Azure-docs: Patch Orchestration App does nothing

Created on 12 Nov 2018 · 28 Comments · Source: MicrosoftDocs/azure-docs

I've tried every combination of settings and stuff I can think of, but the Patch Orchestration app simply does not work. The REST API never returns any items. It never applies any updates. It's not in an error state.

I also cannot figure out how to obtain logs from it. It's an on-premise cluster. The documentation speaks about some ETW IDs.... but how do you even look at these from an on-premise cluster?



cxp in-progress product-question service-fabrisvc triaged

All 28 comments

@wasabii Thank you for your feedback. Could you provide the URL of the documentation that you are following?

-James

@wasabii to confirm, it is only the step with deploying the app you are having issues with?

If you go to the Service Fabric Explorer you see fabric:/System/RepairManagerService correct?

@wasabii any update on this?

@wasabii I will close for now. When ready let me know and we can reopen and continue.

Um. As I said, the REST API never returns any updates as having been applied. The REST API wouldn't exist if I hadn't managed to get the thing installed. :)

To repeat, no, the problem is not with "deploying the app". It's with it not doing anything once deployed.

@novino @aljo-microsoft could either of you help further on this?

I have noticed this problem in one of our on-premise clusters. The PatchOrchestration worked when I tested on a 5-node unsecure cluster. I am now trying to get the PatchOrchestration to run on a 5-node secure Windows cluster, and set a schedule for Weekly, Sunday, 22:00:00. It never seems to trigger the update and I see the same behavior as Wasabii reported calling the REST API. It returns an empty result.

In case you're using Windows-based security, you'd have to do an additional step of configuring your Windows security.

Add the below section to your clustermanifest.

"ClientIdentities": [
    {
        "Identity": "NT AUTHORITY\\SYSTEM",
        "IsAdmin": true
    }
]

This would whitelist processes running as SYSTEM to access Service Fabric client APIs.
I think this info is missing in the documentation, and we'll have to update the same.

In case this doesn't fix your problem, share the Service Fabric logs from your cluster around the time period Sunday 22:00 - 23:00.

@wasabii could you try the above steps as well, in case you're using Windows-based security for your Service Fabric clusters. Also do share the Service Fabric logs.

Hi Novino, thanks for the fast response. I'll add that identity to my cluster config. It does look like that could be the problem, as that identity would not have any permissions on the secure cluster, as I use a GMSa. I will report back when the schedule runs again.

I am configuring my cluster with the mentioned value and will post when I know whether it fixed the problem or not.

It's been about 24 hours now. I've reset WUFrequency so that it is hit a few times now. The patch orchestration app appears to still be doing nothing. Hitting the GetWindowsUpdateResults REST Uri still returns an empty array.

@wasabii
Have you confirmed you have patches to apply?

I've previously seen users provision new VMs on-prem, build a cluster, and wonder why no patches were being applied; it was because in their case, provisioned VMs came updated, and they didn't have any patches to apply yet.

There are patches to apply, yes.

@wasabii , could you share the Service Fabric logs from your cluster.
Refer - how to collect logs for standalone cluster.

@darran1971 were you able to unblock yourself ?

I haven't tested this in our production environment yet, as I have an issue activating the new backup/restore service. That seems permission related "access denied" when starting up an OWIN host, even though I have added the "Nt Authority\System" account as an admin. I will try to test this with the Patch Orchestration service over the next few days.

@darran1971 - What's the issue you are facing with activating the Backup Restore service? Can you please open up a new issue for that? Would be happy to help you unblock.

@raunakpandya, there is already an issue, #19950, for BRS activation which we are investigating.

Ok, I have checked, and can confirm that the Upgrade Orchestration service failed to run on Sunday at 18:00, with the NT Authority\System account added as an admin. I remembered that I had configured this on our UAT environment which is set up exactly the same as our Live environment.

Woh, hey guys. It took a couple days, but it just started showing stuff for me. Adding the SYSTEM account was all I did, so that's probably what did the trick for me.

It took DAYS to show up though. Even though I have the thing set to run Daily.

Good to hear that, @wasabii. It could be that the "NT Authority\System" changes might not have taken effect. Similar to what darran has reported above.

In case you're interested in knowing when your cluster manifest settings took effect, you can check by having a look at the cluster upgrade details in your Service Fabric Explorer. It has details of the last cluster upgrade, the version of the cluster manifest which was upgraded, and timelines for the operation.

Feel free to engage us in any new discussion around POA or SF in general. Am closing this one.

@MicahMcKittrick-MSFT feel free to close this thread once @darran1971 has confirmed it's working for him as well.

I have just set the WU frequency to daily at 8pm. So will see if this starts to trigger a patch update over the next few days.


@darran1971 - Ok please note that the time you mention is in UTC.

I can confirm that the patch orchestration is now working correctly on a Windows Secure standalone cluster, as a result of adding the NT Authority\System account to the cluster security as admin as specified by @novino.

"ClientIdentities": [
    {
        "Identity": "NT AUTHORITY\\SYSTEM",
        "IsAdmin": true
    }
]

I guess this issue can now be closed :)

Thanks for confirming, @darran1971. @MicahMcKittrick-MSFT, could you close this issue, as I don't have closing permission.
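
An added example, not code from this thread or from the Service Fabric project: a Python check that a cluster configuration given as JSON lists NT AUTHORITY\SYSTEM as an admin entry under ClientIdentities, which is the change the thread reports as the fix. It also reports an identity written with a single unescaped backslash as invalid JSON. The sample documents, the CONTOSO\ops account and the nesting around ClientIdentities are constructed for illustration; the search itself does not depend on that nesting.

```python
import json

REQUIRED = "NT AUTHORITY\\SYSTEM"  # one backslash once Python parses this literal

def client_identities(node):
    """Yield every dict inside any "ClientIdentities" list, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "ClientIdentities" and isinstance(value, list):
                yield from (e for e in value if isinstance(e, dict))
            else:
                yield from client_identities(value)
    elif isinstance(node, list):
        for item in node:
            yield from client_identities(item)

def check_system_admin(config_text):
    """Return (ok, reason) for a cluster configuration given as JSON text."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return False, f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"
    entries = list(client_identities(config))
    if not entries:
        return False, "no ClientIdentities section found"
    for entry in entries:
        # Windows account names are case-insensitive.
        if str(entry.get("Identity", "")).casefold() == REQUIRED.casefold():
            if entry.get("IsAdmin") is True:
                return True, "SYSTEM is an admin client identity"
            return False, "SYSTEM is listed but IsAdmin is not true"
    return False, "SYSTEM is not listed in ClientIdentities"

# Constructed samples; the nesting around ClientIdentities is an assumption.
TEMPLATE = r'''{"security": {"WindowsIdentities": {"ClientIdentities": [
  {"Identity": "CONTOSO\\ops", "IsAdmin": true}%s
]}}}'''
GOOD = TEMPLATE % r', {"Identity": "NT AUTHORITY\\SYSTEM", "IsAdmin": true}'
SINGLE_BACKSLASH = TEMPLATE % r', {"Identity": "NT AUTHORITY\SYSTEM", "IsAdmin": true}'
MISSING = TEMPLATE % ""

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("single backslash", SINGLE_BACKSLASH), ("missing", MISSING)]:
        print(name, "->", check_system_admin(text))
```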
