Icinga / icinga-powershell-framework

This PowerShell module will allow to fetch data from Windows hosts and use them for inventory and monitoring solutions. Together with the Icinga Web 2 module, a detailed overview of your Windows infrastructure will be drawn.
MIT License

Missing permissions after installing framework service #432

Closed bieba closed 7 months ago

bieba commented 3 years ago

I installed the background service within the framework and the plugins.

function Invoke-IcingaFrameworkKickstart {
    [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11";
    $ProgressPreference = "SilentlyContinue";

    $global:IcingaFrameworkKickstartSource = 'https://raw.githubusercontent.com/Icinga/icinga-powershell-kickstart/master/script/icinga-powershell-kickstart.ps1';

    $Script = (Invoke-WebRequest -UseBasicParsing -Uri $global:IcingaFrameworkKickstartSource).Content;

    # changed so that the current framework is always fetched here
    <# $LatestRelease = (Invoke-WebRequest -Uri 'https://github.com/Icinga/icinga-powershell-framework/releases/latest' -UseBasicParsing).BaseResponse.ResponseUri.AbsoluteUri;
    $RepositoryUrl = $LatestRelease.Replace('/releases/tag/', '/archive/');
    $Tag           = $RepositoryUrl.Split('/')[-1];
    $RepositoryUrl = [string]::Format('{0}/{1}.zip', $RepositoryUrl, $Tag); #>
    # Alternatively: use a fixed URL pointing at the ZIP
    $RepositoryUrl = 'https://github.com/Icinga/icinga-powershell-framework/archive/refs/heads/feature/rewrite_plugin_execution.zip'
    # end of change

    $Script += "`r`n`r`n Start-IcingaFrameworkWizard -RepositoryUrl '" + $RepositoryUrl + "' -ModuleDirectory 'C:\Program Files\WindowsPowerShell\modules\' -AllowUpdate 1 -SkipWizard;";

    Invoke-Command -ScriptBlock ([Scriptblock]::Create($Script));
}

function Invoke-IcingaFrameworkPluginInstallation {
    Use-Icinga

    # without a URL it would always load the latest version
    Install-IcingaFrameworkComponent -Name plugins -Release -Url 'https://github.com/Icinga/icinga-powershell-plugins/archive/refs/heads/master.zip';
}

function Invoke-IcingaFrameworkServiceInstallation {
    Use-Icinga

    #https://icinga.com/docs/icinga-for-windows/latest/service/doc/02-Installation/

    $FrameworkServiceUrl = 'https://github.com/Icinga/icinga-powershell-service/releases/download/v1.1.0/icinga-service-v1.1.0.zip'
    $ServiceDirectory = 'C:\Program Files\icinga-framework-service\'
    $serviceData = Get-IcingaFrameworkServiceBinary -FrameworkServiceUrl $FrameworkServiceUrl -ServiceDirectory $ServiceDirectory

    Install-IcingaFrameworkService -Path $serviceData.ServiceBin -User 'NT AUTHORITY\NetworkService';
}

Invoke-IcingaFrameworkKickstart
Invoke-IcingaFrameworkPluginInstallation
Invoke-IcingaFrameworkServiceInstallation

After configuring the background service it wasn't able to write its results to disk within each tick.

The permissions after installation:

PS C:\Windows\system32> gi "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache" | get-acl | Select-Object path,owner,accesstostring,group | fl
Path           : Microsoft.PowerShell.Core\FileSystem::C:\Program
                 Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache
Owner          : VORDEFINIERT\Administratoren
AccessToString : NT SERVICE\TrustedInstaller Allow  FullControl
                 NT SERVICE\TrustedInstaller Allow  268435456
                 NT-AUTORITÄT\SYSTEM Allow  FullControl
                 NT-AUTORITÄT\SYSTEM Allow  268435456
                 VORDEFINIERT\Administratoren Allow  FullControl
                 VORDEFINIERT\Administratoren Allow  268435456
                 VORDEFINIERT\Benutzer Allow  ReadAndExecute, Synchronize
                 VORDEFINIERT\Benutzer Allow  -1610612736
                 ERSTELLER-BESITZER Allow  268435456
                 ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE ANWENDUNGSPAKETE Allow  ReadAndExecute, Synchronize
                 ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE ANWENDUNGSPAKETE Allow  -1610612736
                 S-1-15-2-2 Allow  ReadAndExecute, Synchronize
                 S-1-15-2-2 Allow  -1610612736
Group          : DOMAINNAME\Domänen-Benutzer

Just for testing I added full permissions at the 'cache' folder level and it was working. I tested it once more and ran into the same problem.

OS: Windows Server 2012 R2
OS language: German

LordHepipud commented 3 years ago

What happens if you try this and run

Test-IcingaAgent

after installation? It should check the permission for the folder and prompt you to change it in case it is wrong. You just have to ensure the Icinga for Windows and Icinga 2 service are running with the same user. Because we always expect it to be the same user.

bieba commented 3 years ago

While the installation is running

[Passed]: Icinga Agent service is installed
[Passed]: The specified user "NT AUTHORITY\NetworkService" is allowed to run as service
[Passed]: Directory "C:\ProgramData\icinga2\etc" is accessible and writeable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\ProgramData\icinga2\var" is accessible and writeable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\cache" is accessible and writeable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Icinga Agent configuration is valid
[Passed]: Icinga Agent debug log is disabled
[Notice]: Restarting service "icinga2"

For me it seems that the installation of the icinga agent 2 is fixing the permission issue.

I tried to run

Test-IcingaAgent

but it gave me the error, Agent not installed. After installation it worked.

But that's somehow not the perfect solution. I ran into the issue, as I only re-installed the framework/plugins without re-installing the agent. I checked this behaviour again (deletion of framework/plugins and installing them again) and I can confirm that this is the problem. Right after re-installation of the agent it started working again.

I used the default user (network service) for both.
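The situation described in this thread (the framework's cache folder carrying only the inherited Program Files ACL, with no write access for the service account) can be checked and repaired without re-installing the Agent. The following is an added example and not code from the issue or from the Icinga project; the function names, the default account `NT AUTHORITY\NetworkService` and the cache path are assumptions taken from the output posted above. It compares ACL entries by SID rather than by name so that the localized account names seen in the German output (e.g. `NT-AUTORITÄT\SYSTEM`) do not matter, and it grants only Modify (not FullControl) and only on the cache folder, which is the least-privilege equivalent of the "full permissions on cache" test the reporter did.

```powershell
# Added example (not from the issue or the Icinga project): verify that the
# service account can write to the framework cache folder and, if it cannot,
# add a Modify ACE scoped to that folder and its contents.

function Test-ServiceAccountWriteAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Account = 'NT AUTHORITY\NetworkService'   # assumed default service user
    )
    $acl   = Get-Acl -Path $Path
    $ident = New-Object System.Security.Principal.NTAccount($Account)
    # Resolve to a SID so localized names (NT-AUTORITÄT\..., VORDEFINIERT\...) still match
    $sid   = $ident.Translate([System.Security.Principal.SecurityIdentifier])
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $required = [System.Security.AccessControl.FileSystemRights]::Modify

    foreach ($rule in $rules) {
        if ($rule.IdentityReference -eq $sid -and
            $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (($rule.FileSystemRights -band $required) -eq $required)) {
            return $true
        }
    }
    return $false
}

function Grant-ServiceAccountWriteAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Account = 'NT AUTHORITY\NetworkService'   # assumed default service user
    )
    if (Test-ServiceAccountWriteAccess -Path $Path -Account $Account) {
        Write-Host "$Account already has Modify rights on $Path"
        return
    }

    # Modify on this folder, inherited by sub-folders and files below it only
    $rights    = [System.Security.AccessControl.FileSystemRights]::Modify
    $inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
                 [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $Account, $rights, $inherit, $propagate, $allow

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    Write-Host "Granted Modify on $Path to $Account"
}

# Cache path as shown in the Get-Acl output above (assumed default install location)
$CachePath = 'C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache'

# Run from an elevated PowerShell session; Set-Acl needs ownership or FullControl
Grant-ServiceAccountWriteAccess -Path $CachePath
```

After running it, `Get-Acl $CachePath | Select-Object -ExpandProperty Access` should list an additional Allow/Modify entry for the service account; if the Icinga 2 Agent runs under a different account than the framework service, pass that account via `-Account` and grant both, since the thread notes both services are expected to run as the same user.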

LordHepipud commented 3 years ago

The problem right now is that the command only works while the Agent is installed. That's something we should re-work to make it non-dependent on the Agent.

LordHepipud commented 7 months ago

Icinga for Windows v1.12.0 adds a new command

Test-IcingaForWindows;

which should resolve most of the test issues. In addition, the installer now properly handles permission updates during the installation.