-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(#230) Add Admin Only Source For Chocolatey Core Packages #255
base: main
Are you sure you want to change the base?
Conversation
24711b3
to
3fe0c59
Compare
7e070da
to
75ed7a5
Compare
Converted back to draft after finding issue when running ClientSetup script. |
15ddbb0
to
51af786
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, delayed hitting send on this while you were out but remembered.
I think we need to change up how we're adding the internal source a little.
184a914
to
7d2ab5a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry
Start-C4bNexusSetup.ps1
Outdated
Get-ChildItem -Path "$env:SystemDrive\choco-setup\files\files" -Filter *.nupkg | ForEach-Object { | ||
choco push $_.FullName --source "$((Get-NexusRepository -Name 'ChocolateyInternal').url)/index.json" --apikey $NugetApiKey --force | ||
Get-ChildItem -Path "$env:SystemDrive\choco-setup\files\packages" -Filter *.nupkg | ForEach-Object { | ||
choco push $_.FullName --source "$((Get-NexusRepository -Name 'ChocolateyCore').url)/index.json" --apikey $NugetApiKey --force |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are we sure we're only pushing what we need to here? What is in the packages folder at this point? The only filter is "give me all the nupkgs"
Start-C4bNexusSetup.ps1
Outdated
if (-not (Test-Path 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe')) { | ||
if (Test-Path 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'){ | ||
Write-Host "Syncing Microsoft Edge, to bring it under Chocolatey management" | ||
choco sync --id="Microsoft Edge" --package-id="microsoft-edge" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Careful with this Sync. I've seen edge Shipped as Windows be in Programs and Features but not be able to be synced because it's installed "special" and isn't in the hive(s) you'd expect from the registry.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In fact, do we even need this? Edge is default in 2019+, which is what we support so it'll never not be there and on the path. This seems overly complicated at this stage.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Server 2019 does not ship with Microsoft Edge, also if we are installing our product suite onto a fresh server dedicated just for Chocolatey use, should we not make sure all software on that machine is managed by a Chocolatey package?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, we should. I'm just warning that in cases where Edge has been installed via servicing channel (think a Windows Update), choco sync does not detect it, even though it's installed, so we might drop out of the check erroneously.
It might be simpler to just go "screw it, I'm putting edge on here", install the package, and let the underlying install sort things out.
I bring this up because I've seen sync not work even though Edge was very clearly displaying in Programs and Features. It's a real peach.
@@ -112,21 +112,28 @@ choco config set cacheLocation $env:ChocolateyInstall\choco-cache | |||
choco config set commandExecutionTimeoutSeconds 14400 | |||
|
|||
if ($InternetEnabled) { | |||
choco source add --name="'ChocolateyInternal'" --source="'$RepositoryUrl'" --allow-self-service --user="'$($Credential.UserName)'" --password="'$($Credential.GetNetworkCredential().Password)'" --priority=1 | |||
choco source add --name="'ChocolateyCore'" --source="'$RepositoryUrl'" --allow-self-service --admin-only --user="'$($Credential.UserName)'" --password="'$($Credential.GetNetworkCredential().Password)'" --priority=0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Think it a good idea to have the admin-only source configured with the same credentials as the non-admin source? What if the non-admin creds get found out? Now you got 2 problems, not 1.
This requires bigger changes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The only reason ChocolateyCore repo has admin-only is to hide it from the end user GUI view. Also the credential is the same account with permissions to browse and download out of a raw/NuGet repo that ChocolateyInternal originally had before this change.
As this script is meant for a non-admin client registration. I wouldn't feel comfortable putting a true "admin" credential on either of these sources as default behavior.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Admin in name only. The credential should and would (at least this is what I expect) to be limited to browse/read operations on this new repository. The existing credential would not have access to this repository. This is a true separation such that if either credential is leaked somehow, only 1 repository is affected, and even then only in that they can download the packages, they'll still not be able to delete or write anything.
c7fe463
to
aa63e22
Compare
6c779c2
to
84d95e8
Compare
The manifest folders lived in a folder named after one in the Ansible project. This didn't make sense here, where it often lives inside a /files/ directory already. This has been changed.
- Add ChocolateyCore repo as main repo for core packages - Add callout to new ChocolateyCore repository - Remove See It In Action README section as video is outdated - Fixup spelling/grammar in README - Add new Update ChocolateyCore Repository Jenkins Job - Add test to check for new Jenkins job - Remove legacy build files from new and existing Jenkins jobs
Add handling to bring edge under Chocolatey management if it was natively installed by a newer server OS. This should ensure that the test is more consistent, delivering the same result regardless of if the Chocolatey package were installed or not.
84d95e8
to
0fe0507
Compare
Description Of Changes
Motivation and Context
Main reason for creating this repository was from feedback of admins not wanting their end users to see the Chocolatey core packages in the default repository. This way ChocolateyInternal only contains the packages brought in by the Jenkins internalization pipeline. Also cleaning up the end user view.
Testing
Operating Systems Testing
Change Types Made
[ ] Bug fix (non-breaking change).[ ] Feature / Enhancement (non-breaking change).Change Checklist
Related Issue
Fixes #230