From 35bf5d84e2d510a5e7e6e1514e06f5c398cdbbb0 Mon Sep 17 00:00:00 2001
From: Tim Wright
Date: Wed, 15 Jan 2025 04:28:48 +0000
Subject: [PATCH 1/7] update windows versions
---
vhdbuilder/packer/windows-image.env | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/vhdbuilder/packer/windows-image.env b/vhdbuilder/packer/windows-image.env
index bb78b508078..ab2d01bdc82 100644
--- a/vhdbuilder/packer/windows-image.env
+++ b/vhdbuilder/packer/windows-image.env
@@ -6,24 +6,24 @@ WINDOWS_2019_BASE_IMAGE_SKU=2019-Datacenter-Core-smalldisk # TODO: update global:patch in generate-windows-vhd-configuration.ps1 and remove this comment when you bump 12B # - but revert and bring back if open ssh fails when you build the VHD. This image is 9B. -WINDOWS_2019_BASE_IMAGE_VERSION=17763.6293.240905 +WINDOWS_2019_BASE_IMAGE_VERSION=17763.6775.250109 # CLI example to get the latest image version: # az vm image show --urn MicrosoftWindowsServer:WindowsServer:2022-Datacenter-Core-smalldisk:latest WINDOWS_2022_BASE_IMAGE_SKU=2022-Datacenter-Core-smalldisk -WINDOWS_2022_BASE_IMAGE_VERSION=20348.2966.241205 +WINDOWS_2022_BASE_IMAGE_VERSION=20348.3091.250112 # CLI example to get all available image version under a SKU (suffix g2 for Gen 2): # az vm image list --all --publisher MicrosoftWindowsServer --offer WindowsServer --output table -s 2022-datacenter-core-smalldisk-g2 # CLI example to get the latest image version: # az vm image show --urn MicrosoftWindowsServer:WindowsServer:2022-datacenter-core-smalldisk-g2:latest WINDOWS_2022_GEN2_BASE_IMAGE_SKU=2022-datacenter-core-smalldisk-g2 -WINDOWS_2022_GEN2_BASE_IMAGE_VERSION=20348.2966.241205 +WINDOWS_2022_GEN2_BASE_IMAGE_VERSION=20348.3091.250112 # CLI example to get the latest image version: # az vm image show --urn MicrosoftWindowsServer:WindowsServer:23h2-datacenter-core:latest WINDOWS_23H2_BASE_IMAGE_SKU=23h2-datacenter-core -WINDOWS_23H2_BASE_IMAGE_VERSION=25398.1308.241205 +WINDOWS_23H2_BASE_IMAGE_VERSION=25398.1369.250111 # CLI example to get all available image version under a SKU (suffix g2 for Gen 2): # az vm image list --all --publisher MicrosoftWindowsServer --offer WindowsServer --output table -s 23h2-datacenter-core-g2 
@@ -31,7 +31,7 @@ WINDOWS_23H2_BASE_IMAGE_VERSION=25398.1308.241205 # az vm image show --urn MicrosoftWindowsServer:WindowsServer:23h2-datacenter-core-g2:latest # NOTE: Please update $global:patchUrls and $global:patchIDs in vhdbuilder/packer/generate-windows-vhd-configuration.ps1 on demand WINDOWS_23H2_GEN2_BASE_IMAGE_SKU=23h2-datacenter-core-g2 -WINDOWS_23H2_GEN2_BASE_IMAGE_VERSION=25398.1308.241205 +WINDOWS_23H2_GEN2_BASE_IMAGE_VERSION=25398.1369.250111 # Please uncomment the following lines and set a larger os disk size that is at least 30GB when your PR check-in fails # WINDOWS_2019_CONTAINERD_OS_DISK_SIZE_GB=30 From 5105e10ca3561a218b82eaf2dc80f0d739768c23 Mon Sep 17 00:00:00 2001 From: Tim Wright Date: Wed, 15 Jan 2025 20:37:35 +0000 Subject: [PATCH 2/7] create config path --- vhdbuilder/packer/configure-windows-vhd.ps1 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/vhdbuilder/packer/configure-windows-vhd.ps1 b/vhdbuilder/packer/configure-windows-vhd.ps1 index 50a04c99622..ff79b058d4c 100644 --- a/vhdbuilder/packer/configure-windows-vhd.ps1 +++ b/vhdbuilder/packer/configure-windows-vhd.ps1 @@ -393,7 +393,9 @@ function Install-OpenSSH { # It’s by design that files within the C:\Windows\System32\ folder are not modifiable. # When the OpenSSH Server starts, it copies C:\windows\system32\openssh\sshd_config_default to C:\programdata\ssh\sshd_config, if the file does not already exist. $OriginalConfigPath = "C:\windows\system32\OpenSSH\sshd_config_default" - $ConfigPath = "C:\programdata\ssh\sshd_config" + $ConfigDirectory = "C:\programdata\ssh" + New-Item -ItemType Directory -Force -Path $ConfigDirectory + $ConfigPath = $ConfigDirectory + "\sshd_config" Write-Log "Updating $ConfigPath for CVE-2023-48795" $ModifiedConfigContents = Get-Content $OriginalConfigPath ` | %{$_ -replace "#RekeyLimit default none", "$&`r`n# Disable cipher to mitigate CVE-2023-48795`r`nCiphers -chacha20-poly1305@openssh.com`r`nMacs -*-etm@openssh.com`r`n"} 
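Review bot: The `New-Item -ItemType Directory -Force -Path $ConfigDirectory` line in Install-OpenSSH creates `C:\programdata\ssh` with whatever ACL it inherits from `C:\ProgramData`, and nothing in the hunk restricts it before `sshd_config` is written there. If sshd only applies its restrictive ACL when it creates the folder itself (worth confirming on a built VHD), non-admin users may be able to add files beside the config and host keys. Consider following the New-Item with `icacls $ConfigDirectory /inheritance:r /grant "*S-1-5-18:(OI)(CI)F" "*S-1-5-32-544:(OI)(CI)F" "*S-1-5-11:(OI)(CI)RX"`, and pipe New-Item to `Out-Null` so its DirectoryInfo object does not land in the function's output. The function body starts and ends outside the hunk.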
From 4f4f8983f9b87368c35afecf5e795ddb5d81f58d Mon Sep 17 00:00:00 2001 From: Tim Wright Date: Wed, 15 Jan 2025 20:52:37 +0000 Subject: [PATCH 3/7] add remove/add of openssh client --- vhdbuilder/packer/configure-windows-vhd.ps1 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/vhdbuilder/packer/configure-windows-vhd.ps1 b/vhdbuilder/packer/configure-windows-vhd.ps1 index ff79b058d4c..e760eaedec2 100644 --- a/vhdbuilder/packer/configure-windows-vhd.ps1 +++ b/vhdbuilder/packer/configure-windows-vhd.ps1 @@ -388,6 +388,14 @@ function Install-ContainerD { function Install-OpenSSH { Write-Log "Installing OpenSSH Server" + + # Somehow openssh client got added to Windows 2019 base image. + if ($env:WindowsSKU -Like '2019*') + { + Remove-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0 + Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0 + } + Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 # It’s by design that files within the C:\Windows\System32\ folder are not modifiable. From e1eaeb75ddca1dcb5e2ac47a137a9cc512018ce2 Mon Sep 17 00:00:00 2001 From: Tim Wright Date: Wed, 15 Jan 2025 22:26:58 +0000 Subject: [PATCH 4/7] remove patch urls --- vhdbuilder/packer/configure-windows-vhd.ps1 | 2 +- .../packer/generate-windows-vhd-configuration.ps1 | 13 ++----------- 2 files changed, 3 insertions(+), 12 deletions(-) diff --git a/vhdbuilder/packer/configure-windows-vhd.ps1 b/vhdbuilder/packer/configure-windows-vhd.ps1 index e760eaedec2..2dc067f1f66 100644 --- a/vhdbuilder/packer/configure-windows-vhd.ps1 +++ b/vhdbuilder/packer/configure-windows-vhd.ps1 @@ -884,7 +884,7 @@ function Log-ReofferUpdate { Write-Log "ReofferUpdate is $($result.ReofferUpdate)" } } catch { - Write-Log "ReofferUpdate does not exist" + Write-Log "ReofferUpdate registry setting does not exist" } } diff --git a/vhdbuilder/packer/generate-windows-vhd-configuration.ps1 b/vhdbuilder/packer/generate-windows-vhd-configuration.ps1 index 3c3964a5ee0..9c69d4a9320 100644 
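Review bot: In Install-OpenSSH the new 2019 branch removes and re-adds `OpenSSH.Client~~~~0.0.1.0` without checking either result, so a failed `Add-WindowsCapability` after a successful removal would leave the image without the client unless `$ErrorActionPreference` (set outside this hunk, if at all) makes the error terminating. Add `-ErrorAction Stop` to both calls, or log the resulting state, e.g. `Write-Log "OpenSSH.Client state: $((Get-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0).State)"`. The comment `# Somehow openssh client got added to Windows 2019 base image.` also does not say why a remove-then-add is needed; something like `# Reinstall the preinstalled client so it matches the server capability added below (assumed reason - confirm)` would help whoever bumps the base image next. The function continues outside the hunk.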
--- a/vhdbuilder/packer/generate-windows-vhd-configuration.ps1 +++ b/vhdbuilder/packer/generate-windows-vhd-configuration.ps1 @@ -60,17 +60,8 @@ $global:defenderUpdateInfoUrl = "https://go.microsoft.com/fwlink/?linkid=870379& switch -Regex ($windowsSku) { "2019-containerd" { - # TODO: clean up when you bump 2025-1B. These patches do an upgrade from 2024-9B to 2024-12B in a way that doesn't break openssh. - # The right patch for .NET is actually KB5046540. However, the download page us for KB5046269. So we have to verify that patch. I have no idea why. - - $global:patchUrls = @( - "https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/secu/2024/12/windows10.0-kb5048661-x64_6bfc43258aab46ec793d2977122226a4a2b8ed6f.msu", - "https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/updt/2024/10/windows10.0-kb5046268-x64_cd2f14649df2343f1b4692c50644f22b863ed408.msu" - ) - $global:patchIDs = @( - "KB5048661", - "KB5046268" - ) + $global:patchUrls = @() + $global:patchIDs = @() $global:imagesToPull = @( "mcr.microsoft.com/windows/servercore:ltsc2019", From 543c9228237fc9737f3e8fda4ba804be2801c956 Mon Sep 17 00:00:00 2001 From: Tim Wright Date: Thu, 16 Jan 2025 00:18:09 +0000 Subject: [PATCH 5/7] logging directory fix. --- .pipelines/templates/e2e-template.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.pipelines/templates/e2e-template.yaml b/.pipelines/templates/e2e-template.yaml index dc9d09096ac..b0e7d24ecb8 100644 --- a/.pipelines/templates/e2e-template.yaml +++ b/.pipelines/templates/e2e-template.yaml @@ -45,7 +45,9 @@ jobs: VHD_BUILD_ID: $(VHD_BUILD_ID) LOGGING_DIR: $(LOGGING_DIR) # Without this step next step may fail on successful run - - bash: mkdir -p $(System.DefaultWorkingDirectory)/e2e/$(LOGGING_DIR) + - bash: | + set -ex + mkdir -p "$(System.DefaultWorkingDirectory)/e2e/$(LOGGING_DIR)" condition: always() displayName: Create folder for scenario logs - task: PublishTestResults@2 
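Review bot: The empty `$global:patchUrls = @()` and `$global:patchIDs = @()` in the `"2019-containerd"` case now carry no comment, while the removed TODO was the only record of why out-of-band patches had been pinned. vhdbuilder/packer/windows-image.env in this same series still says `This image is 9B` and asks to bring the patches back if OpenSSH fails during the VHD build, so the two files no longer agree. Add a short comment here such as `# No out-of-band patches: base image 17763.6775.250109 is expected to include them (confirm)` and update the windows-image.env TODO to match. The switch block continues outside the hunk.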
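Review bot: `$(LOGGING_DIR)` in the new `mkdir -p` line is Azure Pipelines macro syntax that is pasted into the script text before bash runs, and this step has `condition: always()`, so it also runs when the step that sets the variable did not complete. In that case the macro is, as far as I know, left as the literal `$(LOGGING_DIR)`, which bash treats as a command substitution; the resulting command-not-found does not fail `mkdir`, so the step quietly creates only `.../e2e/`. Pipeline variables are also exposed to script steps as environment variables, and reading them that way avoids both the silent fallback and textual substitution into the script: `mkdir -p "${SYSTEM_DEFAULTWORKINGDIRECTORY}/e2e/${LOGGING_DIR:?LOGGING_DIR not set}"`. The same step is re-added unchanged in PATCH 7/7.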
From 900495cfe33a5a424561addd84fadc7b2d65fc36 Mon Sep 17 00:00:00 2001 From: Tim Wright Date: Thu, 16 Jan 2025 00:18:22 +0000 Subject: [PATCH 6/7] make directory earlier --- .pipelines/templates/e2e-template.yaml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.pipelines/templates/e2e-template.yaml b/.pipelines/templates/e2e-template.yaml index b0e7d24ecb8..9ed96e32619 100644 --- a/.pipelines/templates/e2e-template.yaml +++ b/.pipelines/templates/e2e-template.yaml @@ -18,6 +18,7 @@ jobs: - bash: | set -ex LOGGING_DIR="scenario-logs-$(date +%s)" + mkdir -p "$(System.DefaultWorkingDirectory)/e2e/$(LOGGING_DIR)" echo "setting logging dir to $LOGGING_DIR" echo "##vso[task.setvariable variable=LOGGING_DIR]$LOGGING_DIR" displayName: Set logging directory @@ -44,12 +45,6 @@ jobs: env: VHD_BUILD_ID: $(VHD_BUILD_ID) LOGGING_DIR: $(LOGGING_DIR) - # Without this step next step may fail on successful run - - bash: | - set -ex - mkdir -p "$(System.DefaultWorkingDirectory)/e2e/$(LOGGING_DIR)" - condition: always() - displayName: Create folder for scenario logs - task: PublishTestResults@2 displayName: Upload test results condition: succeededOrFailed() From ee07425b1d1ceb929198351d9ec70465ddd40e97 Mon Sep 17 00:00:00 2001 From: Tim Wright Date: Thu, 16 Jan 2025 00:18:52 +0000 Subject: [PATCH 7/7] bring back step --- .pipelines/templates/e2e-template.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.pipelines/templates/e2e-template.yaml b/.pipelines/templates/e2e-template.yaml index 9ed96e32619..b0e7d24ecb8 100644 --- a/.pipelines/templates/e2e-template.yaml +++ b/.pipelines/templates/e2e-template.yaml @@ -18,7 +18,6 @@ jobs: - bash: | set -ex LOGGING_DIR="scenario-logs-$(date +%s)" - mkdir -p "$(System.DefaultWorkingDirectory)/e2e/$(LOGGING_DIR)" echo "setting logging dir to $LOGGING_DIR" echo "##vso[task.setvariable variable=LOGGING_DIR]$LOGGING_DIR" displayName: Set logging directory 
@@ -45,6 +44,12 @@ jobs: env: VHD_BUILD_ID: $(VHD_BUILD_ID) LOGGING_DIR: $(LOGGING_DIR) + # Without this step next step may fail on successful run + - bash: | + set -ex + mkdir -p "$(System.DefaultWorkingDirectory)/e2e/$(LOGGING_DIR)" + condition: always() + displayName: Create folder for scenario logs - task: PublishTestResults@2 displayName: Upload test results condition: succeededOrFailed()