Trying to get Packer provisioners type Ansible to work with Windows Server 2019 WinRm


i255d

Sep 28, 2020, 11:57:24 AM
to Packer
{
  "variables": {
    "region": "{{env `region`}}",
    "environment": "{{env `env`}}",
    "lob": "{{env `lob`}}",
    "vpc_id": "{{env `vpc_id`}}",
    "subnet_id": "{{env `subnet_id`}}",
    "account": "{{env `account`}}",
    "role": "{{env `iam_instance_profile`}}",
    "kms_key": "{{env `kms_key_id`}}"
  },
  "builders": [
    {
      "type": "amazon-ebs",
      "region": "{{user `region`}}",
      "vpc_id": "{{user `vpc_id`}}",
      "subnet_id": "{{user `subnet_id`}}",
      "instance_type": "t2.medium",
      "source_ami_filter": {
        "filters": {
          "virtualization-type": "hvm",
          "name": "Windows_Server-2019-English-Full-Base-*",
          "root-device-type": "ebs"
        },
        "most_recent": true,
        "owners": "amazon"
      },
      "ami_name": "test-ansible-packer",
      "user_data_file": "scripts/user_data.txt",
      "communicator": "winrm",
      "force_deregister": true,
      "winrm_insecure": true,
      "winrm_username": "Administrator",
      "winrm_use_ssl": true,
      "iam_instance_profile": "{{user `role`}}",
      "skip_profile_validation" : true
    }
  ],
  "provisioners": [
    {
      "type": "ansible",
      "playbook_file": "./playbook.yml",
      "user": "Administrator",
      "use_proxy": false,
      "extra_arguments": ["-e", "ansible_winrm_server_cert_validation=ignore"]
    }
  ]
}
Here is my win2019.json file.


i255d

Sep 28, 2020, 2:12:06 PM
to Packer

<powershell>
# Set administrator password
net user Administrator SOMETHINGGOOD
wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE

# First, make sure WinRM can't be connected to
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=block

# Delete any existing WinRM listeners
winrm delete winrm/config/listener?Address=*+Transport=HTTP  2>$Null
winrm delete winrm/config/listener?Address=*+Transport=HTTPS 2>$Null

# Create a new WinRM listener and configure
winrm create winrm/config/listener?Address=*+Transport=HTTP
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="0"}'
winrm set winrm/config '@{MaxTimeoutms="7200000"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service '@{MaxConcurrentOperationsPerUser="12000"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Certificate="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Certificate="true"}'

# Configure UAC to allow privilege elevation in remote shells
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Setting = 'LocalAccountTokenFilterPolicy'
Set-ItemProperty -Path $Key -Name $Setting -Value 1 -Force

# Configure and restart the WinRM Service; Enable the required firewall exception
Stop-Service -Name WinRM
Set-Service -Name WinRM -StartupType Automatic
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new action=allow localip=any remoteip=any
Start-Service -Name WinRM
</powershell>

Here is my user_data.txt file from the line "user_data_file": "scripts/user_data.txt".

As you can see, I want to be able to use a predetermined password.  


==> amazon-ebs: Force Deregister flag found, skipping prevalidating AMI Name
    amazon-ebs: Found Image ID: ami-0eb7fbcc77e5e6ec6
==> amazon-ebs: Creating temporary keypair: packer_5f720690-c3aa-4a5b-103b-b244e5cfaf67
==> amazon-ebs: Creating temporary security group for this instance: packer_5f720692-6518-386c-fcfb-64088f3bdde8
==> amazon-ebs: Authorizing access to port 5986 from [0.0.0.0/0] in the temporary security groups...
==> amazon-ebs: Launching a source AWS instance...
==> amazon-ebs: Adding tags to source instance
    amazon-ebs: Adding tag: "Name": "Packer Builder"
    amazon-ebs: Instance ID: i-076f324e8ca7a0f28
==> amazon-ebs: Waiting for instance (i-076f324e8ca7a0f28) to become ready...
==> amazon-ebs: Waiting for auto-generated password for instance...
    amazon-ebs: It is normal for this process to take up to 15 minutes,
    amazon-ebs: but it usually takes around 5. Please wait.
==> amazon-ebs: Error waiting for password: retry count exhausted. Last err: Error retrieving auto-generated instance password: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message:

i255d

Sep 28, 2020, 2:45:08 PM
to Packer

I seem to have made it past the above problem by adding winrm_password to the build.

This is back to where I have been stuck all along now, waiting for winrm???

==> amazon-ebs: Force Deregister flag found, skipping prevalidating AMI Name
    amazon-ebs: Found Image ID: ami-0eb7fbcc77e5e6ec6
==> amazon-ebs: Creating temporary keypair: packer_5f722e4c-5acb-dd97-e2bc-3d2748cc83df
==> amazon-ebs: Creating temporary security group for this instance: packer_5f722e4e-875f-3fe7-a2f0-104cb20e0fbf
==> amazon-ebs: Authorizing access to port 5986 from [0.0.0.0/0] in the temporary security groups...
==> amazon-ebs: Launching a source AWS instance...
==> amazon-ebs: Adding tags to source instance
    amazon-ebs: Adding tag: "Name": "Packer Builder"
    amazon-ebs: Instance ID: i-07fd947bd9857679f
==> amazon-ebs: Waiting for instance (i-07fd947bd9857679f) to become ready...
==> amazon-ebs: Skipping waiting for password since WinRM password set...
==> amazon-ebs: Using winrm communicator to connect: 10.184.21.17
==> amazon-ebs: Waiting for WinRM to become available...
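
The template above sets winrm_use_ssl and Packer opens port 5986, while the user data posted in this thread creates only an HTTP listener with AllowUnencrypted and Basic auth. A user data script that sets up an HTTPS listener instead, as an added example that is not from the thread and covers only the listener and transport settings (the certificate label "packer" and the firewall rule name are assumptions; SOMETHINGGOOD is the thread's placeholder):

```powershell
<powershell>
# Added example: HTTPS-only WinRM listener on 5986 for a Packer build.
# SOMETHINGGOOD is the placeholder used in the thread, not a real value.
net user Administrator SOMETHINGGOOD
wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE

# Remove every existing listener (HTTP on 5985 included) so nothing
# answers in cleartext once the service comes back up.
Remove-Item -Path WSMan:\localhost\Listener\Listener* -Recurse -ErrorAction SilentlyContinue

# Self-signed certificate for the listener. The DNS name "packer" is an
# arbitrary label (assumption); the client side skips validation anyway.
$Cert = New-SelfSignedCertificate -DnsName 'packer' -CertStoreLocation Cert:\LocalMachine\My

# HTTPS listener bound to that certificate (default port 5986).
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force

# Same tuning as the thread's script, but cleartext stays off.
# Basic auth remains enabled because Ansible is run with
# ansible_winrm_transport=basic; it now only travels inside TLS.
winrm set winrm/config '@{MaxTimeoutms="7200000"}'
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="0"}'
winrm set winrm/config/service '@{AllowUnencrypted="false"}'
winrm set winrm/config/service/auth '@{Basic="true"}'

# Allow inbound 5986 only; no rule is opened for 5985.
# The rule name is made up for this example.
New-NetFirewallRule -DisplayName 'WinRM HTTPS (packer build)' -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow

# Make the service start automatically and pick up the new listener.
Set-Service -Name WinRM -StartupType Automatic
Restart-Service -Name WinRM
</powershell>
```

Packer's winrm_insecure and the ansible_winrm_server_cert_validation=ignore argument already in the template are what let the self-signed certificate through. The amazon-ebs builder's temporary_security_group_source_cidrs option can narrow the 0.0.0.0/0 rule seen in the log to the build host's address range.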

i255d

Sep 28, 2020, 3:35:58 PM
to Packer
I feel like we are so close.  I think this has to do with SSL???


==> amazon-ebs: Provisioning with Ansible...
    amazon-ebs: Not using Proxy adapter for Ansible run:
    amazon-ebs:     Using WinRM Password from Packer communicator...
==> amazon-ebs: Executing Ansible: ansible-playbook -e packer_build_name="amazon-ebs" -e packer_builder_type=amazon-ebs -e ansible_winrm_server_cert_validation=ignore ansible_password=***** ansible_connection=winrm ansible_winrm_transport=basic -e ansible_password=***** -i /tmp/packer-provisioner-ansible765667905 /codebuild/output/src538734588/src/git.nylcloud.com/Cloud-Team/packer-aws-nyl-win2016/playbook.yml
    amazon-ebs:
    amazon-ebs: PLAY [all] *********************************************************************
    amazon-ebs:
    amazon-ebs: TASK [Gathering Facts] *********************************************************
    amazon-ebs: [WARNING]: ERROR DURING WINRM SEND INPUT - attempting to recover: WinRMError
    amazon-ebs: The pipe is being closed.  (extended fault data: {'transport_message': 'Bad
    amazon-ebs: HTTP response returned from server. Code 500', 'http_status_code': 500,
    amazon-ebs: 'wsmanfault_code': '232', 'fault_code': 's:Receiver', 'fault_subcode':
    amazon-ebs: 'w:InternalError'})
    amazon-ebs: fatal: [default]: FAILED! => {"msg": "winrm send_input failed; \nstdout: \nstderr C\u0000a\u0000n\u0000n\u0000o\u0000t\u0000 \u0000s\u0000t\u0000a\u0000r\u0000t\u0000 \u0000W\u0000i\u0000n\u0000d\u0000o\u0000w\u0000s\u0000 \u0000P\u0000o\u0000w\u0000e\u0000r\u0000S\u0000h\u0000e\u0000l\u0000l\u0000 \u0000v\u0000e\u0000r\u0000s\u0000i\u0000o\u0000n\u0000 \u00006\u0000.\u00002\u0000.\u00006\u0000 \u0000b\u0000e\u0000c\u0000a\u0000u\u0000s\u0000e\u0000 \u0000i\u0000t\u0000 \u0000i\u0000s\u0000 \u0000n\u0000o\u0000t\u0000 \u0000i\u0000n\u0000s\u0000t\u0000a\u0000l\u0000l\u0000e\u0000d\u0000.\u0000\r\u0000\n\u0000"}
    amazon-ebs:
    amazon-ebs: PLAY RECAP *********************************************************************
    amazon-ebs: default                    : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

i255d

Sep 30, 2020, 2:27:09 PM
to Packer
I wonder if I can install PowerShell Core on the servers before I try and do this, and if that would help.
Does Packer support PWSH for PowerShell Core?

Also on my build spec I am going to try 
export POWERSHELL_VERSION=None to my build spec file, or
aws configure set POWERSHELL_VERSION None
if that doesn’t work.


I have a $PSVersionTable in the PowerShell provisioner that shows it is PowerShell version 5.1, when I switch the OS from 2019 to 2016, and when the Ansible part runs it says this:
    amazon-ebs: <10.184.21.18> WINRM EXEC 'PowerShell' ['-Version', '6.2.6', '-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 
I am pretty sure the version 6.2.6 is the issue.

Here is someone who worked around this issue on reddit: 


captnron76
1 year ago
Hiyas...
for posterity in case anyone else comes across this thread:
The problem seems to be that CodeBuild sets an environment variable POWERSHELL_VERSION (amongst several other *_VERSION variables), in my case it was 6.1.3.
Ansible's powershell.py unfortunately uses the same environment variable to enable PowerShell executed over WinRM with a specific version of PowerShell.
The fix for me at least was to unset POWERSHELL_VERSION before invoking packer, although doing that as a CodeBuild step didn't seem to work (I didn't spend long on it). Our call to packer is wrapped in a shell script anyway, so I did it there with success.
HTH,

I think the powershell.py above is this script below.

Here is the part that shows where the POWERSHELL_VERSION is passed by code build to ansible.  

_common_args = ['PowerShell', '-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted']

# Primarily for testing, allow explicitly specifying PowerShell version via
# an environment variable.
_powershell_version = os.environ.get('POWERSHELL_VERSION', None)
if _powershell_version:
    _common_args = ['PowerShell', '-Version', _powershell_version] + _common_args[1:]

i255d

Sep 30, 2020, 2:56:56 PM
to Packer
Adding this line before the packer build line works:

      - export POWERSHELL_VERSION=""
      - ./packer build win2019.json