Jira (BOLT-1170) Unable to run apply() on Windows host - The current deserialized object size is xxx. The allowed maximum object size is 10485760
Title: Message Title Ethan Brown commented on BOLT-1170 Re: Unable to run apply() on Windows host - The current deserialized object size is xxx. The allowed maximum object size is 10485760 Migrated as https://github.com/puppetlabs/bolt/issues/1188 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.299441.1552092246000.80003.1567116120443%40Atlassian.JIRA.
Jira (BOLT-1170) Unable to run apply() on Windows host - The current deserialized object size is xxx. The allowed maximum object size is 10485760
Title: Message Title Ethan Brown commented on BOLT-1170 Re: Unable to run apply() on Windows host - The current deserialized object size is xxx. The allowed maximum object size is 10485760 Another way to work around the file content problem would be to enable SMB file transfers and make sure that Bolt internally uses that mechanism to send large blocks of content. WinRM transport is not really well equipped to send large amounts of binary data. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.299441.1552092246000.74895.1566932221087%40Atlassian.JIRA.
Jira (PUP-9970) Regression in Docker Images - puppetdb.conf permission denied
Title: Message Title Ethan Brown commented on PUP-9970 Re: Regression in Docker Images - puppetdb.conf permission denied Merged in https://github.com/puppetlabs/puppetserver/commit/725e903dfba6059f794fd65d22c17df3d7d7fd37 Pending automated release to DockerHub which should happen in the next few minutes! Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.321545.1566315167000.69842.1566515700425%40Atlassian.JIRA.
Jira (BOLT-1476) Kerberos - Fix the winrm gem and OMI server incompatibility
Title: Message Title
Ethan Brown updated an issue
Puppet Task Runner / BOLT-1476
Kerberos - Fix the winrm gem and OMI server incompatibility
Change By:
Ethan Brown
TravisCI Kerberos specs are currently disabled because the winrm gem and OMI server don't interoperate correctly when using Kerberos authentication.BOLT-1475 describes setting up a new development environment container to reproduce the problem / setup the system for better debugging. This ticket is about debugging / resolving the actual problem, which requires building OMI server from source and testing it in the dev environment. Problems typically manifest with a stack trace like {noformat}root@linuxdev:/# ./bolt-kerberos-test.sh Started on omiserver.bolt.test...Finished on omiserver.bolt.test: STDOUT:boltSuccessful on 1 node: winrm://omiserver.bolt.test:5985Ran on 1 node in 0.87 secondsStarted on omiserver.bolt.test...Finished on omiserver.bolt.test: STDOUT:boltSuccessful on 1 node: winrm://omiserver.bolt.test:5986Ran on 1 node in 0.93 secondsAnalytics opt-out is set, analytics will be disabledCould not read inventory file: /root/.puppetlabs/bolt/inventory.yamlDid not find config for winrm://omiserver.bolt.test:5985 in inventorySkipping submission of 'command_run' screenview because analytics is disabledStarted with 100 max thread(s)Starting: command 'whoami' on winrm://omiserver.bolt.test:5985Skipping submission of 'Transport initialize' event because analytics is disabledRunning command 'whoami' on ["winrm://omiserver.bolt.test:5985"]Started on omiserver.bolt.test...Running command 'whoami' on winrm://omiserver.bolt.test:5985Closed session "\xB5" from ASCII-8BIT to UTF-8 /root/bolt/lib/bolt/result.rb:124:in `encode' /root/bolt/lib/bolt/result.rb:124:in `to_json' /root/bolt/lib/bolt/result.rb:124:in `to_json' /root/bolt/lib/bolt/executor.rb:226:in `with_node_logging' /root/bolt/lib/bolt/executor.rb:236:in `block (2 levels) in run_command' /root/bolt/lib/bolt/executor.rb:103:in `block (3 levels) in queue_execute' /root/bolt/.bundle/gems/ruby/2.5.0/gems/concurrent-ruby-1.1.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:348:in `run_task' /root/bolt/.bundle/gems/ruby/2.5.0/gems/concurrent-ruby-1.1.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:337:in `block (3 levels) in create_worker' /root/bolt/.bundle/gems/ruby/2.5.0/gems/concurrent-ruby-1.1.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:320:in `loop' /root/bolt/.bundle/gems/ruby/2.5.0/gems/concurrent-ruby-1.1.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:320:in `block (2 levels) in create_worker' /root/bolt/.bundle/gems/ruby/2.5.0/gems/concurrent-ruby-1.1.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:319:in `catch' /root/bolt/.bundle/gems/ruby/2.5.0/gems/concurrent-ruby-1.1.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:319:in `block in create_worker' /root/bolt/.bundle/gems/ruby/2.5.0/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'Failed on omiserver.bolt.test: �
Jira (BOLT-1475) Kerberos - Create development / debug environment inside test containers
Title: Message Title Ethan Brown assigned an issue to Unassigned Puppet Task Runner / BOLT-1475 Kerberos - Create development / debug environment inside test containers Change By: Ethan Brown Assignee: Ethan Brown Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.317167.1563491448000.35021.1564437300494%40Atlassian.JIRA.
Jira (BOLT-126) Support WinRM with Kerberos (from Linux node)
Title: Message Title Ethan Brown commented on BOLT-126 Re: Support WinRM with Kerberos (from Linux node) We removed –realm switch in the PR in favor of using realm in the winrm definition. It's possible that we'll make it so that –user u...@domain.com will imply use of Kerberos. Windows should probably implicitly use the Kerberos ticket affiliated with the current logged on domain user ... making specification of realm unnecessary on Windows. It's also possible that realm will be changed to domain - that's still an open discussion. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.214093.150696560.31947.1564094940237%40Atlassian.JIRA.
Jira (BOLT-1323) Support WinRM with Kerberos (from Windows node)
Title: Message Title
Ethan Brown updated an issue
Puppet Task Runner / BOLT-1323
Support WinRM with Kerberos (from Windows node)
Change By:
Ethan Brown
BOLT-126 was originally intended to be for supporting Kerberos authentication over WinRM.After working on that effort, it was uncovered that the {{winrm}} gem only supports the MIT {{GSSAPI}}. While this is fine on Linux, where installation of the relevant packages is straightforward, it is a non-standard approach on Windows (even given the Windows installer for GSSAPI). No Windows admin wants to install an additional 3rd party library to access Kerberos functionality that is already built into the OS.Supporting Windows to Windows authentication using Kerberos and WinRM should use built-in Windows API calls, and should default to using the credentials from the active domain login (as a starting point).This will require adding support to the WinRM gem to provide encryption / decryption using Windows APIs.There are some useful details in [ https://docs.microsoft.com/en-us/windows/desktop/secauthn/sspi-kerberos-interoperability-with-gssapi ] about translating gssapi calls to equivalent Windows APIs: * gss_get_mic -> MakeSignature* gss_verify_mic -> VerifySignature* gss_init_sec_context -> [InitializeSecurityContext (Kerberos)|https://msdn.microsoft.com/en-us/library/windows/desktop/aa375507%28v=vs.85%29.aspx?f=255=-2147217396]* GSS_Wrap -> [EncryptMessage (Kerberos)|https://msdn.microsoft.com/en-us/library/Aa375385(v=VS.85).aspx]* GSS_Unwrap -> [DecryptMessage (Kerberos)|https://msdn.microsoft.com/en-us/library/Aa375215(v=VS.85).aspx]{{_iov}} functions may already be supported with the above APIs, but may require the {{*Ex}} versions. Code changes to winrm gem will need to be made to replicate the behavior of the {{HttpGSSAPI}} class at [ https://github.com/WinRb/WinRM/blob/master/lib/winrm/http/transport.rb#L287-L461 ] in a new class, {{HttpSSPI}}Ruby already has some limited helper code available around the Win32 SSPI layer, namely support for the {{AcquireCredentialsHandle}} and {{InitializeSecurityContext}} APIs - see [ https://github.com/ruby/ruby/blob/d48783bb0236db505fe1205d1d9822309de53a36/ext/win32/lib/win32/sspi.rb ] The code from gssapi simple that will need to be ported to a Windows API equivalent is at [ https://github.com/zenchild/gssapi/blob/master/lib/gssapi/simple.rb ] Some other ideas tossed around for consuming the MIT dep:- compile / build / redistribute Windows binaries in MSI from https://github.com/krb5/krb5 - build once / stash as a "static" dep in Artifactory - build via some kind of build step in puppet-runtime - not great solution for testing "source" - drag in older prebuilt binaries from upstream somehow - provide docs on how to install deps in Windows
Jira (BOLT-1475) Kerberos - Create development / debug environment inside test containers
Title: Message Title Ethan Brown assigned an issue to Ethan Brown Puppet Task Runner / BOLT-1475 Kerberos - Create development / debug environment inside test containers Change By: Ethan Brown Assignee: Ethan Brown Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.317167.1563491448000.26155.1563834840270%40Atlassian.JIRA.
Jira (BOLT-1475) Kerberos - Create development / debug environment inside test containers
Title: Message Title Ethan Brown updated an issue Puppet Task Runner / BOLT-1475 Kerberos - Create development / debug environment inside test containers Change By: Ethan Brown Sprint: Bolt Ready for Grooming Kanban Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.317167.1563491448000.26159.1563834840288%40Atlassian.JIRA.
Jira (BOLT-1472) Automated Test WinRM with Kerberos (from Linux node)
Title: Message Title Ethan Brown assigned an issue to Lucy Wyman Puppet Task Runner / BOLT-1472 Automated Test WinRM with Kerberos (from Linux node) Change By: Ethan Brown Assignee: Ethan Brown Lucy Wyman Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.316522.1563208774000.26154.1563834780111%40Atlassian.JIRA.
Jira (BOLT-1476) Kerberos - Fix the winrm gem and OMI server incompatibility
Title: Message Title Ethan Brown created an issue Puppet Task Runner / BOLT-1476 Kerberos - Fix the winrm gem and OMI server incompatibility Issue Type: Task Assignee: Unassigned Created: 2019/07/18 4:14 PM Priority: Normal Reporter: Ethan Brown TravisCI Kerberos specs are currently disabled because the winrm gem and OMI server don't interoperate correctly when using Kerberos authentication. BOLT-1475 describes setting up a new development environment container to reproduce the problem / setup the system for better debugging. This ticket is about debugging / resolving the actual problem, which requires building OMI server from source and testing it in the dev environment. Add Comment This
Jira (BOLT-1472) Automated Test WinRM with Kerberos (from Linux node)
Title: Message Title Ethan Brown commented on BOLT-1472 Re: Automated Test WinRM with Kerberos (from Linux node) After setting all of this up, it's clear that there is a bug in the protocol negotiation between the WinRM gem and OMI server, rather than a misconfiguration of the server (given powershell itself can connect to OMI and use Kerberos authentication). Therefore, I'd like to merge this setup with the pending tests, and have created 2 additional related tickets to capture the remaining work: BOLT-1475 - Setup an OMI / Kerberos debugging environment inside a new container BOLT-1476 - Resolve the winrm gem / OMI bug to be able to enable automated tests Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.316522.1563208774000.22542.1563491520056%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1475) Kerberos - Create development / debug environment inside test containers
Title: Message Title Ethan Brown created an issue Puppet Task Runner / BOLT-1475 Kerberos - Create development / debug environment inside test containers Issue Type: Task Assignee: Unassigned Created: 2019/07/18 4:10 PM Priority: Normal Reporter: Ethan Brown This is spun off of BOLT-1472, which was about enabling the winrm Kerberos tests to run in TravisCI. However, after setting up the environment completely, a bug was found in how the winrm gem and OMI server interoperate. This was confirmed because: the omicli tool can use Kerberos to connect to omi server without issue the winrm gem can communicate with Windows Active directory pwsh can use the Invoke-Command cmdlet with kerberos authentication to communicate with OMI server This first part of solving this problem is to provide a Bolt development environment in a new Linux based container that can easily reproduce the problem. This will be a fully opt-in net new container that is not used in CI. Linux is necessary, because the gssapi gem doesn't currently work on OSX without reconfiguring a default OSX system and a bunch of additional work. A container allows for a very portable environment.
Jira (BOLT-1472) Automated Test WinRM with Kerberos (from Linux node)
Title: Message Title Ethan Brown updated an issue Puppet Task Runner / BOLT-1472 Automated Test WinRM with Kerberos (from Linux node) Change By: Ethan Brown Sprint: Bolt Ready for Grooming Kanban Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.316522.1563208774000.19612.1563381300071%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1472) Automated Test WinRM with Kerberos (from Linux node)
Title: Message Title Ethan Brown assigned an issue to Ethan Brown Puppet Task Runner / BOLT-1472 Automated Test WinRM with Kerberos (from Linux node) Change By: Ethan Brown Assignee: Ethan Brown Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.316522.1563208774000.19611.1563381240142%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-126) Support WinRM with Kerberos (from Linux node)
Title: Message Title Ethan Brown commented on BOLT-126 Re: Support WinRM with Kerberos (from Linux node) BOLT-1472 has been created to cover the testing aspect of this ticket, so that we can move forward on merging the basics of this work with manual testing only. As mentioned in https://github.com/puppetlabs/bolt/pull/1087 the caveats are: Works only with MIT Kerberos from a Linux node Does not work with Heimdal on OSX - gssapi gem support for Heimdal is not well vetted - OSX doesn't export Kerberos IOV functions needed for MS DCE RPC Does not work from a Windows node as winrm / gssapi gems only support MIT Kerberos, and Windows has its own APIs Has been manually tested in a simple AD environment that has a CentOS host domain joined to Windows Active Directory Provides initial support for the --realm command line switch, which can be used intead of --username / --password. Note that Kerberos is an authentication method, not a transport, so can be used with or without SSL just like other authentication. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this
Jira (BOLT-1472) Automated Test WinRM with Kerberos (from Linux node)
Title: Message Title Ethan Brown updated an issue Puppet Task Runner / BOLT-1472 Automated Test WinRM with Kerberos (from Linux node) Change By: Ethan Brown Sprint: Bolt Ready for Grooming Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.316522.1563208774000.15956.1563208861519%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1472) Automated Test WinRM with Kerberos (from Linux node)
Title: Message Title Ethan Brown created an issue Puppet Task Runner / BOLT-1472 Automated Test WinRM with Kerberos (from Linux node) Issue Type: Task Assignee: Unassigned Components: WinRM Created: 2019/07/15 9:39 AM Labels: winrm kerberos Priority: Normal Reporter: Ethan Brown This has been spun off of the work in BOLT-126 for enabling Kerberos support. In an effort to get the code merged to support the feature, this separate ticket exists for the sake of completing the work on testing in https://github.com/puppetlabs/bolt/pull/999 At a high level, this involves doing a few things: Spinning up a new Samba container to host an Active Directory Domain joining the existing OMI container to the AD Enabling OMI server to use Kerberos authentication Configuring TravisCI to acquire a Kerberos ticket from AD, so that it can use Kerberos authentication to run PowerShell commands against OMI server New tests to demonstrate the behavior functioning properly
Jira (BOLT-1471) Support WinRM with Kerberos (from OSX)
Title: Message Title Ethan Brown created an issue Puppet Task Runner / BOLT-1471 Support WinRM with Kerberos (from OSX) Issue Type: Task Affects Versions: BOLT 1.26.0 Assignee: Unassigned Components: WinRM Created: 2019/07/12 10:47 AM Labels: windows winrm kerberos Priority: Normal Reporter: Ethan Brown OSX uses Heimdal libraries for Kerberos rather than MIT. There are 2 chief problems with Heimdal: The semantics of the Heimdal library are different from MIT Kerberos - this leads to a number of unresolved segfaults in the gssapi gem, resulting from things like double frees - for instance - https://github.com/zenchild/gssapi/issues/12 (marked as closed, but I've verified at least 2 segfaults are still present) The version of Heimdal included with OSX does not expose all the available functions either - to communicate with AD, Microsoft DCE RPC support is necessary, which is only included in the IOV functions, which are not present on OSX. Allegedly Heimdal added IOV functions before MIT Kerberos, but for whatever reason, they're unavailable for use on at least OSX 10.12.6 There are a few options for solutions to this problem: For development, require OSX users install / configure MIT Kerberos to run any
Jira (BOLT-1467) bolt_shim::command should execute via powershell on Windows
Title: Message Title Ethan Brown updated an issue Puppet Task Runner / BOLT-1467 bolt_shim::command should execute via powershell on Windows Change By: Ethan Brown Labels: windows Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.315975.1562793707000.11566.1562795880171%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1467) bolt_shim::command should execute via powershell on Windows
Title: Message Title Ethan Brown updated an issue Puppet Task Runner / BOLT-1467 bolt_shim::command should execute via powershell on Windows Change By: Ethan Brown Sprint: Bolt Ready for Grooming Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.315975.1562793707000.11564.1562795880160%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9719) Cannot run Puppet Agent as Administrator if first PA run is done as System
Title: Message Title Ethan Brown commented on PUP-9719 Re: Cannot run Puppet Agent as Administrator if first PA run is done as System Be careful when referring to Administrator We typically don't want Administrator (the user), we want to apply Administrators (the group). Administrators has a well known SID of S-1-5-32-544 and includes the users we typically wish to grant access to - Administrator, SYSTEM, domain admins, etc. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.310162.1558726819000.59788.1561481160862%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9566) Allow to send extra headers when requesting a catalog compilation
Title: Message Title Ethan Brown commented on PUP-9566 Re: Allow to send extra headers when requesting a catalog compilation Thanks for the comments Josh Cooper What other HTTP requests does Puppet make outside of requests to Puppetserver and HTTP backed file resources? Would hostname matching be a good mechanism for restricting headers for specific use cases? I'm thinking about something like csr_attributes - i.e. a separate YAML map of host -> array of additional headers. That's probably more complexity than we would want to add for this and it may become difficult to keep the server hostname in puppet.conf synchronized with a new sidecar file (rather than just using the servers hostname automatically to restrict) - but trying to come up with something that isn't so hardcoded around the identity of puppetserver. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.300606.1552923936000.49951.1560799860846%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1117) Powershell task helper library
Title: Message Title Ethan Brown assigned an issue to William Hurt Puppet Task Runner / BOLT-1117 Powershell task helper library Change By: Ethan Brown Assignee: Ethan Brown William Hurt Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.295235.1549498793000.19427.1558646760312%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1324) Add OMI server to docker compose TravisCI specs to test Linux PowerShell
Title: Message Title Ethan Brown assigned an issue to Cas Donoghue Puppet Task Runner / BOLT-1324 Add OMI server to docker compose TravisCI specs to test Linux PowerShell Change By: Ethan Brown Assignee: Ethan Brown Cas Donoghue Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.309473.1558376887000.13604.1558415460118%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1324) Add OMI server to docker compose TravisCI specs to test Linux PowerShell
Title: Message Title Ethan Brown created an issue Puppet Task Runner / BOLT-1324 Add OMI server to docker compose TravisCI specs to test Linux PowerShell Issue Type: Task Assignee: Unassigned Components: linux, powershell, Windows, WinRM Created: 2019/05/20 11:28 AM Priority: Normal Reporter: Ethan Brown As part of adding Kerberos support for Linux -> Windows connections over WinRM in BOLT-126, it was determined to add some testing. For now, the most convenient tests involve: A KDC server A Linux based OMI server instance that supports WinRM connections The OMI server can be independently setup with NTLM auth to start... and then when the KDC server is added, OMI can be configured to use Kerberos authentication. Therefore, complete this step first as it is an easy-to-verify fairly known entity. For now, a simple smoke test should be sufficient in validating WinRM in this scenario. It's known that there are still some issues with the WinRM gems ability to connect to Linux based PowerShell hosts.
Jira (BOLT-1324) Add OMI server to docker compose TravisCI specs to test Linux PowerShell
Title: Message Title Ethan Brown assigned an issue to Ethan Brown Puppet Task Runner / BOLT-1324 Add OMI server to docker compose TravisCI specs to test Linux PowerShell Change By: Ethan Brown Assignee: Ethan Brown Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.309473.1558376887000.12707.1558376941714%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1323) Support WinRM with Kerberos (from Windows node)
Title: Message Title
Ethan Brown updated an issue
Puppet Task Runner / BOLT-1323
Support WinRM with Kerberos (from Windows node)
Change By:
Ethan Brown
BOLT-126 was originally intended to be for supporting Kerberos authentication over WinRM.After working on that effort, it was uncovered that the {{winrm}} gem only supports the MIT {{GSSAPI}}. While this is fine on Linux, where installation of the relevant packages is straightforward, it is a non-standard approach on Windows (even given the Windows installer for GSSAPI). No Windows admin wants to install an additional 3rd party library to access Kerberos functionality that is already built into the OS.Supporting Windows to Windows authentication using Kerberos and WinRM should use built-in Windows API calls, and should default to using the credentials from the active domain login (as a starting point).This will require adding support to the WinRM gem to provide encryption / decryption using Windows APIs.There are some useful details in https://docs.microsoft.com/en-us/windows/desktop/secauthn/sspi-kerberos-interoperability-with-gssapi about translating gssapi calls to equivalent Windows APIs:* gss_get_mic -> MakeSignature* gss_verify_mic -> VerifySignature* gss_init_sec_context -> [InitializeSecurityContext (Kerberos)|https://msdn.microsoft.com/en-us/library/windows/desktop/aa375507%28v=vs.85%29.aspx?f=255=-2147217396]* GSS_Wrap -> [EncryptMessage (Kerberos)|https://msdn.microsoft.com/en-us/library/Aa375385(v=VS.85).aspx]* GSS_Unwrap -> [DecryptMessage (Kerberos)|https://msdn.microsoft.com/en-us/library/Aa375215(v=VS.85).aspx]{{_iov}} functions may already be supported with the above APIs, but may require the {{*Ex}} versions.Code changes to winrm gem will need to be made to replicate the behavior of the {{HttpGSSAPI}} class at https://github.com/WinRb/WinRM/blob/master/lib/winrm/http/transport.rb#L287-L461 in a new class, {{HttpSSPI}}Ruby already has some limited helper code available around the Win32 SSPI layer, namely support for the {{AcquireCredentialsHandle}} and {{InitializeSecurityContext )) }} APIs - see https://github.com/ruby/ruby/blob/d48783bb0236db505fe1205d1d9822309de53a36/ext/win32/lib/win32/sspi.rbThe code from gssapi simple that will need to be ported to a Windows API equivalent is at https://github.com/zenchild/gssapi/blob/master/lib/gssapi/simple.rb
Jira (BOLT-1323) Support WinRM with Kerberos (from Windows node)
Title: Message Title Ethan Brown assigned an issue to Ethan Brown Puppet Task Runner / BOLT-1323 Support WinRM with Kerberos (from Windows node) Change By: Ethan Brown Assignee: Ethan Brown Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.309458.1558371969000.12396.1558372621564%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-126) Support WinRM with Kerberos (from Linux node)
Title: Message Title Ethan Brown commented on BOLT-126 Re: Support WinRM with Kerberos (from Linux node) The WinRM gem has been updated. However, it was determined that this only supports the needs of non-Windows clients -> Windows using Kerberos. Windows client-side support is a separate task and I've filed BOLT-1323 for that. Currently working on getting testing up for this PR by bringing up a few additional nodes in our docker compose tests: A KDC based on Alpine Linux to authenticate against The Microsoft OMI server, with PowerShell and the PSRP plugin installed to allow for running Powershell remotely over WinRM (or SSH) There are still two wildcards in the mix here: The instructions on OMI server only specify how to authenticate against an Active Directory Domain Controller, not a KDC server (https://github.com/Microsoft/omi/blob/master/Unix/doc/setup-kerberos-omi.md) We know there are still some incompatibilities running PowerShell commands over WinRM to a Linux host (based on the webinar I did demonstrating this behavior). Being able to run Write-Host hi should be sufficient to test the Kerberos auth however. We don't yet support PowerShell over SSH transport, but this testing setup will make it easier to add support for that later Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
Jira (BOLT-1323) Support WinRM with Kerberos (from Windows node)
Title: Message Title Ethan Brown created an issue Puppet Task Runner / BOLT-1323 Support WinRM with Kerberos (from Windows node) Issue Type: New Feature Assignee: Unassigned Components: Windows, WinRM Created: 2019/05/20 10:06 AM Priority: Normal Reporter: Ethan Brown BOLT-126 was originally intended to be for supporting Kerberos authentication over WinRM. After working on that effort, it was uncovered that the winrm gem only supports the MIT GSSAPI. While this is fine on Linux, where installation of the relevant packages is straightforward, it is a non-standard approach on Windows (even given the Windows installer for GSSAPI). No Windows admin wants to install an additional 3rd party library to access Kerberos functionality that is already built into the OS. Supporting Windows to Windows authentication using Kerberos and WinRM should use built-in Windows API calls, and should default to using the credentials from the active domain login (as a starting point). This will require adding support to the WinRM gem to provide encryption / decryption using Windows APIs. There are some useful details in https://docs.microsoft.com/en-us/windows/desktop/secauthn/sspi-kerberos-interoperability-with-gssapi about translating gssapi calls to equivalent Windows APIs: gss_get_mic -> MakeSignature gss_verify_mic -> VerifySignature gss_init_sec_context -> InitializeSecurityContext (Kerberos) GSS_Wrap -> EncryptMessage (Kerberos) GSS_Unwrap -> DecryptMessage (Kerberos) _iov functions may already be supported with the above APIs, but may require the *Ex versions. Code changes
Jira (BOLT-126) Support WinRM with Kerberos (from Linux node)
Title: Message Title Ethan Brown updated an issue Puppet Task Runner / BOLT-126 Support WinRM with Kerberos (from Linux node) Change By: Ethan Brown Summary: Support WinRM with Kerberos (from Linux node) Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.214093.150696560.12224.1558370340842%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1267) Bolt should amend PowerShell PSModulePath to allow for easily importing shared code
Title: Message Title Ethan Brown created an issue Puppet Task Runner / BOLT-1267 Bolt should amend PowerShell PSModulePath to allow for easily importing shared code Issue Type: Bug Assignee: Unassigned Components: Windows Created: 2019/04/24 8:45 AM Labels: windows Priority: Normal Reporter: Ethan Brown Having to use relative paths to determine where shared module code is copied to remote systems when running PowerShell tasks can be problematic. It would be helpful if Bolt automatically added the default location for copied code to $ENV:PsModulePath so that end users can simply call Import-Module to load code. Similarly, it may be useful to have a small helper function specific to Bolt like Import-BoltCode to assist with this. Add Comment
Jira (BOLT-126) Support WinRM with Kerberos
Title: Message Title Ethan Brown commented on BOLT-126 Re: Support WinRM with Kerberos Blocking this on the merge of the PR that I put up for the WinRM gem at https://github.com/WinRb/WinRM/pull/302 to fix the Kerberos corruption. We'll want a new gem to be cut prior to integrating Kerberos support into Bolt. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-126) Support WinRM with Kerberos
Title: Message Title Ethan Brown updated an issue Puppet Task Runner / BOLT-126 Support WinRM with Kerberos Change By: Ethan Brown Sprint: Bolt Kanban Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1117) Powershell task helper library
Title: Message Title Ethan Brown commented on BOLT-1117 Re: Powershell task helper library Repo created at https://github.com/puppetlabs/puppetlabs-powershell_task_helper Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1209) Intermittent AppVeyor test failure - WSMAN ERROR CODE: 1018 / WSMAN ERROR CODE: 2147746132
Title: Message Title Ethan Brown commented on BOLT-1209 Re: Intermittent AppVeyor test failure - WSMAN ERROR CODE: 1018 / WSMAN ERROR CODE: 2147746132 This ticket also addressed a few additional failure modes: Timeout connecting to curl website to download CA bundle Timeout connecting to Forge to install Puppetfile Both of these scenarios now have timeouts. Unable to reproduce any failures while testing - though the next time a failure occurs there should be additional information in the logs. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1209) Intermittent AppVeyor test failure - WSMAN ERROR CODE: 1018 / WSMAN ERROR CODE: 2147746132
Title: Message Title
Ethan Brown updated an issue
Puppet Task Runner / BOLT-1209
Intermittent AppVeyor test failure - WSMAN ERROR CODE: 1018 / WSMAN ERROR CODE: 2147746132
Change By:
Ethan Brown
The following code can be used to help decipher the error codes https://p0w3rsh3ll.wordpress.com/2013/03/07/deciphering-winrm-error-codes/.Error code 1018 is defined in https://docs.microsoft.com/en-us/windows/desktop/Debug/system-error-codes--1000-1299- as { noformat}ERROR_KEY_DELETED1018 (0x3FA)Illegal operation attempted on a registry key that has been marked for deletion. { noformat} 2147746132 could be the COM error for {{REGDB_E_CLASSNOTREG}}{noformat}C:\Users\Iristyle> (New-Object -ComObject WSMAN.Automation).GetErrorMessage((Get-ErrorCode 2147746132).Int64)Class not registered{noformat}Both of these seem to indicate some registry setup may not be complete.{{ bundle exec rake integration:appveyor_agents}} fails intermittently with a few different types of winrm errors{noformat}Failures: 1) apply over winrm on Appveyor with Puppet Agents when running against puppet 5 runs a ruby task Failure/Error: expect(result[0]).to include('status' => 'success') expected {"node" => "winrm://roddypiper@localhost:5985", "result" => {"_error" => {"details" => {}, "issue_code" => "CON... host server and proxy are properly registered. "}}, "status" => "failure"} to include {"status" => "success"} Diff: @@ -1,2 +1,4 @@ -"status" => "success", +"node" => "winrm://roddypiper@localhost:5985", +"result" => {"_error"=>{"details"=>{}, "issue_code"=>"CONNECT_ERROR", "kind"=>"puppetlabs.tasks/connect-error", "msg"=>"Failed to connect to http://localhost:5985/wsman: [WSMAN ERROR CODE: 1018]: The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. "}}, +"status" => "failure", # ./spec/integration/apply_spec.rb:277:in `block (4 levels) in ' 2) apply over winrm on Appveyor with Puppet Agents when running against puppet 5 runs an apply plan Failure/Error: expect(result[0]).to include('status' => 'success') expected {"node" => "winrm://roddypiper@localhost:5985", "result" => {"_error" => {"details" => {}, "issue_code" => "CON... host server and proxy are properly registered. "}}, "status" => "failure"} to include {"status" => "success"} Diff: @@ -1,2 +1,4 @@ -"status" => "success", +"node" => "winrm://roddypiper@localhost:5985", +"result" => {"_error"=>{"details"=>{}, "issue_code"=>"CONNECT_ERROR", "kind"=>"puppetlabs.tasks/connect-error", "msg"=>"Failed to connect to http://localhost:5985/wsman: [WSMAN ERROR CODE: 1018]: The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. "}}, +"status" => "failure", # ./spec/integration/apply_spec.rb:277:in `block (4 levels) in ' 3) apply over winrm on Appveyor with Puppet Agents when
Jira (BOLT-1224) SPIKE - Investigate lighter weight code for sending analytics on Windows
Title: Message Title Ethan Brown created an issue Puppet Task Runner / BOLT-1224 SPIKE - Investigate lighter weight code for sending analytics on Windows Issue Type: Improvement Affects Versions: BOLT 1.15.0 Assignee: Unassigned Components: Windows Created: 2019/04/02 9:25 AM Priority: Normal Reporter: Ethan Brown Currently the analytics code loads both the concurrent and httpclient gems on Windows. These are fairly slow to load. For CLI consumers that haven't disabled analytics, this can slow down some of the basic bolt CLI interactions. Add Comment
Jira (BOLT-1208) SPIKE - Determine next area for Windows perf improvements
Title: Message Title
Ethan Brown updated an issue
Puppet Task Runner / BOLT-1208
SPIKE - Determine next area for Windows perf improvements
Change By:
Ethan Brown
Now that BOLT-1119 and BOLT-1186 are completed in an effort to improve startup time performance on , further investigate areas for performance improvements on Windows* Loading the list of available tasks / plans from modules on disk (i.e. {{bolt plan show}} and similar)* Connecting to remote hosts once to run a command / script / task* Connecting to the same host multiple times to run a command / script / taskIt may be useful to get other scenarios that feel "slow" to Windows users. Another useful output of this ticket might be a dependency graph showing how files / classes / gems are related to one another.
Add Comment
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send
Jira (BOLT-1209) Intermittent AppVeyor test failure - WSMAN ERROR CODE: 1018 / WSMAN ERROR CODE: 2147746132
Title: Message Title Ethan Brown commented on BOLT-1209 Re: Intermittent AppVeyor test failure - WSMAN ERROR CODE: 1018 / WSMAN ERROR CODE: 2147746132 Don't think that it's the same, like what we see in https://ci.appveyor.com/project/puppetlabs/bolt/builds/23295542/job/1l58h2g84vmve3md Failures: 1) Bolt::Transport::WinRM with an open connection when determining result fails for PowerShell terminating errors: Correct syntax bad command (CommandNotFoundException) Failure/Error: raise Bolt::Node::FileError.new(e.message, 'WRITE_ERROR') Bolt::Node::FileError: execution expired # ./lib/bolt/transport/winrm/connection.rb:156:in `rescue in write_remote_file_winrm' # ./lib/bolt/transport/winrm/connection.rb:152:in `write_remote_file_winrm' # ./lib/bolt/transport/winrm/connection.rb:148:in `write_remote_file' # ./lib/bolt/transport/winrm/connection.rb:216:in `write_remote_executable' # ./lib/bolt/transport/winrm.rb:97:in `block (2 levels) in run_script' # ./lib/bolt/transport/winrm/connection.rb:200:in `with_remote_tempdir'
Jira (BOLT-1209) Intermittent AppVeyor test failure - WSMAN ERROR CODE: 1018 / WSMAN ERROR CODE: 2147746132
Title: Message Title
Ethan Brown updated an issue
Puppet Task Runner / BOLT-1209
Intermittent AppVeyor test failure - WSMAN ERROR CODE: 1018 / WSMAN ERROR CODE: 2147746132
Change By:
Ethan Brown
{{bundle exec rake integration:appveyor_agents}} fails intermittently with a few different types of winrm errors{noformat}Failures: 1) apply over winrm on Appveyor with Puppet Agents when running against puppet 5 runs a ruby task Failure/Error: expect(result[0]).to include('status' => 'success') expected {"node" => "winrm://roddypiper@localhost:5985", "result" => {"_error" => {"details" => {}, "issue_code" => "CON... host server and proxy are properly registered. "}}, "status" => "failure"} to include {"status" => "success"} Diff: @@ -1,2 +1,4 @@ -"status" => "success", +"node" => "winrm://roddypiper@localhost:5985", +"result" => {"_error"=>{"details"=>{}, "issue_code"=>"CONNECT_ERROR", "kind"=>"puppetlabs.tasks/connect-error", "msg"=>"Failed to connect to http://localhost:5985/wsman: [WSMAN ERROR CODE: 1018]: The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. "}}, +"status" => "failure", # ./spec/integration/apply_spec.rb:277:in `block (4 levels) in ' 2) apply over winrm on Appveyor with Puppet Agents when running against puppet 5 runs an apply plan Failure/Error: expect(result[0]).to include('status' => 'success') expected {"node" => "winrm://roddypiper@localhost:5985", "result" => {"_error" => {"details" => {}, "issue_code" => "CON... host server and proxy are properly registered. "}}, "status" => "failure"} to include {"status" => "success"} Diff: @@ -1,2 +1,4 @@ -"status" => "success", +"node" => "winrm://roddypiper@localhost:5985", +"result" => {"_error"=>{"details"=>{}, "issue_code"=>"CONNECT_ERROR", "kind"=>"puppetlabs.tasks/connect-error", "msg"=>"Failed to connect to http://localhost:5985/wsman: [WSMAN ERROR CODE: 1018]: The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. "}}, +"status" => "failure", # ./spec/integration/apply_spec.rb:277:in `block (4 levels) in ' 3) apply over winrm on Appveyor with Puppet Agents when running against puppet 5 does not create Boltdir Failure/Error: expect(result[0]).to include('status' => 'success') expected {"node" => "winrm://roddypiper@localhost:5985", "result" => {"_error" => {"details" => {}, "issue_code" => "CON... host server and proxy are properly registered. "}}, "status" => "failure"} to include {"status" => "success"} Diff: @@ -1,2 +1,4 @@ -"status" => "success", +"node" => "winrm://roddypiper@localhost:5985", +"result" => {"_error"=>{"details"=>{}, "issue_code"=>"CONNECT_ERROR", "kind"=>"puppetlabs.tasks/connect-error", "msg"=>"Failed to connect to http://localhost:5985/wsman: [WSMAN ERROR CODE:
Jira (BOLT-1209) Intermittent AppVeyor test failure - WSMAN ERROR CODE: 1018
Title: Message Title
Ethan Brown updated an issue
Puppet Task Runner / BOLT-1209
Intermittent AppVeyor test failure - WSMAN ERROR CODE: 1018
Change By:
Ethan Brown
{{bundle exec rake integration:appveyor_agents}} fails intermittently with a few different types of winrm error errors {noformat}Failures: 1) apply over winrm on Appveyor with Puppet Agents when running against puppet 5 runs a ruby task Failure/Error: expect(result[0]).to include('status' => 'success') expected {"node" => "winrm://roddypiper@localhost:5985", "result" => {"_error" => {"details" => {}, "issue_code" => "CON... host server and proxy are properly registered. "}}, "status" => "failure"} to include {"status" => "success"} Diff: @@ -1,2 +1,4 @@ -"status" => "success", +"node" => "winrm://roddypiper@localhost:5985", +"result" => {"_error"=>{"details"=>{}, "issue_code"=>"CONNECT_ERROR", "kind"=>"puppetlabs.tasks/connect-error", "msg"=>"Failed to connect to http://localhost:5985/wsman: [WSMAN ERROR CODE: 1018]: The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. "}}, +"status" => "failure", # ./spec/integration/apply_spec.rb:277:in `block (4 levels) in ' 2) apply over winrm on Appveyor with Puppet Agents when running against puppet 5 runs an apply plan Failure/Error: expect(result[0]).to include('status' => 'success') expected {"node" => "winrm://roddypiper@localhost:5985", "result" => {"_error" => {"details" => {}, "issue_code" => "CON... host server and proxy are properly registered. "}}, "status" => "failure"} to include {"status" => "success"} Diff: @@ -1,2 +1,4 @@ -"status" => "success", +"node" => "winrm://roddypiper@localhost:5985", +"result" => {"_error"=>{"details"=>{}, "issue_code"=>"CONNECT_ERROR", "kind"=>"puppetlabs.tasks/connect-error", "msg"=>"Failed to connect to http://localhost:5985/wsman: [WSMAN ERROR CODE: 1018]: The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. "}}, +"status" => "failure", # ./spec/integration/apply_spec.rb:277:in `block (4 levels) in ' 3) apply over winrm on Appveyor with Puppet Agents when running against puppet 5 does not create Boltdir Failure/Error: expect(result[0]).to include('status' => 'success') expected {"node" => "winrm://roddypiper@localhost:5985", "result" => {"_error" => {"details" => {}, "issue_code" => "CON... host server and proxy are properly registered. "}}, "status" => "failure"} to include {"status" => "success"} Diff: @@ -1,2 +1,4 @@ -"status" => "success", +"node" => "winrm://roddypiper@localhost:5985", +"result" => {"_error"=>{"details"=>{}, "issue_code"=>"CONNECT_ERROR", "kind"=>"puppetlabs.tasks/connect-error", "msg"=>"Failed to connect to http://localhost:5985/wsman: [WSMAN ERROR CODE: 1018]: The WSMan
Jira (BOLT-1209) Intermittent AppVeyor test failure - WSMAN ERROR CODE: 1018 / WSMAN ERROR CODE: 2147746132
Title: Message Title Ethan Brown updated an issue Puppet Task Runner / BOLT-1209 Intermittent AppVeyor test failure - WSMAN ERROR CODE: 1018 / WSMAN ERROR CODE: 2147746132 Change By: Ethan Brown Summary: Intermittent AppVeyor test failure - WSMAN ERROR CODE: 1018 / WSMAN ERROR CODE: 2147746132 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1209) Intermittent AppVeyor test failure - WSMAN ERROR CODE: 1018
Title: Message Title
Ethan Brown created an issue
Puppet Task Runner / BOLT-1209
Intermittent AppVeyor test failure - WSMAN ERROR CODE: 1018
Issue Type:
Improvement
Assignee:
Unassigned
Components:
Windows
Created:
2019/03/26 9:56 AM
Priority:
Normal
Reporter:
Ethan Brown
bundle exec rake integration:appveyor_agents fails intermittently with a winrm error
Failures:
1) apply over winrm on Appveyor with Puppet Agents when running against puppet 5 runs a ruby task
Failure/Error: expect(result[0]).to include('status' => 'success')
expected {"node" => "winrm://roddypiper@localhost:5985", "result" => {"_error" => {"details" => {}, "issue_code" => "CON... host server and proxy are properly registered. "}}, "status" => "failure"} to include {"status" => "success"}
Diff:
Jira (BOLT-1208) SPIKE - Determine next area for Windows perf improvements
Title: Message Title Ethan Brown created an issue Puppet Task Runner / BOLT-1208 SPIKE - Determine next area for Windows perf improvements Issue Type: Improvement Assignee: Unassigned Components: performance, Windows Created: 2019/03/26 9:39 AM Labels: performance Priority: Normal Reporter: Ethan Brown Now that BOLT-1119 and BOLT-1186 are completed in an effort to improve startup time performance on , further investigate areas for performance improvements on Windows Loading the list of available tasks / plans from modules on disk (i.e. bolt plan show and similar) Connecting to remote hosts once to run a command / script / task Connecting to the same host multiple times to run a command / script / task It may be useful to get other scenarios that feel "slow" to Windows users.
Jira (BOLT-1186) Improve Bolt startup time on Windows redux
Title: Message Title Ethan Brown assigned an issue to Unassigned Puppet Task Runner / BOLT-1186 Improve Bolt startup time on Windows redux Change By: Ethan Brown Assignee: Ethan Brown Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1119) Improve Bolt startup time on Windows for bolt --help
Title: Message Title Ethan Brown commented on BOLT-1119 Re: Improve Bolt startup time on Windows for bolt --help My tests have been confined to a single host / scenario, so I'm not entirely comfortable with advertising "% faster" or absolute times improvements like "3 seconds faster" as that can be wildly variable based on machine. The focus of this work has been primarily on improving the path to something like bolt --help for now, but will expand out to encompass other common operations in later tickets / efforts. So for now, it's been about not loading code that we'll never need OR lazy-loading code when we need it (which will make small improvements across all operating systems - regardless of whether or not we're just asking for bolt --help or doing real work). Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1186) Improve Bolt startup time on Windows redux
Title: Message Title Ethan Brown updated an issue Puppet Task Runner / BOLT-1186 Improve Bolt startup time on Windows redux Change By: Ethan Brown Sprint: Bolt Ready for Grooming Kanban Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1117) Powershell task helper library
Title: Message Title Ethan Brown assigned an issue to Ethan Brown Puppet Task Runner / BOLT-1117 Powershell task helper library Change By: Ethan Brown Assignee: Ethan Brown Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1186) Improve Bolt startup time on Windows redux
Title: Message Title Ethan Brown assigned an issue to Ethan Brown Puppet Task Runner / BOLT-1186 Improve Bolt startup time on Windows redux Change By: Ethan Brown Assignee: Ethan Brown Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1119) Improve Bolt startup time on Windows for bolt --help
Title: Message Title Ethan Brown assigned an issue to Unassigned Puppet Task Runner / BOLT-1119 Improve Bolt startup time on Windows for bolt --help Change By: Ethan Brown Assignee: Ethan Brown Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1186) Improve Bolt startup time on Windows redux
Title: Message Title Ethan Brown created an issue Puppet Task Runner / BOLT-1186 Improve Bolt startup time on Windows redux Issue Type: Improvement Affects Versions: BOLT 1.14.0 Assignee: Unassigned Components: performance, Windows Created: 2019/03/19 9:22 AM Priority: Normal Reporter: Ethan Brown A number of improvements to Bolt gem code loading were made as part of BOLT-1119, reducing the effective startup time on Windows. The goal of this ticket is to further improve performance to reach approximately a 1.5 second (in a controlled environment) runtime for bolt --help The additional performance improvements / refactors that were not yet made include: Deferring the load of PAL and restructuring how concurrent libraries load Loading transport configs loads the entirety of the transport - this is unnecessary Separate Windows analytics client that uses BITs / doesn't rely on concurrent Getting a processor count using something other than concurrent (maybe inline the WMI call for Windows / use Concurrent library otherwise?) A better way to disable logging plugins than monkey patching
Jira (BOLT-1119) Improve Bolt startup time on Windows for bolt --help
Title: Message Title Ethan Brown updated an issue Puppet Task Runner / BOLT-1119 Improve Bolt startup time on Windows for bolt --help Change By: Ethan Brown Summary: SPIKE - understand why bolt is so slow Improve Bolt startup time on windows Windows for bolt --help Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1119) SPIKE - understand why bolt is so slow on windows
Title: Message Title Ethan Brown commented on BOLT-1119 Re: SPIKE - understand why bolt is so slow on windows Using a Windows 10 local VM with Ruby 2.5 and running Ruby / Bolt from source (with bundler) inside the ruby-prof profiler has generated some useful information. A typical bundle exec bolt --help on a clean system takes about 4.5 seconds. By comparison, simply loading irb takes under a second. There are two areas to further explore: About 85% of the time is spent in Rubys Kernel.require. While it's unlikely that performance of that core Ruby call can be improved, we may be able to make some optimizations around when code is loaded. In areas where code can be lazy loaded, it may be advantageous to do so, since expectations are that a typical --help should respond immediately. Next step is to add something like https://github.com/ruby-prof/ruby-prof/issues/159 to introduce more diagnostic information / analyze further. It's not yet determined if the majority of this time is loading PAL (Puppet As Library) - which it very well may be. 18% of the time is spent in a gem scan performed by the LittlePlugger gem - specifically in this line - https://github.com/TwP/little-plugger/blob/master/lib/little-plugger.rb#L191 (It's possible that loggers plugin system may be disabled to avoid running this code path) A couple of additional notes: Focus thus far has been on the most simple of cases - improving the experience around loading Bolt help. Additional work is still TBD for loading actual module / plan code and metadata, running tasks, etc. At least in this test environment, installing more gem code to the Ruby module path appears to degrade performance. Run times of 4.5 seconds lengthen to 5+ seconds. Other local changes have caused runs to degrade to 12+ seconds (still investigating if this is an anomaly or reproducible) Add Comment
Jira (PUP-9555) Update FFI dependency for Ruby 2.6 compatibility
Title: Message Title Ethan Brown created an issue Puppet / PUP-9555 Update FFI dependency for Ruby 2.6 compatibility Issue Type: Improvement Affects Versions: PUP 6.3.0 Assignee: Unassigned Components: Windows Created: 2019/03/11 1:08 PM Labels: windows Priority: Normal Reporter: Ethan Brown Puppet cannot be `bundle install`'d on Windows due to too strict a version requirement on FFI (of ~> 1.9.25). FFI did not add Window gems for Ruby 2.6 support until FFI 1.10.0. Change the requirement accordingly. Add Comment
Jira (BOLT-1119) SPIKE - understand why bolt is so slow on windows
Title: Message Title Ethan Brown assigned an issue to Ethan Brown Puppet Task Runner / BOLT-1119 SPIKE - understand why bolt is so slow on windows Change By: Ethan Brown Assignee: Ethan Brown Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1100) Bolt powershell module is not reliably installed
Title: Message Title Ethan Brown assigned an issue to Nick Lewis Puppet Task Runner / BOLT-1100 Bolt powershell module is not reliably installed Change By: Ethan Brown Assignee: Ethan Brown Nick Lewis Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1100) Bolt powershell module is not reliably installed
Title: Message Title Ethan Brown commented on BOLT-1100 Re: Bolt powershell module is not reliably installed Comments left on PR Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-153) Copy files over SMB on Windows
Title: Message Title Ethan Brown updated an issue Puppet Task Runner / BOLT-153 Copy files over SMB on Windows Change By: Ethan Brown Release Notes Summary: When transferring files to a Windows host, Bolt may optionally use the SMB protocol instead of using WinRM, for a significant reduction in transfer time. A user must either have Administrative rights to use an Administrative share like \\host\C$ or must use UNC style paths to access existing shares like \\host\share. Note that SMB file transfers can only be used in conjunction with winrm connections over HTTP, not HTTPS. SMB 3 (which supports encryption) is not yet supported. Release Notes: Enhancement Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this
Jira (BOLT-1130) Bolt PowerShell wrapper should allow for the use of Convert-ToJson (or similar) when using --params
Title: Message Title Ethan Brown updated an issue Puppet Task Runner / BOLT-1130 Bolt PowerShell wrapper should allow for the use of Convert-ToJson (or similar) when using --params Change By: Ethan Brown Release Notes Summary: The PowerShell cmdlet ConvertTo-Json typically does not produce JSON output consumable by the --params Bolt argument. Some values may need additional escaping to be properly passed to Bolt, while other types of values may not serialize in an easily consumable way. The PowerShell stop-parsing symbol --% may be used in some cases to address the escaping problem. A more comprehensive general solution will be addressed later. Release Notes: Known Issue Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to
Jira (BOLT-1130) Bolt PowerShell wrapper should allow for the use of Convert-ToJson (or similar) when using --params
Title: Message Title
Ethan Brown updated an issue
Puppet Task Runner / BOLT-1130
Bolt PowerShell wrapper should allow for the use of Convert-ToJson (or similar) when using --params
Change By:
Ethan Brown
BOLT-159 introduced a change to simplify argument passing from PowerShell when dealing with nested quotes.The change does improve the case mentioned, such that users can now use a simpler invocation like the following (rather than using {{"""}} themselves): {code} bolt command run 'echo "hi from $(hostname)"' --modulepath . --nodes winrm://localhost -u Administrator -p Qu@lity! --no-ssl{code} However, there are still cases where using more complex argument passing does not work properly due to not all values being escaped correctly for Ruby.In an ideal situation, a complex object should be serializable to a JSON string, which can then be passed directly like {{--params ($myobject | ConvertTo-Json)}}. Note that we will likely need a new PowerShell helper to serialize the values as desired, because of the way {{ConvertTo-Json}} handles certain types. For instance, more complex values like {{RegEx}}, {{IO.FileInfo}} and {{DateTime}} do not serialize in a way that's friendly to Bolt, requiring that {{ToString()}} be called first. {code} PS C:\cygwin64\home\Administrator> [DateTime]::Now | ConvertTo-Json{"value": "\/Date(155054351)\/","DateTime": "Tuesday, February 19, 2019 3:08:04 PM"}PS C:\cygwin64\home\Administrator> [DateTime]::Now.ToString() | ConvertTo-Json"2/19/2019 3:08:07 PM"PS C:\cygwin64\home\Administrator> [IO.FileInfo]'c:\windows' | ConvertTo-Json{"Name": "windows","Length": null,"DirectoryName": "c:\\","Directory": { "Name": "c:\\", "FullName": "c:\\", "Parent": null, "Exists": true, "Root": { "Name": "c:\\", "FullName": "c:\\", "Parent": null, "Exists": true, "Root": "c:\\", "Extension": "", "CreationTime": "\/Date(1536991766317)\/", "CreationTimeUtc": "\/Date(1536991766317)\/", "LastAccessTime": "\/Date(1550181187575)\/", "LastAccessTimeUtc": "\/Date(1550181187575)\/", "LastWriteTime": "\/Date(1550181186731)\/", "LastWriteTimeUtc": "\/Date(1550181186731)\/", "Attributes": 22 }, "Extension": "", "CreationTime": "\/Date(1536991766317)\/", "CreationTimeUtc": "\/Date(1536991766317)\/", "LastAccessTime": "\/Date(1550181187575)\/", "LastAccessTimeUtc": "\/Date(1550181187575)\/", "LastWriteTime": "\/Date(1550181186731)\/", "LastWriteTimeUtc": "\/Date(1550181186731)\/", "Attributes": 22
Jira (BOLT-159) Bolt commands on Powershell require triple quoting
Title: Message Title Ethan Brown commented on BOLT-159 Re: Bolt commands on Powershell require triple quoting Merged into master as https://github.com/puppetlabs/bolt-vanagon/commit/ae57a50ea979077b34493785967fc44bbd627f3a Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1130) Bolt PowerShell wrapper should allow for the use of Convert-ToJson (or similar) when using --params
Title: Message Title
Ethan Brown updated an issue
Puppet Task Runner / BOLT-1130
Bolt PowerShell wrapper should allow for the use of Convert-ToJson (or similar) when using --params
Change By:
Ethan Brown
BOLT-159 introduced a change to simplify argument passing from PowerShell when dealing with nested quotes.The change does improve the case mentioned, such that users can now use a simpler invocation like the following (rather than using {{"""}} themselves):{code}bolt command run 'echo "hi from $(hostname)"' --modulepath . --nodes winrm://localhost -u Administrator -p Qu@lity! --no-ssl{code}However, there are still cases where using more complex argument passing does not work properly due to not all values being escaped correctly for Ruby.In an ideal situation, a complex object should be serializable to a JSON string, which can then be passed directly like {{--params ($myobject | ConvertTo-Json)}}. Note that we will likely need a new PowerShell helper to serialize the values as desired, because of the way {{ConvertTo-Json}} handles certain types. For instance, more complex values like {{RegEx}}, {{IO.FileInfo}} and {{DateTime}} do not serialize in a way that's friendly to Bolt, requiring that {{ToString()}} be called first.{code}PS C:\cygwin64\home\Administrator> [DateTime]::Now | ConvertTo-Json{"value": "\/Date(155054351)\/","DateTime": "Tuesday, February 19, 2019 3:08:04 PM"}PS C:\cygwin64\home\Administrator> [DateTime]::Now.ToString() | ConvertTo-Json"2/19/2019 3:08:07 PM"PS C:\cygwin64\home\Administrator> [IO.FileInfo]'c:\windows' | ConvertTo-Json{"Name": "windows","Length": null,"DirectoryName": "c:\\","Directory": { "Name": "c:\\", "FullName": "c:\\", "Parent": null, "Exists": true, "Root": { "Name": "c:\\", "FullName": "c:\\", "Parent": null, "Exists": true, "Root": "c:\\", "Extension": "", "CreationTime": "\/Date(1536991766317)\/", "CreationTimeUtc": "\/Date(1536991766317)\/", "LastAccessTime": "\/Date(1550181187575)\/", "LastAccessTimeUtc": "\/Date(1550181187575)\/", "LastWriteTime": "\/Date(1550181186731)\/", "LastWriteTimeUtc": "\/Date(1550181186731)\/", "Attributes": 22 }, "Extension": "", "CreationTime": "\/Date(1536991766317)\/", "CreationTimeUtc": "\/Date(1536991766317)\/", "LastAccessTime": "\/Date(1550181187575)\/", "LastAccessTimeUtc": "\/Date(1550181187575)\/", "LastWriteTime": "\/Date(1550181186731)\/", "LastWriteTimeUtc": "\/Date(1550181186731)\/", "Attributes": 22
Jira (BOLT-159) Bolt commands on Powershell require triple quoting
Title: Message Title Ethan Brown commented on BOLT-159 Re: Bolt commands on Powershell require triple quoting The following comment was left on PR describing what's improved: While this is not a complete solution to more complex argument passing with --params (new BOLT ticket filed as BOLT-1130), for the more trivial cases where additional escaping is not required, this moves the ball forward. Given the command bolt command run 'echo "hi from $(hostname)"' --modulepath . --nodes winrm://localhost -u Administrator -p redacted --no-ssl Prior behavior was the following debug output listing arguments passed to Ruby command run echo "hi from $(hostname)" --modulepath . --nodes winrm://localhost -u Administrator -p *redacated* --no-ssl output ruby.exe : Unknown argument(s) from, $(hostname) At line:4 char:5 + &$env:RUBY_DIR\bin\ruby -S -- $env:RUBY_DIR\bin\bolt $args + ~~ + CategoryInfo : NotSpecified: (Unknown argument(s) from, $(hostname):String ) [], RemoteException + FullyQualifiedErrorId : NativeCommandError
Jira (BOLT-1130) Bolt PowerShell wrapper should allow for the use of Convert-ToJson (or similar) when using --params
Title: Message Title Ethan Brown created an issue Puppet Task Runner / BOLT-1130 Bolt PowerShell wrapper should allow for the use of Convert-ToJson (or similar) when using --params Issue Type: Task Affects Versions: BOLT 1.11.0 Assignee: Unassigned Components: Windows Created: 2019/02/19 7:12 AM Labels: windows Priority: Normal Reporter: Ethan Brown BOLT-159 introduced a change to simplify argument passing from PowerShell when dealing with nested quotes. The change does improve the case mentioned, such that users can now use a simpler invocation like the following (rather than using """ themselves): bolt command run 'echo "hi from $(hostname)"' --modulepath . --nodes winrm://localhost -u Administrator -p Qu@lity! --no-ssl However, there are still cases where using more complex argument passing does not work properly due to not all values being escaped correctly for Ruby. In an ideal situation, a complex object should be serializable to a JSON string, which can then be passed
Jira (BOLT-159) Bolt commands on Powershell require triple quoting
Title: Message Title Ethan Brown commented on BOLT-159 Re: Bolt commands on Powershell require triple quoting This is a good post that I use for reference whenever nested quoting comes into play on Windows - https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/ Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-1117) Powershell task helper library
Title: Message Title Ethan Brown commented on BOLT-1117 Re: Powershell task helper library The most useful thing that I can think of at the moment is around making a more formal structure / contract around the task output during failure / success. With a common idiom it makes it easier to plumb together tasks as plans. https://github.com/puppetlabs/puppetlabs-bootstrap/blob/master/tasks/windows.ps1#L213-L240 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-153) Copy files over SMB on Windows
Title: Message Title Ethan Brown assigned an issue to Ethan Brown Puppet Task Runner / BOLT-153 Copy files over SMB on Windows Change By: Ethan Brown Assignee: Ethan Brown Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-153) Copy files over SMB on Windows
Title: Message Title Ethan Brown updated an issue Puppet Task Runner / BOLT-153 Copy files over SMB on Windows Change By: Ethan Brown Sprint: Bolt Kanban Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-153) Copy files over SMB on Windows
Title: Message Title Ethan Brown updated an issue Puppet Task Runner / BOLT-153 Copy files over SMB on Windows Change By: Ethan Brown Team: Bolt Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9366) puppet apply mangle /etc/puppet/ssl files ownership and permission.
Title: Message Title Ethan Brown commented on PUP-9366 Re: puppet apply mangle /etc/puppet/ssl files ownership and permission. I think we're only mapping the PDB ssl directory, and we're not mounting it read only: https://github.com/puppetlabs/pupperware/blob/master/docker-compose.yml#L50 I don't believe we've run into any problems as a result. We're providing an agent container, but I don't think we're using things in the same capacity as what is being described here. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-6429) Provide a way to install SSL certs on Windows machines
Title: Message Title Ethan Brown commented on PUP-6429 Re: Provide a way to install SSL certs on Windows machines At this time, a fully supported module for this functionality is not on our radar. That said, the CertificateDsc resource at https://github.com/PowerShell/CertificateDsc can be used in conjunction with the fully supported dsc_lite module OR an older version of the xCertificate resource is vendored into the fully supported dsc module (details at https://github.com/puppetlabs/puppetlabs-dsc/blob/1.7.0/types.md) As a result, closing this. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9337) Puppet sets permissions for Puppet files every run
Title: Message Title Ethan Brown commented on PUP-9337 Re: Puppet sets permissions for Puppet files every run In the changelog for 6.0.2 to 6.0.3 at https://github.com/puppetlabs/puppet/compare/6.0.2...6.0.3 I see the change to SYSTEM perm handilng for PUP-9106 at https://github.com/puppetlabs/puppet/pull/7088 That seems like the most likely culprit based on current information and we should try to create a minimal repro locally with puppet apply /cc Glenn Sarti Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9312) puppet package provider fails when reading from registry
Title: Message Title Ethan Brown commented on PUP-9312 Re: puppet package provider fails when reading from registry Pushed up a different PR with a whitelist approach instead that just queries for values by name instead if you want to have a look. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9337) Puppet sets permissions for Puppet files every run
Title: Message Title Ethan Brown updated an issue Puppet / PUP-9337 Puppet sets permissions for Puppet files every run Change By: Ethan Brown Sprint: Windows Grooming Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9337) Puppet sets permissions for Puppet files every run
Title: Message Title Ethan Brown updated an issue Puppet / PUP-9337 Puppet sets permissions for Puppet files every run Change By: Ethan Brown Team: Windows Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PDB-4186) Redirect all output to stdout for pdb containers
Title: Message Title Ethan Brown commented on PDB-4186 Re: Redirect all output to stdout for pdb containers Comments left on PR... we believe this is already default Docker behavior. Did you run into a particular problem? Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-7601) Remove built-in LDAP Node Terminus
Title: Message Title Ethan Brown commented on PUP-7601 Re: Remove built-in LDAP Node Terminus The documentation for 6 was not properly updated to reflect this. If you open up the tree on the left in https://puppet.com/docs/puppet/6.0/puppet_index.html there is an "Extensions for assigning classes to nodes" with a "The LDAP node classifier" underneath that has a dead link to https://puppet.com/docs/puppet/6.0/nodes_ldap.html Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9238) pxp-agent's tests/task.run_puppet.rb test fails on Windows with PUP-9106 changes
Title: Message Title Ethan Brown commented on PUP-9238 Re: pxp-agent's tests/task.run_puppet.rb test fails on Windows with PUP-9106 changes This should have not been moved to complete as the PR was never merged at https://github.com/puppetlabs/puppet/pull/7167 Moving back to in-progress and putting it into the current sprint. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9238) pxp-agent's tests/task.run_puppet.rb test fails on Windows with PUP-9106 changes
Title: Message Title Ethan Brown assigned an issue to Glenn Sarti Puppet / PUP-9238 pxp-agent's tests/task.run_puppet.rb test fails on Windows with PUP-9106 changes Change By: Ethan Brown Assignee: Ethan Brown Glenn Sarti Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9238) pxp-agent's tests/task.run_puppet.rb test fails on Windows with PUP-9106 changes
Title: Message Title Ethan Brown updated an issue Puppet / PUP-9238 pxp-agent's tests/task.run_puppet.rb test fails on Windows with PUP-9106 changes Change By: Ethan Brown Sprint: Windows 2018-10-17, 2018-10-24 , Windows - 2018-10-31 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9150) cwd option in Puppet::Util::Execution.execute should work with different Windows path types
Title: Message Title Ethan Brown commented on PUP-9150 Re: cwd option in Puppet::Util::Execution.execute should work with different Windows path types I don't think it's our job to check whether or not a user has access to the directory in question. If something fails, we should bubble up an error. If we need to re-implement directory to understand reparse points, I think that we should be able to do this (requires testing): def directory?(path) path = symlink?(path) ? readlink(path) : path ::File.directory?(path) end Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
Jira (PUP-9068) Windows admin? check should consider group membership
Title: Message Title Ethan Brown commented on PUP-9068 Re: Windows admin? check should consider group membership https://github.com/puppetlabs/puppet/commits/abda86cec25e62e6a2fb80150294469e1031d3fa includes the merged commit Last known good build of puppet-agent on 5.5.x: Built at: 1 Oct 2018 22:09:08 PUPPET_AGENT_VERSION: 5.5.6.141.gdb6e53b PUPPET_AGENT_COMMIT: db6e53b11c698e42a163be82f3f603ea6d122668 PUPPET_AGENT_SHORT_COMMIT: db6e53b11 FACTER_COMMIT: 8dd59ecdfbbf9a0c24f3257c960fb95feb241c9c PUPPET_COMMIT: abda86cec25e62e6a2fb80150294469e1031d3fa HIERA_COMMIT: 715ae4039e4cc7d248ccd9a1cf74c65d8b7f6226 PXPAGENT_COMMIT: b23ec4b6b114e766ce183fd311be047cd4dcf735
Jira (PUP-9106) Windows file system ACLs should always write SYSTEM: (F)
Title: Message Title Ethan Brown commented on PUP-9106 Re: Windows file system ACLs should always write SYSTEM: (F) In the last example, the notification is incorrect. Notice: Compiled catalog for vagrant-2008r2.localdomain in environment production in 0.03 seconds Warning: An attempt to set mode 488 on item c:/windows/temp/puppet-system would result in the group, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control Notice: /Stage[main]/Main/File[c:/windows/temp/puppet-system/]/mode: mode changed '0770' to '0750' Notice: Applied catalog in 0.03 seconds We should discuss how we want to address that. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
Jira (FACT-1598) Add "core" fact for differentiating Windows Server versions
Title: Message Title Ethan Brown updated an issue Facter / FACT-1598 Add "core" fact for differentiating Windows Server versions Change By: Ethan Brown Summary: Add "core" fact for differentiating Windows Server versions Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9106) Windows file system ACLs should always write SYSTEM: (F)
Title: Message Title Ethan Brown updated an issue Puppet / PUP-9106 Windows file system ACLs should always write SYSTEM: (F) Change By: Ethan Brown Fix Version/s: PUP 6.0.0 Fix Version/s: PUP 6.0.1 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (BOLT-804) Bolt unable to connect to customer windows 2012 server over winrm
Title: Message Title Ethan Brown commented on BOLT-804 Re: Bolt unable to connect to customer windows 2012 server over winrm I would take a look at the diagnostic logs, which can be turned on following the directions at https://blogs.msdn.microsoft.com/wmi/2010/03/16/collecting-winrm-traces/ There's a good chance you'll get some useful info there. There's an article about using PowerShell to collect them at https://blogs.technet.microsoft.com/heyscriptingguy/2015/10/05/troubleshoot-winrm-with-powershellpart-1/ Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9068) Windows admin? check should consider group membership
Title: Message Title Ethan Brown commented on PUP-9068 Re: Windows admin? check should consider group membership There's a nice PowerShell module that does all the heavy lifting with privilege assignment at https://gallery.technet.microsoft.com/scriptcenter/Grant-Revoke-Query-user-26e259b0 Through the process of elimination, I was able to determine the single token privilege necessary to "trick" our code - namely SeImpersonatePrivilege # create the user net user testadmin Admin123 /add # grant the impersonation privilege Grant-UserRight -Account testadmin -Right SeImpersonatePrivilege # verify user rights - should return only the SeImpersonatePrivilege Get-UserRightsGrantedToAccount testadmin # use psexec to launch a cmd process and navigate to a directory with Puppet installed, for instance C:\source\puppetlabs-scheduled_task> # run ruby and show elevated is on bundle exec ruby -e "require 'puppet'; puts Puppet::Util::Windows::Process.elevated_security?" # true
Jira (FACT-1881) Windows operating system versions fact should include build numbers for Windows 10 / resolve correctly on Server 2019
Title: Message Title Ethan Brown created an issue Facter / FACT-1881 Windows operating system versions fact should include build numbers for Windows 10 / resolve correctly on Server 2019 Issue Type: Bug Affects Versions: FACT 3.11.4 Assignee: Unassigned Components: Windows Created: 2018/09/06 1:34 PM Fix Versions: FACT 3.11.z Labels: windows fact Priority: Normal Reporter: Ethan Brown Some assumptions were made in FACT-1492 about how Windows version numbers should resolve. Those assumptions are codified in https://github.com/puppetlabs/facter/blob/2ad48c341831ac261c9ef16e94f94e74735959c2/lib/src/facts/windows/operating_system_resolver.cc#L103-L104 The story around Windows versioning has changed a bit, such that there are many versions of Windows 10 with different build numbers. See https://en.wikipedia.org/wiki/Windows_10_version_history for the current history. Furthermore, Windows 2019 now exists and it appears that it will follow a similar format going forward. Facter should be updated to address these details.
Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators
Title: Message Title Ethan Brown commented on PUP-6729 Re: NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators A couple of additional related tickets have been filed to wrap up this effort: PUP-8985 - set manage_internal_file_permissions to false in the packaging so that Puppet doesn't try to manage (and undo) ACLs set by the installer PUP-9068 - make sure that the check for Administrators includes group membership in addition to tokens PUP-9106 - when writing the SYSTEM ACE to the DACL, never write anything other than F Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-6919) Puppet::Util::Windows::Process.execute should accept a working directory
Title: Message Title
Ethan Brown updated an issue
Puppet / PUP-6919
Puppet::Util::Windows::Process.execute should accept a working directory
Change By:
Ethan Brown
The Windows API supports setting a working directory when starting a process. However, Puppet does not currently allow setting this value programatically.The win32-process gem can pass {{cwd}} supplied through it's argument hash - see code at https://github.com/djberg96/win32-process/blob/win32-process-0.7.5/lib/win32/process.rb#L681Puppet currently uses {{Dir.chdir}} to set a working directory before creating a process - however, this might not always work properly on Windows. The {{cwd}} has {{File.directory?(dir)}} used to validate it, which could fail on UNC or other path types (like reparse points - i.e. symlinks) on Windows - meaning that {{Dir.chdir}} at https://github.com/puppetlabs/puppet/blob/master/lib/puppet/provider/exec.rb#L29 never gets called as expected.{{cwd}} should be passed in to {{Puppet::Util::Execution.execute}} at https://github.com/puppetlabs/puppet/blob/master/lib/puppet/provider/exec.rb#L59 / and the call to {{Process.create}} at https://github.com/puppetlabs/puppet/blob/master/lib/puppet/util/windows/process.rb#L12 should pass the {{arguments}} value through.
Add Comment
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
Jira (PUP-9106) Windows file system ACLs should always write SYSTEM: (F)
Title: Message Title Ethan Brown created an issue Puppet / PUP-9106 Windows file system ACLs should always write SYSTEM: (F) Issue Type: Bug Affects Versions: PUP 5.5.6 Assignee: Unassigned Components: Windows Created: 2018/09/05 10:42 AM Fix Versions: PUP 6.0.0 Labels: windows ntfs acl Priority: Normal Reporter: Ethan Brown When creating Windows ACLs when writing file permissions, the current code allows for the SYSTEM ACE to be written as something other than F (Full Control). This can be problematic as it can result in files that cannot have permissions reset, or that may be inaccessible to Puppet itself (which typically runs as SYSTEM). In practical terms, there is no good reason to set SYSTEM permissions to anything other than F and Puppet should disallow that. At one point the Puppet code was modified as part of https://projects.puppetlabs.com/issues/15559 (related to PUP-5480) in https://github.com/puppetlabs/puppet/commit/b578ed48ac9585edb86b296e99f8aeeecc02fb4e#diff-a788175040b15f1e899dae62e4c1b8c6 to re-add a missing SYSTEM if it wasn't already specified. We never took the additional step of making sure that SYSTEM can only be set to F, which in hindsight, seems like the right approach, given what is now known about permissions management and the work that was done as part of PA-2019 and PUP-5985. One thing to note is that this will technically be
Jira (PUP-9068) Windows admin? check should consider group membership
Title: Message Title Ethan Brown created an issue Puppet / PUP-9068 Windows admin? check should consider group membership Issue Type: Improvement Affects Versions: PUP 5.5.3 Assignee: Unassigned Components: Windows Created: 2018/08/15 10:28 AM Fix Versions: PUP 5.3.z, PUP 5.5.z Labels: windows ntfs security Priority: Normal Reporter: Ethan Brown In PA-2019, the installer was changed to lay down permissions differently so that ProgramData generally has Administrators: (F) and SYSTEM: (F) set recursively. It's possible to create an "administrative" user based on their token privileges, but without actually making them part of the Administrators group. The check inside Puppet at for elevated_security? at https://github.com/puppetlabs/puppet/blob/e7839794a1d7d393e6716927764c1276494123c2/lib/puppet/util/windows/process.rb#L183-L205 will then pass, despite the user not being in Administrators. If such a user is assigned to the Puppet service, then pandemonium ensues, given how permissions are set on ProgramData\PuppetLabs. The admin? check should be altered to ensure the user is part of Administrators or not. This determines where data can be written for that user.
Jira (PUP-8985) manage_internal_file_permissions should default to the new packaging default
Title: Message Title Ethan Brown commented on PUP-8985 Re: manage_internal_file_permissions should default to the new packaging default Has passed through the 5.5.x CI Last known good build of puppet-agent on 5.5.x: Built at: 29 Jul 2018 3:54:05 PUPPET_AGENT_VERSION: 5.5.4.51.g5954722 PUPPET_AGENT_COMMIT: 59547220f4d11cad3cd3766d6cbf3afa44b9cc90 PUPPET_AGENT_SHORT_COMMIT: 59547220f FACTER_COMMIT: fed0e27573339fc8919894c4014dc7a38c341c5c PUPPET_COMMIT: 39a17cf7e38d9d48bf42eab2ced135a3d8533325 HIERA_COMMIT: d465fc05462cbd666895b9b795dbb260934553a6 PXPAGENT_COMMIT: refs/tags/1.9.3 https://github.com/puppetlabs/puppet/commits/39a17cf7e38d9d48bf42eab2ced135a3d8533325 includes these commits in the 5.5.x branch
Jira (PUP-5491) The "client_data" Directory Permissions Incorrect After Installation
Title: Message Title Ethan Brown commented on PUP-5491 Re: The "client_data" Directory Permissions Incorrect After Installation Builds for testing, based on the PA-2112 work, can be found at http://builds.delivery.puppetlabs.net/puppet-agent/dd653d0fe7e1e5c1b683f8e7c187079fbd327b89/artifacts/windows/ - note that this build is a 1.10.x series build. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8985) manage_internal_file_permissions should default to the new packaging default
Title: Message Title Ethan Brown commented on PUP-8985 Re: manage_internal_file_permissions should default to the new packaging default Merged to 4.10.x in https://github.com/puppetlabs/puppet/commit/b184bad7cbf0c52cd58b447f68304f412aee843b Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-1688) When applying a mode of 0466 on Windows, a mode of 0666 is applied instead
Title: Message Title Ethan Brown commented on PUP-1688 Re: When applying a mode of 0466 on Windows, a mode of 0666 is applied instead The PR for https://tickets.puppetlabs.com/browse/PUP-8939 at https://github.com/puppetlabs/puppet/pull/6919 adds a number of additional mode round-trip tests. Agree that we're probably OK here. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8985) manage_internal_file_permissions should default to the new packaging default
Title: Message Title Ethan Brown assigned an issue to Glenn Sarti Puppet / PUP-8985 manage_internal_file_permissions should default to the new packaging default Change By: Ethan Brown Assignee: Ethan Brown Glenn Sarti Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-266) Allow puppet to manage owner & group file settings
Title: Message Title Ethan Brown commented on PUP-266 Re: Allow puppet to manage owner & group file settings Based on the work / discoveries in PUP-6729 (and file system perms changes that landed in PA-2019), we've decided that this is not going to be done. PA-2019 lays down permissions for C:\ProgramData\ as desired and implementing this (or PUP-6729) would cause Puppet runs to modify those permissions. To avoid any confusion that may result, it's easier to keep the desired installer permissions / inheritance structure and use the default Windows perms when new files are created. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
