In Puppet, I use an EXEC resource to "view" files from TFS by calling TF.EXE. The TF VIEW command allows me to fetch the files without needing a workspace.
I am using Puppet 3.4.3 with Puppet Enterprise 3.2.3. The agent is running on a Windows 2008R2 VM.
When the automatically scheduled puppet agent run occurs, the TF VIEW commands all succeed. When I use "Live Management" to perform a "runonce", the TF VIEW commands all log an error to puppet and to the Windows Application log, the infamous TF30063 error.
Thinking that the two methods might use different authentication, I hard-coded a user/password in the TF command. This did not fix the problem.
I tried other things:
- Deleted the auth cache for TFS.
- Checked the IE proxy settings (no proxy used).
- Added our TFS server to the allowed site list in IE.
Here is the flavor of the TF.EXE command:
TF.exe view /collection:http://<MY_SERVER>.<MYCOMPANY>.com:8080/tfs/<MY_COLLECTION> /output:c:\phx_deployer\<MORE_PATH>\<MY_FILE>.zip $\ReleasePackages\<MORE_PATH>\<MY_FILE>.zip /login:<USER>,<PASSWORD> /version:L2.60.1.87
UPDATE:
Further testing reveals that the different behavior can be attributed to which user is running the puppet process on the agent machine.
- The account set up for puppet, which has suitable privileges for TFS.
- nt authority\system, which does not.
I was able to determine this by checking two things:
- In the puppet enterprise GUI, go to the "Nodes" page and click on the problem node. Part of the display includes facts. The "id" fact tells which user account was used to run the catalog most recently. When the scheduled run occurs, this is set to tourspuppetsvc, the correct account. When the runonce run occurs, this is set to "nt authority\system".
- On the agent machine, in the Task Manager, I checked the box "Show processes from all users" and saw that there were multiple "ruby.exe*32" processes. At least one was running as "SYSTEM".
Why is puppet runonce using the wrong user? That is now the real question.
UPDATE 2:
I learned that runonce is executed by the Marionette Collective Service (pe-mcollective) which runs under a different account than the regular puppet agent service. This is a "feature". I changed the account that runs this service and all works as expected now.
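A quick way to confirm the account mismatch described above before touching any service: the following PowerShell diagnostic is an added example, not part of the question, and assumes the Puppet agent service is named "puppet" ("pe-mcollective" is the name given in the question). It prints the logon account of each service and warns when they differ, since exec resources run as whichever service launched the catalog run.

```powershell
# Added diagnostic (not from the question): compare the logon accounts of the
# Puppet agent service and the pe-mcollective service. "runonce" from Live
# Management is executed by pe-mcollective, so a different StartName there means
# exec resources such as the TF.exe view run as a different Windows user.
# Assumption: the agent service is named 'puppet'; adjust if your install differs.
$services = 'puppet', 'pe-mcollective'
$accounts = @{}

foreach ($name in $services) {
    # Win32_Service works on Windows 2008 R2 / PowerShell 2.0
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) {
        Write-Warning "Service '$name' not found on this host"
        continue
    }
    $accounts[$name] = $svc.StartName
    "{0,-16} runs as {1}" -f $name, $svc.StartName
}

if ($accounts.Count -eq 2 -and $accounts['puppet'] -ne $accounts['pe-mcollective']) {
    Write-Warning "Scheduled agent runs and runonce will execute exec resources as different users."
    Write-Warning ("Scheduled: {0}   runonce: {1}" -f $accounts['puppet'], $accounts['pe-mcollective'])
    # To align them (placeholder account and password; run from an elevated prompt,
    # then restart pe-mcollective so the new identity takes effect):
    #   sc.exe config pe-mcollective obj= "DOMAIN\tourspuppetsvc" password= "<PASSWORD>"
} elseif ($accounts.Count -eq 2) {
    "Both services run as $($accounts['puppet']); runonce and scheduled runs should behave the same."
}

# Identity of the current session, i.e. what an exec resource launched from
# this shell would report (the Puppet "id" fact shows the same for catalog runs)
"Current session identity: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
```

Run it on the agent machine; if the warning fires, the pe-mcollective service is the one to reconfigure, as the Update 2 resolution describes.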