better system stability waiting, added more blocking for windows defender and downloaded content, plus some additional qemu performance changes

lg · lg · commit 61b4f04b7b88 · 2023-08-06T14:37:05.000-07:00
diff --git a/README.md b/README.md
@@ -1,20 +1,34 @@
 # osrun
 
-A docker container to run a command in Windows 11 (via QEMU). On first run it will generate a Windows 11 ISO and run a VM to install it and create a system snapshot. On subsequent runs it will use the existing cached VM image.
+A docker container to run Windows commands and processes. On first run it will generate a Windows 11 ISO and run a VM to install it and create a system snapshot. On subsequent runs it will use the existing cached VM image.
 
 ## Usage
 
 ```bash
 docker run -it --rm --device=/dev/kvm -v $(pwd)/cache:/cache ghcr.io/lg/osrun 'dir c:\windows\system32'
 ```
 
+```text
+Usage: osrun [-v] [-h] <command>
+Short-lived containerized Windows instances
+
+  -h --help: Display this help
+  -v --verbose: Verbose mode
+
+Install
+  -k --keep: Keep the installation cached artifacts after successful provisioning
+
+Run
+  -p --pause: Do not close the VM after the command finishes
+```
+
 If you don't have kvm on your machine, you can skip the parameter, but things will be a lot slower. This mode is currently unreliable and may freeze during Windows 11 installation.
 
 ## Details
 
-This container uses [QEMU](https://www.qemu.org/) to run a Windows 11 VM. Windows 11 is built with the file list from [UUP dump](https://uupdump.net/) and files are downloaded directly from Microsoft's Windows Update servers. The UUP dump script generates a Windows ISO which we then inject [virtio drivers](https://docs.fedoraproject.org/en-US/quick-docs/creating-windows-virtual-machines-using-virtio-drivers/index.html) into along with an `autounattend.xml` script and a variety of Powershell scripts to automate the installation. To keep the VM small and fast we remove a lot of the default Windows components and services including Windows Defender, Windows Update, most default apps, and also disable things like paging, sleep and hibernation, plus the hard drive is compressed and trimmed to be <10GB. This image and VM state is then snapshotted and saved to a cache directory so that subsequent runs can use the cached VM state to startup quickly.
+This container uses [QEMU](https://www.qemu.org/) to run a Windows 11 VM. Windows 11 is built with the file list from [UUP dump](https://uupdump.net/) and files are downloaded directly from Microsoft's Windows Update servers. The UUP dump script generates a Windows ISO which we then inject an `autounattend.xml` script to start the installation automation. To keep the resultant VM small and fast we remove a lot of the default Windows components and services including Windows Defender, Windows Update, most default apps, and also disable things like paging, sleep and hibernation, plus the hard drive is compressed and trimmed to be <10GB. This image and VM state is then snapshotted and saved to a cache directory so that subsequent runs can use the cached VM state to startup quickly. On a reasonably fast machine the installation process takes about 20 minutes end-to-end and runs take about 3-4 seconds for simple commands like `dir`.
 
-Communication between the VM and the host is done via the QEMU Agent and a QEMU-started Samba server (available on the host in `/tmp/qemu-status` or in the container in `\\10.0.2.4\qemu`). During installation and execution, multiple debugging services are started (you'll need to forward these ports using Docker):
+Communication between the VM and the host is done via the QEMU Agent and a QEMU-started Samba server (available in the host container in `/tmp/qemu-status` or in the VM in `\\10.0.2.4\qemu`). During installation and execution, multiple debugging services are started (you'll need to forward these ports using Docker if you want to use them):
 - a QEMU-run VNC server is available on port `5950` (not compatible with Apple Screen Sharing),
 - the QEMU Monitor is available on port `55556` (supported commands are [here](https://qemu-project.gitlab.io/qemu/system/monitor.html)), and
 - the QEMU Agent is available on port `44444` (protocol is [here](https://qemu.readthedocs.io/en/latest/interop/qemu-ga-ref.html)).
diff --git a/run.sh b/run.sh
@@ -6,7 +6,7 @@ set -o errexit -o noclobber -o nounset -o pipefail
 usage() {
   echo -e \
     "Usage: osrun [-v] [-h] <command>\n" \
-    "Installs Windows 11 and runs commands in a VM.\n" \
+    "Short-lived containerized Windows instances\n" \
     "\n" \
     "  -h --help: Display this help\n" \
     "  -v --verbose: Verbose mode\n" \
@@ -47,7 +47,7 @@ touch /tmp/qemu-status/status.txt
 tail -f /tmp/qemu-status/status.txt &
 
 start_qemu() {
-  KVM_PARAM=",accel=kvm"; CPU_PARAM="-cpu host"
+  KVM_PARAM=",accel=kvm"; CPU_PARAM="-cpu host,hv_stimer,hv_time,hv_synic,hv_vpindex"
   if [ ! -e /dev/kvm ]; then
     echo -e "\033[33;49mKVM acceleration not found. Ensure you're using --device=/dev/kvm with docker. Virtualization will be very slow.\033[0m" > /dev/stderr
     KVM_PARAM=""; CPU_PARAM="-accel tcg"
@@ -140,7 +140,7 @@ if [ ! -e /cache/win11.qcow2 ]; then
     if [ ! -e "$STEP_ARTIFACT" ]; then
       rm -f /cache/win11-step$STEP-*.qcow2          # remove any previous artifacts for this step
       if [ "$STEP" = "0" ]; then
-        qemu-img create -f qcow2 -o compression_type=zstd -q "$STEP_ARTIFACT" 15G
+        qemu-img create -f qcow2 -o compression_type=zstd,extended_l2=on,cluster_size=128k -q "$STEP_ARTIFACT" 15G
       else
         cp "$PREV_STEP_ARTIFACT" "$STEP_ARTIFACT"
       fi
diff --git a/win11-init/boot-0.ps1 b/win11-init/boot-0.ps1
@@ -52,7 +52,8 @@ $executables = @(
   "c:\windows\system32\smartscreen.exe",
   "c:\windows\system32\sppsvc.exe",
   "c:\windows\system32\ctfmon.exe",
-  "c:\windows\system32\Sgrm\SgrmBroker.exe"
+  "c:\windows\system32\Sgrm\SgrmBroker.exe",
+  "c:\Program Files\Windows Defender\MpCmdRun.exe"
 )
 foreach ($executable in $executables) {
   $acl = Get-Acl $executable ; $acl.SetAccessRuleProtection($true, $true) ; Set-Acl $executable $acl
@@ -224,7 +225,18 @@ Set-RegItem -PathWithName "HKU:\DefaultHive\Software\Microsoft\Windows\CurrentVe
 Set-RegItem -PathWithName "HKU:\DefaultHive\Software\Microsoft\Windows\CurrentVersion\AppHost\PreventOverride" -Value 0
 
 Write-Output "Disabling Content Delivery Manager"
-Set-RegItem -PathWithName "HKU:\DefaultHive\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SilentInstalledAppsEnabled" -Value 0
+$ContentDeliveryKeys = @("ContentDeliveryAllowed", "FeatureManagementEnabled", "OemPreInstalledAppsEnabled",
+"PreInstalledAppsEnabled", "PreInstalledAppsEverEnabled", "SilentInstalledAppsEnabled", "SoftLandingEnabled",
+"SubscribedContentEnabled", "SystemPaneSuggestionsEnabled", "SubscribedContent-310093Enabled",
+"SubscribedContent-338388Enabled", "SubscribedContent-338389Enabled", "SubscribedContent-338393Enabled",
+"SubscribedContent-353694Enabled", "SubscribedContent-353696Enabled", "SubscribedContentEnabled")
+foreach ($key in $ContentDeliveryKeys) {
+  Set-RegItem -PathWithName "HKU:\DefaultHive\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\$key" -Value 0
+}
+Set-RegItem -PathWithName "HKLM:\Software\Policies\Microsoft\PushToInstall\DisablePushToInstall" -Value 1
+Set-RegItem -PathWithName "HKLM:\Software\Policies\Microsoft\MRT\DontOfferThroughWUAU" -Value 1
+Remove-Item "HKU:\DefaultHive\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions" -Force -ErrorAction SilentlyContinue
+Remove-Item "HKU:\DefaultHive\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps" -Force -ErrorAction SilentlyContinue
 
 Write-Output "Enabling Explorer performance settings"
 Set-RegItem -PathWithName "HKLM:\SYSTEM\CurrentControlSet\Control\PriorityControl\Win32PrioritySeparation" -Value 38
diff --git a/win11-init/boot-1.ps1 b/win11-init/boot-1.ps1
@@ -6,22 +6,7 @@ $ErrorActionPreference = "Inquire"
 
 Write-Output "Installing QEMU agent (virtio already installed)"
 & "C:\virtio-win-guest-tools.exe" /install /quiet | Out-Null
-
-Write-Output "Waiting for all packages to be installed"
-Do {
-  Sleep 10
-  $stagedPackages = Get-AppxPackage -AllUsers | Where-Object { $_.PackageUserInformation.InstallState -ne 'Installed' }
-  Write-Output "[$(Get-Date)] Currently installing packages: $($stagedPackages.PackageFullName -join ', ')"
-} While ($stagedPackages)
-
-Write-Output "Waiting for all scheduled tasks to finish"
-Do {
-  Sleep 10
-  $runningTasks = Get-ScheduledTask | Where-Object State -NE "Disabled" | Where-Object State -NE "Ready"
-  Write-Output "[$(Get-Date)] Currently running tasks: $($runningTasks.TaskName -join ', ')"
-} While ($runningTasks)
-
-#####
+Remove-Item -Path "C:\virtio-win-guest-tools.exe" -Force | Out-Null
 
 Write-Output "Disabling all scheduled tasks with a scheduled time or idle trigger"
 Get-ScheduledTask | Where-Object State -NE "Disabled" |
@@ -33,11 +18,12 @@ Get-ScheduledTask | Where-Object State -NE "Disabled" |
   ForEach-Object { Disable-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -ErrorAction SilentlyContinue } |
   Out-Null
 
-
-#####
-
-
-
+Write-Output "Waiting for installation processes to end"
+$BadProcesses = @("msiexec", "TiWorker", "backgroundTaskHost", "TrustedInstaller")
+While ($StillRunning = ($BadProcesses | ForEach-Object { Get-Process -Name $_ -ErrorAction SilentlyContinue }).Name) {
+  Write-Output "Still running: $($StillRunning -join ', ')"
+  Sleep 30
+}
 
 #####
 
@@ -52,12 +38,19 @@ Remove-Item -Path "C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCa
 Write-Output "Removing unused windows components"
 & Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase | Out-Null
 
-Write-Output "Defragmenting and trimming"
-Optimize-Volume -DriveLetter C -Defrag -ReTrim -SlabConsolidate | Out-Null
-
 Write-Output "Compressing drive"
 & compact.exe /compactos:always *>&1 | Out-Null
 
+Write-Output "Defragmenting and trimming"
+Optimize-Volume -DriveLetter C -Defrag
+Optimize-Volume -DriveLetter C -ReTrim
+
+Write-Output "Final wait for installation processes to end"
+While ($StillRunning = ($BadProcesses | ForEach-Object { Get-Process -Name $_ -ErrorAction SilentlyContinue }).Name) {
+  Write-Output "Still running: $($StillRunning -join ', ')"
+  Sleep 30
+}
+
 Write-Output "Successfully provisioned image."
 
 #####
