New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Problems with changing "run as user" on Windows with 2.11 RC1 - Was: Check command 'powershell' does not exist. with new Agent: v2.11.0-rc1 #7387
Comments
Hi,
It may be the case that your zones.conf was modified during upgrade, and the agent denies to receive the synced zone configuration for Also, please share the object Related note: The master/satellite should be upgraded to 2.11 first, is that the case in this scenario? |
Another thought: Did you modify the ITL command config files on the Windows agent by yourself? Such things are overridden on upgrades. |
I just tested the same at my environment (same specs as ChristianMoritz, for this test not updated the master to 2.11 RC) and I had not any issues with the execution of my powershell commands. Agent was Windows Server 2016 |
Cool, thanks for testing 👍 💪 |
I think that first the clients have to be upgraded before you can upgrade the master because otherwise the error comes from the change of the certificates trust and the master would not trust the clients anymore and thus the clients as "unknown" or the like in the monitoring would. My Powershell Checks Use the default "Check-command" powershell... with the option ps_command: These Powershell Scripts lay on the VM insight the Agent Direcory here's the Output of:
|
here is the log entry... [2019-07-26 21:40:58 +0200] warning/PluginCheckTask: Check command for object 'dummy.test.net' (PID: 0, arguments: 'C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe "& 'C:\Program Files\ICINGA2\sbin\pending-updates.ps1'" $LASTEXITCODE') terminated with exit code 127, output: Command C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe "& 'C:\Program Files\ICINGA2\sbin\pending-updates.ps1'" $LASTEXITCODE failed to execute: 5, "Access is denied." seems like after the upgrade the agent is not allowed to run the check. The Icinga2 Agent runs as Network Service insight the Windows Services, so it should be allow to run the Powershell. |
The docu for update-windows notes The Network Services Account which runs Icinga 2 by default does not have the required permissions to run this check. |
Not sure if I can follow. The certificate cipher suite thingy has been fixed, you can apply the workaround inside the Likely it needed a manual intervention, and this now results that the agent received the synced command. Am I right about this step? The following indicates that the agent now received the check command and executes checks, right?
Same as @R-Sommer already mentioned - the permissions for running the specific script are wrong, and presumingly you didn't specify to setup the "run service as user" during configuration routine. Can you share how you're installing the Windows agent, either with a script of yours, or a screenshot of the Windows setup wizard? Are there any errors logged in the Windows event console when executing the command? |
Hopefully this gets fixed with the Windows permissions on its own. For 2.11 and Icinga 2, I don't see a release blocking issue here. I'm leaving this open for further findings. |
the Agent install runs during the deployment of the VM's after the VM is properly deployed, domain joined and so on...
copy-item -Path \path to icinga\Icinga2Agent -Destination $PSHOME\Modules\ -Recurse Get-ChildItem -Path \path to icinga\scripts\ -Recurse | Copy-Item ${env:ProgramFiles}\ICINGA2\sbin\ -Recurse @R-Sommer |
Can you share how you've switched the service user and how you've verified this? Edit: Oh, and please attach |
Maybe a silly question: Does your check had a run after the change of the service user? There is still a bug in the powershell modul (can't find the according issue right now) which ignores the setting about the "Service User" in the director. Workaround: add this parameter:
|
TestsConfigModify the local Powershell terminal as admin, vim is installed via chocolatey.
Network-Service User
LocalSystemChange PermissionsWell, Powershell is from hell. This doesn't work.
This works.
Verify it
ConclusionWorks for me. Therefore I am closing this issue, thanks for testing and providing feedback 👍 Special thanks to @R-Sommer for his ongoing support. Unfortunately I cannot help you with the Powershell module, that's @LordHepipud 's playground and not part of Icinga 2 itself. @lippserd Yet another issue which did cost me quite some hours. If you cannot find the issue with the service user, please create a new one in the Powershell module's repo. I'd say that doesn't hurt. |
Describe the bug
If upgraded the Windows Agent on a Test VM to the new Agent v2.11.0rc1
But until now i didnt Upgrade the Icinga itself to the new RC1!!!!
After the Upgrade of the Agent all my Powershell Checks doesnt run any more.
I Only got the
"Unknown State"
for the Checks with the Output:
"Check command 'powershell' does not exist."
On all VMs which running the Agent v2.10,5 i doesnt got the Issue
Your Environment
Include as many relevant details about the environment you experienced the problem in
Icinga2: r2.10.5-1
OS Ubuntu 16.04.6 LTS
PHP: 7.0.33-0ubuntu0.16.04.5
Icingaweb: 2.7.0
Disabled features: compatlog debuglog elasticsearch gelf grafana influxdb livestatus opentsdb statusdata syslog
Enabled features: api checker command graphite ido-mysql mainlog notification perfdata
Config validation
root@smon03:/# icinga2 daemon -C
[2019-08-02 08:59:35 +0200] information/cli: Icinga application loader (version: r2.10.5-1)
[2019-08-02 08:59:35 +0200] information/cli: Loading configuration file(s).
[2019-08-02 08:59:35 +0200] information/ConfigItem: Committing config item(s).
[2019-08-02 08:59:35 +0200] information/ApiListener: My API identity: smon03.intranet.stg
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 1 ScheduledDowntime.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 3136 Services.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 1 IcingaApplication.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 527 Hosts.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 1 FileLogger.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 6 NotificationCommands.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 3211 Notifications.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 1 NotificationComponent.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 15 HostGroups.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 1 ApiListener.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 10 Downtimes.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 1 GraphiteWriter.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 1 PerfdataWriter.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 13 Comments.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 1 CheckerComponent.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 182 Zones.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 1 ExternalCommandListener.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 180 Endpoints.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 2 ApiUsers.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 4 Users.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 1 IdoMysqlConnection.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 235 CheckCommands.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 2 UserGroups.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 5 ServiceGroups.
[2019-08-02 08:59:36 +0200] information/ConfigItem: Instantiated 5 TimePeriods.
[2019-08-02 08:59:37 +0200] information/ScriptGlobal: Dumping variables to file '/var/cache/icinga2/icinga2.vars'
[2019-08-02 08:59:37 +0200] information/cli: Finished validating the configuration file(s).
The text was updated successfully, but these errors were encountered: