DevOps Publish Error: EPERM operation not permitted - azure-devops

When building an artifact using Azure DevOps, "Publish artifact" task failed with error
Publishing build artifacts failed with an error: EPERM: operation not permitted

When you are using A file server option as an Artifact publish location for Publish task, make sure the Agent/Service has access to the server.
In my case, I added the agent in Administrator group to be able to do WRITE operation.

If you use self-hosted agent, by default it runs as local NETWORK SERVICE account that doesn't have access to remote shares. So you should either:
Change agent's logon account. For some reason Microsoft doesn't recommend to change it from Services snap-in, but rather reconfigure it from their scripts.
Grant to local NETWORK SERVICE account access to remote share. To do it, you need to add computer account with your agent (i.e. "DOMAIN\ServerA$") to Share and NTFS permissions on the shared folder. See for example here.

Related

Azure devops interactive agent as admin

I have a Windows 10 Enterprise VM running an Azure Devops Agent in Interactive mode. The agent runs using the only user the machine has, and it is an Administrator with UAC disabled. However, when executing tasks that require an elevated command prompt, as registering dlls, the command fails with the following error message:
##[error]Cmd.exe exited with code '5'.
And this message is when I'm trying to COPY files into Windows\SysWow64
##[error]Error: Failed cp: cp: copyFileSync: could not write to dest file (code=EPERM):C:\windows\SysWow64\test.txt
My testes also fail with the following error message:
Test method TestesRegressaoPGB.Autenticacao.AutenticarNoPGBL02 threw exception:
System.AggregateException: One or more errors occurred. (The requested operation requires elevation.) ---> System.ComponentModel.Win32Exception: The requested operation requires elevation.
TestCleanup method TestesRegressaoPGB.Autenticacao.Cleanup threw exception. System.NullReferenceException: System.NullReferenceException: Object reference not set to an instance of an object..
How do I run all commands while elevated?
In the Azure DevOps, If you want to access local file in the azure devops pipeline via self-hosted agent, It accesses the file via service account instead of Personal account.
Workaround
We could open check the file permission and configure the service account permission. service account format User/Administrator/Administrators({Agent.ComputerName}\User/Administrator/Administrators)
Also, we could change the agent service account to your owner account.
Steps: Open service on the agent machine and search the agent service account, check the pic below, just change the account name and password to yours, then It will use this account to perform the operation.
I just added permissions on each and every folder the pipeline agent needed to open. As I said to Vito, the agent was not running using a service account.

azure devops local agent pipeline permission denied

I have a python script that execute an automation script on remote SUT. and given that the script is working when execute locally with user tester and password xxx.
when I build the DevOps Azure pipeline I have checkout from GIT the project into the agent and then try to execute the code from the command line .
cd .\MatrixPro\TestFramework
python .\main.py -t profaund_tests.matrix_pro_rf_energy_across_impedances
this code gave me an error
E PermissionError: [WinError 5] Access is denied:
'//192.168.1.100\c$\'
seems that this script try to create report file on the SUT and doesn't have permission.
more over that the azure user agent have admin permission but I suspect that I need to change into the local user before execute the command.
note: I'm working on windows 10 .
what is the right method to solve this issue ? how can I figure out way this error occur ?
is their a simple way to change the pipeline permmision to work on local agent with local user and password?
When you run the build pipeline on Azure DevOps.
It's actually the build service account which is running the script. You should make sure the build service account have sufficient permission to Access: '//192.168.1.100\c$\'
To change the identity of the build agent, just go into Windows Services and change the identity of related Build service (service name is " Azure Pipelines Agent").
In the Services pane, right-click Azure Pipelines Agent.
Under Service Status, click Stop.
Click the Log On tab.
Specify the account you want to use for the service in the This
account text box.
Type the new password in the Password text box, and then type the
new password again in the Confirm password text box.
Under Service Status, click Start.
You should use a user to remote to that the server hold build agent and manually run the script to perform the deploy process. If that user is able to deploy succeed without any permission issue. Simply use this user as your build service account of Azure DevOps agent.
Hope this helps.

Publishing build artifacts fails with error EEXIST: file already exists

we are using the VSTS task "Publish Artifact". Recently it started to randomly give an error:
Publishing build artifacts failed with an error: Unable to create directory. EEXIST: file already exists.
This happens when the task is about to create the directory where to publish.
Here are some of the logs
To troubleshooting the issue, you can check with below aspects:
Check if the share path is accessible
You can manually access to \\appbld\C$\WDX\PublishArtifacts\Build Trunk to check if you can access.
Check if the write permission is allow
Check the Write permission for the share path is allowed or not.
Check if the private agent run as the account when login the agent machine (if the agent run as service)
Services App -> select the vsts agent service for the private agent -> properties -> Log On Tab -> check if the account same as you login the agent machine.

VSTS What User Account does Hosted Agent run under?

We are trying to setup Release (continuous deployment) from our VSTS in the cloud. After the build is done, the Hosted Agent VS2017 tries to deploy the artifacts to the target server.
Firstly, it failed because our firewall blocked the target server from receiving the artifact (a .zip containing all the stuff). In fact, if I connect to the server via RDP and try to download the artifact from a browser, it's blocked.
Our security team temporarily disabled this firewall rule, and it worked (this also means the hosted agent has line of sight for the target server). Now, they don't want this rule off, they would like to know what is the User Account that tries to download/publish the artifact from the hosted agent, so they would allow the download of the .zip only for that specific user. I'm not sure if it's the same account which runs the service in the Host Agent, or if it's Network Service (therefore the own target server credentials), os some other account.
How do I know what user account should be granted rights in our firewall to download anything?
Use the Windows Machine File Copy task, you can provide a username/password to use for copying the files.
However, it uses RoboCopy over SMB to copy the files. As a result, it's probably going to be safer to set up a private agent within your network that has line-of-sight to the target servers, rather than opening up holes in your firewall a whole slew of ports.

VSTS Deployment to a deployment group from a UNC share

I am using visualstudio.com Teams Services to build and deploy an ASP.NET website to two Azure VMs.
I have a build which on completion triggers a release to my two servers in a deployment group. When you configure a Deployment Group for Visual Studio Team Services you create an agent that by default runs as NT AUTHORITY\SYSTEM.
If I publish my build artifacts to Azure (the server option) then everything works fine and deployment succeeds to both my VMS. However when using a file-drop I get the following error:
The artifact directory does not exist:
\\MACHINE1\drop\RRStore\20170517.20. It can happen if the password of
the account NT AUTHORITY\SYSTEM is changed recently and is not updated
for the agent.
This is basically saying MACHINE2 cannot access \\MACHINE1\drop due to permissions. In windows I can bring up this folder just fine, but since the agent is running as NT AUTHORITY\SYSTEM it cannot access it.
I want to use a filedrop because my website is about 250MB (although in the meantime I am using the 'publish to server' option and deploying via team services.)
I am unclear how to give permissions to the file drop though as the agent is running as SYSTEM. I am running as a WORKGROUP and giving permissions to 'Everyone' does not seem to work.
What is the correct way to configure access to a VSTS drop folder so that the deployment agent can access it?
Few possible options:
Set up a domain (I tried doing this but then I need a new network interface and it sounds klunky)
Continue using teamservices to deploy the artifacts (or reduce the website size!)
Save to a storage account, but again I'm not sure how to configure that.
Run as a different user account
I have similar problems when deploying with VSTS. Instead I chose to:
Run VSTS agent on the deployment group VM as a local user with limited access.
Impersonate the account on the deployment group VM to test its access to the drop folder.
Save/cache a different credential to access the drop folder if applicable.
(So the sensitive information stays on the VM.)
The cached credentials can be a different local user account created on the drop server just for this purpose.
Grant the local user access to various parts of the file system explicitly to limit access permission of this VSTS agent service runner account.
This should work in most cases. In fact, this same way is used in my VSTS, Jenkins and TFS instances. This should prevent you from setting up a domain to solve this problem.
This may not be the best practice, but at least it should get you started in the right direction.