Feature request: Bootstrapping for Windows minions

[scottp-dpaw]

My employer is interested in a mostly-foolproof way of rolling out a Salt minion release to a list of domain-managed Windows machines, assuming they had near-vanilla installs. I prototyped a method that succeeded at this for XP, 2003 and 7Pro targets. The one prerequisite is that the calling machine must have psexec from Sysinternals PsTools installed in the path.

In a nutshell, manage.bootstrap_psexec does the following:

• Compile batch file on host
• Use PsExec to transmit and execute batch file over SMB with appropriate admin credentials
• Batch file terminates salt-minion service if present, removes any cached master public key for an existing Salt install
• Batch file downloads two installer payloads via HTTP (VSCRT 2008 installer and latest Salt Installer) thanks to liberal abuse of the Windows Script Host and the IE6 AJAX module
• Batch file executes both installers in silent mode

I'm not sure what the rule is re. non-master machines calling salt-run, but I've tried it on a few Windows client installs and there doesn't seem to be any issue. Let me know if this is the appropriate place to have this functionality, or if there is somewhere else better (e.g. split out into a module)

[UtahDave]

@scottp-dpaw this looks great!

I was planning on building something similar very soon! @techhat and I have been working on related stuff for Salt Cloud. There is a project call winexe that provides psexec type functionality, but on Linux. https://sourceforge.net/projects/winexe/

How difficult do you think it would be to update your code to allow for both methods? That way this could be executed from both a Linux salt master and from a windows machine.

Thoughts?

[scottp-dpaw]

I had a go at building Winexe + Samba 4 when developing this, but zero success in doing anything useful to Windows machines with it. The best I managed was authenticating with the remote machine, winexesvc.exe getting loaded into the process space, then winexe bombing just before executing the command with "error ConnectNamedPipe(pout)".

There might be a problem with the size of the script. At first I had everything crammed into one call to cmd.exe /c, until I found that PsExec would give up without trying if you made the program arguments too long. (PsExec does support copying a file to the remote machine and executing that, which is used in my code. I don't think Winexe has this feature yet)

I'm hoping this is a PsExec problem; cmd.exe has a hard limit of 8192 characters for a single-line input, the batch files generated are about 2414 characters. I can check for platform and put together some new string glue to make the script a one-liner for Winexe, only I wouldn't be able to test it.

[UtahDave]

@scottp-dpaw ok, we went ahead and merged your current pull req. It looks great. I'd like to see if I can get winexe working with it.

[scottp-dpaw]

Awesome, thanks man :)

[techhat]

@scottp-dpaw, you'll want to look at saltstack/salt-cloud#860. When it's merged, you can use the saltify driver to bootstrap any existing Windows box, or the driver for the cloud provider of your choice to spin up a new one.