chore: enable msi for private container images

Azure · Mar 28, 2024 · 82c4eb6 · 82c4eb6
1 parent b3ab50f
commit 82c4eb6
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 22 deletions.
diff --git a/vhdbuilder/packer/configure-windows-vhd.ps1 b/vhdbuilder/packer/configure-windows-vhd.ps1
@@ -17,7 +17,7 @@ function Write-Log($Message) {
     Write-Output $msg
 }
 
-function DownloadFileWithRetry {
+function Download-File {
     param (
         $URL,
         $Dest,
@@ -35,6 +35,34 @@ function DownloadFileWithRetry {
     }
 }
 
+function Download-FileWithAzCopy {
+    param (
+        $URL,
+        $Dest
+    )
+
+    if (!(Test-Path -Path $global:aksTempDir)) {
+        Write-Log "Creating temp dir for tools of building vhd"
+        New-Item -ItemType Directory $global:aksTempDir -Force
+    }
+
+    Write-Log "Downloading azcopy"
+    Invoke-WebRequest -UseBasicParsing "https://aka.ms/downloadazcopy-v10-windows" -OutFile "$global:aksTempDir\azcopy.zip"
+    Expand-Archive -Path "$global:aksTempDir\azcopy.zip" -DestinationPath "$global:aksTempDir\azcopy" -Force
+
+    $env:AZCOPY_AUTO_LOGIN_TYPE="MSI"
+    $env:AZCOPY_MSI_RESOURCE_STRING=$env:WindowsMSIResourceString
+
+    Invoke-Expression -Command "$global:aksTempDir\azcopy\*\azcopy.exe copy $URL $dest"
+
+}
+
+function Cleanup-TemporaryFiles {
+    if (Test-Path -Path $global:aksTempDir) {
+        Remove-Item -Path $global:aksTempDir -Force -Recurse
+    }
+}
+
 function Retry-Command {
     [CmdletBinding()]
     Param(
@@ -169,7 +197,7 @@ function Get-ContainerImages {
             $fileName = [IO.Path]::GetFileName($url.Split("?")[0])
             $tmpDest = [IO.Path]::Combine([System.IO.Path]::GetTempPath(), $fileName)
             Write-Log "Downloading image $image to $tmpDest"
-            DownloadFileWithRetry -URL $url -Dest $tmpDest -redactUrl
+            Download-FileWithAzCopy -URL $url -Dest $tmpDest
 
             Write-Log "Loading image $image from $tmpDest"
             Retry-Command -ScriptBlock {
@@ -200,7 +228,7 @@ function Get-FilesToCacheOnVHD {
             $dest = [IO.Path]::Combine($dir, $fileName)
 
             Write-Log "Downloading $URL to $dest"
-            DownloadFileWithRetry -URL $URL -Dest $dest
+            Download-File -URL $URL -Dest $dest
         }
     }
 }
@@ -225,23 +253,14 @@ function Get-PrivatePackagesToCacheOnVHD {
         $dir = "c:\akse-cache\private-packages"
         New-Item -ItemType Directory $dir -Force | Out-Null
 
-        Write-Log "Downloading azcopy"
-        Invoke-WebRequest -UseBasicParsing "https://aka.ms/downloadazcopy-v10-windows" -OutFile azcopy.zip
-        Expand-Archive -Path azcopy.zip -DestinationPath ".\azcopy" -Force
-        $env:AZCOPY_AUTO_LOGIN_TYPE="MSI"
-        $env:AZCOPY_MSI_RESOURCE_STRING=$env:WindowsMSIResourceString
-
         $urls = $env:WindowsPrivatePackagesURL.Split(",")
         foreach ($url in $urls) {
             $fileName = [IO.Path]::GetFileName($url.Split("?")[0])
             $dest = [IO.Path]::Combine($dir, $fileName)
 
             Write-Log "Downloading a private package to $dest"
-            .\azcopy\*\azcopy.exe copy $URL $dest
+            Download-FileWithAzCopy -URL $URL -Dest $dest
         }
-
-        Remove-Item -Path ".\azcopy" -Force -Recurse
-        Remove-Item -Path ".\azcopy.zip" -Force
     }
 }
 
@@ -258,7 +277,7 @@ function Install-ContainerD {
 
     $containerdFilename=[IO.Path]::GetFileName($global:defaultContainerdPackageUrl)
     $containerdTmpDest = [IO.Path]::Combine($installDir, $containerdFilename)
-    DownloadFileWithRetry -URL $global:defaultContainerdPackageUrl -Dest $containerdTmpDest
+    Download-File -URL $global:defaultContainerdPackageUrl -Dest $containerdTmpDest
     # The released containerd package format is either zip or tar.gz
     if ($containerdFilename.endswith(".zip")) {
         Expand-Archive -path $containerdTmpDest -DestinationPath $installDir -Force
@@ -314,7 +333,7 @@ function Install-WindowsPatches {
         switch ($fileExtension) {
             ".msu" {
                 Write-Log "Downloading windows patch from $pathOnly to $fullPath"
-                DownloadFileWithRetry -URL $patchUrl -Dest $fullPath -redactUrl
+                Download-File -URL $patchUrl -Dest $fullPath -redactUrl
                 Write-Log "Starting install of $fileName"
                 $proc = Start-Process -Passthru -FilePath wusa.exe -ArgumentList "$fullPath /quiet /norestart"
                 Wait-Process -InputObject $proc
@@ -811,7 +830,7 @@ function Get-LatestWindowsDefenderPlatformUpdate {
 
     if ($latestDefenderProductVersion -gt $currentDefenderProductVersion) {
         Write-Log "Update started. Current MPVersion: $currentDefenderProductVersion, Expected Version: $latestDefenderProductVersion"
-        DownloadFileWithRetry -URL $global:defenderUpdateUrl -Dest $downloadFilePath
+        Download-File -URL $global:defenderUpdateUrl -Dest $downloadFilePath
         $proc = Start-Process -PassThru -FilePath $downloadFilePath -Wait
         Start-Sleep -Seconds 10
         switch ($proc.ExitCode) {
@@ -877,6 +896,7 @@ try{
             Get-ToolsToVHD # Rely on the completion of Get-FilesToCacheOnVHD
             Get-PrivatePackagesToCacheOnVHD
             Remove-Item -Path c:\windows-vhd-configuration.ps1
+            Cleanup-TemporaryFiles
             (New-Guid).Guid | Out-File -FilePath 'c:\vhd-id.txt'
             Log-ReofferUpdate
         }

diff --git a/vhdbuilder/packer/generate-windows-vhd-configuration.ps1 b/vhdbuilder/packer/generate-windows-vhd-configuration.ps1
@@ -8,6 +8,9 @@ if (-not ($validSKU -contains $windowsSKU)) {
     throw "Unsupported windows image SKU: $windowsSKU"
 }
 
+# We use the same temp dir for all temp tools that will be used for vhd build
+$global:aksTempDir = "c:\akstemp"
+
 # We need to guarantee that the node provisioning will not fail because the vhd is full before resize-osdisk is called in AKS Windows CSE script.
 $global:lowestFreeSpace = 2*1024*1024*1024 # 2GB
 

diff --git a/vhdbuilder/packer/init-variables.sh b/vhdbuilder/packer/init-variables.sh
@@ -305,13 +305,10 @@ if [ "$OS_TYPE" == "Windows" ]; then
 
 		WINDOWS_IMAGE_URL=${IMPORTED_IMAGE_URL}
 
-		echo "Generating sas token to copy Windows base image"
-		expiry_date=$(date -u -d "20 minutes" '+%Y-%m-%dT%H:%MZ')
 		echo "Copy Windows base image to ${WINDOWS_IMAGE_URL}"
-		set +x
-		sas_token=$(az storage account generate-sas --account-name ${STORAGE_ACCOUNT_NAME} --permissions cw --account-key "$key" --resource-types o --services b --expiry ${expiry_date} | tr -d '"')
-		azcopy-preview copy "${WINDOWS_BASE_IMAGE_URL}" "${WINDOWS_IMAGE_URL}?${sas_token}"
-		set -x
+		export AZCOPY_AUTO_LOGIN_TYPE="MSI"
+		export AZCOPY_MSI_RESOURCE_STRING="${AZURE_MSI_RESOURCE_STRING}"
+		azcopy-preview copy "${WINDOWS_BASE_IMAGE_URL}" "${WINDOWS_IMAGE_URL}"
 		# https://www.packer.io/plugins/builders/azure/arm#image_url
 		# WINDOWS_IMAGE_URL to a custom VHD to use for your base image. If this value is set, image_publisher, image_offer, image_sku, or image_version should not be set.
 		WINDOWS_IMAGE_PUBLISHER=""