I am having an windows executable and rpm in shared path that resides in a CIFS/SMB/NFS file sharing system which has a user name and password. How to pass the source path with credentials in the manifest of puppet master and run it through agent. I am getting "Source doesn't exist", though I am able to access the file through windows command prompt. Any help is greatly appreciated!
The most important thing to understand with the Puppet agent it runs under Local System SYSTEM context by default, which won't usually have access to network resources. So you will need to account for that by changing the user the service runs under to another user that has administrative access to the machine.
When it works if you run puppet agent -t (which runs under your user context), but not when the service runs (runs under the service account), it usually has to do with a permissions issue.
I'll provide links to the documentation once it comes back up.
HTH
Related
Using Delphi 11 Alexandria on a Windows 10 PC. I am deploying to a Cloud "Linux" server. This works, but the path it uses on Linux is too convoluted and not what I want.
The DocWiki tells me to change the Remote Machine Information in the "Connection Profile". But I am unable to see any such field.
So, how do I change the path on the Linux machine?
One place to set the target directory for each deployment file is from the Delphi main menu: Project -> Deployment where you can select a given Platform and Release type. Can edit the field directly in the list shown.
Note that by default PAServer runs in restricted mode and will not place files outside of the scratch directory. Look at the docs for PAServer for the command line parameter to run unrestricted.
The Question:
Why can't the LocalSystem account (NT Authority\System) see files in the Recycle Bins or the Temporary Internet Files directory?
Background:
I created a scheduled task to run using the System account. The purpose of the task is to execute the Disk Cleanup Utility with predefined setting (for example: cleanmgr.exe sagerun:1). When it executes, it seems to run with no errors. But when I check the resources it's supposed to clean (Temporary Internet Files, Recycle Bin etc.), they're still there.
So I thought maybe cleaning up the two resources manually might work. I developed a console application in C# that clears the Recycle Bin and the Temporary Internet Files. I test it and it works just fine. But again, when I attempt to run it as a scheduled task with the System account, I run into the same issue again.
Following the log, it looks like when running the application with System account, it sees no files are in the Recycle Bin or the Temporary Internet Files directory.
Upon checking the Security tab for the Temporary Internet Files directory, it shows System as a full access account to that directory.
I'm so puzzled by this issue. I may be missing something but I assumed the LocalSystem account has the highest privilege on a machine. Is that not the case?
I'm confused about setting up Jenkins slave on Mac. Google seems to have a great answer for java web start option (https://blog.codecentric.de/en/2012/01/continuous-integration-for-ios-projects-with-jenkins-ci/), however can someone clarify steps for setting up jenkins slave on mac with ssh start option.
Currently jenkins master is on Centos. As I understood, to make a slave on Mac you should:
1. Go to Mac and create a new full-fledged sudo user for jenkins with home folder where agent itself will reside.
2. Set up node as ususal linux node in Jenkins web interface with login|pass for this user.
3. Restrict your mac build to this node.
However I'm not sure if first step is right - do i need to set up jenkins user by hand with elevated privileges, ability to log onto machine, etc. Perhaps it's possible to create a "hidden" user - if that is so, can someone help or point to good manual for this? I'm new to mac terminal, so not sure if steps all the same as linux or different.
Thank you.
Just finished setting up my Mac mini slave for ssh access. Lots of old tutorials and ones with unnecessary information. I had to reboot my mini to start over again and this time it worked.
To put it quickly (this is all through terminal/command line, no Ubuntu nothing else):
Create ssh private and public keys with ssh-keygen. In my case keys were given to me with -C "name" but no passphrase and with file names of id_rsa and id_rsa.pub. Keep private (non .pub) key to be used by Jenkins Credentials later and for testing purposes while verifying things are working for ssh connection without having to relaunch Jenkins agent, the private key should be kept in the /Users/<username>/.ssh directory and readable permission and ownership of the user of local test host if that's how I'm testing it
mkdir .ssh in remote Mac mini slave's /User/jenkins/ directory
on Mac mini make sure owner of .ssh directory and any sub directories or files are jenkins and NOT root (sudo chown ...).
make sure permissions of .ssh directory and any sub dirs or files are read and writeable (if you haven't set ownership properly, in order to change permissions you will be required to use sudo. If you are using sudo to set permissions, you haven't properly set ownership to the jenkins user)
allow remote login in the Mac mini system preferences -> Sharing -> check Remote login and allow Administrators and static IP -> Network -> TCP/IP -> DHCP with manual or completely manual
on test host/local machine (non Mac mini) terminal and command line ssh jenkins#static.ip.address.of.MacMini to make sure you can ssh into remote Mac mini with password authentication. You may get a request to okay the new host (at remote Mac mini's IP address).
then logout and in local machine use ssh-copy-id -i to copy contents of id_rsa.pub (whether its in .ssh or wherever) to authorized_keys found here.
this will automatically generate authorized_keys file in .ssh directory
make sure authorized_keys file is also of proper permission
in Jenkins manage nodes. Create a new node. Add credential and make it ssh username with private key. Username: jenkins. Private key: enter directly. String should be copied from local machine test host private key (pbcopy<~/.ssh/id_rsa) including the ==== begin and end private key ====== parts and then save.
Then on new node configuration No need for toolkit. Remote root directory: /Users/jenkins. Host: Mac mini's static IP address. Host Key verification strategy: Manually Trusted Key verification strategy. Check require manual verification of initial connection
upon first connection attempt if you don't have JDK setup and running then do so. I downloaded Java 8 Stack Exchange Development Kit and once I confirmed it was installed on Mac mini with javac-version and java-version I launched agent again and authenticated no problem.
My mistakes from reading old tutorials were:
trying to remove the need for passwords in /etc/ssh/sshd_config. This was completely unnecessary
Also, I may have not paid attention to the owner and/or screwed up permissions of .ssh, .ssh/authorized_keys & .ssh/id_rsa in remote and my local machine as well.
Initially I deleted the ===== Begin private key and ======End private key when I manually entered the private key when creating the credential in jenkins. Those should be included. The file of id_rsa should be left as is.
You do need a user on the Mac which the Jenkins master will use to ssh in. But this is exactly the same as setting up a Linux slave.
Whether the user needs elevated privileges depends on what you want Jenkins to do with the account.
You also need to log into Mac from the console using an admin user and turn on remote login in the Sharing panel of System Preferences. In the same panel you can restrict the remote login to specific users or allow all users to log in.
If I were you, I would create a normal user for Jenkins using the Users and Groups panel in System Preferences. Creating a hidden user using command line tools is possible, but it is a bit involved. If you really want to go there, you can check how postinstall script in Jenkins Mac installer creates a user named jenkins:
https://github.com/jenkinsci/packaging/blob/master/osx/scripts/postinstall-launchd-jenkins
Is there a way that I can secure the webapps folder in Tomcat from direct access from a system user? In other words, I dont want a user to logon to the server machine and access the webapps folder. However, id still like the contents of the webapps folder to be served accordingly.
Would a soloution such as TrueCrypt to encypt the folder work? Or something like Windows admin rights? However, id still need a user to logon to the server machine to start and stop tomcat (bin folder) but not have access to the webapps folder.
Update Feb 15 '11: Yes, it's to stop someone logging onto the server machine and deply/undeploy. Since I'm going to be using a windows machine, I will probably restrict access to the tomcat folder and create an exe on the desktop to start and stop the services.
I am not sure what you mean by "access webapps folder", I will assume this means user can deploy/undeploy webapps and start/stop Tomcat. In Unix this can be doable as follows:
create a user for Tomcat. Change umask so all created files are only readable by this user and no one else, similar for directories.
create a user (e.g. system) that will be stopping/starting Tomcat.
give sudo rights for user system just to be able to start/stop Tomcat. You can, for example, externalize catalina.sh start and catalina.sh stop scripts somewhere in /usr/local/bin and give sudo access to those.
create a script that takes yourwebapp.war and copies to $tomcat_home/webapps or invokes relevant Tomcat manager command (for deployment/undeployment). Again, give sudo rights just for that script but otherwise change it's mode to 700 so it is not even readable by system user.
My application is not supposed to perform any administrative tasks, so I want a normal User account to be able to run it. Only thing is, my application reads from and writes to a database file; if the user running Windows 7 (Or Vista) installs my app in drive C, the drive's default permission set configuration doesn't allow my app to write data.
How can I allow my app to write to C:, without requiring full administrative privileges?
If the database file exists at install time you can just grant the user write access to the file as part of the installation process (ordinary users do not have this permission by default). If the file needs to be created by the program the user running the program will need modify permissions on the c drive, which is not something that I would recommend.
I'd suggest storing your db file in Documents and Settings / App data / your app / directory. It exists specifically for this purpose. Writing to C:/Program Files is not so good practice. If that's possible in your case, that is.
You need to open UAC (User Account Access) and set security slider to the bottom. Then you can access drive C: as you did in windows XP.
I decided to modify directory permissions in the setup process, so I created an .exe file that changes the permissions of its start-up path, and gives all users access to that path. I simply included that .exe file in my deployment project, and created a Custom Action that would run the file in the Commit phase of installation.
Because the setup asks the user for administrative rights when it is being installed, my .exe also enjoys administrative privileges and can modify the permissions of the installation directory.
In my .exe, I used a Process instance to run the ACL utility shipped with Windows (icacls.exe) as follows:
ICACLS.EXE [TargetDir] /T /C /grant Users:F
(Make sure that [TargetDir] doesn't end with a "\" or the call will fail.)
This gives all users full control access to the target directory.
I could also write .NET code and change directory permissions manually, but I'm a little lazy!
You may however want to inspect your environment conditions thoroughly so that what you do wouldn't become a security hole in your environment; but this was suitable for me.
I hope this helps others who faced the same issue.
The user by default should have write permissions to drive C:, if not, then you will need to change the directory you read from and write to, to the executing directory (C:/Program Files/Your App/) rather than the root of C:
You can get this by
String Path = Path.GetDirectoryName(Application.ExecutablePath);