Using Scripts to Batch Update the One-Click Password Reset Plug-ins for Windows ECSs

Scenarios

The offline password reset depends on the one-click password reset plug-in. If the one-click password reset plug-in is updated for security purposes, you can update the plug-in for an individual ECS by referring to this section.

This section describes how to use a script to batch update the one-click password reset plug-ins for multiple Windows ECSs.

Prerequisites

• An executor ECS meeting the requirements in Constraints is available.
• You have obtained the IP addresses of the ECSs where plug-ins are to be batch installed, and the password of user Administrator.
• The executor ECS and the ECSs whose password reset plug-ins are to be updated must be in the same VPC.
• The EIP can be unbound only after you perform step 7.

Constraints

The executor ECS must use the public image CentOS 8.2, has an EIP bound, and can communicate with the ECSs where the plug-ins are to be batch installed.

If the internal yum repository has been configured, the executor ECS does not require an EIP.

Procedure

1. Log in to the executor ECS as user root.
2. Install the required dependencies.
   1. Install epel.

      yum install epel-release -y

   2. Install ansible.

      yum install ansible -y --skip-broken

      Run ansible --version to check whether Ansible is successfully installed.

      

      If Ansible cannot be installed due to yum repository configuration issues, run the following commands to install Ansible:

      yum install python3 python3-pip

      pip3 install --upgrade pip

      pip3 install ansible

   3. Install pip.

      python3.6 -m pip install bcrypt==3.2.0 paramiko==3.3.1 cryptography==3.3.0 pywinrm PyYAML Jinja2 httplib2 six

      If an error shown in Figure 1 is displayed, perform the following operations:

      1. Install the dependency.

         dnf install python3-devel

      2. Run the following command again:

         python3.6 -m pip install bcrypt==3.2.0 paramiko==3.3.1 cryptography==3.3.0 pywinrm PyYAML Jinja2 httplib2 six

      Figure 1 Error message
      
3. Download the one-click password reset plug-in CloudResetPwdAgent.zip for Windows ECSs in the corresponding region by referring to Table 1 and verify the plug-in integrity.

   For example, to download the plug-in for Windows ECSs in the CN North-Beijing4 region, run the following command:

   wget https://cn-north-4-cloud-reset-pwd.obs.cn-north-4.myhuaweicloud.com/windows/reset_pwd_agent/CloudResetPwdAgent.zip

   wget https://cn-north-4-cloud-reset-pwd.obs.cn-north-4.myhuaweicloud.com/windows/reset_pwd_agent/CloudResetPwdAgent.zip.sha256

   For details about how to verify the plug-in integrity, see 4 in Obtaining the One-Click Password Reset Plug-in and Verifying Its Integrity (Linux).

   The password reset plug-in can be stored in any directory.

4. Download the Windows installation package of the corresponding version and OS architecture to the root directory.
   Note: Run the pwd command to check whether the current directory is root. If not, switch to the root directory.

   • 32-bit OS, x86 architecture

     wget https://www.7-zip.org/a/7z2107.exe '--no-check-certificate'

   • 64-bit OS, x86 architecture

     wget https://www.7-zip.org/a/7z2107-x64.exe '--no-check-certificate'

   • 64-bit OS, Kunpeng architecture

     wget https://www.7-zip.org/a/7z2107-x64.exe '--no-check-certificate'

5. Download the batch execution script to the root directory.

   curl URL > ~/batch_update_log4j_version_for_windows.py

   URL is the address for downloading the batch execution script.

   Select an address for downloading the script based on the region where the ECSs are located.

   • CN North-Beijing1: https://cn-north-1-cloud-reset-pwd.obs.cn-north-1.myhuaweicloud.com/windows/batch_update_resetpwd/batch_update_log4j_version_for_windows.py
   • CN North-Beijing4: https://cn-north-4-cloud-reset-pwd.obs.cn-north-4.myhuaweicloud.com/windows/batch_update_resetpwd/batch_update_log4j_version_for_windows.py
   • CN East-Shanghai2: https://cn-east-2-cloud-reset-pwd.obs.cn-east-2.myhuaweicloud.com/windows/batch_update_resetpwd/batch_update_log4j_version_for_windows.py
   • CN South-Guangzhou: https://cn-south-1-cloud-reset-pwd.obs.cn-south-1.myhuaweicloud.com/windows/batch_update_resetpwd/batch_update_log4j_version_for_windows.py
   • CN-Hong Kong: https://ap-southeast-1-cloud-reset-pwd.obs.ap-southeast-1.myhuaweicloud.com/windows/batch_update_resetpwd/batch_update_log4j_version_for_windows.py
   • AP-Bangkok: https://ap-southeast-2-cloud-reset-pwd.obs.ap-southeast-2.myhuaweicloud.com/windows/batch_update_resetpwd/batch_update_log4j_version_for_windows.py
6. Download the plug-in update script to the root directory.

   curl URL > ~/update_log4j_version_for_resetpwdagent_windows.bat

   URL is the address for downloading the plug-in update script.

   Select an address for downloading the script based on the region where the ECSs are located.

   • CN North-Beijing1: https://cn-north-1-cloud-reset-pwd.obs.cn-north-1.myhuaweicloud.com/windows/batch_update_resetpwd/update_log4j_version_for_resetpwdagent_windows.bat
   • CN North-Beijing4: https://cn-north-4-cloud-reset-pwd.obs.cn-north-4.myhuaweicloud.com/windows/batch_update_resetpwd/update_log4j_version_for_resetpwdagent_windows.bat
   • CN East-Shanghai2: https://cn-east-2-cloud-reset-pwd.obs.cn-east-2.myhuaweicloud.com/windows/batch_update_resetpwd/update_log4j_version_for_resetpwdagent_windows.bat
   • CN South-Guangzhou: https://cn-south-1-cloud-reset-pwd.obs.cn-south-1.myhuaweicloud.com/windows/batch_update_resetpwd/update_log4j_version_for_resetpwdagent_windows.bat
   • CN-Hong Kong: https://ap-southeast-1-cloud-reset-pwd.obs.ap-southeast-1.myhuaweicloud.com/windows/batch_update_resetpwd/update_log4j_version_for_resetpwdagent_windows.bat
   • AP-Bangkok: https://ap-southeast-2-cloud-reset-pwd.obs.ap-southeast-2.myhuaweicloud.com/windows/batch_update_resetpwd/update_log4j_version_for_resetpwdagent_windows.bat
7. Check whether the following files are in the root directory:
   • batch_update_log4j_version_for_windows.py
   • update_log4j_version_for_resetpwdagent_windows.bat
   • CloudResetPwdAgent.zip
   • 7z*.exe
8. Create host_list.txt and press i to enter editing mode.

   vi host_list.txt

   Enter the information of the target ECSs in the host_list.txt file.

   In each line, enter the IP address and the password of the Administrator user and separate them with a comma (,).

   For example:

   192.168.1.10,'**********'
   192.168.1.11,'**********'

9. Add the Ansible configuration file.

   mkdir -p /etc/ansible

   touch /etc/ansible/ansible.cfg

10. Execute the batch execution script batch_update_log4j_version_for_windows.py.
    python3.6 batch_update_log4j_version_for_windows.py

    Figure 2 Executing the script
    
11. View the execution result log in the last line of /root/logs/exec_origin.log.

    vim /root/logs/exec_origin.log

    If the following information is displayed, the execution is successful.

    Figure 3 Successful script execution
    

Follow-up Procedure

• After the one-click password reset plug-in is updated, you can add it to the startup items if it cannot automatically start upon ECS startup. For details, see What Do I Do If the One-Click Password Resetting Plug-In Failed to Start?
• After the one-click password reset plug-in is updated, do not delete the CloudResetPwdAgent process. Otherwise, one-click password reset will not be available.
• If you have updated the one-click password reset plug-in, newly created ECSs work in PIPE mode by default to prevent the plug-in from using service ports. Existing ECSs still work in AUTO mode, in which the plug-in selects an idle port with the smallest port number from 31000 to 32999.