Error executing action `create` on resource 'directory[C:/topdir/subdir]' - windows

I'm getting permissions errors with the create action on Windows servers.
Initially I was doing this in one recipe:

    directory "C:/topdir" do
      rights :full_control, 'Users'
      action :create
    end

    directory "C:/topdir/subdir" do
      action :create
      recursive true
    end

If I run this in test kitchen or even log in to a bootstrapped server and run chef-client, it completes with no errors.
But I see these errors on Chef server when it runs automatically:
Description: Error executing action `create` on resource 'directory[C:/topdir/subdir]'
Chef::Exceptions::InsufficientPermissions
Cannot create directory[C:/topdir/subdir] at C:/topdir/subdir due to insufficient permissions
It seems I "fixed" this by replacing rights :full_control, 'Users' with rights :full_control, 'Everyone', but I don't want that and it doesn't make sense to me why that would be necessary.
Why is this happening?
Also, how can I test this if the errors only happen during automated chef runs? I can only see errors in chef server reporting. How can I see what user this is even running in? I assumed local system but I guess not? It works running chef-client locally from an elevated prompt, so why would it not work when running on schedule?

My knowledge of Windows is limited, but in general I think services get run as a dedicated SYSTEM user, which is not part of the Users group.

Related

Disable abrtd for executables stored in project directory

I have the following problem with the abrt daemon:
For a tuning application I am executing the same program over and over again. A lot of the times the program I am executing fails. That is no problem and actually expected, but after thousands of fails abrtd runs at 100% CPU usage.
Because I don't need the error reporting from abrt I would like to configure it to ignore all crashes that happen from executables stored in my project directory. I found the BlackListedPaths configuration keyword, but I can not access the configuration file under /etc because I do not have admin privileges.
Is there a way to configure abrtd as described above without admin rights?
Many thanks in advance!
I was able to disable the abrt error reporting without admin rights by creating a file under ~/.config/abrt/abrt.conf with BlackListedPaths = /path/to/project/ as its content.

Chef: login / logon user after script runs

I've got a chef deployment script that works well. To start the script off, all users are logged off, the application is installed and then the system is rebooted with

    reboot "app_requires_reboot" do
      action :request_reboot
      reason "Need to reboot when the run completes successfully."
      delay_mins 0
    end

Instead of rebooting I want to have the script log on the user instead.
I can't seem to find the command to make this work.
Any ideas?

problems when install postgresql on windows server 2008

I'm trying to install PostgreSQL 9.0.1 on Windows Server 2008, but every time I get this error message:
"Problem running post-install step. Installation may not complete correctly. Failed to start the database server"
In the installation log, it is due to a failure in initdb.exe; the error is:
"The program postgres is needed by initdb, but was not found in the same directory as D:\PostgreSQL\9.0\bin\initdb.exe, Check your installation."
I searched for this error on the internet and tried the solution on the page "Installing PostgreSQL on Windows Server 2008", but it did not help.
After reading the code of initdb, I know it is caused by the Windows API CreateProcess in the function pipe_read_line. The call to CreateProcess returned -5 (access denied). It is because initdb was executed in a subprocess invoked in the function CreateRestrictedProcess.
I know it is due to privilege settings. I ran gpedit.msc to add the Users group (even Everyone) to almost every privilege policy, but the error was still there.
I also assigned full control rights on the install target folder to Everyone, but that did not help!
I also tried PostgreSQL 9.6.2; the error was still there :-)
From the code, I know that if the environment variable PG_RESTRICT_EXEC is set to 1, initdb will not be executed in a restricted process. So before running initdb.exe, I set the environment variable PG_RESTRICT_EXEC=1 in a command prompt, then ran initdb.exe. This time the error was gone!!
So I wonder how to change the OS settings to allow the installation to run without error!

chef-shell insufficient permissions

I tried to create a directory in chef using this simple block of code:

    ...
    directory "/opt/myfolder" do
      owner "abc"
      group "abc"
      mode "0755"
      action :create
    end
    ...

When I execute this using "chef-client" it works. But when I execute this in chef-shell (running in client mode), I get this error:
================================================================================
Error executing action `create` on resource 'directory[/opt/myfolder/]'
================================================================================
Chef::Exceptions::InsufficientPermissions
-----------------------------------------
Cannot create directory[/opt/myfolder/] at /opt/myfolder/ due to insufficient permissions
I am using chef-shell to debug my recipes.
In chef-shell I am using node.run_chef to start a client run.
Are you running chef-shell with sudo or as root? If not, you need to.
It would be interesting to know the output of `whoami` when run in chef-shell. That would tell you what user it thinks it is running as. You could add that to the recipe and see what the output is when running as chef-client. I'd guess that chef-client is running as root.
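
The check suggested in the answers above (which account is the run using, and can that account create the directory), as an added example that is not part of the original posts. It is plain Ruby with hypothetical helper names; run it once from the interactive prompt and once from the scheduled or service context and compare the two reports.

```ruby
require 'open3'
require 'securerandom'

# Walk up from `path` to the closest directory that already exists. That is
# the directory the account must be able to write to in order to create `path`.
def nearest_existing_dir(path)
  dir = File.expand_path(path)
  dir = File.dirname(dir) until File.directory?(dir) || dir == File.dirname(dir)
  dir
end

# Ask the OS which account this process runs as. `whoami` exists on both
# Windows and Linux; fall back to environment variables if it cannot be run.
def current_identity
  out, status = Open3.capture2('whoami')
  return out.strip if status.success? && !out.strip.empty?
  ENV['USERNAME'] || ENV['USER'] || 'unknown'
rescue SystemCallError
  ENV['USERNAME'] || ENV['USER'] || 'unknown'
end

# Probe by actually creating and removing a uniquely named directory, so the
# answer reflects the effective ACLs or mode bits for this process.
def can_create_under?(dir)
  probe = File.join(dir, ".perm-probe-#{SecureRandom.hex(4)}")
  Dir.mkdir(probe)
  Dir.rmdir(probe)
  true
rescue SystemCallError
  false
end

# Summary to log from each run context (interactive, scheduled task, service).
def permission_report(target)
  parent = nearest_existing_dir(target)
  { identity: current_identity, target: target,
    parent: parent, can_create: can_create_under?(parent) }
end

if __FILE__ == $PROGRAM_NAME
  # Default target is the path from the first question on this page.
  puts permission_report(ARGV.fetch(0, 'C:/topdir/subdir'))
end
```
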

Hudson as service on Windows - file system permissions

For some months we've run Hudson on a Windows XP "server" under a user account. This means someone manually logs in and starts Hudson via a .bat file (that sets up a few environment variables, then runs java -jar hudson.war)
However a few recent power cuts have resulted in the requirement to have Hudson start automatically at the time the server boots up. So I've turned to looking at Hudson running as a Windows Service. This would allow Hudson to start automatically with Windows, and would not require a specific user account.
I've managed to install it as a service, and I've changed hudson.xml so that the batch file is run rather than java directly. I do this because we build with git on Cygwin and SHELLOPTS=igncr must be set before bash starts java/Hudson.
The service seems to start properly, and the web interface is present and functional. However, it appears that the user that Hudson is now running under is unable to write/modify existing jobs in C:\hudson:
FATAL: Could not checkout 4a121704f178123c36f6ab4e861b3c771953b187
hudson.plugins.git.GitException: Could not checkout 4a121704f178123c36f6ab4e861b3c771953b187
at hudson.plugins.git.GitAPI.checkout(GitAPI.java:382)
at hudson.plugins.git.GitSCM$4.invoke(GitSCM.java:529)
at hudson.plugins.git.GitSCM$4.invoke(GitSCM.java:521)
at hudson.FilePath.act(FilePath.java:676)
at hudson.FilePath.act(FilePath.java:660)
at hudson.plugins.git.GitSCM.checkout(GitSCM.java:521)
at hudson.model.AbstractProject.checkout(AbstractProject.java:833)
at hudson.model.AbstractBuild$AbstractRunner.checkout(AbstractBuild.java:314)
at hudson.model.AbstractBuild$AbstractRunner.run(AbstractBuild.java:266)
at hudson.model.Run.run(Run.java:948)
at hudson.model.Build.run(Build.java:112)
at hudson.model.ResourceController.execute(ResourceController.java:93)
at hudson.model.Executor.run(Executor.java:118)
Caused by: hudson.plugins.git.GitException: Error performing c:\cygwin\bin\git.exe checkout -f 4a121704f178123c36f6ab4e861b3c771953b187
at hudson.plugins.git.GitAPI.launchCommandIn(GitAPI.java:302)
at hudson.plugins.git.GitAPI.launchCommand(GitAPI.java:276)
at hudson.plugins.git.GitAPI.checkout(GitAPI.java:380)
... 12 more
Caused by: hudson.plugins.git.GitException: Command returned status code 1: error: git checkout-index: unable to create file .gitignore (Permission denied)
error: git checkout-index: unable to create file .gitmodules (Permission denied)
error: git checkout-index: unable to create file Makefile (Permission denied)
I'm not really a Windows sort of person, but I thought perhaps if I added "Full Access" Security permissions to C:\hudson for the user "LOCAL_SERVICE" then that might fix it. Alas, it did not. I also tried full permissions for the user "Everyone" but that also did not solve the problem.
What am I missing here? Is there any way to allow a process running as a Service unfettered access to a subdirectory on a local disk?
How about you change the user that the service is running as? Create a new "technical" user account whose password nobody knows (except an envelope in your safe) and make this user the owner of all your Hudson job folders. This also has the advantage that you can take permissions away from Hudson. This way a Hudson job cannot act as an admin on your Windows machine.
The advantage of a service compared to a scheduled job is that it restarts when it crashes.
Instead of running it as a service, maybe you should use Task Scheduler to set the process to run at logon, then have the user account auto-login. This is probably going to be much less hassle than dealing with service permissions, especially if you have to communicate with other machines.
