abaqus floating licenses gets hung. For example: if I kill a running job, the tokens that were previously in use (by me) gets hung and if I submit a job again there are no tokens available. When I check the token usage with abaqus licensing ru, it's my machine that’s using the tokens but no other job is running and no one else is using.
At the moment I’m restarting my machine to free up the tokens. Sometimes (Close to all) restart also doesn't help. Simulia Knowledgebase is not of much help.
I also checked whether the lmgrd.exe and ABAQUSLM is running in the process, apparently not. I don't have access to the server, How the client can purge the licenses, which the client checked out?
From the client side, it must be used the command 'lmutil' :
./lmutil lmremove --help
lmutil - Copyright (c) 1989-2014 Flexera Software LLC. All Rights Reserved.
usage: lmremove [-c licfile] feature user host display
lmremove [-c licfile] -h feature host port handle
lmremove [-c licfile] [-tsborrow <client_host>] | [-tsborrowstat]
For the 'licfile' parameter, you can use <server port>#<server name>.
But all users can't do that. Under Linux (I suppose under Windows to) the user that use this command must belong to the 'lmadmin' group on the licenses server.
A good solution is to use the 'TIMEOUT' directive in the option file if Abaqus's vendor daemon authorize this. 'TIMEOUT' define a delay. If a token isn't used during this delay, the server get it (an automatic 'IN' is done) and the token is free for an other user or the same when needed.
The license administrator can forbid this user action. It's very dangerous because all services licenses can be shut down by all members of the 'lmadmin' group. There is now way to limit the user's privileges if he belongs to the 'lmadmin' group on the licences server.
The simple solution is to ask to your licences administrator to release the token. In some case, there is no other solution than stop and restart the licences service.
Related
Openshift Online does not allow containers running processes as root for security reasons (see the corresponding question in their FAQ section). RStudio Server, on the other hand, requires root privileges for installation and certain operations. According to the RStudio Server admin guide:
RStudio Server runs as the system root user during startup and then
drops this privilege and runs as a more restricted user. RStudio
Server then re-assumes root privilege for a brief instant when
creating R sessions on behalf of users (the server needs to call
setresuid when creating the R session, and this call requires root
privilege).
Under these circumstances, is it somehow possible to get an RStudio Server docker container running on Openshift Online?
Using OpenShift Online the short answer is no, you will not be able to get it running. You would need to find a Docker image for it which is a single user version and doesn't implement a system whereby is trying to provide it for multiple users and expects to be able to switch user identity.
I have one windows service which will use plink.exe for SSH connection and I found that Plink cannot find the running Pageant.
Here is the steps I have done so far.
Install Windows service to run as particular user
Before starting Windows service, I log in as that user and start Pageant with PuTTY generated key.
Then I start the Windows service (but I can't manage to make it work since Plink cannot find Pageant and server reply as No supported authentication methods available.)
Note: If I run Windows service as console application with that user, everything is working fine.
PLink will be run in Service session (Session\0) while pageant runs in user session (Session\1). Plink uses some interprocess communication which, as it looks from your problem, doesn't work across sessions. Most likely there's MMF communication inside and objects are created without prefix, i.e. they become session-only (not global). You would need to build custom version of plink to solve the problem.
Pageant explicitly allows feeding keys to an application (PuTTY, PSFTP, PSCP, WinSCP, FileZilla) running in the same Windows session only. This is obviously for security reasons, not to allow a different user on the same machine hijack private keys loaded by another users. And even for convenience (ironically), so that you do not inadvertently use keys of a different user (leading possibly to having your account locked due to invalid login attempts).
Also note that the Pageant is not intended for an automation anyway. For the automation, use the private key explicitly, using the -i command-line parameter.
See https://the.earth.li/~sgtatham/putty/latest/htmldoc/Chapter3.html#using-cmdline-identity
Such private key have to be unencrypted. Note that this imposes security risk, if someone gains access to the key. You should consider restricting an access to the unprotected private key file to the local account that runs the script only (using Windows file system permissions).
As #Eugene point out, it is Session 0 Isolation.
I managed to solve the issue by not using agent but directly passed the private key and password to plink.exe. By doing that, I'm able to run without using pageant.
To start plink.exe without agent;
plink.exe -noagent -i private_key.ppk -pw mypassword -P 1234 user#host.com
Is anyone successfully using MsDeploy for deploying windows services with a preSync runCommand? I've got it working using an Administrator account, but can't for the life of me get it working on a standard user account. Unfortunately I can't use integrated authentication (we're deploying to an external box), and the thought of our Administrator password sitting in plaintext in logs on our build server doesn't exactly make me feel too comfortable. For that matter, neither does any user credentials - but I can't see a way around that.
The command I'm using is this:
"tools/deploy/msdeploy.exe" -verb:sync
-preSync:runCommand="tools\Deploy\PreSyncCommand.cmd",waitInterval=30000
-source:dirPath="C:\BuiltSourcePath"
-dest:computerName=https://server:8172/msdeploy.axd?site=dummysitename,userName=service-deploy,password=service-deploy-pass,authType=basic,dirPath="C:\DeployPath\"
-allowUntrusted
with rules set up in IIS for the dummy site to allow the authentication for the service-deploy windows account, with contentPath and runCommand permissions (for the moment set to C:\ as it's not entirely clear whether this needs to be set to the temporary path that MsDeploy streams to, or the deployment path?). The service-deploy account also has full control of the target directory. I get the following back:
Performing '-preSync'...
Info: Using ID '7a7d34a1-b5d8-49f1-960a-31c9cf825868' for connections to the remote server.
Info: Using ID '4d0b910c-aca4-4640-84bd-3597d22d99d1' for connections to the remote server.
Info: Updating runCommand (C:\TeamCity\buildAgent\work\aec989676b349656\tools\De
ploy\PreSyncCommand.cmd).
Warning: Access is denied.
Warning: The process 'C:\Windows\system32\cmd.exe' (command line '/c "C:\Windows
\ServiceProfiles\LocalService\AppData\Local\Temp\giz2t0kb.0ay.cmd"') exited with
code '0x1'.
This happens even if the contents of PreSyncCommand.cmd is blank. The same command runs fine if I pass in Administrator credentials. I've tried using ProcessMonitor to check if anything's being denied access but can't see any - so I'm guessing it's still a MsDeploy authentication rule. There's nothing in WmSvc.log (debugging is enabled), nor in the event log.
Any ideas? Thanks!
Since you're using Web Deploy via WmSvc, you need to setup appropriate delegation rules on the destination server:
Within IIS Manager, open the "Management Service Delegation" feature. Add a new rule which at least specifies the runCommand provider. In the Run As section, choose Specific User and provide credentials for a local administrator account on that machine. This is the identity under which your runCommand scripts will be executed. Finally, the user which you're specifying for the destination dirPath provider needs to be added to the delegation rule.
That allows you to invoke a deployment using a non-privileged account, and yet have it executed on the target machine under administrative credentials.
More information on IIS feature delegation: http://learn.iis.net/page.aspx/516/configure-the-web-deployment-handler/
I'd like to write a service (that starts up and runs whenever the machine is on) that queries Active directory since the user IIS uses does not have permission to query AD. How do I determine if A) my workstation where I have local admin rights, and B) a shared team workstation will allow me to do this?
Anything you can do as an interactive user can be done by a service with appropriate permissions and configuration, so it isn't so much an issue of determining if you can, but rather configuring the service so that it can.
Your installation package should request an appropriate set of credentials (and of course must be run by a user with privileges to install such a service). The service itself should simply catch and log any permission exceptions.
As an example - look at the SQL Server installation process. Early on it requests that you specify accounts with the required privileges.
I have an application that runs as a service, and dynamically creates and publishes windows performance (perfmon) counters.
When I run the application under my own account (as a service) which has administrative privileges, I get the following error:
714: The specified registry key is referenced by a predefined handle.
When I run the application from the command line, no error is produced.
I believe that this is a result of UAC, but I don't particularly want to disable UAC altogether.
Any ideas?
It is not enough just to be logged in as an administrator. The service needs to have an embedded manifest that sets the requestedExecutionLevel to requireAdministrator.