MODULES-8406

puppet_agent: windows fix inheritable SYSTEM perms exec has a broken unless check


Details

    • Bug
    • Status: Resolved
    • Minor
    • Resolution: Done
    • puppet_agent
    • Needs Assessment

    Description

      As a resolution to PUP-5480, the puppet_agent module will adjust the permissions on the client_datadir as part of a Windows upgrade. This adjustment is carried out using an exec resource that is guarded by an unless clause:

      https://github.com/puppetlabs/puppetlabs-puppet_agent/blob/1.7.0/manifests/windows/install.pp#L74-L79

      The unless check attempts to pipe the output of icacls to findstr, but cmd.exe rejects the pipe as invalid syntax (Invalid parameter "|"). The check therefore always fails, so the permissions adjustment is executed on every run rather than only when the SYSTEM ACE is missing.

      Reproduction case

      • Install PE 2018.1.5 and Bolt 1.x on a master node.
      • Configure the master with Windows packages for PE 2018.1.4:

      # Fix a hard-coded PE version in the template used to generate install.ps1
      sed -i'' "s/current/<%= scope['pe_version'] %>/" /opt/puppetlabs/puppet/modules/pe_repo/templates/install.ps1.erb
      mkdir -p /opt/puppetlabs/server/data/packages/public/2018.1.4
       
      puppet apply -e 'pe_repo::windows { "windows-x86_64": arch => "x64", agent_version => "5.5.6", pe_version => "2018.1.4"}'
      

      • Install the puppet_agent module:

      puppet module install puppetlabs-puppet_agent --version 1.7.0
      

      • Install the 2018.1.4 agent on a node running Windows:

      # NOTE: Change to the hostname of your node
      win_node='winrm://Administrator@qcx05m12sifwqpy.delivery.puppetlabs.net'
       
      bolt command run --nodes "${win_node}" --no-ssl \
        "[Net.ServicePointManager]::ServerCertificateValidationCallback = {\$true}
        \$webClient = New-Object System.Net.WebClient
        \$webClient.DownloadFile('https://$(hostname -f):8140/packages/2018.1.4/install.ps1', \$env:temp + '/install.ps1')
        powershell -File (\$env:temp + '/install.ps1')" \
        --password
       
      puppet cert sign -a
      bolt command run --nodes "${win_node}" --no-ssl \
        "puppet agent --onetime --no-daemonize --verbose" \
        --password
      

      • Apply the puppet_agent class to upgrade the agent node.

      puppet apply <<'EOF'
      pe_node_group { 'Agent Upgrade':
        parent          => 'PE Agent',
        refresh_classes => true,
        pinned          => puppetdb_query("inventory[certname] { ! facts.aio_agent_version = '${facts['aio_agent_version']}' }").map |$row| {
          $row['certname']
        },
        classes         => {
          'puppet_agent' => {
            'package_version' => $facts['aio_agent_version'],
          }
        }
      }
      EOF
      

      • Run the upgrade on the Windows node with the --debug flag to observe the exec output:

      bolt command run --nodes "${win_node}" --no-ssl \
        "puppet agent --onetime --no-daemonize --debug" \
        --password
      

      Outcome

      The upgrade proceeds, but the unless check on "Exec[fix inheritable SYSTEM perms]" fails due to invalid syntax caused by the pipe joining icacls to findstr:

      # bolt command run --nodes "${win_node}" --no-ssl \
        "puppet agent --onetime --no-daemonize --debug" \
        --password
      Please enter your password:
      Started on qcx05m12sifwqpy.delivery.puppetlabs.net...
      Finished on qcx05m12sifwqpy.delivery.puppetlabs.net:
        STDOUT:
          ... trimmed for brevity ...
       
          Info: /Stage[main]/Puppet_agent::Windows::Install/File[C:\Users\ADMINI~1\AppData\Local\Temp\install_puppet.bat]: Filebucketed C:/Users/ADMINI~1/AppData/Local/Temp/install_puppet.bat to puppet with sum c7c22a4154e7eab5b7cd693222710dae
          Notice: /Stage[main]/Puppet_agent::Windows::Install/File[C:\Users\ADMINI~1\AppData\Local\Temp\install_puppet.bat]/content: content changed '{md5}c7c22a4154e7eab5b7cd693222710dae' to '{md5}7bb1ec5e89bdce9c3fb99aee0428fa04'
          Debug: /Stage[main]/Puppet_agent::Windows::Install/File[C:\Users\ADMINI~1\AppData\Local\Temp\install_puppet.bat]: The container Class[Puppet_agent::Windows::Install] will propagate my refresh event
          Debug: Exec[install_puppet.bat](provider=windows): Executing 'C:\Windows\system32\cmd.exe /c start /b C:\Windows\system32\cmd.exe /c "C:\Users\ADMINI~1\AppData\Local\Temp\install_puppet.bat" 3780'
          Debug: Executing: 'C:\Windows\system32\cmd.exe /c start /b C:\Windows\system32\cmd.exe /c "C:\Users\ADMINI~1\AppData\Local\Temp\install_puppet.bat" 3780'
          Notice: /Stage[main]/Puppet_agent::Windows::Install/Exec[install_puppet.bat]/returns: executed successfully
          Debug: /Stage[main]/Puppet_agent::Windows::Install/Exec[install_puppet.bat]: The container Class[Puppet_agent::Windows::Install] will propagate my refresh event
          Debug: Exec[fix inheritable SYSTEM perms](provider=windows): Executing check 'C:\Windows\system32\icacls.exe "C:/ProgramData/PuppetLabs/puppet/cache/client_data" | findstr "SYSTEM:(OI)(CI)(F)"'
       
       
          Debug: Executing: 'C:\Windows\system32\icacls.exe "C:/ProgramData/PuppetLabs/puppet/cache/client_data" | findstr "SYSTEM:(OI)(CI)(F)"'
          Debug: /Stage[main]/Puppet_agent::Windows::Install/Exec[fix inheritable SYSTEM perms]/unless: Invalid parameter "|"
       
       
          Debug: Exec[fix inheritable SYSTEM perms](provider=windows): Executing 'C:\Windows\system32\icacls.exe "C:/ProgramData/PuppetLabs/puppet/cache/client_data" /grant "SYSTEM:(OI)(CI)(F)"'
          Debug: Executing: 'C:\Windows\system32\icacls.exe "C:/ProgramData/PuppetLabs/puppet/cache/client_data" /grant "SYSTEM:(OI)(CI)(F)"'
          Notice: /Stage[main]/Puppet_agent::Windows::Install/Exec[fix inheritable SYSTEM perms]/returns: executed successfully
          Debug: /Stage[main]/Puppet_agent::Windows::Install/Exec[fix inheritable SYSTEM perms]: The container Class[Puppet_agent::Windows::Install] will propagate my refresh event
          Debug: Class[Puppet_agent::Windows::Install]: The container Stage[main] will propagate my refresh event
          Debug: Service[pxp-agent](provider=windows): Service pxp-agent is running
          Debug: Service[pxp-agent](provider=windows): Service pxp-agent start type is auto start
          Debug: /Stage[main]/Puppet_enterprise::Profile::Agent/File[C:\ProgramData/PuppetLabs/puppet/cache/state/package_inventory_enabled]: Nothing to manage: no ensure and the resource doesn't exist
          Debug: Finishing transaction 47669160
          Debug: Storing state
          Debug: Stored state in 0.02 seconds
          Notice: Applied catalog in 3.24 seconds
          Debug: Dynamically-bound server lookup failed, falling back to report_server setting
          Debug: Dynamically-bound port lookup failed; falling back to report_port setting
          Debug: Failed to load library 'msgpack' for feature 'msgpack': cannot load such file -- msgpack
          Debug: Puppet::Network::Format[msgpack]: feature msgpack is missing
          Debug: report supports formats: json pson yaml
          Debug: Failed to load library 'msgpack' for feature 'msgpack': cannot load such file -- msgpack
          Debug: Puppet::Network::Format[msgpack]: feature msgpack is missing
          Debug: report supports formats: json pson yaml
          Debug: Failed to load library 'msgpack' for feature 'msgpack': cannot load such file -- msgpack
          Debug: Puppet::Network::Format[msgpack]: feature msgpack is missing
          Debug: report supports formats: json pson yaml
          Debug: Using cached connection for https://tm5ohr4ojs7iqan.delivery.puppetlabs.net:8140
          Debug: Caching connection for https://tm5ohr4ojs7iqan.delivery.puppetlabs.net:8140
          Debug: Closing connection for https://tm5ohr4ojs7iqan.delivery.puppetlabs.net:8140
      Successful on 1 node: winrm://Administrator@qcx05m12sifwqpy.delivery.puppetlabs.net
      Ran on 1 node in 20.84 seconds
      

      Expected outcome

      The unless check for "Exec[fix inheritable SYSTEM perms]" uses valid CMD syntax.
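The guard as the ticket describes it, beside one corrected form, as an added example: this is not the puppet_agent module's own code and not the fix that shipped for this ticket. Puppet's Windows exec provider starts the executable directly rather than through a shell, which is why the "|" reaches icacls.exe as a literal argument and produces the Invalid parameter "|" line in the debug output above; the module's own install_puppet.bat exec, visible in the same log, already wraps its command in cmd.exe /c, and the corrected unless below does the same. The $system32, $client_datadir and $system_full_ace variables are assumptions made for the example; the real module derives these values from facts and class parameters.

```puppet
# Added example, not code from the puppet_agent module. The three variables
# below are assumptions standing in for the module's facts and parameters.
$system32        = 'C:\Windows\system32'
$client_datadir  = 'C:/ProgramData/PuppetLabs/puppet/cache/client_data'
$system_full_ace = 'SYSTEM:(OI)(CI)(F)'

# Broken guard, as seen in the debug log: the exec provider runs icacls.exe
# directly, so "|" and everything after it are passed to icacls as arguments.
# icacls exits non-zero ("Invalid parameter "|""), Puppet reads a non-zero
# unless as "condition not met", and the grant runs on every agent run.
exec { 'fix inheritable SYSTEM perms (broken unless)':
  command => "${system32}\\icacls.exe \"${client_datadir}\" /grant \"${system_full_ace}\"",
  unless  => "${system32}\\icacls.exe \"${client_datadir}\" | findstr \"${system_full_ace}\"",
}

# Corrected guard: hand the whole pipeline to cmd.exe /c so the shell, not
# icacls, interprets the pipe. cmd strips the outer pair of quotes and runs
# what is inside; the pipeline's exit status is findstr's (0 when the ACE is
# listed, 1 when it is not), which is exactly the signal unless needs.
exec { 'fix inheritable SYSTEM perms':
  command => "${system32}\\icacls.exe \"${client_datadir}\" /grant \"${system_full_ace}\"",
  unless  => "${system32}\\cmd.exe /c \"${system32}\\icacls.exe \"${client_datadir}\" | ${system32}\\findstr.exe \"${system_full_ace}\"\"",
}
```

To confirm the corrected guard is idempotent, apply the manifest twice with --debug: on the second run the unless check exits 0 and the grant command is not executed, whereas the broken form reports "executed successfully" every time. findstr exiting 1 on no match is the non-zero status that makes unless trigger the command, so no additional exit-code handling is needed.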

People

  jonathan.morris Jonathan Morris
  chuck Charlie Sharpsteen