Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Windows MSI build: run light.exe with -sval in GitLab #10309

Closed
wants to merge 1 commit into from

Conversation

Al2Klimov
Copy link
Member

This is equivalent to "setting true in your WiX MSBuild project" not to require the CI/CD service to run as an admin. https://wixtoolset.org/docs/tools/validation/#errors-running-validation

It's just, w/o this PR our builds also perform a "package validation" which involves the installer service. Non-admins can access the latter, but only if logged in via RDP. Services can't.

@Al2Klimov Al2Klimov added the area/windows Windows agent and plugins label Jan 20, 2025
@Al2Klimov Al2Klimov added this to the 2.15.0 milestone Jan 20, 2025
@Al2Klimov Al2Klimov requested a review from julianbrost January 20, 2025 12:14
@cla-bot cla-bot bot added the cla/signed label Jan 20, 2025
@Al2Klimov
Copy link
Member Author

Al2Klimov commented Jan 20, 2025

Test

GitLab runner Windows service (not RDP logged in user!) runs these (not admin!) to build Icinga:

  • & .\tools\win32\load-vsenv.ps1
  • & powershell.exe .\tools\win32\configure.ps1
  • & powershell.exe .\tools\win32\build.ps1

Before

https://git.icinga.com/packaging/windows-icinga2/-/pipelines/35363
https://git.icinga.com/packaging/windows-icinga2/-/jobs/638022

...
CPack: Create package using WIX
  CPack: Install projects
  CPack: - Install project: icinga2 [RelWithDebInfo]
  CPack: Create package
EXEC : CPack error : Problem running WiX candle. Please check 'C:/Build/builds/t3_feTz7p/1/packaging/windows-icinga2/icinga2/Build/_CPack_Packages/win64/WIX/wix.log' for errors. [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
EXEC : CPack error : Fatal WiX Generator Error [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
EXEC : CPack error : Problem compressing the directory [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
EXEC : CPack error : Error when generating package: Icinga 2 [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(155,5): error MSB3073: Der Befehl "setlocal [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(155,5): error MSB3073: cd C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(155,5): error MSB3073: if %errorlevel% neq 0 goto :cmEnd [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(155,5): error MSB3073: C: [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(155,5): error MSB3073: if %errorlevel% neq 0 goto :cmEnd [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(155,5): error MSB3073: "C:\Program Files\CMake\bin\cpack.exe" -C RelWithDebInfo --config ./CPackConfig.cmake [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(155,5): error MSB3073: if %errorlevel% neq 0 goto :cmEnd [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(155,5): error MSB3073: :cmEnd [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(155,5): error MSB3073: endlocal & call :cmErrorLevel %errorlevel% & goto :cmDone [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(155,5): error MSB3073: :cmErrorLevel [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(155,5): error MSB3073: exit /b %1 [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(155,5): error MSB3073: :cmDone [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(155,5): error MSB3073: if %errorlevel% neq 0 goto :VCEnd [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(155,5): error MSB3073: :VCEnd" wurde mit dem Code 1 beendet. [C:\Build\builds\t3_feTz7p\1\packaging\windows-icinga2\icinga2\Build\PACKAGE.vcxproj]
DEBUG:   27+ if ( >>>> $lastexitcode -ne 0) { exit $lastexitcode }
DEBUG:   27+ if ($lastexitcode -ne 0) {  >>>> exit $lastexitcode }
DEBUG:   20+ if ( >>>> $LastExitCode -ne 0) { throw "Error during build" }
DEBUG:   20+ if ($LastExitCode -ne 0) {  >>>> throw "Error during build" }
Error during build
In C:\build\builds\t3_feTz7p\1\packaging\windows-icinga2\build.ps1:20 Zeichen:28
+ if ($LastExitCode -ne 0) { throw "Error during build" }
+                            ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Error during build:String) [], RuntimeException
    + FullyQualifiedErrorId : Error during build

After

https://git.icinga.com/packaging/windows-icinga2/-/pipelines/35364
https://git.icinga.com/packaging/windows-icinga2/-/jobs/638026

Works. 👍

@julianbrost
Copy link
Contributor

That doesn't seem to be an issue on GitHub Actions, so can we disable this just in the GitLab pipelines? I mean what it does sounds useful (from your link):

Package validation checks the content of MSI packages to, among other things, ensure the internal database structure follows (at least some of) the rules for MSI packages.

So doesn't sound like a bad idea to try to keep this where possible.

@Al2Klimov Al2Klimov changed the title Windows MSI build: run light.exe with -sval Windows MSI build: run light.exe with -sval in GitLab Jan 20, 2025
CMakeLists.txt Outdated Show resolved Hide resolved
CMakeLists.txt Outdated
Comment on lines 512 to 515
if(DEFINED ENV{GITLAB_CI})
# https://wixtoolset.org/docs/tools/validation/#errors-running-validation
set(CPACK_WIX_LIGHT_EXTRA_FLAGS "-sval")
endif()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That change suggests it is actually impossible to do this validation while running in the GitLab CI. However, that's not the case as we did just that for years.

This is a problem that only appeared due to planned changes to our GitLab runners, hence, that's where I'd try to adjust this. Is it possible to just pass this as -DCPACK_WIX_LIGHT_EXTRA_FLAGS=-sval to CMake in our GitLab job definition instead?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That change suggests it is actually impossible to do this validation while running in the GitLab CI. However, that's not the case as we did just that for years.

... as administrator! Only that made it possible for all these things to happen under a Windows service. 😅🙈😈

This is a problem that only appeared due to planned changes to our GitLab runners, hence, that's where I'd try to adjust this.

IMAO the problem has always been in this repo. It unnecessarily enforces such privileges for GitLab runners.

Is it possible to just pass this as -DCPACK_WIX_LIGHT_EXTRA_FLAGS=-sval to CMake in our GitLab job definition instead?

Yes, but actually no:

I mean, I can put this flag and env check into tools\win32\configure.ps1 if you explain why*. But that would be in the very same repo.

*) IMAO CMake stuff belongs into CMake files, especially sane defaults which apply universally, across callers of CMake.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMAO the problem has always been in this repo. It unnecessarily enforces such privileges for GitLab runners.

If this repo doesn't allow to disable this externally, that should be fixed. With your proposed change, it unnecessarily prevents performing that validation from GitLab CI altogether.

I mean, I can put this flag and env check into tools\win32\configure.ps1 if you explain why*. But that would be in the very same repo.

Why does it have to be a check on the GITLAB_CI environment variable here? What if the following would just allow passing custom CMake options?

& cmake.exe "$sourcePath" `
-DCMAKE_BUILD_TYPE="$env:CMAKE_BUILD_TYPE" `
-G "$env:CMAKE_GENERATOR" -A "$env:CMAKE_GENERATOR_PLATFORM" -DCPACK_GENERATOR=WIX `
-DOPENSSL_ROOT_DIR="$env:OPENSSL_ROOT_DIR" `
-DBOOST_LIBRARYDIR="$env:BOOST_LIBRARYDIR" `
-DBOOST_INCLUDEDIR="$env:BOOST_ROOT" `
-DFLEX_EXECUTABLE="$env:FLEX_BINARY" `
-DBISON_EXECUTABLE="$env:BISON_BINARY"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With your proposed change, it unnecessarily prevents performing that validation from GitLab CI altogether.

Why does it have to be a check on the GITLAB_CI environment variable here?

It necessarily prevents it because in a sane CI infra the GitLab service is not run as admin, which makes MSI validation impossible. So what? We have GitHub actions for this, as you said.

What if the following would just allow passing custom CMake options?

& cmake.exe "$sourcePath" `
-DCMAKE_BUILD_TYPE="$env:CMAKE_BUILD_TYPE" `
-G "$env:CMAKE_GENERATOR" -A "$env:CMAKE_GENERATOR_PLATFORM" -DCPACK_GENERATOR=WIX `
-DOPENSSL_ROOT_DIR="$env:OPENSSL_ROOT_DIR" `
-DBOOST_LIBRARYDIR="$env:BOOST_LIBRARYDIR" `
-DBOOST_INCLUDEDIR="$env:BOOST_ROOT" `
-DFLEX_EXECUTABLE="$env:FLEX_BINARY" `
-DBISON_EXECUTABLE="$env:BISON_BINARY"

CMake allows passing custom CMake options. This is a convenience script, its job is to fiddle together CMake options which CMake itself can't.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With your proposed change, it unnecessarily prevents performing that validation from GitLab CI altogether.

Why does it have to be a check on the GITLAB_CI environment variable here?

It necessarily prevents it because in a sane CI infra the GitLab service is not run as admin, which makes MSI validation impossible. So what? We have GitHub actions for this, as you said.

Well now I'm tempted to try whether your jobs run with admin privileges on the GitLab.com hosted Windows runners and whether you just called their infrastructure insane. 😅

What if the following would just allow passing custom CMake options?

& cmake.exe "$sourcePath" `
-DCMAKE_BUILD_TYPE="$env:CMAKE_BUILD_TYPE" `
-G "$env:CMAKE_GENERATOR" -A "$env:CMAKE_GENERATOR_PLATFORM" -DCPACK_GENERATOR=WIX `
-DOPENSSL_ROOT_DIR="$env:OPENSSL_ROOT_DIR" `
-DBOOST_LIBRARYDIR="$env:BOOST_LIBRARYDIR" `
-DBOOST_INCLUDEDIR="$env:BOOST_ROOT" `
-DFLEX_EXECUTABLE="$env:FLEX_BINARY" `
-DBISON_EXECUTABLE="$env:BISON_BINARY"

CMake allows passing custom CMake options. This is a convenience script, its job is to fiddle together CMake options which CMake itself can't.

I've linked that script because my question was about that script allowing additional custom CMake options.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well now I'm tempted to try whether your jobs run with admin privileges on the GitLab.com hosted Windows runners and whether you just called their infrastructure insane. 😅

I talked about "the GitLab service"!

I've linked that script because my question was about that script allowing additional custom CMake options.

I don't see a point in custom ones, but I can offer you #10309 (comment) if you really care about hypothetic stuff.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I talked about "the GitLab service"!

Why is this relevant? Aren't the build job permission what matters here?

@Al2Klimov Al2Klimov requested a review from julianbrost January 21, 2025 15:01
…TION is set

This is equivalent to "setting <SuppressValidation>true</SuppressValidation> in your WiX MSBuild project" not to require a CI/CD service to run as an admin.
https://wixtoolset.org/docs/tools/validation/#errors-running-validation
CMakeLists.txt Outdated
@@ -509,6 +509,11 @@ set(CPACK_WIX_PATCH_FILE "${CMAKE_CURRENT_BINARY_DIR}/icinga-installer/icinga2.w
set(CPACK_WIX_EXTENSIONS "WixUtilExtension" "WixNetFxExtension")
set(CPACK_WIX_INSTALL_SCOPE NONE)

if(DEFINED ENV{GITLAB_CI})
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if(DEFINED ENV{GITLAB_CI})
if(DEFINED ENV{ICINGA2_NO_MSI_VALIDATION})

Better?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ICINGA2_NO_MSI_VALIDATION is better than hard-coded GITLAB_CI. Though that being an environment variable there looks a bit odd. None of the other ICINGA2_* options are environment variables but rather regular CMake options. Also, with tools/win32/configure.ps1, there's a script for mapping environment to CMake options.

So I'd rather do something like if (env:ICINGA2_NO_MSI_VALIDATION) CMAKE_OPTS+=DCPACK_WIX_LIGHT_EXTRA_FLAGS=-sval in tools/win32/configure.ps1, or, preferably unless that gets a complete whitespace quoting nightmare - just allow setting any options so that if additional CMake options are needed in the future, this doesn't need another pull request (+ backports) here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/windows Windows agent and plugins cla/signed
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants