env/windows-arm64/azure: fix problems with token generation setup

thanm · thanm · commit e76512c4a51d · 2023-12-14T19:26:45.000Z
This patch revises the recipe for creating a scheduled task (via powershell commands) to run the LUCI token generator. Turns out that the default for scheduled tasks is to only run them when their specified user is logged in, meaning that the recipe as written was incorrect. The fix is to use the 'New-ScheduledTaskPrincipal' cmdlet to boost the priority of the task and run it as a service account / system user. Updates golang/go#64587. Change-Id: I281d8c5c11b0b41478524dfd456f4b1179c4d840 Reviewed-on: https://go-review.googlesource.com/c/build/+/549755 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/env/windows-arm64/azure/startup.ps1 b/env/windows-arm64/azure/startup.ps1
@@ -239,12 +239,15 @@ $cmd | Out-File -Encoding ascii $run_tokend_batfile
 Add-Content -Encoding ascii -Path $run_tokend_batfile -Value "echo %date% %time% >> $cert_dir\lastrun.txt"
 
 # Create a scheduled task to run 'luci_machine_tokend.exe' every 10
-# minutes (as tokend user) to regenerated token.json. 
+# minutes to regenerate token.json.  Note that this scheduled task
+# has to be run even when user "tokend" is not logged in, which requires
+# a bit of extra work (via -LogonType option to New-ScheduledTaskPrincipal).
 $task_action = New-ScheduledTaskAction -Execute $run_tokend_batfile
-$task_trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1)
-$task_settings = New-ScheduledTaskSettingsSet
-$task = New-ScheduledTask -Action $task_action -Trigger $task_trigger -Settings $task_settings
-Register-ScheduledTask -TaskName 'Token Generator' -InputObject $task -User 'tokend'
+$task_trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 10)
+$task_settings = New-ScheduledTaskSettingsSet -MultipleInstances Parallel
+$principal = New-ScheduledTaskPrincipal -LogonType ServiceAccount -UserID "NT AUTHORITY\SYSTEM" -RunLevel Highest
+$task = New-ScheduledTask -Action $task_action -Trigger $task_trigger -Settings $task_settings -Principal $principal
+Register-ScheduledTask -TaskName 'Token Generator' -InputObject $task
 
 # Run the swarming loop script on login
 Write-Host "setting bootstrapswarm to run on start"
