On Wed, Oct 8, 2014 at 2:51 PM, Paul Chernoch <[email protected]> wrote:

> Thank you for your advice. While researching the problem with a colleague,
> we discovered the root cause:
>
> TF.EXE HISTORY returns an ERRORLEVEL of 0 (meaning success) in one narrow
> case when it should not.
>
> Case 1: Running user is Authorized for TFS, no login credentials on
> command line. Success 0. CORRECT.
> Case 2: Running user is Authorized for TFS, good login credentials on
> command line. Success 0. CORRECT.
> Case 3: Running user is Authorized for TFS, bad login credentials on
> command line. Error 1. CORRECT.
> Case 4: Running user is NOT Authorized for TFS, no login credentials on
> command line. Success 0. INCORRECT.
> Case 5: Running user is NOT Authorized for TFS, good login credentials on
> command line. Success 0. CORRECT.
> Case 6: Running user is NOT Authorized for TFS, bad login credentials on
> command line. Error 1. CORRECT.
>
> So only case 4 produces incorrect results.
> Strangely, the TF VIEW command, which actually fetches a file from TFS,
> handles all the cases properly.
>
> Paul
>
>
> On Tuesday, October 7, 2014 12:15:23 PM UTC-4, Paul Chernoch wrote:
>>
>> I have an EXEC command that has an onlyif condition. When I have my
>> puppet service running as the correct user account, all goes well.
>> When the puppet agent is running under an inadequately privileged
>> account, some operations fail silently.
>>
>> During a maintenance action, another staff member tried to upgrade the
>> puppet agent.
>> When that didn't work with our version of enterprise, he reinstalled
>> puppet, but forgot to change the service accounts to be our special puppet
>> user.
>>

One thing you can add to your install for the agent that will persist across
upgrades is an MSI property you pass to the installer -

PUPPET_AGENT_ACCOUNT_USER="special puppet user"
PUPPET_AGENT_ACCOUNT_PASSWORD="special puppet user pass"

See Installing PE Agent Windows[1] for more information. This was introduced
in PE 3.2.

[1] https://docs.puppetlabs.com/pe/latest/install_windows.html#msi-properties

>> That puppet user has access to Team Foundation Server while the default
>> account (NT System) does not.
>> I expected that puppet enterprise would show error messages in the log
>> and show agent runs as failing.
>> IT DID NOT.
>>
>> To diagnose the problem, I started a special shell using
>> "Psexec.exe -i -s cmd.exe". This sysinternals tool allows me to
>> impersonate "nt authority\system".
>> While running under that account, I verified that my EXEC command and the
>> accompanying "onlyif" command each fail with error code 1.
>> The EXEC command being run is "TF.EXE" with the "VIEW" option, the Team
>> Foundation Server command line executable.
>> The onlyif command is a shell call to "ruby.exe" which executes a ruby
>> script that also calls TF.EXE, this time with the "HISTORY" option.
>> The basic idea is that I call TF HISTORY to see if there is a newer file
>> than the one I have extracted. If there is, then I return one value to
>> indicate that EXEC should do its job.
>> If there is no newer file then I return a code that indicates no changes
>> occurred and EXEC should not perform its action.
>> If TF.EXE returns an error code in the onlyif command, I decided to tell
>> EXEC that it should try to get the file whether it needs to or not.
>>
>> Running both TF VIEW and RUBY (which calls TF HISTORY) in the special
>> shell with the wrong user yields return codes of "1".
>> This should mean that the EXEC failed, but it does not log failure.
>>
>> What should I do?
>>
>> Here is a fragment of my puppet code:
>>
>>
>> exec { "tf view ${filename} /version:${versionspec}":
>>   command   => $tfview_cmd,
>>   path      => $exec_path,
>>   cwd       => $tf_dir_unix,
>>   onlyif    => $tfhistory_cmd,
>>   returns   => ["0"],
>>   logoutput => true,
>>   require   => Class['tfview::tfcomponents']
>> }
>>
>> I am running agents on Windows 2008R2.
>>
>> Paul
>>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/493d455a-eb1a-4af0-80f6-1c742ccb99f4%40googlegroups.com.
>
> For more options, visit https://groups.google.com/d/optout.
>

--
Rob Reynolds
Developer, Puppet Labs
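
Added example, not part of the original thread and not Paul's actual script: a Ruby helper for the onlyif check that treats an exit status of 0 with no usable history (Case 4 above) as an error instead of as "nothing newer". Assumptions: TF HISTORY output has one row per changeset starting with a numeric id, Case 4 output contains no such rows, the sample text is constructed, and the names newest_changeset, classify, onlyif_exit_code and report are hypothetical.

```ruby
# Added example, not code from the thread. Assumption: "tf history" output
# lists one changeset per row, each row starting with a numeric id.

# Constructed sample of such output (not captured from a real server).
SAMPLE_HISTORY = <<~OUT
  Changeset User          Date       Comment
  --------- ------------- ---------- ----------------
  1234      jdoe          10/6/2014  Update config
  1201      asmith        9/30/2014  Initial check-in
OUT

# Newest changeset id in the output, or nil when no row parses.
def newest_changeset(stdout)
  stdout.each_line.map { |line| line[/\A\s*(\d+)\s/, 1] }.compact.map(&:to_i).max
end

# :fetch  a newer changeset exists on the server
# :skip   history parsed and the local copy is current
# :error  tf failed, or exited 0 without any history rows (Case 4)
def classify(exit_status, stdout, local_changeset)
  return :error unless exit_status == 0
  newest = newest_changeset(stdout)
  return :error if newest.nil?
  newest > local_changeset ? :fetch : :skip
end

# Puppet runs the exec only when onlyif exits 0. Following the policy stated
# in the thread, an error also lets the exec run, so that TF VIEW (which
# reports the failure correctly) makes the agent run fail visibly.
def onlyif_exit_code(verdict)
  verdict == :skip ? 1 : 0
end

# Classify one tf history result and log to stderr when it is unusable.
def report(exit_status, stdout, local_changeset)
  verdict = classify(exit_status, stdout, local_changeset)
  warn "tf history: no usable result (exit #{exit_status})" if verdict == :error
  [verdict, onlyif_exit_code(verdict)]
end
```

The onlyif script would call report with the exit status and captured output of TF HISTORY, then exit with the second element of the result.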
