Set-IcingaAgentServiceUser.psm1 - will always return $FALSE
Hello,
I am using Ansible to automate the installation and came across "Set-IcingaServiceUser" to update the user in some cases. When using a new PowerShell window (as Ansible does by default for every task) without calling "Set-IcingaServiceEnvironment" first, the necessary environment variables aren't loaded, so "Set-IcingaServiceUser" will always return $FALSE.
PS C:\Users\Administrator> Set-IcingaServiceUser -User 'NT AUTHORITY\NetworkService' -Service icingapowershell -SetPermission
False
PS C:\Users\Administrator> Set-IcingaServiceUser -User 'NT AUTHORITY\NetworkService' -Service icingapowershell -SetPermission
False
PS C:\Users\Administrator> Set-IcingaServiceEnvironment
PS C:\Users\Administrator> Set-IcingaServiceUser -User 'NT AUTHORITY\NetworkService' -Service icingapowershell -SetPermission
[Notice]: The Icinga Service User already has permission to run as service
[Passed]: Directory "C:\ProgramData\icinga2\etc" is accessible and writable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\ProgramData\icinga2\var" is accessible and writable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache" is accessible and writable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\config" is accessible and writable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Passed]: Directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate" is accessible and writable by the Icinga Service User "NT AUTHORITY\NetworkService"
[Notice]: Service User "NT AUTHORITY\NetworkService" for service "icingapowershell" successfully updated
True
PS C:\Users\Administrator>
Hope that helps.
Can confirm:
PS C:\Windows\system32> Set-IcingaServiceUser -User 'NT AUTHORITY\System'
False
PS C:\Windows\system32> Set-IcingaServiceEnvironment
PS C:\Windows\system32> Set-IcingaServiceUser -User 'NT AUTHORITY\System'
[Notice]: Service User "NT AUTHORITY\System" for service "icinga2" successfully updated
True
We mostly switch the user to NT AUTHORITY\System, except on a few systems.
Installation is also done via a PowerShell script called by Ansible. Excerpt from the script:
function agent-installation {
    Write-Host "Start Icinga Agent installation"

    # Download the Icinga Agent installer unless it is already cached locally
    $agent_installer = "C:\tools\icinga-agent-installation\Icinga2-v$agentversion-x86_64.msi"
    if (-not (Test-Path $agent_installer)) {
        # set security protocols for web requests (TLS 1.1 is deprecated; 1.2 alone is enough for current repos)
        [Net.ServicePointManager]::SecurityProtocol = 'tls12, tls11'
        Invoke-WebRequest -UseBasicParsing -Uri "https://$repourl/monitoring/icingaforwindows/stable/agent/Icinga2-v$agentversion-x86_64.msi" -OutFile $agent_installer
        Start-Sleep -Seconds 10
    }

    # run the Icinga Agent installer and wait for msiexec to finish
    # (calling msiexec directly returns immediately, so a fixed sleep afterwards is a race)
    Start-Process -FilePath "msiexec.exe" -ArgumentList "/i `"$agent_installer`" /qn /norestart" -Wait

    # configure the agent: save and trust the parent's certificate, then run node setup
    $icinga2    = 'C:\Program Files\ICINGA2\sbin\icinga2.exe'
    $trustedCrt = 'C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt'
    $nodeName   = ($env:COMPUTERNAME).ToLower()
    & $icinga2 pki save-cert --host $endpointConnections --trustedcert $trustedCrt

    # icinga2 expects each --endpoint value as ONE comma-separated "name,host,port" string;
    # an unquoted $a,$b,$c array is expanded by PowerShell into three separate arguments
    $setupArgs = @(
        'node', 'setup',
        '--cn', $nodeName, '--zone', $nodeName,
        '--parent_zone', $parentZone, '--parent_host', $endpointConnections,
        '--endpoint', "$endpoints,$endpointConnections,$caport"
    )
    if ($secondsatellite -eq "yes") {
        $setupArgs += @('--endpoint', "$secondsatendpoint,$secondendpointConnection,$caport")
    }
    $setupArgs += @(
        '--global_zones', 'global-windows', '--ticket', $ticket, '--trustedcert', $trustedCrt,
        '--accept-commands', '--accept-config', '--disable-confd'
    )
    & $icinga2 @setupArgs

    # change logging severity of the Icinga 2 agent
    $eventlogConf = "C:\ProgramData\icinga2\etc\icinga2\features-available\windowseventlog.conf"
    if (Test-Path $eventlogConf) {
        Write-Host "Set logging severity to critical to avoid EventLog spam"
        (Get-Content $eventlogConf) -replace '"information"', '"critical"' | Set-Content $eventlogConf
    }

    # set the service user and restart the service
    Set-IcingaAgentServiceUser -User $serviceuser
    Start-Sleep -Seconds 5
    Restart-Service -Name "icinga2"
}
This used to work before when Framework v1.11.1 was installed (though I'm not 100% sure). Maybe this got introduced with one of the v1.12.x releases? We have installed v1.12.3 now.
Running
Set-IcingaServiceEnvironment
Set-IcingaAgentServiceUser -user 'NT Authority\SYSTEM'
Restart-Service -name "icinga2"
does not work reliably via the script called by Ansible. Not sure why. Maybe because Set-IcingaServiceEnvironment takes some time to complete.
Update: this works:
if (whatever) {
    $serviceuser = 'NT AUTHORITY\NetworkService'
} else {
    $serviceuser = 'NT Authority\SYSTEM'
}
Start-Process -FilePath "sc.exe" -ArgumentList "config icinga2 obj= `"$serviceuser`"" -Wait
Thank you for the issue. The problem in this case is that the Icinga for Windows environment is not loaded when executed directly via Ansible.
You will have to run Use-Icinga before executing PowerShell calls like this, to ensure the environment is set and the service configuration is fetched.
Use-Icinga;
Set-IcingaServiceUser -User 'NT AUTHORITY\NetworkService' -Service icingapowershell -SetPermission;
This should then always work.
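A wrapper for the Ansible case discussed in this thread, added here as an example and not code from the issue or from the icinga-powershell-framework project. It assumes the module name 'icinga-powershell-framework' (taken from the path in the original post) and that Win32_Service reports the SYSTEM account as 'LocalSystem'; it loads the environment with Use-Icinga, applies the change with -SetPermission (which also grants the "Log on as a service" right and the directory permissions shown in the transcript above, something the plain sc.exe config workaround does not do), and then verifies the account against the Service Control Manager instead of trusting the return value alone.

```powershell
# Added example, not from the issue or the icinga-powershell-framework project.
# Run from an Ansible task (e.g. win_shell) so that a failed user change fails the task.
param(
    [string]$ServiceUser = 'NT AUTHORITY\NetworkService',
    [string]$Service     = 'icingapowershell'
)

# Each Ansible task starts a fresh PowerShell session, so the Icinga for Windows
# environment must be loaded explicitly; otherwise Set-IcingaServiceUser returns False.
# Module name assumed from the install path shown in the original post.
Import-Module 'icinga-powershell-framework' -ErrorAction Stop
Use-Icinga

# -SetPermission also grants "Log on as a service" and the directory ACLs checked in
# the transcript above, which a plain "sc.exe config obj=" call does not touch.
# The framework may emit notices before the final $True/$False, so take the last object.
$result = @(Set-IcingaServiceUser -User $ServiceUser -Service $Service -SetPermission)
if ($result[-1] -ne $true) {
    Write-Error "Set-IcingaServiceUser returned False for '$Service'; is the environment loaded?"
    exit 1
}

# Verify against the Service Control Manager instead of trusting the return value.
# Assumption: Win32_Service reports the SYSTEM account as 'LocalSystem'.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Service'"
if ($null -eq $svc) {
    Write-Error "Service '$Service' not found"
    exit 1
}
$expected = if ($ServiceUser -ieq 'NT AUTHORITY\SYSTEM') { 'LocalSystem' } else { $ServiceUser }
if ($svc.StartName -ine $expected) {
    Write-Error "Service '$Service' runs as '$($svc.StartName)', expected '$expected'"
    exit 1
}

# Restart so the new account takes effect, and confirm the service came back up.
Restart-Service -Name $Service -ErrorAction Stop
$state = (Get-Service -Name $Service).Status
if ($state -ne 'Running') {
    Write-Error "Service '$Service' is '$state' after restart"
    exit 1
}
Write-Output "Service '$Service' now runs as '$($svc.StartName)'"
exit 0
```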