feat(windows): collect RSA key container handles#8908
Draft
sinmentis wants to merge 3 commits into
Draft
Conversation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Copilot-Session: b7e09cea-7439-4207-b1d5-fe87321cc149
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Copilot-Session: b7e09cea-7439-4207-b1d5-fe87321cc149
Contributor
There was a problem hiding this comment.
Pull request overview
This PR enhances Windows diagnostics in AgentBaker by baking Sysinternals Handle into Windows VHDs and capturing RSA key container handle ownership in the on-demand Windows log bundle, enabling faster investigation of gMSA-related RSA key container leaks without incident-time downloads.
Changes:
- Download and cache Sysinternals Handle in Windows VHD build tooling.
- Extend
collect-windows-logs.ps1to runhandle64.exeforrsa-key-containerand add the output to the log archive. - Update Windows VHD content tests and Windows E2E log archive validation to include/verify the new artifact.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| vhdbuilder/packer/windows/configure-windows-vhd.ps1 | Adds Sysinternals Handle download/extract into c:\aks-tools\Handle during VHD build. |
| vhdbuilder/packer/test/windows-vhd-content-test.ps1 | Validates Handle\handle64.exe exists on the built VHD. |
| staging/cse/windows/debug/collect-windows-logs.ps1 | Collects RSA key container handle output (when Handle is present) into the log bundle. |
| e2e/validators.go | Expands and validates the log archive contains the new Handle output file. |
Keep validation compatible with older VHDs and exclude empty Handle output from log archives. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Copilot-Session: b7e09cea-7439-4207-b1d5-fe87321cc149
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changed
Why
This gives support engineers the handle ownership data needed to diagnose RSA key container leaks in Windows gMSA scenarios without downloading tools during an incident.
Compatibility
The collector skips Handle when it runs on an older VHD that doesn't include the binary, so newer CSE scripts remain compatible with supported older images.
Validation
go test ./...cd e2e && go test . -run '^$' && go vet ..ps1filesHandle\handle64.exeAB#37351719