From 8431dd12f25adce8fcf68733b9f0bc7231cbd623 Mon Sep 17 00:00:00 2001
From: Andrey Koltsov
Date: Wed, 17 Jul 2024 15:08:45 +0200
Subject: [PATCH] [TCQA] Extend change of permissions to Windows 2019 Server Core-based agent (#166)
* Use ContainerAdministrator account during the first build phase.
* Update permission set.
---
 .../nanoserver/NanoServer1809.Dockerfile | 8 +++++++-
 .../WindowsServerCore1803.Dockerfile | 9 ++++++++-
 .../nanoserver/NanoServer1809.Dockerfile | 9 ++++-----
 .../windows/Agent/nanoserver/1809/Dockerfile | 8 +++++++-
 .../windows/Agent/nanoserver/1903/Dockerfile | 8 +++++++-
 .../windows/Agent/nanoserver/1909/Dockerfile | 8 +++++++-
 .../Agent/windowsservercore/1803/Dockerfile | 7 +++++++
 .../Agent/windowsservercore/1809/Dockerfile | 7 +++++++
 .../Agent/windowsservercore/1903/Dockerfile | 7 +++++++
 .../Agent/windowsservercore/1909/Dockerfile | 7 +++++++
 .../MinimalAgent/nanoserver/1809/Dockerfile | 7 +++----
 .../MinimalAgent/nanoserver/1903/Dockerfile | 19 +++++++++++++++++--
 .../MinimalAgent/nanoserver/1909/Dockerfile | 7 +++----
 13 files changed, 91 insertions(+), 20 deletions(-)
diff --git a/configs/windows/Agent/nanoserver/NanoServer1809.Dockerfile b/configs/windows/Agent/nanoserver/NanoServer1809.Dockerfile
index 13ba5787e..78eb7bc9c 100644
--- a/configs/windows/Agent/nanoserver/NanoServer1809.Dockerfile
+++ b/configs/windows/Agent/nanoserver/NanoServer1809.Dockerfile
@@ -87,9 +87,15 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \
 # Skip extraction of XML docs - generally not useful within an image/container - helps perfomance
 NUGET_XMLDOC_MODE=skip
-# In order to set system PATH, ContainerAdministrator must be used
+# Use ContainerAdministrator to update permissions and PATH
 USER ContainerAdministrator
 RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd;C:\Program Files\dotnet"
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
+# ... F - full control, D - delete (critical for upgrade), /T - apply to subfolders & files
+RUN cmd /c icacls.exe C:\\BuildAgent /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T
+RUN cmd /c icacls.exe C:\\BuildAgent /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T
+# Applied permission check for logging purposes
+RUN cmd /c icacls.exe C:\\BuildAgent\\*
 USER ContainerUser
 # Trigger first run experience by running arbitrary cmd to populate local package cache
diff --git a/configs/windows/Agent/windowsservercore/WindowsServerCore1803.Dockerfile b/configs/windows/Agent/windowsservercore/WindowsServerCore1803.Dockerfile
index 6bfe907bc..ab630aec8 100644
--- a/configs/windows/Agent/windowsservercore/WindowsServerCore1803.Dockerfile
+++ b/configs/windows/Agent/windowsservercore/WindowsServerCore1803.Dockerfile
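Review bot: The grant is broader than the comment above it states: besides `DefaultAccount`, the second `icacls` line gives the built-in `Users` group Full control over the entire `C:\BuildAgent` tree with `(OI)(CI)` inheritance and `/T`, so every member of Users inside the container, not only the `ContainerUser` the next line switches to, can rewrite the agent's binaries, scripts and `conf`. If the goal is to let that one account perform agent upgrades, granting to it by name and limiting the writable scope to the directories the agent writes at run time would keep the rest of the install read-only for the builds it runs. The second `/grant:r DefaultAccount:(OI)(CI)D` adds nothing because F already includes delete, and since `:r` replaces that principal's previously granted explicit permissions it is worth checking in the output of the logging `icacls C:\\BuildAgent\\*` step that the effective ACE is still F rather than D — a single `/grant:r DefaultAccount:(OI)(CI)F /T` per principal avoids the question. The comment also equates ContainerUser with `DefaultAccount`; if that mapping is an assumption rather than something confirmed from the logged ACLs, record the resolved SID in the comment or grant to `ContainerUser` directly.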
@@ -98,6 +98,13 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \
 # Skip extraction of XML docs - generally not useful within an image/container - helps perfomance
 NUGET_XMLDOC_MODE=skip
+
 USER ContainerAdministrator
 RUN setx /M PATH ('{0};{1}\bin;C:\Program Files\Git\cmd;C:\Program Files\Mercurial' -f $env:PATH, $env:JAVA_HOME)
-USER ContainerUser
\ No newline at end of file
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
+# ... F - full control, D - delete, /T - apply to subfolders & files
+RUN cmd /c icacls.exe "C:\\BuildAgent" /grant:r 'DefaultAccount:(OI)(CI)F' /grant:r 'DefaultAccount:(OI)(CI)D' /T
+RUN cmd /c icacls.exe "C:\\BuildAgent" /grant:r 'Users:(OI)(CI)F' /grant:r 'Users:(OI)(CI)D' /T
+# Applied permission check for logging purposes
+RUN cmd /c icacls.exe C:\\BuildAgent\\*
+USER ContainerUser
diff --git a/configs/windows/MinimalAgent/nanoserver/NanoServer1809.Dockerfile b/configs/windows/MinimalAgent/nanoserver/NanoServer1809.Dockerfile
index 4aa90757c..55ff50555 100644
--- a/configs/windows/MinimalAgent/nanoserver/NanoServer1809.Dockerfile
+++ b/configs/windows/MinimalAgent/nanoserver/NanoServer1809.Dockerfile
@@ -25,13 +25,13 @@ FROM ${powershellImage} AS base
 # ... PowerShell container.
 USER ContainerAdministrator
-COPY scripts/*.cs /scripts/
-SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
-
 # Prepare build agent distribution
 RUN mkdir C:\\BuildAgent
 COPY TeamCity/buildAgent C:/BuildAgent
+COPY scripts/*.cs /scripts/
+SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
+
 COPY run-agent.ps1 /BuildAgent/run-agent.ps1
 # JDK
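Review bot: As in the nanoserver variant, `Users:(OI)(CI)F` on all of `C:\BuildAgent` with `/T` makes the whole agent install, executables included, writable by every account in the Users group rather than only by the `ContainerUser` this file switches to on its last line; if a grant to `ContainerUser` alone covers the upgrade scenario, prefer that and scope it to the directories the agent writes at run time, and one `/grant:r` with F per principal is enough since F already covers delete. This file's comment also drops the "(critical for upgrade)" rationale that the nanoserver file carries, so a reader of this Dockerfile alone cannot tell why the agent needs delete rights on its own tree; `# ... F - full control, D - delete (needed so the agent can replace its own files during upgrade), /T - apply to subfolders & files` would keep the two files in step. The logging `icacls` step is the right place to confirm the effective ACEs, so consider stating in its comment what a correct listing should show.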
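Review bot: The reorder in the `base` stage carries no comment saying why `COPY scripts/*.cs` and the pwsh `SHELL` now come after the agent copy, and the one visible effect is that `RUN mkdir C:\\BuildAgent` now runs under the default shell instead of pwsh; if that is the reason (the partially visible comment above mentions administrator rights on `C:/`, so this is an inference), say so next to the instruction, e.g. `# Keep the default shell for mkdir/COPY; switch to pwsh only once the agent distribution is in place`, otherwise the next tidy-up will move the SHELL line back. If the order is incidental, note that `COPY` creates a missing destination directory itself, so the explicit `mkdir` may be removable once its purpose is documented. The `base` stage continues outside the hunk.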
@@ -86,7 +86,6 @@ ENV JAVA_HOME="C:\Program Files\Java\OpenJDK" \
 COPY --chown=ContainerUser --from=base /BuildAgent /BuildAgent
-# Use ContainerAdministrator to update permissions
 USER ContainerAdministrator
 # Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
 # ... F - full control, D - delete, /T - apply to subfolders & files
@@ -101,4 +100,4 @@ VOLUME C:/BuildAgent/work
 VOLUME C:/BuildAgent/temp
 VOLUME C:/BuildAgent/logs
-CMD ["pwsh", "./BuildAgent/run-agent.ps1"]
+CMD ["pwsh", "./BuildAgent/run-agent.ps1"]
\ No newline at end of file
diff --git a/context/generated/windows/Agent/nanoserver/1809/Dockerfile b/context/generated/windows/Agent/nanoserver/1809/Dockerfile
index 2a37a6bb4..917e708b5 100644
--- a/context/generated/windows/Agent/nanoserver/1809/Dockerfile
+++ b/context/generated/windows/Agent/nanoserver/1809/Dockerfile
@@ -77,9 +77,15 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \
 # Skip extraction of XML docs - generally not useful within an image/container - helps perfomance
 NUGET_XMLDOC_MODE=skip
-# In order to set system PATH, ContainerAdministrator must be used
+# Use ContainerAdministrator to update permissions and PATH
 USER ContainerAdministrator
 RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd;C:\Program Files\dotnet"
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
+# ... F - full control, D - delete (critical for upgrade), /T - apply to subfolders & files
+RUN cmd /c icacls.exe C:\\BuildAgent /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T
+RUN cmd /c icacls.exe C:\\BuildAgent /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T
+# Applied permission check for logging purposes
+RUN cmd /c icacls.exe C:\\BuildAgent\\*
 USER ContainerUser
 # Trigger first run experience by running arbitrary cmd to populate local package cache
diff --git a/context/generated/windows/Agent/nanoserver/1903/Dockerfile b/context/generated/windows/Agent/nanoserver/1903/Dockerfile
index bcfb7477f..4f3ddce16 100644
--- a/context/generated/windows/Agent/nanoserver/1903/Dockerfile
+++ b/context/generated/windows/Agent/nanoserver/1903/Dockerfile
@@ -77,9 +77,15 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \
 # Skip extraction of XML docs - generally not useful within an image/container - helps perfomance
 NUGET_XMLDOC_MODE=skip
-# In order to set system PATH, ContainerAdministrator must be used
+# Use ContainerAdministrator to update permissions and PATH
 USER ContainerAdministrator
 RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd;C:\Program Files\dotnet"
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
+# ... F - full control, D - delete (critical for upgrade), /T - apply to subfolders & files
+RUN cmd /c icacls.exe C:\\BuildAgent /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T
+RUN cmd /c icacls.exe C:\\BuildAgent /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T
+# Applied permission check for logging purposes
+RUN cmd /c icacls.exe C:\\BuildAgent\\*
 USER ContainerUser
 # Trigger first run experience by running arbitrary cmd to populate local package cache
diff --git a/context/generated/windows/Agent/nanoserver/1909/Dockerfile b/context/generated/windows/Agent/nanoserver/1909/Dockerfile
index 8fc097b91..1e8800f62 100644
--- a/context/generated/windows/Agent/nanoserver/1909/Dockerfile
+++ b/context/generated/windows/Agent/nanoserver/1909/Dockerfile
@@ -77,9 +77,15 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \
 # Skip extraction of XML docs - generally not useful within an image/container - helps perfomance
 NUGET_XMLDOC_MODE=skip
-# In order to set system PATH, ContainerAdministrator must be used
+# Use ContainerAdministrator to update permissions and PATH
 USER ContainerAdministrator
 RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd;C:\Program Files\dotnet"
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
+# ... F - full control, D - delete (critical for upgrade), /T - apply to subfolders & files
+RUN cmd /c icacls.exe C:\\BuildAgent /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T
+RUN cmd /c icacls.exe C:\\BuildAgent /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T
+# Applied permission check for logging purposes
+RUN cmd /c icacls.exe C:\\BuildAgent\\*
 USER ContainerUser
 # Trigger first run experience by running arbitrary cmd to populate local package cache
diff --git a/context/generated/windows/Agent/windowsservercore/1803/Dockerfile b/context/generated/windows/Agent/windowsservercore/1803/Dockerfile
index 7938c71d2..e97063d6e 100644
--- a/context/generated/windows/Agent/windowsservercore/1803/Dockerfile
+++ b/context/generated/windows/Agent/windowsservercore/1803/Dockerfile
@@ -93,6 +93,13 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \
 # Skip extraction of XML docs - generally not useful within an image/container - helps perfomance
 NUGET_XMLDOC_MODE=skip
+
 USER ContainerAdministrator
 RUN setx /M PATH ('{0};{1}\bin;C:\Program Files\Git\cmd;C:\Program Files\Mercurial' -f $env:PATH, $env:JAVA_HOME)
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
+# ... F - full control, D - delete, /T - apply to subfolders & files
+RUN cmd /c icacls.exe "C:\\BuildAgent" /grant:r 'DefaultAccount:(OI)(CI)F' /grant:r 'DefaultAccount:(OI)(CI)D' /T
+RUN cmd /c icacls.exe "C:\\BuildAgent" /grant:r 'Users:(OI)(CI)F' /grant:r 'Users:(OI)(CI)D' /T
+# Applied permission check for logging purposes
+RUN cmd /c icacls.exe C:\\BuildAgent\\*
 USER ContainerUser
diff --git a/context/generated/windows/Agent/windowsservercore/1809/Dockerfile b/context/generated/windows/Agent/windowsservercore/1809/Dockerfile
index 26d13fa79..63fc32cc3 100644
--- a/context/generated/windows/Agent/windowsservercore/1809/Dockerfile
+++ b/context/generated/windows/Agent/windowsservercore/1809/Dockerfile
@@ -93,6 +93,13 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \
 # Skip extraction of XML docs - generally not useful within an image/container - helps perfomance
 NUGET_XMLDOC_MODE=skip
+
 USER ContainerAdministrator
 RUN setx /M PATH ('{0};{1}\bin;C:\Program Files\Git\cmd;C:\Program Files\Mercurial' -f $env:PATH, $env:JAVA_HOME)
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
+# ... F - full control, D - delete, /T - apply to subfolders & files
+RUN cmd /c icacls.exe "C:\\BuildAgent" /grant:r 'DefaultAccount:(OI)(CI)F' /grant:r 'DefaultAccount:(OI)(CI)D' /T
+RUN cmd /c icacls.exe "C:\\BuildAgent" /grant:r 'Users:(OI)(CI)F' /grant:r 'Users:(OI)(CI)D' /T
+# Applied permission check for logging purposes
+RUN cmd /c icacls.exe C:\\BuildAgent\\*
 USER ContainerUser
diff --git a/context/generated/windows/Agent/windowsservercore/1903/Dockerfile b/context/generated/windows/Agent/windowsservercore/1903/Dockerfile
index ab4619b3e..09a6959fe 100644
--- a/context/generated/windows/Agent/windowsservercore/1903/Dockerfile
+++ b/context/generated/windows/Agent/windowsservercore/1903/Dockerfile
@@ -93,6 +93,13 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \
 # Skip extraction of XML docs - generally not useful within an image/container - helps perfomance
 NUGET_XMLDOC_MODE=skip
+
 USER ContainerAdministrator
 RUN setx /M PATH ('{0};{1}\bin;C:\Program Files\Git\cmd;C:\Program Files\Mercurial' -f $env:PATH, $env:JAVA_HOME)
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
+# ... F - full control, D - delete, /T - apply to subfolders & files
+RUN cmd /c icacls.exe "C:\\BuildAgent" /grant:r 'DefaultAccount:(OI)(CI)F' /grant:r 'DefaultAccount:(OI)(CI)D' /T
+RUN cmd /c icacls.exe "C:\\BuildAgent" /grant:r 'Users:(OI)(CI)F' /grant:r 'Users:(OI)(CI)D' /T
+# Applied permission check for logging purposes
+RUN cmd /c icacls.exe C:\\BuildAgent\\*
 USER ContainerUser
diff --git a/context/generated/windows/Agent/windowsservercore/1909/Dockerfile b/context/generated/windows/Agent/windowsservercore/1909/Dockerfile
index c583d5cf3..3e4a32ed9 100644
--- a/context/generated/windows/Agent/windowsservercore/1909/Dockerfile
+++ b/context/generated/windows/Agent/windowsservercore/1909/Dockerfile
@@ -93,6 +93,13 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \
 # Skip extraction of XML docs - generally not useful within an image/container - helps perfomance
 NUGET_XMLDOC_MODE=skip
+
 USER ContainerAdministrator
 RUN setx /M PATH ('{0};{1}\bin;C:\Program Files\Git\cmd;C:\Program Files\Mercurial' -f $env:PATH, $env:JAVA_HOME)
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
+# ... F - full control, D - delete, /T - apply to subfolders & files
+RUN cmd /c icacls.exe "C:\\BuildAgent" /grant:r 'DefaultAccount:(OI)(CI)F' /grant:r 'DefaultAccount:(OI)(CI)D' /T
+RUN cmd /c icacls.exe "C:\\BuildAgent" /grant:r 'Users:(OI)(CI)F' /grant:r 'Users:(OI)(CI)D' /T
+# Applied permission check for logging purposes
+RUN cmd /c icacls.exe C:\\BuildAgent\\*
 USER ContainerUser
diff --git a/context/generated/windows/MinimalAgent/nanoserver/1809/Dockerfile b/context/generated/windows/MinimalAgent/nanoserver/1809/Dockerfile
index cfa0a4a0d..761862ea5 100644
--- a/context/generated/windows/MinimalAgent/nanoserver/1809/Dockerfile
+++ b/context/generated/windows/MinimalAgent/nanoserver/1809/Dockerfile
@@ -19,13 +19,13 @@ FROM ${powershellImage} AS base
 # ... PowerShell container.
 USER ContainerAdministrator
-COPY scripts/*.cs /scripts/
-SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
-
 # Prepare build agent distribution
 RUN mkdir C:\\BuildAgent
 COPY TeamCity/buildAgent C:/BuildAgent
+COPY scripts/*.cs /scripts/
+SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
+
 COPY run-agent.ps1 /BuildAgent/run-agent.ps1
 # JDK
@@ -79,7 +79,6 @@ ENV JAVA_HOME="C:\Program Files\Java\OpenJDK" \
 COPY --chown=ContainerUser --from=base /BuildAgent /BuildAgent
-# Use ContainerAdministrator to update permissions
 USER ContainerAdministrator
 # Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
 # ... F - full control, D - delete, /T - apply to subfolders & files
diff --git a/context/generated/windows/MinimalAgent/nanoserver/1903/Dockerfile b/context/generated/windows/MinimalAgent/nanoserver/1903/Dockerfile
index 75a1c2848..824eced81 100644
--- a/context/generated/windows/MinimalAgent/nanoserver/1903/Dockerfile
+++ b/context/generated/windows/MinimalAgent/nanoserver/1903/Dockerfile
@@ -15,11 +15,17 @@ ARG powershellImage='mcr.microsoft.com/powershell:nanoserver-1903'
 FROM ${powershellImage} AS base
-COPY scripts/*.cs /scripts/
-SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
+# On some agents, Windows 2019 requires administrator permissions to modify "C:/" folder within ...
+# ... PowerShell container.
+USER ContainerAdministrator
 # Prepare build agent distribution
+RUN mkdir C:\\BuildAgent
 COPY TeamCity/buildAgent C:/BuildAgent
+
+COPY scripts/*.cs /scripts/
+SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
+
 COPY run-agent.ps1 /BuildAgent/run-agent.ps1
 # JDK
@@ -73,6 +79,15 @@ ENV JAVA_HOME="C:\Program Files\Java\OpenJDK" \
 COPY --chown=ContainerUser --from=base /BuildAgent /BuildAgent
+USER ContainerAdministrator
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
+# ... F - full control, D - delete, /T - apply to subfolders & files
+RUN cmd /c icacls.exe C:\\BuildAgent /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T
+RUN cmd /c icacls.exe C:\\BuildAgent /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T
+# Applied permission check for logging purposes
+RUN cmd /c icacls.exe C:\\BuildAgent\\*
+USER ContainerUser
+
 VOLUME C:/BuildAgent/conf
 VOLUME C:/BuildAgent/work
 VOLUME C:/BuildAgent/temp
diff --git a/context/generated/windows/MinimalAgent/nanoserver/1909/Dockerfile b/context/generated/windows/MinimalAgent/nanoserver/1909/Dockerfile
index 1726cba82..bdc0fbca4 100644
--- a/context/generated/windows/MinimalAgent/nanoserver/1909/Dockerfile
+++ b/context/generated/windows/MinimalAgent/nanoserver/1909/Dockerfile
@@ -19,13 +19,13 @@ FROM ${powershellImage} AS base
 # ... PowerShell container.
 USER ContainerAdministrator
-COPY scripts/*.cs /scripts/
-SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
-
 # Prepare build agent distribution
 RUN mkdir C:\\BuildAgent
 COPY TeamCity/buildAgent C:/BuildAgent
+COPY scripts/*.cs /scripts/
+SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
+
 COPY run-agent.ps1 /BuildAgent/run-agent.ps1
 # JDK
@@ -79,7 +79,6 @@ ENV JAVA_HOME="C:\Program Files\Java\OpenJDK" \
 COPY --chown=ContainerUser --from=base /BuildAgent /BuildAgent
-# Use ContainerAdministrator to update permissions
 USER ContainerAdministrator
 # Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
 # ... F - full control, D - delete, /T - apply to subfolders & files