Tentacle service account permissions recommendations

Octopus introduced me to PowerShell and, well, I made a mistake I thought I would never make... I wiped out the C:\ drive of a build agent due to a bad script:

    Remove-Item "$ObfuscateLocation*" -Force -Recurse -ErrorAction SilentlyContinue

and $ObfuscateLocation was never defined in Octopus. D'oh!

This would not have happened had I not set up our "svc_octodeploy" service account as admin on the build agent box. (Lost a few hours, but everything is back up.)

I’m looking for a way to have minimum privileges for this service account.

  • Only has access to the folders it is explicitly granted:
    • C:\Octopus
    • C:\Program Files (x86)\Octopus Tentacle
    • Network shares are easy, since you share them to a specific user.
  • Since it runs as a service, it's automatically given "Log on as a service" in Local Security Policy.
  • netsh http add urlacl url=http://*:10933/ user=domain\svc_octodeploy
    • Otherwise you get AddressAccessDeniedException.

I did the above, but it hangs on the "downloading packages" step.

2012-08-10 15:54:06 ERROR System.ServiceModel.ServerTooBusyException: The HTTP service located at http://10.10.71.46:10933/Packages/ is too busy. ---> System.Net.WebException: The remote server returned an error: (503) Server Unavailable.
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)

Any recommendations that have worked to give the Tentacle minimum privileges?

Thanks,

lm

Ouch! I am very sorry this happened to you.

Can you try also giving the user account:

  • Read/write access to %windir%\Temp
  • Full access to HKLM\Software\Octopus

Also, can you check the Windows event log? It may have more information about what is causing the 503.

Paul

Oh, in your netsh command, you may need to use “+” instead of “*”. For example:

netsh http add urlacl url=http://+:10933/ user=domain\svc_octodeploy

Regards,
Paul Stovell
Octopus Deploy | Application Developer
W: octopusdeploy.com | T: @octopusdeploy
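The folder grants from the first post together with the %windir%\Temp and HKLM\Software\Octopus grants from Paul's reply above, as one added PowerShell example. This is not code from the original thread or from Octopus Deploy; the account name domain\svc_octodeploy, the paths and the Grant-* helper names are assumptions taken from the thread, and the script must be run from an elevated prompt on the build agent.

```powershell
# Added example (not from the original thread or Octopus Deploy): put the
# Tentacle service account on a least-privilege footing by granting only the
# paths and keys named in the thread, and check it is not a local Administrator.
# Run elevated on the build agent. Account name and paths are assumptions.
param(
    [string]$ServiceAccount = 'domain\svc_octodeploy',
    [string]$TentacleHome   = 'C:\Octopus',
    [string]$TentacleBin    = "${env:ProgramFiles(x86)}\Octopus Tentacle"
)

# Grant an NTFS right on a folder, inherited by everything below it.
function Grant-FolderRight {
    param(
        [string]$Path,
        [string]$Account,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    if (-not (Test-Path -Path $Path)) { New-Item -ItemType Directory -Path $Path -Force | Out-Null }
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    "granted $Rights on $Path to $Account"
}

# Grant a registry right on a key and its subkeys, creating the key if needed.
function Grant-RegistryRight {
    param(
        [string]$Key,
        [string]$Account,
        [System.Security.AccessControl.RegistryRights]$Rights
    )
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $acl  = Get-Acl -Path $Key
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($Account, $Rights, 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl
    "granted $Rights on $Key to $Account"
}

# The point of the exercise: the account must not be a local Administrator,
# otherwise none of the grants below limit anything.
$admins = net localgroup Administrators
if ($admins -match [regex]::Escape($ServiceAccount)) {
    Write-Warning "$ServiceAccount is a member of local Administrators; remove it first."
}

# Folders from the first post. Full control on the install folder is what the
# post grants; running alone would need less, but upgrades write into it.
Grant-FolderRight -Path $TentacleHome -Account $ServiceAccount -Rights FullControl
Grant-FolderRight -Path $TentacleBin  -Account $ServiceAccount -Rights FullControl

# Additions from Paul's reply: read/write on %windir%\Temp, full access to HKLM\Software\Octopus.
Grant-FolderRight   -Path "$env:windir\Temp"       -Account $ServiceAccount -Rights Modify
Grant-RegistryRight -Key  'HKLM:\SOFTWARE\Octopus'  -Account $ServiceAccount -Rights FullControl
```

"Log on as a service" is not granted here because, as the first post notes, the service installer assigns it; the warning about local Administrators is there because the grants are pointless while the account is still an admin.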

OK, I was wrong about that. I added

http://+:10933

then:

http://*:10933

And got the same 503 as you. Deleting the +:10933 worked.

Perhaps try a “netsh http show urlacl” to see if you have any other reservations for 10933?

Regards,
Paul Stovell
Octopus Deploy | Application Developer
W: octopusdeploy.com | T: @octopusdeploy
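A check for the situation Paul describes above (a + and a * reservation both present on 10933, giving the 503), as an added PowerShell example that is not from the original thread or from Octopus Deploy. It parses "netsh http show urlacl" as suggested; the port, the account name and the Get-UrlReservation helper name are assumptions, and it needs an elevated prompt.

```powershell
# Added example (not from the original thread or Octopus Deploy): list the
# HTTP.sys URL reservations that touch the Tentacle port and flag the
# "+ and * both reserved" state that reproduced the 503 in this thread.
# Run elevated; the port and account are assumptions taken from the thread.
param(
    [int]$Port = 10933,
    [string]$ServiceAccount = 'domain\svc_octodeploy'
)

# Parse "netsh http show urlacl" into one object per reservation:
#   Reserved URL            : http://+:80/Temporary_Listen_Addresses/
#       User: \Everyone
function Get-UrlReservation {
    $found   = @()
    $current = $null
    foreach ($line in (netsh http show urlacl)) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            $current = [pscustomobject]@{ Url = $Matches[1]; Users = @() }
            $found  += $current
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += $Matches[1]
        }
    }
    return $found
}

# Keep only reservations whose host:port part ends in the Tentacle port.
$onPort = @(Get-UrlReservation | Where-Object { $_.Url -match "^https?://[^/]+:$Port/" })

if ($onPort.Count -eq 0) {
    "no reservation on port $Port; add one with:"
    "  netsh http add urlacl url=http://*:$Port/ user=$ServiceAccount"
}
foreach ($r in $onPort) {
    "{0}  ->  {1}" -f $r.Url, ($r.Users -join ', ')
    if ($r.Users -notcontains $ServiceAccount) {
        Write-Warning "$($r.Url) is not reserved for $ServiceAccount"
    }
}
if ($onPort.Count -gt 1) {
    Write-Warning "port $Port has $($onPort.Count) reservations; this thread hit the 503 with both + and * reserved."
    "remove the one the Tentacle does not use, e.g.: netsh http delete urlacl url=$($onPort[0].Url)"
}
```

The script only reports; the delete command it prints is the one to run once you have decided which reservation the Tentacle actually binds to.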

One problem after setting all Tentacles to run under minimum privileges is that now I cannot auto-upgrade Tentacles.

System.InvalidOperationException: Cannot open Octopus Tentacle service on computer '.'. ---> System.ComponentModel.Win32Exception: Access is denied

Some other problems we ran into were:
IIS modifications require r/w on: C:\Windows\system32\inetsrv\config\

needed by the Tentacle for IIS path switching

and updating Windows services. I had to create an account I use to elevate only when I need to:
sc start/stop services...

# Elevate only for the service change: $computerName and $cred (the elevated
# account) are set earlier in the deployment script.
Write-Host "The service will be stopped and reconfigured"
Invoke-Command -ComputerName $computerName -Credential $cred -ArgumentList @($ServiceName, $fullPath) -ScriptBlock {
    param(
        [string]$ServiceName,
        [string]$fullPath
    )
    Stop-Service $ServiceName -Force
    # sc.exe requires the space after "binPath=" and "start="
    & "sc.exe" config "$ServiceName" binPath= $fullPath start= auto | Write-Host
}

Minimum permissions eliminate accidental mess-ups like mine, but there is a need to elevate at various points of deployment.

If you are getting the error “Retrieving the COM class factory for remote component with CLSID {2B72133B-3F5B-4602-8952-803546CE3344} from machine localhost failed due to the following error: 80070005 localhost.” then you will need to grant Launch and Activation Permissions and Access Permissions to the DCOM component “ahadmin” through Component Services.

If the settings are greyed out, you will first need to take ownership of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9fa5c497-f46d-447f-8011-05d03d7d7ddc} and give yourself full access. Then restart Component Services and the settings will be editable.
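A read-only check to run before changing the DCOM permissions described above, as an added PowerShell example that is not from the original thread or from Octopus Deploy. It uses the CLSID and AppID quoted in the post; the Get-DcomPermission helper name is an assumption, and it needs an elevated prompt.

```powershell
# Added example (not from the original thread or Octopus Deploy): before editing
# DCOM permissions by hand, confirm the CLSID from the error maps to the ahadmin
# AppID, show who owns that key, and decode who already holds Launch/Activation
# and Access permissions on it. Read-only; run elevated.
$clsid    = '{2B72133B-3F5B-4602-8952-803546CE3344}'
$appIdKey = 'HKLM:\SOFTWARE\Classes\AppID\{9fa5c497-f46d-447f-8011-05d03d7d7ddc}'

# Decode one of the binary security descriptors DCOM stores under the AppID key
# ('LaunchPermission' or 'AccessPermission') into readable ACEs.
function Get-DcomPermission {
    param([string]$Key, [string]$ValueName)
    $bytes = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).$ValueName
    if (-not $bytes) {
        return [pscustomobject]@{ Value = $ValueName; Identity = '(not set: machine-wide defaults apply)'; Type = ''; Mask = '' }
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Value    = $ValueName
            Identity = $who
            Type     = $ace.AceType
            Mask     = ('0x{0:X}' -f $ace.AccessMask)
        }
    }
}

# The CLSID in the error message should point at the AppID key named in the post.
$mapped = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction Stop).AppID
"CLSID $clsid -> AppID $mapped"

# Greyed-out settings in Component Services are what the post fixes by taking
# ownership of this key first, so show the current owner.
"owner of AppID key: " + (Get-Acl -Path $appIdKey).Owner

@('LaunchPermission', 'AccessPermission') |
    ForEach-Object { Get-DcomPermission -Key $appIdKey -ValueName $_ } |
    Format-Table -AutoSize
```

If the service account is absent from the decoded LaunchPermission and AccessPermission entries, that is the Launch and Activation / Access grant the post says to add through Component Services.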