[PRODENG-3471] Fix Windows MCR install failing on FIPS channels#640
Open
james-nesbitt wants to merge 6 commits into
Open
[PRODENG-3471] Fix Windows MCR install failing on FIPS channels#640james-nesbitt wants to merge 6 commits into
james-nesbitt wants to merge 6 commits into
Conversation
DOCKER_VERSION was hardcoded to "latest" in the InstallMCR command. For FIPS channels, install.ps1 appends +fips to produce "latest+fips", but docker-latest+fips.zip is never published — only versioned artifacts (docker-29.2.1+fips.zip) exist. Without DOCKER_VERSION set, install.ps1 fetches the channel's index.json and calls getNumericallyHigherVersion, which returns the correct pinned version. This works for all channel types: versioned FIPS (stable-29.2.1/fips), rolling FIPS (stable/fips), and non-FIPS channels alike. Fixes PRODENG-3471
Exercises a ubuntu24 manager + windows_2022 worker cluster with MCR channel stable-29.2.1/fips. Both Linux (APT component ubuntu/dists/noble/stable-29.2.1/fips/) and Windows (win/static/stable-29.2.1/fips/index.json) have published artifacts for this channel. The test directly covers the regression: without the fix, the Windows installer would attempt docker-latest+fips.zip (which does not exist); with the fix it resolves docker-29.2.1.1+fips.zip from the channel index.
Triggered by the 'smoke-windows-fips' PR label (or 'smoke-test' to run all suites, or on push to main).
james-nesbitt
added
smoke-fips
There was a problem hiding this comment.
Pull request overview
This PR fixes Windows MCR installation on FIPS channels by no longer forcing DOCKER_VERSION=latest, allowing the upstream install.ps1 script to resolve an appropriate versioned +fips artifact via the channel index.json.
Changes:
- Remove hardcoded
DOCKER_VERSION=latestfrom the Windows MCR install command so the installer script can select a valid versioned artifact. - Add a new FIPS-focused smoke test (
TestFIPSCluster) and wire it into Make and GitHub Actions as an on-demand smoke job.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
pkg/configurer/windows.go |
Drops DOCKER_VERSION from the Windows MCR install invocation so FIPS channels resolve to versioned artifacts. |
test/smoke/smoke_test.go |
Adds a smoke test covering an Ubuntu manager + Windows 2022 worker using a FIPS MCR channel. |
Makefile |
Adds a smoke-fips target to run the new FIPS smoke test. |
.github/workflows/smoke-tests.yaml |
Adds a smoke-fips workflow job gated by labels / pushes, invoking make smoke-fips. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| }() | ||
|
|
||
| installCommand := fmt.Sprintf("set DOWNLOAD_URL=%s && set DOCKER_VERSION=%s && set CHANNEL=%s && powershell -ExecutionPolicy Bypass -NoProfile -NonInteractive -File %s -Verbose", engineConfig.RepoURL, version, engineConfig.Channel, ps.DoubleQuote(installer)) | ||
| installCommand := fmt.Sprintf("set DOWNLOAD_URL=%s && set CHANNEL=%s && powershell -ExecutionPolicy Bypass -NoProfile -NonInteractive -File %s -Verbose", engineConfig.RepoURL, engineConfig.Channel, ps.DoubleQuote(installer)) |
3 tasks
…ks up v0.1.6 The terraform-mirantis-modules/provision-aws module gained ubuntu_22.04_fips in v0.1.6 but the Terraform Registry has not yet indexed that release. Add it to lib_local_platform_definitions in examples/terraform/aws-simple/platform.tf as a temporary override with a TODO to remove once the module source is bumped to >= v0.1.6. Also wire Ubuntu22FIPS into test/platforms.go and update TestFIPSCluster to use it as the manager node.
Collaborator
Author
|
The Written by AI: claude-sonnet-4-5 |
windows_2022 consistently fails to open port 5986 (WinRM HTTPS) within the retry window. Switching to windows_2025 to determine if the issue is AMI-specific.
james-nesbitt
force-pushed
the
PRODENG-3471
branch
from
e2fb317 to
4f2d630
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Remove hardcoded
DOCKER_VERSION=latestfrom the Windows MCR install command, lettinginstall.ps1resolve the version from the channel'sindex.json.Why
For FIPS channels,
install.ps1appends+fipstoDOCKER_VERSION, producingdocker-latest+fips.zip— a file that has never been published. Only versioned artifacts (docker-29.2.1+fips.zip) exist on FIPS channels.How
version := "latest"and theDOCKER_VERSIONenv var from theset … && powershellinstall command inInstallMCRDOCKER_VERSIONset,install.ps1fetches{repoURL}/win/static/{channel}/index.jsonand callsgetNumericallyHigherVersion, returning the correct pinned artifact (e.g.29.2.1.1+fips)Testing
go build ./...)docker-latest+fips.zipabsent,docker-29.2.1.1+fips.zippresent;index.jsonlists versioned entries thatgetNumericallyHigherVersioncorrectly selectsLinks
Checklist
Written by AI: claude-sonnet-4-5