Self-hosted windows agent powershell error code 5

[maxricketts]

Description of the issue

Random pipelines fail with the below error

##[error]Exit code 5 returned from process: file name 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', arguments '-NoLogo -Sta -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". ([scriptblock]::Create('if ([Console]::InputEncoding -is [Text.UTF8Encoding] -and [Console]::InputEncoding.GetPreamble().Length -ne 0) { [Console]::InputEncoding = New-Object Text.UTF8Encoding $false } if (!$PSHOME) { $null = Get-Item -LiteralPath ''variable:PSHOME'' } else { Import-Module -Name ([System.IO.Path]::Combine($PSHOME, ''Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1'')) ; Import-Module -Name ([System.IO.Path]::Combine($PSHOME, ''Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1'')) }')) 2>&1 | ForEach-Object { Write-Verbose $_.Exception.Message -Verbose } ; Import-Module -Name 'C:\a\_tasks\ps-rule-assert_8804fc31-b62f-4d49-b2a1-c80dc0879dae\2.6.2211067\ps_modules\VstsTaskSdk\VstsTaskSdk.psd1' -ArgumentList @{ NonInteractive = $true } -ErrorAction Stop ; $VerbosePreference = 'SilentlyContinue' ; $DebugPreference = 'SilentlyContinue' ; Invoke-VstsTaskScript -ScriptBlock ([scriptblock]::Create('. ''C:\a\_tasks\ps-rule-assert_8804fc31-b62f-4d49-b2a1-c80dc0879dae\2.6.2211067\powershell.ps1'''))"'

Module in use and version:

Checking PSRule
[info] Using repository: PSGallery
[info] Installing PSRule: 2.6.0
Checking modules
> Checking module: PSRule.Rules.Azure
  - Installing module
  - Using version: 1.21.2
Checking environment
[info] Using PSRule: 2.6.0
[info] Using Extension: 2.6.0
[info] Using Task: 2.6.2211067
[info] Using Workspace: C:\a\1\s
[info] Using PWD: C:\a\_tasks\ps-rule-assert_8804fc31-b62f-4d49-b2a1-c80dc0879dae\2.6.2211067
[info] Using Path: C:\a\1\s
[info] Using Source: C:\a\1\s\.ps-rule\
[info] Using Baseline: 
[info] Using Conventions: 
[info] Using InputType: repository
[info] Using InputPath: C:\a\1\s\newImage\bicep\
[info] Using Option: 
[info] Using Outcome: 
[info] Using OutputFormat: Nunit3
[info] Using OutputPath: C:\a\1\s\rule-report.xml

[BernieWhite]

@maxricketts Ok so error code 5 reported by PowerShell indicates an access denied error. This could happen both for inputs and outputs.

With OutputPath set to rule-report.xml I don't think it is related to the outputs.

This looks like a problem. Using Source: C:\a\1\s.ps-rule which would not be valid.

Are you able to provide the pipeline YAML code for the ps-rule-assert@2 task and any settings configured within ps-rule.yaml under the input: and output: keys.

Also this discussion may help: https://github.com/microsoft/PSRule-pipelines/discussions/387

[maxricketts]

@BernieWhite. Here is the yaml for the psrule stage. This happens randomly, even when no changes have been applied to the code or yaml. Run the pipeline again and it will work. This does look like the same issue as 387 but I have the inputType set to repository and still get the random occurence or error code 5.

Please let me know if you require any more information.

# yaml-language-server: $schema=./deploy.yml

stages: 
  - stage: PSRuleScanning
    displayName: PSRule validation and governance
    jobs:
      - job: PSRule
        displayName: Checkout and scan code
        steps:
          - checkout: Exg.DevOps.ImageBuilder
            # Analyze Azure resources using PSRule for Azure
          - task: ps-rule-assert@2
            displayName: Analyze Azure bicep files
            inputs:
              modules: PSRule.Rules.Azure
              inputType: repository
              inputPath: newImage/bicep/
              outputFormat: Nunit3
              outputPath: rule-report.xml
            env:
              # Define environment variables within Azure Pipelines
              AZURE_CLIENT_ID: $(psrule-clientid)
              AZURE_CLIENT_SECRET: $(psrule-secret)
              AZURE_TENANT_ID: $(psrule-tenant)
          # PSRule results
          - task: PublishTestResults@2
            displayName: 'Publish PSRule results'
            inputs:
              testRunTitle: 'PSRule'
              testRunner: NUnit
              testResultsFiles: 'rule-report.xml'
              mergeTestResults: true
              publishRunAttachments: true
            condition: succeededOrFailed()

[BernieWhite]

@maxricketts Looks like the missing \ was just how the output sample was pasted. The paths look correct now as a text block.

The task parameters look fine.

We're going need to collect more information. You can enable verbose output by setting the SYSTEM_DEBUG pipeline variable to true.

[maxricketts]

I have attached the logs for you. It seems like it always fails the first time on a fresh vm instance on the scale set. run it again and its fine. I have also attached a log of when it runs all ok at the bottom

psrulepipelinedebug.txt

pipelinelogcompleted.txt

[BernieWhite]

@maxricketts Thanks for the logs. From the logs, PSRule is running and it starting to process files. It start to expand a Bicep file here:

2022-11-25T16:13:58.1294941Z ##[debug][Azure.ExpandBicep] -- Expanding bicep source: C:\a\1\s\newImage\bicep\imagebuilder.bicep

That's the last action in the logs.

With your VMSS setup, do you have additional custom scripts that might be running in the background while this job is running?

[BernieWhite]

@maxricketts Also additionally, I've added some additional verbose logging for testing in pre-release v1.22.0-B0203. This might help confirm if the Bicep compile is definitely the cause of the failure.

To use the pre-release you will need to enable the pre-release by setting the prerelease: true input parameter for the ps-rule-assert@2 task.

[maxricketts]

@BernieWhite - I have added prerelease: true - and I am getting the below error.

          - task: ps-rule-assert@2
            displayName: Analyze Azure bicep files            
            inputs:
              prerelease: true
              modules: PSRule.Rules.Azure
              inputType: repository
              inputPath: newImage/bicep/
              outputFormat: Nunit3
              outputPath: rule-report.xml

[error]An error occurred installing a dependency module. A parameter cannot be found that matches parameter name 'AllowPrerelease'.

[BernieWhite]

@BernieWhite - I have added prerelease: true - and I am getting the below error.

          - task: ps-rule-assert@2
            displayName: Analyze Azure bicep files            
            inputs:
              prerelease: true
              modules: PSRule.Rules.Azure
              inputType: repository
              inputPath: newImage/bicep/
              outputFormat: Nunit3
              outputPath: rule-report.xml

[error]An error occurred installing a dependency module. A parameter cannot be found that matches parameter name 'AllowPrerelease'.

Ah thanks for the feedback. This could occur if you have an old version of PowerShellGet installed. You could do either of the following to address that error:

• Update to the latest version of PowerShellGet on the host.
• Add the ps-rule-install@2 task to install PSRule.Rules.Azure as a pre-release before ps-rule-assert@2, then you can avoid using prerelease: true on ps-rule-assert@2.

---

However the latest v1.22.0 is out so you can avoid installing the pre-release anyway :)

[maxricketts]

@BernieWhite What version of powershellget is needed as the latest version of powershell was installed only a couple of weeks ago and that came with close to the latest powershellget version.

I'll test the fix and let you know

many thanks

[BernieWhite]

@BernieWhite What version of powershellget is needed as the latest version of powershell was installed only a couple of weeks ago and that came with close to the latest powershellget version.

I'll test the fix and let you know

many thanks

Any latest version installed in the last year should be fine. It's not a new feature, but does not ship in the PowerShell modules installed in Windows by default. If that's not your experience then maybe there is an old version installed in Windows PowerShell.

[BernieWhite]

@maxricketts Did you get a chance to check this with PSRule for Azure v1.22.0?

[mpr555]

@BernieWhite - This has re-appeared a few times. I think it's when the scale set creates a new image. I have checked and it is on the latest version.

[mpr555]

@maxricketts Did you get a chance to check this with PSRule for Azure v1.22.0?

@BernieWhite - This has re-appeared a few times. I think it's when the scale set creates a new image. I have checked and it is on the latest version.

[BernieWhite]

@mpr555 @maxricketts If you are able to post the debugs logs again since v1.22.0 because we added additional logging to help track specifically where the failure occurred. Thanks.

[mpr555]

@BernieWhite I have attached the log files with the exit 5 issue. psruleext5issue.txt

[BernieWhite]

@maxricketts @mpr555 So based on the additional logging the crash is occurring when calling Bicep CLI.

Are you using Bicep CLI via the Azure CLI?

If not, to test if there is any different behaviour can you insert a new step before PSRule to install the Bicep CLI via Azure CLI.

For example:

- script: |
    az bicep install
    az bicep upgrade

Then add the PSRULE_AZURE_BICEP_USE_AZURE_CLI environment variable called out in Using Azure CLI.

[BernieWhite]

@maxricketts @mpr555 An update on this one. We were able to reproduce a case where path probing of the Bicep binaries was causing an issue and generating exit code 5. We've improved the behaviour to be less noisy. I'm not sure if this resolves your specific case however if you are able to test pre-release v1.25.0-B0035 and let us know.

If that does not resolve the issue, can I suggest that you:

1. Separately install the Bicep CLI.
2. Set the PSRULE_AZURE_BICEP_PATH environment variable to the specific location of the Bicep binary.

Details are further included here: https://azure.github.io/PSRule.Rules.Azure/setup/setup-bicep/#installing-bicep-cli

---

Please let us know how you go so that we can close the issue or update guidance docs as required.

[BernieWhite]

@maxricketts @mpr555 v1.25.0 is now released. Hopefully this has resolved the issue. Thanks for your patience to test and collect information. Please let us know if there is still an issue.

[maxricketts]

@BernieWhite - I am still getting an error on some builds.

##[error]One or more assertions failed.
---
##[error]Exit code 1 returned from process: file name 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', arguments '-NoLogo -Sta -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". ([scriptblock]::Create('if ([Console]::InputEncoding -is [Text.UTF8Encoding] -and [Console]::InputEncoding.GetPreamble().Length -ne 0) { [Console]::InputEncoding = New-Object Text.UTF8Encoding $false } if (!$PSHOME) { $null = Get-Item -LiteralPath ''variable:PSHOME'' } else { Import-Module -Name ([System.IO.Path]::Combine($PSHOME, ''Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1'')) ; Import-Module -Name ([System.IO.Path]::Combine($PSHOME, ''Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1'')) }')) 2>&1 | ForEach-Object { Write-Verbose $_.Exception.Message -Verbose } ; Import-Module -Name 'C:\a\_tasks\ps-rule-assert_8804fc31-b62f-4d49-b2a1-c80dc0879dae\2.6.2301031\ps_modules\VstsTaskSdk\VstsTaskSdk.psd1' -ArgumentList @{ NonInteractive = $true } -ErrorAction Stop ; $VerbosePreference = 'SilentlyContinue' ; $DebugPreference = 'SilentlyContinue' ; Invoke-VstsTaskScript -ScriptBlock ([scriptblock]::Create('. ''C:\a\_tasks\ps-rule-assert_8804fc31-b62f-4d49-b2a1-c80dc0879dae\2.6.2301031\powershell.ps1'''))"'.

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within 7 days. Thank you for your contributions.

[github-actions[bot]]

This issue was closed because it has not had any recent activity.