Tentacle upgrade: [SC] OpenService FAILED 5: Access is denied


We’re having some problems when trying to upgrade a tentacle where the user that runs the tentacle service does not have the right to update the service properties. The ‘bug’ seems to be that the sc command fails due to a lack of privileges, but it still tries to then restart the service, which then results in a loooong wait (1h and more) for the whole upgrade task to complete, which then blocks the rest of the task queue.
I’ve attached a screenshot that illustrates the issue.

There are three issues/features connected to this:
1st It would be great if you would define somewhere what privileges a user that runs the tentacle service needs to have to do its job. Because of a compliance issue we have to run the service under its specific user and this user only gets access to whatever is necessary to do his job. So we are currently trying to figure out what the basics are and so far it looks like the following things:

  • Allow updating and restarting the Tentacle service
  • Allow updating and restarting the Windows service that gets deployed
  • Allow updating the IIS path of a website/web-application
  • Allow the user to start the service listening on port 10933

2nd It would be great if we could check the health of a tentacle on demand for a specific machine
3rd It would be great if we could upgrade only 1 specific machine and not all of them at once (or maybe even allow to just upgrade the tentacles of a specific env?)

Thanks for all the feedback. I’ve raised a bug regarding the upgrade failure.

I’ve also started some documentation on Tentacle permission requirements at http://docs.octopusdeploy.com/display/OD/Running+Tentacle.exe+under+a+specific+user+account - it is incomplete but as we identify different items we’ll update the list.

https://github.com/OctopusDeploy/Issues/issues/831 covers the targeted Tentacle upgrade requirement - feel free to add your scenario details there if it would help.

We’ll consider targeted health check too but given the “real time” status reporting we surface on the Environments and Machine Connectivity pages this one is not likely to make the list at this point.

Thanks again,
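
An added example, not part of the thread and not Octopus Deploy code: a PowerShell check of whether a restricted service account is allowed to reconfigure, start and stop a service, based on the security descriptor printed by `sc.exe sdshow <service>`. The function name, the account SID and the sample SDDL are constructed for illustration, and the choice of rights to check (change config, start, stop) is an assumption about what the `sc` calls in the upgrade need. The evaluation is simplified: it only looks at ACEs for the trustees you pass in and does not expand generic rights or hex masks.

```powershell
# SDDL two-letter codes for the service access rights checked here.
$ServiceRights = @{
    DC = 'SERVICE_CHANGE_CONFIG'   # required to change service properties
    RP = 'SERVICE_START'
    WP = 'SERVICE_STOP'
}

function Get-ServiceRightGap {     # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $Sddl,     # text from: sc.exe sdshow <service>
        [Parameter(Mandatory)] [string[]] $Trustee,  # account SID plus SDDL aliases it matches
        [string[]] $Required = @('DC', 'RP', 'WP')
    )
    # Keep only the DACL: everything after "D:" up to the SACL marker "S:" (if any).
    $m = [regex]::Match($Sddl, 'D:(?<dacl>.*?)(S:|$)')
    if (-not $m.Success) { throw 'No DACL found in SDDL string' }

    # ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
    $acePattern = '\((?<type>[^;()]*);[^;()]*;(?<rights>[^;()]*);[^;()]*;[^;()]*;(?<sid>[^;()]*)\)'
    $allow = New-Object 'System.Collections.Generic.HashSet[string]'
    $deny  = New-Object 'System.Collections.Generic.HashSet[string]'

    foreach ($ace in [regex]::Matches($m.Groups['dacl'].Value, $acePattern)) {
        if ($Trustee -notcontains $ace.Groups['sid'].Value) { continue }
        # Rights are concatenated two-letter codes, e.g. "CCLCSWRPWP".
        $codes = [regex]::Matches($ace.Groups['rights'].Value, '[A-Z]{2}') |
                 ForEach-Object { $_.Value }
        switch ($ace.Groups['type'].Value) {
            'A' { foreach ($c in $codes) { [void]$allow.Add($c) } }   # allow ACE
            'D' { foreach ($c in $codes) { [void]$deny.Add($c) } }    # deny ACE
        }
    }

    foreach ($code in $Required) {
        [pscustomobject]@{
            Code    = $code
            Right   = $ServiceRights[$code]
            Granted = $allow.Contains($code) -and -not $deny.Contains($code)
        }
    }
}

# Constructed sample: a typical service DACL plus one ACE for a made-up
# service account SID that may start and stop the service but not reconfigure it.
$svcSid     = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$sampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              "(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPLORC;;;$svcSid)" +
              'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

Get-ServiceRightGap -Sddl $sampleSddl -Trustee $svcSid, 'SU' | Format-Table -AutoSize
```

For the sample descriptor the `DC` row reports `Granted = False` while `RP` and `WP` report `True`, which is the kind of gap that lets start and stop succeed while a property update is refused with error 5.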