(#230) Add Admin Only Source For Chocolatey Core Packages #255
Conversation
ryanrichter94
force-pushed
the
QSG-230
branch
5 times, most recently
from
24711b3
to
3fe0c59
Compare
ryanrichter94
force-pushed
the
QSG-230
branch
2 times, most recently
from
7e070da
to
75ed7a5
Compare
|
Converted back to draft after finding issue when running ClientSetup script. |
ryanrichter94
force-pushed
the
QSG-230
branch
3 times, most recently
from
15ddbb0
to
51af786
Compare
ryanrichter94
force-pushed
the
QSG-230
branch
4 times, most recently
from
184a914
to
7d2ab5a
Compare
Start-C4bNexusSetup.ps1
Outdated
| Get-ChildItem -Path "$env:SystemDrive\choco-setup\files\files" -Filter *.nupkg | ForEach-Object { | ||
| choco push $_.FullName --source "$((Get-NexusRepository -Name 'ChocolateyInternal').url)/index.json" --apikey $NugetApiKey --force | ||
| Get-ChildItem -Path "$env:SystemDrive\choco-setup\files\packages" -Filter *.nupkg | ForEach-Object { | ||
| choco push $_.FullName --source "$((Get-NexusRepository -Name 'ChocolateyCore').url)/index.json" --apikey $NugetApiKey --force |
There was a problem hiding this comment.
Are we sure we're only pushing what we need to here? What is in the packages folder at this point? The only filter is "give me all the nupkgs"
Start-C4bNexusSetup.ps1
Outdated
| if (-not (Test-Path 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe')) { | ||
| if (Test-Path 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'){ | ||
| Write-Host "Syncing Microsoft Edge, to bring it under Chocolatey management" | ||
| choco sync --id="Microsoft Edge" --package-id="microsoft-edge" |
There was a problem hiding this comment.
Careful with this Sync. I've seen edge Shipped as Windows be in Programs and Features but not be able to be synced because it's installed "special" and isn't in the hive(s) you'd expect from the registry.
There was a problem hiding this comment.
In fact, do we even need this? Edge is default in 2019+, which is what we support so it'll never not be there and on the path. This seems overly complicated at this stage.
There was a problem hiding this comment.
Server 2019 does not ship with Microsoft Edge, also if we are installing our product suite onto a fresh server dedicated just for Chocolatey use, should we not make sure all software on that machine is managed by a Chocolatey package?
There was a problem hiding this comment.
Yes, we should. I'm just warning that in cases where Edge has been installed via servicing channel (think a Windows Update), choco sync does not detect it, even though it's installed, so we might drop out of the check erroneously.
It might be simpler to just go "screw it, I'm putting edge on here", install the package, and let the underlying install sort things out.
I bring this up because I've seen sync not work even though Edge was very clearly displaying in Programs and Features. It's a real peach.
| @@ -112,21 +112,28 @@ choco config set cacheLocation $env:ChocolateyInstall\choco-cache | |||
| choco config set commandExecutionTimeoutSeconds 14400 | |||
|
|
|||
| if ($InternetEnabled) { | |||
| choco source add --name="'ChocolateyInternal'" --source="'$RepositoryUrl'" --allow-self-service --user="'$($Credential.UserName)'" --password="'$($Credential.GetNetworkCredential().Password)'" --priority=1 | |||
| choco source add --name="'ChocolateyCore'" --source="'$RepositoryUrl'" --allow-self-service --admin-only --user="'$($Credential.UserName)'" --password="'$($Credential.GetNetworkCredential().Password)'" --priority=0 | |||
There was a problem hiding this comment.
Think it a good idea to have the admin-only source configured with the same credentials as the non-admin source? What if the non-admin creds get found out? Now you got 2 problems, not 1.
This requires bigger changes
There was a problem hiding this comment.
The only reason ChocolateyCore repo has admin-only is to hide it from the end user GUI view. Also the credential is the same account with permissions to browse and download out of a raw/NuGet repo that ChocolateyInternal originally had before this change.
As this script is meant for a non-admin client registration. I wouldn't feel comfortable putting a true "admin" credential on either of these sources as default behavior.
There was a problem hiding this comment.
Admin in name only. The credential should and would (at least this is what I expect) to be limited to browse/read operations on this new repository. The existing credential would not have access to this repository. This is a true separation such that if either credential is leaked somehow, only 1 repository is affected, and even then only in that they can download the packages, they'll still not be able to delete or write anything.
ryanrichter94
force-pushed
the
QSG-230
branch
3 times, most recently
from
c7fe463
to
aa63e22
Compare
ryanrichter94
force-pushed
the
QSG-230
branch
from
6c779c2
to
84d95e8
Compare
The manifest folders lived in a folder named after one in the Ansible project. This didn't make sense here, where it often lives inside a /files/ directory already. This has been changed.
- Add ChocolateyCore repo as main repo for core packages - Add callout to new ChocolateyCore repository - Remove See It In Action README section as video is outdated - Fixup spelling/grammar in README - Add new Update ChocolateyCore Repository Jenkins Job - Add test to check for new Jenkins job - Remove legacy build files from new and existing Jenkins jobs
Add handling to bring edge under Chocolatey management if it was natively installed by a newer server OS. This should ensure that the test is more consistent, delivering the same result regardless of if the Chocolatey package were installed or not.
ryanrichter94
force-pushed
the
QSG-230
branch
from
84d95e8
to
0fe0507
Compare
Description Of Changes
Motivation and Context
Main reason for creating this repository was from feedback of admins not wanting their end users to see the Chocolatey core packages in the default repository. This way ChocolateyInternal only contains the packages brought in by the Jenkins internalization pipeline. Also cleaning up the end user view.
Testing
Operating Systems Testing
Change Types Made
[ ] Bug fix (non-breaking change).[ ] Feature / Enhancement (non-breaking change).Change Checklist
Related Issue
Fixes #230