windows.rst 8.2 KB
===========================
Spinning up Windows Minions
===========================

It is possible to use Salt Cloud to spin up Windows instances, and then install
Salt on them. This functionality is available on all cloud providers that are
supported by Salt Cloud. However, it may not necessarily be available on all
Windows images.

Requirements
============

.. note::
    Support for ``winexe`` and ``impacket`` has been deprecated and will be
    removed in 3001. These dependencies are replaced by ``pypsexec`` and
    ``smbprotocol`` respectively. These are pure Python alternatives that are
    compatible with all supported Python versions.

Salt Cloud makes use of `impacket` and `winexe` to set up the Windows Salt
Minion installer.

`impacket` is usually available as either the `impacket` or the
`python-impacket` package, depending on the distribution. More information on
`impacket` can be found at the project home:

* `impacket project home`__

.. __: https://github.com/SecureAuthCorp/impacket

`winexe` is less commonly available in distribution-specific repositories.
However, it is currently being built for various distributions in 3rd party
channels:

* `RPMs at pbone.net`__

.. __: http://rpm.pbone.net/index.php3?stat=3&search=winexe

* `openSUSE Build Service`__

.. __: https://software.opensuse.org/package/winexe

The pure Python replacements for these two dependencies, `pypsexec` and
`smbprotocol`, are available from their project homes:

* `pypsexec project home`__

.. __: https://github.com/jborean93/pypsexec

* `smbprotocol project home`__

.. __: https://github.com/jborean93/smbprotocol

Optionally WinRM can be used instead of `winexe` if the Python module `pywinrm`
is available and WinRM is supported on the target Windows version. Information
on pywinrm can be found at the project home:

* `pywinrm project home`__

.. __: https://github.com/diyan/pywinrm

Additionally, a copy of the Salt Minion Windows installer must be present on
the system on which Salt Cloud is running. This installer may be downloaded
from saltstack.com; verify the download against the hash published alongside
it before pointing ``win_installer`` at it, since Salt Cloud will copy and run
this binary as Administrator on every Windows instance it creates:

* `SaltStack Download Area`__

.. __: https://repo.saltstack.com/windows/

.. _new-pywinrm:

Self Signed Certificates with WinRM
===================================

Salt-Cloud can use versions of ``pywinrm<=0.1.1`` or ``pywinrm>=0.2.1``.
For versions `0.2.1` and newer, ``winrm_verify_ssl`` needs to be set to
`False` if the certificate is self signed and not verifiable. Disabling
verification keeps the WinRM traffic encrypted but removes the only check that
Salt Cloud is talking to the intended host, so the Administrator credentials
sent with basic authentication could be captured by anyone able to interpose
on the path to the WinRM HTTPS port. Use it only on a network path you
control, and prefer a certificate the Salt Cloud host can verify where the
image allows it.

Firewall Settings
=================

Because Salt Cloud makes use of `smbclient` and `winexe`, port 445 must be open
on the target image. This port is not generally open by default on a standard
Windows distribution, and care must be taken to use an image in which this port
is open, or the Windows firewall is disabled. Port 445 carries SMB, so the rule
should be limited to the address of the machine running Salt Cloud (through the
firewall rule's remote address scope, the cloud provider's security group, or
both) rather than exposed to every network the instance is reachable from.

If supported by the cloud provider, a PowerShell script may be used to open up
this port automatically, using the cloud provider's `userdata`. The following
script would open up port 445, and apply the changes:

.. code-block:: text

    <powershell>
    New-NetFirewallRule -Name "SMB445" -DisplayName "SMB445" -Protocol TCP -LocalPort 445
    Set-Item (dir wsman:\localhost\Listener\*\Port -Recurse).pspath 445 -Force
    Restart-Service winrm
    </powershell>

For EC2, this script may be saved as a file, and specified in the provider or
profile configuration as `userdata_file`. For instance:

.. code-block:: yaml

    my-ec2-config:
      # Pass userdata to the instance to be created
      userdata_file: /etc/salt/windows-firewall.ps1

.. note::
    In versions 2016.11.0 through 2016.11.3, this file was passed through the
    master's :conf_master:`renderer` to template it. However, this caused
    issues with non-YAML data, so templating is no longer performed by default.

    To template the userdata_file, add a ``userdata_template`` option to the
    cloud profile:

    .. code-block:: yaml

        my-ec2-config:
          # Pass userdata to the instance to be created
          userdata_file: /etc/salt/windows-firewall.ps1
          userdata_template: jinja

    If no ``userdata_template`` is set in the cloud profile, then the master
    configuration will be checked for a :conf_master:`userdata_template` value.
    If this is not set, then no templating will be performed on the
    userdata_file.

    To disable templating in a cloud profile when a
    :conf_master:`userdata_template` has been set in the master configuration
    file, simply set ``userdata_template`` to ``False`` in the cloud profile:

    .. code-block:: yaml

        my-ec2-config:
          # Pass userdata to the instance to be created
          userdata_file: /etc/salt/windows-firewall.ps1
          userdata_template: False

If you are using WinRM on EC2, the HTTPS port for the WinRM service must also be
enabled in your userdata. By default EC2 Windows images only have the insecure
HTTP listener enabled. Basic authentication, which pywinrm requires, transmits
the credentials with nothing more than base64 encoding, so it must only ever be
offered on the HTTPS listener. To enable HTTPS and basic authentication,
consider the following userdata example:

.. code-block:: text

    <powershell>
    New-NetFirewallRule -Name "SMB445" -DisplayName "SMB445" -Protocol TCP -LocalPort 445
    New-NetFirewallRule -Name "WINRM5986" -DisplayName "WINRM5986" -Protocol TCP -LocalPort 5986
    winrm quickconfig -q
    winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="300"}'
    winrm set winrm/config '@{MaxTimeoutms="1800000"}'
    winrm set winrm/config/service/auth '@{Basic="true"}'
    # Copy the self-signed certificate Windows generated for Remote Desktop into
    # the machine's personal ("My") store, where WinRM looks for listener certificates.
    $SourceStoreScope = 'LocalMachine'
    $SourceStorename = 'Remote Desktop'
    $SourceStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $SourceStorename, $SourceStoreScope
    $SourceStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    # Take a single certificate; the Remote Desktop store normally holds exactly one.
    $cert = $SourceStore.Certificates | Where-Object -FilterScript {
        $_.subject -like '*'
    } | Select-Object -First 1
    $DestStoreScope = 'LocalMachine'
    $DestStoreName = 'My'
    $DestStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $DestStoreName, $DestStoreScope
    $DestStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $DestStore.Add($cert)
    $SourceStore.Close()
    $DestStore.Close()
    # Bind the HTTPS listener to the copied certificate, identified by its thumbprint.
    winrm create winrm/config/listener?Address=*+Transport=HTTPS "@{CertificateThumbprint=`"$($cert.Thumbprint)`"}"
    Restart-Service winrm
    </powershell>

On a default EC2 Windows image the machine's personal certificate store holds
no certificate that WinRM could bind to an HTTPS listener, so the script above
reuses the self-signed certificate Windows creates for Remote Desktop, copying
it from the ``Remote Desktop`` store into the ``My`` store. Because that
certificate is self signed, ``winrm_verify_ssl`` must be set to ``False`` on
the Salt Cloud side (see the Self Signed Certificates with WinRM section
above); an image that ships with, or can issue, a certificate the Salt Cloud
host can verify avoids that trade-off.
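The following userdata script is an added example, not code from the Salt documentation or the Salt project. It does the same job as the script above but applies the checks a practitioner would want: both firewall rules are limited to the address of the Salt Cloud host, the HTTPS listener gets a fresh self-signed certificate from ``New-SelfSignedCertificate`` (available on Windows Server 2012 and later) instead of a copy of the RDP certificate, and the plain HTTP listener that ``winrm quickconfig`` creates is removed once HTTPS is up so basic authentication is never offered unencrypted. The address ``203.0.113.10`` and the rule names are assumptions for illustration; replace the address with the IP, or a CIDR range, of the machine running Salt Cloud.

```powershell
<powershell>
# Added example (not Salt's own code). Assumed: the Salt Cloud host is 203.0.113.10;
# change this to the real address or CIDR range before use.
$SaltCloudHost = "203.0.113.10"

# Allow SMB (445) and WinRM over HTTPS (5986) inbound only from the Salt Cloud host.
# Direction, action and profile are stated explicitly instead of relying on defaults.
New-NetFirewallRule -Name "SMB445-SaltCloud" -DisplayName "SMB 445 from Salt Cloud" `
    -Direction Inbound -Action Allow -Profile Any -Protocol TCP -LocalPort 445 `
    -RemoteAddress $SaltCloudHost
New-NetFirewallRule -Name "WINRM5986-SaltCloud" -DisplayName "WinRM HTTPS from Salt Cloud" `
    -Direction Inbound -Action Allow -Profile Any -Protocol TCP -LocalPort 5986 `
    -RemoteAddress $SaltCloudHost

# Enable the WinRM service. quickconfig also creates an HTTP listener on 5985 and
# enables the built-in "Windows Remote Management" firewall rules; both are undone below.
winrm quickconfig -q
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="300"}'
winrm set winrm/config '@{MaxTimeoutms="1800000"}'

# Issue a self-signed certificate for this host straight into LocalMachine\My,
# the store WinRM reads listener certificates from.
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My

# Create the HTTPS listener bound to that certificate. Hostname must match the
# certificate's subject, which New-SelfSignedCertificate set to the computer name.
winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname=`"$env:COMPUTERNAME`";CertificateThumbprint=`"$($cert.Thumbprint)`"}"

# pywinrm authenticates with Basic. Allow it, refuse any unencrypted transport,
# then remove the HTTP listener and disable the broad rules quickconfig enabled.
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="false"}'
winrm delete winrm/config/Listener?Address=*+Transport=HTTP
Get-NetFirewallRule -DisplayGroup "Windows Remote Management" -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

Restart-Service WinRM
</powershell>
```

The certificate is still self signed, so the matching Salt Cloud profile needs ``use_winrm: True``, ``winrm_port: 5986`` and ``winrm_verify_ssl: False``; what this variant buys is that the credentials can only ever travel over TLS and only the Salt Cloud host can reach the two ports at all, so a security group mistake no longer exposes SMB or WinRM to the whole network. Userdata is readable from the instance metadata service, which is why the script contains no secrets.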
Configuration
=============

Configuration is set as usual, with some extra configuration settings. The
location of the Windows installer on the machine that Salt Cloud is running on
must be specified. This may be done in any of the regular configuration files
(main, providers, profiles, maps). For example:

Setting the installer in ``/etc/salt/cloud.providers``:

.. code-block:: yaml

    my-softlayer:
      driver: softlayer
      user: MYUSER1138
      apikey: 'e3b68aa711e6deadc62d5b76355674beef7cc3116062ddbacafe5f7e465bfdc9'
      minion:
        master: saltmaster.example.com
      win_installer: /root/Salt-Minion-2014.7.0-AMD64-Setup.exe
      win_username: Administrator
      win_password: letmein
      smb_port: 445

The default Windows user is `Administrator`, and the default Windows password
is blank. Note that ``win_password`` and the provider API key are stored in
plain text in this file, so it should be readable only by the user Salt Cloud
runs as.

If WinRM is to be used, ``use_winrm`` needs to be set to `True`. ``winrm_port``
can be used to specify a custom port (it must be an HTTPS listener), and
``winrm_verify_ssl`` can be set to `False` to accept a self signed certificate.

Auto-Generated Passwords on EC2
===============================

On EC2, when the `win_password` is set to `auto`, Salt Cloud will query EC2 for
an auto-generated password. This password is expected to take at least 4 minutes
to generate, adding additional time to the deploy process.

When the EC2 API is queried for the auto-generated password, it will be returned
in a message encrypted with the public key of the EC2 key pair specified by
`keyname`. Decrypting it requires that the corresponding `private_key` file is
also specified, and that file should be protected as carefully as the
Administrator password it unlocks. Such a profile configuration might look
like:

.. code-block:: yaml

    windows-server-2012:
      provider: my-ec2-config
      image: ami-c49c0dac
      size: m1.small
      securitygroup: windows
      keyname: mykey
      private_key: /root/mykey.pem
      userdata_file: /etc/salt/windows-firewall.ps1
      win_installer: /root/Salt-Minion-2014.7.0-AMD64-Setup.exe
      win_username: Administrator
      win_password: auto