diff --git a/package/Dockerfile b/package/Dockerfile
index 5b64f954960..3caa277ea80 100644
--- a/package/Dockerfile
+++ b/package/Dockerfile
@@ -67,13 +67,13 @@ ENV DOCKER_MACHINE_HARVESTER_VERSION v0.6.7
 ENV CATTLE_KDM_BRANCH ${CATTLE_KDM_BRANCH}
 ENV HELM_VERSION v3.15.2
 ENV KUSTOMIZE_VERSION v5.4.2
-ENV CATTLE_WINS_AGENT_VERSION v0.4.18-rc1
+ENV CATTLE_WINS_AGENT_VERSION v0.4.19-rc.1
 ENV CATTLE_WINS_AGENT_INSTALL_SCRIPT https://raw.githubusercontent.com/rancher/wins/${CATTLE_WINS_AGENT_VERSION}/install.ps1
 ENV CATTLE_WINS_AGENT_UNINSTALL_SCRIPT https://raw.githubusercontent.com/rancher/wins/${CATTLE_WINS_AGENT_VERSION}/uninstall.ps1
 ENV CATTLE_WINS_AGENT_UPGRADE_IMAGE rancher/wins:${CATTLE_WINS_AGENT_VERSION}
 ENV CATTLE_CSI_PROXY_AGENT_VERSION v1.1.3
 # make sure the CATTLE_SYSTEM_AGENT_VERSION is consistent with tests/v2/codecoverage/package/Dockerfile
-ENV CATTLE_SYSTEM_AGENT_VERSION v0.3.9-rc.4
+ENV CATTLE_SYSTEM_AGENT_VERSION v0.3.10-rc.1
 ENV CATTLE_SYSTEM_AGENT_DOWNLOAD_PREFIX https://github.com/rancher/system-agent/releases/download
 ENV CATTLE_SYSTEM_AGENT_UPGRADE_IMAGE rancher/system-agent:${CATTLE_SYSTEM_AGENT_VERSION}-suc
 ENV CATTLE_SYSTEM_AGENT_INSTALLER_IMAGE rancher/system-agent-installer-
diff --git a/package/windows/Dockerfile.agent b/package/windows/Dockerfile.agent
index cc79c38ffe2..a3c67b4edb8 100644
--- a/package/windows/Dockerfile.agent
+++ b/package/windows/Dockerfile.agent
@@ -17,7 +17,7 @@ RUN go build -tags "${TAGS}" -ldflags "${LDFLAGS}" -o agent.exe ./cmd/agent
 FROM mcr.microsoft.com/windows/servercore:${SERVERCORE_VERSION} AS builder
 SHELL ["powershell", "-NoLogo", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 # download wins
-RUN $URL = 'https://github.com/rancher/wins/releases/download/v0.4.18-rc1/wins.exe'; \
+RUN $URL = 'https://github.com/rancher/wins/releases/download/v0.4.19-rc.1/wins.exe'; \
 \
 Write-Host ('Downloading Wins from {0} ...' -f $URL); \
 curl.exe -sfL $URL -o c:\wins.exe; \
diff --git a/pkg/capr/planner/planner.go b/pkg/capr/planner/planner.go
index 9c23fd1bfac..efad35e2def 100644
--- a/pkg/capr/planner/planner.go
+++ b/pkg/capr/planner/planner.go
@@ -1111,6 +1111,15 @@ func (p *Planner) desiredPlan(controlPlane *rkev1.RKEControlPlane, tokensSecret
 }
 }
 
+if windows(entry) {
+// We need to wait for the controlPlane to be ready before sending this plan
+// to ensure that the initial installation has fully completed
+if controlPlane.Status.Ready {
+nodePlan.Files = append(nodePlan.Files, setPermissionsWindowsScriptFile)
+nodePlan.Instructions = append(nodePlan.Instructions, setPermissionsWindowsScriptInstruction)
+}
+}
+
 if isEtcd(entry) {
 nodePlan, err = p.addEtcdSnapshotListLocalPeriodicInstruction(nodePlan, controlPlane)
 if err != nil {
diff --git a/pkg/capr/planner/windows.go b/pkg/capr/planner/windows.go
new file mode 100644
index 00000000000..c43daf52257
--- /dev/null
+++ b/pkg/capr/planner/windows.go
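Review bot: Gating the ACL hardening on `controlPlane.Status.Ready` means the files the script locks down (the node password, `rancher2_connection_info.json`, the wins config) keep whatever ACL the installer gave them from first registration until the whole cluster reports ready, and that window is not acknowledged anywhere in the new block. If `Status.Ready` later drops, for instance during an upgrade, the file and the one-time instruction fall out of the node plan again, which presumably changes the plan for every Windows node rather than just skipping the run. I would at least document the trade-off where the condition is, e.g. `// Permissions are tightened only once the cluster is Ready; until then the secrets below keep the installer's default ACLs.`, and consider keeping the instruction in the plan once it has been emitted so readiness flapping does not churn it. desiredPlan starts and ends outside this hunk.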
@@ -0,0 +1,163 @@
+package planner
+
+import (
+"encoding/base64"
+"fmt"
+
+"github.com/rancher/rancher/pkg/apis/rke.cattle.io/v1/plan"
+)
+
+const (
+setPermissionsWindowsScriptPath = "%s/windows/set-permissions.ps1"
+
+setPermissionsWindowsScript = `
+function Set-RestrictedPermissions {
+[CmdletBinding()]
+param (
+[Parameter(Mandatory=$true)]
+[string]
+$Path,
+[Parameter(Mandatory=$true)]
+[Boolean]
+$Directory
+)
+$Owner = "BUILTIN\Administrators"
+$Group = "NT AUTHORITY\SYSTEM"
+$acl = Get-Acl $Path
+
+foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
+$acl.RemoveAccessRule($rule) | Out-Null
+}
+$acl.SetAccessRuleProtection($true, $false)
+$acl.SetOwner((New-Object System.Security.Principal.NTAccount($Owner)))
+$acl.SetGroup((New-Object System.Security.Principal.NTAccount($Group)))
+
+Set-FileSystemAccessRule -Directory $Directory -acl $acl
+
+$FullPath = Resolve-Path $Path
+Write-Host "Setting restricted ACL on $FullPath"
+Set-Acl -Path $Path -AclObject $acl
+}
+
+function Set-FileSystemAccessRule() {
+[CmdletBinding()]
+param (
+[Parameter(Mandatory=$true)]
+[Boolean]
+$Directory,
+[Parameter(Mandatory=$false)]
+[System.Security.AccessControl.ObjectSecurity]
+$acl
+)
+$users = @(
+$acl.Owner,
+$acl.Group
+)
+# Note that the function signature for files and directories
+# intentionally differ.
+if ($Directory -eq $true) {
+foreach ($user in $users) {
+$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
+$user,
+[System.Security.AccessControl.FileSystemRights]::FullControl,
+[System.Security.AccessControl.InheritanceFlags]'ObjectInherit,ContainerInherit',
+[System.Security.AccessControl.PropagationFlags]::None,
+[System.Security.AccessControl.AccessControlType]::Allow
+)
+$acl.AddAccessRule($rule)
+}
+} else {
+foreach ($user in $users) {
+$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
+$user,
+[System.Security.AccessControl.FileSystemRights]::FullControl,
+[System.Security.AccessControl.AccessControlType]::Allow
+)
+$acl.AddAccessRule($rule)
+}
+}
+}
+
+function Confirm-ACL {
+[CmdletBinding()]
+param (
+[Parameter(Mandatory=$true)]
+[String]
+$Path
+)
+foreach ($a in (Get-Acl $path).Access) {
+$ref = $a.IdentityReference
+if (($ref -ne "BUILTIN\Administrators") -and ($ref -ne "NT AUTHORITY\SYSTEM")) {
+return $false
+}
+}
+return $true
+}
+
+$RKE2_DATA_DIR="%s"
+$SYSTEM_AGENT_DIR="%s"
+$RANCHER_PROVISIONING_DIR="%s"
+
+$restrictedPaths = @(
+[PSCustomObject]@{
+Path = "c:\etc\rancher\wins\config"
+Directory = $false
+}
+[PSCustomObject]@{
+Path = "c:\etc\rancher\node\password"
+Directory = $false
+}
+[PSCustomObject]@{
+Path = "$SYSTEM_AGENT_DIR\rancher2_connection_info.json"
+Directory = $false
+}
+[PSCustomObject]@{
+Path = "c:\etc\rancher\rke2\config.yaml.d\50-rancher.yaml"
+Directory = $false
+}
+[PSCustomObject]@{
+Path = "c:\usr\local\bin\rke2.exe"
+Directory = $false
+}
+[PSCustomObject]@{
+Path = "$RANCHER_PROVISIONING_DIR"
+Directory = $true
+}
+[PSCustomObject]@{
+Path = "$SYSTEM_AGENT_DIR"
+Directory = $true
+}
+[PSCustomObject]@{
+Path = "$RKE2_DATA_DIR"
+Directory = $true
+}
+)
+
+foreach ($path in $restrictedPaths) {
+if (-Not (Confirm-ACL -Path $path.Path)) {
+Set-RestrictedPermissions -Path $path.Path -Directory $path.Directory
+}
+}
+`
+)
+
+var (
+setPermissionsWindowsScriptFile = plan.File{
+Content: base64.StdEncoding.EncodeToString([]byte(
+fmt.Sprintf(setPermissionsWindowsScript,
+"c:\\var\\lib\\rancher\\rke2",
+"c:\\var\\lib\\rancher\\agent",
+"c:\\var\\lib\\rancher\\capr"))),
+
+Path: fmt.Sprintf(setPermissionsWindowsScriptPath,
+"c:\\var\\lib\\rancher\\capr"),
+Dynamic: true,
+Minor: true,
+}
+setPermissionsWindowsScriptInstruction = plan.OneTimeInstruction{
+Name: "Set permissions for RKE2 installation files on Windows",
+Command: "powershell.exe",
+Args: []string{"-File", fmt.Sprintf(setPermissionsWindowsScriptPath,
+"c:\\var\\lib\\rancher\\capr")},
+}
+)
diff --git a/pkg/settings/setting.go b/pkg/settings/setting.go
index 2982bc26138..46dda15daae 100644
--- a/pkg/settings/setting.go
+++ b/pkg/settings/setting.go
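Review bot: Both Set-RestrictedPermissions and Confirm-ACL in the embedded script identify the principals by display name (`"BUILTIN\Administrators"`, `"NT AUTHORITY\SYSTEM"`), and those names are localized on non-English Windows, so on such hosts the NTAccount lookup behind SetOwner/SetGroup would presumably fail and Confirm-ACL would treat every existing ACE as foreign, re-running the reset on each pass. Resolving the well-known SIDs (`S-1-5-32-544` for Administrators, `S-1-5-18` for SYSTEM) instead works in every locale and makes the comparison independent of how Get-Acl renders the identity. A smaller point: Get-Acl on a path that does not exist writes a non-terminating error and returns nothing, so Confirm-ACL returns $true and the missing path is silently reported as compliant; checking with `Test-Path -LiteralPath` first and logging the skip would make the one-time instruction's outcome visible in the agent output. The rewritten Confirm-ACL and the owner/group lines are below; Set-FileSystemAccessRule can then build `$users` from the two SID objects rather than from `$acl.Owner`/`$acl.Group`.
```go
$AdminSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$SystemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')

function Set-RestrictedPermissions {
    # … unchanged: param block, Get-Acl, rule removal, SetAccessRuleProtection …
    $acl.SetOwner($AdminSid)
    $acl.SetGroup($SystemSid)
    # … unchanged: Set-FileSystemAccessRule call, Resolve-Path, Write-Host, Set-Acl …
}

function Confirm-ACL {
    [CmdletBinding()]
    param ([Parameter(Mandatory=$true)] [String] $Path)
    if (-Not (Test-Path -LiteralPath $Path)) {
        Write-Host "Skipping $Path: path not found"
        return $true
    }
    $allowed = @($AdminSid.Value, $SystemSid.Value)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($a in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($allowed -notcontains $a.IdentityReference.Value) {
            return $false
        }
    }
    return $true
}
```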
@@ -103,8 +103,8 @@ var (
 WinsAgentVersion = NewSetting("wins-agent-version", "")
 CSIProxyAgentVersion = NewSetting("csi-proxy-agent-version", "")
 CSIProxyAgentURL = NewSetting("csi-proxy-agent-url", "https://acs-mirror.azureedge.net/csi-proxy/%[1]s/binaries/csi-proxy-%[1]s.tar.gz")
-SystemAgentInstallScript = NewSetting("system-agent-install-script", "https://github.com/rancher/system-agent/releases/download/v0.3.9-rc.4/install.sh") // To ensure consistency between SystemAgentInstallScript default value and CATTLE_SYSTEM_AGENT_INSTALL_SCRIPT to utilize the local system-agent-install.sh script when both values are equal.
-WinsAgentInstallScript = NewSetting("wins-agent-install-script", "https://raw.githubusercontent.com/rancher/wins/v0.4.18-rc1/install.ps1")
+SystemAgentInstallScript = NewSetting("system-agent-install-script", "https://github.com/rancher/system-agent/releases/download/v0.3.10-rc.1/install.sh") // To ensure consistency between SystemAgentInstallScript default value and CATTLE_SYSTEM_AGENT_INSTALL_SCRIPT to utilize the local system-agent-install.sh script when both values are equal.
+WinsAgentInstallScript = NewSetting("wins-agent-install-script", "https://raw.githubusercontent.com/rancher/wins/v0.4.19-rc.1/install.ps1")
 SystemAgentInstallerImage = NewSetting("system-agent-installer-image", "") // Defined via environment variable
 SystemAgentUpgradeImage = NewSetting("system-agent-upgrade-image", "") // Defined via environment variable
 WinsAgentUpgradeImage = NewSetting("wins-agent-upgrade-image", "")
diff --git a/tests/v2/codecoverage/package/Dockerfile b/tests/v2/codecoverage/package/Dockerfile
index 39b13bd427e..62005a30b5a 100644
--- a/tests/v2/codecoverage/package/Dockerfile
+++ b/tests/v2/codecoverage/package/Dockerfile
@@ -66,13 +66,13 @@ ENV DOCKER_MACHINE_HARVESTER_VERSION v0.6.7
 ENV CATTLE_KDM_BRANCH ${CATTLE_KDM_BRANCH}
 ENV HELM_VERSION v3.15.2
 ENV KUSTOMIZE_VERSION v5.4.2
-ENV CATTLE_WINS_AGENT_VERSION v0.4.18-rc1
+ENV CATTLE_WINS_AGENT_VERSION v0.4.19-rc.1
 ENV CATTLE_WINS_AGENT_INSTALL_SCRIPT https://raw.githubusercontent.com/rancher/wins/${CATTLE_WINS_AGENT_VERSION}/install.ps1
 ENV CATTLE_WINS_AGENT_UNINSTALL_SCRIPT https://raw.githubusercontent.com/rancher/wins/${CATTLE_WINS_AGENT_VERSION}/uninstall.ps1
 ENV CATTLE_WINS_AGENT_UPGRADE_IMAGE rancher/wins:${CATTLE_WINS_AGENT_VERSION}
 ENV CATTLE_CSI_PROXY_AGENT_VERSION v1.1.3
 # make sure the CATTLE_SYSTEM_AGENT_VERSION is consistent with tests/v2/codecoverage/package/Dockerfile
-ENV CATTLE_SYSTEM_AGENT_VERSION v0.3.9-rc.4
+ENV CATTLE_SYSTEM_AGENT_VERSION v0.3.10-rc.1
 ENV CATTLE_SYSTEM_AGENT_DOWNLOAD_PREFIX https://github.com/rancher/system-agent/releases/download
 ENV CATTLE_SYSTEM_AGENT_UPGRADE_IMAGE rancher/system-agent:${CATTLE_SYSTEM_AGENT_VERSION}-suc
 ENV CATTLE_SYSTEM_AGENT_INSTALLER_IMAGE rancher/system-agent-installer-