Octopus Deploy's Permissions for Web Site Files - iis

I have several ASP.NET Core Web API services that are deployed via Octopus Deploy (v2019.12.1) to IIS.
I am trying to figure out how the permissions work to the files. When I look at the files/folders, they do not have any any permissions setup on them to allow the App Pool to access them. I don't understand how this works. But I did not care until today when stopped working.
I setup a file share to the Applications folder under the Octopus2 directory. When I did that it all stopped working. My sites now give me an error saying that they do not have permissions to access the config file.
When I look up fixes for this, they say I need to add the App Pool to the file/folder security. When I do this it works... until the next deploy when octopus makes another folder that does not have the added permissions. I could move those permissions up a folder, but then I am moving to manually managing it.
And somehow it worked without giving the App Pool direct permissions. So here is my question:
For an Octopus Deploy IIS Web Application, how does the application have access to the config file? (Assuming you did not do anything beyond the basic template for an IIS Web Application (and supplying a user for the App Pool).

In my case I'm using the custom installation folder where I'm keeping all my applications.
D:\Applications
D:\Applications\Product\Services\App1
D:\Applications\Product\Services\App2
Before any deployment I have a step (required step) in order to set up root home directory as above.
Create Folder step
I'm granting all IIS application's identities ability to access their installation folder.
In case you are using Octopus installation directory you can create child step which will grant desired permission to your application identity.
Application directory:
Octopus.Action.Package.InstallationDirectoryPath
Octopus System Variables

Related

Azure web hosting using FTP / MS WebDeploy

Can I host a web application created on .net core 2.1 with sql server as database to azure web app service using CI tools / MS WebDeploy?
The following points I want to take care:
The application is using file system for temp storage and file storage
Deployment should be managed by some CI tools such as jenkins
After deployment, the app settings file should be modified with some keys/server details
Log files(stored on app root) should be accessible by application administrator
Is there a way to create a virtual directory same as in IIS and upload the files using FTP or similar protocols..?
All your doubts about deploying .net core 2.1 web app are achievable.
Suppose our projects are all completed and uploaded to github.
Questions and explanations about your concerns:
About the connection configuration using the database, you can directly configure it in web.config. If you are using azure sql server, find the connection string, set up the firewall, and pass the SSMS test, you can test the connection in the code. It can also be added in the Configuration -> Application settings -> Connection strings in the portal. After the addition, the priority is higher than the configuration in web.config, which will override the configuration and not modify the web.config file.
Regarding the use of file storage, you can use azure storage services or not. Looking specifically at the business, for example, very small pictures, documents and other files can be stored in the current program running directory, which is consistent with the original development at the code level. When publishing, you need to include the MyFiles file in the publishing process, or wait for the publishing to be completed and add folders manually in kudu, or the program can judge. It is recommended to use the program to judge that the subsequent program upgrade will not lose data.
The confidential information in the app settings file can actually be configured in web.config or appsetting.json. Make sure that the offline project is running properly when you are debugging locally, and then you can publish it. The rest is configured in the portal as in the first explanation.
The Log Files file storage can fully achieve the effect you want. It should be enough to set the owner permissions of this app services. For details, please refer to the official documentation.
Virtual directories and virtual applications, I have a better answer in another post here, you can refer to it.
Steps:
First of all, we can create a web app in portal and select .net core 2.1. Create appservices, and click Deployment Center when finished.
Follow the prompts step by step, and wait until the Action in github is completed, and the release is successful.

Changing AppPool folder permissions in Azure App Service - IIS APPPOOL\MyUserName

I've deployed nopCommerce as an Azure App Service using the simple Web Publish option.
Having then tried to configure the installation by running the nopCommerce installer I receive the following errors.
The 'IIS APPPOOL\MyUserName' account is not granted with Modify permission on folder....
Now normally this would be a trivial fix as I would login the application IIS server and presumably grant modify permissions to the IIS APPPOOL user for the given folders. However because this is an Azure App Service, I do not believe there is any way to login to the actual VM that runs all my application instances and thereby grant permissions to the APPPOOL user.
So is there some way to work around this? Can I grant these permissions using some other means for an Azure App Service (for example using the console in Azure)?
For anyone curious the actual solution was creating these folders.
wwwroot\bin
wwwroot\log
and the files:
installedPlugins.json
dataSettings.json
Once I added those files/folders I was able to successfully complete the installation.

How to set file/folder permission for azure cloud service package

I'm using VSTS to deploy a azure cloud service package and getting a file access issue for web.config not able to be written to after a successful deployment.
At the moment I manually set the file permission via RDP to correct it for eg. on e:\siteroot\1\Web.config (Everyone FC)
To avoid this manual step - how can I set a folder/file permission for a file under cloud service deployment.
The issue seems not related to azure projects directly. It's not suggest to give a permission with Everyone FC, this may cause security risk.
For Azure Cloud Services Web Roles, the default Application Pool Identity account is “Network Service”.
In a normal basis the Application Pool account needs read permission over the web.config file so it can read all the application configuration.
For this kind of issue, you could creating a Startup Task to give write permission to Network Service in the application Web.config file.
Please go through the detail steps in this similar issue: Error “Access to the path ‘E:sitesrootWeb.config’ is denied” when storing Azure AD’s public key in Web.config of an Azure Cloud Services application.
Also take a look at this related question: Web.config Access denied when Package Azure cloud services projects in Visual Studio 2013 for Web
You can create a .bat file where you call the icacls command with the parameters you prefer:
How to grant permission to users for a directory using command line in Windows?
and then you can configure a startup task for your cloud service to run this file:
https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-startup-tasks

Azure: 409 Conflict: Cannot delete directory. It is either not empty or access is not allowed

I use Azure with node js App Service.
When i try to delete empty folder using ftp or kudu app in node_modules folders i get error: 409 Conflict: Cannot delete directory. It is either not empty or access is not allowed. This folder is totally empty. How i can delete it?
Check AppSettings of Web App and delete the setting ‘WEBSITE_RUN_FROM_PACKAGE’ or changing the setting value to 0.
0 - write mode;
1 - read-only mode
All Azure Web Apps (as well as Mobile App/Services, WebJobs and Functions) run in a secure environment called a sandbox. Each app runs inside its own sandbox, isolating its execution from other instances on the same machine as well as providing an additional degree of security and privacy which would otherwise not be available. For more details, refer to this article.
For directory level access please refer the below:
Home directory access (d:\home):
Every Azure Web App has a home directory stored/backed by Azure Storage. This network share is where applications store their content. This directory is available for the sandbox with read/write access.
The sandbox implements a dynamic symbolic link in kernel mode which maps d:\home to the customer home directory. This is done to remove the need of the customer to keep referencing their own network share path when accessing the site. No matter where the site runs, or how many sites run on a VM, each can access their home directory using d:\home.
Local directory access (d:\local):
This is a temporary directory and can be deleted when no longer needed. This directory is a place to store temporary data for the application. The application naturally has read/write access to this directory.
Note that the d:\local folder in the scm site (where Kudu runs) is not the same as the one in the main site (where the web app runs). As a result, they cannot see each other's local files.
Incase if you haven’t tried this already, use the rmdir directoryname /s /q command in Kudu Console to delete the directory and see if that works.
You can also run this command from Web App console. To access, Goto Web app -> Development Tools -> Console
Hope this helps.
There is a Process explorer tab in the header.
Open Process explorer
Kill the task that's using the folder or file
You will be able to delete the folder in question
This is how I resolved the same issue.
Here is my solution: adding this option to your step deploying to the app service.
Hope it would help
You may use the command api to do that. Craft a CMD or PowerShell command that'll clean your wwwroot and then execute it.
I tried all of the upper solutions and didn't worked. Blackhole!
I stopped the app service, removed the files and started again. It worked.

folder created within an api service not loading

I created an app service at http://testsam.controltrackonline.com, it loads properly. I have also created a folder within it called webapi but it does not load up and does not allow publishing content to it via appVeyor. The non loading folder location can be loaded here http://testsam.controltrackonline.com/webapi
I do not see any permissions issues surrounding this as other app services with same settings load well with folder within. But for this appservice there seems to an issue.
Any ideas?
It seems that you'd like to publish content to an Azure web app virtual directory, so please make sure you configure virtual directory or application under Application settings blade in the Azure Portal.
Note: you can also refer to "Deploying multiple virtual directories to a single Azure Website" to set up the virtual directory or application.
I have also created a folder within it called webapi but it does not load up and does not allow publishing content to it via appVeyor.
I do not see any permissions issues surrounding this as other app services with same settings load well with folder within. But for this appservice there seems to an issue.
Please try to use FTP or Kudu to access your Azure web site folder, and then you can try to upload your content package to webapi folder and check if it works as expected.
Besides, If issue only appear on that specific app service, you can create an Azure support request, Azure support can help you investigate the issue.

Resources