On Tuesday, October 7, 2014 11:15:23 AM UTC-5, Paul Chernoch wrote:
>
> I have an EXEC command that has an onlyif condition. When I have my puppet
> service running as the correct user account, all goes well.
> When the puppet agent is running under an inadequately privileged account,
> some operations fail silently.
>
> During a maintenance action, another staff member tried to upgrade the
> puppet agent.
> When that didn't work with our version of enterprise, he reinstalled
> puppet, but forgot to change the service accounts to be our special puppet
> user.
> That puppet user has access to Team Foundation Server while the default
> account (NT System) does not.
> I expected that puppet enterprise would show error messages in the log and
> show agent runs as failing.
> IT DID NOT.
>
> To diagnose the problem, I started a special shell using "Psexec.exe -i -s
> cmd.exe". This sysinternals tool allows me to impersonate "nt
> authority\system".
> While running under that account, I verified that my EXEC command and the
> accompanying "onlyif" command each fail with error code 1.
>
It is not a Puppet error nor a reason for resource failure for the 'onlyif'
command of an Exec to return a failure code. Puppet interprets that as a
signal that the Exec's command does not need to be run -- that's the whole
purpose of 'onlyif'. If Puppet ran your Exec's 'onlyif' command and it
returned a failure code, as you suggest would have happened, then the Exec
*succeeds*. The onlyif result tells it that the Exec is already in sync.
This is normal behavior.
> What should I do?
>
>
It depends on your intended result. The 'onlyif', 'unless', and 'creates'
parameters of an Exec serve the purpose of determining whether it is
already in sync at the beginning of a catalog run. If it is (because an
'onlyif' fails, an 'unless' succeeds, or the target of 'creates' exists)
then that Exec succeeds without its 'command' being run. In many cases,
that's exactly what's wanted.
On the other hand, if there is a command whose failure must cause the Exec
to fail, then that command must be incorporated one way or another into the
Exec's 'command' parameter. Your options for that depend on the node
environment (especially the OS); I cannot advise you well for Windows, but
one alternative for making an Exec perform compound commands would be to
put them all in a batch file and Exec that. A universal alternative is to
put each command in a separate Exec, and declare an appropriate
relationship between them, perhaps something like this:
exec { ${tfhistory_cmd}:
path => $exec_path,
cwd => $tf_dir_unix,
returns => ["0"],
logoutput => true,
require => Class['tfview::tfcomponents']
}
exec { "tf view ${filename} /version:${versionspec}":
command => $tfview_cmd,
path => $exec_path,
cwd => $tf_dir_unix,
returns => ["0"],
logoutput => true,
require => Exec[$tfhistory_cmd]
}
That means something closer to what you seem to want.
John
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/a8ed234b-20cf-4876-8671-109601eab478%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
