This repository has been archived by the owner on Jan 21, 2022. It is now read-only.
pre-start.ps1.erb
# Pipeline filter: prefixes every object passed through it with the current
# date and time in the general ("G") format, followed by ": ".
filter timestamp {
    $stamp = Get-Date -Format G
    "${stamp}: $_"
}

Write-Output "Started windowsfs pre-start" | timestamp
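<#
.SYNOPSIS
Removes the temporary certificate directory and the temporary certificate file.

.DESCRIPTION
Deletes $certDirectory recursively (errors from that delete are suppressed) and
then $certFile. Afterwards both paths are re-checked; if either still exists a
message is written through the timestamp filter and the script exits with
code 1, so leftover certificate material is never silently ignored.

.PARAMETER certDirectory
Directory holding the split certificates.

.PARAMETER certFile
Temporary file holding the unsplit certificate data.
#>
function cleanupCerts() {
    Param(
        [string]$certDirectory, [string]$certFile
    )

    # -LiteralPath keeps wildcard characters in either path from being expanded.
    Remove-Item -Recurse -Force -ErrorAction SilentlyContinue -LiteralPath $certDirectory
    Remove-Item -LiteralPath $certFile

    # The directory delete above swallows its errors, so verify the result explicitly.
    if (Test-Path -LiteralPath $certDirectory) {
        Write-Output "Failed to remove cert directory: $certDirectory" | timestamp
        exit 1
    }

    if (Test-Path -LiteralPath $certFile) {
        # This branch reports the file, not the directory.
        Write-Output "Failed to remove cert file: $certFile" | timestamp
        exit 1
    }
}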
# Named event used to synchronise with the pre-start script of
# winc-release/job=groot: this script blocks until that event is signalled.
# NOTE(review): any existing object with this name is accepted as-is, with
# whatever ACL its creator gave it - confirm that only the groot pre-start
# script is expected to create and signal it.
$sharedEventName = "RootfsEvent"

try {
    $rootfsEvent = [System.Threading.EventWaitHandle]::OpenExisting($sharedEventName)
} catch {
    # Opening failed for any reason: create the event ourselves, unsignalled.
    # A default-constructed EventResetMode is its zero value (AutoReset).
    $resetMode = New-Object System.Threading.EventResetMode
    $startSignalled = $false
    $rootfsEvent = New-Object System.Threading.EventWaitHandle($startSignalled, $resetMode, $sharedEventName)
}

$timeout = [long]30
# TODO Validate this
$minWincReleaseVersion = "v2.0"

Write-Output "Waiting $timeout minutes for signal from pre-start script of winc-release/job=groot" | timestamp

# WaitOne takes milliseconds; $timeout is expressed in minutes.
$waitMilliseconds = $timeout * 60 * 1000
$signalled = $rootfsEvent.WaitOne($waitMilliseconds)

if (-not $signalled) {
    $message = @(
        "No signal received on event $sharedEventName after $timeout minutes. This signal is ",
        "generated by the pre-start script of winc-release/job=groot. You might have an older version ",
        "of the winc-release. Require winc-release $minWincReleaseVersion or higher."
    ) -join ""
    Write-Output $message | timestamp
    exit 1
}

Write-Output "Received signal from pre-start script of winc-release/job=groot. Proceeding" | timestamp
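<% if p("windows-rootfs.trusted_certs") == "" %>
# Rendered only when the manifest supplies no trusted certs: strip any
# previously injected cert layer from each cached image, then exit 0.
$ErrorActionPreference = "Stop";
# NOTE(review): this trap sets the host exit code to 1 but has no `break`;
# confirm whether execution is meant to continue after a failing statement.
trap { $host.SetShouldExit(1) }

Write-Output "No certs provided" | timestamp

# Even though there are no certs in the manifest, we have to clean up any existing
# certs that may have been placed in the image due to an earlier deploy.
#
# If groot does not provide a link, then the version of winc-release being deployed
# is too old to support providing trusted certificates. As such, there can't be an existing top
# layer in the rootfs OCI image on disk with the extra certificates and so we can
# skip the remove layer step.
<% if_link('groot') do |groot| %>
<% groot.p('groot.cached_image_uris').each do |uri| %>
# The link value is rendered as a single-quoted literal (embedded ' doubled) so
# that ", $ or backtick characters in it are kept as data instead of being
# interpreted by PowerShell when the rendered script runs.
$uri = '<%= uri.to_s.gsub("'", "''") %>'
Write-Output "Cleaning any pre-existing certs from the top layer of $uri" | timestamp
C:\var\vcap\packages\hydrate\hydrate.exe remove-layer --ociImage $uri
# Native commands do not raise PowerShell errors; check the exit code explicitly.
if ($LASTEXITCODE -ne 0) {
    Write-Output "hydrate.exe remove-layer failed" | timestamp
    exit $LASTEXITCODE
}
Write-Output "hydrate.exe remove-layer succeed for $uri" | timestamp
<% end %>
<% end %>

Write-Output "Finished windowsfs pre-start" | timestamp
exit 0
<% end %>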
Write-Output "Deleting any existing containers" | timestamp

# The cert-injector performs a `groot pull`; containers that still exist at
# that point could cause issues with the image layers, so every compute
# process reported by Get-ComputeProcess is deleted through winc first.
# NOTE(review): the exit code of `winc.exe delete` is not checked here, so a
# failed delete does not stop the script - confirm that best-effort is intended.
$wincBin = "c:\var\vcap\packages\winc\winc.exe"
Get-ComputeProcess | ForEach-Object { & $wincBin delete $_.Id }
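<% if_p("windows-rootfs.trusted_certs") do |trusted_certs| %>
# Rendered only when the manifest supplies trusted certs: write them to a temp
# file, split them into one file per cert, and hand that directory to
# cert-injector together with the groot driver store and cached image URIs.
$ErrorActionPreference = "Stop";
# NOTE(review): this trap sets the host exit code to 1 but has no `break`;
# confirm whether execution is meant to continue after a failing statement.
trap { $host.SetShouldExit(1) }

Write-Output "Injecting trusted certs" | timestamp

# powershell can't handle multiple certs in one file, so we need to split them up
Write-Output "Splitting certs" | timestamp

# Manifest and link values below are rendered as single-quoted literals
# (embedded ' doubled) so that ", $ or backtick characters in them are kept as
# data instead of being interpreted by PowerShell when the rendered script runs.
$certData = '<%= trusted_certs.to_s.gsub("'", "''") %>'
$certFile = [System.IO.Path]::GetTempFileName()
Set-Content -Value $certData -Path $certFile -Encoding Ascii

# NOTE(review): every file in $certDirectory is passed to cert-injector as a
# trusted cert; confirm that c:\var\vcap\data\tmp is writable only by the
# account running this job.
$random = (Get-Random)
$certDirectory = "c:\var\vcap\data\tmp\windowsfs-trusted-certs-$random"
# Start from an empty directory even if an earlier run left one with this name.
Remove-Item -Recurse -Force -ErrorAction SilentlyContinue $certDirectory
mkdir $certDirectory | Out-Null

$certSplitterBin = "c:\var\vcap\packages\certsplitter-fs\certsplitter.exe"
& $certSplitterBin $certFile $certDirectory
# Native commands do not raise PowerShell errors; check the exit code explicitly.
if ($LASTEXITCODE -ne 0) {
    Write-Output "certsplitter failed to split certs" | timestamp
    cleanupCerts -certDirectory $certDirectory -certFile $certFile
    exit $LASTEXITCODE
}
Write-Output "The given certs have been split and written into the directory at $certDirectory" | timestamp

# Both stay empty when no groot link is available.
$grootDriverStore = ""
$grootImageUris = ""
<% if_link('groot') do |groot| %>
$grootDriverStore = '<%= groot.p('groot.driver_store').to_s.gsub("'", "''") %>'
$grootImageUris = '<%= groot.p('groot.cached_image_uris').join(" ").gsub("'", "''") %>'
<% end %>

$certInjectorBin = "c:\var\vcap\packages\cert-injector\cert-injector.exe"
Write-Output "Running cert-injector" | timestamp
# The URIs were joined with single spaces at render time; split them back into
# separate arguments. NOTE(review): a URI that itself contains a space would be
# split into two arguments here.
& $certInjectorBin $grootDriverStore $certDirectory $grootImageUris.Split(" ")
if ($LASTEXITCODE -ne 0) {
    Write-Output "cert-injector failed injecting trusted certs" | timestamp
    cleanupCerts -certDirectory $certDirectory -certFile $certFile
    exit $LASTEXITCODE
}
Write-Output "Finished running cert-injector" | timestamp

# Remove the temporary cert file and directory on the success path as well.
cleanupCerts -certDirectory $certDirectory -certFile $certFile
Write-Output "Finished injecting trusted certs" | timestamp
<% end %>

Write-Output "Finished windowsfs pre-start" | timestamp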