- Chef Manage v14.11.21
- Windows 2016 Datacenter
- vSphere 188.8.131.52000 machine template
- vRA 7.5.0 (Build: 10053500)
- Chef Server plug-in for vRealize Orchestrator 1.0.0
- Default workflow that came with the Chef Server plug-in - "CHEF\Windows Node Management\VMTools\Windows VMTools Chef-client first run Validatorless workflow"
- Chef Supermarket "sql_server" cookbook v5.5.0
- SQL Server Enterprise Core 2016
I have commented out several items and options that we don't need in the "sql_server" cookbook. I have also added a new recipe that runs first to bootstrap my server with custom applications. Then the server.rb recipe runs and includes the configure.rb recipe at the end, which is the default behavior. Then I added a post recipe to run some of the custom applications added by the first recipe. The cookbook runs all recipes successfully using chef-solo while logged into a VM.
VMTools is updated to the latest version in a previous workflow.
The VM is provisioned and a vRA subscription is set up to execute the "CHEF\Windows Node Management\VMTools\Windows VMTools Chef-client first run Validatorless workflow" under a local admin AD domain 'user' account. I have also run it using a local admin AD domain 'service' account.
The VM is successfully added as a client, and the node is successfully added in Chef Manage under either account.
My custom first recipe completes successfully every time.
The server.rb recipe consistently fails with one of the following errors under either account:
1. The SQL core installer complains that the WMI service cannot be started. There are COM+ registry errors in the Windows Event Viewer at the exact time, or just seconds before, associated with my local administrator AD domain account not having permissions to the RuntimeBroker COM+ application. The Event Viewer also shows that the SQL Server ScenarioEngine.exe registry keys in use leaked, which results in Windows closing the handle before SQL Server ScenarioEngine.exe is done using it for the install.
2. "SQL Server Setup was not able to access domain 'WinNT://XXXX' to validate user account 'XXXXX'. The SQL Server service account login or password is not valid." However, the service account password is correct and was validated using a Run As PowerShell credentials test, running Notepad or some other app as that user. The SQL installer is trying to connect to AD via the RuntimeBroker COM+ app to validate the service account that the SQL configuration.ini unattend file is setting on the Windows SQL services, but it cannot access RuntimeBroker because the registry unloads the key necessary, as indicated in the error above. It seems to pretty consistently alternate between these 2 errors: I can run it and get the WMI error, then run again and get the user account access error, then run again and get WMI, then run again and get the user account access error.
I occasionally will get "could not read key from registry" without getting either of the first 2 errors.
I believe that all of these errors are associated with registry entries that SQL Server needed being unloaded when the user running the installation logs off.
If I log in to the VM prior to or during the beginning stages of the cookbook execution as either account Chef is executing the recipes under, the cookbook completes all recipes successfully without issue and SQL is installed and functions as expected.
- I used a Ruby puts command to print out the user the cookbook is running as, and it prints the right account passed to the Chef plug-in workflow.
If we set the security policy "Do not forcefully unload the user registry at user logoff", or the registry value DisableForceUnload under HKLM:\Software\Policies\Microsoft\Windows\System, the installation successfully completes without any of the errors and SQL functions correctly.
I have also tried to use the PowerShell plug-in's PowerShell workflow, but I could not get it to successfully add the PowerShell host because of a cert issue:
Default workflow that came with the Chef Server plug-in - "CHEF\Windows Node Management\PowerShell\Windows PS Chef-client first run Validatorless workflow"
NOTES: Similar errors occur when installing Windows_Features and are resolved by logging in during the recipe execution or by setting the registry entry. Also, we recently tried install_method :windows_feature_powershell for Windows features in the resource block within the recipe, and that resolves the errors too.
Is anyone else seeing similar issues with registry entries necessary for install being unloaded?
How does Chef manage logins during a cookbook execution?
Does it log in at the beginning of the workflow, execute each recipe in the cookbook, and then log off?
Does it log in multiple times per recipe or resource block in a recipe?
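As an added example (not from the original post or the Chef plug-in), here is a PowerShell script that audits and sets the DisableForceUnload policy value the post describes as the workaround, and then lists recent User Profile Service events so you can see whether hives were being force-unloaded while still in use. The event ID 1530 and provider name are from memory and marked as assumptions in the comments; verify them on your own host.

```powershell
# Added example, not part of the original post. Run elevated.
# Policy: "Do not forcefully unload the user registry at user logoff"
$PolicyPath = 'HKLM:\Software\Policies\Microsoft\Windows\System'
$ValueName  = 'DisableForceUnload'

function Get-ForceUnloadPolicy {
    # Returns 1 if the policy is enabled (hive is NOT force-unloaded at logoff),
    # 0 if explicitly disabled, or $null if the value is absent (Windows default:
    # the hive is force-unloaded, which is what broke the SQL install in the post).
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Enable-ForceUnloadPolicy {
    # Creates the policy key if missing and sets the DWORD to 1, then re-reads it.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    return Get-ForceUnloadPolicy
}

function Get-RecentHiveUnloadEvents {
    # Assumption: event ID 1530 from provider 'Microsoft-Windows-User Profiles Service'
    # in the Application log is the "registry file still in use, will be unloaded now"
    # event. Adjust the filter if your host logs it differently.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-User Profiles Service'
        Id           = 1530
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$before = Get-ForceUnloadPolicy
Write-Output ("DisableForceUnload before: {0}" -f $(if ($null -eq $before) { '<not set>' } else { $before }))
if ($before -ne 1) {
    $after = Enable-ForceUnloadPolicy
    Write-Output ("DisableForceUnload after:  {0}" -f $after)
}
Get-RecentHiveUnloadEvents | Format-Table -AutoSize
```

Because this value is machine-wide, it keeps any user's hive loaded for as long as some process still holds a handle to it, so a reasonable approach is to enable it only for the provisioning window (for example in the bootstrap recipe) and revert it after the SQL install completes.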