Esri / arcgis-cookbook

Chef cookbooks for ArcGIS
Apache License 2.0

Single unit installations #18

Closed pkdavidson closed 9 years ago

pkdavidson commented 9 years ago

Gents:

  1. If I want to use these cookbooks to install the components in a setup where each component, Server, Portal, DataStore and IIS/wa are all on separate servers, is it correct that I would just change the run list?

In this case, does the run_list always need to include arcgis__system ? For example, I just tried to run the datastore recipe with: "run_list":[ "recipe[arcgis::system]", "recipe[arcgis::datastore]" ]

I have assumed that we always need to have arcgis::system in the run_list? But then I noticed it activates IIS, etc... which is ok but not needed for DataStore if on a separate machine, correct? I mean, I have a separate IIS server running two wa, one for Hosting Server and one for Portal.

1.b. I had a failure which looks to be due to a login failure or inability to start or stop the Data Store service (I cannot start it by hand with my domain account so there is some permission issue):

I believe the pertinent info is (I can give you everything if needed but this looks to be the issue):

- execute the ruby block Change 'ArcGIS Data Store' service logon account

[2015-08-25T19:30:50-06:00] FATAL: Chef::Exceptions::Service: windows_service[ArcGIS Data Store](C:\chef\cookbooks\arcgis\providers\datastore.rb line 121) had an error: Chef::Exceptions::Service: Service windows_service[ArcGIS Data Store] did not start due to a logon failure (error 1069): possibly the specified user ' ' does not have the 'log on as a service' privilege, or the password is incorrect.

1.c. For a domain account, I am using "mydomain\username" is that correct? or should it be preceded by a "\mydomain\username" ?

  2. Which raises another question, can Chef be set up to run off a single Server but to basically do a "run as" with remote execution to install the components across the network on the various servers?

I have not tried doing this with the specific server names coded into the node.json file. I've just assumed these cookbooks are designed to be run on the Server on which the software is being installed.

Thanks... I will try resetting the server and running with the different domain account naming convention and perhaps pulling arcgis::system out...
Late to a meeting...

pbobov commented 9 years ago

Hi Paul,

The 1.1.2 version of the cookbook is released. This version makes the cookbook work with domain accounts and has some other important improvements.

1a. The run_list for installing data store looks good. Don't remove the other attributes from the node.json just yet. And please note that datastore recipe registers Data Store with server, so the server must be installed first and the node.json attributes must provide the correct server domain or url of the up and running server.

IIS is installed on Windows Server 2012 to install .NET Framework, according to "Microsoft .NET Framework requirement for .NET Extension Support feature" section in arcgis-for-server-system-requirements manual. (I'm not sure why .NET Framework should be installed this way - the cookbook just does it "by the book".) The simple workaround is to install .NET Framework yourself and remove the system recipe. I'll think about less invasive ways of installing .NET Framework.

1b. I'm not sure why you are running into logon failures with Data Store. Please check if your user account has "Log on as service" privileges. If you don't run Data Store in HA configuration where access to shared backup directory is required, then Data Store service can be run under Local System account. (The cookbook tries to use the same settings for both HA and single machine deployments). To run Data Store under Local System account, remove

  ruby_block "Change 'ArcGIS Data Store' service logon account" do
    block do
      cmd = Mixlib::ShellOut.new("icacls.exe \"#{install_dir}\" /grant \"#{run_as_user}:(OI)(CI)F\"")
      cmd.run_command
      cmd.error!
      cmd = Mixlib::ShellOut.new("icacls.exe \"#{data_dir}\" /grant \"#{run_as_user}:(OI)(CI)F\"")
      cmd.run_command
      cmd.error!
      cmd = Mixlib::ShellOut.new("sc.exe config \"ArcGIS Data Store\" obj= \"#{service_logon_user}\" password= \"#{run_as_password}\"")
      cmd.run_command
      cmd.error!
    end
    #sensitive true
    action :run
  end

from /providers/datastore.rb.

1c. "mydomain\username" is a correct format.

In JSON format '\' must be escaped as '\\'.

...
"run_as_user" : "mydomain\\username"
...

The ArcGIS cookbook is designed to be run on the Server on which the software is being installed.

I did not try to install many different "A la carte" ArcGIS configurations. It might take a few iterations to get it right and cook them to perfection.

Good luck! Pavel
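A pre-flight check for the escaping rule in 1c, as an added example that is not part of the thread or of the cookbook. It assumes the attribute sits under an "arcgis" key in node.json and uses Ruby's json library; the account names and the `check_run_as_user` helper are made up for illustration.

```ruby
require 'json'

# Constructed node.json fragments. Raw heredocs keep backslashes exactly as
# they would appear in the file on disk.
ESCAPED = <<~'JSON'
  {"arcgis": {"run_as_user": "mydomain\\username"}}
JSON
# "\u" is not followed by four hex digits, so the intended name is never
# produced (the parser either rejects it or decodes a different string).
UNESCAPED_U = <<~'JSON'
  {"arcgis": {"run_as_user": "mydomain\username"}}
JSON
# "\n" is a valid JSON escape: this parses without error and silently puts a
# newline into the account name.
UNESCAPED_N = <<~'JSON'
  {"arcgis": {"run_as_user": "mydomain\newuser"}}
JSON

# Decoded value must look like DOMAIN\user: exactly one backslash and no
# control characters on either side.
ACCOUNT = /\A[^\\[:cntrl:]]+\\[^\\[:cntrl:]]+\z/

# Returns :ok, :missing, :malformed or :unparseable for the run_as_user value.
# The "arcgis" nesting is an assumption about the node.json layout.
def check_run_as_user(json_text)
  value = JSON.parse(json_text).dig('arcgis', 'run_as_user')
  return :missing unless value.is_a?(String)

  value.match?(ACCOUNT) ? :ok : :malformed
rescue JSON::ParserError
  :unparseable
end

if $PROGRAM_NAME == __FILE__
  { 'escaped' => ESCAPED, 'unescaped \u' => UNESCAPED_U,
    'unescaped \n' => UNESCAPED_N }.each do |label, text|
    puts "#{label}: #{check_run_as_user(text)}"
  end
end
```
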

pkdavidson commented 9 years ago

Thanks for the very quick response Pavel! Yes, I pulled 1.1.2 down the other day.

I'm thinking I might have two issues.
I discovered I had the wrong account/password combo in my node.json file for the Server & Portal sections.

Also, I am trying to build into an existing Server & IIS setup.
The server is federated with WIA and is set to HTTPS only. Perhaps I need to drop this back to HTTPS & HTTP ?

Let me explain where/what I'm trying to do: I was in the process of building up a test environment utilizing: Hosting Server, Portal, IIS (with two web adaptors) and DataStore. Once that is up I will add in another Server or two and Geo Processor Server. And then work on a high availability setup. Eventually another IIS server comes into play to support two main web apps we have. This will be federated into WIA/AD. Each of these are to be on separate boxes (all virtual).

I had the Hosting Server and IIS box running and federated to WIA when I came across your cookbooks. First thing I did was get your all-in-one unit working and put up onto Vsphere. We now consider this a development box and with the cookbook, we can spin this up locally for our developers if needed. Very slick. (I develop under VM Workstation and then our system guys pop it into the sphere for me. Slick stuff (and fun.))

So I'm now trying to get DataStore and Portal up and running off the cookbooks. If (when!) this is successful, I will be able to very quickly build up the production environment.

I'll look into the "Log on" privileges. However I can stop and start any other service that I've tried.

pkdavidson commented 9 years ago

Log on as a service was the key. I read that domain accounts often don't have this privilege. For others that might run into this, here are the details: From Admin Tools, open Local Security Policy: Local Policies: User Rights Assignment. In Policy window, open Log on as a service and add your arcgis logon account here.

FWIW: I am using a domain service account that is in an AD group. This group includes the domain service account, and the domain log ins of those of us in the GIS IT program. I then use this AD group to give permissions on our GIS servers, etc...

I'll have to try building up another all in one server using the domain account and see if the same issue shows up.
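The "Log on as a service" check from this thread can be scripted before a Chef run by parsing a user-rights export. This is an added example, not code from the thread or the cookbook; the SIDs, account names and helper names are constructed, and resolving an account to its SID and group memberships is assumed to happen elsewhere.

```ruby
# Constructed sample of the file written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# The real file is typically UTF-16; transcode it to UTF-8 before parsing.
SAMPLE_INF = <<~'INF'
  [Unicode]
  Unicode=yes
  [Privilege Rights]
  SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
  SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1108
  SeDenyServiceLogonRight = EXAMPLE\contractors
  [Version]
  signature="$CHICAGO$"
  Revision=1
INF

# Parse the [Privilege Rights] section into { right => [principal, ...] }.
# Principals are lower-cased and the leading '*' on SIDs is dropped.
def privilege_rights(inf_text)
  rights = {}
  in_section = false
  inf_text.each_line do |raw|
    line = raw.strip
    if line.start_with?('[')
      in_section = line.casecmp?('[Privilege Rights]')
    elsif in_section && line.include?('=')
      name, value = line.split('=', 2)
      rights[name.strip] = value.split(',')
                                .map { |p| p.strip.delete_prefix('*').downcase }
                                .reject(&:empty?)
    end
  end
  rights
end

# identities: every name and SID the account is known by, including the
# groups it belongs to (the right is often granted through a group).
# Returns :denied, :granted or :missing; an explicit deny wins over a grant.
def service_logon_status(inf_text, identities)
  ids = identities.map(&:downcase)
  rights = privilege_rights(inf_text)
  return :denied if (rights.fetch('SeDenyServiceLogonRight', []) & ids).any?
  return :granted if (rights.fetch('SeServiceLogonRight', []) & ids).any?

  :missing
end
```

A `:missing` result for the run-as account corresponds to the error 1069 logon failure reported earlier in the thread.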