20:00:00 <nitzmahone> #startmeeting Ansible Windows Working Group
20:00:01 <zodbot> Meeting started Tue Jan 25 20:00:00 2022 UTC.
20:00:01 <zodbot> This meeting is logged and archived in a public location.
20:00:01 <zodbot> The chair is nitzmahone. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions.
20:00:01 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
20:00:01 <zodbot> The meeting name has been set to 'ansible_windows_working_group'
20:00:04 <nitzmahone> bam
20:00:29 <nitzmahone> #info agenda https://github.com/ansible/community/issues/644
20:00:46 <nitzmahone> Nothing new on the agenda today.
20:01:06 <briantist> hello
20:01:09 <nitzmahone> Jordan's got a public holiday in Australia today, so just me
20:01:16 <nitzmahone> Hey briantist!
20:01:28 <briantist> Hey Matt! :)
20:01:38 <nitzmahone> #topic CI image issues
20:01:38 <briantist> I got nothing today either
20:01:54 <briantist> CI image issues?
20:02:17 <nitzmahone> Just a heads up that we *think* we've knocked the most recent batch of issues in CI- Amazon keeps changing things on the older Windows version AMI builds
20:02:59 <nitzmahone> They broke 2012/2012R2 a couple weeks ago with an apparently incomplete or corrupted ngen that wouldn't let our PS startup optimizations work
20:03:53 <nitzmahone> and last week they broke something about 2016 with Windows Update and Defender where those services were thrashing on boot to the point that CI would time out or the customization didn't complete in time
20:04:18 <briantist> ugghh
20:04:30 <nitzmahone> We've decided to disable Defender realtime protection on all the images for now, which has the ancillary benefit of speeding up CI by ~20% ;)
20:05:39 <nitzmahone> We try not to roll our own sub-images in order to stay current with the released AMIs, so ansible-core-ci does quick customizations on each machine's boot
20:06:09 <briantist> yeah that makes sense, both things do I mean
20:06:11 <nitzmahone> Anyway, things seem to be working OK with those changes
20:06:16 <nitzmahone> and with that
20:06:19 <nitzmahone> #topic open floor
20:06:24 <briantist> defender's real-time protection really does slow things down
20:07:06 <nitzmahone> I'm actually amazed they've not tagged us as malware- I was figuring Cylance or one of the other vendors might... I guess some of them do because we use `-EncodedCommand`, but that's just lazy
20:07:20 <nitzmahone> But a lot of the techniques we use are very similar to PS malware :(
20:07:57 <briantist> heh true
20:07:58 <nitzmahone> But yeah, when I see `msmpeng.exe` soaking up 25+% CPU constantly during test runs... :(
20:08:35 <briantist> I was so happy to see `-EncodedCommand` in use in Ansible, I've used that for a long time to avoid quoting issues and such
20:08:56 <nitzmahone> We like running with it enabled just so we've got some inkling if a Defender update *does* start breaking things, but this latest image build issue just caused too many problems
20:09:35 <nitzmahone> Yeah, we have people file bugs on it a lot because a couple of the lazier AV/malware things block it, it's like, "uhh, you don't want us to stop using that, trust us"
20:10:30 <briantist> seriously.. there's no reason to flag that, the deep scriptblock logging can decode it all anyway for nice auditing purposes and such
20:10:34 <nitzmahone> Exactly
20:11:11 <nitzmahone> (which we've also had problems with- hard not to let secrets drip into logs with the scriptblock logging when we're doing dynamic codegen stuff)
20:12:03 <briantist> right
20:12:14 <nitzmahone> Anyway, nothing else exciting from this end, so if no new topics, will close in 2...
20:15:05 <briantist> sgtm
20:15:20 <nitzmahone> Thanks for stopping by- til next week!
20:15:26 <nitzmahone> #endmeeting