Skip to content

Commit

Permalink
update planner, bump wins
Browse files Browse the repository at this point in the history
  • Loading branch information
HarrisonWAffel committed Oct 2, 2024
1 parent da8f83b commit 9e7d8aa
Show file tree
Hide file tree
Showing 6 changed files with 177 additions and 4 deletions.
2 changes: 1 addition & 1 deletion package/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,7 @@ ENV DOCKER_MACHINE_HARVESTER_VERSION v0.6.9
ENV CATTLE_KDM_BRANCH ${CATTLE_KDM_BRANCH}
ENV HELM_VERSION v3.15.2
ENV KUSTOMIZE_VERSION v5.4.2
ENV CATTLE_WINS_AGENT_VERSION v0.4.18
ENV CATTLE_WINS_AGENT_VERSION v0.4.19-rc.1
ENV CATTLE_WINS_AGENT_INSTALL_SCRIPT https://raw.githubusercontent.com/rancher/wins/${CATTLE_WINS_AGENT_VERSION}/install.ps1
ENV CATTLE_WINS_AGENT_UNINSTALL_SCRIPT https://raw.githubusercontent.com/rancher/wins/${CATTLE_WINS_AGENT_VERSION}/uninstall.ps1
ENV CATTLE_WINS_AGENT_UPGRADE_IMAGE rancher/wins:${CATTLE_WINS_AGENT_VERSION}
Expand Down
2 changes: 1 addition & 1 deletion package/windows/Dockerfile.agent
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ RUN go build -tags "${TAGS}" -ldflags "${LDFLAGS}" -o agent.exe ./cmd/agent
FROM mcr.microsoft.com/windows/servercore:${SERVERCORE_VERSION} AS builder
SHELL ["powershell", "-NoLogo", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
# download wins
RUN $URL = 'https://github.com/rancher/wins/releases/download/v0.4.18/wins.exe'; \
RUN $URL = 'https://github.com/rancher/wins/releases/download/v0.4.19-rc.1/wins.exe'; \
\
Write-Host ('Downloading Wins from {0} ...' -f $URL); \
curl.exe -sfL $URL -o c:\wins.exe; \
Expand Down
10 changes: 10 additions & 0 deletions pkg/capr/planner/planner.go
Original file line number Diff line number Diff line change
Expand Up @@ -1089,6 +1089,16 @@ func (p *Planner) desiredPlan(controlPlane *rkev1.RKEControlPlane, tokensSecret
}
}

if windows(entry) {
// We need to wait for the controlPlane to be ready before sending this plan
// to ensure that the initial installation has fully completed and all files have been
// written to disk. If all required files already have the proper ACLs, this plan will noop.
if controlPlane.Status.Ready {
nodePlan.Files = append(nodePlan.Files, setPermissionsWindowsScriptFile)
nodePlan.Instructions = append(nodePlan.Instructions, setPermissionsWindowsScriptInstruction)
}
}

if isEtcd(entry) {
nodePlan, err = p.addEtcdSnapshotListLocalPeriodicInstruction(nodePlan, controlPlane)
if err != nil {
Expand Down
163 changes: 163 additions & 0 deletions pkg/capr/planner/windows.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,163 @@
package planner

import (
"encoding/base64"
"fmt"

"github.com/rancher/rancher/pkg/apis/rke.cattle.io/v1/plan"
)

const (
setPermissionsWindowsScriptPath = "%s/windows/set-permissions.ps1"

setPermissionsWindowsScript = `
function Set-RestrictedPermissions {
[CmdletBinding()]
param (
[Parameter(Mandatory=$true)]
[string]
$Path,
[Parameter(Mandatory=$true)]
[Boolean]
$Directory
)
$Owner = "BUILTIN\Administrators"
$Group = "NT AUTHORITY\SYSTEM"
$acl = Get-Acl $Path
foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
$acl.RemoveAccessRule($rule) | Out-Null
}
$acl.SetAccessRuleProtection($true, $false)
$acl.SetOwner((New-Object System.Security.Principal.NTAccount($Owner)))
$acl.SetGroup((New-Object System.Security.Principal.NTAccount($Group)))
Set-FileSystemAccessRule -Directory $Directory -acl $acl
$FullPath = Resolve-Path $Path
Write-Host "Setting restricted ACL on $FullPath"
Set-Acl -Path $Path -AclObject $acl
}
function Set-FileSystemAccessRule() {
[CmdletBinding()]
param (
[Parameter(Mandatory=$true)]
[Boolean]
$Directory,
[Parameter(Mandatory=$false)]
[System.Security.AccessControl.ObjectSecurity]
$acl
)
$users = @(
$acl.Owner,
$acl.Group
)
# Note that the function signature for files and directories
# intentionally differ.
if ($Directory -eq $true) {
foreach ($user in $users) {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
$user,
[System.Security.AccessControl.FileSystemRights]::FullControl,
[System.Security.AccessControl.InheritanceFlags]'ObjectInherit,ContainerInherit',
[System.Security.AccessControl.PropagationFlags]::None,
[System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
}
} else {
foreach ($user in $users) {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
$user,
[System.Security.AccessControl.FileSystemRights]::FullControl,
[System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
}
}
}
function Confirm-ACL {
[CmdletBinding()]
param (
[Parameter(Mandatory=$true)]
[String]
$Path
)
foreach ($a in (Get-Acl $path).Access) {
$ref = $a.IdentityReference
if (($ref -ne "BUILTIN\Administrators") -and ($ref -ne "NT AUTHORITY\SYSTEM")) {
return $false
}
}
return $true
}
$RKE2_DATA_DIR="%s"
$SYSTEM_AGENT_DIR="%s"
$RANCHER_PROVISIONING_DIR="%s"
$restrictedPaths = @(
[PSCustomObject]@{
Path = "c:\etc\rancher\wins\config"
Directory = $false
}
[PSCustomObject]@{
Path = "c:\etc\rancher\node\password"
Directory = $false
}
[PSCustomObject]@{
Path = "$SYSTEM_AGENT_DIR\rancher2_connection_info.json"
Directory = $false
}
[PSCustomObject]@{
Path = "c:\etc\rancher\rke2\config.yaml.d\50-rancher.yaml"
Directory = $false
}
[PSCustomObject]@{
Path = "c:\usr\local\bin\rke2.exe"
Directory = $false
}
[PSCustomObject]@{
Path = "$RANCHER_PROVISIONING_DIR"
Directory = $true
}
[PSCustomObject]@{
Path = "$SYSTEM_AGENT_DIR"
Directory = $true
}
[PSCustomObject]@{
Path = "$RKE2_DATA_DIR"
Directory = $true
}
)
foreach ($path in $restrictedPaths) {
if (-Not (Confirm-ACL -Path $path.Path)) {
Set-RestrictedPermissions -Path $path.Path -Directory $path.Directory
}
}
`
)

var (
setPermissionsWindowsScriptFile = plan.File{
Content: base64.StdEncoding.EncodeToString([]byte(
fmt.Sprintf(setPermissionsWindowsScript,
"c:\\var\\lib\\rancher\\rke2", // RKE2 data dir
"c:\\var\\lib\\rancher\\agent", // System agent dir
"c:\\var\\lib\\rancher\\capr"))), // Provisioning dir

Path: fmt.Sprintf(setPermissionsWindowsScriptPath,
"c:\\var\\lib\\rancher\\capr"), // provisioning dir
Dynamic: true,
Minor: true,
}
setPermissionsWindowsScriptInstruction = plan.OneTimeInstruction{
Name: "Set permissions for RKE2 installation files on Windows",
Command: "powershell.exe",
Args: []string{"-File", fmt.Sprintf(setPermissionsWindowsScriptPath,
"c:\\var\\lib\\rancher\\capr")},
}
)
2 changes: 1 addition & 1 deletion pkg/settings/setting.go
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ var (
CSIProxyAgentVersion = NewSetting("csi-proxy-agent-version", "")
CSIProxyAgentURL = NewSetting("csi-proxy-agent-url", "https://acs-mirror.azureedge.net/csi-proxy/%[1]s/binaries/csi-proxy-%[1]s.tar.gz")
SystemAgentInstallScript = NewSetting("system-agent-install-script", "https://github.com/rancher/system-agent/releases/download/v0.3.9/install.sh") // To ensure consistency between SystemAgentInstallScript default value and CATTLE_SYSTEM_AGENT_INSTALL_SCRIPT to utilize the local system-agent-install.sh script when both values are equal.
WinsAgentInstallScript = NewSetting("wins-agent-install-script", "https://raw.githubusercontent.com/rancher/wins/v0.4.18/install.ps1")
WinsAgentInstallScript = NewSetting("wins-agent-install-script", "https://raw.githubusercontent.com/rancher/wins/v0.4.19-rc.1/install.ps1")
SystemAgentInstallerImage = NewSetting("system-agent-installer-image", "") // Defined via environment variable
SystemAgentUpgradeImage = NewSetting("system-agent-upgrade-image", "") // Defined via environment variable
WinsAgentUpgradeImage = NewSetting("wins-agent-upgrade-image", "")
Expand Down
2 changes: 1 addition & 1 deletion tests/v2/codecoverage/package/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ ENV DOCKER_MACHINE_HARVESTER_VERSION v0.6.5
ENV CATTLE_KDM_BRANCH ${CATTLE_KDM_BRANCH}
ENV HELM_VERSION v3.15.2
ENV KUSTOMIZE_VERSION v5.4.2
ENV CATTLE_WINS_AGENT_VERSION v0.4.18
ENV CATTLE_WINS_AGENT_VERSION v0.4.19-rc.1
ENV CATTLE_WINS_AGENT_INSTALL_SCRIPT https://raw.githubusercontent.com/rancher/wins/${CATTLE_WINS_AGENT_VERSION}/install.ps1
ENV CATTLE_WINS_AGENT_UNINSTALL_SCRIPT https://raw.githubusercontent.com/rancher/wins/${CATTLE_WINS_AGENT_VERSION}/uninstall.ps1
ENV CATTLE_WINS_AGENT_UPGRADE_IMAGE rancher/wins:${CATTLE_WINS_AGENT_VERSION}
Expand Down

0 comments on commit 9e7d8aa

Please sign in to comment.