codedeploy stuck on beforeInstall - aws-code-deploy

I want to do a code deploy but don't want to run any hook. My appspec.yaml looks like
version: 0.0
os: windows
files:
- source: output
destination: C:\inetpub\wwwroot
However, the codeDeploy runs successfully till DownloadBundle but get stuck for a while on beforeInstall before failing with the error
before install CodeDeploy agent was not able to receive the lifecycle event. Check the CodeDeploy agent logs on your host and make sure the agent is running and can connect to the CodeDeploy server.
What could be the issue? I've verified code deploy agent is running..
powershell.exe -Command Get-Service -Name codedeployagent
returns
Running codedeployagent CodeDeploy Host Agent Service

Related

Can I prevent specific directory files from being locked by the dotnet.exe process on IIS Windows server?

I am using CodeDeplpy to deploy several IIS applications on a Windows 2019 server. During the deployment of one of my .Net Core 3.1 applications I noticed this error:
Permission denied # unlink_internal - C:/inetpub/wwwroot/webApi/AutocheckerEntities.dll
To solve that I added a line that kills the whole dotnet.exe process (see below) in addition to stopping the app pool and the app itself (see below). I added the dotnet kill line as simply stopping the app pool & app did not get around the error.
appstop.ps1:
Stop-WebSite 'WebApi'
Stop-WebAppPool (Get-Website -Name WebApi).applicationPool
taskkill /IM "dotnet.exe" /F
appspec.yml:
version: 0.0
os: windows
files:
- source: /
destination: C:\inetpub\wwwroot\webApi
hooks:
BeforeInstall:
- location: CodeDeploy/appstop.ps1
runas: administrator
ApplicationStart:
- location: CodeDeploy/appstart.ps1
runas: administrator
Is there a way to release temporarily the files in C:\inetpub\wwwroot\webApi directory without killing the whole dotnet.exe process? I have other dotnet applications on the same server and killing the process can affect those as well.

Debugging "Segmentation fault (core dumped)" for Flask App deployed on Apache with mod-wsgi-py3 (Ubuntu)

I created a Flask app that uses Beautiful Soup and Selenium to scrape and track Amazon product prices. The data was stored using CS50's version of SQLalchemy.
I then created an account to use Oracle's always free VM, with Ubuntu. I followed this excellent guide to the dot https://asdkazmi.medium.com/deploying-flask-app-with-wsgi-and-apache-server-on-ubuntu-20-04-396607e0e40f and set up Apache's conf file and the Wsgi file. I also added the network rules on Oracle's Virtual Cloud Network and to iptables, which I believe works fine.
Following this, the website still couldn't launch. Apache's error log showed a "PermissionError: [Errno 13] Permission denied: '/flask_session'". Based on this post Permission issue when writing file on webserver (flask, apache & wsgi) I changed the OS env to my env os.chdir('/home/ubuntu/flaskapp') and used chown to give rights
sudo chown -R ubuntu:www-data flaskapp
sudo chmod -R g+s flaskapp.
Now, my front page is accessible on http://129.150.38.171/ . However, upon any request to the server, Chrome displays "This page isn’t working 129.150.38.171 didn’t send any data." Apache's log shows a "segmentation fault (core dumped) python flask". Based on the sequence of my code, the error begins when I try to execute SQL, e.g. rows = usersdb.execute("SELECT * FROM users WHERE username = ?", request.form.get("username")).
I do not think that it is not my codes' error as it runs fine locally and the production server also worked when I set it up on Oracle VM using this guide https://docs.oracle.com/en-us/iaas/developer-tutorials/tutorials/flask-on-ubuntu/01oci-ubuntu-flask-summary.htm .
I've found this guide on debugging https://www.bustawin.com/debug-segmentation-faults-in-apache-from-mod_wsgi/ using gdb. But with source /etc/apache2/envvars
sudo -E gdb /usr/sbin/apache, it just tells me "No executable file specified".
Any ideas on what could be the error?

Non-root user not able to start w3svc service in docker

I'm working with the docker image "mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019". I've noticed that the default user for windowsservercore is ContainerAdministrator. If I try to run the image with the user ContainerUser (docker run -u ContainerUser mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019) I get the following error: ERROR: Failed to stop or query status of service 'w3svc' error [80070005].
I think that the error is related to the permissions that the user needs to run ServiceMonitor. So, first of all, is it correct to assume that windowsservercore images must run with ContainerAdministrator and cannot run with ContainerUser?
If the assumption above is correct I would like to confirm if running the container with ContainerAdministrator can expose the container to a security issue. As far as I understand even if the ServiceMonitor.exe is started with ContainerAdministrator the external-facing process is the IIS Windows service, which runs under a local account in IIS_IUSRS group. So even if an attacker could compromise the application it will not have administrator access to the container. Can anyone confirm if this is correct?
ContainerAdministrator is a special virtual account.ContainerAdministrator is the default account when you run a container – so if your CMD instruction starts a console app, that app will run as ContainerAdministrator. If your app runs in the background as a Windows Service, then the account will be the service account, so ASP.NET apps run under application pool accounts.
you could refer to the below link:
Accessing the Docker host pipe inside windows container with non-admin user
I was in the same position you are. I can't confirm your assumption (though I assume the same). But I can provide our dockerfile which enabled us to run as non root (to comply with an AKS policy).
dockerfile
FROM mcr.microsoft.com/dotnet/framework/wcf:4.8-windowsservercore-ltsc2019
SHELL ["cmd", "/S", "/C"]
# username = '1000' so the k8s policy can verify it's a non-root user
RUN net user /add 1000
# We copy some config files in the actual startup.ps1 so we need write access here
RUN icacls C:\inetpub\wwwroot\ /grant 1000:(OI)(CI)F /t
# ServiceMonitor.exe puts some environment variables in the applicationHost.config
RUN icacls C:\Windows\System32\inetsrv\Config\ /grant 1000:(OI)(CI)F /t /c
# S-1-5-32-545 is group Builtin\Users which contains user 1000. Allows user to restart the w3svc service
RUN sc.exe sdset w3svc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA) (A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPDTLO;;;S-1-5-32-545)
COPY startup.ps1 /
WORKDIR /inetpub/wwwroot
ARG source=obj/Docker/publish
COPY ${source} .
USER 1000
ENTRYPOINT ["powershell", "/startup.ps1"]
startup.ps1
# ContainerAdministrators doesn't have these variables, but the
# custom account does have them. If this gets put into the applicationHost.config
# iis will try to write to the user specific temp directory, and fail (with an unrelated error)
Remove-Item env:TMP
Remove-Item env:TEMP
C:/ServiceMonitor.exe w3svc

Azure Cosmos DB Emulator Not running - It Starts and then throws Error

I am trying to install and run Cosmos DB Emulator on my machine but it is not letting me to connect to Azure Cosmos DB Emulator. When I run the Azure Cosmos DB Emulator, it shows the "Started" notification and then opened a page in browser but the page is not loaded. I am tired of doing everything which I have found on google.
Here is the Azure Cosmos DB Emulator Error:
And when the page is opened on link https://localhost:8081/_explorer/index.html, the Firefox browser shows "Unable to connect"
The strange thing is, when I installed it on another machine, it ran there without any issue.
After full of 3 hectic days, I have successfully run Cosmos DB Emulator. Here is the work around.
Shut down Azure Cosmos DB Emulator
I tried to run lodctr /R in command line by running it as "Run as Administrator", it threw an error: "Error: Unable to rebuild performance counter setting from system backup store, error code is 2"
Found a solution for the lodctr /R error which is to run another command as below:
"c:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i"
It will install ASP.NET (2.0.50727). Here is the link: https://www.stevefenton.co.uk/2016/04/unable-to-rebuild-performance-counter-setting-from-system-backup-store/
Then again run the command lodctr /R, it sets the counter
Then start Azure Cosmos DB Emulator and it will run.
I used to get this constantly, I realised I was shutting down my pc before stopping the emulator. Once I started stopping the emulator before shutdown, this issue went away for me.
There are 5 ports the emulator runs on out of the box: 10251,10252,10253,10254. You can confirm this by typing:
.\CosmosDB.Emulator.exe -h
And you'll see:
/DirectPorts= Comma-separated list of 4 ports to use for direct connectivity. Default is 10251,10252,10253,
10254.
What tends to be my issue is that the emulator is still running on one of the above ports but .\CosmosDB.Emulator.exe /Shutdown doesn't effectively stop the process.
To combat this, I search to see which port is active:
PS C:\Program Files\Azure Cosmos DB Emulator> netstat -ano | findstr :10251
PS C:\Program Files\Azure Cosmos DB Emulator> netstat -ano | findstr :10252
PS C:\Program Files\Azure Cosmos DB Emulator> netstat -ano | findstr :10253
TCP 127.0.0.1:10253 0.0.0.0:0 LISTENING 27772
And then I stop that process:
stop-process 27772 // this is using powershell but that's unimportant
Then I can start the emulator again without issue:
.\CosmosDB.Emulator.exe

How to configure jboss-eap 6.2 as a service and set Auto-start on CentOS 6.x and Linux1 AMI

We were using an older version of Jboss 4.x with JDK 5 on CentOS 5.x, this version of Jboss is very old now, even this version is also not supported by RedHat now.
Now we are upgrading to jboss-eap 6.2 and jdk1.7.0_60 and CentOS 6.x in UAT and AWS Linux1 AMI for Production, I have installed Jboss 6.2 in /var/lib/jboss-eap-6.2 folder. Necessary modification in the code are already done, application is working fine and Jboss is running as a process using below command.
./standalone.sh -c standalone-full.xml -b 0.0.0.0 -bmanagement 0.0.0.0
Below command shows that process is running on port 8080.
netstat -aptn | grep LISTEN
Please help configure Jboss 6.2 as a service and set Auto-start, when OS starts?
Follow the below steps to Configure Jboss6.2 as Service and configure it as Auto restart. The process is same for CentOS 6.x and AWS Linux1 AMI.
Copy files into system directories
a. Copy the modified configuration file to the /etc/jboss-as directory.
mkdir /etc/jboss-as
cp /var/lib/jboss-eap-6.2/bin/init.d/jboss-as.conf /etc/jboss-as/
Uncomment following line
JBOSS_USER=root
and add the following line at the end of this file.
export JBOSS_USER
b. Copy the start-up script to the /etc/init.d directory.
cp /var/lib/jboss-eap-6.2/bin/init.d/jboss-as-standalone.sh /etc/init.d/jboss-62
Do following changes in /etc/init.d/jboss-62 file
i)-Set Java Home JAVA_HOME=/usr/java/jdk1.7.0_60 export JAVA_HOME
ii)-Set JBOSS Home JBOSS_HOME=/var/lib/jboss-eap-6.2 export JBOSS_HOME
iii)-Change Configuration xml file name(you may give what ever configuration file name you are using)
JBOSS_CONFIG=standalone-full.xml
iv)-Add "-b 0.0.0.0 -bmanagement 0.0.0.0" in the following line, so that binding is set for every IP address on this system
daemon --user $JBOSS_USER LAUNCH_JBOSS_IN_BACKGROUND=1
JBOSS_PIDFILE=$JBOSS_PIDFILE $JBOSS_SCRIPT -b 0.0.0.0 -bmanagement
0.0.0.0 -c $JBOSS_CONFIG 2>&1 > $JBOSS_CONSOLE_LOG &
Add the start-up script as a service.
Add the new jboss-as-standalone.sh ( i.e jboss-62 ) service to list of automatically started services, using the chkconfig command.
chkconfig --add jboss-62
Start the service.
service jboss-62 start
Make the service to start automatically when you restart your
server.
chkconfig jboss-62 on
Restart the service
service jboss-62 restart
Now Jboss6.2 configuration as a Service as Auto restart is complete.
Reboot os and check that service is running. Run below command ot verify that service is running on port 8080
netstat -aptn | grep LISTEN | grep 8080

Resources