From 0801fb3a917bfcb75b31e2be098721a284e69d38 Mon Sep 17 00:00:00 2001 From: Heschi Kreinick Date: Tue, 17 Jan 2023 17:45:07 -0500 Subject: [PATCH] env/windows-arm64/azure: update instructions - Account for the new production environment - Use smaller, cheaper machines - Fix the antivirus instructions For golang/go#57408. Change-Id: I219677c570787a907d67763e0d88552ebdc142c4 Reviewed-on: https://go-review.googlesource.com/c/build/+/462516 Reviewed-by: Than McIntosh Auto-Submit: Heschi Kreinick Run-TryBot: Heschi Kreinick TryBot-Result: Gopher Robot --- env/windows-arm64/azure/README.md | 25 +++++++++++-------- .../azure/antivirusadditions.ps1 | 6 ++--- 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/env/windows-arm64/azure/README.md b/env/windows-arm64/azure/README.md index fec7f003..5cf8fe4e 100644 --- a/env/windows-arm64/azure/README.md +++ b/env/windows-arm64/azure/README.md @@ -33,13 +33,13 @@ Deployment VMs are set up with invocations of the following az CLI command: ``` az vm create \ --name=MyNewVmName \ - --resource-group=dev_buildlets \ + --resource-group=_buildlets \ --admin-username=gopheradmin \ --admin-password= \ --image=microsoftwindowsdesktop:windows11preview-arm64:win11-22h2-ent:latest \ - --nsg-rule=NONE \ - --size=Standard_D8ps_v5 \ - --subscription= \ + --nsg=_buildlets-security-group \ + --size=Standard_D4ps_v5 \ + --subscription= \ --public-ip-address "" ``` @@ -57,7 +57,8 @@ Once a VM has been created, you can apply Go-specific configuration to it by run az vm run-command invoke \ --command-id=RunPowerShellScript \ --name="MyNewVM" \ - --resource-group=dev_buildlets \ + --subscription= \ + --resource-group=_buildlets \ --scripts @startup.ps1 ``` 
@@ -67,25 +68,27 @@ Notes: * output from the command is in JSON * exit status of the "az" command does NOT accurately reflect exit status of the powershell script. +* errors about things already existing are expected + +## First login + +Log into the new builder as "gopher" at least once so as to go through the "initial login" Windows workflow. Find the VM in the Azure portal, and enter the login in the Bastion section. Choose "no" on all the setup prompts. ## Follow-ons to disable antivirus In later versions of windows, it can be very difficult to completely disable the system's antivirus software, due to "features" such as [tamper protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide), which make it almost impossible to programmatically turn off windows defender (and which ensure that any changes made are undone when the system reboots). -Running this command should help somewhat: +Open Windows Security, Virus & threat protection, Manage settings, and turn off Tamper Protection. Then run this command: ``` az vm run-command invoke \ --command-id=RunPowerShellScript \ --name="MyNewVM" \ - --resource-group=dev_buildlets \ + --subscription= \ + --resource-group=_buildlets \ --scripts @antivirusadditions.ps1 ``` -## First login - -Log into the new builder as "gopher" at least once so as to go through the "initial login" Windows workflow. - ## Builder key Generate a builder key for the VMs according to the directions in [x/build/cmd/genbuilderkey](https://go.googlesource.com/build/+/fdfb99e1de1f68b555502056567be459d98a0e71/cmd/genbuilderkey/README.md). diff --git a/env/windows-arm64/azure/antivirusadditions.ps1 b/env/windows-arm64/azure/antivirusadditions.ps1 index dc283848..8bf16603 100644 --- a/env/windows-arm64/azure/antivirusadditions.ps1 +++ b/env/windows-arm64/azure/antivirusadditions.ps1 
@@ -8,10 +8,8 @@ Write-Host "Adding drive and process exclusions" # Antivirus setup. -$drive = "C" - -Add-MpPreference -ExclusionPath "$(drive):\" -ErrorAction SilentlyContinue -Add-MpPreference -ExclusionProcess "$(drive):\*" -ErrorAction SilentlyContinue +Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue +Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue Write-Host "Attempting to disable scanning engines via Set-MpPreference"
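Review bot: In the `az vm create` hunk of README.md, replacing `--nsg-rule=NONE` with `--nsg=_buildlets-security-group` makes the VM's network exposure depend on a security group that the README never describes. Please add a sentence saying that the group must already exist in the target resource group and what inbound rules it is expected to carry, so that someone recreating the environment does not end up with a more permissive group than the old `NONE` setting produced. The resource-group and NSG values as shown begin with a bare `_buildlets`; if an environment prefix is meant to be filled in, the prose should say which values are valid.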
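Review bot: In the `startup.ps1` run-command hunk of README.md, the added `--subscription=` line has to agree with the subscription and `_buildlets` resource group used for `az vm create`, and that pair is now repeated across three commands. Suggest having the README set both once (for example as shell variables near the top) and reference them in each command, so a production run cannot pair one environment's subscription with the other's resource group.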
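Review bot: In the README.md hunk that rewrites the antivirus section, turning off Tamper Protection is a manual GUI step with nothing to confirm it took effect before `antivirusadditions.ps1` runs, and the Notes just above state that the `az` exit status does not reflect the script's result. Suggest adding a verification step, such as checking `IsTamperProtected` in the output of `Get-MpComputerStatus`, before and after the script. The new bullet "errors about things already existing are expected" would also be more useful if it named the expected messages, so that a real failure in the JSON output is recognizable.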
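Review bot: In antivirusadditions.ps1, both `Add-MpPreference` lines keep `-ErrorAction SilentlyContinue`, so an exclusion that fails to apply leaves no trace in the run-command output. The removed `"$(drive):\"` form was a subexpression rather than a reference to `$drive`, which is the kind of mistake this setting hides. Suggest following the two calls with a `Write-Host` of `ExclusionPath` and `ExclusionProcess` read back from `Get-MpPreference`, and adding a comment that `C:\` and `C:\*` exempt the entire system drive from scanning and that this is intended for these builders.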