Ubuntu 2204 update

CHANGELOG.md

@@ -8,8 +8,11 @@ FEATURES:
 ENHANCEMENTS:
 
 BUG FIXES:
+* Update Guacomole Linux VM Images to Ubuntu 22.04 LTS. Part of ([#3523](https://github.com/microsoft/AzureTRE/issues/3523))
+* Update Nexus Shared Service with new proxies. Part of ([#3523](https://github.com/microsoft/AzureTRE/issues/3523))
 * Update to Resource Processor Image, now using Ubuntu 22.04 (jammy). Part of ([#3523](https://github.com/microsoft/AzureTRE/issues/3523))
-* Remove TLS1.0/1.1 support from Application Gateway
+* Remove TLS1.0/1.1 support from Application Gateway ([#3914](https://github.com/microsoft/AzureTRE/issues/3914))
+* GitHub Actions version updates. ([#3847](https://github.com/microsoft/AzureTRE/issues/3847))
 
 COMPONENTS:
 

docs/tre-templates/shared-services/nexus.md

@@ -87,10 +87,12 @@ Nexus Shared Service requires access to resources outside of the Azure TRE VNET.
 | Ubuntu Security Packages | apt | [http://security.ubuntu.com/ubuntu/] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/ubuntu-security/` | Provide access to Ubuntu Security apt packages on Ubuntu systems. |
 | Almalinux | yum | [https://repo.almalinux.org] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/almalinux` | Install Almalinux packages |
 | R-Proxy | r | [https://cran.r-project.org/] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/r-proxy` | Provide access to CRAN packages for R |
+| R-Studio Download | raw | [https://download1.rstudio.org] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/r-studio-download` | Provide access to download R Studio |
 | Fedora Project | yum | [https://download-ib01.fedoraproject.org] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/fedoraproject` | Install Fedora Project Linux packages |
 | Microsoft Apt | apt | [https://packages.microsoft.com] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/microsoft-apt` | Provide access to Microsoft Apt packages |
 | Microsoft Keys | raw | [https://packages.microsoft.com/keys/] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/microsoft-keys` | Provide access to Microsoft keys |
 | Microsoft Yum | yum | [https://packages.microsoft.com/yumrepos] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/microsoft-yum` | Provide access to Microsoft Yum packages |
+| Microsoft Download | raw | [https://download.microsoft.com/download] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/microsoft-download` | Provide access to Microsoft Downloads |
 
 ### Migrate from an existing V1 Nexus service (hosted on App Service)
 
@@ -111,3 +113,20 @@ If you still have an existing Nexus installation based on App Service (from the
 The Nexus service checks Key Vault regularly for the latest certificate matching the name you passed on deploy (`nexus-ssl` by default).
 
 When approaching expiry, you can either provide an updated certificate into the TRE core KeyVault (with the name you specified when installing Nexus) if you brought your own, or if you used the certs shared service to generate one, just call the `renew` custom action on that service. This will generate a new certificate and persist it to the Key Vault, replacing the expired one.
+
+## Updating to v3.0.0
+The newest version of Nexus is a significant update for the service.
+As a result, a new installation of Nexus will be necessary.
+
+We are currently in the process of developing an upgrade path for upcoming releases.
+
+## Using Docker Hub
+When using Docker with a VM, the image URL should be constructed as follows: {NEXUS_URL}:{port}/docker-image
+
+```bash
+sudo docker pull {NEXUS_URL}:8083/hello-world
+```
+
+the default port out of the box is 8083
+
+Nexus will also need "Anonymous Access" set to "Enable". This can be done by logging into the Nexus Portal with the Admin user and following the prompts.

docs/tre-templates/user-resources/custom.md

@@ -0,0 +1,62 @@
+# Guacamole User Resources
+
+- linuxvm - a Linux-based virtual machine
+- windowsvm - A Windows-based virtual machine
+
+## Customising the user resources
+
+The `guacamole-azure-linuxvm` and `guacamole-azure-windowsvm` folders follow a consistent layout.
+To update one of these templates (or to create a new template based on these folders) to use different image details or VM sizes, there are a few files that need to be updated:
+
+| File                   | Description                                                                                                                                                                                                                                                                        |
+| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `porter.yaml`          | This file describes the template and the name should be updated when creating a template based on the folder.<br> This file also contains a `custom` data section that describes the VM properties.<br> Additionally, the version needs to be updated to deploy an updated version |
+| `template_schema.json` | This file controls the validation applied to the template, for example specifying the valid options for fields such as size and image                                                                                                                                              |
+
+### Configuration
+
+In `porter.yaml`, the `custom` section contains a couple of sub-sections (shown below)
+
+```yaml
+custom:
+  vm_sizes:
+    "2 CPU | 8GB RAM": Standard_D2s_v5
+    "4 CPU | 16GB RAM": Standard_D4s_v5
+    "8 CPU | 32GB RAM": Standard_D8s_v5
+    "16 CPU | 64GB RAM": Standard_D16s_v5
+  image_options:
+    "Ubuntu 22.04 LTS":
+      source_image_reference:
+        publisher: canonical
+        offer: 0001-com-ubuntu-server-jammy
+        sku: 22_04-lts-gen2
+        version: latest
+        apt_sku: 22.04
+      install_ui: true
+      conda_config: false
+    # "Custom Image From Gallery":
+    #   source_image_name: your-image
+    #   install_ui: true
+    #   conda_config: true
+```
+
+The `vm_sizes` section is a map of a custom SKU description to the SKU identifier.
+
+The `image_options` section defined the possible image choices for the template (note that the name of the image used here needs to be included in the corresponding enum in `template_schema.json`).
+
+Within the image definition in `image_options` there are a few properties that can be specified:
+
+| Name                     | Description                                                                                              |
+| ------------------------ | -------------------------------------------------------------------------------------------------------- |
+| `source_image_name`      | Specify VM image to use by name (see notes below for identifying the image gallery containing the image) |
+| `source_image_reference` | Specify VM image to use by `publisher`, `offer`, `sku` & `version` (e.g. for Azure Marketplace images)   |
+| `install_ui`             | (Linux only) Set `true` to install desktop environment                                                   |
+| `conda_config`           | Set true to configure conda                                                                              |
+
+When specifying images using `source_image_name`, the image must be stored in an [image gallery](https://learn.microsoft.com/en-us/azure/virtual-machines/azure-compute-gallery).
+To enable re-using built user resource templates across environments where the image may vary, the image gallery is configured via the `RP_BUNDLE_VALUES` environment variable when deploying the TRE.
+The `RP_BUNDLE_VALUES` variable is a JSON object, and the `image_gallery_id` property within it identifies the image gallery that contains the images specified by `source_image_name`:
+
+```bash
+RP_BUNDLE_VALUES='{"image_gallery_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<your-rg>/providers/Microsoft.Compute/galleries/<your-gallery-name>"}
+```

docs/tre-templates/user-resources/guacamole-linux-vm.md

@@ -7,3 +7,13 @@ It blocks all inbound and outbound traffic to the internet and allows only RDP c
 
 - [A base workspace bundle installed](../workspaces/base.md)
 - [A guacamole workspace service bundle installed](../workspace-services/guacamole.md)
+- [A Nexus shared service has been deployed](../shared-services/nexus.md)
+
+## Notes
+
+- Nexus is a prerequisite of installing the Linux VMs given the additional commands in the bootstrap scripts.
+- In production we recommend using VM images to avoid transient issues downloading and installing packages. The included user resource templates for VMs with bootstrap scripts should only be used for trial/demonstration purposes. More info can be found [here](./custom.md).
+- Snap (app store for linux via [snapcraft.io](https://snapcraft.io)) hasn't been configured to work via the nexus proxy
+
+## Using Custom Images
+For custom image usage, visit this [page](./custom.md).

e2e_tests/test_performance.py

@@ -106,7 +106,7 @@ async def test_bulk_updates_to_ensure_each_resource_updated_in_series(verify) ->
         "properties": {
             "display_name": "Perf test VM",
             "description": "",
-            "os_image": "Ubuntu 18.04"
+            "os_image": "Ubuntu 22.04 LTS"
         }
     }
 

templates/shared_services/sonatype-nexus-vm/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-sonatype-nexus
-version: 2.8.13
+version: 3.0.0
 description: "A Sonatype Nexus shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/shared_services/sonatype-nexus-vm/scripts/nexus_realms_config.json

@@ -1,5 +1,4 @@
 [
-  "NexusAuthenticatingRealm",
-  "NexusAuthorizingRealm",
-  "DockerToken"
+  "DockerToken",
+  "NexusAuthenticatingRealm"
 ]

templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/microsoft_download_conf.json

@@ -0,0 +1,32 @@
+{
+    "name": "microsoft-download",
+    "online": true,
+    "storage": {
+        "blobStoreName": "default",
+        "strictContentTypeValidation": true,
+        "write_policy": "ALLOW"
+    },
+    "proxy": {
+        "remoteUrl": "https://download.microsoft.com/download",
+        "contentMaxAge": 1440,
+        "metadataMaxAge": 1440
+    },
+    "negativeCache": {
+        "enabled": true,
+        "timeToLive": 1440
+    },
+    "httpClient": {
+        "blocked": false,
+        "autoBlock": false,
+        "connection": {
+            "retries": 0,
+            "userAgentSuffix": "string",
+            "timeout": 60,
+            "enableCircularRedirects": false,
+            "enableCookies": false,
+            "useTrustStore": false
+        }
+    },
+    "baseType": "raw",
+    "repoType": "proxy"
+  }

templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/r_studio_download_conf.json

@@ -0,0 +1,32 @@
+{
+    "name": "r-studio-download",
+    "online": true,
+    "storage": {
+        "blobStoreName": "default",
+        "strictContentTypeValidation": true,
+        "write_policy": "ALLOW"
+    },
+    "proxy": {
+        "remoteUrl": "https://download1.rstudio.org",
+        "contentMaxAge": 1440,
+        "metadataMaxAge": 1440
+    },
+    "negativeCache": {
+        "enabled": true,
+        "timeToLive": 1440
+    },
+    "httpClient": {
+        "blocked": false,
+        "autoBlock": false,
+        "connection": {
+            "retries": 0,
+            "userAgentSuffix": "string",
+            "timeout": 60,
+            "enableCircularRedirects": false,
+            "enableCookies": false,
+            "useTrustStore": false
+        }
+    },
+    "baseType": "raw",
+    "repoType": "proxy"
+  }

templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/snapcraft_conf.json

@@ -0,0 +1,32 @@
+{
+    "name": "snapcraft",
+    "online": true,
+    "storage": {
+        "blobStoreName": "default",
+        "strictContentTypeValidation": true,
+        "write_policy": "ALLOW"
+    },
+    "proxy": {
+        "remoteUrl": "https://snapcraftcontent.com",
+        "contentMaxAge": 1440,
+        "metadataMaxAge": 1440
+    },
+    "negativeCache": {
+        "enabled": true,
+        "timeToLive": 1440
+    },
+    "httpClient": {
+        "blocked": false,
+        "autoBlock": false,
+        "connection": {
+            "retries": 0,
+            "userAgentSuffix": "string",
+            "timeout": 60,
+            "enableCircularRedirects": false,
+            "enableCookies": false,
+            "useTrustStore": false
+        }
+    },
+    "baseType": "raw",
+    "repoType": "proxy"
+  }

templates/shared_services/sonatype-nexus-vm/terraform/locals.tf

@@ -1,7 +1,7 @@
 locals {
   core_vnet                       = "vnet-${var.tre_id}"
   core_resource_group_name        = "rg-${var.tre_id}"
-  nexus_allowed_fqdns             = "pypi.org,*.pypi.org,files.pythonhosted.org,security.ubuntu.com,archive.ubuntu.com,keyserver.ubuntu.com,repo.anaconda.com,*.docker.com,*.docker.io,conda.anaconda.org,azure.archive.ubuntu.com,packages.microsoft.com,repo.almalinux.org,download-ib01.fedoraproject.org,cran.r-project.org,cloud.r-project.org"
+  nexus_allowed_fqdns             = "pypi.org,*.pypi.org,files.pythonhosted.org,security.ubuntu.com,archive.ubuntu.com,keyserver.ubuntu.com,repo.anaconda.com,*.docker.com,*.docker.io,conda.anaconda.org,azure.archive.ubuntu.com,packages.microsoft.com,repo.almalinux.org,download-ib01.fedoraproject.org,cran.r-project.org,cloud.r-project.org,download1.rstudio.org,*.snapcraftcontent.com,download.microsoft.com"
   nexus_allowed_fqdns_list        = distinct(compact(split(",", replace(local.nexus_allowed_fqdns, " ", ""))))
   workspace_vm_allowed_fqdns      = "r3.o.lencr.org,x1.c.lencr.org"
   workspace_vm_allowed_fqdns_list = distinct(compact(split(",", replace(local.workspace_vm_allowed_fqdns, " ", ""))))

templates/shared_services/sonatype-nexus-vm/terraform/vm.tf

@@ -83,6 +83,7 @@ resource "azurerm_user_assigned_identity" "nexus_msi" {
   location            = data.azurerm_resource_group.rg.location
   resource_group_name = local.core_resource_group_name
   tags                = local.tre_shared_service_tags
+
   lifecycle { ignore_changes = [tags] }
 }
 

templates/workspace_services/guacamole/user_resources/README.md

@@ -2,10 +2,9 @@
 
 This folder contains user resources that can be deployed with the Guacamole workspace service:
 
-- linuxvm - a Linux-based virtual machine (expects an Ubuntu 18.04-based VM)
+- linuxvm - a Linux-based virtual machine
 - windowsvm - A Windows-based virtual machine
 
-
 ## Customising the user resources
 
 The `guacamole-azure-linuxvm` and `guacamole-azure-windowsvm` folders follow a consistent layout.
@@ -29,22 +28,15 @@ custom:
     "8 CPU | 32GB RAM": Standard_D8s_v5
     "16 CPU | 64GB RAM": Standard_D16s_v5
   image_options:
-    "Ubuntu 18.04":
+    "Ubuntu 22.04 LTS":
       source_image_reference:
         publisher: canonical
-        offer: ubuntuserver
-        sku: 18_04-lts-gen2
+        offer: 0001-com-ubuntu-server-jammy
+        sku: 22_04-lts-gen2
         version: latest
+        apt_sku: 22.04
       install_ui: true
       conda_config: false
-    "Ubuntu 18.04 Data Science VM":
-      source_image_reference:
-        publisher: microsoft-dsvm
-        offer: ubuntu-1804
-        sku: 1804-gen2
-        version: latest
-      install_ui: false
-      conda_config: true
     # "Custom Image From Gallery":
     #   source_image_name: your-image
     #   install_ui: true
@@ -68,8 +60,6 @@ When specifying images using `source_image_name`, the image must be stored in an
 To enable re-using built user resource templates across environments where the image may vary, the image gallery is configured via the `RP_BUNDLE_VALUES` environment variable when deploying the TRE.
 The `RP_BUNDLE_VALUES` variable is a JSON object, and the `image_gallery_id` property within it identifies the image gallery that contains the images specified by `source_image_name`:
 
-
 ```bash
 RP_BUNDLE_VALUES='{"image_gallery_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<your-rg>/providers/Microsoft.Compute/galleries/<your-gallery-name>"}
 ```
-

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole-linuxvm
-version: 0.6.9
+version: 1.0.0
 description: "An Azure TRE User Resource Template for Guacamole (Linux)"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -14,29 +14,21 @@ custom:
     "8 CPU | 32GB RAM": Standard_D8s_v5
     "16 CPU | 64GB RAM": Standard_D16s_v5
   image_options:
-    "Ubuntu 18.04":
+    "Ubuntu 22.04 LTS":
       source_image_reference:
         publisher: canonical
-        offer: ubuntuserver
-        sku: 18_04-lts-gen2
+        offer: 0001-com-ubuntu-server-jammy
+        sku: 22_04-lts-gen2
         version: latest
+        apt_sku: 22.04
       install_ui: true
       conda_config: false
-    "Ubuntu 18.04 Data Science VM":
-      source_image_reference:
-        publisher: microsoft-dsvm
-        offer: ubuntu-1804
-        sku: 1804-gen2
-        version: latest
-      install_ui: false
-      conda_config: true
     # For information on using custom images, see README.me in the guacamole/user-resources folder
     # "Custom Image From Gallery":
     #   source_image_name: your-image
     #   install_ui: true
     #   conda_config: true
 
-
 credentials:
   - name: azure_tenant_id
     env: ARM_TENANT_ID
@@ -91,7 +83,7 @@ parameters:
     default: "public"
   - name: os_image
     type: string
-    default: "Ubuntu 18.04 Data Science VM"
+    default: "Ubuntu 22.04 LTS"
   - name: vm_size
     type: string
     default: "2 CPU | 8GB RAM"

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/template_schema.json

@@ -16,8 +16,7 @@
       "title": "Linux image",
       "description": "Select Linux image to use for VM",
       "enum": [
-        "Ubuntu 18.04",
-        "Ubuntu 18.04 Data Science VM"
+        "Ubuntu 22.04 LTS"
       ]
     },
     "vm_size": {

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/apt_sources_config.yml

@@ -14,6 +14,8 @@ apt:
     deb [trusted=yes] $PRIMARY $RELEASE main restricted universe multiverse
     deb [trusted=yes] $PRIMARY $RELEASE-updates main restricted universe multiverse
     deb [trusted=yes] $SECURITY $RELEASE main restricted universe multiverse
-    deb [signed-by=/etc/apt/trusted.gpg.d/microsoft.gpg] ${nexus_proxy_url}/repository/microsoft-apt/ubuntu/18.04/prod $RELEASE main
+    deb [signed-by=/etc/apt/trusted.gpg.d/microsoft.gpg] ${nexus_proxy_url}/repository/microsoft-apt/ubuntu/${apt_sku}/prod $RELEASE main
     deb [signed-by=/etc/apt/trusted.gpg.d/microsoft.gpg] ${nexus_proxy_url}/repository/microsoft-apt/repos/edge stable main
+    deb [signed-by=/etc/apt/trusted.gpg.d/microsoft.gpg] ${nexus_proxy_url}/repository/microsoft-apt/repos/vscode stable main
+    deb [signed-by=/etc/apt/trusted.gpg.d/microsoft.gpg] ${nexus_proxy_url}/repository/microsoft-apt/repos/azure-cli $RELEASE main
     deb [signed-by=/etc/apt/trusted.gpg.d/docker-archive-keyring.gpg] ${nexus_proxy_url}/repository/docker/ $RELEASE stable

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/get_apt_keys.sh

@@ -6,6 +6,10 @@ set -o nounset
 # Uncomment this line to see each command for debugging (careful: this will show secrets!)
 # set -o xtrace
 
+#remove key if they already exist
+sudo rm -f /etc/apt/trusted.gpg.d/docker-archive-keyring.gpg || true
+sudo rm -f /etc/apt/trusted.gpg.d/microsoft.gpg || true
+
 # Get Docker Public key from Nexus
 curl -fsSL "${NEXUS_PROXY_URL}"/repository/docker-public-key/gpg | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/docker-archive-keyring.gpg