Manually set up all required for remote management. Use in-built FW rules

Use of 'winrm quickconfig' can sometimes cause the Packer build to fail
shortly after the WinRM connection is established.

* When executed, the 'winrm quickconfig -q' command configures the
  firewall to allow management messages to be sent over HTTP (port 5985)
* This undoes the previous command in the script that configured the
  firewall to prevent this access.
* The upshot is that the system is configured and ready to accept WinRM
  connections earlier than intended.
* If Packer establishes its WinRM connection immediately after execution
  of the 'winrm quickconfig -q' command, the later commands within the
  script that restart the WinRM service cause the established
  connection, and consequently the overall build, to fail.
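A check that makes this failure mode visible, added here as an example and not part of the commit or of Packer: it verifies that the built-in firewall rule the patch relies on is actually enabled and blocking before the bootstrap continues (the rule name comes from the patch; the function name is mine).

```powershell
# Added example, not part of the commit or of Packer: fail the bootstrap
# early if WinRM is not actually blocked. The commit's `netsh ... set rule`
# line creates nothing and does not stop the script when no rule matches,
# so the block it relies on is verified here instead of assumed.
$RuleName = 'Windows Remote Management (HTTP-In)'   # name used in the patch

function Test-WinRMBlocked {
    param([string]$DisplayName = $RuleName)

    # Windows ships one rule with this display name per profile group; every
    # copy must be enabled and set to Block, or a connection can get through.
    $rules = @(Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) {
        Write-Warning "No firewall rule named '$DisplayName' exists; WinRM is not blocked."
        return $false
    }
    foreach ($rule in $rules) {
        if ("$($rule.Enabled)" -ne 'True' -or "$($rule.Action)" -ne 'Block') {
            Write-Warning ("Rule '{0}' ({1}) is Enabled={2}, Action={3}" -f `
                $rule.DisplayName, $rule.Profile, $rule.Enabled, $rule.Action)
            return $false
        }
    }
    return $true
}

# Applying the block with the cmdlet instead of netsh makes a missing rule a
# hard error (-ErrorAction Stop) rather than a silently skipped step.
Set-NetFirewallRule -DisplayName $RuleName -Enabled True -Action Block -ErrorAction Stop

if (-not (Test-WinRMBlocked)) {
    throw 'WinRM reachable before the image is ready; aborting bootstrap.'
}
```

Run it in place of the patch's `netsh advfirewall firewall set rule ... action=block` line, before the listeners are deleted and recreated.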
DanHam 2017-10-13 21:07:33 +01:00
parent e4985ae6f6
commit dc45bd381c
1 changed files with 20 additions and 13 deletions


@ -334,19 +334,22 @@ example of that file.
```powershell ```powershell
<powershell> <powershell>
# set administrator password # Set administrator password
net user Administrator SuperS3cr3t! net user Administrator SuperS3cr3t!
wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE
# First, make sure WinRM doesn't run and can't be connected to # Turn off PowerShell execution policy restrictions
netsh advfirewall firewall add rule name="WinRM" protocol=TCP dir=in localport=5985 action=block
net stop winrm
# turn off PowerShell execution policy restrictions
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope LocalMachine Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope LocalMachine
# configure WinRM # First, make sure WinRM can't be connected to
winrm quickconfig -q netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=block
# Delete any existing WinRM listeners
winrm delete winrm/config/listener?Address=*+Transport=HTTP 2>$Null
winrm delete winrm/config/listener?Address=*+Transport=HTTPS 2>$Null
# Create a new WinRM listener and configure
winrm create winrm/config/listener?Address=*+Transport=HTTP
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="0"}' winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="0"}'
winrm set winrm/config '@{MaxTimeoutms="7200000"}' winrm set winrm/config '@{MaxTimeoutms="7200000"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}' winrm set winrm/config/service '@{AllowUnencrypted="true"}'
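Review bot: the new `netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=block` line only works if a built-in rule with exactly that display name exists; unlike the removed `add rule name="WinRM" ... action=block`, it creates nothing, and when no rule matches netsh just reports that and the script carries on with WinRM unblocked, which reopens the race this commit is meant to close. Either check the netsh result after that call, or use `Set-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)" -Enabled True -Action Block -ErrorAction Stop`, which fails loudly, or keep the explicit block rule as a fallback. Smaller point: the `2>$Null` on both `winrm delete` lines hides every error, not only "listener not found", so a comment saying that is intentional would help.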
@ -354,12 +357,16 @@ winrm set winrm/config/service '@{MaxConcurrentOperationsPerUser="12000"}'
winrm set winrm/config/service/auth '@{Basic="true"}' winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}' winrm set winrm/config/client/auth '@{Basic="true"}'
net stop winrm # Configure UAC to allow privilege elevation in remote shells
set-service winrm -startupType automatic $Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Setting = 'LocalAccountTokenFilterPolicy'
Set-ItemProperty -Path $Key -Name $Setting -Value 1 -Force
# Finally, allow WinRM connections and start the service # Configure and restart the WinRM Service; Enable the required firewall exception
netsh advfirewall firewall set rule name="WinRM" new action=allow Stop-Service -Name WinRM
net start winrm Set-Service -Name WinRM -StartupType Automatic
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new action=allow localip=any remoteip=any
Start-Service -Name WinRM
</powershell> </powershell>
``` ```
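Review bot: `Set-ItemProperty -Path $Key -Name $Setting -Value 1 -Force` with `LocalAccountTokenFilterPolicy` disables UAC remote token filtering for every local administrator account, not just for the Packer session, and it persists in the resulting image; neither the commit message nor the surrounding text mentions this. Document it here and in the commit message, and consider resetting it (along with `AllowUnencrypted="true"` and `Basic="true"` from the unchanged context above) in a final provisioner step if the produced images are not meant to keep an unencrypted, Basic-auth WinRM endpoint. Also, the new allow line sets `remoteip=any`; where builds only ever connect from the Packer host, narrowing that to its address would limit who can reach the HTTP listener while the build runs.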