From 7f52deab66689f912da6d04de105c457d8ba671e Mon Sep 17 00:00:00 2001
From: Billy O'Neal
Date: Sun, 14 May 2023 01:54:42 -0700
Subject: [PATCH] Update VMs for Patch Tuesday May 2023 (#31358)

* Update PowerShell Core to not vulnerable versions.
* Fix Android create-image relative paths.
* Update pools and add docs.
* Get android create-vmss to setup managed identity.
---
 .../azure-pipelines/android/create-image.ps1 | 2 +-
 .../azure-pipelines/android/create-vmss.ps1 | 2 +-
 .../android/setup-managed-identity.ps1 | 17 ---------------
 scripts/azure-pipelines/azure-pipelines.yml | 6 +++---
 scripts/azure-pipelines/linux/create-vmss.ps1 | 20 +++++++++++++++---
 .../patch-tuesday-checklist.md | 21 +++++++++++++++++++
 .../azure-pipelines/windows/deploy-pwsh.ps1 | 2 +-
 scripts/vcpkgTools.xml | 8 +++----
 8 files changed, 48 insertions(+), 30 deletions(-)
 delete mode 100644 scripts/azure-pipelines/android/setup-managed-identity.ps1
 create mode 100644 scripts/azure-pipelines/patch-tuesday-checklist.md

diff --git a/scripts/azure-pipelines/android/create-image.ps1 b/scripts/azure-pipelines/android/create-image.ps1
index ca767fd25e..08b264c635 100644
--- a/scripts/azure-pipelines/android/create-image.ps1
+++ b/scripts/azure-pipelines/android/create-image.ps1
@@ -1 +1 @@
-../linux/create-image.ps1 -Prefix "And-" -ProvisionScript (Get-ChildItem .\provision-image.sh).fullname
\ No newline at end of file
+& "$PSScriptRoot/../linux/create-image.ps1" -Prefix "And-" -ProvisionScript "$PSScriptRoot/provision-image.sh"
\ No newline at end of file
diff --git a/scripts/azure-pipelines/android/create-vmss.ps1 b/scripts/azure-pipelines/android/create-vmss.ps1
index c589db19b9..d5ca2654f3 100644
--- a/scripts/azure-pipelines/android/create-vmss.ps1
+++ b/scripts/azure-pipelines/android/create-vmss.ps1
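Review bot: The new -ProvisionScript argument is a bare string, so the implicit existence check that `(Get-ChildItem .\provision-image.sh).fullname` used to give (it errored when the file was missing) is gone; if linux/create-image.ps1 does not validate the path itself, a mistyped or missing provisioning script would only surface much later, or not at all, in the baked image. Consider `-ProvisionScript (Resolve-Path "$PSScriptRoot/provision-image.sh").Path`, which keeps the $PSScriptRoot-relative fix from this commit and still throws on a missing file. Whether the callee validates the parameter is not visible in this hunk.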
@@ -3,4 +3,4 @@ Param(
 [parameter(Mandatory=$true)]
 [string]$ImageName
 )
-../linux/create-vmss.ps1 -ImageName $ImageName -Prefix "PrAnd-"
\ No newline at end of file
+& "$PSScriptRoot/../linux/create-vmss.ps1" -ImageName $ImageName -Prefix "PrAnd-" -AddAndroidContainerRegistryPermissions
diff --git a/scripts/azure-pipelines/android/setup-managed-identity.ps1 b/scripts/azure-pipelines/android/setup-managed-identity.ps1
deleted file mode 100644
index 79c5ae3b49..0000000000
--- a/scripts/azure-pipelines/android/setup-managed-identity.ps1
+++ /dev/null
@@ -1,17 +0,0 @@
-# Create a system managed identity
-# Adding to existing Scale set
-$scaleSetResourceGroup = "PrAnd-2023-04-17"
-$scaleSetName = "PrAnd-2023-04-17Vmss"
-
-$vm = Get-AzVMss -ResourceGroupName $scaleSetResourceGroup -Name $scaleSetName
-Update-AzVMss -ResourceGroupName $scaleSetResourceGroup -VMScaleSetName $scaleSetName -IdentityType SystemAssigned
-
-$spID = $vm.Identity.PrincipalId
-
-$acrGroup = "And-Registry"
-$acrName = "AndContainerRegistry"
-
-$resourceID = (Get-AzContainerRegistry -ResourceGroupName $acrGroup -Name $acrName).Id
-
-# needs admin privileges
-New-AzRoleAssignment -ObjectId $spID -Scope $resourceID -RoleDefinitionName AcrPull
\ No newline at end of file
diff --git a/scripts/azure-pipelines/azure-pipelines.yml b/scripts/azure-pipelines/azure-pipelines.yml
index e5ba113f93..7ebeb3c9ed 100644
--- a/scripts/azure-pipelines/azure-pipelines.yml
+++ b/scripts/azure-pipelines/azure-pipelines.yml
@@ -2,10 +2,10 @@
 # SPDX-License-Identifier: MIT
 #
 variables:
- windows-pool: 'PrWin-2023-04-12'
- linux-pool: 'PrLin-2023-04-12'
+ android-pool: 'PrAnd-2023-05-09'
+ linux-pool: 'PrLin-2023-05-09'
+ windows-pool: 'PrWin-2023-05-09'
 osx-pool: 'PrOsx-2022-02-04'
- android-pool: 'PrAnd-2023-04-17'
 linux-docker-image: 'andcontainerregistry.azurecr.io/vcpkg-android:2023-04-20'
 
 parameters:
diff --git a/scripts/azure-pipelines/linux/create-vmss.ps1 b/scripts/azure-pipelines/linux/create-vmss.ps1
index 0c1a5fe654..a4217fe811 100755
--- a/scripts/azure-pipelines/linux/create-vmss.ps1
+++ b/scripts/azure-pipelines/linux/create-vmss.ps1
@@ -27,7 +27,8 @@ Param(
 [parameter(Mandatory=$true)]
 [string]$ImageName,
 [parameter(Mandatory=$false)]
- [string]$Prefix = "PrLin-"
+ [string]$Prefix = "PrLin-",
+ [switch]$AddAndroidContainerRegistryPermissions
 )
 
 $Location = 'eastasia'
@@ -65,7 +66,8 @@ $Vmss = New-AzVmssConfig `
 -UpgradePolicyMode Manual `
 -EvictionPolicy Delete `
 -Priority Spot `
- -MaxPrice -1
+ -MaxPrice -1 `
+ -IdentityType SystemAssigned
 
 $NicName = $ResourceGroupName + 'NIC'
 New-AzNetworkInterface `
@@ -103,11 +105,23 @@ $Vmss = Set-AzVmssBootDiagnostic `
 -VirtualMachineScaleSet $Vmss `
 -Enabled $true
 
-New-AzVmss `
+$VmssCreated = New-AzVmss `
 -ResourceGroupName $ResourceGroupName `
 -Name $VmssName `
 -VirtualMachineScaleSet $Vmss
 
+if ($AddAndroidContainerRegistryPermissions) {
+ $spID = $VmssCreated.Identity.PrincipalId
+
+ $acrGroup = "And-Registry"
+ $acrName = "AndContainerRegistry"
+
+ $resourceID = (Get-AzContainerRegistry -ResourceGroupName $acrGroup -Name $acrName).Id
+
+ # needs admin privileges
+ New-AzRoleAssignment -ObjectId $spID -Scope $resourceID -RoleDefinitionName AcrPull
+}
+
 Write-Host "Location: $Location"
 Write-Host "Resource group name: $ResourceGroupName"
 Write-Host 'Finished!'
diff --git a/scripts/azure-pipelines/patch-tuesday-checklist.md b/scripts/azure-pipelines/patch-tuesday-checklist.md
new file mode 100644
index 0000000000..9b1adcbadf
--- /dev/null
+++ b/scripts/azure-pipelines/patch-tuesday-checklist.md
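Review bot: `-IdentityType SystemAssigned` is added to the New-AzVmssConfig call unconditionally, so every scale set this script builds (the Linux pools as well as the Android one) now carries a managed identity, while only the -AddAndroidContainerRegistryPermissions path needs one. Any process on those instances can obtain tokens for that identity from the instance metadata endpoint with no further authentication, and if these pools run untrusted pull-request builds, as the `Pr` prefixes suggest, that includes contributor code; today the principal has no role assignments outside the registry case, but the exposure is in place for any role someone grants it later. Gate the identity on the same switch, e.g. `$identityArgs = if ($AddAndroidContainerRegistryPermissions) { @{ IdentityType = 'SystemAssigned' } } else { @{} }` before the call and `@identityArgs` as its final argument, and leave a comment next to it that the identity is reachable by anything running on the agents so nothing beyond AcrPull must ever be assigned to it. The `$Vmss = New-AzVmssConfig` statement begins before this hunk.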
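Review bot: The new role assignment runs with no error check: if `$VmssCreated.Identity.PrincipalId` comes back empty, or New-AzRoleAssignment fails (which is common for a principal created seconds earlier, before the directory has replicated it), the error is printed and the script still reaches `Write-Host 'Finished!'`, leaving a scale set that cannot pull from the registry and no clear signal that the Android pool is broken; whether an $ErrorActionPreference is set earlier in the file is not visible here. Add `if (-not $spID) { throw "VMSS $VmssName has no system-assigned identity principal" }` right after `$spID` is assigned, put `-ErrorAction Stop` on the New-AzRoleAssignment call, and be prepared to retry that call briefly when it reports the principal as not found. The scope (one registry) and role (AcrPull) are appropriately minimal; the `# needs admin privileges` comment would be more useful as `# needs a role that can write role assignments on the registry scope (presumably Owner or User Access Administrator)`.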
@@ -0,0 +1,21 @@
+## First time machine setup:
+* [ ] Install Azure PowerShell: https://docs.microsoft.com/en-us/powershell/azure/install-az-ps
+
+## Each Patch Tuesday:
+* [ ] Check for depends:vm-update PRs and make relevant changes if possible.
+* [ ] Check for Service 360 alerts about vulnerable software we are installing in the VMs and
+ update that. (Most often PowerShell needs to be updated to the current 7.2.x release)
+* [ ] Run android/create-image.ps1
+* [ ] Run linux/create-image.ps1
+* [ ] Run windows/create-image.ps1
+* [ ] Run android/create-vmss.ps1
+* [ ] Run linux/create-vmss.ps1
+* [ ] Run windows/create-vmss.ps1
+* [ ] Create new pools for all 3 of these in Azure DevOps: https://dev.azure.com/vcpkg/public/_settings/agentqueues
+ * Android: 4 agents
+ * Linux: 4 agents
+ * Windows: 22 agents
+* [ ] Update azure-pipelines.yml to point to the new pools.
+* [ ] Submit PR with those changes.
+* [ ] Submit a full CI rebuild with those changes: https://dev.azure.com/vcpkg/public/_build?definitionId=29
+ refs/pull/NUMBER/head
diff --git a/scripts/azure-pipelines/windows/deploy-pwsh.ps1 b/scripts/azure-pipelines/windows/deploy-pwsh.ps1
index 75970784f1..17c23f168d 100644
--- a/scripts/azure-pipelines/windows/deploy-pwsh.ps1
+++ b/scripts/azure-pipelines/windows/deploy-pwsh.ps1
@@ -5,5 +5,5 @@
 # REPLACE WITH UTILITY-PREFIX.ps1
-$PwshUrl = 'https://github.com/PowerShell/PowerShell/releases/download/v7.3.3/PowerShell-7.3.3-win-x64.msi'
+$PwshUrl = 'https://github.com/PowerShell/PowerShell/releases/download/v7.3.4/PowerShell-7.3.4-win-x64.msi'
 InstallMSI -Url $PwshUrl -Name 'PowerShell Core'
diff --git a/scripts/vcpkgTools.xml b/scripts/vcpkgTools.xml
index 32778c7337..831c9be01c 100644
--- a/scripts/vcpkgTools.xml
+++ b/scripts/vcpkgTools.xml
@@ -194,11 +194,11 @@ ninja-freebsd-1.8.2.zip - 7.2.8 + 7.2.11 pwsh.exe - https://github.com/PowerShell/PowerShell/releases/download/v7.2.8/PowerShell-7.2.8-win-x86.zip - b91ad901837099b34f689ae654b238a1171141adce8be6fc52f48373a7e79117072e84ab38e427c1ac66647dd86a19f1c6c6cba2b8e365d656c65c8447069c72 - PowerShell-7.2.8-win-x86.zip + https://github.com/PowerShell/PowerShell/releases/download/v7.2.11/PowerShell-7.2.11-win-x86.zip + e9581122101ad161ad628a6feb63e61d3ef8f064a3f325465e8a1a4a6cfc1affbc9bf63146efae0aa65ff9ea5c93018af2c413dc0940f0d162edef805659ec84 + PowerShell-7.2.11-win-x86.zip 16.15.1