Using Octopus in an environment with cut-down security permissions

Currently our IT team won’t give us admin over our production environment. We’re trying to get Octopus working in prod with a cut-down set of permissions (basically read-only for IIS but allow write to disk).

It looks like Octopus checks most configuration options before it tries to configure them, which is ideal as we’ll get an error if something is wrong but it won’t actually change any of the config.

We are currently stuck on an error that suggests that it always tries to assign a website to an app pool without checking if it’s already in that app pool.

Assigning website to application pool…
16:46:15 Info
Attempt 1 of 5 failed: Filename: \\?\C:\Windows\system32\inetsrv\config\applicationHost.config
16:46:15 Info
Error: Cannot write configuration file due to insufficient permissions

It would be nice if it checked first.

We did also notice that it writes to disk before it checks the config. It would be really nice if it did a sanity check of all changes before it tried anything, but that would be a much bigger change.

Forgot to mention, we have full admin over the dev environment which is why we’re using some of the app pool settings etc.

We’re hoping to be able to get admin on the prod eventually but need to take baby steps.

Hi,

Thanks for reaching out. The Tentacle component behind all this logic is Calamari, which is an Open Source project. You could add the App Pool check feature yourself and send us a PR for us to evaluate it. I can’t see why we wouldn’t merge it if you submit it :)

You’d need to make that change somewhere along these lines: https://github.com/OctopusDeploy/Calamari/blob/master/source/Calamari/Scripts/Octopus.Features.IISWebSite_BeforePostDeploy.ps1#L246-L265

I’m afraid that for the actual changes on IIS, you’re gonna need to continue the discussion with your IT team to get an account with higher privileges.

Best regards,

Dalmiro

Added pull request for app pool check (https://github.com/OctopusDeploy/Calamari/pull/66). Will potentially be doing more separate pull requests as I find more issues.

Awesome! Thanks for that.
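
The check-before-write behaviour discussed in this thread, as an added example that is not part of the original posts and is not Calamari's code or the contents of the linked pull request. The function name, its parameters and the sample site and pool names are hypothetical; it assumes the deployment account can read applicationHost.config through the WebAdministration module.

```powershell
Import-Module WebAdministration

# Hypothetical helper (not from Calamari): only touch IIS config when the
# site's application pool actually differs from the requested one.
function Set-SiteAppPoolIfChanged {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SiteName,
        [Parameter(Mandatory = $true)][string]$AppPoolName
    )

    $sitePath = "IIS:\Sites\$SiteName"
    $poolPath = "IIS:\AppPools\$AppPoolName"

    # Read-only validation first, so a wrong name fails before any write is attempted.
    if (-not (Test-Path $sitePath)) { throw "Site '$SiteName' does not exist." }
    if (-not (Test-Path $poolPath)) { throw "Application pool '$AppPoolName' does not exist." }

    # Reading the current assignment needs only read access to the IIS configuration.
    $current = (Get-Item $sitePath).applicationPool

    # Exact, case-sensitive match; anything else falls through to the write path.
    if ($current -ceq $AppPoolName) {
        Write-Verbose "Site '$SiteName' is already in pool '$AppPoolName'; no write needed."
        return $false
    }

    # The only branch that writes. With -WhatIf it reports the change and skips it.
    if ($PSCmdlet.ShouldProcess($sitePath, "Change applicationPool from '$current' to '$AppPoolName'")) {
        Set-ItemProperty $sitePath -Name applicationPool -Value $AppPoolName
        return $true
    }
    return $false
}

# Constructed names for illustration; substitute a real site and pool.
# -WhatIf turns the call into a dry run of the pending change.
Set-SiteAppPoolIfChanged -SiteName 'ExampleSite' -AppPoolName 'ExampleAppPool' -WhatIf -Verbose
```

With a read-only account the function returns `$false` without error when the assignment already matches, and the insufficient-permissions error appears only when a real change is pending.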