[build] env/windows-arm64: initial Azure VM support

Than McIntosh (Gerrit)

Jan 6, 2023, 10:38:35 AM
to Than McIntosh, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Gopher Robot, Heschi Kreinick, golang-co...@googlegroups.com

Than McIntosh submitted this change.

4 is the latest approved patch-set.
The change was submitted with unreviewed changes in the following files:

```
The name of the file: env/windows-arm64/azure/setupAndRunAllDotBat.sh
Insertions: 7, Deletions: 4.

@@ -1,14 +1,17 @@
#!/bin/sh
#
-# For hand testing a newly created/configured VM. Set the environment variables
-# below before running this script:
+# For initial hand testing a newly created/configured test/debug VM. Set the
+# environment variables below before running this script:
#
# ACCOUNT account to use when ssh'ing to the VM
# VM_IP_ADDRESS public IP address of VM
#
# Note that as the script runs it will invoke "ssh", which will require the
-# invoker to enter the VM account password several times. This script also uses
-# "gsutil" to copy things from the go-builder GCS bucket as part opf th
+# invoker to enter the VM account password several times. TODO: use -M and
+# -S ssh flags to avoid reauthentication.
+#
+# This script also uses "gsutil" to copy things from the go-builder GCS bucket
+# as part of the setup.
#
#-----------------------------
#
```
```
The name of the file: env/windows-arm64/azure/startup.ps1
Insertions: 1, Deletions: 1.

@@ -146,7 +146,7 @@
Set-LocalUser -Name $buildlet_user -PasswordNeverExpires $true

# Set GO_BUILDER_NAME environment variable (needed by the stage0 buildlet);
-# this setting needs to persist across reboots.
+# this setting needs to persist across reboots.
[Environment]::SetEnvironmentVariable('GO_BUILDER_ENV', 'host-windows11-arm64-azure', [System.EnvironmentVariableTarget]::Machine)

# Run the bootstrap program on login
```
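
Review bot: The comment above the SetEnvironmentVariable call says it sets GO_BUILDER_NAME, but the call writes 'GO_BUILDER_ENV' with the value 'host-windows11-arm64-azure'. Since this hunk already touches the comment block, update it to name the variable that is actually set, so that someone debugging a buildlet that does not pick up its configuration is not sent looking for the wrong variable.
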
```
The name of the file: env/windows-arm64/azure/README.md
Insertions: 65, Deletions: 59.

@@ -22,9 +22,69 @@

Authenticate with "az login".

-## Test VM creation
+## VM strategy for Azure

-To create a new windows-arm64 VM named "MyNewVM" for debugging/testing purposes (e.g. SSH enabled, public IP, port open, etc) use the command:
+At the moment, windows-arm64 Azure VMs are configured as reverse builders, and they are set up with no public IP address and no exposed ports. To interact with the VMs directly (e.g. to log in and poke around) it is recommended to use the Azure "bastion" feature, which provides RDP-like access to VMs from within the portal.
+
+## Deployment VM creation
+
+Deployment VMs are set up with invocations of the following az CLI command:
+
+```
+az vm create \
+ --name=MyNewVmName \
+ --resource-group=dev_buildlets \
+ --admin-username=<pick your admin account name> \
+ --admin-password=<pick password> \
+ --image=microsoftwindowsdesktop:windows11preview-arm64:win11-22h2-ent:latest \
+ --nsg-rule=NONE \
+ --size=Standard_D8ps_v5 \
+ --subscription=<set subscription ID here> \
+ --public-ip-address ""
+```
+
+and then configure as described below in VM setup. This VM will have no public IP address or open ports, thus will be usable only by the coordinator.
+
+Notes:
+* the "image" argument above is arm-specific, and in addition "size" argument also encodes the arm64-ness of the VM (strangely)
+
+
+## VM setup
+
+Once a VM has been created, you can apply Go-specific configuration to it by running the setup script in this directory (startup.ps1), using this command:
+
+```
+az vm run-command invoke \
+ --command-id=RunPowerShellScript \
+ --name="MyNewVM" \
+ --resource-group=dev_buildlets \
+ --scripts @startup.ps1
+```
+
+Where "startup.ps1" is the path (on your local machine) to the script to be run on the Azure VM, and the value passed to "--name" is the one you used when creating the VM.
+
+Notes:
+
+* output from the command is in JSON
+* exit status of the "az" command does NOT accurately reflect exit status of the powershell script.
+
+## Follow-ons to disable antivirus
+
+In later versions of windows, it can be very difficult to completely disable the system's antivirus software, due to "features" such as [tamper protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide), which make it almost impossible to programmatically turn off windows defender (and which ensure that any changes made are undone when the system reboots).
+
+Running this command should help somewhat:
+
+```
+az vm run-command invoke \
+ --command-id=RunPowerShellScript \
+ --name="MyNewVM" \
+ --resource-group=dev_buildlets \
+ --scripts @antivirusadditions.ps1
+```
+
+## Debugging/testing VM creation
+
+To create a new windows-arm64 VM named "MyNewVM" that is net accessible (e.g. with a public IP and ssh port exposed), use this command:

```
az vm create \
@@ -41,61 +101,7 @@

Notes:

-* the "image" argument above is arm-specific, and in addition "size" argument also encodes the arm64-ness of the VM (strangely)
-* by default Azure will open ports for allowing RDP on Windows and allowing SSH on Linux, so here we override the default with --nsg-rule=SSH
-* output from the command is in JSON
-* the admin account here is chosen arbitrarily; this is in case you need to "ssh" into the machine to run experiments or verify configuration.
-* this VM has a public IP, hence should only be used for testing
+* be sure to pick a very strong password
+* configure the VM once created as in `VM Setup` above, but with the section that starts the stage0 buildlet commented out (since we don't want the VM to connect to the coordinator)
+* delete VM when you are finished with it

-## VM setup
-
-Once a VM has been created, you can apply Go-specific configuration to it by running the setup script in this directory (startup.ps1), using this command:
-
-```
-az vm run-command invoke \
- --command-id=RunPowerShellScript \
- --name="MyNewVM" \
- --resource-group=dev_buildlets \
- --scripts @startup.ps1
-```
-
-Where "startup.ps1" is the path (on your local machine) to the script to be run on the Azure VM, and the value passed to "--name" is the one you used when creating the VM. If this VM is going to be used for testing probably best to comment out the portion of startup.ps1 that invokes the buildlet.
-
-Notes:
-
-* output from the command is in JSON
-* exit status of the "az" command does NOT accurately reflect exit status of the powershell script.
-
-## Deployment VM creation
-
-Once the VM looks good (you are happy with all.bat runs, etc), you can create a deployment VM using this command:
-
-```
-az vm create \
- --name=MyNewVM \
- --resource-group=dev_buildlets \
- --admin-username=<pick your admin account name> \
- --admin-password=<pick password> \
- --image=microsoftwindowsdesktop:windows11preview-arm64:win11-22h2-ent:latest \
- --nsg-rule=NONE \
- --size=Standard_D8ps_v5 \
- --subscription=<set subscription ID here> \
- --public-ip-address ""
-```
-
-and then configure as described above in VM setup. This VM will have no public IP address or open ports, thus will be usable only by the coordinator.
-
-
-## Follow-ons to disable antivirus
-
-In later versions of windows, it can be very difficult to completely disable the system's antivirus software, due to "features" such as [tamper protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide), which make it almost impossible to programmatically turn off windows defender (and which ensure that any changes made are undone when the system reboots).
-
-Running this command should help somewhat:
-
-```
-az vm run-command invoke \
- --command-id=RunPowerShellScript \
- --name="MyNewVM" \
- --resource-group=dev_buildlets \
- --scripts @antivirusadditions.ps1
-```
```
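
Review bot: The rewritten notes for the debugging/testing VM drop two points that the removed lines carried: that Azure opens RDP by default on Windows and `--nsg-rule=SSH` is there to override that default, and that a VM with a public IP should only be used for testing. The replacement bullets (strong password, comment out the stage0 buildlet section, delete the VM when finished) cover handling but not the rationale; consider keeping the `--nsg-rule=SSH` explanation so a later edit of the recipe does not fall back to the default rule set.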

Approvals:
  Gopher Robot: TryBots succeeded
  Heschi Kreinick: Looks good to me, approved
  Than McIntosh: Run TryBots

env/windows-arm64: initial Azure VM support

Add README / notes and startup powershell scripts for creating and
configuring Windows Arm64 VMs hosted on Azure.

There are two recipes included here, one for creating deployment
reverse builder VMs (with no public IP), and a second recipe for
creating a test/debugging VM (with public IP, ssh enabled, etc) that
can be used for manual testing (the expectation is that debug/test VMs
will be needed only occasionally, and on a short-term temporary basis).

NB: more work/investigation needed on configuring the VMs to reduce
anti-virus overhead; at the moment the all.bat runtime is not as fast
as it could be, due to interference from "Antimalware service
executable" according to task manager.

Updates golang/go#57408.

Change-Id: Ic8f56c42ca882d86cefdda5dd27be846237778c3
Reviewed-on: https://go-review.googlesource.com/c/build/+/451275
Reviewed-by: Heschi Kreinick <hes...@google.com>
TryBot-Result: Gopher Robot <go...@golang.org>
Run-TryBot: Than McIntosh <th...@google.com>
---
A env/windows-arm64/azure/README.md
A env/windows-arm64/azure/antivirusadditions.ps1
A env/windows-arm64/azure/setupAndRunAllDotBat.sh
A env/windows-arm64/azure/startup.ps1
4 files changed, 490 insertions(+), 0 deletions(-)

diff --git a/env/windows-arm64/azure/README.md b/env/windows-arm64/azure/README.md
new file mode 100644
index 0000000..f72e245
--- /dev/null
+++ b/env/windows-arm64/azure/README.md
@@ -0,0 +1,107 @@
+<!---
+# Copyright 2022 The Go Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+-->
+
+# Azure windows arm64 VM setup notes
+
+This doc contains notes on setup info for deploying windows arm64 Go builders on Azure.
+
+## Prerequisites
+
+You'll need to install the Azure CLI toolset ("az *" commands) to take the various actions (VM creation, setup) below. You'll also need a Microsoft account into order to do anything with "az" and/or to log into the azure website (e.g. portal.asure.com); recommendation is to use your golang.org account.
+
+## CLI install
+
+Although you can try to install the Azure CLI using "sudo apt-get install azure-cli", this version winds up being broken/non-functional. Make sure this version is uninstalled via "sudo apt-get remove azure-cli", then install the CLI via
+
+ pip install azure-cli
+
+## Authentication
+
+Authenticate with "az login".
+
+## VM strategy for Azure
+
+At the moment, windows-arm64 Azure VMs are configured as reverse builders, and they are set up with no public IP address and no exposed ports. To interact with the VMs directly (e.g. to log in and poke around) it is recommended to use the Azure "bastion" feature, which provides RDP-like access to VMs from within the portal.
+
+## Deployment VM creation
+
+Deployment VMs are set up with invocations of the following az CLI command:
+
+```
+az vm create \
+ --name=MyNewVmName \
+ --resource-group=dev_buildlets \
+ --admin-username=<pick your admin account name> \
+ --admin-password=<pick password> \
+ --image=microsoftwindowsdesktop:windows11preview-arm64:win11-22h2-ent:latest \
+ --nsg-rule=NONE \
+ --size=Standard_D8ps_v5 \
+ --subscription=<set subscription ID here> \
+ --public-ip-address ""
+```
+
+and then configure as described below in VM setup. This VM will have no public IP address or open ports, thus will be usable only by the coordinator.
+
+Notes:
+* the "image" argument above is arm-specific, and in addition "size" argument also encodes the arm64-ness of the VM (strangely)
+
+
+## VM setup
+
+Once a VM has been created, you can apply Go-specific configuration to it by running the setup script in this directory (startup.ps1), using this command:
+
+```
+az vm run-command invoke \
+ --command-id=RunPowerShellScript \
+ --name="MyNewVM" \
+ --resource-group=dev_buildlets \
+ --scripts @startup.ps1
+```
+
+Where "startup.ps1" is the path (on your local machine) to the script to be run on the Azure VM, and the value passed to "--name" is the one you used when creating the VM.
+
+Notes:
+
+* output from the command is in JSON
+* exit status of the "az" command does NOT accurately reflect exit status of the powershell script.
+
+## Follow-ons to disable antivirus
+
+In later versions of windows, it can be very difficult to completely disable the system's antivirus software, due to "features" such as [tamper protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide), which make it almost impossible to programmatically turn off windows defender (and which ensure that any changes made are undone when the system reboots).
+
+Running this command should help somewhat:
+
+```
+az vm run-command invoke \
+ --command-id=RunPowerShellScript \
+ --name="MyNewVM" \
+ --resource-group=dev_buildlets \
+ --scripts @antivirusadditions.ps1
+```
+
+## Debugging/testing VM creation
+
+To create a new windows-arm64 VM named "MyNewVM" that is net accessible (e.g. with a public IP and ssh port exposed), use this command:
+
+```
+az vm create \
+ --name=MyNewVM \
+ --resource-group=dev_buildlets \
+ --admin-username=<pick your admin account name> \
+ --admin-password=<pick password> \
+ --image=microsoftwindowsdesktop:windows11preview-arm64:win11-22h2-ent:latest \
+ --nsg-rule=SSH \
+ --size=Standard_D8ps_v5 \
+ --subscription=<set subscription ID here> \
+ --public-ip-sku Standard
+```
+
+Notes:
+
+* be sure to pick a very strong password
+* configure the VM once created as in `VM Setup` above, but with the section that starts the stage0 buildlet commented out (since we don't want the VM to connect to the coordinator)
+* delete VM when you are finished with it
+
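Review bot: Both `az vm create` recipes pass the administrator password inline as `--admin-password=<pick password>`, which records it in the operator's shell history; for the debugging/testing recipe this is the password of a VM that gets a public IP and `--nsg-rule=SSH`. Suggest the README show the password being read into a shell variable with a silent prompt and passed from there, rather than typed into the command. Smaller points in the same file: the Prerequisites paragraph has "into order" and "portal.asure.com" (presumably portal.azure.com), and the deployment recipe creates `MyNewVmName` while the VM setup and antivirus commands target `--name="MyNewVM"`, so following the steps in order by copy and paste addresses a different VM name.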
diff --git a/env/windows-arm64/azure/antivirusadditions.ps1 b/env/windows-arm64/azure/antivirusadditions.ps1
new file mode 100644
index 0000000..dc28384
--- /dev/null
+++ b/env/windows-arm64/azure/antivirusadditions.ps1
@@ -0,0 +1,34 @@
+# Copyright 2022 The Go Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+Set-StrictMode -Version Latest
+
+Write-Host "Adding drive and process exclusions"
+
+# Antivirus setup.
+
+$drive = "C"
+
+Add-MpPreference -ExclusionPath "$(drive):\" -ErrorAction SilentlyContinue
+Add-MpPreference -ExclusionProcess "$(drive):\*" -ErrorAction SilentlyContinue
+
+Write-Host "Attempting to disable scanning engines via Set-MpPreference"
+
+Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue
+Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue
+Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue
+Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue
+Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue
+Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue
+Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue
+Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue
+Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue
+Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue
+
+Write-Host "Setting default actions to Allow via Set-MpPreference"
+
+Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue
+Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue
+Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue
+
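Review bot: In the two Add-MpPreference lines, `"$(drive):\"` is a subexpression that tries to run a command named `drive`; it does not expand the `$drive` variable assigned just above, so the exclusion strings do not come out as `C:\` and `C:\*`. Use `"${drive}:\"` and `"${drive}:\*"`. Because every call in the file also carries `-ErrorAction SilentlyContinue`, a setting that is rejected leaves no trace in the run-command output; consider reading the values back with Get-MpPreference at the end of the script and printing them, so it is visible which settings actually took effect, given that the commit message says the anti-virus overhead still needs investigation.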
diff --git a/env/windows-arm64/azure/setupAndRunAllDotBat.sh b/env/windows-arm64/azure/setupAndRunAllDotBat.sh
new file mode 100644
index 0000000..5defa58
--- /dev/null
+++ b/env/windows-arm64/azure/setupAndRunAllDotBat.sh
@@ -0,0 +1,151 @@
+#!/bin/sh
+#
+# For initial hand testing a newly created/configured test/debug VM. Set the
+# environment variables below before running this script:
+#
+# ACCOUNT account to use when ssh'ing to the VM
+# VM_IP_ADDRESS public IP address of VM
+#
+# Note that as the script runs it will invoke "ssh", which will require the
+# invoker to enter the VM account password several times. TODO: use -M and
+# -S ssh flags to avoid reauthentication.
+#
+# This script also uses "gsutil" to copy things from the go-builder GCS bucket
+# as part of the setup.
+#
+#-----------------------------
+#
+function checkvarpresent() {
+ local TAG="$1"
+ local WHICH="$2"
+ if [ -z "$WHICH" ]; then
+ echo "error: set env var $TAG before running this script"
+ exit 1
+ fi
+}
+#
+function copy_file_to_vm() {
+ local FILE="$1"
+ local TGT="$2"
+ local SPATH="scp://${ACCOUNT}@${VM_IP_ADDRESS}/${TGT}"
+ echo "... executing: scp $FILE $SPATH"
+ scp $FILE $SPATH
+ if [ $? != 0 ]; then
+ echo "** copy failed, aborting"
+ exit 1
+ fi
+}
+function run_command_on_vm() {
+ local CMD="$*"
+ echo "... executing: ssh ${ACCOUNT}@${VM_IP_ADDRESS} $CMD"
+ ssh ${ACCOUNT}@${VM_IP_ADDRESS} $CMD
+ if [ $? != 0 ]; then
+ echo "** command failed, aborting"
+ exit 1
+ fi
+}
+function copy_from_go_builder_data() {
+ local FILE="$1"
+ local TGT="$2"
+ echo "... executing: gsutil cp gs://go-builder-data/${FILE} $TGT"
+ gsutil cp gs://go-builder-data/${FILE} $TGT
+ if [ $? != 0 ]; then
+ echo "error: copy from gs://go-builder-data/${FILE} failed, aborting"
+ exit 1
+ fi
+}
+#
+checkvarpresent ACCOUNT "$ACCOUNT"
+checkvarpresent VM_IP_ADDDRESS "$VM_IP_ADDRESS"
+#
+# Create various directories on the VM.
+#
+TF=`mktemp /tmp/mkdirsbat.XXXXXXXXXX`
+cat >$TF<<EOF
+rmdir /s /q C:\Windows\Temp\go
+rmdir /s /q C:\Windows\Temp\gobootstrap
+mkdir C:\Windows\Temp\go
+mkdir C:\Windows\Temp\gobootstrap
+EOF
+echo "... creating go and gobootstrap directories on VM"
+SCRIPT="C:\Windows\Temp\mkdirs.bat"
+copy_file_to_vm $TF $SCRIPT
+rm -f $TF
+run_command_on_vm $SCRIPT
+echo "... dir creation on vm complete."
+#
+# Collect windows bootstrap go to use with all.bat
+#
+TF2=`mktemp /tmp/bootstrapgo.XXXXXXXXXX`
+echo "... copying bootstrap Go from GCS bucket to local path"
+copy_from_go_builder_data gobootstrap-windows-arm64-go1.17.13.tar.gz $TF2
+#
+# Copy the bootstrap Go tar file to the VM.
+#
+echo "... copying bootstrap Go to VM"
+BOOTGOLOC="C:\Windows\Temp\bootgo.tgz"
+copy_file_to_vm $TF2 $BOOTGOLOC
+rm -f $TF2
+echo "... finished copying bootstrap Go to VM"
+#
+# Unpack the bootstrap Go on the VM
+#
+echo "... unpacking bootstrap Go on VM"
+run_command_on_vm "C:\golang\bootstrap.exe --untar-file=${BOOTGOLOC} --untar-dest-dir=C:\Windows\Temp\gobootstrap"
+echo "... finished unpacking bootstrap Go on VM"
+#
+# Clone Go repo at head, dump a dummy version in it.
+#
+echo "... starting clone of Go repo"
+TF3=`mktemp -d /tmp/gorepo.XXXXXXXXXX`
+TF4=`mktemp /tmp/go.XXXXXXXXXX.tgz`
+mkdir $TF3/go
+git clone --depth=1 https://go.googlesource.com/go $TF3/go
+if [ $? != 0 ]; then
+ echo "error: git clone failed (git clone --depth=1 https://go.googlesource.com/go $TF3/go)"
+ exit 1
+fi
+echo -n devel gomote.XXXXX > $TF3/go/VERSION
+echo -n devel gomote.XXXXX > $TF3/go/VERSION.cache
+rm -rf $TF3/go/.git
+echo "... finished clone and setup of Go repo"
+#
+# Tar up the Go repo and copy it to the VM
+#
+echo "... tar up go repo"
+(cd $TF3 ; tar zcf - ./go) > $TF4
+echo "... copying go repo tar file to VM"
+GOTIPLOC="C:\Windows\Temp\gotip.tgz"
+copy_file_to_vm $TF4 $GOTIPLOC
+rm -f $TF4
+rm -rf $TF3
+#
+# Unpack on the VM
+#
+echo "... unpacking Go repo tar file on vm"
+run_command_on_vm "C:\golang\bootstrap.exe --untar-file=${GOTIPLOC} --untar-dest-dir=C:\Windows\Temp\go"
+#
+# Create command to run all.bat
+#
+TF5=`mktemp /tmp/runallbat.XXXXXXXXXX`
+echo "... creating bat script to run all.bat"
+cat >$TF5<<EOF
+cd C:\Windows\Temp\go\go\src
+set PATH=%PATH%;C:\godep\llvm-aarch64\bin
+set GOROOT_BOOTSTRAP=C:\Windows\Temp\gobootstrap
+all.bat
+EOF
+#
+# Copy script to VM
+#
+echo "... copying all.bat script to VM"
+ALLBATSCRIPT="C:\Windows\Temp\runall.bat"
+copy_file_to_vm $TF5 $ALLBATSCRIPT
+rm -f $TF5
+#
+# Execute
+#
+echo "... running all.bat invocation script"
+run_command_on_vm $ALLBATSCRIPT
+echo "done."
+exit 0
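Review bot: The script declares `#!/bin/sh` but defines all four helpers with the `function` keyword, a bash extension that dash and other strictly POSIX shells reject, so it fails wherever /bin/sh is not bash; change the shebang to `#!/bin/bash` or use the POSIX `name() { ... }` form. Also, `checkvarpresent VM_IP_ADDDRESS "$VM_IP_ADDRESS"` passes a misspelled tag (three D's), so the error message tells the user to set a variable the script never reads. The expansions in `scp $FILE $SPATH` and `ssh ${ACCOUNT}@${VM_IP_ADDRESS} $CMD` are unquoted, and copy_file_to_vm exits on failure before the caller reaches its `rm -f` of the mktemp file; quoting the arguments and adding a `trap` cleanup would cover both.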
diff --git a/env/windows-arm64/azure/startup.ps1 b/env/windows-arm64/azure/startup.ps1
new file mode 100644
index 0000000..2726812
--- /dev/null
+++ b/env/windows-arm64/azure/startup.ps1
@@ -0,0 +1,169 @@
+# Copyright 2022 The Go Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+Set-StrictMode -Version Latest
+
+# Helpers
+function Test-RegistryKeyExists($path, $name)
+{
+ $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
+ ($key -and $null -ne $key.GetValue($name, $null)) -ne $false
+}
+
+function Get-FileFromUrl(
+ [string] $URL,
+ [string] $Output)
+{
+ Add-Type -AssemblyName "System.Net.Http"
+
+ $client = New-Object System.Net.Http.HttpClient
+ $request = New-Object System.Net.Http.HttpRequestMessage -ArgumentList @([System.Net.Http.HttpMethod]::Get, $URL)
+ $responseMsg = $client.SendAsync($request)
+ $responseMsg.Wait()
+
+ if (!$responseMsg.IsCanceled)
+ {
+ $response = $responseMsg.Result
+ if ($response.IsSuccessStatusCode)
+ {
+ $downloadedFileStream = [System.IO.File]::Create($Output)
+ $copyStreamOp = $response.Content.CopyToAsync($downloadedFileStream)
+ $copyStreamOp.Wait()
+ $downloadedFileStream.Close()
+ if ($copyStreamOp.Exception -ne $null)
+ {
+ throw $copyStreamOp.Exception
+ }
+ }
+ }
+}
+
+# https://social.technet.microsoft.com/Forums/ie/en-US/29508e4e-a2b5-42eb-9729-6eca473716ae/disabling-password-complexity-via-command?forum=ITCG
+function Disable-PasswordComplexity
+{
+ param()
+
+ $secEditPath = [System.Environment]::ExpandEnvironmentVariables("%SystemRoot%\system32\secedit.exe")
+ $tempFile = [System.IO.Path]::GetTempFileName()
+
+ $exportArguments = '/export /cfg "{0}" /quiet' -f $tempFile
+ $importArguments = '/configure /db secedit.sdb /cfg "{0}" /quiet' -f $tempFile
+
+ Start-Process -FilePath $secEditPath -ArgumentList $exportArguments -Wait
+
+ $currentConfig = Get-Content -Path $tempFile
+
+ $currentConfig = $currentConfig -replace 'PasswordComplexity = .', 'PasswordComplexity = 0'
+ $currentConfig = $currentConfig -replace 'MinimumPasswordLength = .', 'MinimumPasswordLength = 0'
+ $currentConfig | Out-File -FilePath $tempFile
+
+ Start-Process -FilePath $secEditPath -ArgumentList $importArguments -Wait
+
+ Remove-Item -Path .\secedit.sdb
+ Remove-Item -Path $tempFile
+}
+
+# Wait till network comes up
+while(-Not (Test-NetConnection 8.8.8.8 -Port 53 | ? { $_.TcpTestSucceeded })) {
+ Write-Host "waiting for network (external network) to come up"
+ sleep 3
+}
+
+# Disable password complexity, automatic updates, windows firewall, error reporting, and UAC
+#
+# - Update can interrupt the builds
+# - We don't care about security since this isn't going to be Internet-facing
+# - No ports will ever be accessible externally
+# - We can be trusted to run as a real Administrator
+Write-Host "disabling security features"
+New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
+New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
+New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name NoAutoUpdate -Value 1 -Force | Out-Null
+New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting" -Name Disabled -Value 1 -Force | Out-Null
+New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting" -Name DontShowUI -Value 1 -Force | Out-Null
+New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" -Name EnableLUA -PropertyType DWord -Value 0 -Force | Out-Null
+netsh advfirewall set allprofiles state off
+netsh firewall set opmode mode=disable profile=ALL
+Set-MpPreference -DisableRealtimeMonitoring $true
+
+# Disable unwanted services
+Write-Host "disabling unused services"
+Set-Service -Name 'NlaSvc' -StartupType 'Disabled'
+Set-Service -Name 'LanmanServer' -StartupType 'Disabled'
+Set-Service -Name 'BITS' -StartupType 'Disabled'
+Set-Service -Name 'DPS' -StartupType 'Disabled'
+Set-Service -Name 'MSDTC' -StartupType 'Disabled'
+Set-Service -Name 'IKEEXT' -StartupType 'Disabled'
+Set-Service -Name 'RemoteRegistry' -StartupType 'Disabled'
+Set-Service -Name 'lmhosts' -StartupType 'Disabled'
+
+# Download buildlet
+Write-Host "downloading stage0"
+$builder_dir = "C:\golang"
+$bootstrap_exe_path = "$builder_dir\bootstrap.exe"
+mkdir $builder_dir
+Get-FileFromUrl -URL 'https://storage.googleapis.com/go-builder-data/buildlet-stage0.windows-arm64' -Output $bootstrap_exe_path
+
+# Install the OpenSSH Client
+Add-WindowsCapability -Online -Name OpenSSH.Client
+# Install the OpenSSH Server
+Add-WindowsCapability -Online -Name OpenSSH.Server
+
+Start-Service sshd
+# OPTIONAL but recommended:
+Set-Service -Name sshd -StartupType 'Automatic'
+
+# Download and unpack LLVM
+Write-Host "downloading LLVM"
+$dep_dir = "C:\godep"
+$llvm64_tar = "$dep_dir\llvm64.tar.gz"
+mkdir $dep_dir
+Get-FileFromUrl -URL "https://storage.googleapis.com/go-builder-data/llvm-mingw-20220323-ucrt-aarch64.tar.gz" -Output "$llvm64_tar"
+
+Write-Host "extracting LLVM"
+$extract64_args=@("--untar-file=$llvm64_tar", "--untar-dest-dir=$dep_dir")
+& $bootstrap_exe_path $extract64_args
+
+$builder_dir = "C:\golang"
+$bootstrap_exe_path = "$builder_dir\bootstrap.exe"
+
+# Download and install Visual Studio Build Tools (MSVC)
+# https://docs.microsoft.com/en-us/visualstudio/install/build-tools-container
+Write-Host "downloading Visual Studio Build Tools"
+$vs_buildtools = "$builder_dir\vs_buildtools.exe"
+Get-FileFromUrl -URL "https://aka.ms/vs/16/release/vs_buildtools.exe" -Output "$vs_buildtools"
+
+Write-Host "installing Visual Studio Build Tools"
+& $vs_buildtools --quiet --wait --norestart --nocache --installPath "$dep_dir\vs" --all --add Microsoft.VisualStudio.Component.VC.Tools.ARM64 --add Microsoft.VisualStudio.Component.VC.Tools.ARM
+
+# Create a buildlet user
+Write-Host "creating buildlet user"
+$buildlet_user = "gopher"
+$buildlet_password = "gopher"
+net user $buildlet_user $buildlet_password /ADD
+net localgroup administrators $buildlet_user /ADD
+Set-LocalUser -Name $buildlet_user -PasswordNeverExpires $true
+
+# Set GO_BUILDER_NAME environment variable (needed by the stage0 buildlet);
+# this setting needs to persist across reboots.
+[Environment]::SetEnvironmentVariable('GO_BUILDER_ENV', 'host-windows11-arm64-azure', [System.EnvironmentVariableTarget]::Machine)
+
+# Run the bootstrap program on login
+Write-Host "setting stage0 to run on start"
+$bootstrap_cmd = "cmd /k ""cd $builder_dir && $bootstrap_exe_path"""
+New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Buildlet" -PropertyType ExpandString -Value $bootstrap_cmd -Force
+
+# Setup autologon and reboot
+$RegPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
+if ((Test-RegistryKeyExists $RegPath "DefaultUsername") -eq $false) {
+ Write-Host "configuring auto login"
+ Remove-ItemProperty -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'AutoLogonCount' -Force | Out-Null
+ Set-ItemProperty $RegPath "AutoAdminLogon" -Value "1" -type String
+ Set-ItemProperty $RegPath "DefaultUsername" -Value "$buildlet_user" -type String
+ Set-ItemProperty $RegPath "DefaultPassword" -Value "$buildlet_password" -type String
+ Set-ItemProperty $RegPath "LogonCount" -Value "99999999" -type String
+ Write-Host "rebooting"
+ shutdown /r /t 0
+}
+
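Review bot: The "creating buildlet user" block adds a local administrator `gopher` whose password is also `gopher`, and the same script installs and starts the OpenSSH server and turns the Windows firewall off. The in-file comment justifies the weakened settings with "No ports will ever be accessible externally", but the README's debugging/testing recipe applies this script to a VM created with a public IP and `--nsg-rule=SSH`, asking only that the stage0 section be commented out, so that VM ends up with a guessable administrator login on an exposed SSH port regardless of how strong the `az vm create` password is. Suggest skipping the user creation and autologon, or taking the password as a script parameter, when the script is run for a debug VM, and stating that in the README notes. Separately, Get-FileFromUrl returns silently when the request is canceled or the status is not a success code, so a failed download of bootstrap.exe, the LLVM tarball or vs_buildtools.exe only surfaces later when the file is used; throw in those branches, and consider checking each download against a pinned hash before it is run as Administrator. The second assignment of `$builder_dir` and `$bootstrap_exe_path` after the LLVM extraction repeats the earlier values and can be dropped.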

To view, visit change 451275. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: build
Gerrit-Branch: master
Gerrit-Change-Id: Ic8f56c42ca882d86cefdda5dd27be846237778c3
Gerrit-Change-Number: 451275
Gerrit-PatchSet: 7
Gerrit-Owner: Than McIntosh <th...@google.com>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-Reviewer: Heschi Kreinick <hes...@google.com>
Gerrit-Reviewer: Than McIntosh <th...@google.com>
Gerrit-MessageType: merged