Skip to content

fix(windows-cse): check exit codes of external commands to honour try/catch#8133

Open
timmy-wright wants to merge 3 commits intomainfrom
timmy/windows-cse-scripts-error-handling
Open

fix(windows-cse): check exit codes of external commands to honour try/catch#8133
timmy-wright wants to merge 3 commits intomainfrom
timmy/windows-cse-scripts-error-handling

Conversation

@timmy-wright
Copy link
Contributor

@timmy-wright timmy-wright commented Mar 19, 2026
edited
Loading

Summary

Native executables in PowerShell set $LASTEXITCODE on failure but do not throw exceptions, so try/catch blocks silently swallow failures from commands like icacls.exe, sc.exe, nssm.exe, netsh, and reg.exe.

This PR adds if ($LASTEXITCODE -ne 0) { throw "..." } checks after each unchecked external command call so that failures propagate as exceptions through the call stack.

Changes

File Commands fixed
parts/windows/kuberneteswindowssetup.ps1 icacls.exe (x4), netsh advfirewall
staging/cse/windows/configfunc.ps1 sc.exe failure (x3), reg.exe import in try/catch that did not catch it, icacls (x4), nssm.exe install+configure for csi-proxy and hosts-config-agent
staging/cse/windows/kubeletfunc.ps1 nssm.exe install+configure for Kubelet and Kubeproxy, Invoke-Expression nssm DependOnService
staging/cse/windows/containerdfunc.ps1 sc.exe delete, nssm.exe install+configure for containerd
staging/cse/windows/windowsciliumnetworkingfunc.ps1 Cilium install script invocation

Notes

  • The reg.exe import call in configfunc.ps1 was already inside a try/catch but the catch was unreachable for native command failures. The $LASTEXITCODE check now makes it catchable.
  • For nssm.exe blocks a check is added after install and after the final set call.
  • Log/diagnostics-only commands were intentionally excluded.

Relates to IcM 613775405

@timmy-wright timmy-wright changed the base branch from master to main March 19, 2026 22:48
Copilot AI review requested due to automatic review settings March 19, 2026 22:50
@timmy-wright timmy-wright requested a review from YaoC as a code owner March 19, 2026 22:50
Copilot AI reviewed Mar 19, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves Windows CSE reliability by ensuring failures from native executables (which only set $LASTEXITCODE and don’t throw) are surfaced as exceptions so existing try/catch blocks can handle them, and it updates the generated CustomData snapshots accordingly.

Changes:

  • Add $LASTEXITCODE checks after various sc.exe, reg.exe, icacls, netsh, and nssm.exe invocations and throw on non-zero exit codes.
  • Ensure reg.exe import failures inside an existing try/catch become catchable.
  • Regenerate/update pkg/agent/testdata/**/CustomData snapshots to reflect script changes.

Reviewed changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
staging/cse/windows/windowsciliumnetworkingfunc.ps1 Throw on non-zero exit code after invoking the Windows Cilium install script.
staging/cse/windows/kubeletfunc.ps1 Add exit-code checks for nssm.exe install/configure and DependOnService operations.
staging/cse/windows/containerdfunc.ps1 Add exit-code checks for sc.exe delete and nssm.exe install/configure for containerd.
staging/cse/windows/configfunc.ps1 Add exit-code checks for sc.exe failure, reg.exe import, icacls, and nssm.exe service creation/configuration (csi-proxy, hosts-config-agent).
parts/windows/kuberneteswindowssetup.ps1 Add exit-code checks for icacls.exe ACL updates and netsh advfirewall disable.
pkg/agent/testdata/AKSWindows23H2Gen2+NextGenNetworkingNoConfig/CustomData Snapshot update to include new exit-code checks.
pkg/agent/testdata/AKSWindows23H2Gen2+NextGenNetworkingDisabled/CustomData Snapshot update to include new exit-code checks.
pkg/agent/testdata/AKSWindows23H2Gen2+NextGenNetworking/CustomData Snapshot update to include new exit-code checks.
pkg/agent/testdata/AKSWindows2019+ootcredentialprovider/CustomData Snapshot update to include new exit-code checks.
pkg/agent/testdata/AKSWindows2019+SecurityProfile/CustomData Snapshot update to include new exit-code checks.
pkg/agent/testdata/AKSWindows2019+ManagedIdentity/CustomData Snapshot update to include new exit-code checks.
pkg/agent/testdata/AKSWindows2019+KubeletServingCertificateRotation/CustomData Snapshot update to include new exit-code checks.
pkg/agent/testdata/AKSWindows2019+KubeletClientTLSBootstrapping/CustomData Snapshot update to include new exit-code checks.
pkg/agent/testdata/AKSWindows2019+K8S119/CustomData Snapshot update to include new exit-code checks.
pkg/agent/testdata/AKSWindows2019+K8S119+FIPS/CustomData Snapshot update to include new exit-code checks.
pkg/agent/testdata/AKSWindows2019+K8S119+CSI/CustomData Snapshot update to include new exit-code checks.
pkg/agent/testdata/AKSWindows2019+K8S118/CustomData Snapshot update to include new exit-code checks.
pkg/agent/testdata/AKSWindows2019+K8S117/CustomData Snapshot update to include new exit-code checks.
pkg/agent/testdata/AKSWindows2019+K8S116/CustomData Snapshot update to include new exit-code checks.
pkg/agent/testdata/AKSWindows2019+EnablePrivateClusterHostsConfigAgent/CustomData Snapshot update to include new exit-code checks.
pkg/agent/testdata/AKSWindows2019+CustomVnet/CustomData Snapshot update to include new exit-code checks.
pkg/agent/testdata/AKSWindows2019+CustomCloud/CustomData Snapshot update to include new exit-code checks.
pkg/agent/testdata/AKSWindows2019+CustomCloud+ootcredentialprovider/CustomData Snapshot update to include new exit-code checks.

@timmy-wright timmy-wright force-pushed the timmy/windows-cse-scripts-error-handling branch from db957f9 to c9b61f0 Compare March 19, 2026 23:17
Copilot AI review requested due to automatic review settings March 19, 2026 23:21
Copilot AI review requested due to automatic review settings March 20, 2026 02:24
Copilot AI reviewed Mar 20, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Copilot AI review requested due to automatic review settings March 20, 2026 02:30
Copilot AI reviewed Mar 20, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Copilot AI review requested due to automatic review settings March 20, 2026 03:12
Copilot AI reviewed Mar 20, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated 5 comments.

Copilot AI review requested due to automatic review settings March 20, 2026 05:40
@timmy-wright timmy-wright force-pushed the timmy/windows-cse-scripts-error-handling branch from a9136ec to 4fde3cb Compare March 20, 2026 05:40
Copilot AI reviewed Mar 20, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 9 changed files in this pull request and generated 1 comment.

Copilot AI review requested due to automatic review settings March 20, 2026 05:51
@timmy-wright timmy-wright force-pushed the timmy/windows-cse-scripts-error-handling branch from 8db83e5 to 95d02f6 Compare March 20, 2026 05:51
Copilot AI reviewed Mar 20, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 9 changed files in this pull request and generated 1 comment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@SriHarsha001 SriHarsha001 Awaiting requested review from SriHarsha001

@yewmsft yewmsft Awaiting requested review from yewmsft

@yagmurbaydogan yagmurbaydogan Awaiting requested review from yagmurbaydogan

@cameronmeissner cameronmeissner Awaiting requested review from cameronmeissner cameronmeissner is a code owner

@ganeshkumarashok ganeshkumarashok Awaiting requested review from ganeshkumarashok ganeshkumarashok is a code owner

@Devinwong Devinwong Awaiting requested review from Devinwong Devinwong is a code owner

@lilypan26 lilypan26 Awaiting requested review from lilypan26 lilypan26 is a code owner

@AbelHu AbelHu Awaiting requested review from AbelHu AbelHu is a code owner

@junjiezhang1997 junjiezhang1997 Awaiting requested review from junjiezhang1997 junjiezhang1997 is a code owner

@djsly djsly Awaiting requested review from djsly djsly is a code owner

@phealy phealy Awaiting requested review from phealy phealy is a code owner

@r2k1 r2k1 Awaiting requested review from r2k1 r2k1 is a code owner

@zachary-bailey zachary-bailey Awaiting requested review from zachary-bailey zachary-bailey is a code owner

@awesomenix awesomenix Awaiting requested review from awesomenix awesomenix is a code owner

@sulixu sulixu Awaiting requested review from sulixu sulixu is a code owner

@surajssd surajssd Awaiting requested review from surajssd surajssd is a code owner

@mxj220 mxj220 Awaiting requested review from mxj220 mxj220 is a code owner

@pdamianov-dev pdamianov-dev Awaiting requested review from pdamianov-dev pdamianov-dev is a code owner

@calvin197 calvin197 Awaiting requested review from calvin197 calvin197 is a code owner

@YaoC YaoC Awaiting requested review from YaoC

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

windows

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@timmy-wright