Windows Updates

ansible/ansible.cfg

@@ -43,6 +43,7 @@ ansible_python_interpreter = /NODEJS2/python-2017-04-12-py27/python27/bin/python
 home                       = /u
 
 [hosts:win]
+ansible_become                       = false
 ansible_connection                   = winrm
 ansible_winrm_server_cert_validation = ignore
 

ansible/inventory.yml

@@ -77,6 +77,20 @@ hosts:
 
     - azure:
         msft-ubuntu1604_arm_cross-x64-1: {ip: nodejs.eastus2.cloudapp.azure.com, user: ubuntu}
+        msft-win10_vcbt2015-x64-1: {ip: nodejs.eastus2.cloudapp.azure.com}
+        msft-win10_vcbt2015-x64-2: {ip: nodejs.westus2.cloudapp.azure.com}
+        msft-win10_vcbt2015-x64-3: {ip: nodejs.eastus2.cloudapp.azure.com}
+        msft-win10_vcbt2015-x64-4: {ip: nodejs.westus2.cloudapp.azure.com}
+        msft-win10_vs2019-x64-1: {ip: nodejs.eastus2.cloudapp.azure.com}
+        msft-win10_vs2019-x64-2: {ip: nodejs.westus2.cloudapp.azure.com}
+        msft-win10_vs2019-x64-3: {ip: nodejs.eastus2.cloudapp.azure.com}
+        msft-win10_vs2019-x64-4: {ip: nodejs.westus2.cloudapp.azure.com}
+        msft-win2016_vs2017-x64-1: {ip: nodejs.eastus2.cloudapp.azure.com}
+        msft-win2016_vs2017-x64-2: {ip: nodejs.westus2.cloudapp.azure.com}
+        msft-win2016_vs2017-x64-3: {ip: nodejs.eastus2.cloudapp.azure.com}
+        msft-win2016_vs2017-x64-4: {ip: nodejs.westus2.cloudapp.azure.com}
+        msft-win2016_vs2017-x64-5: {ip: nodejs.eastus2.cloudapp.azure.com}
+        msft-win2016_vs2017-x64-6: {ip: nodejs.westus2.cloudapp.azure.com}
 
     - digitalocean:
         debian8-x64-1: {ip: 159.203.103.52}
@@ -134,8 +148,8 @@ hosts:
         macos10.12-x64-2: {ip: 207.254.58.162, port: 10002, user: administrator}
 
     - msft:
-        win10-arm64-1: { vs: '2017' }
-        win10-arm64-2: { vs: '2017' }
+        win10_vs2017-arm64-1: {}
+        win10_vs2017-arm64-2: {}
 
 
     - osuosl:
@@ -159,6 +173,24 @@ hosts:
         fedora27-x64-1: {ip: 119.9.51.79}
         ubuntu1604-x64-1: {ip: 119.9.51.176}
         ubuntu1604-x64-2: {ip: 104.130.124.194}
+        win2008r2_vs2017-x64-1: {ip: 162.242.223.198}
+        win2008r2_vs2017-x64-2: {ip: 104.130.135.210}
+        win2008r2_vs2017-x64-3: {ip: 119.9.131.43}
+        win2008r2_vs2017-x64-4: {ip: 104.130.116.9}
+        win2012r2_vs2013-x64-1: {ip: 104.239.174.165}
+        win2012r2_vs2013-x64-2: {ip: 104.130.132.171}
+        win2012r2_vs2015-x64-1: {ip: 104.239.174.8}
+        win2012r2_vs2015-x64-2: {ip: 104.130.141.137}
+        win2012r2_vs2017-x64-1: {ip: 162.242.237.72}
+        win2012r2_vs2017-x64-2: {ip: 104.239.142.99}
+        win2012r2_vs2017-x64-3: {ip: 119.9.131.54}
+        win2012r2_vs2017-x64-4: {ip: 166.78.99.25}
+        win2012r2_vs2019-x64-1: {ip: 162.242.237.124}
+        win2012r2_vs2019-x64-2: {ip: 104.130.158.58}
+        win2012r2_vs2019-x64-3: {ip: 119.9.131.63}
+        win2012r2_vs2019-x64-4: {ip: 104.130.219.103}
+        win2012r2_vs2019-x64-5: {ip: 104.130.6.92}
+        win2012r2_vs2019-x64-6: {ip: 104.130.141.231}
 
     - requireio:
         andineck-debian10-armv6l_pi1p-1:         {ip: 192.168.2.42, user: pi, alias: iojs-ns-pi1p-3 }

ansible/playbooks/jenkins/worker/create.yml

@@ -31,6 +31,28 @@
 
   environment: '{{remote_env}}'
 
+- hosts:
+  - "*-win*"
+
+  roles:
+    - bootstrap
+    - package-upgrade
+    - baselayout-windows
+    - visual-studio
+    - jenkins-worker-windows
+
+  pre_tasks:
+    - name: check if secret is properly set
+      fail:
+      failed_when: not secret
+
+  post_tasks:
+    - name: reboot Windows machines
+      when: os|startswith("win")
+      win_reboot:
+
+  environment: '{{remote_env}}'
+
 #
 # Set up Jenkins Workspace servers
 #
@@ -52,7 +74,10 @@
   roles:
     - linux-perf
 
+#
 # Ensure node is not installed anywhere but the linter servers
+#
+
 - hosts:
   - test
   - release

ansible/playbooks/update-windows.yml

@@ -0,0 +1,80 @@
+---
+
+#
+# Updates Windows username, password and connection ports
+#
+# Usage:
+#
+# Set the following variables with the new values in the secret inventory file:
+# - new_user     - to change the username
+# - new_password - to change the password
+# - new_port     - to change the WinRM connection port (default: 5986)
+# - new_rdp_port - to change the RDP connection port (default: 3389)
+#
+# Changing username, password or WinRM port makes Ansible unable to connect,
+# failing the command immediately. Thus, after EACH STEP in this script
+# runs/fails successfully, remove the old variable and 'new_' from the new one
+# in the inventory file and run again if there are more to change.
+#
+# Only the RDP port needs a reboot to apply (ansible HOST -m win_reboot).
+#
+# Changing credentials on release machines breaks access to the code signing
+# certificate, so it need to be re-installed after running this.
+#
+
+
+- hosts:
+  - "*-win*"
+
+  vars:
+    autologon_regpath: 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
+
+  tasks:
+    - name: set automatic logon user name
+      when: '(new_user is defined) and (new_user|length > 0)'
+      win_regedit:
+        path: "{{ autologon_regpath }}"
+        name: DefaultUsername
+        data: "{{ new_user }}"
+        type: string
+    - name: rename user account - applies immediately making this fail on success
+      when: '(new_user is defined) and (new_user|length > 0)'
+      win_command: "wmic useraccount where name=\"{{ ansible_user }}\" rename {{ new_user }}"
+
+    - name: set automatic logon password
+      when: '(new_password is defined) and (new_password|length > 0)'
+      win_regedit:
+        path: "{{ autologon_regpath }}"
+        name: DefaultPassword
+        data: "{{ new_password }}"
+        type: string
+    - name: change user password - applies immediately making this fail on success
+      when: '(new_password is defined) and (new_password|length > 0)'
+      win_command: "net user {{ ansible_user }} {{ new_password }}"
+
+
+# CAUTION: Change ports only in Rackspace. Azure hosts are behind NAT.
+- hosts:
+  - "*-rackspace-win*"
+
+  vars:
+    netsh_common: 'netsh advfirewall firewall add rule profile=any dir=in protocol=TCP action=allow'
+
+  tasks:
+    - name: add firewall exception for WinRM port
+      when: '(new_port is defined) and (new_port > 0)'
+      win_command: "{{ netsh_common }} name=\"Allow WinRM HTTPS on port {{ new_port }}\" localport={{ new_port }}"
+    - name: change WinRM port - applies immediately making this fail with ConnectTimeout on success
+      when: '(new_port is defined) and (new_port > 0)'
+      win_shell: "winrm set winrm/config/listener?Address=*+Transport=HTTPS '@{Port=\"{{ new_port }}\"}'"
+
+    - name: add firewall exception for RDP port
+      when: '(new_rdp_port is defined) and (new_rdp_port > 0)'
+      win_command: "{{ netsh_common }} name=\"Allow RDP on port {{ new_rdp_port }}\" localport={{ new_rdp_port }}"
+    - name: change RDP port - applies only when host is rebooted
+      when: '(new_rdp_port is defined) and (new_rdp_port > 0)'
+      win_regedit:
+        path: 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
+        name: PortNumber
+        data: "{{ new_rdp_port }}"
+        type: dword

ansible/plugins/inventory/nodejs_yaml.py

@@ -243,6 +243,10 @@ def parse_yaml(hosts, config):
                             hostvars.update({'ansible_become': True})
                             del metadata['user']
 
+                        if 'password' in metadata:
+                            hostvars.update({'ansible_password': str(metadata['password'])})
+                            del metadata['password']
+
                         hostvars.update(metadata)
 
                         # add specific options from config

ansible/roles/baselayout-windows/tasks/main.yml

@@ -7,6 +7,14 @@
 - name: install NetWide Assembler
   win_chocolatey: name=nasm
 
+- name: install CMake
+  win_chocolatey:
+    name: cmake
+    install_args: 'ADD_CMAKE_TO_PATH=System'
+
+- name: install Python 3
+  win_chocolatey: name=python
+
 - name: install Python 2
   win_chocolatey: name=python2
 
@@ -17,10 +25,14 @@
       params: '/GitAndUnixToolsOnPath'
   - name: enable long paths in Git
     win_command: 'git config --global core.longpaths true'
+  - name: set Git user name
+    win_command: 'git config --global user.name "{{inventory_hostname}}"'
+  - name: set Git user email
+    win_command: 'git config --global user.email "ci@iojs.org"'
 
 # Necessary for junit output in Jenkins jobs
 - name: install tap2junit
-  win_command: 'pip2 install tap2junit'
+  win_command: 'pip3 install --upgrade tap2junit'
 
 # Necessary for the libuv test job
 - block:

ansible/roles/bootstrap/tasks/partials/win.yml

@@ -26,3 +26,23 @@
       name: AutoAdminLogon
       data: 1
       type: string
+
+# Comply with Azure security recommendations
+# After changing anything in this list check if the following still work:
+# - Windows Update
+# - PowerShell remoting (for Ansible connections)
+# - RDP from Windows
+# - RDP from Remmina
+- block:
+  - name: disable SSL 2.0
+    win_regedit:
+      path: 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'
+      name: Enabled
+      data: 0
+      type: dword
+  - name: disable SSL 3.0
+    win_regedit:
+      path: 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'
+      name: Enabled
+      data: 0
+      type: dword

ansible/roles/package-upgrade/tasks/partials/chocolatey.yml

@@ -8,7 +8,7 @@
   - name: reboot machine to ensure no updates are pending
     win_reboot:
   - name: wait for Jenkins to start if already installed
-    win_shell: 'Start-Sleep -Seconds 10'
+    win_shell: 'Start-Sleep -Seconds 30'
   - name: stop Jenkins after reboot
     win_shell: 'Get-WmiObject Win32_Process -Filter "(Name = ''cmd.exe'') AND (CommandLine LIKE ''%jenkins.bat%'')" | % {$_.Terminate()}'
 

ansible/roles/visual-studio/tasks/main.yml

@@ -4,26 +4,51 @@
 # Install Visual Studio
 #
 
-- when: vs == '2013'
-  block:
-  # TODO: Ensure no other versions are installed
-  - name: install Visual Studio 2013
-    include_tasks: "partials/vs2013.yml"
+- name: install Visual Studio 2013
+  when: "'vs2013' in inventory_hostname"
+  include_tasks: "partials/vs2013.yml"
 
-- when: vs == '2015'
-  block:
-  # TODO: Ensure no other versions are installed
-  - name: install Visual Studio 2015
-    include_tasks: "partials/vs2015.yml"
+- name: install Visual Studio 2015
+  when: "'vs2015' in inventory_hostname"
+  include_tasks: "partials/vs2015.yml"
 
-- when: vs == 'vcbt2015'
-  block:
-  # TODO: Ensure no other versions are installed
-  - name: install Visual C++ Build Tools 2015
-    include_tasks: "partials/vcbt2015.yml"
+- name: install Visual C++ Build Tools 2015
+  when: "'vcbt2015' in inventory_hostname"
+  include_tasks: "partials/vcbt2015.yml"
 
-- when: vs == '2017'
-  block:
-  # TODO: Ensure no other versions are installed
-  - name: install Visual Studio 2017
-    include_tasks: "partials/vs2017.yml"
+- name: install Visual Studio 2017
+  when: "'vs2017' in inventory_hostname"
+  include_tasks: "partials/vs2017.yml"
+
+- name: install Visual Studio 2019
+  when: "'vs2019' in inventory_hostname"
+  include_tasks: "partials/vs2019.yml"
+
+# Install clcache and apply patches known to work
+- block:
+  - name: check if clcache is already cloned
+    win_stat: path='C:\clcache'
+    register: clcache_stat
+  - name: clone clcache repository
+    win_command: 'git clone https://github.com/frerich/clcache.git C:\clcache'
+    when: not clcache_stat.stat.exists
+  - name: update clcache repository
+    win_command: 'git fetch --all'
+    args: { chdir: 'C:\clcache' }
+    when: clcache_stat.stat.exists
+  - name: checkout revision
+    win_command: 'git checkout -f -B master 7a3e62a3d801e0bc94dd78001c03144ce5232940'
+    args: { chdir: 'C:\clcache' }
+  - name: merge PR 324
+    win_shell: 'curl.exe -L https://github.com/frerich/clcache/pull/324.patch | git am'
+    args: { chdir: 'C:\clcache' }
+  - name: merge PR 317
+    win_shell: 'curl.exe -L https://github.com/frerich/clcache/pull/317.patch | git am'
+    args: { chdir: 'C:\clcache' }
+  - name: install PyInstaller
+    # https://github.com/pyinstaller/pyinstaller/issues/4265
+    win_command: 'py -3 -m pip install https://github.com/pyinstaller/pyinstaller/archive/develop.tar.gz'
+    #win_command: 'py -3 -m pip install PyInstaller'
+  - name: build clcache
+    win_shell: '$env:PYTHONPATH = "C:\clcache"; py -3 -m PyInstaller -y pyinstaller/clcache_main.py'
+    args: { chdir: 'C:\clcache' }

ansible/roles/visual-studio/tasks/partials/vs2015.yml

@@ -12,7 +12,7 @@
 
 - name: install Visual Studio Community 2015
   win_command: 'C:\TEMP\vs2015_community.exe /Silent /NoRestart
-                /InstallSelectableItems NativeLanguageSupport_Group
+                /InstallSelectableItems NativeLanguageSupport_VC
                 /Log C:\TEMP\vs2015_install_log.txt'
 
 - name: install WiX Toolset

ansible/roles/visual-studio/tasks/partials/vs2017.yml

@@ -21,7 +21,7 @@
 
 - name: download WiX Toolset Visual Studio Extension
   win_get_url:
-    url: 'https://github.com/wixtoolset/VisualStudioExtension/releases/download/v0.9.21.62588/Votive2017.vsix'
+    url: 'https://github.com/wixtoolset/VisualStudioExtension/releases/download/v1.0.0.4/Votive2017.vsix'
     dest: 'C:\TEMP\Votive2017.vsix'
 
 - name: install WiX Toolset Visual Studio Extension