I have SLS files set up to copy things from a network folder to a local directory on a minion.
Looks a little like this:
cmd-test:
cmd.run:
- name: 'ROBOCOPY \\\CygwinSource C:\CygwinSource /E'
and get the following output:
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Tuesday, December 6, 2016 10:50:35 AM
2016/12/06 10:50:35 ERROR 1808 (0x00000710) Getting File System Type of Source \\<Server>\<program>\<file>\
The account used is a computer account. Use your global user account or local user account to access this server.
Source - \\<Server>\<program>\<folder>\
Dest : C:\<path>\<folder>\
Files : *.*
Options : *.* /S /E /DCOPY:DA /COPY:DATS /PURGE /MIR /NP /R:1 /W:1
------------------------------------------------------------------------------
NOTE : NTFS Security may not be copied - Source may not be NTFS.
2016/12/06 10:50:35 ERROR 1808 (0x00000710) Accessing Source Directory \\<Server>\<program>\<file>\
The account used is a computer account. Use your global user account or local user account to access this server.
Waiting 1 seconds... Retrying...
When I run the same thing locally in command line as 'ROBOCOPY \\\CygwinSource C:\CygwinSource /E' and it worked perfectly. I have no idea how to fix this 'use local user account' that Robocopy seems to give when using it through salt.
I also tried adding /MIR and /SEC which didnt't work.
Running Windows 10, Minion 2016.3.3
Master: Red Hat, 2016.3.3
Salt seems to be connecting to the network resource with a computer account. A few possible solutions:
Try changing the Salt Service on the Client (if that's how salt is executing the commands) to run as a domain user.
Try using the salt file server
Implement this hacky workaround where a scheduled task is created - discussed in the github issue that seems related to your problem: https://github.com/saltstack/salt/issues/16340
Related
Context
Running MariaDb 10.6.7 on Windows 11. Trying to use mariabackup to do a partial backup of my database. Database, target backup folder and backup process all on the same PC.
Issue
In a batch file I have this:
cd C:\"Program Files\MariaDB 10.6\bin"
mariabackup --backup --target-dir='D:\OneDrive\Backups\MariaDb' --databases-exclude="*test" --user=root --password=myPasswordWithNoQuotes
Which keeps giving me the response:
Failed to connect to MariaDB server: Access denied for user 'root'#'localhost' (using password: YES)
Things I've checked
Running the batch file as administrator
root has full priviliges
Password is correct - checked by logging into root with MySQL Workbench and MySQLClient and HeidiSQL.
Question
How do I set access rights so that the backup can proceed?
When I changed the root password to something simple everything worked. So it looks like the issue was a special character in the password (a % character perhaps) or the way that the password parameter was formed in the mariabackup command.
I created a Flask app that uses Beautiful Soup and Selenium to scrape and track Amazon product prices. The data was stored using CS50's version of SQLalchemy.
I then created an account to use Oracle's always free VM, with Ubuntu. I followed this excellent guide to the dot https://asdkazmi.medium.com/deploying-flask-app-with-wsgi-and-apache-server-on-ubuntu-20-04-396607e0e40f and set up Apache's conf file and the Wsgi file. I also added the network rules on Oracle's Virtual Cloud Network and to iptables, which I believe works fine.
Following this, the website still couldn't launch. Apache's error log showed a "PermissionError: [Errno 13] Permission denied: '/flask_session'". Based on this post Permission issue when writing file on webserver (flask, apache & wsgi) I changed the OS env to my env os.chdir('/home/ubuntu/flaskapp') and used chown to give rights
sudo chown -R ubuntu:www-data flaskapp
sudo chmod -R g+s flaskapp.
Now, my front page is accessible on http://129.150.38.171/ . However, upon any request to the server, Chrome displays "This page isn’t working 129.150.38.171 didn’t send any data." Apache's log shows a "segmentation fault (core dumped) python flask". Based on the sequence of my code, the error begins when I try to execute SQL, e.g. rows = usersdb.execute("SELECT * FROM users WHERE username = ?", request.form.get("username")).
I do not think that it is not my codes' error as it runs fine locally and the production server also worked when I set it up on Oracle VM using this guide https://docs.oracle.com/en-us/iaas/developer-tutorials/tutorials/flask-on-ubuntu/01oci-ubuntu-flask-summary.htm .
I've found this guide on debugging https://www.bustawin.com/debug-segmentation-faults-in-apache-from-mod_wsgi/ using gdb. But with source /etc/apache2/envvars
sudo -E gdb /usr/sbin/apache, it just tells me "No executable file specified".
Any ideas on what could be the error?
I'm working with the docker image "mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019". I've noticed that the default user for windowsservercore is ContainerAdministrator. If I try to run the image with the user ContainerUser (docker run -u ContainerUser mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019) I get the following error: ERROR: Failed to stop or query status of service 'w3svc' error [80070005].
I think that the error is related to the permissions that the user needs to run ServiceMonitor. So, first of all, is it correct to assume that windowsservercore images must run with ContainerAdministrator and cannot run with ContainerUser?
If the assumption above is correct I would like to confirm if running the container with ContainerAdministrator can expose the container to a security issue. As far as I understand even if the ServiceMonitor.exe is started with ContainerAdministrator the external-facing process is the IIS Windows service, which runs under a local account in IIS_IUSRS group. So even if an attacker could compromise the application it will not have administrator access to the container. Can anyone confirm if this is correct?
ContainerAdministrator is a special virtual account.ContainerAdministrator is the default account when you run a container – so if your CMD instruction starts a console app, that app will run as ContainerAdministrator. If your app runs in the background as a Windows Service, then the account will be the service account, so ASP.NET apps run under application pool accounts.
you could refer to the below link:
Accessing the Docker host pipe inside windows container with non-admin user
I was in the same position you are. I can't confirm your assumption (though I assume the same). But I can provide our dockerfile which enabled us to run as non root (to comply with an AKS policy).
dockerfile
FROM mcr.microsoft.com/dotnet/framework/wcf:4.8-windowsservercore-ltsc2019
SHELL ["cmd", "/S", "/C"]
# username = '1000' so the k8s policy can verify it's a non-root user
RUN net user /add 1000
# We copy some config files in the actual startup.ps1 so we need write access here
RUN icacls C:\inetpub\wwwroot\ /grant 1000:(OI)(CI)F /t
# ServiceMonitor.exe puts some environment variables in the applicationHost.config
RUN icacls C:\Windows\System32\inetsrv\Config\ /grant 1000:(OI)(CI)F /t /c
# S-1-5-32-545 is group Builtin\Users which contains user 1000. Allows user to restart the w3svc service
RUN sc.exe sdset w3svc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA) (A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPDTLO;;;S-1-5-32-545)
COPY startup.ps1 /
WORKDIR /inetpub/wwwroot
ARG source=obj/Docker/publish
COPY ${source} .
USER 1000
ENTRYPOINT ["powershell", "/startup.ps1"]
startup.ps1
# ContainerAdministrators doesn't have these variables, but the
# custom account does have them. If this gets put into the applicationHost.config
# iis will try to write to the user specific temp directory, and fail (with an unrelated error)
Remove-Item env:TMP
Remove-Item env:TEMP
C:/ServiceMonitor.exe w3svc
I am able to do following
install salt master, minion (using root user)
login in master machine and execute salt command to install java / tomcat into minion server
result : java/tomcat is installed via root user
What i want to do is
install java / tomcat in minion server by user name 'tomcatuser'
As per my understanding only way of doing this is if i install my minion via tomcatuser.
Is my understanding correct ?
Any other way ?
I think you mix up the saltstack controller and how it control the application configuration.
For salt master and minion to communicate, you need to start both services as root, to control most of the configuration process. Then from there on, you can specify the user and group for application deployment inside your sls configuration.
Now come to your Tomcat/java/whatever package, you can refer to the salt stack configuration, to specify your own user group of the configuration and even startup(with other modification). e.g.
Deploy foo configuration:
file.managed:
- name: /etc/foo.conf
- source:
- salt://foo.conf
- user: foo
- group: users
- mode: 644
Then to startup your tomcat, you can do the similar by using a crontab and specify the user you want (as long as it is not load under service port smaller than 1024) . Or you can check whether salt.states.tomcat is helpful to start the services : https://docs.saltstack.com/en/latest/ref/states/all/salt.states.tomcat.html
How to reset password in MariaDB? I use Windows and NOT Linux. Anyone who knows how to reset my MySQL MariaDB password? I tried to search on Google but did not help.
I bumped into the same problem. I lost the root password for a test server on a windows development machine.
Following the Linux step:
After
net stop mysql
Try invoking mysqld with
mysqld --skip-grant-tables
mysqld will only exit with a short message
[Note] mysqld.exe <...5.5.48.MariaDB> starting as process <pid> ...
then it quits. However I tried to launch mysqld directly, there is no mysqld.exe process. The service start command might have some argument combination that enabled mysqld to run. Tried to pass the settings through a configuration file and it works.
put
skip-grant-tables=TRUE
into MariaDB 5.5\data\my.ini
Restart mysqld, by
net stop mysql && net start mysql
then being able to login as root.
Don't forget to remove the inserted line and restart mysqld again.
As this is top result in Google here's a quick way to change the password:
Stop the DB server
create a text file containing your new password:
ALTER USER 'root'#'localhost' IDENTIFIED BY 'DontForgetMeAgain';
Run this command (don't forget to replace the path to file):
mysqld --init-file=C:\\path\\to\\file.txt
And we're done
Using skip-grant-tables led Maria Db to complain when changing a password even if logged in as root.
I had to do a little modification on Tom's answer in the content of the file to make it work for me:
After stopping the DBServer i created a file with this content:
SET PASSWORD FOR 'root'#'localhost' = PASSWORD('mynewpassword');
FLUSH PRIVILEGES;
then I run:
C:\Program Files\MariaDB 10.1\bin>mysqld --init-file=C:\\path\\to\\file.txt
I then managed to log in