WinRb / vagrant-windows


provision inline shell execution doesn't run elevated #166

Closed lmayorga1980 closed 10 years ago

lmayorga1980 commented 10 years ago

Hi,

I have my Vagrantfile like this... and I am trying to execute Puppet Enterprise within the Windows box.

  config.vm.define :win1 do |win1|
    win1.vm.box      = "win2008r2"
    win1.vm.synced_folder "../scripts", "/vagrant_data"
    win1.vm.network   :private_network, ip: "10.xx.xx.xx"
    win1.vm.provision :shell, :path => "../scripts/set-ip-address.bat"
    win1.vm.provision :shell, :path => "../scripts/add-hostfile-entries.bat"
    win1.vm.provision :shell, :inline => "puppet agent -t --server puppetmaster"
  end

My guess is that it might not be running with elevated permissions.

Error: WebPiCmd.exe /Install /Products:NETFramework4 /AcceptEula /Log:C:\Temp\NETFramework4Log.htm returned 255 instead of one of [0]
Error: /Stage[main]/Netfx40/Exec[netframework40]/returns: change from notrun to 0 failed: WebPiCmd.exe /Install /Products:NETFramework4 /AcceptEula /Log:C:\Temp\NETFramework4Log.htm returned 255 instead of one of [0]
Warning: /Stage[main]/Netfx45/Exec[netframework45]: Skipping because of failed dependencies
Warning: /Stage[main]/Netfx45/Exec[netframework451]: Skipping because of failed dependencies
Warning: /Stage[main]/Netfx45/Reboot[after netframework45]: Skipping because of failed dependencies
Warning: /Stage[main]/Netfx45/Reboot[after netframework451]: Skipping because of failed dependencies
Notice: /Stage[main]/Netfx45/Exec[netframework45]: Dependency Exec[netframework40] has failures: true
Notice: /Stage[main]/Netfx45/Exec[netframework451]: Dependency Exec[netframework40] has failures: true
Notice: /Stage[main]/Netfx45/Reboot[after netframework45]: Dependency Exec[netframework40] has failures: true
Notice: /Stage[main]/Netfx45/Reboot[after netframework451]: Dependency Exec[netframework40] has failures: true
Notice: /Stage[main]/Aat/File[C:/puppet-aat/tests/iis_test.rb]/ensure: defined content as '{md5}6fe45aeb6e13146e1c45f79d43e5303e'
Info: Creating state file C:/ProgramData/PuppetLabs/puppet/var/state/state.yaml
Notice: Finished catalog run in 73.27 seconds
An error occurred executing a remote WinRM command.

Shell: powershell
Command:               $old = Get-ExecutionPolicy;
              Set-ExecutionPolicy Unrestricted -force;
              c:\tmp\vagrant-shell.ps1;
              Set-ExecutionPolicy $old -force

Message: Command execution failed with an exit code of 6

When running from the windows puppet enterprise console it works just fine.

sneal commented 10 years ago

What's in this file? C:\Temp\NETFramework4Log.htm

lmayorga1980 commented 10 years ago

From the vagrant output...

Error: WebPiCmd.exe /Install /Products:NETFramework4 /AcceptEula /Log:C:\Temp\NETFramework4Log.htm returned 255 instead of one of [0]

From the NETFramework4Log.htm

WebPiCmd Information: 0 : 
    DateTime=2014-01-15T00:56:34.5420000Z
WebPiCmd Warning: 0 : The software that you obtain using the Web Plaform Installer Command Line Tool is licensed to you by its owner.  Microsoft grants you no rights for third party software.
    DateTime=2014-01-15T00:56:34.5420000Z
WebPiCmd Verbose: 0 : Executing command: WebPiCmd.exe /Install /Products:NETFramework4 /AcceptEula /Log:C:\Temp\NETFramework4Log.htm
    DateTime=2014-01-15T00:56:34.5576250Z
WebPiCmd Information: 0 : Successfully loaded primary feed: https://go.microsoft.com/?linkid=9824573
    DateTime=2014-01-15T00:56:37.3545000Z
WebPiCmd Start: 0 : The following software is going to be installed:
    DateTime=2014-01-15T00:56:37.4638750Z
WebPiCmd Information: 0 : EULA: 'Microsoft .NET Framework 4', which is owned by 'Microsoft Corporation', will be downloaded from 'http://download.microsoft.com/download/9/5/A/95A9616B-7A37-4AF6-BC36-D6EA96C8DAAE/dotNetFx40_Full_x86_x64.exe'.
    DateTime=2014-01-15T00:56:37.4638750Z
WebPiCmd Information: 0 : The license agreement to 'Microsoft .NET Framework 4' is available at 'http://go.microsoft.com/fwlink/?LinkId=188993&clcid=0x409'.
    DateTime=2014-01-15T00:56:37.4638750Z
WebPiCmd Stop: 0 : Accepted Eulas.
    DateTime=2014-01-15T00:56:37.4638750Z
WebPiCmd Start: 0 : Starting Installation
    DateTime=2014-01-15T00:56:37.4638750Z
WebPiCmd Information: 0 : Started downloading products...
    DateTime=2014-01-15T00:56:37.4795000Z
WebPiCmd Information: 0 : Started downloading: 'Microsoft .NET Framework 4'
    DateTime=2014-01-15T00:56:37.4951250Z
WebPiCmd Information: 0 : Downloaded: 'Microsoft .NET Framework 4'
    DateTime=2014-01-15T00:58:48.2133750Z
WebPiCmd Information: 0 : Started installing Products... 
    DateTime=2014-01-15T00:58:48.7290000Z
WebPiCmd Start: 0 : Started installing: 'Microsoft .NET Framework 4'
    DateTime=2014-01-15T00:58:48.7446250Z
WebPiCmd Information: 0 : Install completed (Failure): 'Microsoft .NET Framework 4'
    DateTime=2014-01-15T00:59:00.3696250Z
WebPiCmd Error: 0 : NETFramework4 : Failed.

    DateTime=2014-01-15T00:59:00.3852500Z
WebPiCmd Information: 0 : 
    DateTime=2014-01-15T00:59:00.5883750Z
WebPiCmd Start: 0 : Verifying successful installation...
    DateTime=2014-01-15T00:59:00.5883750Z
WebPiCmd Information: 0 : Microsoft .NET Framework 4                         False
    DateTime=2014-01-15T00:59:00.5883750Z
WebPiCmd Information: 0 :     Log Location: %temp%\dd_dotnetfx4install.html
    DateTime=2014-01-15T00:59:00.5883750Z
WebPiCmd Verbose: 0 : Download count: 215.77 Mb, 131 sec
    DateTime=2014-01-15T00:59:00.5883750Z
WebPiCmd Verbose: 0 : Installation count: 1.65 Mb, 12 sec
    DateTime=2014-01-15T00:59:00.5883750Z
WebPiCmd Verbose: 0 : Products            , Down. Size, Inst. Time, Down. Time, Inst. Size, Log Size  
    DateTime=2014-01-15T00:59:00.5883750Z
WebPiCmd Verbose: 0 : NETFramework4       , 48.11     , 12        , 131       , 1.65      , 0         
    DateTime=2014-01-15T00:59:00.5883750Z
WebPiCmd Verbose: 0 : Total (download size/install time): 48.11 Mb, 12 sec
    DateTime=2014-01-15T00:59:00.5883750Z
WebPiCmd Error: 0 : Install of Products: FAILURE
    DateTime=2014-01-15T00:59:00.5883750Z

lmayorga1980 commented 10 years ago

Wondering if there is a registry entry to run everything with elevated privileges.

btw i am using the packer-windows https://github.com/joefitzgerald/packer-windows.

joefitzgerald commented 10 years ago

@lmayorga1980 In Autounattend.xml, we explicitly disable UAC: https://github.com/joefitzgerald/packer-windows/blob/master/answer_files/2012_r2/Autounattend.xml#L285 / http://technet.microsoft.com/en-us/library/ff715520.aspx

sneal commented 10 years ago

I'd set the MaxMemoryPerShellMB to 0, or unlimited.

There's also an issue with that setting being ignored.

lmayorga1980 commented 10 years ago

@joefitzgerald I have that setting in the Autounattend.xml. But this doesn't mean that ....

vm.provision :shell, :path => "<this will run elevated?>"

I know that the Chocolatey guys figured out how to execute their PowerShell scripts with elevated permissions, but I'm not sure how to add that code to the vagrant-windows plugin.

joefitzgerald commented 10 years ago

Are you certain that elevation is the issue here? I think you might want to run this with more detailed logging and get the actual install failure error from there.

lmayorga1980 commented 10 years ago

Correct me if I am wrong here, but when I execute this command puppet agent -t --server puppetmaster from the Vagrantfile it fails, but when I do it inside the VM it just works.

Check this gist with Access Denied at the end...

https://gist.github.com/lmayorga1980/8442734

joefitzgerald commented 10 years ago

Have you tried runas /user:Administrator "<your command here>" or runas /user:vagrant "<your command here>"?

It is possible this will prompt you for credentials (in which case this is not a solution), but I'm not sure of the behavior if you run that while logged in as the same user you specify as an argument to runas.

joefitzgerald commented 10 years ago

This also looks promising: http://support.microsoft.com/kb/951016

lmayorga1980 commented 10 years ago

I can try that option but I took Puppet Enterprise out of the way in order to check for other suspicious behavior. In this case I am just calling WebPICmd.exe directly from the :inline value.

  config.vm.define :win1 do |win1|
    win1.vm.box      = "win2008r2"
    win1.vm.synced_folder "../scripts", "/vagrant_data"
    win1.vm.network   :private_network, ip: "10.10.11.11"
    win1.vm.provision :shell, :path => "../scripts/set-ip-address.bat"
    win1.vm.provision :shell, :path => "../scripts/add-hostfile-entries.bat"
    win1.vm.provision :shell, :inline => "C:\\Temp\\Webpicmd.exe /Install /Products:NETFramework4 /AcceptEula"
  end

[win1] Running provisioner: shell...

The software that you obtain using the Web Plaform Installer Command Line Tool is licensed to you by its owner.  Microsoft grants you no rights for third party software.
Successfully loaded primary feed: https://go.microsoft.com/?linkid=9824573
The following software is going to be installed:
EULA: 'Microsoft .NET Framework 4', which is owned by 'Microsoft Corporation', will be downloaded from 'http://download.microsoft.com/download/9/5/A/95A9616B-7A37-4AF6-BC36-D6EA96C8DAAE/dotNetFx40_Full_x86_x64.exe'.
The license agreement to 'Microsoft .NET Framework 4' is available at 'http://go.microsoft.com/fwlink/?LinkId=188993&clcid=0x409'.
Accepted Eulas.
Starting Installation
Started downloading products...
Started downloading: 'Microsoft .NET Framework 4'
Downloaded: 'Microsoft .NET Framework 4'
Started installing Products... 
Started installing: 'Microsoft .NET Framework 4'
Install completed (Failure): 'Microsoft .NET Framework 4'
NETFramework4 : Failed.

Verifying successful installation...
Microsoft .NET Framework 4                         False
    Log Location: %temp%\dd_dotnetfx4install.html
Install of Products: FAILURE
An error occurred executing a remote WinRM command.

Shell: powershell
Command:               $old = Get-ExecutionPolicy;
              Set-ExecutionPolicy Unrestricted -force;
              c:\tmp\vagrant-shell.ps1;
              Set-ExecutionPolicy $old -force

Message: Command execution failed with an exit code of 65535

lmayorga1980 commented 10 years ago

@joefitzgerald Interesting article. Guess you might want to add that registry entry on the Autounattend.xml file :+1:

joefitzgerald commented 10 years ago

Can you try modifying that registry entry manually and rebooting your box to see if it fixes the issue for you?

lmayorga1980 commented 10 years ago

The article does not mention Windows 2008 R2 SP1 and that registry entry was already on the generated VM.

lmayorga1980 commented 10 years ago

http://support.microsoft.com/kb/2526083

ferventcoder commented 10 years ago

WebPICmd is not the best method of trying to install .net framework 4. It fails sometimes for no apparent reason. This is how I do it https://github.com/ferventcoder/vagrant-windows-puppet/blob/master/boxes/shared/shell/InstallNet4.ps1

ferventcoder commented 10 years ago

Just wait until you get to UAC and Windows 8/2012 (with only the registry setting to actually turn it off). Thus choco install disableuac

More on UAC turning off - the control panel on Win 8 no longer allows you to completely turn off UAC (even though it looks like it when you slide the slider all the way down). The reason is the Metro stuff. Once UAC is off completely, the Metro (or whatever it is called now) apps will no longer function at all.

lmayorga1980 commented 10 years ago

Interesting finding about WebPICmd. I did actually use your script and the installation worked just fine but just to let you know that I have a netfx40 puppet manifest that uses the webpicmd command line but the Puppet Enterprise Windows Service runs under the SYSTEM account and everything is fine for this framework version.

Wondering what will happen if I use WebPICmd for Framework 4.5 using the :inline attribute.

Thanks for your help. :+1:

sneal commented 10 years ago

Running installers over WinRM (or even SSH) is tenuous at best. This is why the vagrant-windows chef-solo provisioner doesn't work like the other provisioners. Instead of directly executing chef, it schedules a task with 'elevated privileges' enabled.

Not all administrator accounts are created equal in Windows even with UAC off.

lmayorga1980 commented 10 years ago

Well,

I wonder if it could be possible to take a look at the provisioning logging information while it is executing that scheduled task. At this point I guess I will just configure the .NET Framework packages when building the Windows VM (packer-windows AutoUnattended.xml).

BTW... It didn't work with .netfx451 (Lost my faith in WebPICmd.exe again)

The software that you obtain using the Web Plaform Installer Command Line Tool is licensed to you by its owner.  Microsoft grants you no rights for third party software.
Successfully loaded primary feed: https://go.microsoft.com/?linkid=9824573
The following software is going to be installed:
EULA: 'Microsoft .NET Framework 4.5.1', which is owned by 'Microsoft Corporation', will be downloaded from 'http://go.microsoft.com/fwlink/?LinkId=321332'.
The license agreement to 'Microsoft .NET Framework 4.5.1' is available at 'http://go.microsoft.com/fwlink/?LinkID=330604&clcid=0x409'.
Accepted Eulas.
Starting Installation
Started downloading products...
Started downloading: 'Microsoft .NET Framework 4.5.1'
Downloaded: 'Microsoft .NET Framework 4.5.1'
Started installing Products... 
Started installing: 'Microsoft .NET Framework 4.5.1'
Install completed (Failure): 'Microsoft .NET Framework 4.5.1'
NETFramework451 : Failed.

Verifying successful installation...
Microsoft .NET Framework 4.5.1                     False
    Log Location: %temp%\dd_dotnetfx451install.html
Install of Products: FAILURE
An error occurred executing a remote WinRM command.

Shell: powershell
Command:               $old = Get-ExecutionPolicy;
              Set-ExecutionPolicy Unrestricted -force;
              c:\tmp\vagrant-shell.ps1;
              Set-ExecutionPolicy $old -force

Message: Command execution failed with an exit code of 65535

ferventcoder commented 10 years ago

WebPICmd.exe can be retarded sometimes...

lmayorga1980 commented 10 years ago

Amazing news! Now I trust the Chocolatey guys more than those who created WebPICmd.exe. Guess I will need to remove my dependencies on WebPICMD asap.

ferventcoder commented 10 years ago

We use webpi as a package source, which uses webpicmd.exe.

Not sure what we did to gain your trust more but :+1:

lmayorga1980 commented 10 years ago

Not so sure how other people have solved this issue, but for now I just call a scheduled task.

Now it seems that Windows thinks that the execution of Puppet was a SUCCESS, but it didn't finish completing the tasks and in fact returned the message below in less than a second. "Nice!"

SUCCESS: Attempted to run the scheduled task "ExecutePE".

For now just need to tell my devs: execute vagrant provision and wait till you get the report on the dashboard. or something like this...

SUCCESS: Attempted to run the scheduled task "ExecutePE". Dude: the message above definitely was not a success. Wait until you see the complete report on the puppet dashboard. Sorry I did not implement schtasks
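
The behaviour described in the comment above (the run request reports SUCCESS as soon as the task is queued) can be handled by polling the task until it finishes and returning its real result to the provisioner. This is an added example, not part of the original thread and not vagrant-windows code; it assumes a task named "ExecutePE" is already registered with "run with highest privileges", and the parameter names and the timeout values are illustrative.

```powershell
# Added example: start an existing elevated scheduled task over WinRM and
# wait for it to finish, so the shell provisioner sees the real exit code.
# Assumption: the task "ExecutePE" already exists and wraps the puppet run.
param(
    [string]$TaskName   = 'ExecutePE',   # task name taken from the thread
    [int]   $TimeoutSec = 1800,          # illustrative upper bound
    [int]   $PollSec    = 5              # illustrative poll interval
)

$TASK_STATE_RUNNING = 4                  # TASK_STATE enum value for "Running"

# Task Scheduler 2.0 COM API; works with PowerShell 2.0 on Windows 2008 R2.
$service = New-Object -ComObject Schedule.Service
$service.Connect()
$folder = $service.GetFolder('\')
$task   = $folder.GetTask($TaskName)

# Remember the previous start time so a stale result is never reported.
$previousRun = $task.LastRunTime

# Run() only queues the task; it does not wait for the action to complete.
$null = $task.Run($null)

$deadline = (Get-Date).AddSeconds($TimeoutSec)
$finished = $false
while ((Get-Date) -lt $deadline) {
    Start-Sleep -Seconds $PollSec
    $task = $folder.GetTask($TaskName)   # re-read current state
    $hasStarted = $task.LastRunTime -ne $previousRun
    if ($hasStarted -and $task.State -ne $TASK_STATE_RUNNING) {
        $finished = $true
        break
    }
}

if (-not $finished) {
    Write-Error "Task '$TaskName' did not finish within $TimeoutSec seconds."
    exit 1
}

# LastTaskResult is the exit code of the task's action (0 means success).
Write-Host "Task '$TaskName' finished with result $($task.LastTaskResult)"
exit $task.LastTaskResult
```

The task's own output is not streamed back over WinRM, so the wrapped command should write its log to a file inside the guest if the run needs to be inspected afterwards.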

sneal commented 10 years ago

@lmayorga1980 I'm going to close this issue. This seems to be unrelated to vagrant-windows.

sneal commented 10 years ago

PR #189 should allow .NET installations to complete successfully now without any additional work on your part (will be in vagrant-windows 1.7 and Vagrant core).