Adds basic documentation for re-authentication and redirecting stdout/stderr
Project: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/commit/7cd5a25b Tree: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/tree/7cd5a25b Diff: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/diff/7cd5a25b Branch: refs/heads/master Commit: 7cd5a25b2f2b77dcb8451d325c5c19b649f818e2 Parents: 2387a06 Author: Martin Harris <[email protected]> Authored: Fri May 22 16:23:04 2015 +0100 Committer: Richard Downer <[email protected]> Committed: Thu May 28 17:27:35 2015 +0100 ---------------------------------------------------------------------- docs/guide/yaml/winrm/about-winrm.md | 0 docs/guide/yaml/winrm/index.md | 17 +++++++++++ docs/guide/yaml/winrm/re-authentication.md | 38 +++++++++++++++++++++++++ docs/guide/yaml/winrm/stdout-and-stderr.md | 27 ++++++++++++++++++ 4 files changed, 82 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/7cd5a25b/docs/guide/yaml/winrm/about-winrm.md ---------------------------------------------------------------------- diff --git a/docs/guide/yaml/winrm/about-winrm.md b/docs/guide/yaml/winrm/about-winrm.md new file mode 100644 index 0000000..e69de29 http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/7cd5a25b/docs/guide/yaml/winrm/index.md ---------------------------------------------------------------------- diff --git a/docs/guide/yaml/winrm/index.md b/docs/guide/yaml/winrm/index.md new file mode 100644 index 0000000..76091ff --- /dev/null +++ b/docs/guide/yaml/winrm/index.md @@ -0,0 +1,17 @@ +--- +title: Windows blueprints using WinRM +layout: website-normal +children: +- about-winrm.md +- re-authentication.md +- stdout-and-stderr.md +--- + +This guide describes how Brooklyn entities can be easily created from Chef cookbooks. +As of this writing (May 2014) some of the integration points are under active development, +and comments are welcome. +A plan for the full integration is online [here](https://docs.google.com/a/cloudsoftcorp.com/document/d/18ZwzmncbJgJeQjnSvMapTWg6N526cvGMz5jaqdkxMf8). + +This guide assumes you are familiar with the basics of [creating YAML blueprints](../). + +{% include list-children.html %} http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/7cd5a25b/docs/guide/yaml/winrm/re-authentication.md ---------------------------------------------------------------------- diff --git a/docs/guide/yaml/winrm/re-authentication.md b/docs/guide/yaml/winrm/re-authentication.md new file mode 100644 index 0000000..52337e5 --- /dev/null +++ b/docs/guide/yaml/winrm/re-authentication.md @@ -0,0 +1,38 @@ +--- +title: Re-authenticating within a powershell script +title_in_menu: Re-authentication +layout: website-normal +--- + +## How and Why to re-authenticate withing a powershell script + +Brooklyn will run powershell scripts by making a WinRM call over HTTP. For most scripts this will work, however for +some scripts (e.g. MSSQL installation), this will fail even if the script can be run locally (e.g. by using RDP to +connect to the machine and running the script manually) + +In the case of MS SQL server installation, there was no clear indication of why this would not work. The only clue was +a security exception in the installation log + +It appears that when a script is run over WinRM over HTTP, the credentials under which the script are run are marked as +'remote' credentials, which are prohibited from running certain security-related operations. The solution was to obtain +a new set of credentials within the script and use those credentials to exeute the installer, so this: + +``` +( $driveLetter + "setup.exe") /ConfigurationFile=C:\ConfigurationFile.ini +``` + +became this: + +$pass = '${attribute['windows.password']}' +$secpasswd = ConvertTo-SecureString $pass -AsPlainText -Force +$mycreds = New-Object System.Management.Automation.PSCredential ($($env:COMPUTERNAME + "\Administrator"), $secpasswd) + +Invoke-Command -ComputerName localhost -credential $mycreds -scriptblock { + param($driveLetter) + Start-Process ( $driveLetter + "setup.exe") -ArgumentList "/ConfigurationFile=C:\ConfigurationFile.ini" -RedirectStandardOutput "C:\sqlout.txt" -RedirectStandardError "C:\sqlerr.txt" -Wait +} -Authentication CredSSP -argumentlist $driveLetter + +The `$pass=` line simply reads the Windows password from the entity before the script is copied to the server. This is +then encrypted on the next line before being used to create a new credential object. Then, rather than calling the executable +directly, the `Start-Process` scriptlet is used. This allows us to pass in the newly created credentials, under which +the process will be run http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/7cd5a25b/docs/guide/yaml/winrm/stdout-and-stderr.md ---------------------------------------------------------------------- diff --git a/docs/guide/yaml/winrm/stdout-and-stderr.md b/docs/guide/yaml/winrm/stdout-and-stderr.md new file mode 100644 index 0000000..b4e2502 --- /dev/null +++ b/docs/guide/yaml/winrm/stdout-and-stderr.md @@ -0,0 +1,27 @@ +--- +title: Redirecting stdout and stderr +title_in_menu: Redirecting stdout/stderr +layout: website-normal +--- + +## Redirecting stdout and stderr in a powershell script + +When calling an executable in a powershell script, the stdout and stderr will usually be output to the console, +which is not currently captured by Brooklyn. In order to facilitate debugging, it is usually possible to redirect +stdout and stderr to a file by using the Start-Process scriptlet. So instead of running the following: + +``` +D:\setup.exe /ConfigurationFile=C:\ConfigurationFile.ini +``` + +You would run the following: + +``` +Start-Process D:\setup.exe -ArgumentList "/ConfigurationFile=C:\ConfigurationFile.ini" -RedirectStandardOutput "C:\sqlout.txt" -RedirectStandardError "C:\sqlerr.txt" -PassThru -Wait +``` + +The -ArgumentList is simply the arguments that are to be passed to the executable, -RedirectStandardOutput and -RedirectStandardError take file locations for the output (if +the file already exists, it will be overwritten). The -PassThru argument indicates that PowerShell should write to the file *in addition* to the console, rather than *instead* of the console. +The -Wait augument will cause the scriptlet to block until the process is complete + +Further details can be found here: https://technet.microsoft.com/en-us/library/hh849848.aspx
