packer (0.9.0) with AWS can't connect via winrm


David O'Brien

Mar 15, 2016, 1:36:05 AM
to Packer
Hi all,

got a packer build that used to work just fine.
Now that I have updated packer to 0.9.0 I am seeing the following behaviour:

amazon-ebs output will be in this color.

==> amazon-ebs: Prevalidating AMI Name...
==> amazon-ebs: Inspecting the source AMI...
==> amazon-ebs: Creating temporary keypair: packer xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
==> amazon-ebs: Creating temporary security group for this instance...
==> amazon-ebs: Authorizing access to port 5986 the temporary security group...
==> amazon-ebs: Launching a source AWS instance...
    amazon-ebs: Instance ID: i-xxxxxxxx
==> amazon-ebs: Waiting for instance (i-xxxxxxxx) to become ready...
==> amazon-ebs: Waiting for auto-generated password for instance...
    amazon-ebs: It is normal for this process to take up to 15 minutes,
    amazon-ebs: but it usually takes around 5. Please wait.
    amazon-ebs:
    amazon-ebs: Password retrieved!
==> amazon-ebs: Waiting for WinRM to become available...
==> amazon-ebs: Timeout waiting for WinRM.
==> amazon-ebs: Terminating the source AWS instance...
==> amazon-ebs: No AMIs to cleanup
==> amazon-ebs: Deleting temporary security group...
==> amazon-ebs: Deleting temporary keypair...
Build 'amazon-ebs' errored: Timeout waiting for WinRM.

==> Some builds didn't complete successfully and had errors:
--> amazon-ebs: Timeout waiting for WinRM.

==> Builds finished but no artifacts were created.

Anybody got an idea?

Cheers
David

James Woolfenden

Mar 19, 2016, 1:55:36 PM
to Packer
I get the same thing, also the same issue if I try to use terraform and then use the winrm remote provisioner. Except I can winrm to the box directly, just not via packer/terraform. I'm using http.

Luis Echegaray

Apr 30, 2016, 2:20:25 PM
to Packer
Same issue on a mac, using packer 0.10.0.

James Woolfenden

May 1, 2016, 4:03:43 AM
to Packer
I got past my issues. It was a number of things: set to use http instead of https, fixing the firewall with userdata (and setting an admin password) and setting my winrm config.
Hope that helps?

Aman Sharma

May 18, 2016, 5:52:10 PM
to Packer
In the user data file from the blog post at the link you provided, where do you configure winrm? Also, is that the user data file for a Terraform template? It has "Terraform" in it. In any case, I ran the following in Powershell:

set-item WSMan:\localhost\Client\AllowUnencrypted -Value True
set-item WSMan:\localhost\Client\Auth\Basic  -Value True
set-item WSMan:\localhost\Client\TrustedHosts -Value *

I created a json file similar to what you have and included the user data file that you have, but it's still stuck on "Waiting for winRM to become available." Is the problem that winRM is using https but the instance is expecting https? I would really appreciate some help with this. There's not too many clear solutions out there regarding this.

Thanks

James Woolfenden

May 18, 2016, 6:12:24 PM
to packe...@googlegroups.com

Hi Aman,

Terraform being in the userdata is just because I was also using the packer built amis in terraform -later.

It’s the winrm http port that needs opening on the packer ami (via userdata) and on the machine running packer. Leave https for now.

The main problem is that the script in userdata can fail silently, so you really need to check it. I was setting a password on the AMI that failed the default password policy and it was all failing.

(My client’s network was also blocking winrm ports so I had to tether my phone but that’s somewhat less likely)

If that doesn’t help, post what you have and I’ll have a look. James


Aman Sharma

May 19, 2016, 10:41:50 AM
to Packer
Thanks James. It's still timing out. Is it because the password needs to be something specific? Here's the json file I'm building:

example.json

{
   "builders": [{
    "type": "amazon-ebs",
    "region": "us-east-1",
    "instance_type": "t2.micro",
    "source_ami": "ami-c8a9baa2",
    "ami_name": "windows-ami-01",
    "user_data_file": "bootstrap-aws.txt",
    "communicator": "winrm",
    "winrm_username": "Administrator",
    "winrm_timeout": "4h",
    "security_group_id": "sg-0ed32675",
    "winrm_password": "password",
    "access_key": "AAAAAAAAAAAAAAAAAA",
    "secret_key": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  }]
}

And here's the user data file I'm using:

bootstrap-aws.txt

<powershell>
Enable-PSRemoting -force
set-item WSMan:\localhost\Service\AllowUnencrypted -Value True
set-item WSMan:\localhost\Service\Auth\Basic  -Value True
set-item WSMan:\localhost\Client\AllowUnencrypted -Value True
set-item WSMan:\localhost\Client\Auth\Basic  -Value True
new-NetFirewallRule -Name Terraform-http -DisplayName  "Terraform http" -Enabled  True -Profile Any -Action  Allow -protocol tcp -RemotePort 5985
new-NetFirewallRule -Name Terraform-https -DisplayName  "Terraform https" -Enabled  True -Profile Any -Action  Allow -protocol tcp -RemotePort 5986
net user Administrator password
set-executionpolicy bypass -force
iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
</powershell>

James Woolfenden

May 19, 2016, 12:20:03 PM
to packe...@googlegroups.com

I got an adapted version of your sample. Three things: firewall, needs a more complex password otherwise it fails silently, and you don’t need to specify a security group (it’s only temporary).

Example.json

{
    "variables": {
      "admin_password": "some0thingG?me5"
    },
    "builders": [
    {
        "type": "amazon-ebs",
        "region": "us-east-1",
        "source_ami": "ami-c8a9baa2",
        "instance_type": "m4.xlarge",
        "user_data_file": "bootstrap-aws.txt",
        "communicator": "winrm",
        "winrm_username": "Administrator",
        "winrm_timeout": "30m",
        "winrm_password": "{{user `admin_password`}}",
        "ami_name": "windows-ami-01"
     }
  ]
}

And bootstrap-aws.txt is:

 

<powershell>
Enable-PSRemoting -force
set-item WSMan:\localhost\Service\AllowUnencrypted -Value True
set-item WSMan:\localhost\Service\Auth\Basic  -Value True
set-item WSMan:\localhost\Client\AllowUnencrypted -Value True
set-item WSMan:\localhost\Client\Auth\Basic  -Value True
set-NetFirewallRule -Name  WINRM-HTTP-In-TCP-PUBLIC -Profile Any -Enabled true
set-NetFirewallRule -Name  WINRM-HTTP-In-TCP -Profile Any -Enabled true
new-NetFirewallRule -Name Terraform-http -DisplayName  "Terraform http" -Enabled  True -Profile Any -Action  Allow -protocol tcp -RemotePort 5985
new-NetFirewallRule -Name Terraform-https -DisplayName  "Terraform https" -Enabled  True -Profile Any -Action  Allow -protocol tcp -RemotePort 5986
net user Administrator some0thingG?me5
set-executionpolicy bypass -force
</powershell>

Hope that helps.

This works.


Aman Sharma

May 19, 2016, 2:45:29 PM
to Packer
Is there anything else that could be causing the timeout? I've implemented the changes you suggested, and I'm still running into the same issue. Here's the code:

example.json

{
   "builders": [{
    "type": "amazon-ebs",
    "region": "us-east-1",
    "instance_type": "t2.micro",
    "source_ami": "ami-c8a9baa2",
    "ami_name": "windows-ami-01",
    "user_data_file": "bootstrap-aws.txt",
    "communicator": "winrm",
    "winrm_username": "Administrator",
    "winrm_timeout": "30m",
    "winrm_password": "some0thingG?me5",
    "access_key": "AAAAAAAAAAAAAAA",
    "secret_key": "AAAAAAAAAAAAAAAAAAAAAAAAAA"
  }]
}

bootstrap-aws.txt

<powershell>
Enable-PSRemoting -force
set-item WSMan:\localhost\Service\AllowUnencrypted -Value True
set-item WSMan:\localhost\Service\Auth\Basic  -Value True
set-item WSMan:\localhost\Client\AllowUnencrypted -Value True
set-item WSMan:\localhost\Client\Auth\Basic  -Value True
set-NetFirewallRule -Name  WINRM-HTTP-In-TCP-PUBLIC -Profile Any -Enabled true
set-NetFirewallRule -Name  WINRM-HTTP-In-TCP -Profile Any -Enabled true
new-NetFirewallRule -Name Terraform-http -DisplayName  "Terraform http" -Enabled  True -Profile Any -Action  Allow -protocol tcp -RemotePort 5985
new-NetFirewallRule -Name Terraform-https -DisplayName  "Terraform https" -Enabled  True -Profile Any -Action  Allow -protocol tcp -RemotePort 5986
net user Administrator some0thingG?me5
set-executionpolicy bypass -force
iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
</powershell>

James Woolfenden

May 19, 2016, 2:52:13 PM
to packe...@googlegroups.com

Have you opened up winrm locally?

Sent from my Fire



Aman Sharma

May 19, 2016, 3:12:10 PM
to Packer
That's done with winrm get winrm/config, right? Yesterday, I had configured these settings as per what you specified in your blog post. Unfortunately, I've lost admin rights to my computer due to an unrelated issue, and I can no longer run that command. (I restarted my computer this morning, and all of a sudden I no longer had admin rights. I should get this resolved soon) Unless those settings could have changed during the restart, they should be the correct settings I set yesterday. Once I get my admin rights issue resolved, I will double check and let you know.

Aman Sharma

May 24, 2016, 12:25:20 PM
to Packer
I have my admin rights issue resolved. Here is the output of winrm get winrm/config:

    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = true
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = false
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 30

I believe I have the correct settings enabled. Running winrm quickconfig returns: WinRM service is already running on this machine. WinRM is already set up for remote management on this computer.

What else could be the issue? I really appreciate all your help.
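
Added example, not part of the thread and not Packer's own code: since the userdata script can fail silently, this Python sketch parses `winrm get winrm/config` output captured on a host and reports whether the Service-side values the userdata sets actually took effect, plus which weakened settings are present and worth reverting before an AMI is captured. The function names and the sample text are assumptions constructed for illustration.

```python
# Constructed sample in the layout `winrm get winrm/config` prints
# (trimmed; values mirror a host where only Client settings were changed).
SAMPLE = """\
    MaxTimeoutms = 60000
    Client
        AllowUnencrypted = true
        Auth
            Basic = true
        TrustedHosts = *
    Service
        AllowUnencrypted = false
        Auth
            Basic = false
        CertificateThumbprint
        AllowRemoteAccess = true
"""

# Values that weaken WinRM; worth reverting before the AMI is captured.
WEAK = {"Service/AllowUnencrypted": "true", "Service/Auth/Basic": "true",
        "Client/AllowUnencrypted": "true", "Client/Auth/Basic": "true",
        "Client/TrustedHosts": "*"}

def parse_winrm_config(text):
    """Flatten the indented dump into {'Service/Auth/Basic': 'false', ...}."""
    settings, stack = {}, []              # stack: (indent, section name)
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()                   # left the previous section
        name, sep, value = (p.strip() for p in line.partition("="))
        parents = [s for _, s in stack if s != "Config"]
        if sep:
            settings["/".join(parents + [name])] = value
        else:                             # section header or valueless key
            stack.append((indent, name))
    return settings

def userdata_applied(settings):
    """True only if both Service-side values the userdata sets are in effect."""
    return all(settings.get(k, "").lower() == "true"
               for k in ("Service/AllowUnencrypted", "Service/Auth/Basic"))

def weak_settings(settings):
    return sorted(k for k, v in WEAK.items()
                  if settings.get(k, "").lower() == v)

if __name__ == "__main__":
    cfg = parse_winrm_config(SAMPLE)
    print("userdata applied:", userdata_applied(cfg))
    print("weak settings:", weak_settings(cfg))
```

Run against output taken from the build instance, `userdata_applied` answers whether the bootstrap script ran to completion; run against the workstation, it only describes the client side.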