chore: new Windows signed scripts and package version (#176)

* windows scripts changes

* new scripts version

* update windows provision script package version

* clean up

* address comments

* additional windows scripts changes

* additional

* missed quote

* Update generated code

---------

Co-authored-by: christinalau0 <[email protected]>
Co-authored-by: Christina Lau <[email protected]>

Author: haofan-ms

packer.mk

@@ -17,7 +17,7 @@ run-packer-windows: az-login
 	@packer version && set -o pipefail && ($(MAKE) init-packer | tee packer-output) && ($(MAKE) build-packer-windows | tee -a packer-output)
 
 az-copy: az-login
-	azcopy-preview copy "${OS_DISK_SAS}" "${SA_CONTAINER_URL}?${SA_TOKEN}"
+	azcopy-preview copy "${OS_DISK_SAS}" "${SA_CONTAINER_URL}?${SA_TOKEN}" --overwrite=false
 
 delete-sa: az-login
 	az storage account delete -n ${PACKER_TEMP_SA} -g ${PACKER_TEMP_GROUP} --yes

parts/k8s/kuberneteswindowsfunctions.ps1

@@ -200,7 +200,7 @@ function Get-LogCollectionScripts {
     DownloadFileOverHttp -Url 'https://github.com/microsoft/SDN/raw/master/Kubernetes/windows/debug/stoppacketcapture.cmd' -DestinationPath 'c:\k\debug\stoppacketcapture.cmd'
     DownloadFileOverHttp -Url 'https://github.com/Microsoft/SDN/raw/master/Kubernetes/windows/debug/VFP.psm1' -DestinationPath 'c:\k\debug\VFP.psm1'
     DownloadFileOverHttp -Url 'https://github.com/microsoft/SDN/raw/master/Kubernetes/windows/helper.psm1' -DestinationPath 'c:\k\debug\helper.psm1'
-    DownloadFileOverHttp -Url 'https://github.com/microsoft/SDN/raw/master/Kubernetes/windows/hns.psm1' -DestinationPath 'c:\k\debug\hns.psm1'
+    DownloadFileOverHttp -Url 'https://github.com/microsoft/SDN/raw/master/Kubernetes/windows/hns.v2.psm1' -DestinationPath 'c:\k\debug\hns.v2.psm1'
 }
 
 function Register-LogsCleanupScriptTask {
@@ -235,7 +235,7 @@ function Write-KubeClusterConfig {
     $Global:ClusterConfiguration = [PSCustomObject]@{ }
 
     $Global:ClusterConfiguration | Add-Member -MemberType NoteProperty -Name Cri -Value @{
-        Name   = $global:ContainerRuntime;
+        Name   = "containerd";
         Images = @{
             # e.g. "mcr.microsoft.com/oss/kubernetes/pause:3.8"
             "Pause" = $global:WindowsPauseImageURL
@@ -298,10 +298,8 @@ function Update-DefenderPreferences {
     Add-MpPreference -ExclusionProcess "c:\k\kubelet.exe"
 
     if ($global:EnableCsiProxy) {
-        Add-MpPreference -ExclusionProcess "c:\k\csi-proxy-server.exe"
+        Add-MpPreference -ExclusionProcess "c:\k\csi-proxy.exe"
     }
 
-    if ($global:ContainerRuntime -eq 'containerd') {
-        Add-MpPreference -ExclusionProcess "c:\program files\containerd\containerd.exe"
-    }
+    Add-MpPreference -ExclusionProcess "c:\program files\containerd\containerd.exe"
 }

parts/k8s/kuberneteswindowssetup.ps1

@@ -115,7 +115,7 @@ $global:ExcludeMasterFromStandardLB = "{{WrapAsVariable "excludeMasterFromStanda
 # Windows defaults, not changed by aks-engine
 $global:CacheDir = "c:\akse-cache"
 $global:KubeDir = "c:\k"
-$global:HNSModule = [Io.path]::Combine("$global:KubeDir", "hns.psm1")
+$global:HNSModule = [Io.path]::Combine("$global:KubeDir", "hns.v2.psm1")
 
 $global:KubeDnsSearchPath = "svc.cluster.local"
 
@@ -173,7 +173,6 @@ Expand-Archive scripts.zip -DestinationPath "C:\\AzureData\\"
 . c:\AzureData\k8s\windowscontainerdfunc.ps1
 . c:\AzureData\k8s\windowshostsconfigagentfunc.ps1
 
-$useContainerD = ($global:ContainerRuntime -eq "containerd")
 $global:KubeClusterConfigPath = "c:\k\kubeclusterconfig.json"
 
 try
@@ -277,27 +276,17 @@ try
             Get-KubeBinaries -KubeBinariesURL $global:WindowsKubeBinariesURL
         }
 
-        if ($useContainerD) {
-            Write-Log "Installing ContainerD"
-            $containerdTimer = [System.Diagnostics.Stopwatch]::StartNew()
-            $cniBinPath = $global:AzureCNIBinDir
-            $cniConfigPath = $global:AzureCNIConfDir
-            if ($global:NetworkPlugin -eq "kubenet") {
-                $cniBinPath = $global:CNIPath
-                $cniConfigPath = $global:CNIConfigPath
-            }
-            Install-Containerd -ContainerdUrl $global:ContainerdUrl -CNIBinDir $cniBinPath -CNIConfDir $cniConfigPath -KubeDir $global:KubeDir
-            $containerdTimer.Stop()
-            $global:AppInsightsClient.TrackMetric("Install-ContainerD", $containerdTimer.Elapsed.TotalSeconds)
-            # TODO: disable/uninstall Docker later
-        } else {
-            Write-Log "Install docker"
-            $dockerTimer = [System.Diagnostics.Stopwatch]::StartNew()
-            Install-Docker -DockerVersion $global:DockerVersion
-            Set-DockerLogFileOptions
-            $dockerTimer.Stop()
-            $global:AppInsightsClient.TrackMetric("Install-Docker", $dockerTimer.Elapsed.TotalSeconds)
+        Write-Log "Installing ContainerD"
+        $containerdTimer = [System.Diagnostics.Stopwatch]::StartNew()
+        $cniBinPath = $global:AzureCNIBinDir
+        $cniConfigPath = $global:AzureCNIConfDir
+        if ($global:NetworkPlugin -eq "kubenet") {
+            $cniBinPath = $global:CNIPath
+            $cniConfigPath = $global:CNIConfigPath
         }
+        Install-Containerd -ContainerdUrl $global:ContainerdUrl -CNIBinDir $cniBinPath -CNIConfDir $cniConfigPath -KubeDir $global:KubeDir
+        $containerdTimer.Stop()
+        $global:AppInsightsClient.TrackMetric("Install-ContainerD", $containerdTimer.Elapsed.TotalSeconds)
 
         Write-Log "Write Azure cloud provider config"
         Write-AzureConfig `
@@ -351,19 +340,14 @@ try
 
         Write-Log "Create the Pause Container kubletwin/pause"
         $infraContainerTimer = [System.Diagnostics.Stopwatch]::StartNew()
-        New-InfraContainer -KubeDir $global:KubeDir -ContainerRuntime $global:ContainerRuntime
+        New-InfraContainer -KubeDir $global:KubeDir
         $infraContainerTimer.Stop()
         $global:AppInsightsClient.TrackMetric("New-InfraContainer", $infraContainerTimer.Elapsed.TotalSeconds)
 
-        if (-not (Test-ContainerImageExists -Image "kubletwin/pause" -ContainerRuntime $global:ContainerRuntime)) {
+        if (-not (Test-ContainerImageExists -Image "kubletwin/pause")) {
             Write-Log "Could not find container with name kubletwin/pause"
-            if ($useContainerD) {
-                $o = ctr -n k8s.io image list
-                Write-Log $o
-            } else {
-                $o = docker image list
-                Write-Log $o
-            }
+            $o = ctr -n k8s.io image list
+            Write-Log $o
             throw "kubletwin/pause container does not exist!"
         }
 
@@ -404,19 +388,14 @@ try
         }
         elseif ($global:NetworkPlugin -eq "kubenet") {
             Write-Log "Fetching additional files needed for kubenet"
-            if ($useContainerD) {
-                # TODO: CNI may need to move to c:\program files\containerd\cni\bin with ContainerD
-                Install-SdnBridge -Url $global:ContainerdSdnPluginUrl -CNIPath $global:CNIPath
-            } else {
-                Update-WinCNI -CNIPath $global:CNIPath
-            }
+            # TODO: CNI may need to move to c:\program files\containerd\cni\bin with ContainerD
+            Install-SdnBridge -Url $global:ContainerdSdnPluginUrl -CNIPath $global:CNIPath
         }
 
         New-ExternalHnsNetwork -IsDualStackEnabled $global:IsDualStackEnabled
 
         Install-KubernetesServices `
-            -KubeDir $global:KubeDir `
-            -ContainerRuntime $global:ContainerRuntime
+            -KubeDir $global:KubeDir
 
         Get-LogCollectionScripts
 
@@ -441,7 +420,7 @@ try
         PREPROVISION_EXTENSION
 
         Write-Log "Update service failure actions"
-        Update-ServiceFailureActions -ContainerRuntime $global:ContainerRuntime
+        Update-ServiceFailureActions
 
         Adjust-DynamicPortRange
         Register-LogsCleanupScriptTask

parts/k8s/windowsazurecnifunc.ps1

@@ -1,23 +1,4 @@
-
-
-# TODO: remove - dead code?
-function
-Set-VnetPluginMode()
-{
-    Param(
-        [Parameter(Mandatory=$true)][string]
-        $AzureCNIConfDir,
-        [Parameter(Mandatory=$true)][string]
-        $Mode
-    )
-    # Sets Azure VNET CNI plugin operational mode.
-    $fileName  = [Io.path]::Combine("$AzureCNIConfDir", "10-azure.conflist")
-    (Get-Content $fileName) | %{$_ -replace "`"mode`":.*", "`"mode`": `"$Mode`","} | Out-File -encoding ASCII -filepath $fileName
-}
-
-
-function
-Install-VnetPlugins
+function Install-VnetPlugins
 {
     Param(
         [Parameter(Mandatory=$true)][string]
@@ -44,16 +25,7 @@ Install-VnetPlugins
     move $AzureCNIBinDir/*.conflist $AzureCNIConfDir
 }
 
-# TODO: remove - dead code?
-function
-Set-AzureNetworkPlugin()
-{
-    # Azure VNET network policy requires tunnel (hairpin) mode because policy is enforced in the host.
-    Set-VnetPluginMode "tunnel"
-}
-
-function
-Set-AzureCNIConfig
+function Set-AzureCNIConfig
 {
     Param(
         [Parameter(Mandatory=$true)][string]
@@ -98,7 +70,35 @@ Set-AzureCNIConfig
         $configJson.plugins.AdditionalArgs[0].Value.ExceptionList = $processedExceptions
     }
     else {
-        $configJson.plugins.AdditionalArgs[0].Value.ExceptionList = $exceptionAddresses
+        if ($IsDualStackEnabled) {
+            $ipv4Cidrs = @()
+            $ipv6Cidrs = @()
+            foreach ($cidr in $exceptionAddresses) {
+                # this is the pwsh way of strings.Count(s, ":") >= 2
+                if (($cidr -split ":").Count -ge 3) {
+                    $ipv6Cidrs += $cidr
+                } else {
+                    $ipv4Cidrs += $cidr
+                }
+            }
+
+            # we just assume the first entry in additional Args is the exception
+            # list for IPv4 and then append a new EnpointPolicy for IPv6. We
+            # probably shouldn't hard code the first one like this and just build
+            # 2 EndpointPolicies and append to the AdditionalArgs.
+            $configJson.plugins.AdditionalArgs[0].Value.ExceptionList = $ipv4Cidrs
+
+            $outboundException = [PSCustomObject]@{
+                Name = 'EndpointPolicy'
+                Value = [PSCustomObject]@{
+                    Type = 'OutBoundNAT'
+                    ExceptionList = $ipv6Cidrs
+                }
+            }
+            $configJson.plugins[0].AdditionalArgs += $outboundException
+        } else {
+            $configJson.plugins.AdditionalArgs[0].Value.ExceptionList = $exceptionAddresses
+        }
     }
 
     if ($IsDualStackEnabled){

parts/k8s/windowscnifunc.ps1

@@ -2,26 +2,13 @@ function Get-HnsPsm1
 {
     Param(
         [string]
-        $HnsUrl = "https://github.com/Microsoft/SDN/raw/master/Kubernetes/windows/hns.psm1",
+        $HnsUrl = "https://github.com/Microsoft/SDN/raw/master/Kubernetes/windows/hns.v2.psm1",
         [Parameter(Mandatory=$true)][string]
         $HNSModule
     )
     DownloadFileOverHttp -Url $HnsUrl -DestinationPath "$HNSModule"
 }
 
-function Update-WinCNI
-{
-    Param(
-        [string]
-        $WinCniUrl = "https://github.com/Microsoft/SDN/raw/master/Kubernetes/flannel/l2bridge/cni/win-bridge.exe",
-        [Parameter(Mandatory=$true)][string]
-        $CNIPath
-    )
-    $wincni = "win-bridge.exe"
-    $wincniFile = [Io.path]::Combine($CNIPath, $wincni)
-    DownloadFileOverHttp -Url $WinCniUrl -DestinationPath $wincniFile
-}
-
 function Install-SdnBridge
 {
     Param(

parts/k8s/windowsconfigfunc.ps1

@@ -40,95 +40,6 @@ function Set-Explorer
     New-ItemProperty -Path HKLM:"\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main" -Name "Start Page" -Type String -Value http://bing.com
 }
 
-function Install-Docker
-{
-    Param(
-        [Parameter(Mandatory=$true)][string]
-        $DockerVersion
-    )
-
-    # DOCKER_API_VERSION needs to be set for Docker versions older than 18.09.0 EE
-    # due to https://github.com/kubernetes/kubernetes/issues/69996
-    # this issue was fixed by https://github.com/kubernetes/kubernetes/issues/69996#issuecomment-438499024
-    # Note: to get a list of all versions, use this snippet
-    # $versions = (curl.exe -L "https://go.microsoft.com/fwlink/?LinkID=825636&clcid=0x409" | ConvertFrom-Json).Versions | Get-Member -Type NoteProperty | Select-Object Name
-    # Docker version to API version decoder: https://docs.docker.com/develop/sdk/#api-version-matrix
-
-    switch ($DockerVersion.Substring(0,5))
-    {
-        "17.06" {
-            Write-Log "Docker 17.06 found, setting DOCKER_API_VERSION to 1.30"
-            [System.Environment]::SetEnvironmentVariable('DOCKER_API_VERSION', '1.30', [System.EnvironmentVariableTarget]::Machine)
-        }
-
-        "18.03" {
-            Write-Log "Docker 18.03 found, setting DOCKER_API_VERSION to 1.37"
-            [System.Environment]::SetEnvironmentVariable('DOCKER_API_VERSION', '1.37', [System.EnvironmentVariableTarget]::Machine)
-        }
-
-        default {
-            Write-Log "Docker version $DockerVersion found, clearing DOCKER_API_VERSION"
-            [System.Environment]::SetEnvironmentVariable('DOCKER_API_VERSION', $null, [System.EnvironmentVariableTarget]::Machine)
-        }
-    }
-
-    try {
-        $installDocker = $true
-        $dockerService = Get-Service | ? Name -like 'docker'
-        if ($dockerService.Count -eq 0) {
-            Write-Log "Docker is not installed. Install docker version($DockerVersion)."
-        }
-        else {
-            $dockerServerVersion = docker version --format '{{.Server.Version}}'
-            Write-Log "Docker service is installed with docker version($dockerServerVersion)."
-            if ($dockerServerVersion -eq $DockerVersion) {
-                $installDocker = $false
-                Write-Log "Same version docker installed will skip installing docker version($dockerServerVersion)."
-            }
-            else {
-                Write-Log "Same version docker is not installed. Will install docker version($DockerVersion)."
-            }
-        }
-
-        if ($installDocker) {
-            Find-Package -Name Docker -ProviderName DockerMsftProvider -RequiredVersion $DockerVersion -ErrorAction Stop
-            Write-Log "Found version $DockerVersion. Installing..."
-            Install-Package -Name Docker -ProviderName DockerMsftProvider -Update -Force -RequiredVersion $DockerVersion
-            net start docker
-            Write-Log "Installed version $DockerVersion"
-        }
-    } catch {
-        Write-Log "Error while installing package: $_.Exception.Message"
-        $currentDockerVersion = (Get-Package -Name Docker -ProviderName DockerMsftProvider).Version
-        Write-Log "Not able to install docker version. Using default version $currentDockerVersion"
-    }
-}
-
-function Set-DockerLogFileOptions {
-    Write-Log "Updating log file options in docker config"
-    $dockerConfigPath = "C:\ProgramData\docker\config\daemon.json"
-
-    if (-not (Test-Path $dockerConfigPath)) {
-        "{}" | Out-File $dockerConfigPath
-    }
-
-    $dockerConfig = Get-Content $dockerConfigPath | ConvertFrom-Json
-    $dockerConfig | Add-Member -Name "log-driver" -Value "json-file" -MemberType NoteProperty
-    $logOpts = @{ "max-size" = "50m"; "max-file" = "5" }
-    $dockerConfig | Add-Member -Name "log-opts" -Value $logOpts -MemberType NoteProperty
-    $dockerConfig = $dockerConfig | ConvertTo-Json -Depth 10
-
-    Write-Log "New docker config:"
-    Write-Log $dockerConfig
-
-    # daemon.json MUST be encoded as UTF8-no-BOM!
-    Remove-Item $dockerConfigPath
-    $fileEncoding = New-Object System.Text.UTF8Encoding $false
-    [IO.File]::WriteAllLInes($dockerConfigPath, $dockerConfig, $fileEncoding)
-
-    Restart-Service docker
-}
-
 # Pagefile adjustments
 function Adjust-PageFileSize()
 {
@@ -153,13 +64,9 @@ function Adjust-DynamicPortRange()
 # Service start actions. These should be split up later and included in each install step
 function Update-ServiceFailureActions
 {
-    Param(
-        [Parameter(Mandatory = $true)][string]
-        $ContainerRuntime
-    )
     sc.exe failure "kubelet" actions= restart/60000/restart/60000/restart/60000 reset= 900
     sc.exe failure "kubeproxy" actions= restart/60000/restart/60000/restart/60000 reset= 900
-    sc.exe failure $ContainerRuntime actions= restart/60000/restart/60000/restart/60000 reset= 900
+    sc.exe failure "containerd" actions= restart/60000/restart/60000/restart/60000 reset= 900
 }
 
 function Add-SystemPathEntry

parts/k8s/windowscontainerdfunc.ps1

@@ -33,9 +33,27 @@ function RegisterContainerDService {
   & "$KubeDir\nssm.exe" set containerd AppRotateSeconds 86400 | RemoveNulls
   & "$KubeDir\nssm.exe" set containerd AppRotateBytes 10485760 | RemoveNulls
 
-  $svc = Get-Service -Name "containerd" -ErrorAction SilentlyContinue
-  if ($svc.Status -ne "Running") {
+  $retryCount=0
+  $retryInterval=10
+  $maxRetryCount=6 # 1 minutes
+
+  do {
+    $svc = Get-Service -Name "containerd" -ErrorAction SilentlyContinue
+    if ($null -eq $svc) {
+      throw "Error: containerd.exe did not get installed as a service correctly."
+    }
+    if ($svc.Status -eq "Running") {
+      break
+    }
+    Write-Log "Starting containerd, current status: $svc.Status"
     Start-Service containerd
+    $retryCount++
+    Write-Log "Retry $retryCount : Sleep $retryInterval and check containerd status"
+    Sleep $retryInterval
+  } while ($retryCount -lt $maxRetryCount)
+
+  if ($svc.Status -ne "Running") {
+    throw "Eror: containerd service is not running"
   }
 }