From 0f2e57e32e387f191944615d3441e1d2baae5d00 Mon Sep 17 00:00:00 2001
From: Gabriel Adrian Samfira
Date: Sat, 19 Jul 2025 00:31:28 +0000
Subject: [PATCH] Update garm-provider-common
Pull in windows userdata changes.
Signed-off-by: Gabriel Adrian Samfira
---
 go.mod | 4 +-
 go.sum | 8 +-
 .../aws-sdk-go-v2/service/ec2/CHANGELOG.md | 8 +
 .../api_op_CreateInstanceConnectEndpoint.go | 22 ++-
 .../service/ec2/api_op_DescribeImages.go | 3 +
 .../service/ec2/deserializers.go | 118 +++++++++++++
 .../service/ec2/go_module_metadata.go | 2 +-
 .../aws-sdk-go-v2/service/ec2/serializers.go | 5 +
 .../aws-sdk-go-v2/service/ec2/types/enums.go | 25 ++-
 .../aws-sdk-go-v2/service/ec2/types/types.go | 64 ++++++-
 .../cloudconfig/templates.go | 159 +++++++++++++++++-
 vendor/modules.txt | 4 +-
 12 files changed, 403 insertions(+), 19 deletions(-)
diff --git a/go.mod b/go.mod
index 1463d958..8d3076f4 100644
--- a/go.mod
+++ b/go.mod
@@ -9,9 +9,9 @@ require (
 github.com/aws/aws-sdk-go-v2 v1.36.5
 github.com/aws/aws-sdk-go-v2/config v1.29.17
 github.com/aws/aws-sdk-go-v2/credentials v1.17.70
- github.com/aws/aws-sdk-go-v2/service/ec2 v1.231.0
+ github.com/aws/aws-sdk-go-v2/service/ec2 v1.233.0
 github.com/aws/smithy-go v1.22.4
- github.com/cloudbase/garm-provider-common v0.1.5
+ github.com/cloudbase/garm-provider-common v0.1.6
 github.com/invopop/jsonschema v0.13.0
 github.com/stretchr/testify v1.10.0
 github.com/xeipuuv/gojsonschema v1.2.0
diff --git a/go.sum b/go.sum
index 2879b538..385fe034 100644
--- a/go.sum
+++ b/go.sum
@@ -14,8 +14,8 @@ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36 h1:i2vNHQiXUvKhs3quBR
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36/go.mod h1:UdyGa7Q91id/sdyHPwth+043HhmP6yP9MBHgbZM0xo8=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
-github.com/aws/aws-sdk-go-v2/service/ec2 v1.231.0 h1:uhIwvt6crp2kQenKojfDShGw39WEIrtPRfYZ3FAFlJk=
-github.com/aws/aws-sdk-go-v2/service/ec2 v1.231.0/go.mod h1:35jGWx7ECvCwTsApqicFYzZ7JFEnBc6oHUuOQ3xIS54=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.233.0 h1:VxmOsv7MswuKQcSEIurxe4RK9tC6zYnosw9vBvv74lA=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.233.0/go.mod h1:35jGWx7ECvCwTsApqicFYzZ7JFEnBc6oHUuOQ3xIS54=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 h1:CXV68E2dNqhuynZJPB80bhPQwAKqBWVer887figW6Jc=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4/go.mod h1:/xFi9KtvBXP97ppCz1TAEvU1Uf66qvid89rbem3wCzQ=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17 h1:t0E6FzREdtCsiLIoLCWsYliNsRBgyGD/MCK571qk4MI=
@@ -32,8 +32,8 @@ github.com/bahlo/generic-list-go v0.2.0 h1:5sz/EEAK+ls5wF+NeqDpk5+iNdMDXrh3z3nPn
 github.com/bahlo/generic-list-go v0.2.0/go.mod h1:2KvAjgMlE5NNynlg/5iLrrCCZ2+5xWbdbCW3pNTGyYg=
 github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=
 github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
-github.com/cloudbase/garm-provider-common v0.1.5 h1:aJL646l+VnZceQ2grbDYhWfxYpaQR2/QsUSD76kSZVs=
-github.com/cloudbase/garm-provider-common v0.1.5/go.mod h1:2O51WbcfqRx5fDHyyJgIFq7KdTZZnefsM+aoOchyleU=
+github.com/cloudbase/garm-provider-common v0.1.6 h1:wLqolRkUD2Z4rzuBLDs2exL1Aq+eJ5RBVnRvk5JP6fs=
+github.com/cloudbase/garm-provider-common v0.1.6/go.mod h1:2O51WbcfqRx5fDHyyJgIFq7KdTZZnefsM+aoOchyleU=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/CHANGELOG.md
index 8fc17f86..10faf8ca 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/CHANGELOG.md
@@ -1,3 +1,11 @@ +# v1.233.0 (2025-07-17) + +* **Feature**: AWS Free Tier Version2 Support + +# v1.232.0 (2025-07-15) + +* **Feature**: This release adds support for volume initialization status, which enables you to monitor when the initialization process for an EBS volume is completed. This release also adds IPv6 support to EC2 Instance Connect Endpoints, allowing you to connect to your EC2 Instance via a private IPv6 address. + # v1.231.0 (2025-07-09) * **Feature**: Adds support to Capacity Blocks for ML for purchasing EC2 P6e-GB200 UltraServers. Customers can now purchase u-p6e-gb200x72 and u-p6e-gb200x36 UltraServers. Adds new DescribeCapacityBlocks andDescribeCapacityBlockStatus APIs. Adds support for CapacityBlockId to DescribeInstanceTopology. diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateInstanceConnectEndpoint.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateInstanceConnectEndpoint.go index e3424793..7929c9c9 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateInstanceConnectEndpoint.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_CreateInstanceConnectEndpoint.go 
@@ -14,8 +14,8 @@ import ( // Creates an EC2 Instance Connect Endpoint. // // An EC2 Instance Connect Endpoint allows you to connect to an instance, without -// requiring the instance to have a public IPv4 address. For more information, see [Connect to your instances using EC2 Instance Connect Endpoint] -// in the Amazon EC2 User Guide. +// requiring the instance to have a public IPv4 or public IPv6 address. For more +// information, see [Connect to your instances using EC2 Instance Connect Endpoint]in the Amazon EC2 User Guide. // // [Connect to your instances using EC2 Instance Connect Endpoint]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect-Endpoint.html func (c *Client) CreateInstanceConnectEndpoint(ctx context.Context, params *CreateInstanceConnectEndpointInput, optFns ...func(*Options)) (*CreateInstanceConnectEndpointOutput, error) { @@ -50,6 +50,21 @@ type CreateInstanceConnectEndpointInput struct { // UnauthorizedOperation . DryRun *bool + // The IP address type of the endpoint. + // + // If no value is specified, the default value is determined by the IP address + // type of the subnet: + // + // - dualstack - If the subnet has both IPv4 and IPv6 CIDRs + // + // - ipv4 - If the subnet has only IPv4 CIDRs + // + // - ipv6 - If the subnet has only IPv6 CIDRs + // + // PreserveClientIp is only supported on IPv4 EC2 Instance Connect Endpoints. To + // use PreserveClientIp , the value for IpAddressType must be ipv4 . + IpAddressType types.IpAddressType + // Indicates whether the client IP address is preserved as the source. The // following are the possible values. // @@ -57,6 +72,9 @@ type CreateInstanceConnectEndpointInput struct { // // - false - Use the network interface IP address as the source. // + // PreserveClientIp is only supported on IPv4 EC2 Instance Connect Endpoints. To + // use PreserveClientIp , the value for IpAddressType must be ipv4 . + // // Default: false PreserveClientIp *bool 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_DescribeImages.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_DescribeImages.go index 690cf30f..ba0a7736 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_DescribeImages.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_DescribeImages.go @@ -119,6 +119,9 @@ type DescribeImagesInput struct { // - ena-support - A Boolean that indicates whether enhanced networking with ENA // is enabled. // + // - free-tier-eligible - A Boolean that indicates whether this image can be used + // under the Amazon Web Services Free Tier ( true | false ). + // // - hypervisor - The hypervisor type ( ovm | xen ). // // - image-allowed - A Boolean that indicates whether the image meets the diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/deserializers.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/deserializers.go index c72db879..0057ce0e 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/deserializers.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/deserializers.go @@ -83898,6 +83898,19 @@ func awsEc2query_deserializeDocumentEc2InstanceConnectEndpoint(v **types.Ec2Inst sv.InstanceConnectEndpointId = ptr.String(xtv) } + case strings.EqualFold("ipAddressType", t.Name.Local): + val, err := decoder.Value() + if err != nil { + return err + } + if val == nil { + break + } + { + xtv := string(val) + sv.IpAddressType = types.IpAddressType(xtv) + } + case strings.EqualFold("networkInterfaceIdSet", t.Name.Local): nodeDecoder := smithyxml.WrapNodeDecoder(decoder.Decoder, t) if err := awsEc2query_deserializeDocumentNetworkInterfaceIdSet(&sv.NetworkInterfaceIds, nodeDecoder); err != nil { 
@@ -92522,6 +92535,22 @@ func awsEc2query_deserializeDocumentImage(v **types.Image, decoder smithyxml.Nod sv.EnaSupport = ptr.Bool(xtv) } + case strings.EqualFold("freeTierEligible", t.Name.Local): + val, err := decoder.Value() + if err != nil { + return err + } + if val == nil { + break + } + { + xtv, err := strconv.ParseBool(string(val)) + if err != nil { + return fmt.Errorf("expected Boolean to be of type *bool, got %T instead", val) + } + sv.FreeTierEligible = ptr.Bool(xtv) + } + case strings.EqualFold("hypervisor", t.Name.Local): val, err := decoder.Value() if err != nil { 
@@ -94667,6 +94696,89 @@ func awsEc2query_deserializeDocumentInferenceDeviceMemoryInfo(v **types.Inferenc return nil } +func awsEc2query_deserializeDocumentInitializationStatusDetails(v **types.InitializationStatusDetails, decoder smithyxml.NodeDecoder) error { + if v == nil { + return fmt.Errorf("unexpected nil of type %T", v) + } + var sv *types.InitializationStatusDetails + if *v == nil { + sv = &types.InitializationStatusDetails{} + } else { + sv = *v + } + + for { + t, done, err := decoder.Token() + if err != nil { + return err + } + if done { + break + } + originalDecoder := decoder + decoder = smithyxml.WrapNodeDecoder(originalDecoder.Decoder, t) + switch { + case strings.EqualFold("estimatedTimeToCompleteInSeconds", t.Name.Local): + val, err := decoder.Value() + if err != nil { + return err + } + if val == nil { + break + } + { + xtv := string(val) + i64, err := strconv.ParseInt(xtv, 10, 64) + if err != nil { + return err + } + sv.EstimatedTimeToCompleteInSeconds = ptr.Int64(i64) + } + + case strings.EqualFold("initializationType", t.Name.Local): + val, err := decoder.Value() + if err != nil { + return err + } + if val == nil { + break + } + { + xtv := string(val) + sv.InitializationType = types.InitializationType(xtv) + } + + case strings.EqualFold("progress", t.Name.Local): + val, err := decoder.Value() + if err != nil { + return err + } + if val == nil { + break + } + { + xtv := string(val) + i64, err := strconv.ParseInt(xtv, 10, 64) + if err != nil { + return err + } + sv.Progress = ptr.Int64(i64) + } + + default: + // Do nothing and ignore the unexpected tag element + err = decoder.Decoder.Skip() + if err != nil { + return err + } + + } + decoder = originalDecoder + } + *v = sv + return nil +} + func awsEc2query_deserializeDocumentInsideCidrBlocksStringList(v *[]string, decoder smithyxml.NodeDecoder) error { if v == nil { return fmt.Errorf("unexpected nil of type %T", v) 
@@ -155935,6 +156047,12 @@ func awsEc2query_deserializeDocumentVolumeStatusItem(v **types.VolumeStatusItem, return err } + case strings.EqualFold("initializationStatusDetails", t.Name.Local): + nodeDecoder := smithyxml.WrapNodeDecoder(decoder.Decoder, t) + if err := awsEc2query_deserializeDocumentInitializationStatusDetails(&sv.InitializationStatusDetails, nodeDecoder); err != nil { + return err + } + case strings.EqualFold("outpostArn", t.Name.Local): val, err := decoder.Value() if err != nil { diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/go_module_metadata.go index b9139c66..749df6cc 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/go_module_metadata.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/go_module_metadata.go @@ -3,4 +3,4 @@ package ec2 // goModuleVersion is the tagged release for this module -const goModuleVersion = "1.231.0" +const goModuleVersion = "1.233.0" diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/serializers.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/serializers.go index 9c68ecfe..831188f5 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/serializers.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/serializers.go @@ -61631,6 +61631,11 @@ func awsEc2query_serializeOpDocumentCreateInstanceConnectEndpointInput(v *Create objectKey.Boolean(*v.DryRun) } + if len(v.IpAddressType) > 0 { + objectKey := object.Key("IpAddressType") + objectKey.String(string(v.IpAddressType)) + } + if v.PreserveClientIp != nil { objectKey := object.Key("PreserveClientIp") objectKey.Boolean(*v.PreserveClientIp) diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/types/enums.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/types/enums.go index b325330c..9a4ddf9a 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/types/enums.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/types/enums.go 
@@ -3041,6 +3041,25 @@ func (ImdsSupportValues) Values() []ImdsSupportValues { } } +type InitializationType string + +// Enum values for InitializationType +const ( + InitializationTypeDefault InitializationType = "default" + InitializationTypeProvisionedRate InitializationType = "provisioned-rate" +) + +// Values returns all known values for InitializationType. Note that this can be +// expanded in the future, and so it is only as up to date as the client. +// +// The ordering of this slice is not guaranteed to be stable across updates. +func (InitializationType) Values() []InitializationType { + return []InitializationType{ + "default", + "provisioned-rate", + } +} + type InstanceAttributeName string // Enum values for InstanceAttributeName @@ -10253,8 +10272,9 @@ type VolumeStatusName string // Enum values for VolumeStatusName const ( - VolumeStatusNameIoEnabled VolumeStatusName = "io-enabled" - VolumeStatusNameIoPerformance VolumeStatusName = "io-performance" + VolumeStatusNameIoEnabled VolumeStatusName = "io-enabled" + VolumeStatusNameIoPerformance VolumeStatusName = "io-performance" + VolumeStatusNameInitializationState VolumeStatusName = "initialization-state" ) // Values returns all known values for VolumeStatusName. Note that this can be @@ -10265,6 +10285,7 @@ func (VolumeStatusName) Values() []VolumeStatusName { return []VolumeStatusName{ "io-enabled", "io-performance", + "initialization-state", } } diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/types/types.go b/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/types/types.go index b67e59fd..7da6e496 100644 --- a/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/types/types.go +++ b/vendor/github.com/aws/aws-sdk-go-v2/service/ec2/types/types.go 
@@ -4421,7 +4421,8 @@ type Ec2InstanceConnectEndpoint struct { // The DNS name of the EC2 Instance Connect Endpoint. DnsName *string - // + // The Federal Information Processing Standards (FIPS) compliant DNS name of the + // EC2 Instance Connect Endpoint. FipsDnsName *string // The Amazon Resource Name (ARN) of the EC2 Instance Connect Endpoint. @@ -4430,6 +4431,9 @@ type Ec2InstanceConnectEndpoint struct { // The ID of the EC2 Instance Connect Endpoint. InstanceConnectEndpointId *string + // The IP address type of the endpoint. + IpAddressType IpAddressType + // The ID of the elastic network interface that Amazon EC2 automatically created // when creating the EC2 Instance Connect Endpoint. NetworkInterfaceIds []string @@ -6808,6 +6812,14 @@ type Image struct { // Specifies whether enhanced networking with ENA is enabled. EnaSupport *bool + // Indicates whether the image is eligible for Amazon Web Services Free Tier. + // + // - If true , the AMI is eligible for Free Tier and can be used to launch + // instances under the Free Tier limits. + // + // - If false , the AMI is not eligible for Free Tier. + FreeTierEligible *bool + // The hypervisor type of the image. Only xen is supported. ovm is not supported. Hypervisor HypervisorType 
@@ -7365,6 +7377,34 @@ type InferenceDeviceMemoryInfo struct { noSmithyDocumentSerde } +// Information about the volume initialization. For more information, see [Initialize Amazon EBS volumes]. +// +// [Initialize Amazon EBS volumes]: https://docs.aws.amazon.com/ebs/latest/userguide/initalize-volume.html +type InitializationStatusDetails struct { + + // The estimated remaining time, in seconds, for volume initialization to + // complete. Returns 0 when volume initialization has completed. + // + // Only available for volumes created with Amazon EBS Provisioned Rate for Volume + // Initialization. + EstimatedTimeToCompleteInSeconds *int64 + + // The method used for volume initialization. Possible values include: + // + // - default - Volume initialized using the default volume initialization rate or + // fast snapshot restore. + // + // - provisioned-rate - Volume initialized using an Amazon EBS Provisioned Rate + // for Volume Initialization. + InitializationType InitializationType + + // The current volume initialization progress as a percentage (0-100). Returns 100 + // when volume initialization has completed. + Progress *int64 + + noSmithyDocumentSerde +} + // Describes an instance. type Instance struct { 
@@ -22362,6 +22402,17 @@ type VolumeStatusAttachmentStatus struct { type VolumeStatusDetails struct { // The name of the volume status. + // + // - io-enabled - Indicates the volume I/O status. For more information, see [Amazon EBS volume status checks]. + // + // - io-performance - Indicates the volume performance status. For more + // information, see [Amazon EBS volume status checks]. + // + // - initialization-state - Indicates the status of the volume initialization + // process. For more information, see [Initialize Amazon EBS volumes]. + // + // [Amazon EBS volume status checks]: https://docs.aws.amazon.com/ebs/latest/userguide/monitoring-volume-checks.html + // [Initialize Amazon EBS volumes]: https://docs.aws.amazon.com/ebs/latest/userguide/initalize-volume.html Name VolumeStatusName // The intended status of the volume status. @@ -22424,6 +22475,17 @@ type VolumeStatusItem struct { // A list of events associated with the volume. Events []VolumeStatusEvent + // Information about the volume initialization. It can take up to 5 minutes for + // the volume initialization information to be updated. + // + // Only available for volumes created from snapshots. Not available for empty + // volumes created without a snapshot. + // + // For more information, see [Initialize Amazon EBS volumes]. + // + // [Initialize Amazon EBS volumes]: https://docs.aws.amazon.com/ebs/latest/userguide/initalize-volume.html + InitializationStatusDetails *InitializationStatusDetails + // The Amazon Resource Name (ARN) of the Outpost. OutpostArn *string diff --git a/vendor/github.com/cloudbase/garm-provider-common/cloudconfig/templates.go b/vendor/github.com/cloudbase/garm-provider-common/cloudconfig/templates.go index baf990e6..12f3fa65 100644 --- a/vendor/github.com/cloudbase/garm-provider-common/cloudconfig/templates.go +++ b/vendor/github.com/cloudbase/garm-provider-common/cloudconfig/templates.go 
@@ -261,6 +261,127 @@ function Start-ExecuteWithRetry {
 }
 }
+function Get-RandomString {
+ [CmdletBinding()]
+ Param(
+ [int]$Length=13
+ )
+ PROCESS {
+ if($Length -lt 6) {
+ $Length = 6
+ }
+ $special = @(44, 45, 46, 64)
+ $numeric = 48..57
+ $upper = 65..90
+ $lower = 97..122
+
+ $passwd = [System.Collections.Generic.List[object]](New-object "System.Collections.Generic.List[object]")
+ for($i=0; $i -lt $Length-4; $i++){
+ $c = get-random -input ($special + $numeric + $upper + $lower)
+ $passwd.Add([char]$c)
+ }
+
+ $passwd.Add([char](get-random -input $numeric))
+ $passwd.Add([char](get-random -input $special))
+ $passwd.Add([char](get-random -input $upper))
+ $passwd.Add([char](get-random -input $lower))
+
+ $Random = New-Object Random
+ return [string]::join("",($passwd|Sort-Object {$Random.Next()}))
+ }
+}
+
+Add-Type -TypeDefinition @"
+using System;
+using System.Runtime.InteropServices;
+using System.Text;
+
+public class GrantSysPrivileges
+{
+ [StructLayout(LayoutKind.Sequential)]
+ public struct LSA_UNICODE_STRING
+ {
+ public ushort Length;
+ public ushort MaximumLength;
+ public IntPtr Buffer;
+ }
+
+ [StructLayout(LayoutKind.Sequential)]
+ public struct LSA_OBJECT_ATTRIBUTES
+ {
+ public int Length;
+ public IntPtr RootDirectory;
+ public IntPtr ObjectName;
+ public uint Attributes;
+ public IntPtr SecurityDescriptor;
+ public IntPtr SecurityQualityOfService;
+ }
+
+ [DllImport("advapi32.dll", SetLastError=true)]
+ public static extern uint LsaOpenPolicy(
+ ref LSA_UNICODE_STRING SystemName,
+ ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
+ uint DesiredAccess,
+ out IntPtr PolicyHandle
+ );
+
+ [DllImport("advapi32.dll", SetLastError=true)]
+ public static extern uint LsaAddAccountRights(
+ IntPtr PolicyHandle,
+ IntPtr AccountSid,
+ LSA_UNICODE_STRING[] UserRights,
+ uint CountOfRights
+ );
+
+ [DllImport("advapi32.dll")]
+ public static extern uint LsaClose(IntPtr PolicyHandle);
+
+ [DllImport("advapi32.dll")]
+ public static extern uint LsaNtStatusToWinError(uint status);
+
+ public const uint POLICY_ALL_ACCESS = 0x00F0FFF;
+
+ public static uint GrantPrivilege(byte[] sid, string[] rights)
+ {
+ LSA_OBJECT_ATTRIBUTES loa = new LSA_OBJECT_ATTRIBUTES();
+ LSA_UNICODE_STRING systemName = new LSA_UNICODE_STRING();
+
+ IntPtr policyHandle;
+ uint result = LsaOpenPolicy(ref systemName, ref loa, POLICY_ALL_ACCESS, out policyHandle);
+ if (result != 0)
+ {
+ return LsaNtStatusToWinError(result);
+ }
+
+ LSA_UNICODE_STRING[] userRights = new LSA_UNICODE_STRING[rights.Length];
+ for (int i = 0; i < rights.Length; i++)
+ {
+ byte[] bytes = Encoding.Unicode.GetBytes(rights[i]);
+ IntPtr ptr = Marshal.AllocHGlobal(bytes.Length);
+ Marshal.Copy(bytes, 0, ptr, bytes.Length);
+
+ userRights[i].Buffer = ptr;
+ userRights[i].Length = (ushort)bytes.Length;
+ userRights[i].MaximumLength = (ushort)(bytes.Length);
+ }
+
+ IntPtr sidPtr = Marshal.AllocHGlobal(sid.Length);
+ Marshal.Copy(sid, 0, sidPtr, sid.Length);
+
+ result = LsaAddAccountRights(policyHandle, sidPtr, userRights, (uint)rights.Length);
+ LsaClose(policyHandle);
+
+ foreach (var right in userRights)
+ {
+ Marshal.FreeHGlobal(right.Buffer);
+ }
+ Marshal.FreeHGlobal(sidPtr);
+
+ return LsaNtStatusToWinError(result);
+ }
+}
+"@ -Language CSharp
 function Invoke-FastWebRequest {
 [CmdletBinding()]
 Param(
@@ -480,6 +601,26 @@ function Install-Runner() {
 Throw "missing metadata URL"
 }
+ # Create user with administrator rights to run service as
+ $userPasswd = Get-RandomString -Length 10
+ $secPasswd = ConvertTo-SecureString "$userPasswd" -AsPlainText -Force
+ New-LocalUser -Name "runner" -Password $secPasswd -PasswordNeverExpires -UserMayNotChangePassword
+ $pscreds = New-Object System.Management.Automation.PSCredential (".\runner", $secPasswd)
+ $adminGrpName = (Get-CimInstance win32_group -Filter 'SID = "S-1-5-32-544"').Name
+ if (!$adminGrpName) {
+ Throw "Could not find administrators group name"
+ }
+ Add-LocalGroupMember -Group $adminGrpName -Member runner
+ $ntAcct = New-Object System.Security.Principal.NTAccount("runner")
+ $sid = $ntAcct.Translate([System.Security.Principal.SecurityIdentifier])
+ $sidBytes = New-Object byte[] ($sid.BinaryLength)
+ $sid.GetBinaryForm($sidBytes, 0)
+
+ $result = [GrantSysPrivileges]::GrantPrivilege($sidBytes, ("SeBatchLogonRight", "SeServiceLogonRight"))
+ if ($result -ne 0) {
+ Throw "Failed to grant privileges"
+ }
+
 $bundle = wget -UseBasicParsing -Headers @{"Accept"="application/json"; "Authorization"="Bearer $Token"} -Uri $MetadataURL/system/cert-bundle
 $converted = ConvertFrom-Json $bundle
 foreach ($i in $converted.root_certificates.psobject.Properties){
@@ -514,6 +655,13 @@ function Install-Runner() {
 Update-GarmStatus -CallbackURL $CallbackURL -Message "using cached runner found at $runnerDir"
 }
+ # Ensure runner has full access to actions-runner folder
+ $runnerACL = Get-Acl $runnerDir
+ $runnerACL.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
+ "runner", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
+ )))
+ Set-Acl -Path $runnerDir -AclObject $runnerAcl
+
 Update-GarmStatus -CallbackURL $CallbackURL -Message "configuring and starting runner"
 cd $runnerDir
@@ -533,22 +681,23 @@ function Install-Runner() { Update-GarmStatus -CallbackURL $CallbackURL -Message "Creating system service" $SVC_NAME=(gc -raw $serviceNameFile) - New-Service -Name "$SVC_NAME" -BinaryPathName "C:\actions-runner\bin\RunnerService.exe" -DisplayName "$SVC_NAME" -Description "GitHub Actions Runner ($SVC_NAME)" -StartupType Automatic + New-Service -Name "$SVC_NAME" -BinaryPathName "C:\actions-runner\bin\RunnerService.exe" -DisplayName "$SVC_NAME" -Description "GitHub Actions Runner ($SVC_NAME)" -StartupType Automatic -Credential $pscreds Start-Service "$SVC_NAME" Set-SystemInfo -CallbackURL $CallbackURL -RunnerDir $runnerDir -BearerToken $Token Update-GarmStatus -Message "runner successfully installed" -CallbackURL $CallbackURL -Status "idle" | Out-Null {{- else }} - # Fetch GitHub runner registration token with retry $GithubRegistrationToken = Start-ExecuteWithRetry -ScriptBlock { Invoke-WebRequest -UseBasicParsing -Headers @{"Accept"="application/json"; "Authorization"="Bearer $Token"} -Uri $MetadataURL/runner-registration-token/ } -MaxRetryCount 5 -RetryInterval 5 -RetryMessage "Retrying download of GitHub registration token..." 
{{- if .GitHubRunnerGroup }}
- ./config.cmd --unattended --url "{{ .RepoURL }}" --token $GithubRegistrationToken --runnergroup {{.GitHubRunnerGroup}} --name "{{ .RunnerName }}" --labels "{{ .RunnerLabels }}" --no-default-labels --ephemeral --runasservice
+ ./config.cmd --unattended --url "{{ .RepoURL }}" --token $GithubRegistrationToken --runnergroup {{.GitHubRunnerGroup}} --name "{{ .RunnerName }}" --labels "{{ .RunnerLabels }}" --no-default-labels --ephemeral --runasservice --windowslogonaccount runner --windowslogonpassword "$userPasswd"
 {{- else}}
- ./config.cmd --unattended --url "{{ .RepoURL }}" --token $GithubRegistrationToken --name "{{ .RunnerName }}" --labels "{{ .RunnerLabels }}" --no-default-labels --ephemeral --runasservice
+ ./config.cmd --unattended --url "{{ .RepoURL }}" --token $GithubRegistrationToken --name "{{ .RunnerName }}" --labels "{{ .RunnerLabels }}" --no-default-labels --ephemeral --runasservice --windowslogonaccount runner --windowslogonpassword "$userPasswd"
 {{- end}}
-
+ if ($LASTEXITCODE) {
+ Throw "Failed to configure runner. Err code $LASTEXITCODE"
+ }
 $agentInfoFile = Join-Path $runnerDir ".runner"
 $agentInfo = ConvertFrom-Json (gc -raw $agentInfoFile)
 Set-SystemInfo -CallbackURL $CallbackURL -RunnerDir $runnerDir -BearerToken $Token
diff --git a/vendor/modules.txt b/vendor/modules.txt
index c2e244d8..312c2d91 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -54,7 +54,7 @@ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2
 # github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3
 ## explicit; go 1.22
 github.com/aws/aws-sdk-go-v2/internal/ini
-# github.com/aws/aws-sdk-go-v2/service/ec2 v1.231.0
+# github.com/aws/aws-sdk-go-v2/service/ec2 v1.233.0
 ## explicit; go 1.22
 github.com/aws/aws-sdk-go-v2/service/ec2
 github.com/aws/aws-sdk-go-v2/service/ec2/internal/endpoints
@@ -111,7 +111,7 @@ github.com/bahlo/generic-list-go
 # github.com/buger/jsonparser v1.1.1
 ## explicit; go 1.13
 github.com/buger/jsonparser
-# github.com/cloudbase/garm-provider-common v0.1.5
+# github.com/cloudbase/garm-provider-common v0.1.6
 ## explicit; go 1.23.0
 github.com/cloudbase/garm-provider-common/cloudconfig
 github.com/cloudbase/garm-provider-common/defaults