Win Cookbook File Permission Denied

tl;dr: every time we update this cookbook file we get an EACCES error on Windows machines.

We have a YAML file we drop on every machine (which is consumed by Ohai). On Windows, whenever this file changes we get EACCES errors every time. This breaks all our Windows servers. We’ve written some hacky fixes (something watches logs and nukes the cached and final version). On a fresh run we’re ok.

Error message (obfuscated):

    ================================================================================
    Error executing action `create` on resource 'cookbook_file[C:/Some/Dir/stuff.yml]'
    ================================================================================

    Errno::EACCES
    -------------
    Permission denied @ rb_file_s_rename - (C:/Users/GSANCH~1/AppData/Local/Temp/11/chef-rest20160922-16016-1x92dpv, C:/Chef/cache/cookbooks/my_cookbook/files/default/stuff.yml)

    Resource Declaration:
    ---------------------
    # In C:/Chef/cache/cookbooks/my_cookbook/recipes/stuff.rb

     36: cookbook_file node['my_cookbook']['stuff_path'] do
     37:   source 'stuff.yml'
     38:   unless platform?('windows')
     39:     owner root_owner
     40:     group root_group
     41:     mode '0644'
     42:   end
     43:   notifies :reload, 'ohai[reload_datacenter]', :immediately

    Compiled Resource:
    ------------------
    # Declared in C:/Chef/cache/cookbooks/my_cookbook/recipes/stuff.rb:36:in `from_file'

    cookbook_file("C:/Some/Dir/stuff.yml") do
      provider Chef::Provider::CookbookFile
      action [:create]
      retries 0
      retry_delay 2
      default_guard_interpreter :default
      source "stuff.yml"
      cookbook_name "my_cookbook"
      path "C:/Some/Dir/stuff.yml"
      declared_type :cookbook_file
      recipe_name "stuff"
    end

    Platform:
    ---------
    x64-mingw32

Any thoughts on how to best troubleshoot this? This error is on a box running 12.14 but I’ve tried watching w/ procmon with no luck.

This sounds like a file permissions issue to me. What identity is chef running under and does that account have write permissions on that folder?

As which user do you run chef? One thing I notice is that the file seems to be in your personal temp directory, but then gets moved to a global directory.

The key seems to be this:

    Permission denied @ rb_file_s_rename - (C:/Users/GSANCH~1/AppData/Local/Temp/11/chef-rest20160922-16016-1x92dpv, C:/Chef/cache/cookbooks/my_cookbook/files/default/stuff.yml)

What are the exact ownership and permissions of both the source and the destination files? Also check the permissions on the directories.

Kevin Keane

Chef-client is running as SYSTEM.
Folder is owned by SYSTEM and has Full Control in the parent folder.
I’m running this as Administrator but this happens regardless of whether I run this or whether our scheduled task running as SYSTEM runs this.

Any tool suggestions to track down locks besides procmon?

One trick I find helpful trying to debug running as SYSTEM is using psexec and running PSEXEC -i -s -d CMD. That basically puts you on a cmd prompt running as the SYSTEM identity. Then you can test permissions, environment variables, temp folder locations and other oddities of the SYSTEM user.

Looks like a ruby_block resource above this had a line:
YAML.load(File.open('C:/Some/Dir/stuff.yml', 'r'))

I speculated that the File.open was keeping a lock on it so I switched to:
YAML.load_file('C:/Some/Dir/stuff.yml') which looks like it does a proper File.close.

Seems like this fixed the issue. Thanks guys!
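
The difference between the two calls in the last post, as an added example that is not part of the original thread: it counts the open `File` handles left behind by each call. The function names and the sample YAML are constructed for illustration, and the count is taken with GC paused so it runs the same on any platform.

```ruby
require 'yaml'
require 'tmpdir'

# File objects that still hold an open handle on +path+.
def open_handles(path)
  ObjectSpace.each_object(File).select do |f|
    !f.closed? && f.path == path
  rescue IOError # uninitialized or path-less File objects
    false
  end
end

# Pattern from the ruby_block in the thread: nothing closes the File, so the
# handle stays open until the garbage collector finalizes the object.
def load_leaky(path)
  YAML.load(File.open(path, 'r'))
end

# Replacement from the thread: load_file closes the file before returning.
def load_closed(path)
  YAML.load_file(path)
end

# Returns [parsed data, number of handles left open on path]. GC is paused
# so the count does not depend on when a collection happens to run.
def handles_after(path)
  GC.disable
  data = yield(path)
  [data, open_handles(path).size]
ensure
  GC.enable
end

# Hypothetical driver; the YAML content is a constructed sample.
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'stuff.yml')
    File.write(path, "datacenter: dc1\nrole: web\n")
    closed = handles_after(path) { |file| load_closed(file) }
    leaky = handles_after(path) { |file| load_leaky(file) }
    open_handles(path).each(&:close) # release the leak before cleanup
    { closed: closed, leaky: leaky }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

Where an IO object is needed rather than a path, the block form `File.open(path, 'r') { |f| YAML.load(f) }` closes the handle in the same way.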