

update install script
HarrisonWAffel committed Oct 2, 2024
1 parent 4293d68 commit 34718ba
Showing 7 changed files with 280 additions and 23 deletions.
9 changes: 5 additions & 4 deletions go.mod
Expand Up @@ -59,7 +59,7 @@ require (
github.com/mattn/go-colorable v0.1.13
github.com/pkg/errors v0.9.1
github.com/rancher/remotedialer v0.4.1
github.com/rancher/system-agent v0.3.9
github.com/rancher/system-agent v0.3.10-rc.1
github.com/sirupsen/logrus v1.9.3
github.com/urfave/cli/v2 v2.27.4
golang.org/x/sync v0.8.0
Expand Down Expand Up @@ -100,7 +100,7 @@ require (
github.com/google/cel-go v0.17.8 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/go-containerregistry v0.20.1 // indirect
github.com/google/go-containerregistry v0.20.2 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
Expand All @@ -126,7 +126,8 @@ require (
github.com/prometheus/common v0.44.0 // indirect
github.com/prometheus/procfs v0.10.1 // indirect
github.com/rancher/lasso v0.0.0-20230830164424-d684fdeb6f29 // indirect
github.com/rancher/wharfie v0.6.6 // indirect
github.com/rancher/permissions v0.0.0-20240924180251-69b0dcb34065 // indirect
github.com/rancher/wharfie v0.6.7 // indirect
github.com/rancher/wrangler v1.1.1 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/spf13/cobra v1.7.0 // indirect
Expand Down Expand Up @@ -171,7 +172,7 @@ require (
k8s.io/cloud-provider v0.0.0 // indirect
k8s.io/component-base v0.29.7 // indirect
k8s.io/controller-manager v0.29.7 // indirect
k8s.io/klog/v2 v2.120.1 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kms v0.29.7 // indirect
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
k8s.io/kubelet v0.24.2 // indirect
22 changes: 12 additions & 10 deletions go.sum
Expand Up @@ -166,8 +166,8 @@ github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvR
github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-containerregistry v0.20.1 h1:eTgx9QNYugV4DN5mz4U8hiAGTi1ybXn0TPi4Smd8du0=
github.com/google/go-containerregistry v0.20.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo=
github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
Expand Down Expand Up @@ -288,16 +288,18 @@ github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPH
github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
github.com/rancher/client-go v1.29.3-rancher1 h1:4nZ6BEtFLxBSomVgJFSCoOAmfo6hr8PYMwnsZk1Ubu8=
github.com/rancher/client-go v1.29.3-rancher1/go.mod h1:tkDisCvgPfiRpxGnOORfkljmS+UrW+WtXAy2fTvXJB0=
github.com/rancher/dynamiclistener v0.3.5 h1:5TaIHvkDGmZKvc96Huur16zfTKOiLhDtK4S+WV0JA6A=
github.com/rancher/dynamiclistener v0.3.5/go.mod h1:dW/YF6/m2+uEyJ5VtEcd9THxda599HP6N9dSXk81+k0=
github.com/rancher/dynamiclistener v0.3.6 h1:iAFWeiFNra6tYlt4k+jINrK3hOxZ8mjW2S/9nA6sxKs=
github.com/rancher/dynamiclistener v0.3.6/go.mod h1:VqBaJNi+bZmre0+gi+2Jb6jbn7ovHzRueW+M7QhVKsk=
github.com/rancher/lasso v0.0.0-20230830164424-d684fdeb6f29 h1:+kige/h8/LnzWgPjB5NUIHz/pWiW/lFpqcTUkN5uulY=
github.com/rancher/lasso v0.0.0-20230830164424-d684fdeb6f29/go.mod h1:kgk9kJVMj9FIrrXU0iyM6u/9Je4bEjPImqswkTVaKsQ=
github.com/rancher/permissions v0.0.0-20240924180251-69b0dcb34065 h1:nJPrW/DdnSYQnKryQYlFXMs6nh12Q7MCW8Zb6l9Cb1A=
github.com/rancher/permissions v0.0.0-20240924180251-69b0dcb34065/go.mod h1:PDAb+l6/i6cbSokQ2CuNCgGOT/BHQY2WgZATwPXEyU4=
github.com/rancher/remotedialer v0.4.1 h1:jwOf2kPRjBBpSFofv1OuZHWaYHeC9Eb6/XgDvbkoTgc=
github.com/rancher/remotedialer v0.4.1/go.mod h1:Ys004RpJuTLSm+k4aYUCoFiOOad37ubYev3TkOFg/5w=
github.com/rancher/system-agent v0.3.9 h1:6t5EqF3n9yKePBhdSePCT1ASm8F4Gu+mjbnNrVMtzao=
github.com/rancher/system-agent v0.3.9/go.mod h1:hG3HockCxJkeUbcdxsYz3qHYaXv6O4fLiehlB28+szQ=
github.com/rancher/wharfie v0.6.6 h1:ESxPxBDiq9RXd8G9fC71qc7+AbetThVtxPC9K8VVZ2Y=
github.com/rancher/wharfie v0.6.6/go.mod h1:sfCy07HF8EE1MDKhpDc/cLptLTiTC0y/wisD44gr8uc=
github.com/rancher/system-agent v0.3.10-rc.1 h1:WjPVxWnHCiEBERgPur5faIDUyIkhb1fBLUEBJjuqkQw=
github.com/rancher/system-agent v0.3.10-rc.1/go.mod h1:pX+68YRd0Z/7PFgKxTWTq8WweviGTYAo7kCz2RsUK3g=
github.com/rancher/wharfie v0.6.7 h1:BhbBVJSLoDQMkZb+zVTLEKckUbq4sc3ZmEYqGakggSY=
github.com/rancher/wharfie v0.6.7/go.mod h1:ew49A9PzRsTngdzXIkgakfhMq3mHMA650HS1OVQpaNA=
github.com/rancher/wrangler v1.1.1 h1:wmqUwqc2M7ADfXnBCJTFkTB5ZREWpD78rnZMzmxwMvM=
github.com/rancher/wrangler v1.1.1/go.mod h1:ioVbKupzcBOdzsl55MvEDN0R1wdGggj8iNCYGFI5JvM=
github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
Expand Down Expand Up @@ -576,8 +578,8 @@ k8s.io/component-base v0.29.7 h1:zXLJvZjvvDWdYmZCwZYk95E1Fd2oRXUz71mQukkRk5I=
k8s.io/component-base v0.29.7/go.mod h1:ddLTpIrjazaRI1EG83M41GNcYEAdskuQmx4JOOSXCOg=
k8s.io/controller-manager v0.29.7 h1:8FC9kQAm+BUTrAKyCS2uOaTXBytV3eEOIREfrFxaCjo=
k8s.io/controller-manager v0.29.7/go.mod h1:lAua8GONLnkPAHPSzU0POmvHLhsKeHbjHnVtEQPfUno=
k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
k8s.io/kms v0.29.7 h1:4ELQdx7T4EPKbN/QMj6SeZizrEKapza5YF8e5XtZPv0=
k8s.io/kms v0.29.7/go.mod h1:vWVImKkJd+1BQY4tBwdfSwjQBiLrnbNtHADcDEDQFtk=
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag=
96 changes: 94 additions & 2 deletions install.ps1
Expand Up @@ -22,14 +22,15 @@
- CATTLE_AGENT_BINARY_URL (default: latest GitHub release)
- CATTLE_PRESERVE_WORKDIR (default: false)
- CATTLE_REMOTE_ENABLED (default: true)
- CATTLE_LOCAL_ENABLED (default: false)
- CATTLE_ID (default: autogenerate)
- CATTLE_AGENT_BINARY_LOCAL (default: false)
- CATTLE_AGENT_BINARY_LOCAL_LOCATION (default: )
- CSI_PROXY_URL (default: )
- CSI_PROXY_VERSION (default: )
- CSI_PROXY_KUBELET_PATH (default: )
.EXAMPLE
.EXAMPLE
#>
#Make sure this params matches the CmdletBinding below
param (
Expand Down Expand Up @@ -213,6 +214,12 @@ function Invoke-WinsInstaller {
$env:CATTLE_REMOTE_ENABLED = $env:CATTLE_REMOTE_ENABLED.ToLower()
}

if (-Not $env:CATTLE_LOCAL_ENABLED) {
$env:CATTLE_LOCAL_ENABLED = "false"
} else {
$env:CATTLE_LOCAL_ENABLED = $env:CATTLE_LOCAL_ENABLED.ToLower()
}

if (-Not $env:CATTLE_PRESERVE_WORKDIR) {
$env:CATTLE_PRESERVE_WORKDIR = "false"
}
Expand Down Expand Up @@ -277,6 +284,14 @@ function Invoke-WinsInstaller {
}
}

if (($env:CATTLE_REMOTE_ENABLED -eq "true") -and ($env:CATTLE_LOCAL_ENABLED -eq "true")){
Write-LogFatal "Both CATTLE_LOCAL_ENABLED and CATTLE_REMOTE_ENABLED were enabled, exiting as only one can be enabled"
}

if (($env:CATTLE_REMOTE_ENABLED -eq "false") -and ($env:CATTLE_LOCAL_ENABLED -eq "false")){
Write-LogFatal "Neither CATTLE_LOCAL_ENABLED nor CATTLE_REMOTE_ENABLED were enabled, exiting as one must be enabled"
}

if (-Not $env:CATTLE_AGENT_CONFIG_DIR) {
$env:CATTLE_AGENT_CONFIG_DIR = "C:/etc/rancher/wins"
Write-LogInfo "Using default agent configuration directory $( $env:CATTLE_AGENT_CONFIG_DIR )"
Expand Down Expand Up @@ -463,6 +478,7 @@ function Invoke-WinsInstaller {
}
}
}
Set-RestrictedPermissions -Path $env:CATTLE_AGENT_VAR_DIR/rancher2_connection_info.json
}
}

Expand All @@ -487,6 +503,7 @@ systemagent:
workDirectory: $($env:CATTLE_AGENT_VAR_DIR)/work
appliedPlanDirectory: $($env:CATTLE_AGENT_VAR_DIR)/applied
remoteEnabled: $($env:CATTLE_REMOTE_ENABLED)
localEnabled: $($env:CATTLE_LOCAL_ENABLED)
preserveWorkDirectory: $($env:CATTLE_PRESERVE_WORKDIR)
"@
Add-Content -Path $env:CATTLE_AGENT_CONFIG_DIR/config -Value $agentConfig
Expand All @@ -501,6 +518,7 @@ systemagent:
"@
Add-Content -Path $env:CATTLE_AGENT_CONFIG_DIR/config -Value $tlsConfig
}
Set-RestrictedPermissions -Path $env:CATTLE_AGENT_CONFIG_DIR/config
}

function Set-CsiProxyConfig() {
Expand Down Expand Up @@ -614,10 +632,84 @@ csi-proxy:
}
}

function Set-RestrictedPermissions {
[CmdletBinding()]
param (
[Parameter(Mandatory=$true)]
[string]
$Path,
[Parameter(Mandatory=$false)]
[Switch]
$Directory
)

$Owner = "BUILTIN\Administrators"
$Group = "NT AUTHORITY\SYSTEM"

$acl = Get-Acl $Path

# cleanup existing rules by removing both explicit and inherited rules.
foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
$acl.RemoveAccessRule($rule) | Out-Null
}

$acl.SetAccessRuleProtection($true, $false)
$acl.SetOwner((New-Object System.Security.Principal.NTAccount($Owner)))
$acl.SetGroup((New-Object System.Security.Principal.NTAccount($Group)))

Set-FileSystemAccessRule -Directory $Directory -acl $acl

Set-Acl -Path $Path -AclObject $acl
}

function Set-FileSystemAccessRule() {
[CmdletBinding()]
param (
[Parameter(Mandatory=$true)]
[Boolean]
$Directory,
[Parameter(Mandatory=$false)]
[System.Security.AccessControl.ObjectSecurity]
$acl
)
$users = @(
$acl.Owner,
$acl.Group
)
# Note that the function signature for files and directories
# intentionally differ.
$FullPath = Resolve-Path $Path
if ($Directory -eq $true) {
Write-LogInfo "Setting restricted ACL on $FullPath directory"
foreach ($user in $users) {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
$user,
[System.Security.AccessControl.FileSystemRights]::FullControl,
[System.Security.AccessControl.InheritanceFlags]'ObjectInherit,ContainerInherit',
[System.Security.AccessControl.PropagationFlags]::None,
[System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
}
} else {
Write-LogInfo "Setting restricted ACL on $FullPath"
foreach ($user in $users) {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
$user,
[System.Security.AccessControl.FileSystemRights]::FullControl,
[System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
}
}
}

function Invoke-WinsAgentInstall() {
$serviceName = "rancher-wins"
Get-Args
Set-Environment
Set-RestrictedPermissions -Path $env:CATTLE_AGENT_CONFIG_DIR -Directory
Set-RestrictedPermissions -Path $env:CATTLE_AGENT_VAR_DIR -Directory
Set-Path
Test-CaCheckSum

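Review bot: `Set-FileSystemAccessRule` reads `$Path` on the `$FullPath = Resolve-Path $Path` line although `$Path` is not among its parameters; it only resolves through PowerShell's dynamic scoping from the calling `Set-RestrictedPermissions`, so the helper breaks the moment it is called from anywhere else, and `$acl` is declared `Mandatory=$false` yet dereferenced unconditionally. Add `[Parameter(Mandatory=$true)] [string] $Path` to its param block, make `$acl` mandatory, and call it as `Set-FileSystemAccessRule -Directory $Directory -acl $acl -Path $Path`. The comment `# cleanup existing rules by removing both explicit and inherited rules.` overstates what that loop does: as far as I can tell `RemoveAccessRule` strips only explicit ACEs, and it is the following `SetAccessRuleProtection($true, $false)` that discards the inherited ones when the ACL is written back, so the comment should credit the protection call since that is what actually yields the Administrators/SYSTEM-only result. The two `Set-RestrictedPermissions ... -Directory` calls in `Invoke-WinsAgentInstall` assume the config and var directories already exist at that point (`Get-Acl` fails on a missing path); that function body continues outside the hunk, so I could not confirm where they are created.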
81 changes: 81 additions & 0 deletions tests/integration/install_test.ps1
@@ -0,0 +1,81 @@
$ErrorActionPreference = "Stop"

Import-Module -Name @(
"$PSScriptRoot\utils.psm1"
) -WarningAction Ignore

# clean interferences
try {
Get-Process -Name "rancher-wins-*" -ErrorAction Ignore | Stop-Process -Force -ErrorAction Ignore
Get-NetFirewallRule -PolicyStore ActiveStore -Name "rancher-wins-*" -ErrorAction Ignore | ForEach-Object { Remove-NetFirewallRule -Name $_.Name -PolicyStore ActiveStore -ErrorAction Ignore } | Out-Null
Get-Process -Name "wins" -ErrorAction Ignore | Stop-Process -Force -ErrorAction Ignore
}
catch {
Log-Warn $_.Exception.Message
}

Describe "install" {
BeforeEach {
# note: we cannot test system agent install today since we need a mocked API server
Log-Info "Running install script"
# note: Simply running the install script does not do anything. During normal provisioning,
# Rancher will mutate the install script to both add environment variables, and to call
# the primary function 'Invoke-WinsInstaller'. As this is an integration test, we need to manually
# update the install script ourselves.
Add-Content -Path ./install.ps1 -Value '$env:CATTLE_REMOTE_ENABLED = "false"'
Add-Content -Path ./install.ps1 -Value '$env:CATTLE_LOCAL_ENABLED = "true"'
Add-Content -Path ./install.ps1 -Value Invoke-WinsInstaller

.\install.ps1
}

AfterEach {
Log-Info "Running uninstall script"
try {
# note: since this script may not be run by an administrator, it's possible that it might fail
# on trying to delete certain files with ACLs attached to them.
# If you are running this locally, make sure you run with admin privileges.
# On CI, since we don't run as an admin today, this prevents automatic failure when the right ACLs are set.
.\uninstall.ps1
} catch {
Log-Warn "You need to manually run uninstall.ps1, encountered error: $($_.Exception.Message)"
}
}

It "creates files and directories with scoped down permissions" {
# While these get set in install.ps1, pester removes them as
# install.ps1 is called in the BeforeEach block
$env:CATTLE_AGENT_VAR_DIR = "c:/var/lib/rancher/agent"
$env:CATTLE_AGENT_CONFIG_DIR = "c:/etc/rancher/wins"

$restrictedPaths = @(
$env:CATTLE_AGENT_VAR_DIR,
$env:CATTLE_AGENT_CONFIG_DIR,
"$env:CATTLE_AGENT_CONFIG_DIR/config"

# TODO: to test the creation of rancher2_connection_info.json, we need to mock the Rancher server.
# Once this capability is added to tests, uncomment this and remove $env:CATTLE_REMOTE_ENABLED = "false" above.
# "$env:CATTLE_AGENT_VAR_DIR/rancher2_connection_info.json"
)
foreach ($path in $restrictedPaths) {
Log-Info "Checking $path"

Test-Path -Path $path | Should -Be $true

Test-Permissions -Path $path -ExpectedOwner "BUILTIN\Administrators" -ExpectedGroup "NT AUTHORITY\SYSTEM" -ExpectedPermissions @(
[PSCustomObject]@{
AccessMask = "FullControl"
Type = 0
Identity = "NT AUTHORITY\SYSTEM"
},
[PSCustomObject]@{
AccessMask = "FullControl"
Type = 0
Identity = "BUILTIN\Administrators"
}
)

Log-Info "Confirmed expected ACLs on $path"
}
}
}
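Review bot: `BeforeEach` mutates the checked-in `./install.ps1` with three `Add-Content` calls and never restores it, so every test iteration appends another `Invoke-WinsInstaller` line to the source file and a later run of the suite executes the installer several times from a dirty working tree. Copy the script to a scratch file first and run that instead: `$script = Join-Path $env:TEMP 'install-under-test.ps1'; Copy-Item ./install.ps1 $script -Force`, then `Add-Content -Path $script ...` and `& $script`. The assertion pins exactly two Allow ACEs (Type 0) for SYSTEM and Administrators; a comment such as `# Type 0 = Allow; an extra inherited ACE (e.g. Users read) must fail the check` next to the expected-permissions array would make the intent explicit. Whether `Test-Permissions` compares the ACE set exactly or as a subset is defined in utils.psm1, outside this diff.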
4 changes: 3 additions & 1 deletion tests/integration/network_test.ps1
Expand Up @@ -74,7 +74,9 @@ Describe "network" {
It "get default adapter" {
# wins.exe cli network get
# docker run --rm -v //./pipe/rancher_wins://./pipe/rancher_wins -v c:/etc/rancher/wins:c:/etc/rancher/wins wins-cli network get
$ret = Execute-Binary -FilePath "docker.exe" -ArgumentList @("run", "--rm", "-v", "//./pipe/rancher_wins://./pipe/rancher_wins", "-v", "c:/etc/rancher/wins:c:/etc/rancher/wins", "wins-cli", "network", "get") -PassThru
New-Directory "c:/etc/rancher/pipe"

$ret = Execute-Binary -FilePath "docker.exe" -ArgumentList @("run", "--rm", "-v", "//./pipe/rancher_wins://./pipe/rancher_wins", "-v", "c:/etc/rancher/pipe:c:/etc/rancher/pipe", "wins-cli", "network", "get") -PassThru
if (-not $ret.Ok) {
Log-Error $ret.Output
$false | Should -Be $true
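Review bot: The comment above the `Execute-Binary` call still documents the old mount (`-v c:/etc/rancher/wins:c:/etc/rancher/wins`) while the code now mounts `c:/etc/rancher/pipe:c:/etc/rancher/pipe`; update it to `# docker run --rm -v //./pipe/rancher_wins://./pipe/rancher_wins -v c:/etc/rancher/pipe:c:/etc/rancher/pipe wins-cli network get`. A one-line why-comment above `New-Directory "c:/etc/rancher/pipe"` would also help — presumably the wins config directory can no longer be shared with the container once install.ps1 restricts its ACL to Administrators/SYSTEM, but nothing in this diff says so.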
3 changes: 2 additions & 1 deletion tests/integration/process_test.ps1
Expand Up @@ -87,6 +87,7 @@ Describe "process" {
)
}
}
New-Directory "c:\etc\rancher\wins"
$config | ConvertTo-Json -Compress -Depth 32 | Out-File -NoNewline -Encoding utf8 -Force -FilePath "c:\etc\rancher\wins\config"
$configJson = Get-Content -Raw -Path "c:\etc\rancher\wins\config"
Log-Info $configJson
Expand All @@ -97,7 +98,7 @@ Describe "process" {

# wins.exe cli prc run --path xxx --exposes xxx
# docker run --name prc-run --rm -v //./pipe/rancher_wins://./pipe/rancher_wins -v c:/etc/rancher/wins:c:/etc/rancher/wins -v c:/etc/nginx:c:/host/etc/nginx wins-nginx
Execute-Binary -FilePath "docker.exe" -ArgumentList @("run", "--name", "prc-run", "--rm", "-v", "//./pipe/rancher_wins://./pipe/rancher_wins", "-v", "c:/etc/rancher/wins:c:/etc/rancher/wins", "-v", "c:/etc/nginx:c:/host/etc/nginx", "wins-nginx") -Backgroud
Execute-Binary -FilePath "docker.exe" -ArgumentList @("run", "--name", "prc-run", "--rm", "-v", "//./pipe/rancher_wins://./pipe/rancher_wins", "-v", "c:/etc/rancher/pipe:c:/etc/rancher/pipe", "-v", "c:/etc/nginx:c:/host/etc/nginx", "wins-nginx") -Backgroud
{
Wait-Ready -Timeout 3 -Path "c:\etc\nginx\rancher-wins-nginx.exe" -Throw
} | Should -Throw
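Review bot: The command comment `# docker run --name prc-run --rm ... -v c:/etc/rancher/wins:c:/etc/rancher/wins ...` no longer matches the `Execute-Binary` call beneath it, which now mounts `c:/etc/rancher/pipe:c:/etc/rancher/pipe`; update the comment to the new mount so the two stay in sync. The `New-Directory "c:\etc\rancher\wins"` added before the `Out-File` creates that directory with whatever ACL the test runner inherits, not the Administrators/SYSTEM-only ACL install.ps1 applies; that is acceptable for a test, but a note such as `# test-only: created with default ACLs, not the restricted install ACL` avoids confusing it with the installer's behaviour.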
