Repository: brooklyn-library Updated Branches: refs/heads/master d7d44f9ff -> be0d23240
Improve the MS SQL blueprint to work in the general case This commit includes also a is running command for MS SQL Through CredSSP the installer is granted to execute all the required permissions it needs. Visit https://technet.microsoft.com/en-us/library/hh849719.aspx for more details on CredSSP. To use `Invoke-Command -Authentication CredSSP' several things should be up, which are not always all configured on different windows systems. Things that should be up: - WinRM over http - Trusted hosts which will use Invoke-Command - Allow the delegation of user credentials - Allowed CredSSP Project: http://git-wip-us.apache.org/repos/asf/brooklyn-library/repo Commit: http://git-wip-us.apache.org/repos/asf/brooklyn-library/commit/d645aa84 Tree: http://git-wip-us.apache.org/repos/asf/brooklyn-library/tree/d645aa84 Diff: http://git-wip-us.apache.org/repos/asf/brooklyn-library/diff/d645aa84 Branch: refs/heads/master Commit: d645aa847e2fe1477b7bec8956622ed12c68bcdf Parents: d7d44f9 Author: Valentin Aitken <[email protected]> Authored: Tue Mar 22 21:03:38 2016 +0200 Committer: Valentin Aitken <[email protected]> Committed: Tue Mar 22 21:13:40 2016 +0200 ---------------------------------------------------------------------- .../database/mssql/Custom-Enable-CredSSP.ps1 | 131 +++++++++++++++++++ .../entity/database/mssql/installmssql.ps1 | 33 +++-- .../brooklyn/entity/database/mssql/mssql.yaml | 9 +- 3 files changed, 152 insertions(+), 21 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/brooklyn-library/blob/d645aa84/software/database/src/main/resources/org/apache/brooklyn/entity/database/mssql/Custom-Enable-CredSSP.ps1 ---------------------------------------------------------------------- diff --git a/software/database/src/main/resources/org/apache/brooklyn/entity/database/mssql/Custom-Enable-CredSSP.ps1 b/software/database/src/main/resources/org/apache/brooklyn/entity/database/mssql/Custom-Enable-CredSSP.ps1 new file mode 100644 index 0000000..ef2ee5c --- /dev/null +++ b/software/database/src/main/resources/org/apache/brooklyn/entity/database/mssql/Custom-Enable-CredSSP.ps1 @@ -0,0 +1,131 @@ +#!ps1 +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# Resources: +# https://github.com/mwrock/boxstarter/blob/master/LICENSE.txt +# https://github.com/mwrock/boxstarter/blob/master/Boxstarter.Chocolatey/Enable-BoxstarterCredSSP.ps1 + +function Custom-Enable-CredSSP { +<# +.SYNOPSIS +Enables and configures CredSSP Authentication to be used in PowerShell remoting sessions + +.DESCRIPTION +Enabling CredSSP allows a caller from one remote session to authenticate on other remote +resources. This is known as credential delegation. By default, PowerShell sessions do not +use credSSP and therefore cannot bake a "second hop" to use other remote resources that +require their authentication token. + +This command will enable CredSSP and add all RemoteHostsToTrust to the CredSSP trusted +hosts list. It will also edit the users group policy to allow Fresh Credential Delegation. + +.PARAMETER RemoteHostsToTrust +A list of ComputerNames to add to the CredSSP Trusted hosts list. + +.OUTPUTS +A list of the original trusted hosts on the local machine. + +.EXAMPLE +Custom-Enable-CredSSP box1,box2 + + +#> + param( + [string[]] $RemoteHostsToTrust + ) + + # Required to be running for using CredSSP + winrm quickconfig -transport:http -quiet + + & winrm set winrm/config/service/auth '@{CredSSP="true"}' + If ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } + + & winrm set winrm/config/client/auth '@{CredSSP="true"}' + If ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } + + $Result=@{ + Success=$False; + PreviousCSSPTrustedHosts=$null; + PreviousFreshCredDelegationHostCount=0 + } + + Write-Host "Configuring CredSSP settings..." + $credssp = Get-WSManCredSSP + + $ComputersToAdd = @() + $idxHosts=$credssp[0].IndexOf(": ") + if($idxHosts -gt -1){ + $credsspEnabled=$True + $Result.PreviousCSSPTrustedHosts=$credssp[0].substring($idxHosts+2) + $hostArray=$Result.PreviousCSSPTrustedHosts.Split(",") + $RemoteHostsToTrust | ? { $hostArray -notcontains "wsman/$_" } | % { $ComputersToAdd += $_ } + } + else { + $ComputersToAdd = $RemoteHostsToTrust + } + + if($ComputersToAdd.Count -gt 0){ + try { + Enable-WSManCredSSP -DelegateComputer $ComputersToAdd -Role Client -Force -ErrorAction Stop | Out-Null + } + catch { + Write-BoxstarterMessage "Enable-WSManCredSSP failed with: $_" -Verbose + return $result + } + } + + $key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows" + if (!(Test-Path "$key\CredentialsDelegation")) { + New-Item $key -Name CredentialsDelegation | Out-Null + } + $key = Join-Path $key "CredentialsDelegation" + New-ItemProperty -Path "$key" -Name "ConcatenateDefaults_AllowFresh" -Value 1 -PropertyType Dword -Force | Out-Null + New-ItemProperty -Path "$key" -Name "ConcatenateDefaults_AllowFreshNTLMOnly" -Value 1 -PropertyType Dword -Force | Out-Null + + $result.PreviousFreshNTLMCredDelegationHostCount = Set-CredentialDelegation $key 'AllowFreshCredentialsWhenNTLMOnly' $RemoteHostsToTrust + $result.PreviousFreshCredDelegationHostCount = Set-CredentialDelegation $key 'AllowFreshCredentials' $RemoteHostsToTrust + + $Result.Success=$True + return $Result +} + +function Set-CredentialDelegation($key, $subKey, $allowed){ + New-ItemProperty -Path "$key" -Name $subKey -Value 1 -PropertyType Dword -Force | Out-Null + $policyNode = Join-Path $key $subKey + if (!(Test-Path $policyNode)) { + md $policyNode | Out-Null + } + $currentHostProps=@() + (Get-Item $policyNode).Property | % { + $currentHostProps += (Get-ItemProperty -Path $policyNode -Name $_).($_) + } + $currentLength = $currentHostProps.Length + $idx=$currentLength + $allowed | ? { $currentHostProps -notcontains "wsman/$_"} | % { + ++$idx + New-ItemProperty -Path $policyNode -Name "$idx" -Value "wsman/$_" -PropertyType String -Force | Out-Null + } + + return $currentLength +} + +$result = Custom-Enable-CredSSP $env:COMPUTERNAME,localhost +if (-not $result.Success) { + exit 1 +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/brooklyn-library/blob/d645aa84/software/database/src/main/resources/org/apache/brooklyn/entity/database/mssql/installmssql.ps1 ---------------------------------------------------------------------- diff --git a/software/database/src/main/resources/org/apache/brooklyn/entity/database/mssql/installmssql.ps1 b/software/database/src/main/resources/org/apache/brooklyn/entity/database/mssql/installmssql.ps1 index 41bb75c..7777a22 100644 --- a/software/database/src/main/resources/org/apache/brooklyn/entity/database/mssql/installmssql.ps1 +++ b/software/database/src/main/resources/org/apache/brooklyn/entity/database/mssql/installmssql.ps1 @@ -24,12 +24,6 @@ $Path = "C:\sql2008.iso" $Username = "${config['mssql.download.user']}" $Password = '${config['mssql.download.password']}' -& winrm set winrm/config/service/auth '@{CredSSP="true"}' -If ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } - -& winrm set winrm/config/client/auth '@{CredSSP="true"}' -If ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } - New-Item -ItemType Directory -Force -Path "C:\Program Files (x86)\Microsoft SQL Server\DReplayClient\ResultDir" New-Item -ItemType Directory -Force -Path "C:\Program Files (x86)\Microsoft SQL Server\DReplayClient\WorkingDir" @@ -38,25 +32,28 @@ if (-Not $operationResult.Success) { exit 1 } $pass = '${attribute['windows.password']}' +$exitCode = 1 + Try { -$WebClient = New-Object System.Net.WebClient -$WebClient.Credentials = New-Object System.Net.Networkcredential($Username, $Password) -$WebClient.DownloadFile( $url, $path ) + $WebClient = New-Object System.Net.WebClient + $WebClient.Credentials = New-Object System.Net.Networkcredential($Username, $Password) + $WebClient.DownloadFile( $url, $path ) -$mountResult = Mount-DiskImage $Path -PassThru -$driveLetter = (($mountResult | Get-Volume).DriveLetter) + ":\" + $mountResult = Mount-DiskImage $Path -PassThru + $driveLetter = (($mountResult | Get-Volume).DriveLetter) + ":\" -$secpasswd = ConvertTo-SecureString $pass -AsPlainText -Force -$mycreds = New-Object System.Management.Automation.PSCredential ($($env:COMPUTERNAME + "\${location.user}"), $secpasswd) + $secpasswd = ConvertTo-SecureString $pass -AsPlainText -Force + $mycreds = New-Object System.Management.Automation.PSCredential ($($env:COMPUTERNAME + "\${location.user}"), $secpasswd) -$exitCode = Invoke-Command -ComputerName $env:COMPUTERNAME -Credential $mycreds -ScriptBlock { + $exitCode = Invoke-Command -ComputerName $env:COMPUTERNAME -Credential $mycreds -ScriptBlock { param($driveLetter) $process = Start-Process ( $driveLetter + "setup.exe") -ArgumentList "/ConfigurationFile=C:\ConfigurationFile.ini" -RedirectStandardOutput "C:\sqlout.txt" -RedirectStandardError "C:\sqlerr.txt" -Wait -PassThru -NoNewWindow $process.ExitCode -} -Authentication CredSSP -ArgumentList $driveLetter + } -Authentication CredSSP -ArgumentList $driveLetter + } Catch { - Write-Error $_.Exception - Write-Host 'Exception logged' - exit 1 + Write-Error $_.Exception + Write-Host 'Exception logged' + exit 1 } exit $exitCode \ No newline at end of file http://git-wip-us.apache.org/repos/asf/brooklyn-library/blob/d645aa84/software/database/src/main/resources/org/apache/brooklyn/entity/database/mssql/mssql.yaml ---------------------------------------------------------------------- diff --git a/software/database/src/main/resources/org/apache/brooklyn/entity/database/mssql/mssql.yaml b/software/database/src/main/resources/org/apache/brooklyn/entity/database/mssql/mssql.yaml index c3d3c99..321b52d 100644 --- a/software/database/src/main/resources/org/apache/brooklyn/entity/database/mssql/mssql.yaml +++ b/software/database/src/main/resources/org/apache/brooklyn/entity/database/mssql/mssql.yaml @@ -9,22 +9,25 @@ location: templateOptions: subnetId: subnet-a10e96c4 securityGroupIds: [['sg-a2d0c2c7']] - mapNewVolumeToDeviceName: ["/dev/sda1", 100, true] + mapNewVolumeToDeviceName: ["/dev/sda1", 60, true] services: - type: org.apache.brooklyn.entity.software.base.VanillaWindowsProcess brooklyn.config: templates.install: + classpath://org/apache/brooklyn/entity/database/mssql/Custom-Enable-CredSSP.ps1: "C:\\Custom-Enable-CredSSP.ps1" classpath://org/apache/brooklyn/entity/database/mssql/ConfigurationFile.ini: "C:\\ConfigurationFile.ini" classpath://org/apache/brooklyn/entity/database/mssql/installmssql.ps1: "C:\\installmssql.ps1" classpath://org/apache/brooklyn/entity/database/mssql/configuremssql.ps1: "C:\\configuremssql.ps1" classpath://org/apache/brooklyn/entity/database/mssql/launchmssql.bat: "C:\\launchmssql.bat" classpath://org/apache/brooklyn/entity/database/mssql/stopmssql.bat: "C:\\stopmssql.bat" - install.command: powershell -command "C:\\installmssql.ps1" + install.command: powershell -command "C:\\Custom-Enable-CredSSP.ps1" && powershell -command "C:\\installmssql.ps1" customize.command: powershell -command "C:\\configuremssql.ps1" launch.command: "C:\\launchmssql.bat" stop.command: "C:\\stopmssql.bat" - checkRunning.command: echo true + checkRunning.powershell.command: | + $service = Get-Service -Name MSSQLSERVER + If ( (-not $service) -or ($service.Status -ne 'Running') ) { exit 1 } ## NOTE: Values must be supplied for the following mssql.download.url:
