disks.results }}" + loop: "{{ delete_disks.results }}" when: - nodes is defined - delete_disks.results is defined diff --git a/roles/oatakan.ansible-role-ovirt/tasks/provision.yml b/roles/oatakan.ansible-role-ovirt/tasks/provision.yml index ac1835d..75ea7fb 100644 --- a/roles/oatakan.ansible-role-ovirt/tasks/provision.yml +++ b/roles/oatakan.ansible-role-ovirt/tasks/provision.yml @@ -48,7 +48,7 @@ retries: "{{ instance_wait_retry_limit }}" delay: 10 no_log: true - with_items: "{{ deploy.results }}" + loop: "{{ deploy.results }}" when: - nodes is defined - deploy.results is defined @@ -85,7 +85,7 @@ until: disks_creation.finished retries: "{{ instance_wait_retry_limit }}" delay: 10 - with_items: "{{ create_disks.results }}" + loop: "{{ create_disks.results }}" when: - nodes is defined - create_disks.results is defined 
@@ -110,7 +110,7 @@ nic_name: "{{ item.networks[0].nic_name | default(item.networks[0].device_name) | default('eth0') }}" nic_on_boot: true host_name: "{{ item.name }}.{{ item.domain | default('') }}" - dns_servers: "{{ item.dns_servers|join(' ') | default([]) }}" + dns_servers: "{{ (item.dns_servers | default([])) | join(' ') }}" custom_script: "{{ item.custom_script | default('') }}" user_name: "{{ item.user_name | default('') }}" root_password: "{{ item.root_password | default('') }}" @@ -144,7 +144,7 @@ - name: combine deployment results set_fact: deploy_results: "{{ deploy_results|default([]) + [ item ] }}" - with_items: "{{ deploy_linux.results + deploy_windows.results }}" + loop: "{{ deploy_linux.results + deploy_windows.results }}" when: - nodes is defined - item.ansible_job_id is defined @@ -156,7 +156,7 @@ until: instances.finished retries: "{{ instance_wait_retry_limit }}" delay: 10 - with_items: "{{ deploy_results }}" + loop: "{{ deploy_results }}" when: - nodes is defined - deploy_results is defined diff --git a/roles/oatakan.ansible-role-ovirt/tasks/wait_for_ip.yml b/roles/oatakan.ansible-role-ovirt/tasks/wait_for_ip.yml index 8db9f4d..9c445bc 100644 --- a/roles/oatakan.ansible-role-ovirt/tasks/wait_for_ip.yml +++ b/roles/oatakan.ansible-role-ovirt/tasks/wait_for_ip.yml 
@@ -1,31 +1,33 @@ --- -#- name: waiting for ip address to be assigned -# ovirt_nic_info: -# auth: "{{ ovirt_auth }}" -# vm: "{{ item.vm.name }}" -# name: nic1 -# register: nics -# until: -# - nics.ovirt_nics | length > 0 -# - nics.ovirt_nics[0].reported_devices | length > 0 -# - nics.ovirt_nics[0].reported_devices[0].ips is defined -# - nics.ovirt_nics[0].reported_devices[0].ips | length > 0 -# - nics.ovirt_nics[0].reported_devices[0].ips[0].address is defined -# - nics.ovirt_nics[0].reported_devices[0].ips[0].version == 'v4' -# retries: 300 -# delay: 10 -# with_items: "{{ instances.results }}" -# when: -# - nodes is defined -# - instances.results is defined -# - item.vm is defined +- name: waiting for ip address to be assigned + ovirt_nic_info: + auth: "{{ ovirt_auth }}" + vm: "{{ item.vm.name }}" + name: nic1 + fetch_nested: yes + nested_attributes: + - ips + register: nics + until: + - nics.ovirt_nics | length > 0 + - nics.ovirt_nics[0].reported_devices | length > 0 + - reported_ipv4_addresses | length + retries: 300 + delay: 10 + loop: "{{ instances.results }}" + when: + - nodes is defined + - instances.results is defined + - item.vm is defined + vars: + reported_ipv4_addresses: "{{ (nics.ovirt_nics[0].reported_devices | json_query('[*].ips[?version==`v4`].address') | flatten) | default([]) }}" - name: waiting for servers to come online on predefined ip wait_for: host: "{{ item.networks[0].ip }}" port: "{{ item.ansible_port | default(ansible_port) | default('22') }}" - with_items: "{{ nodes }}" + loop: "{{ nodes }}" when: - nodes is defined - item.networks is defined 
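Review bot: `fetch_nested: yes` in the re-enabled task should be `fetch_nested: true`, matching the `true`/`false` used elsewhere in these roles and avoiding YAML 1.1 truthy parsing differences. The `until:` list only works because Ansible evaluates its conditions in order and stops at the first false one: `reported_ipv4_addresses` indexes `nics.ovirt_nics[0]`, which only the two preceding length checks guarantee exists. That ordering dependency deserves a comment on the `vars:` entry, e.g. `# evaluated lazily; the until checks above guarantee ovirt_nics[0] exists`.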
@@ -33,9 +35,9 @@ - name: waiting for servers to come online on dhcp ip wait_for: - host: "{{ (item.ovirt_nics[0].reported_devices[0].ips | json_query('[?version==`v4`].address'))[0] }}" + host: "{{ (item.ovirt_nics[0].reported_devices | json_query('[*].ips[?version==`v4`].address'))[0][0] | default('') }}" port: "{{ item.item.item.item.ansible_port | default(ansible_port) | default('22') }}" - with_items: "{{ nics.results }}" + loop: "{{ nics.results }}" when: - nodes is defined - nics.results is defined @@ -55,15 +57,14 @@ until: - nics.ovirt_nics | length > 0 - nics.ovirt_nics[0].reported_devices | length > 0 - - nics.ovirt_nics[0].reported_devices[0].ips | length > 0 - - nics.ovirt_nics[0].reported_devices[0].ips[0].address is defined - - nics.ovirt_nics[0].reported_devices[0].ips[0].version == 'v4' - - nics.ovirt_nics[0].reported_devices[0].ips[0].address == item.networks[0].ip + - item.networks[0].ip in reported_ipv4_addresses retries: "{{ ip_wait_retry_limit }}" delay: 10 - with_items: "{{ nodes }}" + loop: "{{ nodes }}" when: - wait_for_static_ip_assigned|bool - nodes is defined - item.networks | length > 0 - - item.networks[0].ip is defined \ No newline at end of file + - item.networks[0].ip is defined + vars: + reported_ipv4_addresses: "{{ (nics.ovirt_nics[0].reported_devices | json_query('[*].ips[?version==`v4`].address') | flatten) | default([]) }}" \ No newline at end of file diff --git a/roles/oatakan.ansible-role-ovirt/tasks/wait_for_ip_pre29.yml b/roles/oatakan.ansible-role-ovirt/tasks/wait_for_ip_pre29.yml index aa52ab7..2f2ee18 100644 --- a/roles/oatakan.ansible-role-ovirt/tasks/wait_for_ip_pre29.yml +++ b/roles/oatakan.ansible-role-ovirt/tasks/wait_for_ip_pre29.yml 
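Review bot: The new `host:` expression for the dhcp-ip wait takes `[0][0]` of the per-device lists and then falls back to `default('')`; if the first reported device has no IPv4 address, `wait_for` receives an empty host, and as far as I can tell an empty host makes the socket connect to the controller itself, so the task can report the guest "online" without ever probing it. Flatten across devices as the sibling task now does and let a missing address fail loudly: append `| flatten | first` to the json_query result and drop the `default('')`. The corresponding task in wait_for_ip_pre29.yml (hunk on the line after next) was not updated and still reads `reported_devices[0].ips`.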
@@ -1,31 +1,30 @@ --- -#- name: waiting for ip address to be assigned (<2.9) -# ovirt_nic_facts: -# auth: "{{ ovirt_auth }}" -# vm: "{{ item.vm.name }}" -# name: nic1 -# register: nics -# until: -# - nics.ansible_facts.ovirt_nics | length > 0 -# - nics.ansible_facts.ovirt_nics[0].reported_devices | length > 0 -# - nics.ansible_facts.ovirt_nics[0].reported_devices[0].ips is defined -# - nics.ansible_facts.ovirt_nics[0].reported_devices[0].ips | length > 0 -# - nics.ansible_facts.ovirt_nics[0].reported_devices[0].ips[0].address is defined -# - nics.ansible_facts.ovirt_nics[0].reported_devices[0].ips[0].version == 'v4' -# retries: 300 -# delay: 10 -# with_items: "{{ instances.results }}" -# when: -# - nodes is defined -# - instances.results is defined -# - item.vm is defined +- name: waiting for ip address to be assigned (<2.9) + ovirt_nic_facts: + auth: "{{ ovirt_auth }}" + vm: "{{ item.vm.name }}" + name: nic1 + register: nics + until: + - nics.ansible_facts.ovirt_nics | length > 0 + - nics.ansible_facts.ovirt_nics[0].reported_devices | length > 0 + - reported_ipv4_addresses | length + retries: 300 + delay: 10 + loop: "{{ instances.results }}" + when: + - nodes is defined + - instances.results is defined + - item.vm is defined + vars: + reported_ipv4_addresses: "{{ (nics.ovirt_nics[0].reported_devices | json_query('[*].ips[?version==`v4`].address') | flatten) | default([]) }}" - name: waiting for servers to come online on predefined ip wait_for: host: "{{ item.networks[0].ip }}" port: "{{ item.ansible_port | default(ansible_port) | default('22') }}" - with_items: "{{ nodes }}" + loop: "{{ nodes }}" when: - nodes is defined - item.networks is defined 
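Review bot: In wait_for_ip_pre29.yml the new `vars:` entry reads `nics.ovirt_nics[0]`, but the `ovirt_nic_facts` result this file exists for lives under `nics.ansible_facts.ovirt_nics` — every other condition in the same task uses that path. As written `reported_ipv4_addresses` is undefined on every retry, so the `until:` either never succeeds or errors out once the first two conditions pass; the same line was pasted into the static-ip task at the end of the next hunk. Change both to `reported_ipv4_addresses: "{{ (nics.ansible_facts.ovirt_nics[0].reported_devices | json_query(...) | flatten) | default([]) }}"`, leaving the json_query expression as it is.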
@@ -35,7 +34,7 @@ wait_for: host: "{{ (item.ansible_facts.ovirt_nics[0].reported_devices[0].ips | json_query('[?version==`v4`].address'))[0] }}" port: "{{ item.item.item.item.ansible_port | default(ansible_port) | default('22') }}" - with_items: "{{ nics.results }}" + loop: "{{ nics.results }}" when: - nodes is defined - nics.results is defined @@ -55,15 +54,14 @@ until: - nics.ansible_facts.ovirt_nics | length > 0 - nics.ansible_facts.ovirt_nics[0].reported_devices | length > 0 - - nics.ansible_facts.ovirt_nics[0].reported_devices[0].ips | length > 0 - - nics.ansible_facts.ovirt_nics[0].reported_devices[0].ips[0].address is defined - - nics.ansible_facts.ovirt_nics[0].reported_devices[0].ips[0].version == 'v4' - - nics.ansible_facts.ovirt_nics[0].reported_devices[0].ips[0].address == item.networks[0].ip + - item.networks[0].ip in reported_ipv4_addresses retries: "{{ ip_wait_retry_limit }}" delay: 10 - with_items: "{{ nodes }}" + loop: "{{ nodes }}" when: - wait_for_static_ip_assigned|bool - nodes is defined - item.networks | length > 0 - - item.networks[0].ip is defined \ No newline at end of file + - item.networks[0].ip is defined + vars: + reported_ipv4_addresses: "{{ (nics.ovirt_nics[0].reported_devices | json_query('[*].ips[?version==`v4`].address') | flatten) | default([]) }}" \ No newline at end of file diff --git a/roles/oatakan.ansible-role-windows-ad-controller/meta/.galaxy_install_info b/roles/oatakan.ansible-role-windows-ad-controller/meta/.galaxy_install_info index 03b2a7f..4048434 100644 --- a/roles/oatakan.ansible-role-windows-ad-controller/meta/.galaxy_install_info +++ b/roles/oatakan.ansible-role-windows-ad-controller/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Wed Jun 30 01:12:47 2021 +install_date: Fri Oct 15 18:59:14 2021 version: '' diff --git a/roles/oatakan.rhel_ovirt_template/meta/.galaxy_install_info b/roles/oatakan.rhel_ovirt_template/meta/.galaxy_install_info index cc1745b..6f0d050 100644 
--- a/roles/oatakan.rhel_ovirt_template/meta/.galaxy_install_info +++ b/roles/oatakan.rhel_ovirt_template/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Wed Jun 30 01:12:53 2021 +install_date: Fri Oct 15 18:59:21 2021 version: master diff --git a/roles/oatakan.rhel_ovirt_template/templates/rhel8/ks.cfg.j2 b/roles/oatakan.rhel_ovirt_template/templates/rhel8/ks.cfg.j2 index df5c081..48eb85a 100644 --- a/roles/oatakan.rhel_ovirt_template/templates/rhel8/ks.cfg.j2 +++ b/roles/oatakan.rhel_ovirt_template/templates/rhel8/ks.cfg.j2 @@ -1,6 +1,5 @@ firewall --disabled -install cdrom lang en_US.UTF-8 keyboard us @@ -34,7 +33,7 @@ volgroup vg00 --pesize=4096 pv.00 logvol swap --fstype="swap" --size=4096 --name=swap --vgname=vg00 logvol / --fstype="xfs" --size=1 --grow --name=root --vgname=vg00 -auth --useshadow --enablemd5 +authselect --useshadow --enablemd5 firstboot --disabled services --enabled=NetworkManager,sshd reboot diff --git a/roles/oatakan.rhel_template_build/meta/.galaxy_install_info b/roles/oatakan.rhel_template_build/meta/.galaxy_install_info index 607a6b6..2ad1198 100644 --- a/roles/oatakan.rhel_template_build/meta/.galaxy_install_info +++ b/roles/oatakan.rhel_template_build/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Wed Jun 30 01:12:52 2021 +install_date: Fri Oct 15 18:59:20 2021 version: master diff --git a/roles/oatakan.windows_ovirt_guest_agent/meta/.galaxy_install_info b/roles/oatakan.windows_ovirt_guest_agent/meta/.galaxy_install_info index 35adf9d..e68ade5 100644 --- a/roles/oatakan.windows_ovirt_guest_agent/meta/.galaxy_install_info +++ b/roles/oatakan.windows_ovirt_guest_agent/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Wed Jun 30 01:12:48 2021 +install_date: Fri Oct 15 18:59:15 2021 version: master diff --git a/roles/oatakan.windows_ovirt_template/defaults/main.yml b/roles/oatakan.windows_ovirt_template/defaults/main.yml index b64a43c..7be489c 100644 --- a/roles/oatakan.windows_ovirt_template/defaults/main.yml 
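Review bot: `authselect --useshadow --enablemd5` keeps authconfig's flags on the new command; on RHEL 8 the kickstart `authselect` command hands its arguments to the authselect tool, which as far as I know does not accept `--useshadow` or `--enablemd5`, so the install is likely to fail where the deprecated `auth` line used to pass. `--enablemd5` also requested MD5 password hashing, which there is no reason to carry forward. Either drop the line (shadow passwords and sha512 hashing are the RHEL 8 defaults) or select a profile explicitly, e.g. `authselect select sssd`.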
+++ b/roles/oatakan.windows_ovirt_template/defaults/main.yml @@ -3,6 +3,7 @@ install_updates: yes instance_wait_retry_limit: 300 instance_wait_connection_timeout: 400 +instance_stop_retry_limit: 60 # this will remove existing template with the same name template_force: no @@ -73,4 +74,5 @@ os_short_names: win2012: 2k12R2 win2016: 2k16 win2019: 2k19 - win10: 10 \ No newline at end of file + win2022: 2k19 # 2k22 is not *yet* available on virtio iso + win10: w10 \ No newline at end of file diff --git a/roles/oatakan.windows_ovirt_template/meta/.galaxy_install_info b/roles/oatakan.windows_ovirt_template/meta/.galaxy_install_info index 3bd5051..cd1267d 100644 --- a/roles/oatakan.windows_ovirt_template/meta/.galaxy_install_info +++ b/roles/oatakan.windows_ovirt_template/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Wed Jun 30 01:12:45 2021 +install_date: Fri Oct 15 18:59:12 2021 version: '' diff --git a/roles/oatakan.windows_ovirt_template/tasks/stop_vm.yml b/roles/oatakan.windows_ovirt_template/tasks/stop_vm.yml index 057ba45..588458b 100644 --- a/roles/oatakan.windows_ovirt_template/tasks/stop_vm.yml +++ b/roles/oatakan.windows_ovirt_template/tasks/stop_vm.yml @@ -17,9 +17,19 @@ when: ansible_version.full is version('2.9', '>=') rescue: - - name: ignoring any error - debug: - msg: "ignoring error..." + - name: stop vm + ovirt.ovirt.ovirt_vm: + auth: "{{ ovirt_auth }}" + cluster: "{{ providers.ovirt.cluster }}" + name: "{{ template.name }}" + state: stopped + when: template is defined + + - include_tasks: wait_vm_poweredoff_pre29.yml + when: ansible_version.full is version('2.9', '<') + + - include_tasks: wait_vm_poweredoff.yml + when: ansible_version.full is version('2.9', '>=') - name: reconfigure vm ovirt.ovirt.ovirt_vm: diff --git a/roles/oatakan.windows_ovirt_template/tasks/wait_vm_poweredoff.yml b/roles/oatakan.windows_ovirt_template/tasks/wait_vm_poweredoff.yml index 918ef86..75a44c3 100644 
--- a/roles/oatakan.windows_ovirt_template/tasks/wait_vm_poweredoff.yml +++ b/roles/oatakan.windows_ovirt_template/tasks/wait_vm_poweredoff.yml @@ -10,4 +10,4 @@ - ovirt_vm_info_result.ovirt_vms|length > 0 - ovirt_vm_info_result.ovirt_vms[0].status == 'down' delay: 5 - retries: 30 \ No newline at end of file + retries: "{{ instance_stop_retry_limit }}" \ No newline at end of file diff --git a/roles/oatakan.windows_ovirt_template/tasks/wait_vm_poweredoff_pre29.yml b/roles/oatakan.windows_ovirt_template/tasks/wait_vm_poweredoff_pre29.yml index 264fef9..0bb61bf 100644 --- a/roles/oatakan.windows_ovirt_template/tasks/wait_vm_poweredoff_pre29.yml +++ b/roles/oatakan.windows_ovirt_template/tasks/wait_vm_poweredoff_pre29.yml @@ -9,4 +9,4 @@ - ovirt_vms|length > 0 - ovirt_vms[0].status == 'down' delay: 5 - retries: 30 \ No newline at end of file + retries: "{{ instance_stop_retry_limit }}" \ No newline at end of file diff --git a/roles/oatakan.windows_template_build/README.md b/roles/oatakan.windows_template_build/README.md index bee9ca8..904aeb6 100644 --- a/roles/oatakan.windows_template_build/README.md +++ b/roles/oatakan.windows_template_build/README.md @@ -21,6 +21,7 @@ A list of roles that this role utilizes: - oatakan.windows_ec2_ena_driver - oatakan.windows_ovirt_guest_agent +- oatakan.windows_powershell_upgrade - oatakan.windows_update - oatakan.windows_virtio - oatakan.windows_vmware_tools diff --git a/roles/oatakan.windows_template_build/defaults/main.yml b/roles/oatakan.windows_template_build/defaults/main.yml index 33b9e42..4c5e86d 100644 --- a/roles/oatakan.windows_template_build/defaults/main.yml +++ b/roles/oatakan.windows_template_build/defaults/main.yml 
@@ -5,16 +5,10 @@ remove_apps: no clean_up_components: yes upgrade_powershell: no powershell_target_version: 3.0 -temp_directory: "{{ ansible_env.TEMP }}" +default_temp_directory: 'C:\Windows\Temp' update_retry_limit: 10 upgrade_wait_timeout: 600 -powershell_script_url: https://raw.githubusercontent.com/oatakan/ansible-role-windows-template-build/master/files/Upgrade-PowerShell.ps1 -powershell_upgrade_script_file: 'C:\Upgrade-PowerShell.ps1' - -ps_memfix_script_url: https://raw.githubusercontent.com/oatakan/ansible-role-windows-template-build/master/files/Install-WMF3Hotfix.ps1 -ps_memfix_script_file: 'C:\Install-WMF3Hotfix.ps1' - set_network_to_private: '([Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]"{DCB00C01-570F-4A9B-8D69-199FDBA5723B}"))).GetNetworkConnections() | % {$_.GetNetwork().SetCategory(1)}' enable_tlsv12_hotfix_download_location: "{{ ansible_env.TEMP }}" 
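Review bot: Renaming `temp_directory` to `default_temp_directory` changes the role's public variable surface: any inventory or playbook that overrode `temp_directory` silently stops having an effect, and the new name is not mentioned in the README hunk earlier in this commit. Either keep the old name as an alias, `temp_directory: "{{ default_temp_directory }}"`, or call out the rename in the README. The removed `powershell_*`/`ps_memfix_*` variables appear to move to the new oatakan.windows_powershell_upgrade role added to the dependency list; a comment pointing there would save readers a search.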
@@ -24,24 +18,36 @@ enable_tlsv12_hotfix: url: https://download.microsoft.com/download/F/4/1/F4154AD2-2119-48B4-BF99-CC15F68E110D/Windows6.1-KB3080079-x64.msu enable_tls_support_hotfix_download_location: 'C:\Windows\Temp' +# no longer available +#enable_tls_support_hotfix: +# kb: kb3154518 +# file: windows6.1-kb3154518-x64.msu +# url: http://download.microsoft.com/download/6/8/0/680ee424-358c-4fdf-a0de-b45dee07b711/windows6.1-kb3154518-x64.msu + +# fix: https://support.microsoft.com/en-us/topic/security-and-quality-rollup-for-net-framework-3-5-1-for-windows-7-sp1-and-windows-server-2008-r2-sp1-kb-4040980-71f9f600-4878-a9d4-6b36-93cafad2eefe enable_tls_support_hotfix: - kb: kb3154518 - file: windows6.1-kb3154518-x64.msu - url: http://download.microsoft.com/download/6/8/0/680ee424-358c-4fdf-a0de-b45dee07b711/windows6.1-kb3154518-x64.msu + kb: kb4040980 + file: windows6.1-kb4040980-x64_83282fb5210091802984ead0d4175879056d602c.msu + url: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/09/windows6.1-kb4040980-x64_83282fb5210091802984ead0d4175879056d602c.msu dot_net_security_hotfix_download_location: 'C:\Windows\Temp' +# no longer available +#dot_net_security_hotfix: +# kb: KB2898850 +# file: Windows8.1-KB2898850-x64.msu +# url: http://download.microsoft.com/download/C/6/9/C690CC33-18F7-405D-B18A-0A8E199E531C/Windows8.1-KB2898850-x64.msu + dot_net_security_hotfix: kb: KB2898850 - file: Windows8.1-KB2898850-x64.msu - url: http://download.microsoft.com/download/C/6/9/C690CC33-18F7-405D-B18A-0A8E199E531C/Windows8.1-KB2898850-x64.msu + file: windows8.1-kb2898850-x64_9ffdfdeac9011569d1b14cf2dbf926257c50186d.msu + url: http://download.windowsupdate.com/d/msdownload/update/software/secu/2014/04/windows8.1-kb2898850-x64_9ffdfdeac9011569d1b14cf2dbf926257c50186d.msu windows_update_agent_url: http://download.windowsupdate.com/windowsupdate/redist/standalone/7.6.7600.320/windowsupdateagent-7.6-x64.exe #sdelete_download_url: 
http://web.archive.org/web/20140902022253/http://download.sysinternals.com/files/SDelete.zip bleachbit_download_url: https://download.bleachbit.org/BleachBit-4.0.0-portable.zip sdelete_download_url: https://download.sysinternals.com/files/SDelete.zip -#ultradefrag_download_url: http://downloads.sourceforge.net/project/ultradefrag/stable-release/6.1.0/ultradefrag-portable-6.1.0.bin.amd64.zip -ultradefrag_download_url: https://sourceforge.net/projects/ultradefrag/files/stable-release/7.1.4/ultradefrag-portable-7.1.4.bin.amd64.zip/download +ultradefrag_download_url: https://downloads.sourceforge.net/project/ultradefrag/stable-release/7.1.4/ultradefrag-portable-7.1.4.bin.amd64.zip enable_auto_logon: yes @@ -59,6 +65,7 @@ virtio_role: oatakan.windows_virtio vmware_tools_role: oatakan.windows_vmware_tools virtualbox_guest_additions_role: oatakan.windows_virtualbox_guest_additions windows_update_role: oatakan.windows_update +windows_powershell_upgrade_role: oatakan.windows_powershell_upgrade policy: allow_unauthenticated_guest_access: no diff --git a/roles/oatakan.windows_template_build/files/Install-WMF3Hotfix.ps1 b/roles/oatakan.windows_template_build/files/Install-WMF3Hotfix.ps1 deleted file mode 100644 index 016af67..0000000 --- a/roles/oatakan.windows_template_build/files/Install-WMF3Hotfix.ps1 +++ /dev/null 
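Review bot: The two replacement hotfix downloads (`enable_tls_support_hotfix.url` and `dot_net_security_hotfix.url` in the hunk ending here) are fetched over plain `http://download.windowsupdate.com/...`, and nothing in these defaults gives the download task a checksum to verify. MSU packages are Authenticode-signed, but that is only checked once the file is on the host; add a `checksum` entry per hotfix (value taken from a trusted source, not from this file) so the download step can verify it, or use https if the CDN serves these paths over TLS. Minor: `kb: kb4040980` versus the existing `kb: KB2898850` — pick one case; and the `# no longer available` heading above the commented `dot_net_security_hotfix` block is misleading, since the same KB is still used via a different URL.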
@@ -1,152 +0,0 @@ -#Requires -Version 3.0 -<#PSScriptInfo -.VERSION 1.0 -.GUID 6cf319d1-8c50-460b-99ee-71b11cf7270d -.AUTHOR - Jordan Borean -.COPYRIGHT - Jordan Borean 2017 -.TAGS - PowerShell,Ansible,WinRM,WMF,Hotfix -.LICENSEURI https://github.com/jborean93/ansible-windows/blob/master/LICENSE -.PROJECTURI https://github.com/jborean93/ansible-windows -.RELEASENOTES - Version 1.0: 2017-09-27 - Initial script created -#> - -<# -.DESCRIPTION -The script will install the WinRM hotfix KB2842230 which fixes the memory -issues that occur when running over WinRM with WMF 3.0. -The script will; - 1. Detect if running on PS version 3.0 and exit if it is not - 2. Check if KB2842230 is already installed and exit if it is - 3. Download the hotfix from Microsoft server's based on the OS version - 4. Extract the .msu file from the downloaded hotfix - 5. Install the .msu silently - 6. Detect if a reboot is required and prompt whether the user wants to restart - -Once the install is complete, if the install process returns an exit -code of 3010, it will ask the user whether to restart the computer now -or whether it will be done later. - -See https://github.com/jborean93/ansible-windows/tree/master/scripts for more -details. 
-.PARAMETER Verbose - [switch] - Whether to display Verbose logs on the console -.EXAMPLE - powershell.exe -ExecutionPolicy ByPass -File Install-WMF3Hotfix.ps1 -.EXAMPLE - powershell.exe -ExecutionPolicy ByPass -File Install-WMF3Hotfix.ps1 -Verbose -#> - -[CmdletBinding()] -Param() - -$ErrorActionPreference = "Stop" -if ($verbose) { - $VerbosePreference = "Continue" -} - -Function Run-Process($executable, $arguments) { - $process = New-Object -TypeName System.Diagnostics.Process - $psi = $process.StartInfo - $psi.FileName = $executable - $psi.Arguments = $arguments - Write-Verbose -Message "starting new process '$executable $arguments'" - $process.Start() | Out-Null - - $process.WaitForExit() | Out-Null - $exit_code = $process.ExitCode - Write-Verbose -Message "process completed with exit code '$exit_code'" - - return $exit_code -} - -Function Download-File($url, $path) { - Write-Verbose -Message "downloading url '$url' to '$path'" - $client = New-Object -TypeName System.Net.WebClient - $client.DownloadFile($url, $path) -} - -Function Extract-Zip($zip, $dest) { - Write-Verbose -Message "extracting '$zip' to '$dest'" - try { - Add-Type -AssemblyName System.IO.Compression.FileSystem > $null - $legacy = $false - } catch { - $legacy = $true - } - - if ($legacy) { - $shell = New-Object -ComObject Shell.Application - $zip_src = $shell.NameSpace($zip) - $zip_dest = $shell.NameSpace($dest) - $zip_dest.CopyHere($zip_src.Items(), 1044) - } else { - [System.IO.Compression.ZipFile]::ExtractToDirectory($zip, $dest) - } -} - -$tmp_dir = $env:temp -$kb = "KB2842230" -if ($PSVersionTable.PSVersion.Major -ne 3) { - Write-Verbose -Message "$kb is only applicable with Powershell v3, no action required" - exit 0 -} - -$hotfix_installed = Get-Hotfix -Id $kb -ErrorAction SilentlyContinue -if ($hotfix_installed -ne $null) { - Write-Verbose -Message "$kb is already installed" - exit 0 -} - -if (-not (Test-Path -Path $tmp_dir)) { - New-Item -Path $tmp_dir -ItemType Directory > $null -} 
-$os_version = [Version](Get-Item -Path "$env:SystemRoot\System32\kernel32.dll").VersionInfo.ProductVersion -$host_string = "$($os_version.Major).$($os_version.Minor)-$($env:PROCESSOR_ARCHITECTURE)" -switch($host_string) { - # These URLS point to the Ansible Core CI S3 bucket, MS no longer provide a link to Server 2008 so we need to - # rely on this URL. There are no guarantees this will stay up in the future. - "6.0-x86" { - $url = "https://s3.amazonaws.com/ansible-ci-files/hotfixes/KB2842230/464091_intl_i386_zip.exe" - } - "6.0-AMD64" { - $url = "https://s3.amazonaws.com/ansible-ci-files/hotfixes/KB2842230/464090_intl_x64_zip.exe" - } - "6.1-x86" { - $url = "https://s3.amazonaws.com/ansible-ci-files/hotfixes/KB2842230/463983_intl_i386_zip.exe" - } - "6.1-AMD64" { - $url = "https://s3.amazonaws.com/ansible-ci-files/hotfixes/KB2842230/463984_intl_x64_zip.exe" - } - "6.2-x86" { - $url = "https://s3.amazonaws.com/ansible-ci-files/hotfixes/KB2842230/463940_intl_i386_zip.exe" - } - "6.2-AMD64" { - $url = "https://s3.amazonaws.com/ansible-ci-files/hotfixes/KB2842230/463941_intl_x64_zip.exe" - } -} - -$filename = $url.Split("/")[-1] -$compressed_file = "$tmp_dir\$($filename).zip" -Download-File -url $url -path $compressed_file -Extract-Zip -zip $compressed_file -dest $tmp_dir -$file = Get-Item -Path "$tmp_dir\*$kb*.msu" -if ($file -eq $null) { - Write-Error -Message "unable to find extracted msu file for hotfix KB" - exit 1 -} - -$exit_code = Run-Process -executable $file.FullName -arguments "/quiet /norestart" -if ($exit_code -eq 3010) { - Write-Verbose "need to restart computer after hotfix $kb install" - Restart-Computer -Force -} elseif ($exit_code -ne 0) { - Write-Error -Message "failed to install hotfix $($kb): exit code $exit_code" -} else { - Write-Verbose -Message "hotfix $kb install complete" -} -exit $exit_code \ No newline at end of file 
diff --git a/roles/oatakan.windows_template_build/files/Upgrade-PowerShell.ps1 b/roles/oatakan.windows_template_build/files/Upgrade-PowerShell.ps1 deleted file mode 100644 index 19409cb..0000000 --- a/roles/oatakan.windows_template_build/files/Upgrade-PowerShell.ps1 +++ /dev/null 
@@ -1,400 +0,0 @@ -# PSScriptInfo -# .VERSION 1.0 -# .GUID 23743bae-7604-459d-82c5-a23d36b0820e -# .AUTHOR -# Jordan Borean -# .COPYRIGHT -# Jordan Borean 2017 -# .TAGS -# PowerShell,Ansible -# .LICENSEURI https://github.com/jborean93/ansible-windows/blob/master/LICENSE -# .PROJECTURI https://github.com/jborean93/ansible-windows -# .RELEASENOTES -# Version 1.0: 2017-09-27 -# Initial script created -# .DESCRIPTION -# The script will upgrade the powershell version to whatever is supplied as -# the 'version' on the host. The current versions can be set as the target -# 'version': -# - 3.0 -# - 4.0 -# - 5.1 (default if -Version not set) -# -# This script can be run on the following OS' -# Windows Server 2008 (with SP2) - only supported version 3.0 -# Windows Server 2008 R2 (with SP1) -# Windows Server 2012 -# Windows Server 2012 R2 -# Windows Server 2016 -# -# Windows 7 (with SP1) -# Windows 8.1 -# Windows 10 -# -# All OS' can be upgraded to 5.1 except for Windows Server 2008. If running -# on Powershell 1.0 then this script will first upgrade the version to 2.0 -# before running the checks. This is because a lot of the upgrade paths need -# this version installed as a baseline. If the .NET Framework version -# installed is less than 4.5.2, it will be upgraded to 4.5.2 as this is -# supported on all hosts and is required for v5.0. -# -# As multiple packages can be installed in this process, multiple reboots may -# be required to continue with the install. If a reboot is required the -# script will detect if the 'username' and 'password' parameters have been -# supplied. If they have been supplied it will automatically reboot and login -# to continue the install process until it is all complete. If these -# parameters are not set then it will prompt the user for a reboot and -# require the user to log back in manually after the reboot before -# continuing. 
-# -# A log of this process is created in -# $env:SystemDrive\temp\upgrade_powershell.log which is usually C:\temp\. This -# log can used to see how the script faired after an automatic reboot. -# -# See https://github.com/jborean93/ansible-windows/tree/master/scripts for more -# details. -# .PARAMETER version -# [string] - The target powershell version to upgrade to. This can be; -# 3.0, -# 4.0, or -# 5.1 (default) -# Depending on the circumstances, the process to reach the target version -# may require multiple reboots. -# .PARAMETER username -# [string] - The username of a local admin user that will be automatically -# logged in after a reboot to continue the script install. The 'password' -# parameter is also required if this is set. -# .PARAMETER password -# [string] - The password for 'username', this is required if the 'username' -# parameter is also set. -# .PARAMETER Verbose -# [switch] - Whether to display Verbose logs on the console -# .EXAMPLE -# # upgrade from powershell 1.0 to 3.0 with automatic login and reboots -# Set-ExecutionPolicy Unrestricted -Force -# &.\Upgrade-PowerShell.ps1 -version 3.0 -username "Administrator" -password "Password" -Verbose -# .EXAMPLE -# # upgrade to 5.1 with defaults and manual login and reboots -# powershell.exe -ExecutionPolicy ByPass -File Upgrade-PowerShell.ps1 -# .EXAMPLE -# # upgrade to powershell 4.0 with automatic login and reboots -# powershell.exe -ExecutionPolicy ByPass -File Upgrade-PowerShell.ps1 -version 4.0 -username "Administrator" -password "Password" -Verbose - -Param( - [string]$version = "5.1", - [string]$username, - [string]$password, - [switch]$verbose = $false -) -$ErrorActionPreference = 'Stop' -if ($verbose) { - $VerbosePreference = "Continue" -} - -$tmp_dir = $env:temp -if (-not (Test-Path -Path $tmp_dir)) { - New-Item -Path $tmp_dir -ItemType Directory > $null -} - -Function Write-Log($message, $level="INFO") { - # Poor man's implementation of Log4Net - $date_stamp = Get-Date -Format s - 
$log_entry = "$date_stamp - $level - $message" - $log_file = "$tmp_dir\upgrade_powershell.log" - Write-Verbose -Message $log_entry - Add-Content -Path $log_file -Value $log_entry -} - -Function Reboot-AndResume { - Write-Log -message "adding script to run on next logon" - $script_path = $script:MyInvocation.MyCommand.Path - $ps_path = "$env:SystemDrive\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" - $arguments = "-version $version" - if ($username -and $password) { - $arguments = "$arguments -username `"$username`" -password `"$password`"" - } - if ($verbose) { - $arguments = "$arguments -Verbose" - } - - $command = "$ps_path -ExecutionPolicy ByPass -File $script_path $arguments" - $reg_key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" - $reg_property_name = "ps-upgrade" - Set-ItemProperty -Path $reg_key -Name $reg_property_name -Value $command - - if ($username -and $password) { - $reg_winlogon_path = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" - Set-ItemProperty -Path $reg_winlogon_path -Name AutoAdminLogon -Value 1 - Set-ItemProperty -Path $reg_winlogon_path -Name DefaultUserName -Value $username - Set-ItemProperty -Path $reg_winlogon_path -Name DefaultPassword -Value $password - Write-Log -message "rebooting server to continue powershell upgrade" - } else { - Write-Log -message "need to reboot server to continue powershell upgrade" - $reboot_confirmation = Read-Host -Prompt "need to reboot server to continue powershell upgrade, do you wish to proceed (y/n)" - if ($reboot_confirmation -ne "y") { - $error_msg = "please reboot server manually and login to continue upgrade process, the script will restart on the next login automatically" - Write-Log -message $error_msg -level "ERROR" - throw $error_msg - } - } - - if (Get-Command -Name Restart-Computer -ErrorAction SilentlyContinue) { - Restart-Computer -Force - } else { - # PS v1 (Server 2008) doesn't have the cmdlet Restart-Computer, use el-traditional - shutdown /r /t 0 
- } -} - -Function Run-Process($executable, $arguments) { - $process = New-Object -TypeName System.Diagnostics.Process - $psi = $process.StartInfo - $psi.FileName = $executable - $psi.Arguments = $arguments - Write-Log -message "starting new process '$executable $arguments'" - $process.Start() | Out-Null - - $process.WaitForExit() | Out-Null - $exit_code = $process.ExitCode - Write-Log -message "process completed with exit code '$exit_code'" - - return $exit_code -} - -Function Download-File($url, $path) { - Write-Log -message "downloading url '$url' to '$path'" - $client = New-Object -TypeName System.Net.WebClient - $client.DownloadFile($url, $path) -} - -Function Clear-AutoLogon { - $reg_winlogon_path = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" - Write-Log -message "clearing auto logon registry properties" - Set-ItemProperty -Path $reg_winlogon_path -Name AutoAdminLogon -Value 0 - Remove-ItemProperty -Path $reg_winlogon_path -Name DefaultUserName -ErrorAction SilentlyContinue - Remove-ItemProperty -Path $reg_winlogon_path -Name DefaultPassword -ErrorAction SilentlyContinue -} - -Function Download-Wmf5Server2008($architecture) { - if ($architecture -eq "x64") { - $zip_url = "http://download.microsoft.com/download/6/F/5/6F5FF66C-6775-42B0-86C4-47D41F2DA187/Win7AndW2K8R2-KB3191566-x64.zip" - $file = "$tmp_dir\Win7AndW2K8R2-KB3191566-x64.msu" - } else { - $zip_url = "http://download.microsoft.com/download/6/F/5/6F5FF66C-6775-42B0-86C4-47D41F2DA187/Win7-KB3191566-x86.zip" - $file = "$tmp_dir\Win7-KB3191566-x86.msu" - } - if (Test-Path -Path $file) { - return $file - } - - $filename = $zip_url.Split("/")[-1] - $zip_file = "$tmp_dir\$filename" - Download-File -url $zip_url -path $zip_file - - Write-Log -message "extracting '$zip_file' to '$tmp_dir'" - try { - Add-Type -AssemblyName System.IO.Compression.FileSystem > $null - $legacy = $false - } catch { - $legacy = $true - } - - if ($legacy) { - $shell = New-Object -ComObject Shell.Application - 
$zip_src = $shell.NameSpace($zip_file) - $zip_dest = $shell.NameSpace($tmp_dir) - $zip_dest.CopyHere($zip_src.Items(), 1044) - } else { - [System.IO.Compression.ZipFile]::ExtractToDirectory($zip_file, $tmp_dir) - } - - return $file -} - -Write-Log -message "starting script" -# on PS v1.0, upgrade to 2.0 and then run the script again -if ($PSVersionTable -eq $null) { - Write-Log -message "upgrading powershell v1.0 to v2.0" - $architecture = $env:PROCESSOR_ARCHITECTURE - if ($architecture -eq "AMD64") { - # this url not working - #$url = "https://download.microsoft.com/download/2/8/6/28686477-3242-4E96-9009-30B16BED89AF/Windows6.0-KB968930-x64.msu" - $url = "http://download.windowsupdate.com/msdownload/update/software/updt/2011/02/windows6.0-kb968930-x64_4de013d593181a2a04217ce3b0e7536ab56995aa.msu" - } else { - # this url not working - #$url = "https://download.microsoft.com/download/F/9/E/F9EF6ACB-2BA8-4845-9C10-85FC4A69B207/Windows6.0-KB968930-x86.msu" - $url = "http://download.windowsupdate.com/msdownload/update/software/updt/2011/02/windows6.0-kb968930-x86_16fd2e93be2e7265821191119ddfc0cdaa6f4243.msu" - } - $filename = $url.Split("/")[-1] - $file = "$tmp_dir\$filename" - Download-File -url $url -path $file - $exit_code = Run-Process -executable $file -arguments "/quiet /norestart" - if ($exit_code -ne 0 -and $exit_code -ne 3010) { - $error_msg = "failed to update Powershell from 1.0 to 2.0: exit code $exit_code" - Write-Log -message $error_msg -level "ERROR" - throw $error_msg - } - Reboot-AndResume -} - -# exit if the target version is the same as the actual version -$current_ps_version = [version]"$($PSVersionTable.PSVersion.Major).$($PSVersionTable.PSVersion.Minor)" -if ($current_ps_version -eq [version]$version) { - Write-Log -message "current and target PS version are the same, no action is required" - Clear-AutoLogon - exit 0 -} - -$os_version = [Version](Get-Item -Path "$env:SystemRoot\System32\kernel32.dll").VersionInfo.ProductVersion -$architecture = 
$env:PROCESSOR_ARCHITECTURE -if ($architecture -eq "AMD64") { - $architecture = "x64" -} else { - $architecture = "x86" -} - -$actions = @() -switch ($version) { - "3.0" { - $actions += "3.0" - break - } - "4.0" { - if ($os_version -lt [version]"6.1") { - $error_msg = "cannot upgrade Server 2008 to Powershell v4, v3 is the latest supported" - Write-Log -message $error_msg -level "ERROR" - throw $error_msg - } - $actions += "4.0" - break - } - "5.1" { - if ($os_version -lt [version]"6.1") { - $error_msg = "cannot upgrade Server 2008 to Powershell v5.1, v3 is the latest supported" - Write-Log -message $error_msg -level "ERROR" - throw $error_msg - } - # check if WMF 3 is installed, need to be uninstalled before 5.1 - if ($os_version.Minor -lt 2) { - $wmf3_installed = Get-Hotfix -Id "KB2506143" -ErrorAction SilentlyContinue - if ($wmf3_installed) { - $actions += "remove-3.0" - } - } - $actions += "5.1" - break - } - default { - $error_msg = "version '$version' is not supported in this upgrade script" - Write-Log -message $error_msg -level "ERROR" - throw $error_msg - } -} - -# detect if .NET 4.5.2 is not installed and add to the actions -$dotnet_path = "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" -if (-not (Test-Path -Path $dotnet_path)) { - $dotnet_upgrade_needed = $true -} else { - $dotnet_version = Get-ItemProperty -Path $dotnet_path -Name Release -ErrorAction SilentlyContinue - if ($dotnet_version) { - # 379893 == 4.5.2 - if ($dotnet_version.Release -lt 379893) { - $dotnet_upgrade_needed = $true - } - } else { - $dotnet_upgrade_needed = $true - } -} -if ($dotnet_upgrade_needed) { - $actions = @("dotnet") + $actions -} - -Write-Log -message "The following actions will be performed: $($actions -join ", ")" -foreach ($action in $actions) { - $url = $null - $file = $null - $arguments = "/quiet /norestart" - - switch ($action) { - "dotnet" { - Write-Log -message "running .NET update to 4.5.2" - $url = 
"https://download.microsoft.com/download/E/2/1/E21644B5-2DF2-47C2-91BD-63C560427900/NDP452-KB2901907-x86-x64-AllOS-ENU.exe" - $error_msg = "failed to update .NET to 4.5.2" - $arguments = "/q /norestart" - break - } - "remove-3.0" { - # this is only run before a 5.1 install on Windows 7/2008 R2, the - # install zip needs to be downloaded and extracted before - # removing 3.0 as then the FileSystem assembly cannot be loaded - Write-Log -message "downloading WMF/PS v5.1 and removing WMF/PS v3 before version 5.1 install" - Download-Wmf5Server2008 -architecture $architecture > $null - - $file = "wusa.exe" - $arguments = "/uninstall /KB:2506143 /quiet /norestart" - break - } - "3.0" { - Write-Log -message "running powershell update to version 3" - if ($os_version.Minor -eq 1) { - $url = "https://download.microsoft.com/download/E/7/6/E76850B8-DA6E-4FF5-8CCE-A24FC513FD16/Windows6.1-KB2506143-$($architecture).msu" - } else { - $url = "https://download.microsoft.com/download/E/7/6/E76850B8-DA6E-4FF5-8CCE-A24FC513FD16/Windows6.0-KB2506146-$($architecture).msu" - } - $error_msg = "failed to update Powershell to version 3" - break - } - "4.0" { - Write-Log -message "running powershell update to version 4" - if ($os_version.Minor -eq 1) { - $url = "https://download.microsoft.com/download/3/D/6/3D61D262-8549-4769-A660-230B67E15B25/Windows6.1-KB2819745-$($architecture)-MultiPkg.msu" - } else { - $url = "https://download.microsoft.com/download/3/D/6/3D61D262-8549-4769-A660-230B67E15B25/Windows8-RT-KB2799888-x64.msu" - } - $error_msg = "failed to update Powershell to version 4" - break - } - "5.1" { - Write-Log -message "running powershell update to version 5.1" - if ($os_version.Minor -eq 1) { - # Server 2008 R2 and Windows 7, already downloaded in remove-3.0 - $file = Download-Wmf5Server2008 -architecture $architecture - } elseif ($os_version.Minor -eq 2) { - # Server 2012 - $url = 
"http://download.microsoft.com/download/6/F/5/6F5FF66C-6775-42B0-86C4-47D41F2DA187/W2K12-KB3191565-x64.msu" - } else { - # Server 2012 R2 and Windows 8.1 - if ($architecture -eq "x64") { - $url = "http://download.microsoft.com/download/6/F/5/6F5FF66C-6775-42B0-86C4-47D41F2DA187/Win8.1AndW2K12R2-KB3191564-x64.msu" - } else { - $url = "http://download.microsoft.com/download/6/F/5/6F5FF66C-6775-42B0-86C4-47D41F2DA187/Win8.1-KB3191564-x86.msu" - } - } - break - } - default { - $error_msg = "unknown action '$action'" - Write-Log -message $error_msg -level "ERROR" - } - } - - if ($file -eq $null) { - $filename = $url.Split("/")[-1] - $file = "$tmp_dir\$filename" - } - if ($url -ne $null) { - Download-File -url $url -path $file - } - - $exit_code = Run-Process -executable $file -arguments $arguments - if ($exit_code -ne 0 -and $exit_code -ne 3010) { - $log_msg = "$($error_msg): exit code $exit_code" - Write-Log -message $log_msg -level "ERROR" - throw $log_msg - } - if ($exit_code -eq 3010) { - Reboot-AndResume - break - } -} \ No newline at end of file diff --git a/roles/oatakan.windows_template_build/handlers/main.yml b/roles/oatakan.windows_template_build/handlers/main.yml new file mode 100644 index 0000000..66372ec --- /dev/null +++ b/roles/oatakan.windows_template_build/handlers/main.yml @@ -0,0 +1,10 @@ +--- + +- name: ensure Windows ADK with DISM is removed + win_chocolatey: + name: windows-adk-deploy + state: absent + register: remove_win_adk_dism + until: remove_win_adk_dism is success + delay: 3 + retries: 5 \ No newline at end of file diff --git a/roles/oatakan.windows_template_build/meta/.galaxy_install_info b/roles/oatakan.windows_template_build/meta/.galaxy_install_info index e2a9ac5..b8e9ec4 100644 --- a/roles/oatakan.windows_template_build/meta/.galaxy_install_info +++ b/roles/oatakan.windows_template_build/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Wed Jun 30 01:12:46 2021 +install_date: Fri Oct 15 18:59:14 2021 version: master 
diff --git a/roles/oatakan.windows_template_build/tasks/compact.yml b/roles/oatakan.windows_template_build/tasks/compact.yml index 8386d59..1259414 100644 --- a/roles/oatakan.windows_template_build/tasks/compact.yml +++ b/roles/oatakan.windows_template_build/tasks/compact.yml @@ -73,12 +73,13 @@ - name: clean with bleachbit win_shell: > - '{{ ansible_user_dir }}\BleachBit-Portable\bleachbit_console.exe --clean deepscan.backup + '{{ ansible_user_dir }}\BleachBit-Portable\bleachbit_console.exe' + --clean deepscan.backup deepscan.ds_store deepscan.thumbs_db deepscan.tmp internet_explorer.cookies internet_explorer.forms internet_explorer.history internet_explorer.temporary_files system.clipboard system.custom system.logs system.memory_dump system.muicache system.prefetch system.recycle_bin system.tmp system.updates windows_defender.history windows_explorer.mru windows_explorer.recent_documents windows_explorer.run - windows_explorer.search_history windows_explorer.thumbnails > NUL' + windows_explorer.search_history windows_explorer.thumbnails 2> nul args: executable: cmd when: @@ -164,6 +165,9 @@ - name: remove bleachbit files win_file: - path: '{{ ansible_user_dir }}\BleachBit-Portable' + path: '{{ item }}' state: absent - when: download_bleachbit is success \ No newline at end of file + when: download_bleachbit is success + loop: + - '{{ temp_directory }}\BleachBit-portable.zip' + - '{{ ansible_user_dir }}\BleachBit-Portable' \ No newline at end of file diff --git a/roles/oatakan.windows_template_build/tasks/enable-tlsv12.yml b/roles/oatakan.windows_template_build/tasks/enable-tlsv12.yml index 418f538..bab6ac1 100644 --- a/roles/oatakan.windows_template_build/tasks/enable-tlsv12.yml +++ b/roles/oatakan.windows_template_build/tasks/enable-tlsv12.yml 
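Review bot: `2> nul` at the end of the bleachbit command discards the tool's stderr, which is exactly what a registered `win_shell` result would otherwise keep for diagnosing a non-zero exit; the old `> NUL` only silenced stdout. `win_shell` already captures both streams into the task result rather than onto a console, so dropping the redirect (`windows_explorer.search_history windows_explorer.thumbnails`) keeps the diagnostics without changing what the command does. The task's `when:` list continues outside the hunk.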
@@ -1,97 +1,43 @@
 ---
-- name: ensure Windows ADK with DISM is installed
- win_chocolatey:
- name: windows-adk-deploy
- state: present
- version: 10.0.17134.0
- register: install_windows_adk_deploy
+- block:
+ - name: test SSL connection
+ win_shell: "[System.Net.WebRequest]::Create('https://github.com').GetResponse()"
-- name: ensure PATH contains Windows ADK
- win_path:
- scope: machine
- state: present
- elements: "C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM"
+ rescue:
+ - name: enable TLSv1.2 support
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\{{ item.type }}
+ name: '{{ item.property }}'
+ data: '{{ item.value }}'
+ type: dword
+ state: present
+ register: enable_tls12
+ loop:
+ - type: Server
+ property: Enabled
+ value: 1
+ - type: Server
+ property: DisabledByDefault
+ value: 0
+ - type: Client
+ property: Enabled
+ value: 1
+ - type: Client
+ property: DisabledByDefault
+ value: 0
-- pause:
- seconds: 10
+ - name: enable strong crypto
+ win_regedit:
+ path: HKLM:\{{ item }}
+ name: SchUseStrongCrypto
+ data: 1
+ type: dword
+ state: present
+ loop:
+ - 'SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
+ - 'SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
-- name: download hotfix
- win_get_url:
- url: '{{ enable_tlsv12_hotfix.url }}'
- dest: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
- register: download_hotfix
- until: download_hotfix is success
- delay: 3
- retries: 5
-
-- name: install hotfix (PS >= 4)
- win_hotfix:
- source: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
- state: present
- register: hotfix_install
- when: ansible_powershell_version is version('4', '>=')
-
-- name: install hotfix (PS == 3)
- win_shell: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }} /quiet /norestart'
- register: hotfix_install
- when: ansible_powershell_version is version('3', '==')
-
-- name: debug hotfix installation result
- debug:
- var: hotfix_install
-
-- name: ensure hotfix file is removed
- win_file:
- path: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
- state: absent
-
-- name: reboot if needed
- win_reboot:
- when: hotfix_install.reboot_required | default(False)
-
-- name: enable TLSv1.2 support
- win_regedit:
- path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\{{ item.type }}
- name: '{{ item.property }}'
- data: '{{ item.value }}'
- type: dword
- state: present
- register: enable_tls12
- loop:
- - type: Server
- property: Enabled
- value: 1
- - type: Server
- property: DisabledByDefault
- value: 0
- - type: Client
- property: Enabled
- value: 1
- - type: Client
- property: DisabledByDefault
- value: 0
-
-- name: enable strong crypto
- win_regedit:
- path: HKLM:\{{ item }}
- name: SchUseStrongCrypto
- data: 1
- type: dword
- state: present
- loop:
- - 'SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
- - 'SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
-
-- name: ensure Windows ADK with DISM is removed
- win_chocolatey:
- name: windows-adk-deploy
- state: absent
- register: remove_win_adk_dism
- until: remove_win_adk_dism is success
- delay: 3
- retries: 5
-
-- name: reboot if TLS config was applied
- win_reboot:
- when: enable_tls12 is changed
\ No newline at end of file
+ - name: reboot if TLS config was applied
+ win_reboot:
+ when: enable_tls12 is changed
\ No newline at end of file
diff --git a/roles/oatakan.windows_template_build/tasks/enable_powershell.yml b/roles/oatakan.windows_template_build/tasks/enable_powershell.yml
deleted file mode 100644
index c77ef8e..0000000
--- a/roles/oatakan.windows_template_build/tasks/enable_powershell.yml
+++ /dev/null
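Review bot: `test SSL connection` is a `win_shell` probe with no `changed_when`, so it reports changed on every run although it only reads; `changed_when: false` belongs on it. It also fails for any reason — DNS, a proxy, an offline build host, github.com itself being unreachable — not only a TLS handshake failure, and each of those drops into `rescue`, which rewrites the SCHANNEL and `SchUseStrongCrypto` keys and reboots while the original error is thrown away; registering the probe and narrowing the failure to the secure-channel exception text, or at least debugging the registered result's `stderr` at the start of the rescue, would keep the trigger honest. Because the rescue itself succeeds, a host that still cannot negotiate TLS 1.2 after the registry change leaves this file green; repeating the probe after the reboot would catch that. Indentation was lost in the extraction, so I cannot tell whether `reboot if TLS config was applied` sits inside `rescue`; if it is outside, `enable_tls12 is changed` errors on hosts where the rescue never ran.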
@@ -1,32 +0,0 @@
----
-
-- name: check if powershell is available
- raw: 'Get-Host'
- failed_when: False
- check_mode: no
- register: check_powershell
-
-- block:
- - name: enable powershell
- raw: '{{ item }}'
- args:
- executable: cmd.exe
- changed_when: False
- check_mode: no
- loop:
- - dism /online /enable-feature /featurename:NetFx2-ServerCore
- - dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell
- - dism /online /enable-feature /featurename:ServerManager-PSH-Cmdlets
-
- - name: reboot system
- raw: shutdown /r /t 5
- args:
- executable: cmd.exe
- changed_when: False
- check_mode: no
-
- - pause:
- seconds: 30
- when:
- - check_powershell.stderr is defined
- - ('is not recognized' in check_powershell.stderr)
\ No newline at end of file
diff --git a/roles/oatakan.windows_template_build/tasks/enable_tls_system_default.yml b/roles/oatakan.windows_template_build/tasks/enable_tls_system_default.yml
deleted file mode 100644
index b6dce6f..0000000
--- a/roles/oatakan.windows_template_build/tasks/enable_tls_system_default.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-# on Windows 7 SP1, TLS 1.1 and 1.2 is not enabled by default
-# this hotfix is needed to fix that
-# see https://support.microsoft.com/en-us/topic/support-for-tls-system-default-versions-included-in-the-net-framework-3-5-1-on-windows-7-sp1-and-server-2008-r2-sp1-5ef38dda-8e6c-65dc-c395-62d2df58715a
-
-- name: download hotfix
- raw: '(New-Object -TypeName System.Net.WebClient).DownloadFile("{{ enable_tls_support_hotfix.url }}", "{{ enable_tls_support_hotfix_download_location }}\\{{ enable_tls_support_hotfix.file }}")'
- changed_when: False
- check_mode: no
- register: download_hotfix
- until: download_hotfix is success
- delay: 3
- retries: 5
-
-- name: delete scheduled task if it exists (hotfix)
- raw: 'SCHTASKS /Delete /TN hotfix_install /f'
- args:
- executable: cmd.exe
- changed_when: False
- check_mode: no
- ignore_errors: yes
-
-- name: create a scheduled task to install hotfix
- raw: SCHTASKS /Create /SC MONTHLY /MO first /D SUN /TN hotfix_install /TR "{{ enable_tls_support_hotfix_download_location }}\\{{ enable_tls_support_hotfix.file }} /quiet /restart"
- args:
- executable: cmd.exe
- changed_when: False
- check_mode: no
-
-- name: run scheduled task (hotfix)
- raw: 'SCHTASKS /Run /TN hotfix_install'
- args:
- executable: cmd.exe
- changed_when: False
- check_mode: no
-
-- pause:
- seconds: 60
-
-- name: delete scheduled task (hotfix)
- raw: 'SCHTASKS /Delete /TN hotfix_install /f'
- args:
- executable: cmd.exe
- changed_when: False
- check_mode: no
- ignore_errors: yes
-
-- name: remove hotfix file
- raw: 'Remove-Item -Path {{ enable_tls_support_hotfix_download_location }}\{{ enable_tls_support_hotfix.file }} -Force'
- changed_when: False
- check_mode: no
- ignore_errors: yes
\ No newline at end of file
diff --git a/roles/oatakan.windows_template_build/tasks/hotfix-tlsv12.yml b/roles/oatakan.windows_template_build/tasks/hotfix-tlsv12.yml
new file mode 100644
index 0000000..a694a08
--- /dev/null
+++ b/roles/oatakan.windows_template_build/tasks/hotfix-tlsv12.yml
@@ -0,0 +1,53 @@
+---
+
+- name: ensure Windows ADK with DISM is installed
+ win_chocolatey:
+ name: windows-adk-deploy
+ state: present
+ version: 10.0.17134.0
+ register: install_windows_adk_deploy
+ notify: ensure Windows ADK with DISM is removed
+
+- name: ensure PATH contains Windows ADK
+ win_path:
+ scope: machine
+ state: present
+ elements: "C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM"
+
+- pause:
+ seconds: 10
+
+- name: download hotfix
+ win_get_url:
+ url: '{{ enable_tlsv12_hotfix.url }}'
+ dest: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
+ register: download_hotfix
+ until: download_hotfix is success
+ delay: 3
+ retries: 5
+
+- block:
+ - name: install hotfix (PS >= 4)
+ win_hotfix:
+ source: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
+ state: present
+ register: hotfix_install
+ when: ansible_powershell_version is version('4', '>=')
+ rescue:
+ - name: install hotfix using shell
+ win_shell: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }} /quiet /norestart'
+ register: hotfix_install
+
+- name: install hotfix (PS == 3)
+ win_shell: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }} /quiet /norestart'
+ register: hotfix_install
+ when: ansible_powershell_version is version('3', '==')
+
+- name: ensure hotfix file is removed
+ win_file:
+ path: '{{ enable_tlsv12_hotfix_download_location }}\{{ enable_tlsv12_hotfix.file }}'
+ state: absent
+
+- name: reboot if needed
+ win_reboot:
+ when: hotfix_install.reboot_required | default(False)
\ No newline at end of file
diff --git a/roles/oatakan.windows_template_build/tasks/main.yml b/roles/oatakan.windows_template_build/tasks/main.yml
index e3f6b01..e65720f 100644
--- a/roles/oatakan.windows_template_build/tasks/main.yml
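Review bot: The fallback `install hotfix using shell` and `install hotfix (PS == 3)` both register `hotfix_install` from `win_shell`, whose result carries no `reboot_required` key, so `reboot if needed` resolves `default(False)` and never reboots after a shell-based `/norestart` install; on that path the decision needs another signal (the .msu exit code, 3010 conventionally meaning reboot-required, though worth confirming for a directly invoked .msu), or the reboot should simply be unconditional after a shell install. `download hotfix` fetches `enable_tlsv12_hotfix.url` with no `checksum`, so nothing verifies the file that is then installed; `win_get_url` accepts `checksum: sha1:<digest>` and the role defaults could carry the value alongside the URL. `notify: ensure Windows ADK with DISM is removed` only fires when the chocolatey install reports changed, so an ADK left behind by an earlier interrupted run is never cleaned up; a plain removal task after the install, or a handler whose trigger does not depend on this task's changed state, is more reliable.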
+++ b/roles/oatakan.windows_template_build/tasks/main.yml
@@ -1,13 +1,16 @@
 ---
-- include_tasks: powershell-upgrade.yml
+- include_role:
+ name: "{{ windows_powershell_upgrade_role }}"
 when: upgrade_powershell | bool
 - name: run setup module
 setup:
+- include_tasks: hotfix-tlsv12.yml
+ when: "'Windows Server 2008' in ansible_distribution or 'Windows 7' in ansible_distribution"
+
 - include_tasks: enable-tlsv12.yml
- when: upgrade_powershell | bool
 - include_tasks: update-agent-win2008.yml
 when: "'Windows Server 2008' in ansible_distribution or 'Windows 7' in ansible_distribution"
@@ -42,7 +45,7 @@
 - include_tasks: policy.yml
 - include_tasks: power.yml
- when: "'Server' not in ansible_distribution"
+ when: (ansible_os_product_type == 'workstation') | default(False)
 - include_tasks: enable-rdp.yml
@@ -55,15 +58,21 @@
 - not target_ovirt | bool
 - not target_vagrant | bool
-- include_tasks: remove-apps-alt-2.yml
+- block:
+ - include_tasks: remove-apps-alt-2.yml
+
+ - include_tasks: remove-onedrive.yml
 when:
 - remove_apps | bool
- - "'Server' not in ansible_distribution"
+ - (ansible_os_product_type == 'workstation') | default(False)
 - include_role:
 name: "{{ ec2_ena_driver_role }}"
 when: target_ec2 | bool
+- name: run all handlers here
+ meta: flush_handlers
+
 - include_tasks: clean-up-components.yml
 when: clean_up_components | bool
diff --git a/roles/oatakan.windows_template_build/tasks/powershell-upgrade.yml b/roles/oatakan.windows_template_build/tasks/powershell-upgrade.yml
deleted file mode 100644
index 28a8c26..0000000
--- a/roles/oatakan.windows_template_build/tasks/powershell-upgrade.yml
+++ /dev/null
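Review bot: `include_tasks: enable-tlsv12.yml` loses its `when: upgrade_powershell | bool` guard, so every host now runs that file's outbound probe to github.com and, when the probe fails, its SCHANNEL registry changes and reboot, including hosts the previous condition excluded; if that widening is intended, a one-line comment above the include such as `# runs on every host: probes TLS 1.2 and fixes SCHANNEL if the probe fails` would stop the next reader from re-adding the guard. The `include_role` for `windows_powershell_upgrade_role` moves the whole PowerShell upgrade, including the auto-logon credential handling the deleted `powershell-upgrade.yml` cleaned up at its end, out of this repository; pinning that role to a version in the requirements file is the supply-chain control for it, and I do not see such an entry in the requirements hunks of this commit.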
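Review bot: `when: (ansible_os_product_type == 'workstation') | default(False)` applies `default` to the result of the comparison rather than to the variable; on a host where the fact is missing (older Ansible, or a trimmed `setup`) the `==` is evaluated against an undefined value before `default` sees anything, which I believe raises instead of yielding False. `when: (ansible_os_product_type | default('')) == 'workstation'` defaults the variable itself and reads the same. The third hunk's list entry `- (ansible_os_product_type == 'workstation') | default(False)` has the same shape and should change with it.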
@@ -1,102 +0,0 @@ ---- - -- include_tasks: enable_powershell.yml - -- include_tasks: enable_tls_system_default.yml - -- name: download script - raw: '[Net.ServicePointManager]::SecurityProtocol = [Enum]::ToObject([Net.SecurityProtocolType], 3072); (New-Object -TypeName System.Net.WebClient).DownloadFile("{{ powershell_script_url }}", "{{ powershell_upgrade_script_file }}")' - changed_when: False - check_mode: no - register: download_script - -- name: set execution policy - raw: 'Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force' - changed_when: False - check_mode: no - ignore_errors: yes - -- name: delete scheduled task if it exists - raw: 'SCHTASKS /Delete /TN upgrade /f' - args: - executable: cmd.exe - changed_when: False - check_mode: no - failed_when: False - -- name: create a scheduled task to run powershell script - raw: > - SCHTASKS /Create /SC MONTHLY /MO first /D SUN /TN upgrade /TR "powershell.exe -Command - '& {{ powershell_upgrade_script_file }} -Version {{ powershell_target_version }} - -Username {{ ansible_user }} -Password {{ ansible_password }}'" - args: - executable: cmd.exe - changed_when: False - check_mode: no - -- name: start windows update service - raw: net start wuauserv - args: - executable: cmd.exe - failed_when: false - -- pause: - seconds: 60 - -- name: run scheduled task - raw: 'SCHTASKS /Run /TN upgrade' - args: - executable: cmd.exe - changed_when: False - check_mode: no - -- pause: - seconds: "{{ upgrade_wait_timeout }}" - -- name: wait for powershell upgrade task to finish - raw: '((schtasks /query /TN upgrade)[4] -split " +")[-2]' - changed_when: False - check_mode: no - register: upgrade_status_check - failed_when: false - until: (upgrade_status_check.stdout | trim | lower) == 'ready' - delay: 10 - retries: 10 - -- debug: - msg: "{{ powershell_target_version }}" - -# apply winrm memory hotfix for powershell 3.0 -- include_tasks: winrm-memfix.yml - when: powershell_target_version is version('3.0', '==') - -- name: wait for 
system to reboot after upgrade - wait_for_connection: - sleep: 60 - timeout: 400 - -- name: delete scheduled task - win_scheduled_task: - name: upgrade - state: absent - -- name: delete script - win_file: - path: "{{ powershell_upgrade_script_file }}" - state: absent - -- name: ensure auto login is disabled - win_regedit: - path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon - name: AutoAdminLogon - data: 0 - type: string - -- name: ensure auto login creds are removed - win_regedit: - path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon - name: "{{ item }}" - state: absent - loop: - - DefaultUserName - - DefaultPassword \ No newline at end of file diff --git a/roles/oatakan.windows_template_build/tasks/remove-onedrive.yml b/roles/oatakan.windows_template_build/tasks/remove-onedrive.yml index e4dfa8e..9f88618 100644 --- a/roles/oatakan.windows_template_build/tasks/remove-onedrive.yml +++ b/roles/oatakan.windows_template_build/tasks/remove-onedrive.yml @@ -8,6 +8,10 @@ win_shell: '{{ ansible_env.SystemRoot }}\SysWOW64\OneDriveSetup.exe /uninstall' ignore_errors: yes +- name: remove onedrivesync package + win_shell: get-appxpackage *Microsoft.OneDriveSync* | remove-appxpackage -AllUsers + ignore_errors: yes + - name: remove onedrive directories win_file: path: '{{ item }}' diff --git a/roles/oatakan.windows_template_build/tasks/security-update-win2012.yml b/roles/oatakan.windows_template_build/tasks/security-update-win2012.yml index b8453b7..6f826cb 100644 --- a/roles/oatakan.windows_template_build/tasks/security-update-win2012.yml +++ b/roles/oatakan.windows_template_build/tasks/security-update-win2012.yml 
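Review bot: The new `remove onedrivesync package` task in `remove-onedrive.yml` leans on `ignore_errors: yes`, which still records a failure (red output and an `ignored` count) rather than treating the not-installed case as normal; `Get-AppxPackage` returns nothing when no package matches, so the pipeline succeeds on a clean host and a real failure would be worth seeing. If errors are genuinely expected, `failed_when: false` is the explicit form, and a `changed_when` based on the output would stop every run reporting a change. The `-AllUsers` switch on `Remove-AppxPackage` presumably needs a fairly recent Windows 10 build; a comment on the task noting the minimum version it was tested against would help.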
@@ -11,16 +11,22 @@ delay: 3 retries: 5 -- name: install hotfix (PS >= 4) - win_hotfix: - source: '{{ dot_net_security_hotfix_download_location }}\{{ dot_net_security_hotfix.file }}' - state: present - register: hotfix_install - when: ansible_powershell_version is version('4', '>=') +- block: + - name: install hotfix (PS >= 4) + win_hotfix: + source: '{{ dot_net_security_hotfix_download_location }}\{{ dot_net_security_hotfix.file }}' + state: present + register: hotfix_install + when: ansible_powershell_version is version('4', '>=') + rescue: + - name: install hotfix using shell + win_shell: '{{ dot_net_security_hotfix_download_location }}\{{ dot_net_security_hotfix.file }} /quiet /norestart' + register: hotfix_install -- name: debug hotfix installation result - debug: - var: hotfix_install +- name: install hotfix (PS == 3) + win_shell: '{{ dot_net_security_hotfix_download_location }}\{{ dot_net_security_hotfix.file }} /quiet /norestart' + register: hotfix_install + when: ansible_powershell_version is version('3', '==') - name: ensure hotfix file is removed win_file: diff --git a/roles/oatakan.windows_template_build/tasks/winrm-memfix.yml b/roles/oatakan.windows_template_build/tasks/winrm-memfix.yml deleted file mode 100644 index 4fdb29c..0000000 --- a/roles/oatakan.windows_template_build/tasks/winrm-memfix.yml +++ /dev/null 
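Review bot: The `rescue:` fallback `install hotfix using shell` registers a `win_shell` result into `hotfix_install`, the same name the `win_hotfix` path uses, but the two result shapes differ: the shell result has no `reboot_required`, and a non-zero exit status such as 3010 (reboot required, common for Windows installers run with `/norestart`) fails the task, which inside a rescue aborts the play. Consider `failed_when: hotfix_install.rc not in [0, 3010]` on the fallback and deriving a reboot flag from `hotfix_install.rc == 3010` for whatever consumes it later (the consumer is outside this hunk; in `hotfix-tlsv12.yml` the `reboot if needed` task tests `hotfix_install.reboot_required | default(False)`, which is always false on the shell path). The same fallback is introduced in `hotfix-tlsv12.yml` and `updates-win2008r2.yml`.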
@@ -1,69 +0,0 @@ ---- - -# see https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html#winrm-memory-hotfix - -- name: download script - raw: '[Net.ServicePointManager]::SecurityProtocol = [Enum]::ToObject([Net.SecurityProtocolType], 3072); (New-Object -TypeName System.Net.WebClient).DownloadFile("{{ ps_memfix_script_url }}", "{{ ps_memfix_script_file }}")' - changed_when: False - check_mode: no - register: download_script - -- name: set execution policy - raw: 'Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force' - changed_when: False - check_mode: no - ignore_errors: yes - -- name: delete scheduled task if it exists - raw: 'SCHTASKS /Delete /TN memfix /f' - args: - executable: cmd.exe - changed_when: False - check_mode: no - failed_when: False - -- name: create a scheduled task to run powershell script - raw: > - SCHTASKS /Create /SC MONTHLY /MO first /D SUN /TN memfix /TR "powershell.exe -Command - '& {{ ps_memfix_script_file }} -Verbose'" - args: - executable: cmd.exe - changed_when: False - check_mode: no - -- name: run scheduled task - raw: 'SCHTASKS /Run /TN memfix' - args: - executable: cmd.exe - changed_when: False - check_mode: no - -- name: wait for system to reboot after fix - wait_for_connection: - delay: 300 - sleep: 30 - timeout: 300 - -- name: wait for powershell memfix task to finish - raw: '((schtasks /query /TN memfix)[4] -split " +")[-2]' - changed_when: False - check_mode: no - register: memfix_status_check - failed_when: false - until: (memfix_status_check.stdout | trim | lower) == 'ready' - delay: 10 - retries: 30 - -- name: delete scheduled task - win_scheduled_task: - name: memfix - state: absent - register: delete_scheduled_task - until: delete_scheduled_task is success - delay: 10 - retries: 10 - -- name: delete script - win_file: - path: "{{ ps_memfix_script_file }}" - state: absent \ No newline at end of file 
diff --git a/roles/oatakan.windows_template_build/vars/main.yml b/roles/oatakan.windows_template_build/vars/main.yml index a571171..e14b634 100644 --- a/roles/oatakan.windows_template_build/vars/main.yml +++ b/roles/oatakan.windows_template_build/vars/main.yml @@ -1,5 +1,7 @@ --- +temp_directory: "{{ ansible_env.TEMP | default(default_temp_directory) }}" + unattend: administrator_password: "{{ local_administrator_password }}" local_accounts: diff --git a/roles/oatakan.windows_update/defaults/main.yml b/roles/oatakan.windows_update/defaults/main.yml index e9a1b41..b8d1381 100644 --- a/roles/oatakan.windows_update/defaults/main.yml +++ b/roles/oatakan.windows_update/defaults/main.yml @@ -1,5 +1,6 @@ --- +update_retry_count: 0 update_retry_limit: 10 win_update_category_names: - CriticalUpdates diff --git a/roles/oatakan.windows_update/handlers/main.yml b/roles/oatakan.windows_update/handlers/main.yml new file mode 100644 index 0000000..66372ec --- /dev/null +++ b/roles/oatakan.windows_update/handlers/main.yml @@ -0,0 +1,10 @@ +--- + +- name: ensure Windows ADK with DISM is removed + win_chocolatey: + name: windows-adk-deploy + state: absent + register: remove_win_adk_dism + until: remove_win_adk_dism is success + delay: 3 + retries: 5 \ No newline at end of file diff --git a/roles/oatakan.windows_update/meta/.galaxy_install_info b/roles/oatakan.windows_update/meta/.galaxy_install_info index ae3da43..507346c 100644 --- a/roles/oatakan.windows_update/meta/.galaxy_install_info +++ b/roles/oatakan.windows_update/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Wed Jun 30 01:12:50 2021 +install_date: Fri Oct 15 18:59:19 2021 version: master diff --git a/roles/oatakan.windows_update/tasks/updates-all.yml b/roles/oatakan.windows_update/tasks/updates-all.yml index 108b25b..d85c8ad 100644 --- a/roles/oatakan.windows_update/tasks/updates-all.yml +++ b/roles/oatakan.windows_update/tasks/updates-all.yml 
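Review bot: `temp_directory` is added to `vars/main.yml`, which has role-variable precedence, so it cannot be overridden from inventory, `group_vars` or play `vars` without `-e`; the `default(default_temp_directory)` fallback suggests it is meant to be tunable, in which case `defaults/main.yml` is the conventional home. If it is deliberately fixed, a comment such as `# Prefer the WinRM user's TEMP from gathered facts; fall back to default_temp_directory` documents the intent. Note the value depends on `ansible_env`, so it only resolves to the TEMP path after facts have been gathered.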
@@ -10,9 +10,11 @@ - debug: msg: | {{ inventory_hostname }} has {{ available_updates.found_update_count }} updates available. - {% for key, value in available_updates.updates.items() %} - - {{ value.title }} + {% for update in updates %} + - {{ update.title }} {% endfor %} + vars: + updates: "{{ (available_updates.updates.values() | list) if (available_updates.updates is mapping) else (available_updates.updates) }}" when: available_updates.updates is defined - include_tasks: updates-with-retry.yml @@ -20,7 +22,7 @@ - available_updates.updates is defined - available_updates.found_update_count > 0 -- name: check for missing updates. +- name: check for missing updates win_updates: state: searched register: available_updates diff --git a/roles/oatakan.windows_update/tasks/updates-powershell.yml b/roles/oatakan.windows_update/tasks/updates-powershell.yml index 2f1a45c..a80612b 100644 --- a/roles/oatakan.windows_update/tasks/updates-powershell.yml +++ b/roles/oatakan.windows_update/tasks/updates-powershell.yml @@ -16,9 +16,11 @@ - debug: msg: | {{ inventory_hostname }} has {{ available_updates.found_update_count }} updates available. - {% for key, value in available_updates.updates.items() %} - - {{ value.title }} + {% for update in updates %} + - {{ update.title }} {% endfor %} + vars: + updates: "{{ (available_updates.updates.values() | list) if (available_updates.updates is mapping) else (available_updates.updates) }}" when: available_updates.updates is defined - block: @@ -67,9 +69,11 @@ - debug: msg: | {{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing. - {% for key, value in missing_updates.updates.items() %} - - {{ value.title }} + {% for update in updates %} + - {{ update.title }} {% endfor %} + vars: + updates: "{{ (missing_updates.updates.values() | list) if (missing_updates.updates is mapping) else (missing_updates.updates) }}" when: missing_updates.updates is defined - block: 
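Review bot: The `updates:` normalization `(available_updates.updates.values() | list) if (available_updates.updates is mapping) else (available_updates.updates)` is introduced verbatim in five debug tasks across `updates-all.yml`, `updates-powershell.yml` (twice), `updates-win2008r2.yml` and `updates-with-retry.yml`, with nothing saying why both shapes are handled. A one-line comment above each `vars:` would spare the next reader a module-history lookup, e.g. `# win_updates returns 'updates' as a dict keyed by id on older module versions and as a list on newer ones; normalize to a list` (inferred from the change itself; confirm against the ansible.windows version the role pins). Alternatively normalize once with a `set_fact` right after each `win_updates` register so the five copies collapse to a plain `{% for update in available_updates_list %}`.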
diff --git a/roles/oatakan.windows_update/tasks/updates-win2008r2.yml b/roles/oatakan.windows_update/tasks/updates-win2008r2.yml index 700c36f..e2fe4a3 100644 --- a/roles/oatakan.windows_update/tasks/updates-win2008r2.yml +++ b/roles/oatakan.windows_update/tasks/updates-win2008r2.yml @@ -6,6 +6,7 @@ state: present version: 10.0.17134.0 register: install_windows_adk_deploy + notify: ensure Windows ADK with DISM is removed - name: ensure PATH contains Windows ADK win_path: @@ -13,19 +14,25 @@ state: present elements: "C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM" -- name: download hotfix group 1 (PS >= 4) +- name: download hotfix group 1 win_get_url: url: '{{ item.url }}' dest: '{{ hotfix_download_location }}\{{ item.file }}' loop: "{{ hotfixes_group_1 }}" -- name: install hotfix group 1 - win_hotfix: - source: '{{ hotfix_download_location }}\{{ item.file }}' - state: present - register: hotfix_install_group_1 - loop: "{{ hotfixes_group_1 }}" - when: ansible_powershell_version is version('4', '>=') +- block: + - name: install hotfix group 1 (PS >= 4) + win_hotfix: + source: '{{ hotfix_download_location }}\{{ item.file }}' + state: present + register: hotfix_install_group_1 + loop: "{{ hotfixes_group_1 }}" + when: ansible_powershell_version is version('4', '>=') + rescue: + - name: install hotfix using shell + win_shell: '{{ hotfix_download_location }}\{{ item.file }} /quiet /norestart' + register: hotfix_install_group_1 + loop: "{{ hotfixes_group_1 }}" - name: install hotfix (PS == 3) win_shell: '{{ hotfix_download_location }}\{{ item.file }} /quiet /norestart' 
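Review bot: In the new `rescue:` block, `install hotfix using shell` loops over the whole `hotfixes_group_1` again, so a single `win_hotfix` failure re-runs every installer in the group, including the ones that succeeded. If `hotfix_install_group_1` keeps the usual loop shape, restricting the fallback to the failed items is one line: `loop: "{{ hotfix_install_group_1.results | selectattr('failed', 'defined') | selectattr('failed') | map(attribute='item') | list }}"`. Re-registering `hotfix_install_group_1` from the shell path also changes its shape (no per-item `reboot_required`), which matters for whatever consumes it later in the file, outside this hunk.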
@@ -56,9 +63,11 @@ - debug: msg: | {{ inventory_hostname }} has {{ available_updates.found_update_count }} updates available. - {% for key, value in available_updates.updates.items() %} - - {{ value.title }} + {% for update in updates %} + - {{ update.title }} {% endfor %} + vars: + updates: "{{ (available_updates.updates.values() | list) if (available_updates.updates is mapping) else (available_updates.updates) }}" when: available_updates.updates is defined - include_tasks: updates-with-retry.yml @@ -73,9 +82,4 @@ - name: list missing updates debug: - var: available_updates - -- name: make sure Windows ADK with DISM for Server 2008 R2 is not installed - win_chocolatey: - name: windows-adk-deploy - state: absent \ No newline at end of file + var: available_updates \ No newline at end of file diff --git a/roles/oatakan.windows_update/tasks/updates-with-retry.yml b/roles/oatakan.windows_update/tasks/updates-with-retry.yml index facf18d..2c40d7c 100644 --- a/roles/oatakan.windows_update/tasks/updates-with-retry.yml +++ b/roles/oatakan.windows_update/tasks/updates-with-retry.yml @@ -58,9 +58,11 @@ - debug: msg: | {{ inventory_hostname }} has {{ missing_updates.found_update_count }} updates still missing. - {% for key, value in missing_updates.updates.items() %} - - {{ value.title }} + {% for update in updates %} + - {{ update.title }} {% endfor %} + vars: + updates: "{{ (missing_updates.updates.values() | list) if (missing_updates.updates is mapping) else (missing_updates.updates) }}" when: missing_updates.updates is defined - name: still more updates - need to retry diff --git a/roles/oatakan.windows_virtio/defaults/main.yml b/roles/oatakan.windows_virtio/defaults/main.yml index cd20f2d..73b386b 100644 --- a/roles/oatakan.windows_virtio/defaults/main.yml +++ b/roles/oatakan.windows_virtio/defaults/main.yml 
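Review bot: Dropping the inline `make sure Windows ADK with DISM for Server 2008 R2 is not installed` task in favour of the `notify` added at the top of `updates-win2008r2.yml` changes when the cleanup happens: handlers run at the end of the play or at a `meta: flush_handlers`, and they are skipped entirely when a task fails first unless `force_handlers` is set, so a failed update run now leaves `windows-adk-deploy` installed on the template. Consider `force_handlers: true` on the play, or a `meta: flush_handlers` at the end of this task file, so the removal stays reliable. The `flush_handlers` added in this diff lives in the windows_template_build role's `main.yml`, which does not help plays that use windows_update on its own.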
@@ -11,7 +11,9 @@ virtio_win_ovirt: false virtio_win_facts: "{{ ansible_env.SystemDrive }}\\{{ source_of_supply_name | default('Support') }}\\facts.d" virtio_driver_directory: >- - {% if 'Windows Server 2019' in ansible_distribution -%} + {% if 'Windows Server 2022' in ansible_distribution -%} + {% set virt_dir = '2k19' %} + {% elif 'Windows Server 2019' in ansible_distribution -%} {% set virt_dir = '2k19' %} {% elif 'Windows Server 2016' in ansible_distribution -%} {% set virt_dir = '2k16' %} diff --git a/roles/oatakan.windows_virtio/handlers/main.yml b/roles/oatakan.windows_virtio/handlers/main.yml index d5a5e4d..440c14e 100644 --- a/roles/oatakan.windows_virtio/handlers/main.yml +++ b/roles/oatakan.windows_virtio/handlers/main.yml @@ -4,7 +4,7 @@ win_disk_image: image_path: "{{ ansible_env.TEMP }}\\{{ virtio_win_iso_name }}" state: absent - when: win_disk_image.mount_path is defined + when: win_disk_image.mount_paths is defined - name: Delete downloaded win_file: diff --git a/roles/oatakan.windows_virtio/meta/.galaxy_install_info b/roles/oatakan.windows_virtio/meta/.galaxy_install_info index 0ee7910..9260faa 100644 --- a/roles/oatakan.windows_virtio/meta/.galaxy_install_info +++ b/roles/oatakan.windows_virtio/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Wed Jun 30 01:12:49 2021 +install_date: Fri Oct 15 18:59:17 2021 version: master diff --git a/roles/oatakan.windows_virtio/tasks/install.yml b/roles/oatakan.windows_virtio/tasks/install.yml index d28309a..6d70876 100644 --- a/roles/oatakan.windows_virtio/tasks/install.yml +++ b/roles/oatakan.windows_virtio/tasks/install.yml 
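Review bot: The new `Windows Server 2022` branch sets `virt_dir = '2k19'`, the same value as the `Windows Server 2019` branch directly below it, so the two could be one branch (`{% if 'Windows Server 2022' in ansible_distribution or 'Windows Server 2019' in ansible_distribution -%}`), and the reuse deserves a comment: as far as I know, current virtio-win ISOs ship a dedicated `2k22` directory, so `# 2022 reuses the 2k19 drivers: the pinned virtio-win ISO has no 2k22 directory` (or the actual reason) tells the next maintainer whether to revisit this when the ISO is bumped. If the ISO in use does contain `2k22`, mapping 2022 to `2k19` installs drivers built for a different release.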
@@ -2,8 +2,8 @@ - name: Set the virtio_win_iso_path and virtio_win_virtio_path set_fact: - virtio_win_iso_path: '{{ win_disk_image.mount_path | default(virtio_iso_mount_drive) }}' - virtio_win_virtio_path: "{{ (win_disk_image.mount_path | default(virtio_iso_mount_drive)) + '\\virtio' if virtio_win_ovirt else (win_disk_image.mount_path | default(virtio_iso_mount_drive)) }}" + virtio_win_iso_path: '{{ win_disk_image.mount_paths[0] | default(virtio_iso_mount_drive) }}' + virtio_win_virtio_path: "{{ (win_disk_image.mount_paths[0] | default(virtio_iso_mount_drive)) + '\\virtio' if virtio_win_ovirt else (win_disk_image.mount_paths[0] | default(virtio_iso_mount_drive)) }}" virtio_win_iso_name: "{{ virtio_win_iso_name }}" when: - virtio_iso_mount_drive | length > 0 or ('Windows Server 2008' not in ansible_distribution and 'Windows 7' not in ansible_distribution)
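Review bot: `win_disk_image.mount_paths[0] | default(virtio_iso_mount_drive)` is now spelled out three times inside one `set_fact`; a task-level `vars:` entry keeps the fallback in one place, e.g. `vars:` / `  iso_root: "{{ win_disk_image.mount_paths[0] | default(virtio_iso_mount_drive) }}"` and then `virtio_win_iso_path: '{{ iso_root }}'`. The trailing `default` is presumably also what covers the case where `win_disk_image` was skipped and has no `mount_paths` at all; a short comment saying so would make the expression less surprising. The task's `when:` list continues past this hunk.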