Deploying a Windows service with MsDeploy using a preSync command
Is anyone successfully using MsDeploy for deploying Windows services with a preSync runCommand? I've got it working using an Administrator account, but can't for the life of me get it working on a standard user account. Unfortunately I can't use integrated authentication (we're deploying to an external box), and the thought of our Administrator password sitting in plaintext in logs on our build server doesn't exactly make me feel too comfortable. For that matter, neither do any user credentials - but I can't see a way around that.
The command I'm using is this:
"tools/deploy/msdeploy.exe" -verb:sync
-preSync:runCommand="tools\Deploy\PreSyncCommand.cmd",waitInterval=30000
-source:dirPath="C:\BuiltSourcePath"
-dest:computerName=https://server:8172/msdeploy.axd?site=dummysitename,userName=service-deploy,password=service-deploy-pass,authType=basic,dirPath="C:\DeployPath\"
-allowUntrusted
with rules set up in IIS for the dummy site to allow the authentication for the service-deploy windows account, with contentPath and runCommand permissions (for the moment set to C:\ as it's not entirely clear whether this needs to be set to the temporary path that MsDeploy streams to, or the deployment path?). The service-deploy account also has full control of the target directory. I get the following back:
Performing '-preSync'...
Info: Using ID '7a7d34a1-b5d8-49f1-960a-31c9cf825868' for connections to the remote server.
Info: Using ID '4d0b910c-aca4-4640-84bd-3597d22d99d1' for connections to the remote server.
Info: Updating runCommand (C:\TeamCity\buildAgent\work\aec989676b349656\tools\De
ploy\PreSyncCommand.cmd).
Warning: Access is denied.
Warning: The process 'C:\Windows\system32\cmd.exe' (command line '/c "C:\Windows
\ServiceProfiles\LocalService\AppData\Local\Temp\giz2t0kb.0ay.cmd"') exited with
code '0x1'.
This happens even if the contents of PreSyncCommand.cmd are blank. The same command runs fine if I pass in Administrator credentials. I've tried using ProcessMonitor to check if anything's being denied access but can't see any - so I'm guessing it's still an MsDeploy authentication rule. There's nothing in WmSvc.log (debugging is enabled), nor in the event log.
Any ideas? Thanks!
Comments (1)
Since you're using Web Deploy via WmSvc, you need to set up appropriate delegation rules on the destination server:
Within IIS Manager, open the "Management Service Delegation" feature. Add a new rule which at least specifies the runCommand provider. In the Run As section, choose Specific User and provide credentials for a local administrator account on that machine. This is the identity under which your runCommand scripts will be executed. Finally, the user which you're specifying for the destination dirPath provider needs to be added to the delegation rule. That allows you to invoke a deployment using a non-privileged account, and yet have it executed on the target machine under administrative credentials.
More information on IIS feature delegation: http://learn.iis.net/page.aspx/516/configure-the-web-deployment-handler/
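A sketch of how the rule described in this answer would look in the delegation section of the destination server's administration.config (an added example, not part of the original answer). The account name `deploy-admin` and the password placeholder are assumptions; `service-deploy` and the `C:\` path are the values given in the question.

```xml
<!-- Added illustration: system.webServer/management/delegation in administration.config -->
<system.webServer>
  <management>
    <delegation>
      <!-- path is the value the question used for its runCommand rule -->
      <rule enabled="true" providers="runCommand" actions="*"
            path="C:\" pathType="PathPrefix">
        <!-- Run As: Specific User. deploy-admin is a hypothetical local administrator;
             the password is a placeholder, entered through the IIS Manager dialog. -->
        <runAs identityType="SpecificUser" userName="deploy-admin"
               password="PLACEHOLDER-SET-IN-IIS-MANAGER" />
        <permissions>
          <!-- the non-privileged account passed as userName= in the -dest argument -->
          <user name="service-deploy" accessType="Allow" isRole="false" />
        </permissions>
      </rule>
    </delegation>
  </management>
</system.webServer>
```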