Request to add Swift to the Windows builder images

[compnerd]

The Windows Swift installer requires elevated privileges (it will augment the WinSDK and MSVC toolset with modulemaps). The builder user does not have the permissions to perform the elevation and thus cannot install the dependency at runtime as is done on macOS and Linux for rules_swift.

Alternatively, if there is an approach that would work for gaining elevated privileges, that would allow the package to be installed in CI.

CC: @keith

[keith]

cc @meteorcloudy

[meteorcloudy]

I thought the builder on Windows VM has the admin right, like for creating symlinks, do you have any error message of the installation failure?

[compnerd]

Sure: https://buildkite.com/bazel/rules-swift-swift/builds/3396#01810287-ec84-43df-931c-fa0bff97e4f3

The download and install step has the install log.

The interesting part is:

[0464:0CA8][2022-05-26T22:41:36]i010: Launching elevated engine process.
--
  | [0464:0CA8][2022-05-26T22:41:36]e000: Error 0x80070424: Failed to launch elevated child process: C:\Windows\Temp\{356C39B3-7A86-4D62-9F33-0F5C3326D798}\.be\installer.exe
  | [0464:0CA8][2022-05-26T22:41:36]e000: Error 0x80070424: Failed to elevate.
  | [0464:0CA8][2022-05-26T22:41:36]e000: Error 0x80070424: Failed to actually elevate.
  | [0464:0CA8][2022-05-26T22:41:36]e000: Error 0x80070424: Failed to elevate.
  | [0464:0CA8][2022-05-26T22:41:36]i399: Apply complete, result: 0x80070424, restart: None, ba requested restart:  No
  | [0464:0CA8][2022-05-26T22:41:36]i500: Shutting down, exit code: 0x424

[compnerd]

@meteorcloudy I would still like to see this resolved!

[meteorcloudy]

@compnerd Sorry, I currently don't have capacity to look into this. Is it possible to tweak your commands in the presubmit.yml to debug and workaround this? I believe the Windows user running the jobs should already have the admin right.

[compnerd]

@meteorcloudy I'm not sure what debugging would be useful here. Without the UI it is difficult to extract more information from the installer. The highest level logging seems to indicate a failure to gain elevated privileges. Could it be that the Windows image is setup to prompt for elevated privileges (which you cannot do without the GUI)?

[compnerd]

One other thought: 0x80070424 could be error 0x424, which would be 1060, which would be service unavailable. Do we have Windows Update disabled on the CI hosts?

[compnerd]

Bleh, running net start wuauserv seems to indicate that the update service is enabled.

[compnerd]

Okay, trying out something more aggressive:

net start wuauserv
net start bits
net start cryptsvc
net start trustedinstaller

Gives:

  | The requested service has already been started.
  |  
  | More help is available by typing NET HELPMSG 2182.
  |  
  | System error 5 has occurred.
  |  
  | Access is denied.
  |  
  | System error 5 has occurred.
  |  
  | Access is denied.
  |  
  | System error 5 has occurred.
  |  
  | Access is denied.
  |  

This seems to indicate that we are not running with the elevated privileges. I don't think that I can do anything else here @meteorcloudy as the CI environment does not allow installation and this is going to require you to help.

[meteorcloudy]

@compnerd I think you are correct, the buildkite agent doesn't run with admin previleges, see how the user is created: https://github.com/bazelbuild/continuous-integration/blob/1f2d17f7ecd363813c7027b4061f5245f7bf1b58/buildkite/setup-windows.ps1#L279-L288

However, I'm not sure we can give the buildlkite user admin right due to security risks.

[meteorcloudy]

@fweikert Do you have any idea whether we can give the buildkite agent user admin right? We should be able to do it by adding

Add-LocalGroupMember -Group "Administrators" -Member $buildkite_username