Archived
This forum has been archived. Please start a new discussion on GitHub.
icegridnode as windows service
I am trying to set up a collocated icegridnode as a windows service. It runs fine when I start it from the command line, but when I start it as a service I get:
The error occurs whether I configure the service to run as LocalService or as administrator.
I have followed the steps in the Manual for ensuring that the Data directories are Readable/Writable by all users. The system PATH variable includes C:\Ice-3.3.0-VC90\bin.
Here is the service info:
One more bit of info: My PC is running anti-virus software that is not entirely under my control due to corporate policy. However, I am able to add exceptions for icegridnode.exe, and/or port 4061, and to temporarily disable it and it doesn't seem to make any difference.
Any suggestions would be appreciated.
C:\>sc start foolcol [SC] StartService FAILED 1053: The service did not respond to the start or control request in a timely fashion.The interesting thing is, the icegridnode service does start - I can query the registry and the servers are activated on demand - and it runs for 30 seconds before windows shuts it down with the above error message.
The error occurs whether I configure the service to run as LocalService or as administrator.
I have followed the steps in the Manual for ensuring that the Data directories are Readable/Writable by all users. The system PATH variable includes C:\Ice-3.3.0-VC90\bin.
Here is the service info:
C:\>sc qc foolcol [SC] GetServiceConfig SUCCESS SERVICE_NAME: foolcol TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : icegridnode.exe --Ice.Config=/foogrid/collocate.cfg LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : foolcol DEPENDENCIES : SERVICE_START_NAME : LocalSystemand here is the config file:
#collocate.cfg IceGrid.InstanceName=FooIceGrid # # The IceGrid locator proxy. # Ice.Default.Locator=FooIceGrid/Locator:tcp -h localhost -p 4061 # # IceGrid node configuration. # # # The node object adapter listens on all interface using an OS- # assigned port # IceGrid.Node.Endpoints=tcp IceGrid.Node.Name=node IceGrid.Node.Data=\foogrid\node IceGrid.Node.CollocateRegistry=1 # # IceGrid registry configuration. # IceGrid.Registry.Client.Endpoints=tcp -h localhost -p 4061 IceGrid.Registry.Server.Endpoints=tcp IceGrid.Registry.Internal.Endpoints=tcp IceGrid.Registry.Data=\foogrid\registry IceGrid.Registry.DefaultTemplates=\foogrid\foo.xml IceGrid.Registry.PermissionsVerifier=FooIceGrid/NullPermissionsVerifier IceGrid.Registry.AdminPermissionsVerifier=FooIceGrid/NullPermissionsVerifier
One more bit of info: My PC is running anti-virus software that is not entirely under my control due to corporate policy. However, I am able to add exceptions for icegridnode.exe, and/or port 4061, and to temporarily disable it and it doesn't seem to make any difference.
Any suggestions would be appreciated.
0
Comments
-
Hi Edward,
Did you try to install this service using the iceserviceinstall tool?
It does not look like you used iceserviceinstall: with iceserviceinstall, the service name would be icegridnode.<IceGrid instance name>.<Node name>.
Best regards,
Bernard0 -
Hi Bernard,
I tried using the iceserviceinstall. I was unable to install the service as user LocalService. It would always come back with this error:C:\>\Ice-3.3.0-VC90\bin\iceserviceinstall.exe icegridnode C:\Ice-3.3.0-VC90\config\icegridnode.cfg
Error: Could not retrieve effective rights for NT Authority\LocalService on C:\Documents and Settings\LocalService\Local Settings\Application Data\Ze
roC\icegrid\node1: Circular service dependency was specified.
Press any key to continue . . .
I found that I could install the service (although not successfully) with "sc", so that is what I have been using.
Thanks,0 -
Hi Edward,
This is a surprising error! Did you setup previously any dependency between services?
Could you remove all your installed Ice/Windows services, and the ZeroC directory in C:\Documents and Settings\LocalService\Local Settings\Application Data, reboot (as Windows does not always cleanup removed Windows service until a reboot) and then try again?
Best regards,
Bernard0 -
Hi Edward,
Could you also try to install a plain icegridregistry and icegridnode Windows service using the sample Windows service config file in your "config" directory?
Thanks,
Bernard0 -
You can also get additional output from iceserviceinstall by passing the (undocumented) --Debug option.
Best regards,
Bernard0 -
I removed all my attempted windows services, rebooted, tried iceserviceinstall with supplied config files, and got the same result:
C:\sunflower\AutoTest\bin>iceserviceinstall.exe icegridnode C:\Ice-3.3.0-VC90\config\icegridnode.cfg Error: Could not retrieve effective rights for NT Authority\LocalService on C:\Documents and Settings\LocalService\Local Settings\Application Data\ZeroC\icegrid\node1: Circular ser vice dependency was specified. Press any key to continue . . . C:\sunflower\AutoTest\bin>iceserviceinstall.exe icegridregistry C:\Ice-3.3.0-VC90\config\icegridregistry.cfg Error: Could not retrieve effective rights for NT Authority\LocalService on C:\Documents and Settings\LocalService\Local Settings\Application Data\ZeroC\icegrid\registry: Circular service dependency was specified. Press any key to continue . . .
It doesn't like the "--Debug" flag, where in the command line would that go?0 -
OK, "--Debug=1" works, but doesn't give much more info:
C:\sunflower\AutoTest\bin>iceserviceinstall.exe --Debug=1 icegridregistry C:\Ice-3.3.0-VC90\config\icegridregistry.cfg [ 10/20/08 15:30:15.221 iceserviceinstall.exe: IceServiceInstaller: SID: S-1-5-19; Full name: NT Authority\LocalService ] Error: Could not retrieve effective rights for NT Authority\LocalService on C:\Documents and Settings\LocalService\Local Settings\Application Data\ZeroC\icegrid\registry: Circular service dependency was specified. Press any key to continue . . .
0 -
Hi Edward,
If you look at the iceserviceinstall source code (which is quite straightforward) this error message comes from:TRUSTEE trustee; BuildTrusteeWithSid(&trustee, _sid); ACCESS_MASK accessMask = 0; res = GetEffectiveRightsFromAcl(acl, &trustee, &accessMask); if(res != ERROR_SUCCESS) { throw "Could not retrieve effective rights for " + _sidName + " on " + path + ": " + IceUtilInternal::errorToString(res); }
I don't understand how GetEffectiveRightsFromAcl can fail with this error.
iceserviceinstall adds dependencies to "netprofm", "Nla" (if they exist), which should be totally safe.
Did you try to install the service using another user, e.g. yourself? (the option is --ObjectName=<yourname> --Password=<yourpassword>).
Also, make sure to run iceserviceinstall as an administrator on your system.
Best regards,
Bernard0 -
Hi Bernard,
Yes, that works. I can install and run the sample Windows services, icegridregistry and icegridnode, when I set "--ObjectName=myself".
In case I missed something, here is the cacls output:C:\Documents and Settings\LocalService\Local Settings\Application Data>cacls ZeroC C:\Documents and Settings\LocalService\Local Settings\Application Data\ZeroC NT AUTHORITY\LOCAL SERVICE:F NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(IO)F NT AUTHORITY\SYSTEM:F NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F BUILTIN\Administrators:F BUILTIN\Administrators:(OI)(CI)(IO)F
I really appreciate your help on this. I know that it will eventually turn out some obscure account setting, or service, or anti-virus, or environment variable, or something causing the problem. But I would like to solve as many potential problems now, before I start installing the software on a variety of PCs around the office.
Thanks,0 -
Hi Edward,
Which Windows version do you use on this PC? (The location of the LocalService home directory varies from version to version).
Can you reproduce this problem on another Windows PC?
Thanks,
Bernard0 -
Hi Bernard,
It's running Windows XP Pro service pack 2.
I'll try reproducing the problem on another PC. Every PC around here is slightly different because every developer has his or her favorite tools, etc. However, the overall corporate account management, anti-virus, etc., should be the same.
Thanks,0 -
Hi Bernard,
I get the same error on another PC:C:\>\Ice-3.3.0-VC90\bin\iceserviceinstall.exe --Debug=1 icegridregistry C:\Ice-3.3.0-VC90\config\icegridregistry.cfg [ 10/21/08 11:19:40.883 /Ice-3.3.0-VC90/bin/iceserviceinstall.exe: IceServiceInstaller: SID: S-1-5-19; Full name: NT Authority\LocalService ] Error: Could not retrieve effective rights for NT Authority\LocalService on C:\Documents and Settings\LocalService\Local Settings\Application Data\ZeroC: Circular service dependency was specified. Press any key to continue . . .
Thanks again,0 -
Hi Edward,
Here is the expected output (also on XP SP2):C:\>\Ice-3.3.0-VC90\bin\iceserviceinstall.exe --Debug=1 icegridregistry C:\Ice-3.3.0-VC90\config\icegridregistry.cfg [ 10/21/08 14:46:18.172 /Ice-3.3.0-VC90/bin/iceserviceinstall.exe: IceServiceInstaller: SID: S-1-5-19; Full name: NT Authority\LocalService ] [ 10/21/08 14:46:18.344 /Ice-3.3.0-VC90/bin/iceserviceinstall.exe: IceServiceInstaller: NT Authority\LocalService had already the desired permissions on C:\Documents and Settings\LocalService\Local Settings\Application Data\ZeroC ] [ 10/21/08 14:46:18.391 /Ice-3.3.0-VC90/bin/iceserviceinstall.exe: IceServiceInstaller: NT Authority\LocalService had already the desired permissions on C:\Documents and Settings\LocalService\Local Settings\Application Data\ZeroC\icegrid ] [ 10/21/08 14:46:18.422 /Ice-3.3.0-VC90/bin/iceserviceinstall.exe: IceServiceInstaller: NT Authority\LocalService had already the desired permissions on C:\Documents and Settings\LocalService\Local Settings\Application Data\ZeroC\icegrid\registry ] [ 10/21/08 14:46:18.469 /Ice-3.3.0-VC90/bin/iceserviceinstall.exe: IceServiceInstaller: Granted access on C:\Ice-3.3.0-VC90\config\icegridregistry.cfg to NT Authority\LocalService ] Press any key to continue . . .
Bernard0 -
That is essentially what I get when I add the "--ObjectName=myself" option:
C:\>\Ice-3.3.0-VC90\bin\iceserviceinstall.exe --Debug=1 icegridregistry C:\Ice-3.3.0-VC90\config\icegridregistry.cfg --ObjectName=bishope [ 10/21/08 11:55:08.004 /Ice-3.3.0-VC90/bin/iceserviceinstall.exe: IceServiceInstaller: SID: S-1-5-21-391068476-594298578-1233803906-69298; Full name: AM\bishope ] [ 10/21/08 11:55:08.004 /Ice-3.3.0-VC90/bin/iceserviceinstall.exe: IceServiceInstaller: AM\bishope had already the desired permissions on C:\Documents and Settings\LocalService\Local Settings\Application Data\ZeroC\ic egrid\registry ] [ 10/21/08 11:55:08.051 /Ice-3.3.0-VC90/bin/iceserviceinstall.exe: IceServiceInstaller: AM\bishope had already the desired permissions on C:\Ice-3.3.0-VC90\config\icegridregistry.cfg ] Press any key to continue . . .
0 -
Hi Edward,
Could you try with a different directory? (by editing icegridregistry.cfg) E.g. just C:\IceGrid\registry.
This "C:\Documents and Settings\LocalService" is just the default location for the LocalService home directory. It doesn't matter for Ice.
Thanks,
Bernard0 -
Hi Bernard,
Same result:C:\>iceserviceinstall.exe --Debug=3 icegridregistry C:\Ice-3.3.0-VC90\config\icegridregistry2.cfg [ 10/21/08 12:13:45.236 iceserviceinstall.exe: IceServiceInstaller: SID: S-1-5-19; Full name: NT Authority\LocalService ] Error: Could not retrieve effective rights for NT Authority\LocalService on C:\icegrid: Circular service dependency was specified. Press any key to continue . . . C:\sunflower\AutoTest\bin>
Here is the modified cfg file. I also changed the instance name so as not to conflict with the previously installed service (after I accumulate a few I'll delete them and reboot):# # Sample configuration file for the IceGrid registry daemon # # # The IceGrid instance name; must be unique, to distinguish several # IceGrid deployments # IceGrid.InstanceName=SampleIceGrid2 # # Client object adapter: listens on all interfaces # (add -h <name | IP address> to listen on just one interface) # IANA-registered TCP ports for the IceGrid registry: # - 4061 (insecure) # - 4062 (secure, using SSL) # IceGrid.Registry.Client.Endpoints=tcp -p 4061 #IceGrid.Registry.Client.Endpoints=ssl -p 4062 #IceGrid.Registry.Client.Endpoints=tcp -p 4061:ssl -p 4062 # # Server and Internal object adapters: listens on all interfaces # using an OS-assigned port number. # IceGrid.Registry.Server.Endpoints=tcp IceGrid.Registry.Internal.Endpoints=tcp # # The registry DB home; must exist when icegridregistry starts # # Under Vista we recommend using: # # C:\Windows\ServiceProfiles\LocalService\AppData\Local\ZeroC\icegrid\registry # IceGrid.Registry.Data=C:\icegrid\registry # # Authentication/authorization # With NullPermissionsVerifier, any password is accepted (not recommended # for production) # IceGrid.Registry.PermissionsVerifier=SampleIceGrid2/NullPermissionsVerifier IceGrid.Registry.AdminPermissionsVerifier=SampleIceGrid2/NullPermissionsVerifier # # Default templates # IceGrid.Registry.DefaultTemplates=C:\Ice-3.3.0-VC90\config\templates.xml # # Trace properties. # IceGrid.Registry.Trace.Node=1 IceGrid.Registry.Trace.Replica=1
Thanks,0 -
Hi Edward,
I don't know how this error can occur, and I can't reproduce it, so I've just posted a question on a Microsoft newsgroup.
Best regards,
Bernard0 -
Hi Bernard,
Success (of a sort)!
Searching the web, it looks like GetEffectiveRightsFromAcl() has some strange bugs on a variety of platforms, although I could not find any record of this bug on this platform. So, I built iceserviceinstall with IceServiceInstaller::grantPermissions() modified to return immediately, and it worked! That is, I was able to install and run my collocated service.
I had to modify the LogOn / Account with the Windows Admin/Services dialog. The iceserviceinstall had set the account to NT Authority\Local Service. With that setting, I was unable to start my servers via IceGridGUI. I would get the error: "Error: can't reach this server's Admin object". After I stopped the service and selected the radio button for the "Local system account" and restarted everything worked.
There is a lot going on here that I don't understand: Why did GetEffectiveRightsFromAcl() fail? Why did my workarounds with sc fail? How is "Local system account" different from "NT Authority\Local Service"? If I had my way we would do all of our development on Linux. Oh well.
Thanks,0 -
Hi Edward,
Your work-around is a bit extreme! Local Service is a low-privilege built-in account while Local System has Admin rights. See Service User Accounts (Windows).
You could probably use the unmodified iceserviceinstall and specify --ObjectName=LocalSystem to get the same behavior.
The main question is why is GetEffectiveRightsFromAcl with LocalService failing with this strange error on your XP systems ... I have no idea!
Best regards,
Bernard0 -
Hi Bernard,
Here is the result when I add --ObjectName=LocalSystem to the unmodified iceserviceinstall command:C:\>iceserviceinstall icegridnode c:/foogrid/collocate2.cfg --ObjectName=LocalSystem Error: Could not retrieve Security ID for LocalSystem: The trust relationship between the primary domain and the trusted domain failed. Press any key to continue . . .
Searching the web, it seems this is a common error and that my PC, or my account. needs to be deleted and then re-added to the Domain. Or something.
I am very reluctant to get our system administrators involved. My workaround, returning immediately from grantPermissions(), is adequate for now.
Thanks again,0 -
Hi Edward,
Sometime ago I had problems installing icegrid (Ice 3.3.1) as a service.
I can't recall the exact details, but I had threee problems:
1. Insufficient rights to install the service on some PCs (Windows XP) as LocalService.
2. An IceGridNode running on a Linux platform was unable to connect to the IceGridRegistry running as Windows Service.
3. An the show stopper was not being able to launch a Windows app with a HMI using IceGrid.
Admittedly I did not spend a lot of time trying to resolve the issues. However in the end I simply added some code to an existing "Utility" that spawns icegridnode (collocated mode) as a standard process. The "Utility" gets run whenever the PC boots and spawns the icegridnode process automatically. The utility appears as a system tray icon, which allows me open a form and perform housekeeping functions, as well as start and stop IceGrid manually.
Cheers John0