Peter Mounce's questions

I'm creating a (local) user for a Windows service to run as. I've got good reasons for not wanting to use NETWORK SERVICE, LOCAL SERVICE, or LOCAL SYSTEM.

I create the user via net user foobar "Abcd123!" /add - this works fine.

At this point, c:\users\foobar does not exist.

If I create the user's home directory, before the user either logs on (or, more pertinently) or the service that the user is for starts up, Windows creates a user-profile next-door called c:\users\foobar-{gibberish/SID/whatever} - this is not a predictable name.

I need the user's home directory to contain things like a .ssh directory, a .gitconfig - tools like that (not limited to those tools) that make assumptions that it'll be a person using them, and so user-configuration goes inside ~/.... Usually, tools from a Unix heritage.

Actual question

So - is there a programmatic (preferably, PowerShell, or out-of-the-box command-line) way to tell Windows to create the user-profile for a local user?

Or, any other workarounds?

Things I've yet to try:

• An NSSM start/pre hook that copies files from elsewhere into the user-profile directory that hopefully exists at this point by virtue of Windows starting the service, creating the user-profile then handing control to the NSSM wrapper running the hook before startup.
• Setting the USERPROFILE environment variable for the service to be somewhere other than the actual user-profile directory. This strikes me as dangerously off-piste but also might work fine.

Other context:

• Windows Server 2016, desktop experience.
  • Can't use Core/Nano.
• There is no active directory in play. There won't be.
• These are local users.
• I'm doing this via Ansible, which is using PowerShell under the hood for Windows things. Specifically the win_user module, with Ansible 2.7.5.
• I don't want to create a C:\users\default (the equivalent of /etc/skel), because there are a few different service-users and one size won't fit all. This also doesn't affect when the user-profile is created, just what will be in it when it is.
• I'm using NSSM to manage the services.

Things I've tried

• starting the service and allowing Windows to create the directory
  • I don't want to do this, because the service requires secrets before starting up, and so if I do this inside my image-baking process I'll then need to clean them up, and also make sure my service doesn't do any work during the baking phase. I want to avoid both of those fiddly bits.

We're just now getting to grips with statsd+graphite, and we (think we) want to look at graphs sliced differently. For example, say we have a website foo that is multi-tenanted to 3 customers and served on 4 servers:

1. aggregate (all servers, all tenants) across our whole service - so publish foo.logins.attempts:3|c
2. aggregate by tenant (all servers) across our service - so publish tenant1.foo.logins.attempts:3|c
3. individual servers across our service - so publish tenant1.server1.foo.logins.attempts:3|c

What are the implications of

1. publishing the stats 3 times (actually, one statsd call, with one stat per line), once each with each different prefix, so it's easier to find in statsd and graphite, and manipulate
2. publishing the stat once (#3 above) and then using graphite to mix and match to produce the views that we want

?

GitHub Enterprise ships as an Open Virtualisation Appliance and File; it's intended to be dropped into existing virtualization setup like VMWare, VirtualBox, etc.

I'd like to run it inside of the AWS EC2 cloud (Github doesn't provide an AMI currently).

I've read around the subject and it seems like AWS EC2's VMImport tool only supports Windows VMs, currently.

I wonder if there exists a step-by-step guide to exporting an OVA/OVF appliance into an EC2 instance, so I can create an AMI of it and go from there? I've tried to follow this guide but I don't know how to follow steps 1-3, honestly; GHE only gives me limited ssh access to the instance, and I'm not sure what to look for or how to look for it. GHE seems to ship on an Ubuntu base distribution.

(I'm still quite a beginner-level linux sysadmin; I come from a Windows development background, but am quite capable of learning quickly.)

We're spinning up infrastructure inside of an AWS VPC via CloudFormation.

We're using auto-scaling groups to bring up VPC-EC2 instances (so, we don't bring up instances directly; ASGs manage that).

Inside of a PVC, EC2 instances only have a private IP; they cannot see the outside world without further work.

When these instances spin up, we have some bootstrap tasks that require talking to the various AWS APIs. We also have some ongoing tasks that require AWS API traffic.

How are you tackling this apparent chicken-egg problem?

We've read about:

• NAT instances - but don't like this so much because it's another layer to our stack.
• assigning elastic-IPs to each VPC instance that needs to talk - but a) they all do, and b) since we're using ASGs, we don't know which instances to assign EIPs to at provision-time, and c) we'd need to set up something to monitor those ASGs and assign EIPs when instances are terminated and replaced
• spinning up an instance (actually, a load-balanced pair, probably spanning AZs) to act as an AWS-API proxy for all API traffic

I guess I'm wondering whether there's some kind of back-door we can open that allows our VPC EC2 instances access to the AWS API endpoints, but nothing else, for cheap-complexity setup, that doesn't add another network-hop layer to our infrastructure for serving requests.

Is it possible to deploy all MSI packages within a folder-share to a group of computers, with a single group-policy object?

If so, how?

I've taken an Amazon Linux AMI (based on CentOS) and installed RVM (1.10.3) to it in multi-user fashion (see {1} below). I used that to install ruby 1.9.3-p125, rubygems 1.8.17, and bundler 1.1 as the baseline requirements for most things I'm going to be using the instances for.

I've captured that instance to an AMI, and am now launching it via CloudFormation, with some CloudFormation::Init commands. One of them is to use s3cmd to pull down a private gem from S3, and the next one, the one that fails, is to install that gem. It fails with an error message

2012-03-15 16:53:20,201 [ERROR] Command 20_install_gems (/usr/local/rvm/rubies/ruby-1.9.3-p125/bin/gem install ./*.gem) failed
2012-03-15 16:53:20,202 [DEBUG] Command 20_install_gems output: /usr/local/rvm/rubies/ruby-1.9.3-p125/bin/gem:12:in `require': no such file to load -- rubygems (LoadError)
    from /usr/local/rvm/rubies/ruby-1.9.3-p125/bin/gem:12

Now, that happens during the cfn-init execution - I assume, but haven't checked yet, that cfn-init is being run with an environment different from that of ec2-user (there are no other users on the instance).

If I run gem install mygem.gem in an interactive session then that works fine.

So, my question really, is what should I do to make this work for cfn-init? Have I correctly set up rvm as multi-user?

I've confirmed that cfn-init is being run as the root user, with his restricted environment. How should I source the /etc/profile.d/rvm.sh into root's sessions?

{1} My semi-automated rvm installation steps (run in interactive session as ec2-user):

sudo bash -s stable < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer )
sudo gpasswd -a ec2-user rvm
# iconv-devel is baked into centos' glibc
sudo yum install -y autoconf automake bison bzip2 gcc-c++ git libffi-devel libtool libxml2-devel libxslt-devel libyaml-devel make openssl-devel patch readline readline-devel zlib zlib-devel
source /etc/profile.d/rvm.sh
rvm list known

# in a new session:
rvm install ruby-1.9.3-p125
rvm use 1.9.3 --default
gem update --system
# gems required by public_web-awareness
gem install aws-sdk bundler cocaine sinatra
echo -e "gem: --no-ri --no-rdoc\n" > /home/ec2-user/.gemrc

# delete unnecessary documentation files
rm -rf `gem env gemdir`/doc

sudo -s
sudo echo -e "gem: --no-ri --no-rdoc\n" > /etc/skel/.gemrc
sudo echo -e "gem: --no-ri --no-rdoc\n" > /etc/gemrc
# ctrl + d out of the sudo session

Some environment information:

[ec2-user@ip ~]$ echo $PATH
/usr/local/rvm/gems/ruby-1.9.3-p125/bin:/usr/local/rvm/gems/ruby-1.9.3-p125@global/bin:/usr/local/rvm/rubies/ruby-1.9.3-p125/bin:/usr/local/rvm/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/aws/bin:/home/ec2-user/bin
[ec2-user@ip ~]$ echo $GEM_HOME
/usr/local/rvm/gems/ruby-1.9.3-p125
[ec2-user@ip ~]$ echo $GEM_PATH
/usr/local/rvm/gems/ruby-1.9.3-p125:/usr/local/rvm/gems/ruby-1.9.3-p125@global
[ec2-user@ip ~]$ echo $BUNDLE_PATH

[ec2-user@ip ~]$ gem list

*** LOCAL GEMS ***

aws-sdk (1.3.6)
bundler (1.1.0)
cocaine (0.2.1)
httparty (0.8.1)
json (1.6.5)
multi_json (1.1.0)
multi_xml (0.4.1)
nokogiri (1.5.1, 1.5.0)
rack (1.4.1)
rack-protection (1.2.0)
rake (0.9.2)
sinatra (1.3.2)
tilt (1.3.3)
uuidtools (2.1.2)
yamler (0.1.0)

I would like to launch my stack using a keypair that is created as part of the CloudFormation.

Is that possible?

....
"Resources": {
    "ReverseProxyKeyPair": {
        "Type": "AWS::EC2::KeyPair",
        "Properties": {
            "KeyName": "reverse_proxy"
        }
    },
....

was a guess, but hasn't worked. I haven't tracked down a schema for CloudFormation to say this isn't possible.

Most of the examples assume a KeyPair has already been created - I assume because there's only one chance to download it, at creation-time. But I'd like to dynamically create one, and then use it as an Output and dump it into S3 (say).

Or, is this a silly idea?

On Windows Server 2008 R2 Core Edition, how do I assign the "log on as a service" permission to a user, from the command-line?

(ntrights.exe from the Win2003 resource kit is not included in Win2008 R2 Core).

I don't mind whether it's cmd or a powershell cmdlet. I would prefer it to be a command run locally on the box, rather than one invoked remotely.

The server is not, and will not be, part of an active directory.

I find the appcmd CLI inscrutable, and so will often do more esoteric operations once locally in the server-manager, then look at the various changes to the config files that happen so I can perform them by hand or script.

I could swear I've seen a screenshot of someone generating the appcmd invocations based on an already-created-and-configured site from IIS Server Manager.

Is that possible (and if so, how??), or was I dreaming? I've googled for things like "iis7 generate appcmd" to no avail so far.

I have a VisualSVN server running on Windows 2008 R2 x64 using basic authentication.

I want to upgrade to use windows authentication.

However, some of the usernames set up do not match the domain usernames.

Is there a way to alias basic-auth-username to domain-username, so when someone now commits using domain-username, svn records it as their old basic-auth username?

Or is there a way to spin through the repositories and find/replace basic-auth usernames in commits to domain-auth usernames?

Or is it probably not worth the trouble?

Is it possible to set up ssh and Active Directory (Win2008r2 flavour) such that domain-users can access *nix and ssh-servers-running-on-Windows-servers without needing to type their password?

If so, how?

I've found some documentation that suggests that it (or something like it) is possible by modifying the AD schema to make room for a public-key.

However, most of the concepts themselves are new to me, because really, I'm a developer masquerading as a sysadmin in a dev-ops team.

Context: we have some Windows boxes, and some *nix boxes, and we want to run some remote-admin automation on both sets of them in a continuous-deployment type scenario as well as an ad-hoc maintenance-from-a-central-place type scenario.

So in a Windows environment, we use bginfo in the all-users startup folder to write out server details to the desktop.

However, different people connect with different resolutions, and we share the account we use to connect with because we lack individual accounts at present. The different resolutions cause bginfo to write its background at a slightly different offset each time, which means the background is garbled over time.

How can we get the desktop background to be reset on logon, so that bginfo writes its new one with a clean slate?

Don't mind if this is a thing we need to add in addition to bginfo, or whether this is built into bginfo but we haven't found the option...?

We integrate with 3 payment service providers in multiple countries, and sporadically we will get customer reports that the 3DSecure-check part of the payments-process is not working. We've yet to get adequate reports to troubleshoot the problem or proactively warn customers that this may happen (or disable the check for the duration of a problem).

How can we directly monitor the VISA and MasterCard service-dependencies so that we can get better insight into our payments-process status? Our PSPs do not expose the problems in a proactive way; we get problem-reports direct from customers, as I mentioned - not the best place to be in.

We're after:

1. An API-call we can periodically make to get red/green status for each system
2. A web-page we can hit to see whether the system is expected to be up/down
3. A web-page we can hit to see whether there's upcoming maintenance/down-time
4. A way of running through a test payment, but against a real live payment-card, but that won't then affect the credit rating of the card's account since we'll essentially be setting up and cancelling payment-authorisations on a several-times-a-day basis if we do that

Where can we find some/all of the ab

I'm setting up automated deployment of applications in a Windows environment from continuous integration (TeamCity build-agents), and using cygwin + openssh to perform the remote-execution part of that - I'm basically using ruby's capistrano with a bunch of custom tasks.

Since the build-agent is runnings as a windows service on the box, it's headless. The box doesn't sit with a user signed in, and so there's no opportunity for a user to type the key's passphrase when (for example) keychain or pageant might otherwise be loaded.

So currently, the passphrase is hard-coded in the deployment script - I mean, in a single place, so it's not scattered all over, but still, seems like there must be a more secure way of doing this.

Can anyone tell me what it is? :-)

• I don't really want to not use a passphrase.
• I'd prefer to not have to manually sign in to the build-agents each time they're rebooted to do some step to give each the passphrase so the key can be loaded.

Update:

• I chose to use passphrase'd keys because it seemed inherently more secure, until I later ran into the obstacle of how to unlock the key for a headless process. The idea was that only people that had the key's passphrase would be able to deploy. Perhaps I want one (closely controlled) passphrase-less key for the CI build-agents to use, and one passphrase'd key for humans to use?

We'd like to host a rubygems source internally on our own network, because while we do want to use gems as a distribution mechanism, we don't want to publish our gems externally to the company, since the scripts are perforce very specific to our environment (Windows).

Where can I find instructions on how to do such a thing?

I am working to set up some deployment automation, and one of the things I'm trying is to use Ruby's Capistrano to remotely execute commands over ssh. I have used cygwin's openssh to run sshd on the box I'm using as the test victim.

Out of the box, though, this will require an identical user on each victim box, with the same password, which is clearly a bad idea.

I would like therefore to enable public-key authentication, but after a couple of days of banging my head against a wall, I'm not succeeding. Can anyone point me at a successful guide on the web to accomplish this?

I think that:

• having generated a public key locally on the overlord box, I need to run ssh-agent and then ssh-add , right? As in, not on the victim boxes.
• on each victim box, I need to cat the public key into /home/username/.ssh/authorized_keys
• I then need to ssh to the victim box like ssh username@victim and I shouldn't be asked for a password... right? This is the piece that is failing; I'm being asked for my password.

I'm using VMWare ESX to host some VMs, and have allocated 60Gb to one Windows Server 2008 VM. It's not using close to that and is unlikely to.

How can I reduce the amount of space that this virtual disk takes up on the physical disk? I've heard words like Thin Disk and compact bandied about, but haven't had a chance to look properly yet (running out of room is not yet a pressing concern).

I'm using VMWare ESX 3.5.

I've just created a couple of different-flavour VMs (a Windows 2008 one and a Windows 2003 one), installed windows updates, and am generally happy with their pristine nature.

I will want to run them now, but reuse them from their current state later. So, I want to archive off a snapshot now, to come back to when I want to spin up more.

What are my options?

• Manually zip up the directory that contains the VM and physically store that someplace else?
• Something specific to VMWare ESX?

I have allocated xGb for the virtual disk; is unused-but-allocated space still taken up on the "real" disk?

Note: Backups are not my question - I'll handle that separately.

Edit:

• I'm not using vSphere or vCenter; that's AFAIK not available to me as an option here (separate license? Am unfamiliar).

I have a newly built VMWare ESX Server that I would like to create a few Windows VMs on. I'd like to transfer ISOs to the server to then mount them to install from.

How do I do this? I assume there's a default set of FTP credentials or something of that nature...?

My boss just asked me whether I knew any good places to advertise for good sysadmins for a big-scale data-centre build/spec in the UK - and I didn't have a good answer. Do you? If so, what? hiddennetwork and joelonsoftware spring to mind; anything else?