Details
- Bug
- Status: Resolved
- Minor
- Resolution: Done
- Platform OS
- Platform OS Kanban
- Inspection
- Needs Assessment
Description
As a resolution to PUP-5480, the puppet_agent module will adjust the permissions on the client_datadir as part of a Windows upgrade. This adjustment is carried out using an exec resource that is guarded by an unless clause:
The unless attempts to pipe the output of icacls to findstr, but cmd.exe rejects the pipe as invalid syntax. Therefore the unless check always fails and the permissions adjustment is always executed.
Reproduction case
- Install PE 2018.1.5 and Bolt 1.x on a master node.
- Configure the master with Windows packages for PE 2018.1.4:
    # Fix a hard-coded PE version in the template used to generate install.ps1
    sed -i'' "s/current/<%= scope['pe_version'] %>/" /opt/puppetlabs/puppet/modules/pe_repo/templates/install.ps1.erb
    mkdir -p /opt/puppetlabs/server/data/packages/public/2018.1.4
    puppet apply -e 'pe_repo::windows { "windows-x86_64": arch => "x64", agent_version => "5.5.6", pe_version => "2018.1.4"}'
- Install the puppet_agent module:
    puppet module install puppetlabs-puppet_agent --version 1.7.0
- Install the 2018.1.4 agent on a node running Windows:
    # NOTE: Change to the hostname of your node
    win_node='winrm://Administrator@qcx05m12sifwqpy.delivery.puppetlabs.net'

    bolt command run --nodes "${win_node}" --no-ssl \
      "[Net.ServicePointManager]::ServerCertificateValidationCallback = {\$true}
       \$webClient = New-Object System.Net.WebClient
       \$webClient.DownloadFile('https://$(hostname -f):8140/packages/2018.1.4/install.ps1', \$env:temp + '/install.ps1')
       powershell -File (\$env:temp + '/install.ps1')" \
      --password

    puppet cert sign -a

    bolt command run --nodes "${win_node}" --no-ssl \
      "puppet agent --onetime --no-daemonize --verbose" \
      --password
- Apply the puppet_agent class to upgrade the agent node:
    puppet apply <<'EOF'
    pe_node_group { 'Agent Upgrade':
      parent => 'PE Agent',
      refresh_classes => true,
      pinned => puppetdb_query("inventory[certname] { ! facts.aio_agent_version = '${facts['aio_agent_version']}' }").map |$row| {
        $row['certname']
      },
      classes => {
        'puppet_agent' => {
          'package_version' => $facts['aio_agent_version'],
        }
      }
    }
    EOF
- Run the upgrade on the Windows node with the --debug flag to observe exec output:
    bolt command run --nodes "${win_node}" --no-ssl \
      "puppet agent --onetime --no-daemonize --debug" \
      --password
Outcome
The upgrade proceeds, but the unless check on "Exec[fix inheritable SYSTEM perms]" fails due to invalid syntax caused by the pipe joining icacls to findstr:
    # bolt command run --nodes "${win_node}" --no-ssl \
      "puppet agent --onetime --no-daemonize --debug" \
      --password
    Please enter your password:
    Started on qcx05m12sifwqpy.delivery.puppetlabs.net...
    Finished on qcx05m12sifwqpy.delivery.puppetlabs.net:
    STDOUT:
    ... trimmed for brevity ...

    Info: /Stage[main]/Puppet_agent::Windows::Install/File[C:\Users\ADMINI~1\AppData\Local\Temp\install_puppet.bat]: Filebucketed C:/Users/ADMINI~1/AppData/Local/Temp/install_puppet.bat to puppet with sum c7c22a4154e7eab5b7cd693222710dae
    Notice: /Stage[main]/Puppet_agent::Windows::Install/File[C:\Users\ADMINI~1\AppData\Local\Temp\install_puppet.bat]/content: content changed '{md5}c7c22a4154e7eab5b7cd693222710dae' to '{md5}7bb1ec5e89bdce9c3fb99aee0428fa04'
    Debug: /Stage[main]/Puppet_agent::Windows::Install/File[C:\Users\ADMINI~1\AppData\Local\Temp\install_puppet.bat]: The container Class[Puppet_agent::Windows::Install] will propagate my refresh event
    Debug: Exec[install_puppet.bat](provider=windows): Executing 'C:\Windows\system32\cmd.exe /c start /b C:\Windows\system32\cmd.exe /c "C:\Users\ADMINI~1\AppData\Local\Temp\install_puppet.bat" 3780'
    Debug: Executing: 'C:\Windows\system32\cmd.exe /c start /b C:\Windows\system32\cmd.exe /c "C:\Users\ADMINI~1\AppData\Local\Temp\install_puppet.bat" 3780'
    Notice: /Stage[main]/Puppet_agent::Windows::Install/Exec[install_puppet.bat]/returns: executed successfully
    Debug: /Stage[main]/Puppet_agent::Windows::Install/Exec[install_puppet.bat]: The container Class[Puppet_agent::Windows::Install] will propagate my refresh event
    Debug: Exec[fix inheritable SYSTEM perms](provider=windows): Executing check 'C:\Windows\system32\icacls.exe "C:/ProgramData/PuppetLabs/puppet/cache/client_data" | findstr "SYSTEM:(OI)(CI)(F)"'

    Debug: Executing: 'C:\Windows\system32\icacls.exe "C:/ProgramData/PuppetLabs/puppet/cache/client_data" | findstr "SYSTEM:(OI)(CI)(F)"'
    Debug: /Stage[main]/Puppet_agent::Windows::Install/Exec[fix inheritable SYSTEM perms]/unless: Invalid parameter "|"

    Debug: Exec[fix inheritable SYSTEM perms](provider=windows): Executing 'C:\Windows\system32\icacls.exe "C:/ProgramData/PuppetLabs/puppet/cache/client_data" /grant "SYSTEM:(OI)(CI)(F)"'
    Debug: Executing: 'C:\Windows\system32\icacls.exe "C:/ProgramData/PuppetLabs/puppet/cache/client_data" /grant "SYSTEM:(OI)(CI)(F)"'
    Notice: /Stage[main]/Puppet_agent::Windows::Install/Exec[fix inheritable SYSTEM perms]/returns: executed successfully
    Debug: /Stage[main]/Puppet_agent::Windows::Install/Exec[fix inheritable SYSTEM perms]: The container Class[Puppet_agent::Windows::Install] will propagate my refresh event
    Debug: Class[Puppet_agent::Windows::Install]: The container Stage[main] will propagate my refresh event
    Debug: Service[pxp-agent](provider=windows): Service pxp-agent is running
    Debug: Service[pxp-agent](provider=windows): Service pxp-agent start type is auto start
    Debug: /Stage[main]/Puppet_enterprise::Profile::Agent/File[C:\ProgramData/PuppetLabs/puppet/cache/state/package_inventory_enabled]: Nothing to manage: no ensure and the resource doesn't exist
    Debug: Finishing transaction 47669160
    Debug: Storing state
    Debug: Stored state in 0.02 seconds
    Notice: Applied catalog in 3.24 seconds
    Debug: Dynamically-bound server lookup failed, falling back to report_server setting
    Debug: Dynamically-bound port lookup failed; falling back to report_port setting
    Debug: Failed to load library 'msgpack' for feature 'msgpack': cannot load such file -- msgpack
    Debug: Puppet::Network::Format[msgpack]: feature msgpack is missing
    Debug: report supports formats: json pson yaml
    Debug: Failed to load library 'msgpack' for feature 'msgpack': cannot load such file -- msgpack
    Debug: Puppet::Network::Format[msgpack]: feature msgpack is missing
    Debug: report supports formats: json pson yaml
    Debug: Failed to load library 'msgpack' for feature 'msgpack': cannot load such file -- msgpack
    Debug: Puppet::Network::Format[msgpack]: feature msgpack is missing
    Debug: report supports formats: json pson yaml
    Debug: Using cached connection for https://tm5ohr4ojs7iqan.delivery.puppetlabs.net:8140
    Debug: Caching connection for https://tm5ohr4ojs7iqan.delivery.puppetlabs.net:8140
    Debug: Closing connection for https://tm5ohr4ojs7iqan.delivery.puppetlabs.net:8140
    Successful on 1 node: winrm://Administrator@qcx05m12sifwqpy.delivery.puppetlabs.net
    Ran on 1 node in 20.84 seconds
Expected outcome
The unless check for "Exec[fix inheritable SYSTEM perms]" uses valid CMD syntax.
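One way to write the guard so the pipe is interpreted, as an added example that is not the puppet_agent module's own code: Puppet's windows exec provider starts the command directly rather than through a shell, so shell features such as a pipe need an explicit `cmd.exe /c`. The paths and the ACE string are copied from the debug output above; the variable names and the `findstr` switches are assumptions of this example.

```puppet
# Added example; not the puppet_agent module's code.
# Paths and the ACE string are copied from the debug output on this page;
# the variable names are assumptions made for this example.
$system32       = 'C:\Windows\system32'
$client_datadir = 'C:/ProgramData/PuppetLabs/puppet/cache/client_data'
$system_ace     = 'SYSTEM:(OI)(CI)(F)'

# Guard as it appears in the debug output. With no shell involved, "|" and
# everything after it reach icacls.exe as arguments, the check exits non-zero,
# and the grant below runs on every agent run:
#
#   unless => "${system32}\\icacls.exe \"${client_datadir}\" | findstr \"${system_ace}\"",

exec { 'fix inheritable SYSTEM perms':
  command => "${system32}\\icacls.exe \"${client_datadir}\" /grant \"${system_ace}\"",
  # cmd.exe /c parses the pipeline. findstr exits 0 when the ACE is present,
  # which satisfies the guard and skips the grant. /L and /C: make findstr
  # match the string literally instead of as a regular expression.
  unless  => "${system32}\\cmd.exe /c ${system32}\\icacls.exe \"${client_datadir}\" | ${system32}\\findstr.exe /L /C:\"${system_ace}\"",
}
```

With a working guard, a later run that reports "executed successfully" for this resource means the SYSTEM ACE was actually missing, so the event can be treated as real permission drift.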
Issue Links
- relates to
  - PUP-5480 Puppet does not apply inheritable SYSTEM permissions to directories it manages on Windows under certain circumstances (Closed)
  - PUP-9337 Puppet sets permissions for Puppet files every run (Closed)