Octopus Tentacle permissions


We’re switching to run the tentacles under non-privileged accounts, for security reasons.
In this page http://docs.octopusdeploy.com/display/OD/Running+Tentacle+under+a+specific+user+account+for+use+in+Powershell
there’s a list with minimal rights required by the service to run.
But can they be more specific?
I’m interested in this part:

Full control The Octopus Tentacle Windows Service Tentacle must be able to upgrade and restart itself for remote administration SC.EXE

The problem is that we cannot upgrade the tentacle itself.

Running Tentacle version 3.6.0
Beginning upgrade
Waiting for Tentacle to shut down and restart with the new version 3.6.1…
Running Tentacle version 3.6.0 — repeated many times.
Finishing upgrade
Host Name: WEBST01
Running As: MyDomain\OctopusAgent (Local Administrator: False)
Running Tentacle version 3.6.0
Running latest version of Calamari: 3.6.5
Host Name: WEBST01
Running As: MyDomain\OctopusAgent (Local Administrator: False)
Running Tentacle version 3.6.0

I tried may solutions, including monitoring with process monitor, to see what files/registry/network are accessed during upgrade, I tried using subinacl, but I couldn’t identify all the required permissions.


Thanks for getting in touch. You should be able to see more complete logging around the reason for failure in the raw logs from the upgrade task (click on “Raw” at the top right of the task log screen). Two things are needed to ensure you can run upgrades, permission to the Tentacle service and permission to run the installer MSI. You should see information about either of these in the raw logs.

To check you can control the service start a command prompt as your low privalege user and see if you can start and stop the Tentacle service:
(Throughout the examples I am using “OctopusDeploy Tentacle” as the Tentacle service name, this is the default, but may be different if you have a named Tentacle instance, so check that and use the appropriate name)

sc stop "OctopusDeploy Tentacle"
sc start "OctopusDeploy Tentacle"

To add permissions to the Tentacle service the subinacl command would be:

subinacl.exe /SERVICE "OctopusDeploy Tentacle" /grant=NAME_OF_YOUR_ACCOUNT

The next thing the account needs is permission to run the Tentacle MSI. You can run into problems if you previously ran the Tentacle installation with an Administrator account and then try to run it with a reduced access account, as the new account won’t have permission to uninstall the old version of Tentacle unless it is also an Administrator. To check this you can download a Tentacle MSI from our download page and check that your account can run that:

msiexec /i c:\temp\Octopus.Tentacle.3.6.1-x64.msi /quiet /li log.txt

Then check log.txt for errors.

I hope that helps. If you don’t have any luck with those can you please attach a full raw log of a failed upgrade task.



Thanks for the reply. The MSI was the problem.
I ran the msi install command as the user of the tentacle, and the error I got was due to insufficient rights to run an elevated install.
When I ran the command without /quiet parameter, I was prompted to provide an administrator password.