Thank you for your advice. While researching the problem with a colleague,
we discovered the root cause:
TF.EXE HISTORY returns an ERRORLEVEL of 0 (meaning success) in one narrow
case when it should not.
Case 1: Running user is Authorized for TFS, no login credentials on command
line. Success 0. CORRECT.
Case 2: Running user is Authorized for TFS, good login credentials on
command line. Success 0. CORRECT.
Case 3: Running user is Authorized for TFS, bad login credentials on
command line. Error 1. CORRECT.
Case 4: Running user is NOT Authorized for TFS, no login credentials on
command line. Success 0. INCORRECT.
Case 5: Running user is NOT Authorized for TFS, good login credentials on
command line. Success 0. CORRECT.
Case 6: Running user is NOT Authorized for TFS, bad login credentials on
command line. Error 1. CORRECT.
So only case 4 produces incorrect results.
Strangely, the TF VIEW command, which actually fetches a file from TFS,
handles all the cases properly.
Paul
On Tuesday, October 7, 2014 12:15:23 PM UTC-4, Paul Chernoch wrote:
>
> I have an EXEC command that has an onlyif condition. When I have my puppet
> service running as the correct user account, all goes well.
> When the puppet agent is running under an inadequately privileged account,
> some operations fail silently.
>
> During a maintenance action, another staff member tried to upgrade the
> puppet agent.
> When that didn't work with our version of enterprise, he reinstalled
> puppet, but forgot to change the service accounts to be our special puppet
> user.
> That puppet user has access to Team Foundation Server while the default
> account (NT System) does not.
> I expected that puppet enterprise would show error messages in the log and
> show agent runs as failing.
> IT DID NOT.
>
> To diagnose the problem, I started a special shell using "Psexec.exe -i -s
> cmd.exe". This sysinternals tool allows me to impersonate "nt
> authority\system".
> While running under that account, I verified that my EXEC command and the
> accompanying "onlyif" command each fail with error code 1.
> The EXEC command being run is "TF.EXE" with the "VIEW" option, the Team
> Foundation Server command line executable.
> The onlyif command is a shell call to "ruby.exe" which executes a rub
> script that also calls TF.EXE, this time with the "HISTORY" option.
> The basic idea is that I call TF HISTORY to see if there is a newer file
> than the one I have extracted. If there is, then I return one value to
> indicate that EXEC should do its job.
> If there is no newer file then I return a code that indicates no changes
> occurred and EXEC should not perform its action.
> If TF.EXE returns an error code in the onlyif command, I decided to tell
> EXEC that it shoudl try to get the file whether it needs to or not.
>
> Running both TF VIEW and RUBY (which calls TF HISTORY) in the special
> shell with the wrong user yields return codes of "1".
> This should mean the the EXEC failed, but it does not log failure.
>
> What should I do?
>
> Here is a fragment of my puppet code:
>
>
> exec { "tf view ${filename} /version:${versionspec}":
> command => $tfview_cmd,
> path => $exec_path,
> cwd => $tf_dir_unix,
> onlyif => $tfhistory_cmd,
> returns => ["0"],
> logoutput => true,
> require => Class['tfview::tfcomponents']
> }
>
> I am running agents on Windows 2008R2.
>
> Paul
>
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/493d455a-eb1a-4af0-80f6-1c742ccb99f4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
