X-Git-Url: https://code.grnet.gr/git/snf-image-creator/blobdiff_plain/74780ad6680f91c36d6ce67de8337b535b56320d..ec8b2a7949b8cdc47b5a9c624dcc6f78aa0e53f3:/image_creator/os_type/windows.py diff --git a/image_creator/os_type/windows.py b/image_creator/os_type/windows.py index 7807bdc..a5ef78a 100644 --- a/image_creator/os_type/windows.py +++ b/image_creator/os_type/windows.py @@ -36,62 +36,240 @@ """This module hosts OS-specific code common for the various Microsoft Windows OSs.""" -from image_creator.os_type import OSBase, sysprep -from image_creator.util import FatalError, check_guestfs_version, get_command +from image_creator.os_type import OSBase, sysprep, add_sysprep_param +from image_creator.util import FatalError, check_guestfs_version, \ + get_kvm_binary +from image_creator.winexe import WinEXE, WinexeTimeout import hivex import tempfile import os +import signal import time import random +import string import subprocess - -kvm = get_command('kvm') +import struct + +# For more info see: http://technet.microsoft.com/en-us/library/jj612867.aspx +KMS_CLIENT_SETUP_KEYS = { + "Windows 8 Professional": "NG4HW-VH26C-733KW-K6F98-J8CK4", + "Windows 8 Professional N": "XCVCF-2NXM9-723PB-MHCB7-2RYQQ", + "Windows 8 Enterprise": "32JNW-9KQ84-P47T8-D8GGY-CWCK7", + "Windows 8 Enterprise N": "JMNMF-RHW7P-DMY6X-RF3DR-X2BQT", + "Windows Server 2012 Core": "BN3D2-R7TKB-3YPBD-8DRP2-27GG4", + "Windows Server 2012 Core N": "8N2M2-HWPGY-7PGT9-HGDD8-GVGGY", + "Windows Server 2012 Core Single Language": + "2WN2H-YGCQR-KFX6K-CD6TF-84YXQ", + "Windows Server 2012 Core Country Specific": + "4K36P-JN4VD-GDC6V-KDT89-DYFKP", + "Windows Server 2012 Server Standard": "XC9B7-NBPP2-83J2H-RHMBY-92BT4", + "Windows Server 2012 Standard Core": "XC9B7-NBPP2-83J2H-RHMBY-92BT4", + "Windows Server 2012 MultiPoint Standard": "HM7DN-YVMH3-46JC3-XYTG7-CYQJJ", + "Windows Server 2012 MultiPoint Premium": "XNH6W-2V9GX-RGJ4K-Y8X6F-QGJ2G", + "Windows Server 2012 Datacenter": "48HP8-DN98B-MYWDG-T2DCC-8W83P", + "Windows Server 2012 Datacenter Core": "48HP8-DN98B-MYWDG-T2DCC-8W83P", + "Windows 7 Professional": "FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4", + "Windows 7 Professional N": "MRPKT-YTG23-K7D7T-X2JMM-QY7MG", + "Windows 7 Professional E": "W82YF-2Q76Y-63HXB-FGJG9-GF7QX", + "Windows 7 Enterprise": "33PXH-7Y6KF-2VJC9-XBBR8-HVTHH", + "Windows 7 Enterprise N": "YDRBP-3D83W-TY26F-D46B2-XCKRJ", + "Windows 7 Enterprise E": "C29WB-22CC8-VJ326-GHFJW-H9DH4", + "Windows Server 2008 R2 Web": "6TPJF-RBVHG-WBW2R-86QPH-6RTM4", + "Windows Server 2008 R2 HPC edition": "TT8MH-CG224-D3D7Q-498W2-9QCTX", + "Windows Server 2008 R2 Standard": "YC6KT-GKW9T-YTKYR-T4X34-R7VHC", + "Windows Server 2008 R2 Enterprise": "489J6-VHDMP-X63PK-3K798-CPX3Y", + "Windows Server 2008 R2 Datacenter": "74YFP-3QFB3-KQT8W-PMXWJ-7M648", + "Windows Server 2008 R2 for Itanium-based Systems": + "GT63C-RJFQ3-4GMB6-BRFB9-CB83V", + "Windows Vista Business": "YFKBB-PQJJV-G996G-VWGXY-2V3X8", + "Windows Vista Business N": "HMBQG-8H2RH-C77VX-27R82-VMQBT", + "Windows Vista Enterprise": "VKK3X-68KWM-X2YGT-QR4M6-4BWMV", + "Windows Vista Enterprise N": "VTC42-BM838-43QHV-84HX6-XJXKV", + "Windows Web Server 2008": "WYR28-R7TFJ-3X2YQ-YCY4H-M249D", + "Windows Server 2008 Standard": "TM24T-X9RMF-VWXK6-X8JC9-BFGM2", + "Windows Server 2008 Standard without Hyper-V": + "W7VD6-7JFBR-RX26B-YKQ3Y-6FFFJ", + "Windows Server 2008 Enterprise": + "YQGMW-MPWTJ-34KDK-48M3W-X4Q6V", + "Windows Server 2008 Enterprise without Hyper-V": + "39BXF-X8Q23-P2WWT-38T2F-G3FPG", + "Windows Server 2008 HPC": "RCTX3-KWVHP-BR6TB-RB6DM-6X7HP", + "Windows Server 2008 Datacenter": "7M67G-PC374-GR742-YH8V4-TCBY3", + "Windows Server 2008 Datacenter without Hyper-V": + "22XQ2-VRXRG-P8D42-K34TD-G3QQC", + "Windows Server 2008 for Itanium-Based Systems": + "4DWFP-JF3DJ-B7DTH-78FJB-PDRHK"} + +_POSINT = lambda x: type(x) == int and x >= 0 class Windows(OSBase): """OS class for Windows""" + @add_sysprep_param( + 'shutdown_timeout', int, 120, "Shutdown Timeout (seconds)", _POSINT) + @add_sysprep_param( + 'boot_timeout', int, 300, "Boot Timeout (seconds)", _POSINT) + @add_sysprep_param( + 'connection_retries', int, 5, "Connection Retries", _POSINT) + @add_sysprep_param('password', str, None, 'Image Administrator Password') + def __init__(self, image, **kargs): + super(Windows, self).__init__(image, **kargs) + + device = self.image.g.part_to_dev(self.root) + + self.last_part_num = self.image.g.part_list(device)[-1]['part_num'] + self.last_drive = None + self.system_drive = None + + for drive, part in self.image.g.inspect_get_drive_mappings(self.root): + if part == "%s%d" % (device, self.last_part_num): + self.last_drive = drive + if part == self.root: + self.system_drive = drive + + assert self.system_drive + + self.product_name = self.image.g.inspect_get_product_name(self.root) + self.syspreped = False + + @sysprep('Disabling IPv6 privacy extensions') + def disable_ipv6_privacy_extensions(self): + """Disable IPv6 privacy extensions""" - def needed_sysprep_params(self): - """Returns a list of needed sysprep parameters. Each element in the - list is a SysprepParam object. - """ + self._guest_exec('netsh interface ipv6 set global ' + 'randomizeidentifiers=disabled store=persistent') - password = self.SysprepParam( - 'password', 'Image Administrator Password', 20, lambda x: True) + @sysprep('Disabling Teredo interface') + def disable_teredo(self): + """Disable Teredo interface""" - return [password] + self._guest_exec('netsh interface teredo set state disabled') - @sysprep(enabled=True) - def disable_ipv6_privacy_extensions(self, print_header=True): - """Disable IPv6 privacy extensions""" + @sysprep('Disabling ISATAP Adapters') + def disable_isatap(self): + """Disable ISATAP Adapters""" - if print_header: - self.out.output("Disabling IPv6 privacy extensions") + self._guest_exec('netsh interface isa set state disabled') - out, err, rc = self._guest_exec( - 'netsh interface ipv6 set global randomizeidentifiers=disabled ' - 'store=persistent') + @sysprep('Enabling ping responses') + def enable_pings(self): + """Enable ping responses""" - if rc != 0: - raise FatalError("Unable to disable IPv6 privacy extensions: %s" % - err) + self._guest_exec('netsh firewall set icmpsetting 8') - @sysprep(enabled=True) - def microsoft_sysprep(self, print_header=True): - """Run the Micorsoft System Preparation Tool on the Image. After this - runs, no other task may run. - """ + @sysprep('Disabling hibernation support') + def disable_hibernation(self): + """Disable hibernation support and remove the hibernation file""" + + self._guest_exec(r'powercfg.exe /hibernate off') + + @sysprep('Setting the system clock to UTC') + def utc(self): + """Set the hardware clock to UTC""" + + path = r'HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' + self._guest_exec( + r'REG ADD %s /v RealTimeIsUniversal /t REG_DWORD /d 1 /f' % path) - if print_header: - self.out.output("Executing sysprep on the image (may take more " - "than 10 minutes)") + @sysprep('Clearing the event logs') + def clear_logs(self): + """Clear all the event logs""" - out, err, rc = self._guest_exec(r'C:\windows\system32\sysprep\sysprep ' - r'/quiet /generalize /oobe /shutdown') + self._guest_exec( + r"cmd /q /c for /f %l in ('wevtutil el') do wevtutil cl %l") + + @sysprep('Executing Sysprep on the image (may take more that 10 minutes)') + def microsoft_sysprep(self): + """Run the Microsoft System Preparation Tool. This will remove + system-specific data and will make the image ready to be deployed. + After this no other task may run. + """ + + self._guest_exec(r'C:\Windows\system32\sysprep\sysprep ' + r'/quiet /generalize /oobe /shutdown') self.syspreped = True - if rc != 0: - raise FatalError("Unable to perform sysprep: %s" % err) + + @sysprep('Converting the image into a KMS client', enabled=False) + def kms_client_setup(self): + """Install the appropriate KMS client setup key to the image to convert + it to a KMS client. Computers that are running volume licensing + editions of Windows 8, Windows Server 2012, Windows 7, Windows Server + 2008 R2, Windows Vista, and Windows Server 2008 are, by default, KMS + clients with no additional configuration needed. + """ + try: + setup_key = KMS_CLIENT_SETUP_KEYS[self.product_name] + except KeyError: + self.out.warn( + "Don't know the KMS client setup key for product: `%s'" % + self.product_name) + return + + self._guest_exec( + r"cscript \Windows\system32\slmgr.vbs /ipk %s" % setup_key) + + @sysprep('Shrinking the last filesystem') + def shrink(self): + """Shrink the last filesystem. Make sure the filesystem is defragged""" + + # Query for the maximum number of reclaimable bytes + cmd = ( + r'cmd /Q /V:ON /C "SET SCRIPT=%TEMP%\QUERYMAX_%RANDOM%.TXT & ' + + r'ECHO SELECT DISK 0 > %SCRIPT% & ' + + 'ECHO SELECT PARTITION %d >> %%SCRIPT%% & ' % self.last_part_num + + r'ECHO SHRINK QUERYMAX >> %SCRIPT% & ' + + r'ECHO EXIT >> %SCRIPT% & ' + + r'DISKPART /S %SCRIPT% & ' + + r'IF NOT !ERRORLEVEL! EQU 0 EXIT /B 1 & ' + + r'DEL /Q %SCRIPT%"') + + stdout, stderr, rc = self._guest_exec(cmd) + + querymax = None + for line in stdout.splitlines(): + # diskpart will return something like this: + # + # The maximum number of reclaimable bytes is: xxxx MB + # + if line.find('reclaimable') >= 0: + querymax = line.split(':')[1].split()[0].strip() + assert querymax.isdigit(), \ + "Number of reclaimable bytes not a number" + + if querymax is None: + FatalError("Error in shrinking! " + "Couldn't find the max number of reclaimable bytes!") + + querymax = int(querymax) + # From ntfsresize: + # Practically the smallest shrunken size generally is at around + # "used space" + (20-200 MB). Please also take into account that + # Windows might need about 50-100 MB free space left to boot safely. + # I'll give 100MB extra space just to be sure + querymax -= 100 + + if querymax < 0: + self.out.warn("Not enought available space to shrink the image!") + return + + self.out.output("\tReclaiming %dMB ..." % querymax) + + cmd = ( + r'cmd /Q /V:ON /C "SET SCRIPT=%TEMP%\QUERYMAX_%RANDOM%.TXT & ' + + r'ECHO SELECT DISK 0 > %SCRIPT% & ' + + 'ECHO SELECT PARTITION %d >> %%SCRIPT%% & ' % self.last_part_num + + 'ECHO SHRINK DESIRED=%d >> %%SCRIPT%% & ' % querymax + + r'ECHO EXIT >> %SCRIPT% & ' + + r'DISKPART /S %SCRIPT% & ' + + r'IF NOT !ERRORLEVEL! EQU 0 EXIT /B 1 & ' + + r'DEL /Q %SCRIPT%"') + + stdout, stderr, rc = self._guest_exec(cmd) + + for line in stdout.splitlines(): + if line.find('shrunk') >= 0: + self.out.output(line) def do_sysprep(self): """Prepare system for image creation.""" @@ -100,57 +278,73 @@ class Windows(OSBase): raise FatalError("Image is already syspreped!") txt = "System preparation parameter: `%s' is needed but missing!" - for param in self.needed_sysprep_params(): - if param[0] not in self.sysprep_params: - raise FatalError(txt % param[0]) + for name, param in self.needed_sysprep_params.items(): + if name not in self.sysprep_params: + raise FatalError(txt % name) self.mount(readonly=False) try: disabled_uac = self._update_uac_remote_setting(1) + token = self._enable_os_monitor() + + # disable the firewalls + firewall_states = self._update_firewalls(0, 0, 0) + + # Delete the pagefile. It will be recreated when the system boots + systemroot = self.image.g.inspect_get_windows_systemroot(self.root) + try: + pagefile = "%s/pagefile.sys" % systemroot + self.image.g.rm_rf(self.image.g.case_sensitive_path(pagefile)) + except RuntimeError: + pass + finally: self.umount() - self.out.output("Shutting down helper VM ...", False) - self.g.sync() - # guestfs_shutdown which is the prefered way to shutdown the backend - # process was introduced in version 1.19.16 - if check_guestfs_version(self.g, 1, 19, 16) >= 0: - ret = self.g.shutdown() - else: - ret = self.g.kill_subprocess() + self.image.disable_guestfs() - self.out.success('done') + vm = None + monitor = None try: self.out.output("Starting windows VM ...", False) + monitorfd, monitor = tempfile.mkstemp() + os.close(monitorfd) + vm = _VM(self.image.device, monitor, self.sysprep_params) + self.out.success("started (console on vnc display: %d)." % + vm.display) + + self.out.output("Waiting for OS to boot ...", False) + self._wait_vm_boot(vm, monitor, token) + self.out.success('done') - def random_mac(): - mac = [0x00, 0x16, 0x3e, - random.randint(0x00, 0x7f), - random.randint(0x00, 0xff), - random.randint(0x00, 0xff)] - return ':'.join(map(lambda x: "%02x" % x, mac)) - - vm = kvm('-smp', '1', '-m', '1024', '-drive', - 'file=%s,format=raw,cache=none,if=virtio' % - self.image.device, - '-netdev', 'type=user,hostfwd=tcp::445-:445,id=netdev0', - '-device', 'virtio-net-pci,mac=%s,netdev=netdev0' % - random_mac(), '-vnc', ':0', _bg=True) - time.sleep(60) + self.out.output("Checking connectivity to the VM ...", False) + self._check_connectivity() self.out.success('done') - tasks = self.list_syspreps() - enabled = filter(lambda x: x.enabled, tasks) + self.out.output("Disabling automatic logon ...", False) + self._disable_autologon() + self.out.success('done') + + self.out.output('Preparing system for image creation:') + tasks = self.list_syspreps() + enabled = [task for task in tasks if task.enabled] size = len(enabled) + # Make sure shrink runs in the end, before ms sysprep + enabled = [task for task in enabled if + self.sysprep_info(task).name != 'shrink'] + + if len(enabled) != size: + enabled.append(self.shrink) + # Make sure the ms sysprep is the last task to run if it is enabled - enabled = filter( - lambda x: x.im_func.func_name != 'microsoft_sysprep', enabled) + enabled = [task for task in enabled if + self.sysprep_info(task).name != 'microsoft-sysprep'] ms_sysprep_enabled = False if len(enabled) != size: - enabled.append(self.ms_sysprep) + enabled.append(self.microsoft_sysprep) ms_sysprep_enabled = True cnt = 0 @@ -160,45 +354,216 @@ class Windows(OSBase): task() setattr(task.im_func, 'executed', True) + self.out.output("Sending shut down command ...", False) if not ms_sysprep_enabled: self._shutdown() + self.out.success("done") - vm.wait() + self.out.output("Waiting for windows to shut down ...", False) + vm.wait(self.sysprep_params['shutdown_timeout']) + self.out.success("done") finally: - if vm.process.alive: - vm.terminate() - - self.out.output("Relaunching helper VM (may take a while) ...", - False) - self.g.launch() - self.out.success('done') - - if disabled_uac: - self._update_uac_remote_setting(0) + if monitor is not None: + os.unlink(monitor) + + try: + if vm is not None: + self.out.output("Destroying windows VM ...", False) + vm.destroy() + self.out.success("done") + finally: + self.image.enable_guestfs() + + self.mount(readonly=False) + try: + if disabled_uac: + self._update_uac_remote_setting(0) + + self._update_firewalls(*firewall_states) + finally: + self.umount() def _shutdown(self): """Shuts down the windows VM""" + self._guest_exec(r'shutdown /s /t 5') + + def _wait_vm_boot(self, vm, fname, msg): + """Wait until a message appears on a file or the vm process dies""" - self.out.output("Shutting down windows VM ...", False) - out, err, rc = self._guest_exec(r'shutdown /s /t 5') + for _ in range(self.sysprep_params['boot_timeout']): + time.sleep(1) + with open(fname) as f: + for line in f: + if line.startswith(msg): + return True + if not vm.isalive(): + raise FatalError("Windows VM died unexpectedly!") - if rc != 0: - raise FatalError("Unable to perform shutdown: %s" % err) + raise FatalError("Windows VM booting timed out!") - self.out.success('done') + def _disable_autologon(self): + """Disable automatic logon on the windows image""" + + winlogon = \ + r'"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"' + + self._guest_exec('REG DELETE %s /v DefaultUserName /f' % winlogon) + self._guest_exec('REG DELETE %s /v DefaultPassword /f' % winlogon) + self._guest_exec('REG DELETE %s /v AutoAdminLogon /f' % winlogon) def _registry_file_path(self, regfile): """Retrieves the case sensitive path to a registry file""" - systemroot = self.g.inspect_get_windows_systemroot(self.root) + systemroot = self.image.g.inspect_get_windows_systemroot(self.root) path = "%s/system32/config/%s" % (systemroot, regfile) try: - path = self.g.case_sensitive_path(path) - except RuntimeError as e: + path = self.image.g.case_sensitive_path(path) + except RuntimeError as error: raise FatalError("Unable to retrieve registry file: %s. Reason: %s" - % (regfile, str(e))) + % (regfile, str(error))) return path + def _enable_os_monitor(self): + """Add a script in the registry that will send a random string to the + first serial port when the windows image finishes booting. + """ + + token = "".join(random.choice(string.ascii_letters) for x in range(16)) + + path = self._registry_file_path('SOFTWARE') + softwarefd, software = tempfile.mkstemp() + try: + os.close(softwarefd) + self.image.g.download(path, software) + + h = hivex.Hivex(software, write=True) + + # Enable automatic logon. + # This is needed because we need to execute a script that we add in + # the RunOnce registry entry and those programs only get executed + # when a user logs on. There is a RunServicesOnce registry entry + # whose keys get executed in the background when the logon dialog + # box first appears, but they seem to only work with services and + # not arbitrary command line expressions :-( + # + # Instructions on how to turn on automatic logon in Windows can be + # found here: http://support.microsoft.com/kb/324737 + # + # Warning: Registry change will not work if the “Logon Banner” is + # defined on the server either by a Group Policy object (GPO) or by + # a local policy. + + winlogon = h.root() + for child in ('Microsoft', 'Windows NT', 'CurrentVersion', + 'Winlogon'): + winlogon = h.node_get_child(winlogon, child) + + h.node_set_value( + winlogon, + {'key': 'DefaultUserName', 't': 1, + 'value': "Administrator".encode('utf-16le')}) + h.node_set_value( + winlogon, + {'key': 'DefaultPassword', 't': 1, + 'value': self.sysprep_params['password'].encode('utf-16le')}) + h.node_set_value( + winlogon, + {'key': 'AutoAdminLogon', 't': 1, + 'value': "1".encode('utf-16le')}) + + key = h.root() + for child in ('Microsoft', 'Windows', 'CurrentVersion'): + key = h.node_get_child(key, child) + + runonce = h.node_get_child(key, "RunOnce") + if runonce is None: + runonce = h.node_add_child(key, "RunOnce") + + value = ( + r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ' + r'-ExecutionPolicy RemoteSigned ' + r'"&{$port=new-Object System.IO.Ports.SerialPort COM1,9600,' + r'None,8,one;$port.open();$port.WriteLine(\"' + token + r'\");' + r'$port.Close()}"').encode('utf-16le') + + h.node_set_value(runonce, + {'key': "BootMonitor", 't': 1, 'value': value}) + + value = ( + r'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion' + r'\policies\system /v LocalAccountTokenFilterPolicy' + r' /t REG_DWORD /d 1 /f').encode('utf-16le') + + h.node_set_value(runonce, + {'key': "UpdateRegistry", 't': 1, 'value': value}) + + h.commit(None) + + self.image.g.upload(software, path) + finally: + os.unlink(software) + + return token + + def _update_firewalls(self, domain, public, standard): + """Enables or disables the firewall for the Domain, the Public and the + Standard profile. Returns a triplete with the old values. + + 1 will enable a firewall and 0 will disable it + """ + + if domain not in (0, 1): + raise ValueError("Valid values for domain parameter are 0 and 1") + + if public not in (0, 1): + raise ValueError("Valid values for public parameter are 0 and 1") + + if standard not in (0, 1): + raise ValueError("Valid values for standard parameter are 0 and 1") + + path = self._registry_file_path("SYSTEM") + systemfd, system = tempfile.mkstemp() + try: + os.close(systemfd) + self.image.g.download(path, system) + + h = hivex.Hivex(system, write=True) + + select = h.node_get_child(h.root(), 'Select') + current_value = h.node_get_value(select, 'Current') + + # expecting a little endian dword + assert h.value_type(current_value)[1] == 4 + current = "%03d" % h.value_dword(current_value) + + firewall_policy = h.root() + for child in ('ControlSet%s' % current, 'services', 'SharedAccess', + 'Parameters', 'FirewallPolicy'): + firewall_policy = h.node_get_child(firewall_policy, child) + + old_values = [] + new_values = [domain, public, standard] + for profile in ('Domain', 'Public', 'Standard'): + node = h.node_get_child(firewall_policy, '%sProfile' % profile) + + old_value = h.node_get_value(node, 'EnableFirewall') + + # expecting a little endian dword + assert h.value_type(old_value)[1] == 4 + old_values.append(h.value_dword(old_value)) + + h.node_set_value( + node, {'key': 'EnableFirewall', 't': 4L, + 'value': struct.pack("