Windows Server 2016 task questions

[Lee Turchin]

Hi,

I have installed Razor Server on a CentOS 7 platform and have followed the GitHub instructions to run the installation for Windows Server.  In my case, I am testing the installation of Windows 2016 Server on a SAN. I have gotten to the point where my installation successfully loads the microkernel, reboots my blade, and then unpacks the ps1 created boot.wim file, attaches to a share, runs the Windows 2016 setup and copies the files to the appropriate SAN disk.

However, after the reboot, stage 2 never happens.  There is the continual loop that unpacks the boot.wim on the next go around. I am using the Windows 2016 task and have the correct path selected for tasks.

In the razor documentation, https://github.com/puppetlabs/razor-server/wiki/Writing-Tasks, there is a statement that says:

Each boot (except for the default boot) must culminate in something akin to curl <%= stage_done_url %> before the node reboots. Omitting this will cause the node to reboot into the same boot template over and over again.

My questions are:  

1. where should the line 'curl <%= stage_done_url %' go?  I need to let razor know that stage 1 is completed.

2. what edits do I make to the unattended.xml ?

3. why does Windows 2016.task show that it is related to the Windows 2008 pro engine, when it should be related to the Windows 2010 engine? as in the following output from the command 'razor tasks windows/2016 base'

[root@Lee-Centos7 etc]# razor tasks windows/2016 base

From http://localhost:8150/api/collections/tasks/windows:

         name: windows

  description: Microsoft Windows Generic Installer

           os:

                 version: 8-pro

     boot_seq:

                       1: boot_wim

                 default: boot_local

4. is there an edit that I can apply to the boot order, for example, in  'second-stage.ps1.erb', a file housed in the /opt/puppetlabs/server/apps/razor-server/share/razor-server/tasks/windows/8pro.task directory, that can move the process forward?

5. would an upgrade of 'wimboot' be of any help and does this file need to be in the Windows/2016 task folder? 

6. are there any Windows 2016 Server example tasks that I might model my own after?  for now, it appears that the jump to stage 2 in the windows server setup is vital to the success of our project.

Thank you,

Lee

[Scott McClellan]

Hi Lee,

First a clarification about the `stage_done_url` and how that relates to Windows tasks. The second stage of the Windows tasks is not an actual reboot, but a second stage of the same boot. The client will fetch the second-stage.ps1 file and run it without rebooting. Here are a few lines as reference:

- https://github.com/puppetlabs/razor-server/blob/master/build-winpe/razor-client.ps1#L61-L66 - The code that fetches the rendered second-stage.ps1.erb file.

- https://github.com/puppetlabs/razor-server/blob/master/tasks/windows/2016.task/metadata.yaml#L7-L8 - The boot sequence for the windows/2016 task, which has one install step and an indefinite local boot step.

With that said, could there be an error that's causing it not to advance? What's the last thing that happens before the reboot?

I'm happy to answer the rest of your questions here, but this is where I'd start.

Scott

--
You received this message because you are subscribed to the Google Groups "puppet-razor" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-razor...@googlegroups.com.
To post to this group, send email to puppet...@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-razor.
For more options, visit https://groups.google.com/d/optout.

[Lee Turchin]

Hi Scott,

Last message after copying files is "Windows Needs to Restart to Continue", seen from the console to view my blade progress in a Windows setup screen.

If there is an error message, it's not readily available. I should have some Windows logs to sift through, but this does seem like a razor issue where the instruction to boot locally is absent.  Why?  Because I can force a local boot by interrupting the repeat razor boot.wim loop, and Windows will then load.

Does razor leave a trai/log for this type of activity?

The reboot in Windows is normal, AFIK.

I am using a noop.broker, btw and have not added anything to that directory.  Someone in my group suggested that a hook may be needed to promote the installation.

I am expecting razor to boot locally to SAN and it does not. It appears that Windows does complete a normal installation. 

Can you shed some light on this?

Thank you,

Lee

[Scott McClellan]

Hi Lee,

For reproduction, I just completed installation of Windows Server 2016 using an evaluation ISO. I did not see the "Windows Needs to Restart To Continue" message, but I did see "After you restart the computer, setup will complete automatically." followed by a progress bar, followed by exiting to the previous shell script where it continues. I did also notice that when the installer gets called, the /noreboot argument is passed in. That is so Razor's script can maintain control and notify Razor server that the install completed. In other words, it is essential that setup.exe does not reboot the machine. Here is where this happens:

https://github.com/puppetlabs/razor-server/blob/master/tasks/windows.task/second-stage.ps1.erb#L36-L39

I suspect that our ISOs may be different: perhaps your version is not respecting the /noreboot flag. If you are interested, I see two different approaches for debugging to find what may be different in your environment:

1) We can try installing 2016 in your environment via the evaluation ISO. This ISO includes a product key by default, so you will need to override the unattended.xml.erb file to remove its <ProductKey> entry entirely. If this finishes the install and reboots normally, we have a difference in ISOs. If it does not, it could be caused by some hardware difference (I used VirtualBox), a code difference (e.g. differing task code), or something else.

2) To debug deeper into your ISO, we can update your local copy of the second-stage.ps1.erb file to pass more arguments into the installer. Here is a resource which lists some potential arguments: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options. 

Hope this gets us started finding what's going on here. Let me know if you'd like to explore these options.

Scott

[Lee Turchin]

Hi Scott,

Your input is very much appreciated.  I will test some of those options, starting with utilizing a different ISO in my repo area.

I will be sharing this information with my team and will provide you with updates as soon as possible.

Thanks again,

Lee

[Lee Turchin]

Hi Scott,

I did find several mistakes in my setup and tried to correct and change them.  This time, I did use the eval version but I don't think that was the issue.

For one thing, I was relying on a setup.exe from a share that I manually created, instead of the Samba share.  I removed the command to start setup.exe in that fashion.  So that explains why razor did not work in that configuration.

But even after making changes to my setup I seem to be stuck.

My samba share has been there all along.  For some reason the setup.exe on the samba share (repo) currently does not get called.

I thought that the razor config finds the repo store directory and then runs setup.exe  and I am wondering if I have missed something.  My repo and policy are intact.  I reinstalled the node prior to this iteration.

I have attached several log files that were created by windows during setup.  I am left at the X:\Windows\System32 screen after the boot.wim loads

I have also attached a copy of smb.conf to get your comments on its validity or need for editing.

Shouldn't the setup.exe execute via samba even if no edits are made to the unattended.xml file?

And, lastly, does wpeinit need to execute a ps file during it's boot up via boot.wim?  

Thank you,

Lee

[Lee Turchin]

Hi Scott,

We are deploying to blades and so the following lines are placed in the startnet.cmd file to help connect to the network.  This info will help some of us coming later to this site:

@echo off

echo starting wpeinit to detect and boot network hardware

    wpeinit

    netsh interface ipv4 set address "Onboard LAN 0-0 Func 0" static xxx.xx.xx.xxx 255.255.255.x  xxx.xx.x.1   [Identify your onboard LANs, put their names in quotes, and create a static route]

    ping 127.0.0.1 -n 16 -w 1000>null                [Since it takes some time for the network to activate, this line creates a small delay]

    net use r: \\x.x.x.x\razor

echo starting the razor client

    powershell -executionpolicy bypass -noninteractive -file %SYSTEMDRIVE%\razor-client.ps1

    echo dropping to a command shell now...

Since I did not hear back from you, I reviewed my setup and found that the 'build-winpe' files were corrupted.  I fixed that and now see some actual razor interaction with my Windows repo, although I still get errors.

Screenshots are attached.  Let me know your thoughts if you have a second.

Thank you,

Lee

[Scott McClellan]

Hi Lee,

That's great that you are now at the part where the client is trying to connect to the Samba share. One first question, is Razor server called "Lee-Centos7"? The client must be able to ping the Razor server at that address.

The error you're seeing is from this line in second-stage.ps1.erb:

```

  new-psdrive -name 'i' -psprovider filesystem -root "$($drive_path)" -persist -credential $cred

```

If you want this to use an IP rather than `hostname`, I would override the second-stage.ps1.erb file with an edited version of this line:

```

  $server = '<%= `hostname`.strip %>'

```

Here's a troubleshooting script I recommend trying on the Razor Server to verify your SMB setup:

```

  sudo yum install -y samba-client
  smbclient \\\\localhost\\razor -U guest -N -c ls

```

Once you see `win2016-razor` in the output from the above, the connection should be good to go.

Side question, is this for PE Razor? If so, ensure the `enable_windows_smb` argument is enabled.

Hope that gets you started, let me know if you need anything else.

Scott

[Lee Turchin]

Hi Scott, 

I was wondering if the hardcode razor IP address instructions on GitHub were in question..  I will try your suggestion.  

Thanks.  Lee

[Lee Turchin]

Yes the Razor server is Lee-Centos7.  I was not able to ping it by name from the WinPE command prompt.

I do have a question on the edit.

In the following string:   $server = '<%= `hostname`.strip %> Do I subtitute 'ip_addr' for 'hostname' ?  

Do I leave or omit: '.strip'

[Scott McClellan]

Response in-line.

On Wed, Feb 27, 2019 at 10:40 AM Lee Turchin <ltur...@gmail.com> wrote:

Yes the Razor server is Lee-Centos7.  I was not able to ping it by name from the WinPE command prompt.

I do have a question on the edit.

In the following string:   $server = '<%= `hostname`.strip %> Do I subtitute 'ip_addr' for 'hostname' ?  

Do I leave or omit: '.strip'

Whatever goes inside the backticks (``) will be run on the Razor server. `hostname` is a command that returns hostname, so you'll want a command that returns the IP. The `#strip` function will remove whitespace from both sides of the result.

I'll note I suggest, rather than editing in-line, copying the file somewhere else on the `task_path` config (e.g. /etc/puppetlabs/razor-server/tasks) and editing that copy, leaving the original intact. If the original (in /opt) is intact, upgrades to that file will happen automatically.

[Lee Turchin]

Hi Scott,

Ok.  I managed to connect to the samba share and possibly the razor repo.  My concern is that the files were never written to the SAN and that Samba and/or Razor did not find the actual setup.exe file in the repo subdirectory

 /opt/puppetlabs/server/data/razor-server/repo/win2016-razor  -  Do I need to explicitly call out this directory in /etc/puppetlabs/razor-server/config.yaml ?

Also, prior to seeing the ggggggggggggggg's going across the screen, which appeared to be an attempt at download the setup files, I got the following error message:

1. How to correct the exception listed in the screen?

2. Point my repo to the actual directory that contains the 'setup.exe' ?

Thanks,

Lee

[Scott McClellan]

Response in-line.

Scott

On Thu, Feb 28, 2019 at 8:56 AM Lee Turchin <ltur...@gmail.com> wrote:

Hi Scott,

Ok.  I managed to connect to the samba share and possibly the razor repo.  My concern is that the files were never written to the SAN and that Samba and/or Razor did not find the actual setup.exe file in the repo subdirectory

 /opt/puppetlabs/server/data/razor-server/repo/win2016-razor  -  Do I need to explicitly call out this directory in /etc/puppetlabs/razor-server/config.yaml ?

Also, prior to seeing the ggggggggggggggg's going across the screen, which appeared to be an attempt at download the setup files, I got the following error message:

1. How to correct the exception listed in the screen?

Try visiting /svc/file/7/second-stage.ps1 in a browser to view the returned file directly. If it's returning an error, there may be a problem with the template. I'd also look at the logs for Razor server, e.g. /var/log/puppetlabs/razor-server/server.log or /var/log/razor-server/server.log.

2. Point my repo to the actual directory that contains the 'setup.exe' ?

This shouldn't be necessary.

[Lee Turchin]

Hello Scott:

Now getting Exception calling 'DownloadString" with "1" argument(s) - screen shot attached.  Points to second-stage.ps1 line 66

(new-object System.Net.WebClient).DownloadString($url) | invoke-expression

Not seeing the gggggggggggggg's crossing screen.

Are we getting warm?   :)   Thanks, Lee

[Lee Turchin]

correction:  points to razor-client.ps1:66 hcar:1

[Scott McClellan]

Hi Lee,

That looks like the same error. On the Razor server, can you try `curl http://172.17.11.119/svc/file/7/second-stage.ps1`? I suspect it will return an error. Then also on the Razor server, look at Razor's server log (/var/log/puppetlabs/razor-server/server.log) to see if there's an error message.

Scott

[Lee Turchin]

Hi Scott,

I do get an error when I run the  curl http://172.17.11.119/svc/file/7/second-stage.ps1` 

But if I run curl http://172.17.11.119:8150/svc/file/7/second-stage.ps1I see the file output from second-stage.ps1   - using the port number 8150

The error that continues to come up is in the screenshot.  

The psdrive error continues as does the samba share issue.

I will re visit the server.log on Monday.

Thank you,

Lee

[Scott McClellan]

The first error is a different one. This error is likely from the `-credential` being passed to the SMB share. Try removing this in second-stage.ps1.erb:

$pass = "password" | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('user', $pass)

new-psdrive -name 'i' -psprovider filesystem -root "$($drive_path)" -persist -credential $cred

and replacing with:

new-psdrive -name 'i' -psprovider filesystem -root "$($drive_path)" -persist

[Lee Turchin]

Hi Scott,

Ok.  Will do that.  BTW.  Our servers will be down for several days due to maintenance issues and there may be a short lapse in communication.

Thank you for your quick response.

Lee

[Lee Turchin]

Scott,

Very good news.  That change worked and I see that razor accessed the repo and started the setup.exe on our samba share.

My next step will be to configure the unattended.xml.erb for our SAN.

If you have any tips regarding the xml configuration or any information that is specific to razor, please share that with me.

Another question: after setup completes and copies the files to the SAN drives, and then reboots, will the razor pxe boot be automatically passed by/ignored?  Will I see any razor messages during the phase of setup?

Thanks very much,

Lee

Response in-line.

Scott

Thanks,

Lee

Response in-line.

To unsubscribe from this group and stop receiving emails from it, send an email to puppet-razor+unsubscribe@googlegroups.com.

To post to this group, send email to puppet...@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-razor.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "puppet-razor" group.

To unsubscribe from this group and stop receiving emails from it, send an email to puppet-razor+unsubscribe@googlegroups.com.

To post to this group, send email to puppet...@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-razor.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "puppet-razor" group.

To unsubscribe from this group and stop receiving emails from it, send an email to puppet-razor+unsubscribe@googlegroups.com.

To post to this group, send email to puppet...@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-razor.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "puppet-razor" group.

To unsubscribe from this group and stop receiving emails from it, send an email to puppet-razor+unsubscribe@googlegroups.com.

To post to this group, send email to puppet...@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-razor.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "puppet-razor" group.

To unsubscribe from this group and stop receiving emails from it, send an email to puppet-razor+unsubscribe@googlegroups.com.

To post to this group, send email to puppet...@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-razor.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "puppet-razor" group.

To unsubscribe from this group and stop receiving emails from it, send an email to puppet-razor+unsubscribe@googlegroups.com.

To post to this group, send email to puppet...@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-razor.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "puppet-razor" group.

To unsubscribe from this group and stop receiving emails from it, send an email to puppet-razor+unsubscribe@googlegroups.com.

To post to this group, send email to puppet...@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-razor.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "puppet-razor" group.

To unsubscribe from this group and stop receiving emails from it, send an email to puppet-razor+unsubscribe@googlegroups.com.

[Scott McClellan]

On Fri, Mar 8, 2019 at 5:55 PM Lee Turchin <ltur...@gmail.com> wrote:

Scott,

Very good news.  That change worked and I see that razor accessed the repo and started the setup.exe on our samba share.

My next step will be to configure the unattended.xml.erb for our SAN.

If you have any tips regarding the xml configuration or any information that is specific to razor, please share that with me.

I just recommend using metadata and defaults where it makes sense, especially if that can avoid duplication. For example:

<%= node.metadata['some-value'] || 'some-default' %>

So if the metadata is present, it will be used, otherwise you have a fall-back. This applies beyond just xml files.

Another question: after setup completes and copies the files to the SAN drives, and then reboots, will the razor pxe boot be automatically passed by/ignored?  Will I see any razor messages during the phase of setup?

Nodes should still PXE boot through Razor every time they start up. If a node is recognized as already having an operating system installed, it will simply boot locally, skipping the microkernel stage. Keeping Razor in the boot workflow ensures that e.g. the `reinstall-node` command works as expected.

[Lee Turchin]

Hi Scott,

I don't think the defaults will work because currently, they do not.  It appears that the unattended.xml.erb partitions the drives using a 350MB system/hidden drive.  I don't think that works with Windows 2016 and SAN.  I usually have to use the diskpart utility in the Window Pre Install Environment and need to do a select disk 0, clean, create partition primary, active, list vol,  sel vol [#] assign letter=C, format fs=ntfs quick, and exit. 

The current unattended.xml.erb seems to use some Windows 8 partitioning scheme as a default.  Can you comment on that?

Can you point to the git hub link for the unattended.xml.erb file you generally utilize?

Lee

[Lee Turchin]

Hi Scott:

You really do need to adjust the GitHub document to show that Windows Server 2016 does not use a Primary 350MB partition and that the unattended.install.erb file for the Windows 2016 Task needs to edited to take that instruction out. 

Windows Server 2016 creates 1 primary, active partition.  Otherwise the files are not copied and installation fails.

Please respond.

-Lee

On Wednesday, February 20, 2019 at 1:53:37 PM UTC-8, Lee Turchin wrote:

[Lee Turchin]

HI All -

Successfully completed the installation and automation of Windows Server 2016 DataCenter Desktop Experience.  Needed to utilize a customized unattended.xml.erb and a non-evaluation version of Windows Server 2016.  

I must thank Scott McClellan for leading me in the right direction, often, when I faced some serious blocks and seeming dead ends.

Good luck to all.  

Questions and answers are welcomed.

Regards,

Lee

On Wednesday, February 20, 2019 at 1:53:37 PM UTC-8, Lee Turchin wrote:

[Andrew Philp]

Awesome stuff Lee, have been watching this topic and agree Scott is almost valuable resource for this project.

Many Thanks

Andrew Philp

T: +447482853508

http://uk.linkedin.com/in/andrewphilp

http://twitter.com/PHIAN01

[Scott McClellan]

On Thu, Mar 14, 2019 at 2:01 AM Andrew Philp <andrew...@gmail.com> wrote:

Awesome stuff Lee, have been watching this topic and agree Scott is almost valuable resource for this project.

Many Thanks

Andrew Philp

T: +447482853508

http://uk.linkedin.com/in/andrewphilp

http://twitter.com/PHIAN01

On 13 Mar 2019, at 17:01, Lee Turchin <ltur...@gmail.com> wrote:

HI All -

Successfully completed the installation and automation of Windows Server 2016 DataCenter Desktop Experience.  Needed to utilize a customized unattended.xml.erb and a non-evaluation version of Windows Server 2016.  

I must thank Scott McClellan for leading me in the right direction, often, when I faced some serious blocks and seeming dead ends.

Thanks Lee! I'm glad you were able to get it working. One final note, for posterity, is that there are two ways to install Windows Server using an evaluation version:

- Using a real ISO and the evaluation key. Our unattended.xml.erb includes the evaluation key, so should work out of the 'box' using this ISO.

- Using the Evaluation ISO (downloadable from Microsoft). This version ships with a valid product key, so you need to remove the "<ProductKey>" block from our unattended.xml.erb.

Since our unattended.xml.erb ships with the evaluation key, that means we can harness node metadata ("productkey") to sub in a real key for a deployment.

Scott

[Lee Turchin]

Thanks you for your comment. Getting kudos for completing this is fantastic for me, mid career.  Lots of little detours and blind alleys but I love the challenges.

I successfully automated from start to finish  with no intervention 5x today on a blade that is approaching EOL but is still supported.

Scott is a great resource in that he knows exactly how much information to impart and how much we need to figure out on our own.  Of course I always give people way too much credit for reading my mind. :)

Anyway, I can see that Razor is truly a great and valuable product.  I will be testing Windows Server 2019 very soon. 

I would love to hear from others re: where any blind spots have been filled in and exactly what they might be for those people who are new to this.

Thanks for your attention,

Lee