1 # -*- coding: utf-8 -*-
3 # Copyright 2012 GRNET S.A. All rights reserved.
5 # Redistribution and use in source and binary forms, with or
6 # without modification, are permitted provided that the following
9 # 1. Redistributions of source code must retain the above
10 # copyright notice, this list of conditions and the following
13 # 2. Redistributions in binary form must reproduce the above
14 # copyright notice, this list of conditions and the following
15 # disclaimer in the documentation and/or other materials
16 # provided with the distribution.
18 # THIS SOFTWARE IS PROVIDED BY GRNET S.A. ``AS IS'' AND ANY EXPRESS
19 # OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
21 # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL GRNET S.A OR
22 # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
23 # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
24 # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
25 # USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
26 # AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28 # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 # POSSIBILITY OF SUCH DAMAGE.
31 # The views and conclusions contained in the software and
32 # documentation are those of the authors and should not be
33 # interpreted as representing official policies, either expressed
34 # or implied, of GRNET S.A.
36 """This module hosts OS-specific code common for the various Microsoft
39 from image_creator.os_type import OSBase, sysprep
40 from image_creator.util import FatalError, check_guestfs_version, get_command
51 kvm = get_command('kvm')
56 class Windows(OSBase):
57 """OS class for Windows"""
58 def __init__(self, image, **kargs):
59 super(Windows, self).__init__(image, **kargs)
61 device = self.g.part_to_dev(self.root)
63 self.last_part_num = self.g.part_list(device)[-1]['part_num']
64 self.last_drive = None
65 self.system_drive = None
67 for drive, partition in self.g.inspect_get_drive_mappings(self.root):
68 if partition == "%s%d" % (device, self.last_part_num):
69 self.last_drive = drive
70 if partition == self.root:
71 self.system_drive = drive
73 assert self.system_drive
75 def needed_sysprep_params(self):
76 """Returns a list of needed sysprep parameters. Each element in the
77 list is a SysprepParam object.
79 password = self.SysprepParam(
80 'password', 'Image Administrator Password', 20, lambda x: True)
84 @sysprep('Disabling IPv6 privacy extensions')
85 def disable_ipv6_privacy_extensions(self):
86 """Disable IPv6 privacy extensions"""
88 self._guest_exec('netsh interface ipv6 set global '
89 'randomizeidentifiers=disabled store=persistent')
91 @sysprep('Disabling Teredo interface')
92 def disable_teredo(self):
93 """Disable Teredo interface"""
95 self._guest_exec('netsh interface teredo set state disabled')
97 @sysprep('Disabling ISATAP Adapters')
98 def disable_isatap(self):
99 """Disable ISATAP Adapters"""
101 self._guest_exec('netsh interface isa set state disabled')
103 @sysprep('Enabling ping responses')
104 def enable_pings(self):
105 """Enable ping responces"""
107 self._guest_exec('netsh firewall set icmpsetting 8')
109 @sysprep('Disabling hibernation support')
110 def disable_hibernation(self):
111 """Disable hibernation support and remove the hibernation file"""
113 self._guest_exec(r'powercfg.exe /hibernate off')
115 @sysprep('Setting the system clock to UTC')
117 """Set the hardware clock to UTC"""
119 path = r'HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
121 r'REG ADD %s /v RealTimeIsUniversal /t REG_DWORD /d 1 /f' % path)
123 @sysprep('Clearing the event logs')
124 def clear_logs(self):
125 """Clear all the event logs"""
128 r"cmd /q /c for /f %l in ('wevtutil el') do wevtutil cl %l")
130 @sysprep('Executing sysprep on the image (may take more that 10 minutes)')
131 def microsoft_sysprep(self):
132 """Run the Microsoft System Preparation Tool. This will remove
133 system-specific data and will make the image ready to be deployed.
134 After this no other task may run.
137 self._guest_exec(r'C:\Windows\system32\sysprep\sysprep '
138 r'/quiet /generalize /oobe /shutdown')
139 self.syspreped = True
141 @sysprep('Shrinking the last filesystem')
143 """Shrink the last filesystem. Make sure the filesystem is defragged"""
145 # Query for the maximum number of reclaimable bytes
147 r'cmd /Q /C "SET SCRIPT=%TEMP%\QUERYMAX_%RANDOM%.TXT & ' +
148 r'ECHO SELECT DISK 0 > %SCRIPT% & ' +
149 'ECHO SELECT PARTITION %d >> %%SCRIPT%% & ' % self.last_part_num +
150 r'ECHO SHRINK QUERYMAX >> %SCRIPT% & ' +
151 r'ECHO EXIT >> %SCRIPT% & ' +
152 r'DISKPART /S %SCRIPT% & ' +
153 r'IF ERRORLEVEL 1 EXIT /B 1 & ' +
156 stdout, stderr, rc = self._guest_exec(cmd)
159 for line in stdout.splitlines():
160 # diskpart will return something like this:
162 # The maximum number of reclaimable bytes is: xxxx MB
164 if line.find('reclaimable') >= 0:
165 querymax = line.split(':')[1].split()[0].strip()
166 assert querymax.isdigit(), \
167 "Number of reclaimable bytes not a number"
170 FatalError("Error in shrinking! "
171 "Couldn't find the max number of reclaimable bytes!")
173 querymax = int(querymax)
175 # Practically the smallest shrunken size generally is at around
176 # "used space" + (20-200 MB). Please also take into account that
177 # Windows might need about 50-100 MB free space left to boot safely.
178 # I'll give 100MB extra space just to be sure
182 self.out.warn("Not enought available space to shrink the image!")
186 r'cmd /Q /C "SET SCRIPT=%TEMP%\QUERYMAX_%RANDOM%.TXT & ' +
187 r'ECHO SELECT DISK 0 > %SCRIPT% & ' +
188 'ECHO SELECT PARTITION %d >> %%SCRIPT%% & ' % self.last_part_num +
189 'ECHO SHRINK DESIRED=%d >> %%SCRIPT%% & ' % querymax +
190 r'ECHO EXIT >> %SCRIPT% & ' +
191 r'DISKPART /S %SCRIPT% & ' +
192 r'IF ERRORLEVEL 1 EXIT /B 1 & ' +
195 stdout, stderr, rc = self._guest_exec(cmd)
197 for line in stdout.splitlines():
198 if line.find('shrunk') >= 0:
199 self.out.output(line)
201 def do_sysprep(self):
202 """Prepare system for image creation."""
204 if getattr(self, 'syspreped', False):
205 raise FatalError("Image is already syspreped!")
207 txt = "System preparation parameter: `%s' is needed but missing!"
208 for param in self.needed_sysprep_params():
209 if param[0] not in self.sysprep_params:
210 raise FatalError(txt % param[0])
212 self.mount(readonly=False)
214 disabled_uac = self._update_uac_remote_setting(1)
215 token = self._enable_os_monitor()
217 # disable the firewalls
218 firewall_states = self._update_firewalls(0, 0, 0)
220 # Delete the pagefile. It will be recreated when the system boots
221 systemroot = self.g.inspect_get_windows_systemroot(self.root)
222 pagefile = "%s/pagefile.sys" % systemroot
223 self.g.rm_rf(self.g.case_sensitive_path(pagefile))
228 self.out.output("Shutting down helper VM ...", False)
230 # guestfs_shutdown which is the prefered way to shutdown the backend
231 # process was introduced in version 1.19.16
232 if check_guestfs_version(self.g, 1, 19, 16) >= 0:
233 ret = self.g.shutdown()
235 ret = self.g.kill_subprocess()
237 self.out.success('done')
242 self.out.output("Starting windows VM ...", False)
243 monitorfd, monitor = tempfile.mkstemp()
245 vm, display = self._create_vm(monitor)
246 self.out.success("started (console on vnc display: %d)." % display)
248 self.out.output("Waiting for OS to boot ...", False)
249 if not self._wait_on_file(monitor, token):
250 raise FatalError("Windows booting timed out.")
252 time.sleep(10) # Just to be sure everything is up
253 self.out.success('done')
255 self.out.output("Disabling automatic logon ...", False)
256 self._disable_autologon()
257 self.out.success('done')
259 self.out.output('Preparing system from image creation:')
261 tasks = self.list_syspreps()
262 enabled = filter(lambda x: x.enabled, tasks)
265 # Make sure shrink runs in the end, before ms sysprep
266 enabled = filter(lambda x: self.sysprep_info(x).name != 'shrink',
269 shrink_enabled = False
270 if len(enabled) != size:
271 enabled.append(self.shrink)
272 shrink_enabled = True
274 # Make sure the ms sysprep is the last task to run if it is enabled
276 lambda x: self.sysprep_info(x).name != 'microsoft-sysprep',
279 ms_sysprep_enabled = False
280 if len(enabled) != size:
281 enabled.append(self.microsoft_sysprep)
282 ms_sysprep_enabled = True
287 self.out.output(('(%d/%d)' % (cnt, size)).ljust(7), False)
289 setattr(task.im_func, 'executed', True)
291 self.out.output("Sending shut down command ...", False)
292 if not ms_sysprep_enabled:
294 self.out.success("done")
296 self.out.output("Waiting for windows to shut down ...", False)
298 self.out.success("done")
300 if monitor is not None:
306 self.out.output("Relaunching helper VM (may take a while) ...",
309 self.out.success('done')
311 self.mount(readonly=False)
314 self._update_uac_remote_setting(0)
316 self._update_firewalls(*firewall_states)
320 def _create_vm(self, monitor):
321 """Create a VM with the image attached as the disk
323 monitor: a file to be used to monitor when the OS is up
327 mac = [0x00, 0x16, 0x3e,
328 random.randint(0x00, 0x7f),
329 random.randint(0x00, 0xff),
330 random.randint(0x00, 0xff)]
332 return ':'.join(map(lambda x: "%02x" % x, mac))
334 # Use ganeti's VNC port range for a random vnc port
335 vnc_port = random.randint(11000, 14999)
336 display = vnc_port - 5900
339 '-smp', '1', '-m', '1024', '-drive',
340 'file=%s,format=raw,cache=unsafe,if=virtio' % self.image.device,
341 '-netdev', 'type=user,hostfwd=tcp::445-:445,id=netdev0',
342 '-device', 'virtio-net-pci,mac=%s,netdev=netdev0' % random_mac(),
343 '-vnc', ':%d' % display, '-serial', 'file:%s' % monitor, _bg=True)
347 def _destroy_vm(self, vm):
348 """Destroy a VM previously created by _create_vm"""
353 """Shuts down the windows VM"""
354 self._guest_exec(r'shutdown /s /t 5')
356 def _wait_on_file(self, fname, msg):
357 """Wait until a message appears on a file"""
359 for i in range(BOOT_TIMEOUT):
361 with open(fname) as f:
363 if line.startswith(msg):
367 def _disable_autologon(self):
368 """Disable automatic logon on the windows image"""
371 r'"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"'
373 self._guest_exec('REG DELETE %s /v DefaultUserName /f' % winlogon)
374 self._guest_exec('REG DELETE %s /v DefaultPassword /f' % winlogon)
375 self._guest_exec('REG DELETE %s /v AutoAdminLogon /f' % winlogon)
377 def _registry_file_path(self, regfile):
378 """Retrieves the case sensitive path to a registry file"""
380 systemroot = self.g.inspect_get_windows_systemroot(self.root)
381 path = "%s/system32/config/%s" % (systemroot, regfile)
383 path = self.g.case_sensitive_path(path)
384 except RuntimeError as e:
385 raise FatalError("Unable to retrieve registry file: %s. Reason: %s"
389 def _enable_os_monitor(self):
390 """Add a script in the registry that will send a random string to the
391 first serial port when the windows image finishes booting.
394 token = "".join(random.choice(string.ascii_letters) for x in range(16))
396 path = self._registry_file_path('SOFTWARE')
397 softwarefd, software = tempfile.mkstemp()
400 self.g.download(path, software)
402 h = hivex.Hivex(software, write=True)
404 # Enable automatic logon.
405 # This is needed because we need to execute a script that we add in
406 # the RunOnce registry entry and those programs only get executed
407 # when a user logs on. There is a RunServicesOnce registry entry
408 # whose keys get executed in the background when the logon dialog
409 # box first appears, but they seem to only work with services and
410 # not arbitrary command line expressions :-(
412 # Instructions on how to turn on automatic logon in Windows can be
413 # found here: http://support.microsoft.com/kb/324737
415 # Warning: Registry change will not work if the “Logon Banner” is
416 # defined on the server either by a Group Policy object (GPO) or by
420 for child in ('Microsoft', 'Windows NT', 'CurrentVersion',
422 winlogon = h.node_get_child(winlogon, child)
426 {'key': 'DefaultUserName', 't': 1,
427 'value': "Administrator".encode('utf-16le')})
430 {'key': 'DefaultPassword', 't': 1,
431 'value': self.sysprep_params['password'].encode('utf-16le')})
434 {'key': 'AutoAdminLogon', 't': 1,
435 'value': "1".encode('utf-16le')})
438 for child in ('Microsoft', 'Windows', 'CurrentVersion'):
439 key = h.node_get_child(key, child)
441 runonce = h.node_get_child(key, "RunOnce")
443 runonce = h.node_add_child(key, "RunOnce")
446 r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
447 r'-ExecutionPolicy RemoteSigned '
448 r'"&{$port=new-Object System.IO.Ports.SerialPort COM1,9600,'
449 r'None,8,one;$port.open();$port.WriteLine(\"' + token + r'\");'
450 r'$port.Close()}"').encode('utf-16le')
452 h.node_set_value(runonce,
453 {'key': "BootMonitor", 't': 1, 'value': value})
456 r'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion'
457 r'\policies\system /v LocalAccountTokenFilterPolicy'
458 r' /t REG_DWORD /d 1 /f').encode('utf-16le')
460 h.node_set_value(runonce,
461 {'key': "UpdateRegistry", 't': 1, 'value': value})
465 self.g.upload(software, path)
471 def _update_firewalls(self, domain, public, standard):
472 """Enables or disables the firewall for the Domain, the Public and the
473 Standard profile. Returns a triplete with the old values.
475 1 will enable a firewall and 0 will disable it
478 if domain not in (0, 1):
479 raise ValueError("Valid values for domain parameter are 0 and 1")
481 if public not in (0, 1):
482 raise ValueError("Valid values for public parameter are 0 and 1")
484 if standard not in (0, 1):
485 raise ValueError("Valid values for standard parameter are 0 and 1")
487 path = self._registry_file_path("SYSTEM")
488 systemfd, system = tempfile.mkstemp()
491 self.g.download(path, system)
493 h = hivex.Hivex(system, write=True)
495 select = h.node_get_child(h.root(), 'Select')
496 current_value = h.node_get_value(select, 'Current')
498 # expecting a little endian dword
499 assert h.value_type(current_value)[1] == 4
500 current = "%03d" % h.value_dword(current_value)
502 firewall_policy = h.root()
503 for child in ('ControlSet%s' % current, 'services', 'SharedAccess',
504 'Parameters', 'FirewallPolicy'):
505 firewall_policy = h.node_get_child(firewall_policy, child)
508 new_values = [domain, public, standard]
509 for profile in ('Domain', 'Public', 'Standard'):
510 node = h.node_get_child(firewall_policy, '%sProfile' % profile)
512 old_value = h.node_get_value(node, 'EnableFirewall')
514 # expecting a little endian dword
515 assert h.value_type(old_value)[1] == 4
516 old_values.append(h.value_dword(old_value))
519 node, {'key': 'EnableFirewall', 't': 4L,
520 'value': struct.pack("<I", new_values.pop(0))})
523 self.g.upload(system, path)
530 def _update_uac_remote_setting(self, value):
531 """Updates the registry key value:
532 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
533 \System]"LocalAccountTokenFilterPolicy"
535 value = 1 will disable the UAC remote restrictions
536 value = 0 will enable the UAC remote restrictions
538 For more info see here: http://support.microsoft.com/kb/951016
541 True if the key is changed
542 False if the key is unchanged
545 if value not in (0, 1):
546 raise ValueError("Valid values for value parameter are 0 and 1")
548 path = self._registry_file_path('SOFTWARE')
549 softwarefd, software = tempfile.mkstemp()
552 self.g.download(path, software)
554 h = hivex.Hivex(software, write=True)
557 for child in ('Microsoft', 'Windows', 'CurrentVersion', 'Policies',
559 key = h.node_get_child(key, child)
562 for val in h.node_values(key):
563 if h.value_key(val) == "LocalAccountTokenFilterPolicy":
566 if policy is not None:
567 dword = h.value_dword(policy)
573 new_value = {'key': "LocalAccountTokenFilterPolicy", 't': 4L,
574 'value': struct.pack("<I", value)}
576 h.node_set_value(key, new_value)
579 self.g.upload(software, path)
586 def _do_collect_metadata(self):
587 """Collect metadata about the OS"""
588 super(Windows, self)._do_collect_metadata()
589 self.meta["USERS"] = " ".join(self._get_users())
591 def _get_users(self):
592 """Returns a list of users found in the images"""
593 path = self._registry_file_path('SAM')
594 samfd, sam = tempfile.mkstemp()
597 self.g.download(path, sam)
602 # Navigate to /SAM/Domains/Account/Users/Names
603 for child in ('SAM', 'Domains', 'Account', 'Users', 'Names'):
604 key = h.node_get_child(key, child)
606 users = [h.node_name(x) for x in h.node_children(key)]
611 # Filter out the guest account
612 return filter(lambda x: x != "Guest", users)
614 def _guest_exec(self, command, fatal=True):
615 """Execute a command on a windows VM"""
617 user = "Administrator%" + self.sysprep_params['password']
619 runas = '--runas=%s' % user
620 winexe = subprocess.Popen(
621 ['winexe', '-U', user, runas, "//%s" % addr, command],
622 stdout=subprocess.PIPE, stderr=subprocess.PIPE)
624 stdout, stderr = winexe.communicate()
627 if rc != 0 and fatal:
628 reason = stderr if len(stderr) else stdout
629 self.out.output("Command: `%s' failed. Reason: %s" %
631 raise FatalError("Command: `%s' failed. Reason: %s" %
634 return (stdout, stderr, rc)
636 # vim: set sta sts=4 shiftwidth=4 sw=4 et ai :