Attempting to run the pipeline on an Azure hosted agent - thoughts and experiences

[seqdan]

As far as I understand it, this repository seems to enable us to run our own Azure DevOps Agents in the cloud and/or on premise, and although we run them, they would have the same configuration as those agents that Microsoft offers as "hosted agents". Awesome!

I have experimented a bit creating my own windows2019 images. Some things went smoothly; others were a bit hard. I am not an expert; some things might have been difficult because of limited knowledge. But I just discovered the "Discussions" tab here and thought it might make sense to take notes of my progress (or not progress) and share them here for feedback. I'd be happy to update the documentation (via PR) here from what I figure out.

I find it quite tempting to be able to create a new VM image automatically via pipeline whenever there is a new release in this repository. This could be used in a virtual machine scale set in Azure. Once fully automated, one would automatically have always the latest agents up & running. It goes without saying that there should be security measures in place, like a manual review and approval step. And I obviously want to install a handful of extra tools, to save time during the pipeline runs.

It took me a while until I understood that, in order to create an image via my local machine, I only need to follow a few steps here: CreateImageAndAzureResources.md . Clone the repo, cd into it, and run the script:

Import-Module .\helpers\GenerateResourcesAndImage.ps1
GenerateResourcesAndImage -SubscriptionId {YourSubscriptionId} -ResourceGroupName "myTestResourceGroup" -ImageGenerationRepositoryRoot "$pwd" -ImageType Windows2019 -AzureLocation "East US"

The build itself took a bit more than 7 hours.

Now, the next step would be, to run this unattended in a pipeline. Wouldn't it be awesome to run it on a hosted Azure DevOps agent?

This is the challenge I am currently trying to solve. I am not sure if the hosted agents with their maximum runtime of 6 hours are fast enough and capable enough to run through the entire image generation process. It might be advisable to just launch a VM in Azure instead, but I want to try it out first.

There is an Azure Pipeline file windows2019.yml which seems to exist for exactly this purpose: I have created a pipeline in my own Azure DevOps Organization and linked it to this file.

The first stumblestone was the agent pool, which is hard coded in image-generation.yml . It would be great to have this defined as a variable, so that people with other pool names can directly hook their Azure Pipeline up to the repository. I have cloned it and ... hard coded :D a different value in my fork.

The second hurdle were the expected variables and permissions for the pipeline. The pipeline expects a certain set of variables set in a variable group named Image Generation Variables.

These variables seemed to be required:

• AZURE_LOCATION
• AZURE_RESOURCE_GROUP
• AZURE_STORAGE_ACCOUNT
• AZURE_SUBSCRIPTION
• AZURE_TENANT
• BUILD_AGENT_SUBNET_NAME
• BUILD_AGENT_VNET_NAME
• BUILD_AGENT_VNET_RESOURCE_GROUP
• CLIENT_ID
• CLIENT_SECRET
• GITHUB_TOKEN
• IMAGETYPE

Permissions were a bit tricky. It is clearly written in the documentation:

To setup image-generation CI or use packer manually — SP with full read-write permissions for selected Azure subscription needed.

Unfortunately, by the time I was working on this, I had forgotten about that part of the documentation, and encountered an error message I could not interpret:

Build 'vhd' errored after 1 second 358 milliseconds: resources.GroupsClient#CheckExistence: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: error response cannot be parsed: "" error: EOF

This issue here finally helped me figuring out why the disk could not be created: while it had full permissions on the resource group, it did not have any on the subscription. Therefore, the temporary resource group could not be created. Giving the SP full permissions on the subscription gave me a angry look of a colleague, but made it work.

Another thing I was unsure about were the vnet and subnet variables. I found it confusing that they are required to be filled. I have tried various approaches, like creating a vnet manually, leaving the value empty, and taking the variables out of the packer command (that one definitely works). I wonder if these really have to be mandatory, or if one could make them optional.

The pipeline has failed after 6 hours 11 minutes. I was surprised that the logs contained less content (1000 lines) after the job had failed than during the run (about 50k lines the last time I had looked). The raw log's first line:

2020-12-22T01:12:59.9690670Z ##[section]This job was abandoned. We have detected that logs from the agent may have not finished uploading. We have included our in-memory record of all log lines uploaded before we lost contact with the agent:

The error message in Azure DevOps:

##[error]We stopped hearing from agent Azure Pipelines 2. Verify the agent machine is running and has a healthy network connection. Anything that terminates an agent process, starves it for CPU, or blocks its network access can cause this error. For more information, see: https://go.microsoft.com/fwlink/?linkid=846610

This is most likely due to the 6 hours timeout.

[maxim-lobanov]

Hello @seqdan , content of images.CI folder is intended only for Internal purpose and we don't expert customers to use it to build own images regularly. images.CI requires some Azure pre-configuration, pre-defined agent and we are not ready to share it for now.

As it is mentioned in README, we suggest using the following guide to build own images: https://github.com/actions/virtual-environments/blob/main/help/CreateImageAndAzureResources.md

Also, it could be tricky to build images on Hosted agents because

• packer agent should be connected to VM that requires exposing VM ports to public from your Azure subscription. Potentially, it brings a lot of risks.
• Windows image generation takes 7-9 hours that won't work on Hosted agent due to 6 hours limitation.

Ideally, you should use self-hosted agent deployed in the same Azure subscription where you build VMs. In this case, packer agent and VM will be connected directly and there won't be security problems

[miketimofeev]

@seqdan I believe you can use service-principal authorization in that case

https://docs.microsoft.com/ru-ru/powershell/azure/create-azure-service-principal-azureps?view=azps-5.3.0

[maxim-lobanov]

@seqdan , currently, this script doesn't support auth in non-interactive way. But we would be glad to review pull-request to add support for it if you would like to contribute.

Probably, we can introduce additional optional inputs to auth via service principal and if they are not specified, fallback to interactive way.

[seqdan]

Thanks @maxim-lobanov and @miketimofeev , I have created a PR: #2622
Unfortunately, I have had some issues: Creating a Service Principal "B" while being authenticated via a Service Principal "A" seems to be a bit tricky, even if Service Principal "A" is an "Owner" of the subscription. I was not able to test a complete run yet; however, authentication itself seems to work.

[seqdan]

Would anyone be able to give me feedback on the service principals?

[maxim-lobanov]

@seqdan , may be we don't need to create new service principal if it is already provided as an input. We can just use input Service Principal to build image.

[itachenko]

Hey guys!
I've faced a problem which hopefully you can help me to solve.

Long story short.
Angular/Electron project.
Azure DevOps pipeline uses Microsoft hosted agent with macOS-10.15 image to build and test (Spectron) the application.
During the test run application reports no internet connection thus disabling some buttons thus failing tests.

According to colleagues these tests were passing previously - maybe a couple of months ago.
Issue could not be reproduced on local Mac mini with Catalina.

Is there anything on the hosted agent which can block outbound fetch requests?

Cheers,
Ivan

[miketimofeev]

@itachenko we're not aware of any changes. Could you please create an issue with the repro steps?