之所以在腾讯云的开发者社区提友商云,自然是多云对比的背景。
要看winrm状态,看监听是其次,主要得看防火墙状态,尤其是netsh.exe firewall show state显示的RemoteAdminMode(说白了有没有执行winrm quickconfig -q -force,有没有在防火墙放行RemoteAdmin)
阿里云的windows公共镜像(>=2008R2),sysprep镜像,没有执行winrm quickconfig -q -force,winrm默认没监听5985端口,防火墙默认没开启
腾讯云的windows公共镜像(>2008R2),sysprep镜像,没有执行winrm quickconfig -q -force,winrm默认监听了5985端口,防火墙默认没开启
AWS的windows公共镜像(微软生命周期内,目前是>=2016),sysprep镜像,winrm默认监听5985端口,防火墙默认开启,但防火墙默认没有放行RemoteAdmin
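下面分别介绍AWS、阿里云、腾讯云如何通过UserData设置密码并开启winrm。需要注意:这些脚本把密码明文写在UserData里,并在系统防火墙上对所有来源地址放行5985/5986;阿里云和腾讯云的脚本还开启了Basic认证和AllowUnencrypted。正式环境应通过安全组限制来源IP,并在初始化完成后更换密码。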
一、AWS(userdata标志是成对的<powershell></powershell>,不是#ps1,也不是[powershell])
<powershell>
# AWS EC2 user data. Sets the Administrator password, makes sure WinRM is
# running, opens the host firewall for Remote Desktop, RemoteAdmin and
# TCP 5985, runs "winrm quickconfig", and writes the resulting firewall
# state to c:\fw.txt.
#
# Security notes for anyone reusing this script:
#  - The password below is a placeholder and sits in the user data in clear
#    text. EC2 user data is not encrypted and can be read back from the
#    instance metadata service, so treat this value as a bootstrap secret
#    and rotate it once the instance is reachable.
#  - Every firewall rule below accepts any source address. The security
#    group is then the only thing limiting who can reach RDP and WinRM.
#  - 5985 is the WinRM HTTP listener; no HTTPS listener is created here.

# Set the local Administrator password (placeholder value).
net user Administrator "你的密码"
#Start-Service winrm
# Start the WinRM service only if it is not already running.
if($(get-service winrm).Status -notmatch "Running"){cmd.exe /c net start winrm}
# Legacy "netsh firewall" syntax: enable the Remote Desktop exception.
netsh firewall set service remotedesktop enable
# Enable the RemoteAdmin exception for every source address (scope=ALL) on
# every firewall profile (profile=ALL). This is the RemoteAdminMode value
# that "netsh.exe firewall show state" reports.
netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL profile=ALL
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL profile=Domain
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL profile=Standard
# Short form of the same exception; appears redundant with the line above.
netsh firewall set service RemoteAdmin enable
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL profile=Current
# Inbound allow rule for the WinRM HTTP port. There is no remoteip= filter,
# so the host firewall accepts any source; restrict the source in the
# security group or add remoteip=<ADMIN_CIDR_PLACEHOLDER> to the rule.
netsh advfirewall firewall add rule name="Open Port 5985" dir=in action=allow protocol=TCP localport=5985
# Restart WinRM, and set it so that it auto-launches on startup.
cmd.exe /c net stop winrm
cmd.exe /c sc.exe config winrm start= auto
# TrustedHosts is a WinRM *client* setting: "*" lets this machine connect out
# to any host without verifying its identity. It has no effect on inbound
# connections. -EA 0 (SilentlyContinue) plus the redirection hides failures.
Set-Item WSMan:localhost\client\trustedhosts -value * -force -EA 0 2>&1 >$null
# quickconfig is run twice (without and with -force); output is discarded,
# so a failure here is silent.
winrm quickconfig -q 2>&1 > $null
winrm quickconfig -q -force 2>&1 > $null
restart-service winrm 2>&1 > $null
# Save the firewall state so RemoteAdminMode can be checked after boot.
netsh.exe firewall show state >c:\fw.txt
</powershell>
二、阿里云(userdata标志是[powershell],不是成对的<powershell></powershell>,也不是#ps1)
[powershell]
#ps1
# Alibaba Cloud user data ([powershell] marker on the first line). Sets the
# Administrator password, replaces the WinRM listeners with an HTTPS listener
# backed by a self-signed certificate, relaxes WinRM authentication, opens
# the host firewall for 5985/5986, re-runs "winrm quickconfig", and finishes
# with a local connectivity check.
#
# Security notes for anyone reusing this script:
#  - The password below is a placeholder and sits in the user data in clear
#    text. NOTE(review): user data is typically retrievable from the
#    instance metadata service; confirm for this platform and rotate the
#    password after bootstrap.
#  - AllowUnencrypted="true" together with Basic="true" means credentials
#    and command traffic can travel unencrypted over the HTTP listener
#    (5985). Keep these only for an isolated image-build network.
#  - Every firewall rule below accepts any source address, so the security
#    group is the only source restriction.
#
# MAKE SURE IN YOUR PACKER CONFIG TO SET:
#
#
# "winrm_username": "Administrator",
# "winrm_insecure": true,
# "winrm_use_ssl": true,
#
#
# NOTE(review): the Packer hints above look carried over from a Packer
# bootstrap template. "winrm_insecure": true tells the Packer client to skip
# TLS certificate validation, which is what allows the self-signed
# certificate created below to be accepted.

# Set the local Administrator password (placeholder value).
net user Administrator "你的密码"
write-output "Running User Data Script"
write-host "(host) Running User Data Script"
# Machine-wide and persistent: later PowerShell sessions may run unsigned
# scripts. -ErrorAction Ignore hides a failure of this call.
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore
#Start-Service winrm
# Start the WinRM service only if it is not already running.
if($(get-service winrm).Status -notmatch "Running"){cmd.exe /c net start winrm}
# Don't set this before Set-ExecutionPolicy as it throws an error
# "Continue" reports errors but keeps executing the remaining lines.
$ErrorActionPreference = "Continue"
# Remove HTTP listener
# The wildcard matches every entry named listener*, not only the HTTP one.
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
# Create a self-signed certificate to let ssl work
# The certificate name is the fixed string "packer", so a client can only
# connect over HTTPS by skipping validation or by trusting this certificate.
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"
cmd.exe /c winrm quickconfig -q
# Operation timeout of 1800000 ms and 1024 MB per remote shell.
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
# Allow unencrypted traffic on both the service and the client side.
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
# Enable Basic authentication (service and client) and CredSSP (service).
# Basic sends the password base64-encoded, so it relies on the transport
# for confidentiality.
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
# Bind the HTTPS listener to port 5986 with the certificate created above.
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
# Enable the built-in "remote administration" rule group and open 5986
# using the legacy "netsh firewall" syntax.
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
# Stop WinRM, set it to start automatically, start it again.
cmd.exe /c net stop winrm
cmd.exe /c sc.exe config winrm start= auto
cmd.exe /c net start winrm
# Legacy "netsh firewall" syntax: enable the Remote Desktop exception.
netsh firewall set service remotedesktop enable
# Enable the RemoteAdmin exception for every source address (scope=ALL) on
# every firewall profile (profile=ALL).
netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL profile=ALL
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL profile=Domain
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL profile=Standard
# Short form of the same exception; appears redundant with the line above.
netsh firewall set service RemoteAdmin enable
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL profile=Current
# Inbound allow rules for WinRM HTTP (5985) and HTTPS (5986). There is no
# remoteip= filter, so the host firewall accepts any source; restrict the
# source in the security group or add remoteip=<ADMIN_CIDR_PLACEHOLDER>.
netsh advfirewall firewall add rule name="Open Port 5985" dir=in action=allow protocol=TCP localport=5985
netsh advfirewall firewall add rule name="Open Port 5986" dir=in action=allow protocol=TCP localport=5986
# Restart WinRM, and set it so that it auto-launches on startup.
# (Repeats the stop / autostart steps already done above.)
cmd.exe /c net stop winrm
cmd.exe /c sc.exe config winrm start= auto
# NOTE(review): quickconfig presumably re-creates the HTTP listener on 5985
# that was removed earlier; the winrs check on the last line depends on it.
# Output is discarded, so a failure here is silent.
winrm quickconfig -q -force 2>&1 > $null
winrm quickconfig -q 2>&1 > $null
# TrustedHosts is a WinRM *client* setting: "*" lets this machine connect out
# to any host without verifying its identity. It has no effect on inbound
# connections. -EA 0 (SilentlyContinue) plus the redirection hides failures.
Set-Item WSMan:localhost\client\trustedhosts -value * -Force -Confirm:$false -EA 0 2>&1 >$null
restart-service winrm 2>&1 > $null
# Verification: list sockets on 5985 or 5986 (findstr treats the two
# space-separated strings as alternatives), then run "hostname" through the
# local HTTP listener.
netstat -ato|findstr ":5985 :5986"
winrs -r:http://127.0.0.1:5985 hostname
三、腾讯云(userdata标志是#ps1或成对的<powershell></powershell>,不是[powershell])
#ps1
<powershell>
# Tencent Cloud user data. Sets the Administrator password, replaces the
# WinRM listeners with an HTTPS listener backed by a self-signed
# certificate, relaxes WinRM authentication, opens the host firewall for
# 5985/5986, re-runs "winrm quickconfig", and finishes with a local
# connectivity check.
#
# NOTE(review): both markers (#ps1 and the <powershell> tag pair) are present
# here. A literal tag line is not valid PowerShell, so confirm that the
# instance agent strips the tags when #ps1 is on the first line; otherwise
# keep only one of the two markers.
#
# Security notes for anyone reusing this script:
#  - The password below is a placeholder and sits in the user data in clear
#    text. NOTE(review): user data is typically retrievable from the
#    instance metadata service; confirm for this platform and rotate the
#    password after bootstrap.
#  - AllowUnencrypted="true" together with Basic="true" means credentials
#    and command traffic can travel unencrypted over the HTTP listener
#    (5985). Keep these only for an isolated image-build network.
#  - Every firewall rule below accepts any source address, so the security
#    group is the only source restriction.
#
# MAKE SURE IN YOUR PACKER CONFIG TO SET:
#
#
# "winrm_username": "Administrator",
# "winrm_insecure": true,
# "winrm_use_ssl": true,
#
#
# NOTE(review): the Packer hints above look carried over from a Packer
# bootstrap template. "winrm_insecure": true tells the Packer client to skip
# TLS certificate validation, which is what allows the self-signed
# certificate created below to be accepted.

# Set the local Administrator password (placeholder value).
net user Administrator "你的密码"
write-output "Running User Data Script"
write-host "(host) Running User Data Script"
# Machine-wide and persistent: later PowerShell sessions may run unsigned
# scripts. -ErrorAction Ignore hides a failure of this call.
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore
#Start-Service winrm
# Start the WinRM service only if it is not already running.
if($(get-service winrm).Status -notmatch "Running"){cmd.exe /c net start winrm}
# Don't set this before Set-ExecutionPolicy as it throws an error
# "Continue" reports errors but keeps executing the remaining lines.
$ErrorActionPreference = "Continue"
# Remove HTTP listener
# The wildcard matches every entry named listener*, not only the HTTP one.
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
# Create a self-signed certificate to let ssl work
# The certificate name is the fixed string "packer", so a client can only
# connect over HTTPS by skipping validation or by trusting this certificate.
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"
cmd.exe /c winrm quickconfig -q
# Operation timeout of 1800000 ms and 1024 MB per remote shell.
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
# Allow unencrypted traffic on both the service and the client side.
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
# Enable Basic authentication (service and client) and CredSSP (service).
# Basic sends the password base64-encoded, so it relies on the transport
# for confidentiality.
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
# Bind the HTTPS listener to port 5986 with the certificate created above.
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
# Enable the built-in "remote administration" rule group and open 5986
# using the legacy "netsh firewall" syntax.
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
# Stop WinRM, set it to start automatically, start it again.
cmd.exe /c net stop winrm
cmd.exe /c sc.exe config winrm start= auto
cmd.exe /c net start winrm
# Legacy "netsh firewall" syntax: enable the Remote Desktop exception.
netsh firewall set service remotedesktop enable
# Enable the RemoteAdmin exception for every source address (scope=ALL) on
# every firewall profile (profile=ALL).
netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL profile=ALL
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL profile=Domain
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL profile=Standard
# Short form of the same exception; appears redundant with the line above.
netsh firewall set service RemoteAdmin enable
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL profile=Current
# Inbound allow rules for WinRM HTTP (5985) and HTTPS (5986). There is no
# remoteip= filter, so the host firewall accepts any source; restrict the
# source in the security group or add remoteip=<ADMIN_CIDR_PLACEHOLDER>.
netsh advfirewall firewall add rule name="Open Port 5985" dir=in action=allow protocol=TCP localport=5985
netsh advfirewall firewall add rule name="Open Port 5986" dir=in action=allow protocol=TCP localport=5986
# Restart WinRM, and set it so that it auto-launches on startup.
# (Repeats the stop / autostart steps already done above.)
cmd.exe /c net stop winrm
cmd.exe /c sc.exe config winrm start= auto
# NOTE(review): quickconfig presumably re-creates the HTTP listener on 5985
# that was removed earlier; the winrs check near the end depends on it.
# Output is discarded, so a failure here is silent.
winrm quickconfig -q -force 2>&1 > $null
winrm quickconfig -q 2>&1 > $null
# TrustedHosts is a WinRM *client* setting: "*" lets this machine connect out
# to any host without verifying its identity. It has no effect on inbound
# connections. -EA 0 (SilentlyContinue) plus the redirection hides failures.
Set-Item WSMan:localhost\client\trustedhosts -value * -Force -Confirm:$false -EA 0 2>&1 >$null
restart-service winrm 2>&1 > $null
# Verification: list sockets on 5985 or 5986 (findstr treats the two
# space-separated strings as alternatives), then run "hostname" through the
# local HTTP listener.
netstat -ato|findstr ":5985 :5986"
winrs -r:http://127.0.0.1:5985 hostname
</powershell>
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。