渲染业务建议使用≥server2019的系统
一、如果需要非sysprep(即不入域)的镜像,用现有镜像购买一台带公网IP的机器,做如下几个优化:
1、优化帐户策略、禁用安全中心
组策略:安全设置 → 帐户策略 → 开启密码复杂度、关闭帐户锁定
导入.reg禁用安全中心
用advanced run提权到TrustedInstaller,执行reg.exe import disable_native_security.reg
如下图填写cmd.exe,选择TrustedInstaller运行,会打开一个提权了的cmd窗口,在里面输入reg.exe import filena.reg
执行成功后重启机器
2、安装TAT
不是光安装就完了,还得确保TAT起作用,具体参考:https://cloud.tencent.com/developer/article/2145058
3、下载运行这个.bat文件,执行完成后重启机器
4、下载运行这个.ps1文件,执行完成后会自动关机并删除youhua.ps1自身,等关机后做镜像即可
youhua.ps1的内容如下
$client = new-object System.Net.WebClient
# youhua.ps1 as printed on the page: prepares a Tencent Cloud Windows VM for
# capture as a (non-sysprep) rendering image, then shuts the VM down and
# deletes itself. Everything below is a side effect on the live OS; run it only
# on a throw-away build VM.
# NOTE(review): the page extraction has dropped the backslashes from every
# Windows path and registry key (e.g. `c:windowswget.exe`,
# `HKLM:SOFTWAREMicrosoftWindows NTCurrentVersion`) — restore the `\`
# separators before this listing is used anywhere.
#
# --- Fetch helper tools -------------------------------------------------------
# NOTE(review): every download in this script is plain HTTP with no hash or
# signature check before the file is executed/installed (wget64.exe, the 7-Zip
# MSI, the driver bundles, the Cloudbase-Init files). Anything on the network
# path can substitute them; prefer HTTPS and compare against a known-good hash.
# NOTE(review): the destination literal starts with a space (`' c:…'`), which
# looks like a typo — confirm the binary really lands where the later bare
# `wget.exe` calls expect it.
$client.DownloadFile('http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/wget64.exe',' c:windowswget.exe')
$client1 = new-object System.Net.WebClient
$client1.DownloadFile('http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/7z2200-x64.msi','c:7z2200-x64.msi')
# Silent 7-Zip install. The fixed 30 s sleep stands in for waiting on msiexec;
# `Start-Process msiexec -Wait` would be deterministic.
msiexec.exe /i c:7z2200-x64.msi /qn
Start-Sleep 30
del c:7z2200-x64.msi 2>&1 > $null
# --- Download the VirtIO driver bundle matching the OS generation -----------
if((Get-ItemProperty "HKLM:SOFTWAREMicrosoftWindows NTCurrentVersion").ProductName -match "2008 R2|Windows 7"){
wget.exe http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/115.159.148.149/Win7_Win2008R2.zip -O c:drivers.zip
}elseif((Get-ItemProperty "HKLM:SOFTWAREMicrosoftWindows NTCurrentVersion").ProductName -match "2012 R2|Windows 8.1"){
wget.exe http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/115.159.148.149/Win8.1_Win2012R2.zip -O c:drivers.zip
}else{
wget.exe http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/115.159.148.149/Win10_2016_2019.zip -O c:drivers.zip
}
# Start from a clean extraction directory.
cmd.exe /c rd /S /Q c:drivers 2>&1 > $null
# Older OSes have no Expand-Archive, so 7-Zip is used there.
if((Get-ItemProperty "HKLM:SOFTWAREMicrosoftWindows NTCurrentVersion").ProductName -match "2008 R2|2012 R2|Windows 7|Windows 8.1"){
& "$env:ProgramFiles7-Zip7z.exe" x -aoa c:drivers.zip -oc:drivers
}else{
expand-archive -path "c:drivers.zip" -destinationpath c:drivers
}
# Stage the VirtIO storage (viostor) and network (netkvm) drivers into the
# driver store so the image can boot on a virtio-backed instance.
pnputil -i -a c:driversamd64viostor.inf
pnputil -i -a c:driversamd64netkvm.inf
# --- Local Administrator password --------------------------------------------
# NOTE(review): a literal password is baked into the image here (and published
# with this article), so every VM created from the image shares a known
# credential until something rotates it. Inject the value at deploy time
# (cloudbase-init / userdata) instead of hard-coding it in the image.
$UserName="Administrator"
$NewPassword="firework@123"
([adsi]"WinNT://$ENV:COMPUTERNAME/$UserName").SetPassword("$NewPassword")
# --- WinRM ----------------------------------------------------------------------
# Drop any WinRM policy so quickconfig can apply its own defaults.
reg delete "HKLMSOFTWAREPoliciesMicrosoftWindowsWinRM" /f 2>&1 >$null
# NOTE(review): mpssvc is the Windows Defender Firewall service. It is stopped
# here and never started again anywhere in this script, so the image ships
# with the host firewall off; re-enable it (with the WinRM/RDP rules that are
# needed) before capture unless that is intentional.
stop-service mpssvc 2>&1 > $null
winrm quickconfig -q 2>&1 > $null
winrm quickconfig -q -force 2>&1 > $null
restart-service winrm 2>&1 > $null
#Set-Item WSMan:localhostclienttrustedhosts -value * -force 2>&1 > $null
# NOTE(review): TrustedHosts="*" switches off the WinRM client's host check for
# non-Kerberos connections made from this machine; scope it to the hosts that
# actually need to be reached if possible.
winrm set winrm/config/client '@{TrustedHosts="*"}' 2>&1 > $null
#netstat -ato|findstr :5985
# --- Windows Update / platform tweaks -----------------------------------------
# Keep driver updates out of Windows Update quality updates (policy key and
# its PolicyManager mirror).
reg add "HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /d 1 /t REG_DWORD /f
reg add "HKLMSoftwareMicrosoftPolicyManagerdefaultUpdate" /v "ExcludeWUDriversInQualityUpdate" /d 1 /t REG_DWORD /f
# AFD (Winsock) tuning flag — TODO confirm why it is wanted on a render node.
reg add "HKLMSYSTEMCurrentControlSetServicesAFDParameters" /v "DoNotHoldNicBuffers" /d 1 /t REG_DWORD /f
# Do not wipe the page file at shutdown (faster shutdowns).
reg add "HKLMSYSTEMCurrentControlSetControlSession ManagerMemory Management" /v "ClearPageFileAtShutdown" /d 0 /t REG_DWORD /f
# No Server Manager at logon, no Storage Sense.
reg add "HKLMSoftwareMicrosoftServerManager" /v "DoNotOpenServerManagerAtLogon" /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsStorageSense" /v "AllowStorageSenseGlobal" /d 0 /t REG_DWORD /f
# Switch to the built-in High performance power scheme (that GUID) and never
# blank the display on AC or DC.
powercfg -s 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
powercfg -x -monitor-timeout-dc 0
powercfg -x -monitor-timeout-ac 0
# Disable the lock screen and workstation locking.
reg add "HKLMSOFTWAREPoliciesMicrosoftWindowsPersonalization" /v "NoLockScreen" /d 1 /t REG_DWORD /f
reg add "HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon" /v "DisableLockWorkstation" /d 1 /t REG_DWORD /f
reg add "HKLMSOFTWAREMicrosoftWindows NTCurrentVersionAuthenticationLogonUISessionData" /v "AllowLockScreen" /d 0 /t REG_DWORD /f
# --- Cloudbase-Init --------------------------------------------------------------
# NOTE(review): these three lines overwrite a LocalScript, a module inside the
# installed Cloudbase-Init package (localscripts.py) and its main config with
# unverified HTTP downloads. Same integrity concern as the tool downloads
# above, but this code runs as LocalSystem on every boot of every clone.
wget.exe "http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/TencentCloudRun.ps1" -O "C:Program FilesCloudbase SolutionsCloudbase-InitLocalScriptsTencentCloudRun.ps1"
wget.exe "http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/localscripts.py" -O "C:Program FilesCloudbase SolutionsCloudbase-InitPythonLibsite-packagescloudbaseinitpluginscommonlocalscripts.py"
wget.exe "http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/cloudbase-init1.conf" -O "C:Program FilesCloudbase SolutionsCloudbase-Initconfcloudbase-init.conf"
# Run the service as LocalSystem, start it after networking/WMI, and restart it
# 10 s after a failure. `sc qc` only queries the config (output discarded).
sc.exe config cloudbase-init obj= LocalSystem 2>&1 > $null
sc.exe config cloudbase-init depend= tcpip/dhcp/dnscache/Winmgmt 2>&1 > $null
sc.exe failure cloudbase-init reset= 0 actions= restart/10000 2>&1 > $null
sc.exe qc cloudbase-init 8192 2>&1 > $null
# --- RDP -----------------------------------------------------------------------
# Allow Remote Desktop connections on the default port (3389).
(gwmi -class win32_terminalservicesetting -namespace "rootcimv2terminalservices").setallowtsconnections(1)
$portvalue = 3389
Set-ItemProperty -Path 'HKLM:SYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp' -name "PortNumber" -Value $portvalue
# --- Download / browser protections that are switched off ----------------------
# NOTE(review): the next block weakens several default protections; none of
# them is needed for rendering itself, so confirm each is really wanted:
#  - SaveZoneInformation=1 is the "Do not preserve zone information" policy,
#    so downloaded files no longer carry Mark-of-the-Web (SmartScreen and
#    Office Protected View stop triggering on them);
#  - CertificateRevocation=0 disables WinINet certificate revocation checks;
#  - Software Publishing State 0x23e00 is, as I read it, the value written when
#    "Check for publisher's certificate revocation" is unchecked (the 0x23c00
#    default plus the ignore-revocation flag), so Authenticode signatures are
#    no longer checked against revocation lists.
reg add "HKCUSOFTWAREMicrosoftWindowsCurrentVersionPoliciesAttachments" /v SaveZoneInformation /t REG_DWORD /d 1 /f 2>&1 > $null
reg add "HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesAttachments" /v SaveZoneInformation /t REG_DWORD /d 1 /f 2>&1 > $null
# Blank IE start page for the current user, the machine and the default profile.
reg add "HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain" /v "Start Page" /t reg_sz /d about:blank /f 2>&1 > $null
reg add "HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain" /v "Default_Page_URL" /t reg_sz /d about:blank /f 2>&1 > $null
reg add "HKLMSoftwareMicrosoftInternet ExplorerMain" /v "Start Page" /t reg_sz /d about:blank /f 2>&1 > $null
reg add "HKLMSoftwareMicrosoftInternet ExplorerMain" /v "Default_Page_URL" /t reg_sz /d about:blank /f 2>&1 > $null
reg add "HKEY_USERS.DEFAULTSoftwareMicrosoftInternet ExplorerMain" /v "Start Page" /t reg_sz /d about:blank /f 2>&1 > $null
reg add "HKEY_USERS.DEFAULTSoftwareMicrosoftInternet ExplorerMain" /v "Default_Page_URL" /t reg_sz /d about:blank /f 2>&1 > $null
reg add "HKCUSOFTWAREMicrosoftWindowsCurrentVersionInternet Settings" /v CertificateRevocation /t REG_DWORD /d 0 /f 2>&1 > $null
reg add "HKLMSOFTWAREMicrosoftWindowsCurrentVersionInternet Settings" /v CertificateRevocation /t REG_DWORD /d 0 /f 2>&1 > $null
reg add "HKCUSOFTWAREMicrosoftWindowsCurrentVersionWinTrustTrust ProvidersSoftware Publishing" /v State /t REG_DWORD /d 0x23e00 /f 2>&1 > $null
# --- Keyboard layouts ------------------------------------------------------------
# Preload en-US (0409) and zh-CN (0804) for the current user, the machine and
# the default profile, and ignore the layout sent by RDP clients.
reg add "HKCUKeyboard LayoutPreload" /v "1" /d 00000409 /t REG_SZ /f 2>&1 > $null
reg add "HKCUKeyboard LayoutPreload" /v "2" /d 00000804 /t REG_SZ /f 2>&1 > $null
reg add "HKLMSYSTEMKeyboard LayoutPreload" /v "1" /d 00000409 /t REG_SZ /f 2>&1 > $null
reg add "HKLMSYSTEMKeyboard LayoutPreload" /v "2" /d 00000804 /t REG_SZ /f 2>&1 > $null
reg add "HKEY_USERS.DEFAULTKeyboard LayoutPreload" /v "1" /d 00000409 /t REG_SZ /f 2>&1 > $null
reg add "HKEY_USERS.DEFAULTKeyboard LayoutPreload" /v "2" /d 00000804 /t REG_SZ /f 2>&1 > $null
reg add "HKLMSYSTEMCurrentControlSetControlKeyboard Layout" /v IgnoreRemoteKeyboardLayout /t REG_DWORD /d 1 /f 2>&1 > $null
reg add "HKLMSYSTEMCurrentControlSetControlKeyboard Layouts" /v IgnoreRemoteKeyboardLayout /t REG_DWORD /d 1 /f 2>&1 > $null
# Bring newly attached disks online automatically; the bare "" just prints a
# blank line.
"SAN Policy=OnlineAll" | diskpart
""
#reagentc /info
# --- Inject the VirtIO drivers into the WinRE image -------------------------------
mkdir C:boottmp -force
# Parses the "Windows RE location" line of `reagentc /info`. `.split("y")[1]`
# relies on "Recovery" being the last 'y' before the WinRE folder name, which is
# fragile — TODO confirm it yields the WinRE folder name on the target OS.
$RecoveryPath=((reagentc /info|findstr GLOBALROOT).split(":")[1].split("y")[1] 2>$null).remove(0,1)
$RecoveryPathRoot="C:"
# On 2012 R2 / 2016 the recovery files live on partition 1 when that partition
# is not C:; temporarily give it the letter O: so DISM can reach Winre.wim.
if((Get-ItemProperty "HKLM:SOFTWAREMicrosoftWindows NTCurrentVersion").ProductName -match "2012 R2|2016"){
if((Get-Partition -DiskNumber 0 -PartitionNumber 1).DriveLetter -ne "C"){
#Get-Partition -DiskNumber 0 -PartitionNumber 1 | Set-Partition -NewDriveLetter O 2>&1 > $null
$datapan = @"
sel disk 0
sel part 1
assign letter=O
"@
$datapan|diskpart
$RecoveryPathRoot="O:"
}
}
# Mount Winre.wim, add viostor/netkvm (/ForceUnsigned) and commit. Older OSes
# only have the /Wim verbs; newer ones use /Image. The commented /Discard lines
# are the manual way out if a commit fails and the mount is left behind.
if((Get-ItemProperty "HKLM:SOFTWAREMicrosoftWindows NTCurrentVersion").ProductName -match "2008 R2|Windows 7"){
Dism /Get-WimInfo /WimFile:"$RecoveryPathRootRecovery$RecoveryPathWinre.wim"
Dism /Mount-Wim /WimFile:"$RecoveryPathRootRecovery$RecoveryPathWinre.wim" /index:1 /MountDir:"C:boottmp"
Dism /Add-Driver /Image:"C:boottmp" /Driver:"C:driversamd64viostor.inf" /ForceUnsigned
Dism /Add-Driver /Image:"C:boottmp" /Driver:"C:driversamd64netkvm.inf" /ForceUnsigned
Dism /Image:"C:boottmp" /Get-Drivers
Dism /Unmount-Wim /MountDir:"C:boottmp" /Commit
#Dism /Unmount-Wim /MountDir:"C:boottmp" /Discard
}else{
Dism /Get-ImageInfo /ImageFile:"$RecoveryPathRootRecovery$RecoveryPathWinre.wim"
Dism /Mount-Image /ImageFile:"$RecoveryPathRootRecovery$RecoveryPathWinre.wim" /index:1 /MountDir:"C:boottmp"
Dism /Add-Driver /Image:"C:boottmp" /Driver:"C:driversamd64viostor.inf" /ForceUnsigned
Dism /Add-Driver /Image:"C:boottmp" /Driver:"C:driversamd64netkvm.inf" /ForceUnsigned
Dism /Image:"C:boottmp" /Get-Drivers
Dism /Unmount-Image /MountDir:"C:boottmp" /Commit
#Dism /Unmount-Image /MountDir:"C:boottmp" /Discard
}
# Release the temporary O: letter again.
if((Get-ItemProperty "HKLM:SOFTWAREMicrosoftWindows NTCurrentVersion").ProductName -match "2012 R2|2016"){
if((Get-Partition -DiskNumber 0 -PartitionNumber 1).DriveLetter -ne "C"){
#Remove-PartitionAccessPath -DiskNumber 0 -PartitionNumber 1 -Accesspath O:
$datapan = @"
sel disk 0
sel part 1
remove letter=O
"@
$datapan|diskpart
}
}
cmd.exe /c rd /S /Q C:boottmp 2>&1 > $null
# --- Generalise network / profile state -------------------------------------------
cmd.exe /c del /F /Q C:UsersAdministratorAppDataRoamingMicrosoftWindowsRecent* 2>$null
cd c:
# Forget known network profiles, the RTC-is-UTC flag and the "new network"
# prompt so each clone starts clean.
reg delete "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkListProfiles" /f 2>&1 > $null
reg delete "HKLMSYSTEMCurrentControlSetControlTimeZoneInformation" /v "RealTimeIsUniversal" /f 2>&1 > $null
reg add "HKLMSYSTEMCurrentControlSetControlNetworkNewNetworkWindowOff" /f 2>&1 > $null
$interfacename=Get-WmiObject Win32_NetworkAdapter -Filter 'NetEnabled=True' | Select -ExpandProperty NetConnectionID
# NOTE(review): Print Spooler is set to auto-start; a render node that never
# prints does not need it, and it is a recurring source of local-privilege
# issues — consider leaving it Manual/Disabled.
Set-Service -Name Spooler -StartupType Automatic
# Back to DHCP-supplied DNS on the active adapter.
netsh interface ipv4 set dns $interfacename dhcp 2>&1 > $null
ipconfig /flushdns
cmd.exe /c rd /S /Q c:drivers 2>&1 > $null
cmd.exe /c del /F /Q C:UsersAdministratorAppDataRoamingMicrosoftWindowsRecent* 2>$null
# --- KMS activation ----------------------------------------------------------------
# Point at the Tencent Cloud KMS host and activate now; the "kms" task re-runs
# the activation at every boot as SYSTEM.
cmd.exe /c "cscript /nologo %windir%/system32/slmgr.vbs -skms kms.tencentyun.com:1688"
cmd.exe /c "cscript /nologo %windir%/system32/slmgr.vbs -ato"
schtasks.exe /create /tn "kms" /ru SYSTEM /rl highest /sc ONSTART /tr "cmd.exe /c 'cscript /nologo %windir%/system32/slmgr.vbs -ato'" /f
#schtasks.exe /delete /tn "kms" /f
#(Get-Content "C:Progra~1Cloudb~1Cloudbase-Initconfcloudbase-init.conf") -replace "kms.tencentyun.com","kms.tencentyun.com" | Set-Content "C:Program FilesCloudbase SolutionsCloudbase-Initconfcloudbase-init.conf" -Verbos -force 2>&1 > $null
#(Get-Content "C:Progra~1Cloudb~1Cloudbase-Initconfcloudbase-init.conf") -replace "allow_reboot=true","allow_reboot=false" | Set-Content "C:Program FilesCloudbase SolutionsCloudbase-Initconfcloudbase-init.conf" -Verbos -force 2>&1 > $null
# NOTE(review): the first -replace swaps "kms.tencentyun.com" for the identical
# string, i.e. it is a no-op as written (presumably left over from a version
# that changed the KMS host). The second stops cloudbase-init from rebooting
# on its own.
(Get-Content "C:Program FilesCloudbase SolutionsCloudbase-Initconfcloudbase-init.conf") -replace "kms.tencentyun.com","kms.tencentyun.com" | Set-Content "C:Program FilesCloudbase SolutionsCloudbase-Initconfcloudbase-init.conf" -force 2>&1 > $null
(Get-Content "C:Program FilesCloudbase SolutionsCloudbase-Initconfcloudbase-init.conf") -replace "allow_reboot=true","allow_reboot=false" | Set-Content "C:Program FilesCloudbase SolutionsCloudbase-Initconfcloudbase-init.conf" -force 2>&1 > $null
#Get-Content "C:Program FilesCloudbase SolutionsCloudbase-Initconfcloudbase-init.conf"
wget.exe "http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/cloudbase-init-unattend.conf" -O "C:Program FilesCloudbase SolutionsCloudbase-Initconfcloudbase-init-unattend.conf"
# --- Stop Tencent Cloud agents and scrub logs before capture --------------------------
# Barad/Stargate (monitoring), YunJing (YDLive/YDService) and TAT are stopped,
# presumably so they do not write host-specific state into the image; their
# startup type is not changed, so they come back on the clones.
stop-service BaradAgentSvc 2>&1 > $null
stop-service StargateSvc 2>&1 > $null
stop-service YDLive 2>&1 > $null
stop-service YDService 2>&1 > $null
stop-service tatsvc 2>&1 > $null
# Creates an empty ipconfig_xen_vm.ini (write-host emits nothing into the file).
write-host > c:windowsipconfig_xen_vm.ini
del "C:Program FilesCloudbase SolutionsCloudbase-Initlog*" 2>&1 > $null
del "C:Program FilesQCloudLogs*" 2>&1 > $null
del "C:Program FilesQCloudMonitorBaradlogs*" 2>&1 > $null
del "C:Program FilesQCloudStargatelogs*" 2>&1 > $null
del "C:Program FilesQCloudYunJinglog*" 2>&1 > $null
del "C:WindowsSystem32SysprepPanther*.log" 2>&1 > $null
del "C:WindowsPanther*.log" 2>&1 > $null
del "C:WindowsPantherUnattendGC*.log" 2>&1 > $null
del "C:cvm_init.log" 2>&1 > $null
del "C:WindowsINFsetupapi.dev.log" 2>&1 > $null
del "C:WindowsINFsetupapi.setup.log" 2>&1 > $null
# Disable the maintenance-type scheduled tasks (defrag, disk cleanup, Defender
# scans, ...) that would otherwise wake up on every clone.
if((Get-ItemProperty "HKLM:SOFTWAREMicrosoftWindows NTCurrentVersion").ProductName -match "2008 R2|Windows 7"){
schtasks /change /tn "MicrosoftWindowsDefragScheduledDefrag" /disable 2>&1 > $null
}else{
Get-ScheduledTask -TaskPath "MicrosoftWindowsData Integrity Scan","MicrosoftWindowsApplicationData","MicrosoftWindowsDefrag","MicrosoftWindowsDiskCleanup","MicrosoftWindowsDiskDiagnostic","MicrosoftWindowsDiskFootprint","MicrosoftWindowsWindows Defender","MicrosoftWindowsMaintenance" 2>$null | Disable-ScheduledTask 2>$null
}
net user cloudbase-init /del 2>&1 > $null
# NOTE(review): clears every event log, Security included. That is normal image
# hygiene, but it also erases the only record of what ran on the build VM —
# export the logs first if the build process has to be auditable.
wevtutil el | Foreach-Object {wevtutil cl "$_" 2>$null}
wevtutil cl security 2>$null
wevtutil cl system 2>$null
cmd.exe /c del /F /Q C:UsersAdministratorAppDataRoamingMicrosoftWindowsRecent* 2>$null
clear-history
# Stop-Computer returns without waiting, so the self-delete below still gets to
# run before the OS halts — TODO confirm on the target OS. Capture the image
# once the VM is off.
stop-computer
Remove-Item $MyInvocation.MyCommand.Path -force 2>$null
exit
5、如果你镜像中提前已经安装过cloudbase-init,那么userdata里可以做一些业务逻辑的设置,比如更改路由、子网掩码、DNS,设置开机自动登录系统、开机自动运行某个程序等
例如:
<powershell>
# Run as administrator: re-launches itself elevated when the current process
# is not in the Administrators role.
# NOTE(review): `Unrestricted` at CurrentUser scope persists after this
# userdata has run; `-Scope Process` (or `-ExecutionPolicy Bypass` on the
# launching powershell.exe) would limit the relaxation to this one run.
Set-ExecutionPolicy -Scope CurrentUser Unrestricted -forc
if(-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){
# NOTE(review): as printed this line has no `+` between the three pieces and
# will not parse; the usual form is
# `"& '" + $myinvocation.mycommand.definition + "'"` — the operators were
# probably lost in page extraction, like the path backslashes below.
$arguments = "& '" $myinvocation.mycommand.definition "'"
Start-Process powershell -Verb runAs -ArgumentList $arguments
Break
}
# Configure automatic logon for Administrator by importing a .reg file.
# NOTE(review): DefaultPassword under Winlogon is stored in clear text in a key
# every local user can read, and userdata is typically readable from inside the
# instance via the metadata service as well. If auto-logon is required, store
# the password as an LSA secret (Sysinternals Autologon does this) instead of
# writing DefaultPassword.
#net user Administrator "<your password>"
echo "REGEDIT4" > c:temp.reg
echo "[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]" >> c:temp.reg
echo "`"AutoAdminLogon`"=`"1`"">> c:temp.reg
echo "`"DefaultUserName`"=`"Administrator`"" >> c:temp.reg
echo "`"DefaultPassword`"=`"你的密码`"" >> c:temp.reg
cmd /c "reg import c:temp.reg"
del "c:temp.reg" 2>&1 > $null
# Copy a shortcut to the program into the Startup folder, or create a launcher
# there that points at the target program; customise as needed. The two
# commented lines below are only an example — substitute the real file paths.
#write-host > "C:ProgramDataMicrosoftWindowsStart MenuProgramsStartUplaunch.vbs"
#"createobject(`"wscript.shell`").run `"C:Program FilesThinkboxdeadline10bindeadlineslave.exe`",0" | Out-File -Append "C:ProgramDataMicrosoftWindowsStart MenuProgramsStartUplaunch.vbs" -encoding ascii
# Reboot the machine.
restart-computer -force 2>$null
exit 2>$null
</powershell>
例如:
<powershell>
# Run as administrator: re-launches itself elevated when the current process
# is not in the Administrators role.
# NOTE(review): `Unrestricted` at CurrentUser scope persists after this
# userdata has run; `-Scope Process` would limit it to this one run.
Set-ExecutionPolicy -Scope CurrentUser Unrestricted -forc
if(-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){
# NOTE(review): as printed this line has no `+` between the three pieces and
# will not parse; the usual form is
# `"& '" + $myinvocation.mycommand.definition + "'"` — probably lost in page
# extraction.
$arguments = "& '" $myinvocation.mycommand.definition "'"
Start-Process powershell -Verb runAs -ArgumentList $arguments
Break
}
# Keep the adapter's current IPv4 address but apply a different subnet mask.
# NOTE(review): if more than one adapter is IP-enabled, $wmi (and $idx below)
# is a collection and .EnableStatic / `IF $idx` fail — this presumably assumes
# a single-NIC VM; confirm.
$wmi = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
#your own subnet_mask
$wmi.EnableStatic($wmi.IPAddress[0], "255.255.254.0")
#your own dns
$dnsServers = "172.20.0.4","172.20.0.40"
# NOTE(review): $adapter is never assigned in this snippet, so -InterfaceAlias
# receives $null; pass the adapter's name (e.g. from Get-NetAdapter) or use
# -InterfaceIndex with $idx below instead.
Set-DnsClientServerAddress -InterfaceAlias $adapter.Name -ServerAddresses $dnsServers
#add route
$gw="10.226.0.1" #your own gateway
$idx=(Get-WmiObject win32_networkadapterconfiguration -filter "ipenabled = 'true'").InterfaceIndex
# Replace the RFC 1918 and link-local routes, then the default route, with
# persistent (-p) routes through $gw on interface $idx.
route delete 10.0.0.0 mask 255.0.0.0 2>$null
route add -p 10.0.0.0 mask 255.0.0.0 $gw metric 1 IF $idx 2>$null
route delete 172.16.0.0 mask 255.240.0.0 2>$null
route add -p 172.16.0.0 mask 255.240.0.0 $gw metric 1 IF $idx 2>$null
route delete 192.168.0.0 mask 255.255.0.0 2>$null
route add -p 192.168.0.0 mask 255.255.0.0 $gw metric 1 IF $idx 2>$null
route delete 169.254.0.0/16 2>$null
route -p add 169.254.0.0/16 $gw metric 1 IF $idx 2>$null
route delete 0.0.0.0 mask 0.0.0.0 2>$null
route add -p 0.0.0.0 mask 0.0.0.0 $gw metric 1 IF $idx 2>$null;
# Show the resulting IPv4 routing table.
route print -4
# Reboot so the new addressing takes effect.
restart-computer -force 2>$null
exit 2>$null
</powershell>
二、如果是域相关业务需要sysprep镜像,参考这个文档:https://cloud.tencent.com/developer/article/2214667