winrm communicator in GCE

505 views
Skip to first unread message

Sachin

unread,
Mar 25, 2017, 7:02:46 AM3/25/17
to Packer
Hello,

I am having issue with use of winrm communicator in Google Cloud, I even tried to run packer scrip from same subnet where I am building instance in GCE, I can connect to instance with power shell with this command, 


Enter-PSSession -ComputerName [IP_ADDRESS] -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck) -Credential $credentials

So network connectivity is not problem,

But packer script waits for winrm and its times out.

Is any one using packer in Google cloud to build windows instance please give me some idea of what I am doing wrong.

Here is my builders section, I tried using both port 5985 and 5986. I set time out to 300 for testing. with this new windows instance comes up but packer never able to connect to it with winrm.

"builders": [
    {
      "account_file": "xxxx.json",
      "communicator": "winrm",
      "disk_size": "80",
      "disk_type": "pd-ssd",
      "image_description": "xxxxxxx",
      "image_family": "xxxxxx",
      "image_name": "xxxxxx",
      "instance_name": "xxxxxx",
      "machine_type": "n1-standard-1",
      "project_id": "xxxxxxx",
      "source_image": "windows-server-2012-r2-dc-v20170214",
      "type": "googlecompute",
      "use_internal_ip": true,
      "winrm_insecure": true,
      "winrm_port": 5986,
      "winrm_timeout": "300m",
      "winrm_use_ssl": true,
      "winrm_username": "packer",
      "zone": "us-east1-d"
    }
  ],

Rickard von Essen

unread,
Mar 25, 2017, 7:25:00 AM3/25/17
to packe...@googlegroups.com
By default the GCE firewall doen't allow WinRM connections (from the outside). Have you opened up port 5986 in the firewall? If that doesn't help can you run PACKER_LOG=1 packer build template.json and attach/gist the output?

// Rickard

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/mitchellh/packer/issues
IRC: #packer-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Packer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to packer-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/packer-tool/8a1c0d67-bb35-4ae8-a007-22ab980f795d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Sachin

unread,
Mar 25, 2017, 8:22:16 AM3/25/17
to Packer
2017/03/25 07:55:09 packer.exe: 2017/03/25 07:55:09 [DEBUG] connecting to remote shell using WinRM
2017/03/25 07:55:09 packer.exe: 2017/03/25 07:55:09 [ERROR] connection error: http response error: 401 - invalid content type
2017/03/25 07:55:09 packer.exe: 2017/03/25 07:55:09 [ERROR] WinRM connection err: http response error: 401 - invalid content type
2017/03/25 07:55:14 packer.exe: 2017/03/25 07:55:14 [INFO] Attempting WinRM connection...
2017/03/25 07:55:14 packer.exe: 2017/03/25 07:55:14 [DEBUG] connecting to remote shell using WinRM
2017/03/25 07:55:14 packer.exe: 2017/03/25 07:55:14 [ERROR] connection error: http response error: 401 - invalid content type
2017/03/25 07:55:14 packer.exe: 2017/03/25 07:55:14 [ERROR] WinRM connection err: http response error: 401 - invalid content type
2017/03/25 07:55:19 packer.exe: 2017/03/25 07:55:19 [INFO] Attempting WinRM connection...
2017/03/25 07:55:19 packer.exe: 2017/03/25 07:55:19 [DEBUG] connecting to remote shell using WinRM
2017/03/25 07:55:19 packer.exe: 2017/03/25 07:55:19 [ERROR] connection error: http response error: 401 - invalid content type
2017/03/25 07:55:19 packer.exe: 2017/03/25 07:55:19 [ERROR] WinRM connection err: http response error: 401 - invalid content type
To unsubscribe from this group and stop receiving emails from it, send an email to packer-tool...@googlegroups.com.

Sachin

unread,
Mar 25, 2017, 8:27:22 AM3/25/17
to Packer

Sachin

unread,
Mar 25, 2017, 8:46:40 AM3/25/17
to Packer

looks like credential object sent to GCE instance from packer is not formed correctly, as remote instance is expecting credentials in System.Security.SecureString and may be packer is sending plain text format.

Rickard von Essen

unread,
Mar 25, 2017, 12:10:56 PM3/25/17
to packe...@googlegroups.com
I could reproduce this. Could you please report a bug. I couldn't get this to work with any version of Windows. I also tested building an Windows AMI on AWS and that works fine.

When you file the issue please add as much debug info as possible. 

To unsubscribe from this group and stop receiving emails from it, send an email to packer-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/packer-tool/320059a9-afa3-4cba-9602-d394fcadea3d%40googlegroups.com.

Sachin

unread,
Mar 25, 2017, 12:30:20 PM3/25/17
to Packer

Thank you Rickard,

I will report bug.

Rickard von Essen

unread,
Mar 25, 2017, 12:39:03 PM3/25/17
to packe...@googlegroups.com
Actually after some googling I think it kind of works but then we should have an example in the docs.

To unsubscribe from this group and stop receiving emails from it, send an email to packer-tool+unsubscribe@googlegroups.com.
 To view this discussion on the web visit https://groups.google.com/d/msgid/packer-tool/850f91bf-3e03-4630-89d7-a2510ed76e48%40googlegroups.com.

Rickard von Essen

unread,
Mar 25, 2017, 12:49:57 PM3/25/17
to packe...@googlegroups.com
This works for me, but since I know nothing about Windows it's a bit of black magic what's done:

{
  "variables":
  {
    "startup_script": "winrm quickconfig -quiet & net user /add packer & net localgroup administrators packer /add & netsh advfirewall firewall set rule name=\"Windows Remote Management (HTTP-In)\" profile=public new remoteip=any & winrm set winrm/config/service @{AllowUnencrypted=\"true\"} & winrm set winrm/config/service/auth @{Basic=\"true\"} & powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \"Set-ExecutionPolicy -ExecutionPolicy bypass -Force\""
  },
  "builders":
  [
    {
      "type": "googlecompute",
      "project_id": "packer-test-141600",
      "disk_size": "50",
      "image_name": "windows-dc-test-{{timestamp}}",
      "disk_type": "pd-ssd",
      "machine_type": "n1-standard-1",
      "source_image": "windows-server-2016-dc-v20170227",
      "zone": "europe-west1-b",
      "communicator": "winrm",
      "winrm_username": "packer",
      "winrm_insecure": true,
      "winrm_timeout": "300m",
      "winrm_use_ssl": true,
      "metadata": { "windows-startup-script-cmd": "{{user `startup_script`}}" }
    }
  ],
  "provisioners": [{
    "type": "powershell",
    "inline": [
      "dir c:\\"
    ]
  }]
}


It would be awesome if you understand what the startup script does and could clean it up and we could put it in the docs.

// Rickard

Sachin

unread,
Mar 25, 2017, 1:41:45 PM3/25/17
to Packer
Thank you Rickard,

I am trying this right now. this script is opening up windows firewall and adding packer user to local admin group making winrm rules little bit less restrictive on new instance. in AWS we use same kind of script to make winrm communication to instance.

but in packer documentation

https://www.packer.io/docs/builders/googlecompute.html

it says that start up script does not work on windows build at this time that is why i did not tried.

Thank you for your help, I will try and let you know result.

Thank you,
Reply all
Reply to author
Forward
0 new messages