Puppet Enterprise runonce fails but regularly scheduled agent run succeeds
45 views
Skip to first unread message
Paul Chernoch
Aug 29, 2014, 5:03:55 PM8/29/14
to puppet...@googlegroups.com
The node is a Windows 2008R2 box.
I am attempting to fetch files from Team Foundation Server using an exec resource and the command line program TF.EXE.
When I process the catalog using the regularly scheduled puppet run, it completes successfully.
When I use "Live Management" > "Control Puppet" > "runonce" I get errors. I do not fill in any parameters in the dialog.
In the puppet log, I see this message repeated for each file I try to fetch:
This seems to indicate that TF.EXE authentication prevented the operation.
My initial runs relied upon the currently-logged-in-user's credentials. We gave proper rights to the user account assigned to puppet and this used to work before some recent changes.
I decided to hardcode my personal user name and password to see if that would work.
It continues to work for the regularly scheduled agent run, and continues to fail for the "runonce" run.
Here is an example of a command that my EXEC resource is trying to execute:
The exec resource of course sets the current directory to be the location of TF.EXE and its DLLs.
Here is the flavor of the exec resource:
exec { "tf view ${filename} /version:${versionspec}":
command => $tfview_cmd,
path => $exec_path,
cwd => $tf_dir_unix,
onlyif => $tfhistory_cmd,
require => Class['tfview::tfcomponents']
}
The onlyif command invokes a ruby script that itself calls TF.EXE HISTORY to see if the file has changed in TFS and needs to be checked out again. That script is coded so that if an exception is thrown by TF.EXE, it will return zero, and indicate that TF VIEW must be called to fetch a new copy of the file.
Any ideas?
Paul Chernoch
Lead Software Engineer
EF Education First
Cambridge, MA
I am attempting to fetch files from Team Foundation Server using an exec resource and the command line program TF.EXE.
When I process the catalog using the regularly scheduled puppet run, it completes successfully.
When I use "Live Management" > "Control Puppet" > "runonce" I get errors. I do not fill in any parameters in the dialog.
In the puppet log, I see this message repeated for each file I try to fetch:
TF30063: You are not authorized to access http://<OUR-WEBSITE-NAME>.com:8080/tfs/<OUR-COLLECTION-NAME>.
This seems to indicate that TF.EXE authentication prevented the operation.
My initial runs relied upon the currently-logged-in-user's credentials. We gave proper rights to the user account assigned to puppet and this used to work before some recent changes.
I decided to hardcode my personal user name and password to see if that would work.
It continues to work for the regularly scheduled agent run, and continues to fail for the "runonce" run.
Here is an example of a command that my EXEC resource is trying to execute:
TF.exe view
/collection:http://<OUR-TFS-HOST>.com:8080/tfs/PhoenixCollection
/output:c:\phx_deployer\staging\phoenix\2.60.1.87\PaymentPlan.Services.Web.zip
$\ReleasePackages\PhoenixReleasePackages\PaymentPlan.Services.Web.zip
/login:<MY-USERNAME>,<MY-PASSWORD> /version:L2.60.1.87The exec resource of course sets the current directory to be the location of TF.EXE and its DLLs.
Here is the flavor of the exec resource:
exec { "tf view ${filename} /version:${versionspec}":
command => $tfview_cmd,
path => $exec_path,
cwd => $tf_dir_unix,
onlyif => $tfhistory_cmd,
require => Class['tfview::tfcomponents']
}
The onlyif command invokes a ruby script that itself calls TF.EXE HISTORY to see if the file has changed in TFS and needs to be checked out again. That script is coded so that if an exception is thrown by TF.EXE, it will return zero, and indicate that TF VIEW must be called to fetch a new copy of the file.
Any ideas?
Paul Chernoch
Lead Software Engineer
EF Education First
Cambridge, MA
Rob Reynolds
Sep 2, 2014, 2:55:58 PM9/2/14
to puppet...@googlegroups.com
On Fri, Aug 29, 2014 at 4:03 PM, Paul Chernoch <pache...@gmail.com> wrote:
The node is a Windows 2008R2 box.
I am attempting to fetch files from Team Foundation Server using an exec resource and the command line program TF.EXE.
When I process the catalog using the regularly scheduled puppet run, it completes successfully.
When I use "Live Management" > "Control Puppet" > "runonce" I get errors. I do not fill in any parameters in the dialog.
In the puppet log, I see this message repeated for each file I try to fetch:
TF30063: You are not authorized to access http://<OUR-WEBSITE-NAME>.com:8080/tfs/<OUR-COLLECTION-NAME>.
This seems to indicate that TF.EXE authentication prevented the operation.
My initial runs relied upon the currently-logged-in-user's credentials. We gave proper rights to the user account assigned to puppet and this used to work before some recent changes.
I decided to hardcode my personal user name and password to see if that would work.
It continues to work for the regularly scheduled agent run, and continues to fail for the "runonce" run.
Run once user is likely determined by the MCO service user and not the Puppet Agent service user. Please ensure you also add that user to the authorized list.
Here is an example of a command that my EXEC resource is trying to execute:TF.exe view /collection:http://<OUR-TFS-HOST>.com:8080/tfs/PhoenixCollection /output:c:\phx_deployer\staging\phoenix\2.60.1.87\PaymentPlan.Services.Web.zip $\ReleasePackages\PhoenixReleasePackages\PaymentPlan.Services.Web.zip /login:<MY-USERNAME>,<MY-PASSWORD> /version:L2.60.1.87
The exec resource of course sets the current directory to be the location of TF.EXE and its DLLs.
Here is the flavor of the exec resource:
exec { "tf view ${filename} /version:${versionspec}":
command => $tfview_cmd,
path => $exec_path,
cwd => $tf_dir_unix,
onlyif => $tfhistory_cmd,
require => Class['tfview::tfcomponents']
}
The onlyif command invokes a ruby script that itself calls TF.EXE HISTORY to see if the file has changed in TFS and needs to be checked out again. That script is coded so that if an exception is thrown by TF.EXE, it will return zero, and indicate that TF VIEW must be called to fetch a new copy of the file.
Any ideas?
Paul Chernoch
Lead Software Engineer
EF Education First
Cambridge, MA
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/93762f3f-53cd-4431-928d-5c281418af9f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Rob Reynolds
Developer, Puppet Labs
Register by September 8th to take advantage of the Final Countdown —save $149!
Paul Chernoch
Sep 3, 2014, 9:15:55 AM9/3/14
to puppet...@googlegroups.com
Thank you! I did not know there was a separate MCO user! I will see what happens when I change it. My further investigation does show that the problem is due to which user account is running RUBY.EXE on the agent, so this is likely the answer.
Paul
Paul
Reply all
Reply to author
Forward
0 new messages