Paul Chernoch
2014-Oct-07 16:15 UTC
[Puppet Users] EXEC resource fails but does not log a failure
I have an EXEC command that has an onlyif condition. When I have my puppet
service running as the correct user account, all goes well.
When the puppet agent is running under an inadequately privileged account,
some operations fail silently.
During a maintenance action, another staff member tried to upgrade the
puppet agent.
When that didn't work with our version of enterprise, he reinstalled
puppet, but forgot to change the service accounts to be our special puppet
user.
That puppet user has access to Team Foundation Server while the default
account (NT System) does not.
I expected that puppet enterprise would show error messages in the log and
show agent runs as failing.
IT DID NOT.
To diagnose the problem, I started a special shell using "Psexec.exe -i -s
cmd.exe". This sysinternals tool allows me to impersonate "nt
authority\system".
While running under that account, I verified that my EXEC command and the
accompanying "onlyif" command each fail with error code 1.
The EXEC command being run is "TF.EXE" with the "VIEW" option, the Team
Foundation Server command line executable.
The onlyif command is a shell call to "ruby.exe" which executes a Ruby
script that also calls TF.EXE, this time with the "HISTORY" option.
The basic idea is that I call TF HISTORY to see if there is a newer file
than the one I have extracted. If there is, then I return one value to
indicate that EXEC should do its job.
If there is no newer file then I return a code that indicates no changes
occurred and EXEC should not perform its action.
If TF.EXE returns an error code in the onlyif command, I decided to tell
EXEC that it should try to get the file whether it needs to or not.
Running both TF VIEW and RUBY (which calls TF HISTORY) in the special shell
with the wrong user yields return codes of "1".
This should mean that the EXEC failed, but it does not log failure.
What should I do?
Here is a fragment of my puppet code:
    exec { "tf view ${filename} /version:${versionspec}":
      command   => $tfview_cmd,
      path      => $exec_path,
      cwd       => $tf_dir_unix,
      onlyif    => $tfhistory_cmd,
      returns   => ["0"],
      logoutput => true,
      require   => Class['tfview::tfcomponents']
    }
I am running agents on Windows 2008R2.
Paul
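
An added example, not part of the original post and not Puppet's or the poster's own code: a Ruby guard for `onlyif` along the lines of the script described above. Puppet runs an exec's command only when `onlyif` exits 0 and treats any other exit as a skip rather than a failure, so the guard logs a failed check and returns 0, letting the exec run and fail visibly against `returns`. The `latest=N` output format, the `PARSE` lambda and the stand-in commands are constructed for the demo and are not real TF.EXE output.

```ruby
require 'open3'
require 'rbconfig'

# Puppet runs an exec's command only when its onlyif command exits 0.
# A non-zero onlyif exit skips the resource, and a skip is not a failure.
RUN_EXEC  = 0
SKIP_EXEC = 1

# Run the check; return [exit_status, combined stdout and stderr].
# exit_status is nil when the program could not be started or was killed.
def run_check(argv)
  out, status = Open3.capture2e(*argv)
  [status.exitstatus, out]
rescue SystemCallError => e
  [nil, e.message]
end

# Map the check result to an onlyif exit code.
# parse is a hypothetical callable that extracts the newest server version.
def onlyif_code(argv, local_version, parse, log: $stderr)
  status, out = run_check(argv)
  unless status == 0
    # The check itself failed (for example, the account cannot reach the
    # server). Say so, and let the exec run so its own failure is recorded.
    log.puts "onlyif check failed (exit #{status.inspect}): #{out.strip}"
    return RUN_EXEC
  end
  newest = parse.call(out)
  if newest.nil?
    log.puts "onlyif check output not understood: #{out.strip}"
    return RUN_EXEC
  end
  newest > local_version ? RUN_EXEC : SKIP_EXEC
end

# Constructed stand-ins for the real history check, so this runs offline.
PARSE  = ->(out) { out[/latest=(\d+)/, 1]&.to_i }   # constructed output format
NEWER  = [RbConfig.ruby, '-e', 'puts "latest=42"']
DENIED = [RbConfig.ruby, '-e', 'warn "access denied"; exit 1']

if __FILE__ == $PROGRAM_NAME
  # A real guard script would end with: exit onlyif_code(...)
  puts onlyif_code(NEWER, 41, PARSE)    # server is newer
  puts onlyif_code(NEWER, 42, PARSE)    # already current
  puts onlyif_code(DENIED, 41, PARSE)   # check failed
end
```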