I can't believe how difficult puppet is being with Windows - particularly windows permissions! I have a very simple pp file that I'm trying to execute:
case $operatingsystem {
...
'Windows': {
file { 'c:/puppet/':
ensure => directory,
owner => 'myUser',
group => 'Administrators',
mode => '0777',
}
}
}
This seems as simple as it could get - create a directory called "c:\puppet" and let everyone have access - IT'S NOT WORKING! It creates a directory, but nobody has ANY permissions (except special permissions). I am in the administrators group, so I can delete it and access it, but I want to drop stuff inside and be able to install from there (since apparently an "http" source doesn't work directly on Windows ...).
Is ANYONE else using puppet for Windows, or am I just using the wrong tool for this job? I am getting very frustrated, and the documentation seems reasonable, but without simple examples of how I'm trying to use puppet I'm getting completely stuck.
have you checked out
https://forge.puppetlabs.com/puppetlabs/acl
from their docs you can do something like..
acl { 'c:/puppet':
permissions => [
{ identity => 'Administrator', rights => ['full'] },
{ identity => 'myuser', rights => ['read','execute'] }
owner => 'myuser',
],
}
I've come up with a solution that seems to be systems administration by blunt force trauma:
exec { 'fix_acls':
command => 'cmd.exe /c "takeown /r /f c:\puppet && icacls c:\puppet /grant SYSTEM:(OI)(CI)F myUser:(OI)(CI)F /T"',
path => $::path,
}
This gives myUser and SYSTEM access, I could also do this with USERS in general I think, but it seems there must be a better way.
Related
Sometimes when I deploy a Laravel project to AWS Elastic Beanstalk I'm faced with an annoying error saying that the log file cannot be opened:
The stream or file "/var/app/current/storage/logs/laravel-2020-10-21.log" could not be opened: failed to open stream: Permission denied
In my eb deploy.config file I have a statement which, in theory, should fix things, but doesn't:
files:
"/opt/elasticbeanstalk/hooks/appdeploy/post/99_make_storage_writable.sh":
mode: "000755"
owner: root
group: root
content: |
#!/usr/bin/env bash
echo "Making /storage writeable..."
chmod -R 755 /var/app/current/storage
if [ ! -f /var/app/current/storage/logs/laravel.log ]; then
echo "Creating /storage/logs/laravel.log..."
touch /var/app/current/storage/logs/laravel.log
chown webapp:webapp /var/app/current/storage/logs/laravel.log
fi
This is because it's not referencing the daily log file.
I have an .ebignore file in place which explicitly prevents local logs from being deployed, so it isn't the presence of an existing log file that's causing problems:
/storage/logs/*
The issue is that Laravel is creating the daily log as root so it cannot be written to by the normal user (webapp).
I just don't know why it's doing it?
The solution is to allow each process to create its own log file. That way each process will have the correct permissions to write to it.
You can do this in the config/logging.php file and adding the process name (php_sapi_name()) to the file name:
'daily' => [
'driver' => 'daily',
'path' => storage_path('logs/' . php_sapi_name() . '-laravel.log'),
'level' => 'debug',
'days' => 14,
],
Now each process will be able to write to its own file and there will be no permission problems.
Important Note: The above example uses "Daily", but make sure you make the change to right logging channel for you.
Try to set storage folder permissions to this
chmod -R gu+w storage/
chmod -R guo+w storage/
If anyone else stumbles upon this one, and can't solve it despite all the great solutions, one other thing that causes the original problem "could not be opened: failed to open stream: Permission denied" is that it seems like the log file is being written by the root user, not the ec2-user or webapp, which means no matter how much the right chmod or chown is done, we can't touch the file.
So the workaround to that is to make sure the log file is saved with the user id and then it will be different files.
Add ".get_current_user()." to the storage_path
config/logging.php
'single' => [
'driver' => 'single',
'path' => storage_path('logs/'.get_current_user().'laravel.log'),
'level' => env('LOG_LEVEL', 'debug'),
],
'daily' => [
'driver' => 'daily',
'path' => storage_path('logs/'.get_current_user().'laravel.log'),
'level' => env('LOG_LEVEL', 'debug'),
'days' => 14,
],
Further though, one can discuss why log files are stored on a Beanstalk instance as it will anyway be overwritten the next time, so I would advice Horizon, S3 storage or whatever else, but that's a different topic. I guess you just want to solve the issue. I spent like a week until I found out the root user wrote the file first...
You can check who owns the file if you can SSH in to the Beanstalk instance "eb ssh". Then go to the folder var/app/current/storage/logs then write "ls -la" (which will list permissions). Then you can see that the root user has written the file once first and then has rights to it. I tried to change predeploy and postdeploy settings but didn't work. Writing it as a separate file name worked fine.
Currently, I'm Setting up a custom button in Cloudforms to allow for the removal of a drive from a Virtual Machine that has been provisioned using Cloudforms(hooked into ansible)
I've been looking at this a little while and after some digging discovered the following https://github.com/ManageIQ/manageiq-automation_engine/blob/master/lib/miq_automation_engine/service_models/miq_ae_service_manageiq-providers-vmware-infra_manager-vm.rb
More specifically:
def remove_disk(disk_name, options = {})
sync_or_async_ems_operation(options[:sync], "remove_disk", [disk_name, options])
end
I've assumed two things, that this would probably take the vmdk name and would work the same as "add_disk" (vm.add_disk("[#{vm.storage_name}]", size * 1024, :sync => true)).
I AM AWARE that you can edit disks using the built-in functionality of CLoudforms via the provided configuration button, however, due to customer requirements we needed to edit the HAML files to remove some functionality. Redoing the HAML on every update of CloudForms is rather counterproductive. Creating our own custom dialogs provides us with the customization we needed.
# Get vm object
vm = $evm.root['vm']
raise "Missing $evm.root['vm'] object" unless vm
def log(level, message)
#method = 'Remove_Disk'
$evm.log(level, "#{#method} - #{message}")
end
$evm.create_notification(:audience => 'user', :level => :success, :message => "Lifecycle action 'Remove Disk' Initiated")
log(:info, "Started LCA to remove disk on vm: <#{vm}>")
# Remove disk from the VM
disk_choice = $evm.root['dialog_availabledisks'].to_i
if disk_choice.zero?
disk_name = "#{vm}"
$evm.create_notification(:audience => 'user', :level => :failure, :message => "Lifecycle action 'Remove Disk' Failed, OS Drive cannot be removed.")
log(:error, "C: Drive cannot be deleted")
exit MIQ_ABORT
else
disk_name = "#{vm}_#{disk_choice}"
end
log(:info, "Removing disk:<#{disk_name}> from #{vm}")
begin
vm.remove_disk(disk_name, :sync => true)
rescue => e
log(:error, "e: #{e}")
log(:error, "e.inspect: #{e.inspect}")
log(:error,"[#{e}]\n#{e.backtrace.join("\n")}")
log(:error, "e.message: #{e.message}")
end
exit MIQ_OK
My code runs through without any errors, however, does not actually do anything, the disk selected is not removed from the VM. Fairly sure I am just missing something obvious(Or my assumptions are incorrect), any ideas?
Hello I Have Successfully Remove Disk from VM in Cloudforms with Your Code
But There is one minor thing I have changed
you are using disk_name = "#{vm}_#{disk_choice}" as a disk name in order to delete Disk. But This is not like that.
You have to mention Datastore for that disk in disk_name then it will be work fine
you can try with following code
disk_name = "[your_datastore_name] #{vm}/#{vm}_#{disk_choice}.vmdk"
This works fine with me..!!
One more thing you can consider i.e Delete Backing
Delete Backing => OFF [Default] It will Just Detach your Disk from VM but not completely removed
so you have to turn on your Delete Backing so that it can completely remove disk from storage Domain as well
Delete Backing => ON
you can explore here
Thank you..!!
I have found an answer to this question for systems that are attached to an AD domain controller. However, this question is for standalone systems where there is no possibility of attaching to a domain controller. Essentially, air-gapped systems.
Short and sweet: Is there a way to list the last time each user changed their Windows password for a non-domain, air-gapped system (either Windows 7 or 10) all at once either as a batch file or PowerShell script?
I know that net user {username} | find /I "Password last set" will do it for them one at a time. However, that would be tedious to run multiple times per machine and we have over 60 systems of this type. So I'm looking for a way to do this in one fell swoop, if possible.
As a caveat, we don't have the option of installing the activedirectory module in PowerShell for this. Also, since the majority of the systems are Windows 7, we don't have access to the Bash command line tools that would be available in Windows 10.
Any and all help with regard to this is appreciated.
Here's one way using the ADSI WinNT provider:
$computerName = [Net.Dns]::GetHostName() # i.e., local computer
$computer = [ADSI] "WinNT://$computerName,Computer"
$childObjects = $computer.Children
foreach ( $childObject in $childObjects ) {
if ( $childObject.Class -eq "User" ) {
if ( $childObject.PasswordAge[0] -gt 0 ) {
$pwdLastSet = (Get-Date).AddSeconds(-$childObject.PasswordAge[0])
}
else {
$pwdLastSet = $null
}
$childObject | Select-Object `
#{Name="AdsPath"; Expression={$_.AdsPath}},
#{Name="PasswordLastSet"; Expression={$pwdLastSet}}
}
}
I am trying to use Vagrant to create an Ubuntu VM. My host is Windows7 and my basebox is precise64.
If I do the recommended way of adding a user in Puppet like this:
user { "johnboy":
ensure => present,
managehome => true,
password => '$6$ev8faya2$M2pB3YQRpKUJMnJx6LnsyTbDdi.umsEEZttD01pk8ZSfMGrVmlnjoVhIHyuqYt3.yaG1SZjaoSxB39nNgFKb//',
groups => ["admin"],
shell => "/bin/bash";
}
I log in after vagrant has provisioned my box and the hash is not in /etc/passwd.
If I don't set it with the resource type but use exec and usermod like this
user { "johnboy":
ensure => present,
managehome => true,
groups => ["admin"],
shell => "/bin/bash";
}
exec { 'set password':
command => "usermod -p '$6$ev8faya2$M2pB3YQRpKUJMnJx6LnsyTbDdi.umsEEZttD01pk8ZSfMGrVmlnjoVhIHyuqYt3.yaG1SZjaoSxB39nNgFKb//' johnboy",
require => User[johnboy];
}
I end up with only part of the hash in /etc/passwd
johnboy:.umsEEZttD01pk8ZSfMGrVmlnjoVhIHyuqYt3.yaG1SZjaoSxB39nNgFKb//:16101:0:99999:7:::
Some pages suggest installing ruby-shadow so I tried this:
gem install ruby-shadow
However, the install failed, probably because I don't have Ruby installed. Vagrant was a 100 MB download. Is the gem for managing passwords really not included with that?
How do I get Vagrant/Puppet to provision the password correctly?
That's because it's stored inside the /etc/shadow file. This is for security reasons as it is only accessible by the root/super user.
Escape the dollar signs in the hash like this and it should work.
exec { 'set password':
command => "usermod -p '\$6\$ev8faya2\$M2pB3YQRpKUJMnJx6LnsyTbDdi.umsEEZttD01pk8ZSfMGrVmlnjoVhIHyuqYt3.yaG1SZjaoSxB39nNgFKb//' johnboy",
require => User[johnboy];
}
I am trying to execute cmds on a remote CPU through telnet. While some commands sent (through Ruby's stdlib for telnet) are successful, others are giving me a weird response:
*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\Documents and Settings\UserJW>ls
Desktop
Favorites
My Documents
Start Menu
Sti_Trace.log
C:\Documents and Settings\UserJW>cd\
More?
Why is telnet giving me this "More?" response, as if expecting something?
In the code, I am simply connecting to remote CPU, logging in, and sending commands:
#connection = Net::Telnet.new(...)
#connection.login( user, pwd )
#connection.cmd(...)
Any help would be appreciated.
Thanks,
J
**EDIT:
#connection = Net::Telnet.new(
"Host" => machine,
"Prompt" => /[A-Za-z]:\\.*>\z/n,
"Timeout" => 3,
"Output_log" => output )
#connection.login( user, pwd )
#connection.cmd( 'ls' )
#connection.cmd( 'ls' )
output...
C:\Documents and Settings\UserJW>
ls
Desktop
Favorites
My Documents
Start Menu
Sti_Trace.log
C:\Documents and Settings\UserJW>
ls
More?
I can't even send more than one command, apparently. Is my Prompt regex wrong? I'm trying to allow..
C:[anything...]>
I meet a same problem with you ( ruby telnet to windows 2008 ,execute command error ).I solved it. the reason is ruby net/telnet library use error newline seperator. Must be EOL(CR+LF) but CR+NULL . But I don't know who make the bug,windows or ruby? I write a monkey patch as below:
class Net::Telnet
def print(string)
string = string.gsub(/#{IAC}/no, IAC + IAC) if #options["Telnetmode"]
if #options["Binmode"]
self.write(string)
else
if #telnet_option["BINARY"] and #telnet_option["SGA"]
self.write(string.gsub(/\n/n, CR))
elsif #telnet_option["SGA"]
self.write(string.gsub(/\n/n, EOL)) ### fix here. reaplce CR+NULL bY EOL
else
self.write(string.gsub(/\n/n, EOL))
end
end
end
end