At my office, I set up physical servers (mainly Windows) that arrive boxed from the vendor and then deliver them to our customers. When a large number of servers has to be set up one at a time by hand, it takes a lot of man-hours, and there were many problems such as human error and settings being missed because hand-over between workers was incomplete.
The items that are mainly set up are as follows.
■ Advance preparation and delivery confirmation
・ Parameter sheet confirmation / update
・ Delivery
・ Cable connection
・ UPS
・ Initial setting
- BIOS language setting
・ RAID setting
・ OS installation
・ Check equipment maintenance information
■ Windows settings
・ IE security enhancement setting
・ Permission for remote desktop
・ Windows Update
・ Password never expires
- Disable password complexity
- Change Windows Firewall settings
- Change the file explorer display
・ Check MAC address
・ IPv6 disabled
・ IPv4 setting
- User UAC disabled
・ Change the drive name
・ Disk configuration change
・ Shortcut creation (network / PC)
・ Acquisition of work log
・ Application installation
That is a lot, and on top of this come the environment-dependent settings (host name, IP address, etc.), so the number of setting items is even larger. I felt it would be bad to leave things this way, so I decided to try automated construction with Ansible, which I had been interested in for a long time. For the time being, after starting up the physical machine, I will try to build with Ansible the part that excludes customer-environment-dependent settings such as the host name.
・ Improvement of work quality
・ Reduction of work man-hours
→ Realized by automated construction with Ansible
・ Infrastructure as code
→ If you use Ansible you will want to keep the PlayBook under version control, but since git and similar tools are not widespread in the company, I would like to introduce that eventually.
For understanding Ansible and building the execution environment, I referred to the following articles.
In my case, I created an Ansible execution environment with VirtualBox + CentOS on the terminal I usually use for business.
Also, because Ansible configures the Windows server remotely, a function called WinRM has to be enabled on the Windows server side. I created the following PowerShell script and enabled WinRM by right-clicking it and choosing "Run with PowerShell".
ansiwin.ps1
# Download the WinRM setup script published by the Ansible project
Invoke-WebRequest -Uri https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 -OutFile ConfigureRemotingForAnsible.ps1
# Switch the Internet-facing connection to the Private profile; PowerShell remoting refuses to enable itself on a Public profile
Set-NetConnectionProfile -InterfaceAlias (Get-NetConnectionProfile -IPv4Connectivity Internet).InterfaceAlias -NetworkCategory Private
Get-NetConnectionProfile -IPv4Connectivity Internet
# Run the setup script; it creates an HTTPS listener (port 5986) with a self-signed certificate and the matching firewall rule
powershell -ExecutionPolicy RemoteSigned .\ConfigureRemotingForAnsible.ps1
# Show the ports on which WinRM listeners are now open
Get-Item WSMan:\localhost\Listener\*\Port
This completes the preparations.
PlayBook
I placed the PlayBook in the following directory on the Ansible server.
/etc/ansible
├─hosts
├─windows_setup.yml
└─ansible.cfg
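The hosts file in the tree above is not shown in the post. Below is an added example of that inventory in Ansible's YAML inventory form; it is not the author's file. The address 172.19.1.1 is the one that appears in the PLAY RECAP later on this page, while the group name windows, the user name and the vault variable are assumptions. The connection settings match what ConfigureRemotingForAnsible.ps1 sets up: an HTTPS listener on 5986 with a self-signed certificate.

```yaml
# hosts  (constructed example inventory; not the author's file)
all:
  children:
    windows:
      hosts:
        172.19.1.1:          # address taken from the PLAY RECAP on this page
      vars:
        ansible_user: Administrator                        # assumption: local admin used during setup
        ansible_password: "{{ vault_windows_password }}"   # assumption: kept in an ansible-vault file, never in the inventory
        ansible_connection: winrm
        ansible_port: 5986                                 # HTTPS listener created by ConfigureRemotingForAnsible.ps1
        ansible_winrm_transport: ntlm                      # the server is not domain-joined at this stage, so no Kerberos
        # The listener carries a self-signed certificate, so the control node cannot validate it.
        # 'ignore' is acceptable only on the isolated build network. Once a certificate from a
        # CA you trust is installed on the listener, switch this to 'validate' and point
        # ansible_winrm_ca_trust_path at the CA bundle so the server is authenticated too.
        ansible_winrm_server_cert_validation: ignore
```

vault_windows_password would live in an encrypted file such as group_vars/windows/vault.yml created with `ansible-vault create`, and the run then needs `--ask-vault-pass` (or a vault password file). Keeping the credential out of the plain inventory matters here because the same Administrator password is typed into every server that leaves the office.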
The PlayBook to run is shown below. The following article is helpful for the notation used in the PlayBook.
What is YAML? --The identity of the guy who always appears in the Rails configuration file
windows_setup.yml
## playbook
## Create the C:\work\ansible folder on the server,
## copy the batch file there and execute it
- hosts: windows
  tasks:
    # Working folder on the target
    - win_file:
        path: C:\work
        state: directory

    # Change firewall settings
    - win_command: netsh advfirewall firewall set rule name="SNMP trap service(UDP reception)" profile=domain new enable=yes profile=domain program=%SystemRoot%\system32\snmptrap.exe
    - win_command: netsh advfirewall firewall set rule name="SNMP trap service(UDP reception)" profile=private,public new enable=yes profile=private,public program=%SystemRoot%\system32\snmptrap.exe
    - win_command: netsh advfirewall firewall set rule name="File and printer sharing(Echo request-ICMPv4 reception)" new enable=yes
    - win_command: netsh advfirewall firewall set rule name="File and printer sharing(Echo request-ICMPv4 transmission)" new enable=yes

    # Administrator password never expires
    - win_command: wmic UserAccount where Name='Administrator' set PasswordExpires=false

    # Disable password complexity requirements: export the local security policy,
    # rewrite the PasswordComplexity line, then import the edited file again
    - win_shell: secedit /export /cfg cfg.txt
    - win_shell: (Get-Content cfg.txt) -Replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File cfg.txt
    # Group policy changes: apply the edited policy and refresh
    - win_shell: secedit /configure /db new.sdb /cfg cfg.txt /areas SecurityPolicy
    - win_shell: del cfg.txt
    - win_shell: gpupdate /force

    # Registry changes; datatype falls back to dword when an item omits it
    - win_regedit:
        key: '{{ item.key }}'
        value: '{{ item.value }}'
        data: '{{ item.data }}'
        datatype: '{{ item.datatype | default("dword") }}'
      with_items:
        # Stop automatic startup of Server Manager
        - key: HKLM:\SOFTWARE\Microsoft\ServerManager
          value: DoNotOpenServerManagerAtLogon
          data: 1
          datatype: dword
        # Icon display on desktop (PC, network); the GUID names must be quoted,
        # otherwise YAML reads {...} as a flow mapping
        - key: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
          value: '{20D04FE0-3AEA-1069-A2D8-08002B30309D}'
          data: 0
          datatype: dword
        - key: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
          value: '{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}'
          data: 0
          datatype: dword
        # Change the display format of the control panel
        - key: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
          value: ForceClassicControlPanel
          data: 1
          datatype: dword
        # User Account Control (UAC) disabled
        - key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
          value: ConsentPromptBehaviorAdmin
          data: 0
          datatype: dword
        - key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
          value: EnableLUA
          data: 1
          datatype: dword
        - key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
          value: PromptOnSecureDesktop
          data: 0
          datatype: dword
        # Disable IE Enhanced Security Configuration (these Active Setup GUIDs are
        # IE ESC for administrators and for users, not Windows Update)
        - key: HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}
          value: IsInstalled
          data: 0
          datatype: dword
        - key: HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}
          value: IsInstalled
          data: 0
          datatype: dword
        # Change folder display options
        - key: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
          value: FullPath
          data: 1
          datatype: dword
        - key: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
          value: LaunchTo
          data: 1
          datatype: dword
        - key: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
          value: HideFileExt
          data: 0
          datatype: dword

    # Reboot so the policy and registry changes take effect
    - name: reboot
      win_reboot:
When you are ready, run the PlayBook with the following command (the file name matches the PlayBook in the directory tree above):
# ansible-playbook -i hosts windows_setup.yml
When the setting changes complete normally, the output ends with:
PLAY RECAP *************************************************************************************************************************************************************************************************
172.19.1.1 : ok=2 changed=10 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
The number of changed settings is shown under "changed". This completes the automatic server construction.
If there are other settings you want to change, check the documentation of the corresponding module.
For the time being, this construction automation reduced the time required to set up a server by about 30 minutes per unit. In addition, since human error has been eliminated, I think the total man-hours have been reduced considerably. I felt that both infrastructure operators and builders can benefit from using Ansible well. In the future, I will study other tools such as Terraform and the cloud.
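A "changed" count only says that a task ran, not that the server ended up in the intended state. As an added example (not part of the original post), the verification playbook below reads a few of the registry values and the password-complexity setting back from each host and fails the run if they differ from what windows_setup.yml is meant to set. The registry paths and values are the ones used in the playbook above; the file name, the task names and the temporary file path are my own.

```yaml
# verify_windows_setup.yml  (added example; checks the state windows_setup.yml is meant to leave)
- hosts: windows
  gather_facts: no
  tasks:
    # Registry values from windows_setup.yml, each paired with the data it should hold.
    # HKCU values are read for the account Ansible connects as, which is the same
    # account win_regedit wrote them for.
    - name: Read back the registry values written by the setup playbook
      win_reg_stat:
        path: '{{ item.key }}'
        name: '{{ item.value }}'
      register: reg
      loop:
        - { key: 'HKLM:\SOFTWARE\Microsoft\ServerManager', value: DoNotOpenServerManagerAtLogon, data: 1 }
        - { key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', value: EnableLUA, data: 1 }
        - { key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', value: ConsentPromptBehaviorAdmin, data: 0 }
        - { key: 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', value: PromptOnSecureDesktop, data: 0 }
        - { key: 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: HideFileExt, data: 0 }
      loop_control:
        label: '{{ item.value }}'

    - name: Fail if a value is missing or differs from the intended setting
      assert:
        that:
          - item.exists
          - item.value == item.item.data
        fail_msg: "{{ item.item.key }}\\{{ item.item.value }} is {{ item.value | default('absent') }}, expected {{ item.item.data }}"
      loop: '{{ reg.results }}'
      loop_control:
        label: '{{ item.item.value }}'

    # secedit is the tool the setup playbook used to change the policy, so reading
    # the policy back the same way shows whether the change really applied.
    # The export goes to a temporary file under the connecting user's TEMP (my choice).
    - name: Read the PasswordComplexity setting from the local security policy
      win_shell: |
        secedit /export /cfg $env:TEMP\verify_policy.cfg | Out-Null
        Select-String -Path $env:TEMP\verify_policy.cfg -Pattern '^PasswordComplexity' | ForEach-Object Line
        Remove-Item $env:TEMP\verify_policy.cfg
      register: complexity
      changed_when: false

    - name: Fail unless password complexity is disabled as the setup playbook intended
      assert:
        that: "'PasswordComplexity = 0' in complexity.stdout"
        fail_msg: "Local policy reports: {{ complexity.stdout | trim }}"
```

Run it with `ansible-playbook -i hosts verify_windows_setup.yml` after the reboot at the end of windows_setup.yml. Because every task is read-only (the only win_shell is marked changed_when: false), a clean run reports changed=0 and failed=0, and a host that drifted or where a task silently failed shows up as failed rather than hiding inside a changed count.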