Merge branch 'master' into andyzhangx/add-old-images

.pipelines/templates/.builder-release-template.yaml

@@ -215,6 +215,11 @@ steps:
       -e BLOB_URL=${BLOB_URL} \
       -e SEVERITY=${SEVERITY} \
       -e MODULE_VERSION=${MODULE_VERSION} \
+      -e BUILD_REPOSITORY_NAME=$(Build.Repository.Name) \
+      -e BUILD_SOURCEVERSION=$(Build.SourceVersion) \
+      -e SYSTEM_COLLECTIONURI=$(System.CollectionUri) \
+      -e SYSTEM_TEAMPROJECT=$(System.TeamProject) \
+      -e BUILD_RUN_NUMBER=$(Build.BuildNumber) \
       ${CONTAINER_IMAGE} make -f packer.mk test-scan-and-cleanup
     condition: always()
     displayName: Test, Scan, and Cleanup

parts/linux/cloud-init/artifacts/components.json

@@ -31,20 +31,14 @@
         "v1.9.4-hotfix.20240704"
       ]
     },
-    {
-      "downloadURL": "mcr.microsoft.com/mirror/docker/library/busybox:*",
-      "amd64OnlyVersions": [],
-      "multiArchVersions": [
-        "1.35"
-      ]
-    },
     {
       "downloadURL": "mcr.microsoft.com/containernetworking/azure-cni:*",
       "amd64OnlyVersions": [],
       "multiArchVersions": [
         "v1.5.32",
+        "v1.5.35",
         "v1.6.0",
-        "v1.6.3"
+        "v1.6.5"
       ],
       "prefetchOptimizations": [
         {
@@ -53,14 +47,20 @@
             "dropgz"
           ]
         },
+        {
+          "version": "v1.5.35",
+          "binaries": [
+            "dropgz"
+          ]
+        },
         {
           "version": "v1.6.0",
           "binaries": [
             "dropgz"
           ]
         },
         {
-          "version": "v1.6.3",
+          "version": "v1.6.5",
           "binaries": [
             "dropgz"
           ]
@@ -73,8 +73,9 @@
       "multiArchVersions": [
         "v1.4.52",
         "v1.5.32",
+        "v1.5.35",
         "v1.6.0",
-        "v1.6.3"
+        "v1.6.5"
       ],
       "prefetchOptimizations": [
         {
@@ -83,14 +84,20 @@
             "usr/local/bin/azure-cns"
           ]
         },
+        {
+          "version": "v1.5.35",
+          "binaries": [
+            "usr/local/bin/azure-cns"
+          ]
+        },
         {
           "version": "v1.6.0",
           "binaries": [
             "usr/local/bin/azure-cns"
           ]
         },
         {
-          "version": "v1.6.3",
+          "version": "v1.6.5",
           "binaries": [
             "usr/local/bin/azure-cns"
           ]
@@ -489,7 +496,8 @@
             "versions": [
               "1.4.54",
               "1.5.32",
-              "1.6.3"
+              "1.5.35",
+              "1.6.5"
             ],
             "downloadURL": "https://acs-mirror.azureedge.net/azure-cni/v${version}/binaries/azure-vnet-cni-linux-${CPU_ARCH}-v${version}.tgz"
           }

spec/parts/linux/cloud-init/artifacts/cse_install_spec.sh

@@ -40,7 +40,7 @@ Describe 'cse_install.sh'
         It 'returns downloadURIs.default.current.versions of package azure-cni for UBUNTU 20.04'
             package=$(readPackage "azure-cni")
             When call returnPackageVersions "$package" "UBUNTU" "20.04"
-            The variable PACKAGE_VERSIONS[@] should equal "1.4.54 1.5.32 1.6.3"
+            The variable PACKAGE_VERSIONS[@] should equal "1.4.54 1.5.32 1.5.35 1.6.5"
         End
 
         It 'returns downloadURIs.default.current.versions of package oras for UBUNTU 20.04'
@@ -70,7 +70,7 @@ Describe 'cse_install.sh'
         It 'returns downloadURIs.default.current.versions of package azure-cni for MARINER'
             package=$(readPackage "azure-cni")
             When call returnPackageVersions "$package" "MARINER" "some_mariner_version"
-            The variable PACKAGE_VERSIONS[@] should equal "1.4.54 1.5.32 1.6.3"
+            The variable PACKAGE_VERSIONS[@] should equal "1.4.54 1.5.32 1.5.35 1.6.5"
         End
 
         It 'returns downloadURIs.default.current.versions of package containerd for MARINERKATA'
@@ -82,7 +82,7 @@ Describe 'cse_install.sh'
         It 'returns downloadURIs.default.current.versions of package azure-cni for AZURELINUX'
             package=$(readPackage "azure-cni")
             When call returnPackageVersions "$package" "AZURELINUX" "some_azurelinux_version"
-            The variable PACKAGE_VERSIONS[@] should equal "1.4.54 1.5.32 1.6.3"
+            The variable PACKAGE_VERSIONS[@] should equal "1.4.54 1.5.32 1.5.35 1.6.5"
         End
 
         It 'returns downloadURIs.azurelinux.current.versions of package runc for AZURELINUX'

vhdbuilder/packer/generate-windows-vhd-configuration.ps1

@@ -119,13 +119,15 @@ $global:imagesToPull += @(
     # CNS (Container Networking Service) Owner: jaer-tsun (Jaeryn)
     "mcr.microsoft.com/containernetworking/azure-cns:v1.4.52",
     "mcr.microsoft.com/containernetworking/azure-cns:v1.5.32",
+    "mcr.microsoft.com/containernetworking/azure-cns:v1.5.35",
     "mcr.microsoft.com/containernetworking/azure-cns:v1.6.0",
-    "mcr.microsoft.com/containernetworking/azure-cns:v1.6.3",
+    "mcr.microsoft.com/containernetworking/azure-cns:v1.6.5",
     # CNI installer for azure-vnet. Owner: evanbaker
     "mcr.microsoft.com/containernetworking/cni-dropgz:v0.1.4"
     "mcr.microsoft.com/containernetworking/cni-dropgz:v0.2.0"
-    "mcr.microsoft.com/containernetworking/azure-cni:v1.5.32"
-    "mcr.microsoft.com/containernetworking/azure-cni:v1.6.3"
+    "mcr.microsoft.com/containernetworking/azure-cni:v1.5.32",
+    "mcr.microsoft.com/containernetworking/azure-cni:v1.5.35"
+    "mcr.microsoft.com/containernetworking/azure-cni:v1.6.5"
 )
 
 $global:map = @{
@@ -190,7 +192,8 @@ $global:map = @{
     "c:\akse-cache\win-vnet-cni\" = @(
         # Azure CNI v1 (legacy)
         "https://acs-mirror.azureedge.net/azure-cni/v1.5.32/binaries/azure-vnet-cni-windows-amd64-v1.5.32.zip",
-        "https://acs-mirror.azureedge.net/azure-cni/v1.6.3/binaries/azure-vnet-cni-windows-amd64-v1.6.3.zip",
+        "https://acs-mirror.azureedge.net/azure-cni/v1.5.35/binaries/azure-vnet-cni-windows-amd64-v1.5.35.zip",
+        "https://acs-mirror.azureedge.net/azure-cni/v1.6.5/binaries/azure-vnet-cni-windows-amd64-v1.6.5.zip",
         # Azure CNI v2 (pod subnet)
         "https://acs-mirror.azureedge.net/azure-cni/v1.4.54/binaries/azure-vnet-cni-swift-windows-amd64-v1.4.54.zip",
         # Azure CNI for Overlay

vhdbuilder/packer/test-scan-and-cleanup.sh

@@ -8,6 +8,10 @@ required_env_vars=(
   "SIG_GALLERY_NAME"
   "OS_VERSION"
   "SIG_IMAGE_NAME"
+  "UMSI_RESOURCE_ID"
+  "UMSI_PRINCIPAL_ID"
+  "UMSI_CLIENT_ID"
+  "BUILD_RUN_NUMBER"
 )
 
 for v in "${required_env_vars[@]}"; do

vhdbuilder/packer/trivy-scan.sh

@@ -30,6 +30,13 @@ SEVERITY=${17}
 MODULE_VERSION=${18}
 UMSI_PRINCIPAL_ID=${19}
 UMSI_CLIENT_ID=${20}
+BUILD_RUN_NUMBER=${21}
+export BUILD_REPOSITORY_NAME=${22}
+export BUILD_SOURCEBRANCH=${23}
+export BUILD_SOURCEVERSION=${24}
+export SYSTEM_COLLECTIONURI=${25}
+export SYSTEM_TEAMPROJECT=${26}
+export BUILD_BUILDID=${27}
 
 install_azure_cli() {
     OS_SKU=${1}
@@ -110,6 +117,7 @@ export PATH="$(pwd):$PATH"
 ./trivy --scanners vuln rootfs -f json --skip-dirs /var/lib/containerd --ignore-unfixed --severity ${SEVERITY} -o "${TRIVY_REPORT_ROOTFS_JSON_PATH}" /
 if [[ -f ${TRIVY_REPORT_ROOTFS_JSON_PATH} ]]; then
     ./vuln-to-kusto-vhd scan-report \
+        --vhd-buildrunnumber=${BUILD_RUN_NUMBER} \
         --vhd-vhdname="${VHD_NAME}" \
         --vhd-ossku="${OS_SKU}" \
         --vhd-osversion="${OS_VERSION}" \
@@ -137,6 +145,7 @@ for CONTAINER_IMAGE in $IMAGE_LIST; do
 
     if [[ -f ${TRIVY_REPORT_IMAGE_JSON_PATH} ]]; then
         ./vuln-to-kusto-vhd scan-report \
+            --vhd-buildrunnumber=${BUILD_RUN_NUMBER} \
             --vhd-vhdname="${VHD_NAME}" \
             --vhd-ossku="${OS_SKU}" \
             --vhd-osversion="${OS_VERSION}" \

vhdbuilder/packer/vhd-scanning.sh

@@ -20,13 +20,6 @@ SUBNET_NAME="scanning"
 if [ -z "$PACKER_BUILD_LOCATION" ]; then
     echo "PACKER_BUILD_LOCATION must be set to run VHD scanning"
     exit 1
-fi 
-
-# We assign this identity to the scanning VM so that it has permission
-# to push the trivy output to the storage blob and to export output to the Kusto table.
-if [ -z "$UMSI_RESOURCE_ID" ]; then
-    echo "UMSI_RESOURCE_ID must be set to run VHD scanning"
-    exit 1
 fi
 
 # Use the domain name from the classic blob URL to get the storage account name.
@@ -83,6 +76,9 @@ TRIVY_SCRIPT_PATH="$CDIR/$TRIVY_SCRIPT_PATH"
 TIMESTAMP=$(date +%s%3N)
 TRIVY_UPLOAD_REPORT_NAME="trivy-report-${BUILD_ID}-${TIMESTAMP}.json"
 TRIVY_UPLOAD_TABLE_NAME="trivy-table-${BUILD_ID}-${TIMESTAMP}.txt"
+
+# Extract date, revision from build number
+BUILD_RUN_NUMBER=$(echo $BUILD_RUN_NUMBER | cut -d_ -f 1)
 az vm run-command invoke \
     --command-id RunShellScript \
     --name $SCAN_VM_NAME \
@@ -107,7 +103,14 @@ az vm run-command invoke \
         "SEVERITY"=${SEVERITY} \
         "MODULE_VERSION"=${MODULE_VERSION} \
         "UMSI_PRINCIPAL_ID"=${UMSI_PRINCIPAL_ID} \
-        "UMSI_CLIENT_ID"=${UMSI_CLIENT_ID}
+        "UMSI_CLIENT_ID"=${UMSI_CLIENT_ID} \
+        "BUILD_RUN_NUMBER"=${BUILD_RUN_NUMBER} \
+        "BUILD_REPOSITORY_NAME"=${BUILD_REPOSITORY_NAME} \
+        "BUILD_SOURCEBRANCH"=${GIT_BRANCH} \
+        "BUILD_SOURCEVERSION"=${BUILD_SOURCEVERSION} \
+        "SYSTEM_COLLECTIONURI"=${SYSTEM_COLLECTIONURI} \
+        "SYSTEM_TEAMPROJECT"=${SYSTEM_TEAMPROJECT} \
+        "BUILDID"=${BUILD_ID}
 
 az storage blob download --container-name ${SIG_CONTAINER_NAME} --name  ${TRIVY_UPLOAD_REPORT_NAME} --file trivy-report.json --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
 az storage blob download --container-name ${SIG_CONTAINER_NAME} --name  ${TRIVY_UPLOAD_TABLE_NAME} --file  trivy-images-table.txt --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login