From 6c24613a9b51d9e84841d37e37d69ee7768241b1 Mon Sep 17 00:00:00 2001
From: Diane Wang
Date: Thu, 13 Apr 2023 08:01:57 +0000
Subject: [PATCH 1/2] move adding KMS server in deploy VM
Signed-off-by: Diane Wang
---
common/vcenter_add_key_provider.yml | 40 ++++++++++++++++++++++
common/vcenter_add_standard_kp.yml | 14 +++++---
common/vm_add_vtpm_device.yml | 43 +++++------------------
windows/deploy_vm/deploy_vm.yml | 6 ++++
windows/deploy_vm/deploy_vm_from_iso.yml | 2 --
5 files changed, 64 insertions(+), 41 deletions(-)
create mode 100644 common/vcenter_add_key_provider.yml
diff --git a/common/vcenter_add_key_provider.yml b/common/vcenter_add_key_provider.yml
new file mode 100644
index 000000000..e798b0c12
--- /dev/null
+++ b/common/vcenter_add_key_provider.yml
@@ -0,0 +1,40 @@
+# Copyright 2023 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+---
+# The prerequsite of adding virtual TPM device to VM is key provider
+# configured on vCenter server.
+# When 'key_provider_type' parameter is set, add a new key provider with
+# specified type firstly, now only support Standard key provider configuration.
+#
+# Parameters:
+# key_provider_type: valid values are 'standard', 'native', now only 'standard'
+# is supported.
+# vc_cert_path: the file path on local machine for saving vCenter certificate.
+#
+- name: "Set fact of default key provider type"
+ ansible.builtin.set_fact:
+ key_provider_type: 'standard'
+ when: key_provider_type is undefined or not key_provider_type
+- name: "Check configured key provider type"
+ ansible.builtin.assert:
+ that:
+ - key_provider_type | lower == 'standard'
+ fail_msg: "Now the valid value of parameter 'key_provider_type' is 'standard', while configured value is '{{ key_provider_type }}'."
+- name: "Check required parameter"
+ ansible.builtin.assert:
+ that:
+ - vc_cert_path is defined
+ - vc_cert_path
+ fail_msg: "Parameter 'vc_cert_path' is required to be set to a valid path in local machine."
+- name: "Set fact of new key provider name"
+ ansible.builtin.set_fact:
+ new_kp_name: "{{ key_provider_type | lower }}{{ lookup('pipe', 'date +%Y%m%d%H%M%S') }}"
+- name: "Add key provider on vCenter server"
+ include_tasks: vcenter_add_standard_kp.yml
+ vars:
+ standard_kp_name: "{{ new_kp_name }}"
+ vc_cert_download_path: "{{ vc_cert_path }}"
diff --git a/common/vcenter_add_standard_kp.yml b/common/vcenter_add_standard_kp.yml
index d27e745e3..d4aa90311 100644
--- a/common/vcenter_add_standard_kp.yml
+++ b/common/vcenter_add_standard_kp.yml
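Review bot: The 'Set fact of default key provider type' task turns an unset `key_provider_type` into 'standard', so every inclusion of this file registers a new Standard key provider named `standard<timestamp>`; with the include added in the windows/deploy_vm/deploy_vm.yml hunk running whenever `virtual_tpm` is true, each vTPM test run appears to leave one more key provider (with the KMS registration done by vcenter_add_standard_kp.yml) on the vCenter server, including runs for 32-bit guests that never get a vTPM under the 64-bit guard in deploy_vm_from_iso.yml. The comment removed from common/vm_add_vtpm_device.yml gave an unset `key_provider_type` the opposite meaning, reuse the existing provider, and that path and its TBD status check are now gone. Either keep that contract, e.g. guard the new include in deploy_vm.yml with `when: key_provider_type is defined and key_provider_type and virtual_tpm is defined and virtual_tpm | bool` and drop the default task here, or look up existing key providers before adding one. The header comment also lists 'native' as valid while the assert below rejects it; `# key_provider_type: only 'standard' is supported at present` matches the code.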
@@ -16,14 +16,18 @@
# kms_username (optional): the username to authenticate to KMS server.
# kms_password (optional): the user password to authenticate to KMS server.
#
-- name: Check KMS server info list is set
+- name: "Check KMS server info list is set"
ansible.builtin.assert:
that:
- kms_info_list is defined
- - kms_info_list | length != 0
- fail_msg: "'kms_info_list' parameter is required when adding new standard key provider."
+ - kms_info_list | length > 0
+ - kms_info_list[0].kms_name is defined
+ - kms_info_list[0].kms_name
+ - kms_info_list[0].kms_ip is defined
+ - kms_info_list[0].kms_ip
+ fail_msg: "Parameter 'kms_info_list' is required and set to the list of dict with keys 'kms_name', 'kms_ip' when adding new Standard key provider."
-- name: Add Standard key provider to vCenter
+- name: "Add Standard key provider to vCenter"
community.vmware.vcenter_standard_key_provider:
hostname: "{{ vsphere_host_name }}"
username: "{{ vsphere_host_user }}"
@@ -43,6 +47,6 @@
download_self_signed_cert: "{{ vc_cert_download_path | default('/tmp/') }}"
register: add_standard_kms_result
-- name: Display the result of adding Standard key provider
+- name: "Display the result of adding Standard key provider"
ansible.builtin.debug: var=add_standard_kms_result
when: enable_debug
diff --git a/common/vm_add_vtpm_device.yml b/common/vm_add_vtpm_device.yml
index 8fdf85e62..84a17c796 100644
--- a/common/vm_add_vtpm_device.yml
+++ b/common/vm_add_vtpm_device.yml
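Review bot: The tightened assertion validates only `kms_info_list[0]`, so a list whose later entries lack `kms_name` or `kms_ip` still passes and then fails inside `community.vmware.vcenter_standard_key_provider` with a less specific error than the `fail_msg` promises. Checking every entry keeps the stated contract: `- kms_info_list | selectattr('kms_name', 'defined') | selectattr('kms_ip', 'defined') | list | length == kms_info_list | length`, with a matching `rejectattr('kms_name', 'eq', '')` / `rejectattr('kms_ip', 'eq', '')` pair if empty values must also be rejected. The task list continues beyond the hunk, and the second hunk in this file only quotes a task name.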
@@ -1,46 +1,21 @@
# Copyright 2022-2023 VMware, Inc.
# SPDX-License-Identifier: BSD-2-Clause
---
-# The prerequsite of adding virtual TPM device to VM is
-# key provider configured on vCenter.
+# Add new vTPM device to VM and check device exists.
#
-# When 'key_provider_type' parameter is set, add a new key
-# provider with specified type firstly, now only support
-# Standard key provider configuration.
-#
-- block:
- - name: Check key provider type value
- ansible.builtin.assert:
- that:
- - key_provider_type | lower == 'standard'
- fail_msg: "Parameter 'key_provider_type' valid value is 'standard', but configured '{{ key_provider_type }}'."
- - name: Set fact of new key provider name
- ansible.builtin.set_fact:
- new_kp_name: "{{ key_provider_type | lower }}{{ lookup('pipe', 'date +%Y%m%d%H%M%S') }}"
- - include_tasks: vcenter_add_standard_kp.yml
- vars:
- standard_kp_name: "{{ new_kp_name }}"
- vc_cert_download_path: "{{ vc_cert_path }}"
- when: key_provider_type | lower == 'standard'
- when:
- - key_provider_type is defined
- - key_provider_type
-# When key provider type is not configured, means use the existing configured one.
-# Will add get existing configured key provider info after new community.vmware module added
-# TBD: add a new task to check key provider status when key_provider_type is not defined.
-
-- include_tasks: vm_add_remove_vtpm.yml
+- name: "Add new vTPM device to VM"
+ include_tasks: vm_add_remove_vtpm.yml
vars:
vtpm_operation: 'present'
-- include_tasks: vm_get_device_with_label.yml
+
+- name: "Get vTPM device on VM"
+ include_tasks: vm_get_device_with_label.yml
vars:
device_label: 'Virtual TPM'
-- name: Check Virtual TPM device on VM
+
+- name: "Check vTPM device exists on VM"
ansible.builtin.assert:
that:
- device_info_with_label is defined
- device_info_with_label != ""
- fail_msg: "Can not get Virtual TPM device on VM."
+ fail_msg: "Can not get vTPM device on VM: '{{ device_info_with_label | default('') }}'"
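Review bot: After the key-provider block is removed, nothing in this file documents that a key provider must already be configured on vCenter before `vm_add_remove_vtpm.yml` runs, and the removed TBD note about verifying an existing provider disappears with it, so a reader of this file alone cannot tell why the vTPM add may fail. A header line such as `# Prerequisite: a key provider configured on vCenter server (see vcenter_add_key_provider.yml); this file does not verify it.` keeps that dependency visible next to the new one-line description.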
diff --git a/windows/deploy_vm/deploy_vm.yml b/windows/deploy_vm/deploy_vm.yml
index 8ee95d71d..de70dc48f 100644
--- a/windows/deploy_vm/deploy_vm.yml
+++ b/windows/deploy_vm/deploy_vm.yml
@@ -23,6 +23,12 @@
skip_reason: "Skipped"
when: new_vm is undefined or not new_vm | bool
+ - name: "Add key provider on vCenter server"
+ include_tasks: ../../common/vcenter_add_key_provider.yml
+ vars:
+ vc_cert_path: "{{ current_test_log_folder }}"
+ when: virtual_tpm is defined and virtual_tpm | bool
+
- name: "Deploy VM"
block:
- name: "Deploy VM by creating a new VM and install OS from ISO image on it"
diff --git a/windows/deploy_vm/deploy_vm_from_iso.yml b/windows/deploy_vm/deploy_vm_from_iso.yml
index f0b780fb7..047e31ea1 100644
--- a/windows/deploy_vm/deploy_vm_from_iso.yml
+++ b/windows/deploy_vm/deploy_vm_from_iso.yml
@@ -51,8 +51,6 @@
block:
# Add virtual TPM device
- include_tasks: ../../common/vm_add_vtpm_device.yml
- vars:
- vc_cert_path: "{{ current_test_log_folder }}"
when: virtual_tpm is defined and virtual_tpm | bool
# Enable secureboot
- include_tasks: ../../common/vm_set_boot_options.yml
From 2dfe547ac97b67a3e48383a764fbc549b63d8955 Mon Sep 17 00:00:00 2001
From: Diane Wang
Date: Thu, 13 Apr 2023 12:28:23 +0000
Subject: [PATCH 2/2] address comment
Signed-off-by: Diane Wang
---
common/vm_add_vtpm_device.yml | 2 +-
windows/deploy_vm/deploy_vm_from_iso.yml | 88 ++++++++++++++----------
2 files changed, 53 insertions(+), 37 deletions(-)
diff --git a/common/vm_add_vtpm_device.yml b/common/vm_add_vtpm_device.yml
index 84a17c796..25b465a5e 100644
--- a/common/vm_add_vtpm_device.yml
+++ b/common/vm_add_vtpm_device.yml
@@ -18,4 +18,4 @@
that:
- device_info_with_label is defined
- device_info_with_label != ""
- fail_msg: "Can not get vTPM device on VM: '{{ device_info_with_label | default('') }}'"
+ fail_msg: "Not get vTPM device on VM after adding vTPM device."
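Review bot: The replacement `fail_msg` in the common/vm_add_vtpm_device.yml hunk of the second patch reads awkwardly ("Not get vTPM device"), and it also drops the device lookup result that the first patch's message printed, which is the one piece of state useful when the assertion fires. `fail_msg: "vTPM device not found on VM after adding it: '{{ device_info_with_label | default('') }}'"` says it plainly and keeps the value. The assertion this line belongs to starts before the hunk.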
diff --git a/windows/deploy_vm/deploy_vm_from_iso.yml b/windows/deploy_vm/deploy_vm_from_iso.yml
index 047e31ea1..bb0e94c15 100644
--- a/windows/deploy_vm/deploy_vm_from_iso.yml
+++ b/windows/deploy_vm/deploy_vm_from_iso.yml
@@ -17,29 +17,34 @@
ansible.builtin.set_fact:
current_testcase_name: "deploy_vm_{{ firmware }}_{{ boot_disk_controller }}_{{ network_adapter_type }}"
-# Check configured VM CPU number and cores per socket number
-- include_tasks: check_cpu_socket.yml
+- name: "Check configured VM CPU number and cores per socket number"
+ include_tasks: check_cpu_socket.yml
-# Get or check configured ISO file list
-- include_tasks: ../../common/get_iso_file_list.yml
+- name: "Get configured ISO file list"
+ include_tasks: ../../common/get_iso_file_list.yml
-# Generate unattend install iso file
-- include_tasks: create_unattend_install_iso.yml
+- name: "Generate unattend install ISO file"
+ include_tasks: create_unattend_install_iso.yml
when: unattend_install_conf is defined and unattend_install_conf
-- ansible.builtin.debug:
- msg: "unattend_install_conf is not defined or set to a file path, will not generate unattend iso file"
+- name: "Not Generate unattend install ISO file"
+ ansible.builtin.debug:
+ msg: "[WARNING] Parameter 'unattend_install_conf' is not configured in vars/test.yml."
when: unattend_install_conf is undefined or not unattend_install_conf
-# Compose VM CDROMs with ISO file list
-- include_tasks: ../../common/compose_vm_cdroms.yml
+- name: "Compose VM CDROMs with ISO file list"
+ include_tasks: ../../common/compose_vm_cdroms.yml
-# Create new VM
-- include_tasks: ../../common/vm_create.yml
+- name: "Create new VM"
+ include_tasks: ../../common/vm_create.yml
when: boot_disk_controller != 'ide'
-- include_tasks: ../../common/vm_create_with_ide_disk.yml
+
+- name: "Create new VM with IDE boot disk controller"
+ include_tasks: ../../common/vm_create_with_ide_disk.yml
when: boot_disk_controller == 'ide'
-- include_tasks: ../../common/vm_get_vm_info.yml
+- name: "Get new VM info"
+ include_tasks: ../../common/vm_get_vm_info.yml
+
- name: "Set fact of vm_exists to True"
ansible.builtin.set_fact:
vm_exists: true
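Review bot: The task name `Not Generate unattend install ISO file` is a negated action rather than a description of what the task does, which reads oddly in play output beside the 'Generate unattend install ISO file' task above it; `- name: "Warn that unattend install ISO file is not generated"` describes the debug task. The new message also drops the old hint that the parameter is expected to hold a file path; `msg: "[WARNING] Parameter 'unattend_install_conf' is not set to a file path in vars/test.yml, unattend install ISO file will not be generated."` keeps both facts. The task list starts before the hunk.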
@@ -49,24 +54,26 @@
block:
- name: "Set features on 64bit VM"
block:
- # Add virtual TPM device
- - include_tasks: ../../common/vm_add_vtpm_device.yml
+ - name: "Add virtual TPM device"
+ include_tasks: ../../common/vm_add_vtpm_device.yml
when: virtual_tpm is defined and virtual_tpm | bool
- # Enable secureboot
- - include_tasks: ../../common/vm_set_boot_options.yml
+ - name: "Enable secure boot"
+ include_tasks: ../../common/vm_set_boot_options.yml
vars:
secure_boot_enabled_set: "{{ secureboot_enabled | default(false) }}"
enter_bios_setup: true
- # Enable VBS
- - include_tasks: ../utils/win_enable_vbs_vm.yml
+ - name: "Enable VM VBS"
+ include_tasks: ../utils/win_enable_vbs_vm.yml
vars:
win_enable_vbs: true
when: enable_vbs is defined and enable_vbs | bool
when: guest_id is defined and "'64' in guest_id"
- - include_tasks: ../../common/vm_set_power_state.yml
+ - name: "Power on VM"
+ include_tasks: ../../common/vm_set_power_state.yml
vars:
vm_power_state_set: "powered-on"
- - include_tasks: ../../common/vm_guest_send_key.yml
+ - name: "Send key strokes to VM console"
+ include_tasks: ../../common/vm_guest_send_key.yml
vars:
keys_send:
- DOWNARROW
@@ -75,17 +82,18 @@
- ENTER
when: firmware is defined and firmware | lower == "efi"
-# Power on VM directly when VM firmware is BIOS
-- include_tasks: ../../common/vm_set_power_state.yml
+- name: "Power on VM"
+ include_tasks: ../../common/vm_set_power_state.yml
vars:
vm_power_state_set: "powered-on"
when: firmware is defined and firmware | lower == "bios"
+
- name: "Wait 3 minutes while OS install"
ansible.builtin.pause:
minutes: 3
-# Check Image APPROVED in vmware.log when VM secureboot is enabled
-- include_tasks: ../../common/vm_wait_log_msg.yml
+- name: "Check Image APPROVED in vmware.log when VM secureboot is enabled"
+ include_tasks: ../../common/vm_wait_log_msg.yml
vars:
vm_wait_log_name: "vmware.log"
vm_wait_log_msg: "SECUREBOOT: Image APPROVED"
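Review bot: The block condition `when: guest_id is defined and "'64' in guest_id"` that the renamed 'Add virtual TPM device', 'Enable secure boot' and 'Enable VM VBS' tasks sit under quotes the membership test as a string literal, and a non-empty string is truthy in a Jinja conditional, so as far as I can tell the block runs for any VM with `guest_id` defined rather than only 64-bit guests, and a vTPM would be attached to 32-bit guests as well. If the membership test is the intent, `when: guest_id is defined and '64' in guest_id` expresses it without the extra quoting; worth a quick run against a 32-bit `guest_id` to confirm. The enclosing 'Deploy VM by creating a new VM ...' block starts before the hunk, so an outer guard I cannot see may already restrict this; the second hunk in this file is a rename only.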
@@ -96,24 +104,31 @@
- firmware is defined and firmware | lower == 'efi'
- secureboot_enabled is defined and secureboot_enabled
-- include_tasks: ../../common/vm_wait_network_connected.yml
-- include_tasks: ../../common/vm_get_ip.yml
+- name: "Wait for VM network adapter is connected"
+ include_tasks: ../../common/vm_wait_network_connected.yml
+
+- name: "Get VM IP address"
+ include_tasks: ../../common/vm_get_ip.yml
vars:
vm_get_ip_timeout: 3600
-- include_tasks: ../utils/win_check_winrm.yml
+
+- name: "Check WinRM is connectable"
+ include_tasks: ../utils/win_check_winrm.yml
vars:
win_check_winrm_timeout: 1800
- name: "Wait another 1 minute after OS becomes connectable"
ansible.builtin.pause:
minutes: 1
-- include_tasks: ../utils/add_windows_host.yml
+- name: "Add Windows host to in-memory inventory"
+ include_tasks: ../utils/add_windows_host.yml
-- name: "Enable VBS in guest OS"
+- name: "Enable VBS"
block:
- - include_tasks: ../utils/win_enable_vbs_guest.yml
- # Get VBS status in guest OS
- - include_tasks: ../utils/win_get_vbs_guest.yml
- - name: "Check VBS and running security service status"
+ - name: "Enable VBS in guest OS"
+ include_tasks: ../utils/win_enable_vbs_guest.yml
+ - name: "Get VBS status in guest OS"
+ include_tasks: ../utils/win_get_vbs_guest.yml
+ - name: "Check VBS and HVCI are running"
ansible.builtin.assert:
that:
- win_vbs_status_guest | int == 2
@@ -121,4 +136,5 @@
fail_msg: "VBS is not running '{{ win_vbs_status_guest }}', or HVCI is not running '{{ win_vbs_running_service }}'."
when: enable_vbs is defined and enable_vbs | bool
-- include_tasks: detach_cdrom_iso.yml
+- name: "Detach ISO image from VM CDROMs"
+ include_tasks: detach_cdrom_iso.yml