Packer, WinRM, AMIs - making it work

This has been a pretty frustrating task for me, so it felt like a good thing to write about.  Pretty much every source had one thing or another wrong, and I'd ended up just mashing it all into one big huge WinRM script glob.

I would preface this with 'it's a packer build, not concerned with security and encryption', which is not terribly security-conscious of me, but here we are.  One of the articles I found whilst googling had a basic SSL setup, but I opted to start with the Packer documentation after many many failures.

If you start with said documentation here (https://www.packer.io/intro/getting-started/build-image.html#a-windows-example) you will (possibly) discover that you are still blocked by 'waiting for winrm'.  So add this to your user-data WinRM setup portion:
set-item WSMan:\localhost\Client\AllowUnencrypted -Value True -Force
set-item WSMan:\localhost\Client\Auth\Basic -Value True -Force
set-item WSMan:\localhost\Client\TrustedHosts -Value * -Force
Enable-PSRemoting -force
(haven't extensively tested the above, but I strongly suspect it's the 3rd line that does it)

Yay, WinRM manages to connect!

But then you get to the end, and this happens:
Build 'amazon-ebs' errored: Error processing command: Error uploading ps script containing env vars: Couldn't determine whether destination was a folder or file: unknown error Post http://IP.AD.DR.ES:5985/wsman: read tcp MYAD.DR.ES:63667->IP.AD.DR.ES:5985: read: connection reset by peer
==> Some builds didn't complete successfully and had errors:
--> amazon-ebs: Error processing command: Error uploading ps script containing env vars: Couldn't determine whether destination was a folder or file: unknown error Post http://IP.AD.DR.ES:5985/wsman: read tcp MY.AD.DR.ES:63667->IP.AD.DR.ES:5985: read: connection reset by peer
Reading up on it, this is an error due to WinRM getting interrupted at the end of the build (because the build has, indeed, finished correctly).  This is extra irritating because installing all the garbage required by a build agent takes a good 40m.

Then, by a stroke of luck(?) our main build script (a powershell script provisioner) silently died, and let the rest of the process finish - and it finished successfully!  So it's definitely something in our build scripts breaking the process.  The following principles were applied:
  • If there is to be a system restart, let Packer handle it
  • Be heavy on the output so you can follow along
  • Don't rely on "it worked during debug"
So now that we have all this working, it'll become the method by which all our Windows servers can be provisioned, and enables putting everything behind ASGs.  Woop!

For some context, here is the process we are using (with additional output sent to Slack):
  1. User-data script sets up WinRM for Packer
    1. Have a gist: https://gist.github.com/christrotter/ff73e3793858fab7cf0d613fedf5e8a7
  2. Powershell script provisioner 
    1. Clones our AWS config repo which has a pile of powershell scripts
    2. Gets EC2 Tags - 'additionalBuildSteps' where we can define 'buildAgent'
    3. It executes the collection of scripts related to 'allServers' and 'additionalBuildSteps'
  3. Powershell 'windows-restart' provisioner
  4. Powershell script provisioner
    1. EC2 Launch sysprep scripts
For reference, this blog article was the best/most relevant/recent:  https://david-obrien.net/2016/12/packer-and-aws-windows-server-2016/

Comments

Post a Comment

Popular posts from this blog

Learning through failure - a keyboard creation journey

Image
tl;dr Built a custom keyboard cuz I have weirdo nerve pain issues.   Learned a lot cuz I failed a lot.   Maybe 'do it right the first time' is a bad frame of mind.   The keyboard ended up being kinda nifty.   It has lights, and a trackball, and QMK, and it helps my issues.   \o/ ( tl;dr is internet lingo that means, too long; didn't read ) Pain as a key ingredient An old proverb says, 'necessity is the mother of invention', and that is how this story begins. Over the last few years, age or stress or something has caught up with me and I developed the need to change my human-to-computer interface.  Mousing changed to trackballing.  The traditional keyboard was swapped out for an ergonomic, and then split keyboard.  Complicated multi-finger-and-hand key combinations were replaced by single keypress macros.  And yet more was still needed. It's often said that change only happens with pain - indeed, the organizations many of us work in seem to apply this as law - an
Read more

Learning Opportunities - Watching/listening list

Over the last year I've spent a lot of time learning (thank you, long commute & lunch hours).  Many topics ranging from Chef to DevOps to architecture concepts to management concepts and everything in between.  Why have I done this? DevOps Demystified with Ben Rockwood: https://www.youtube.com/watch?v=h5E--QSBVBY DevOps at ancestry.com: https://www.youtube.com/watch?v=pF5ya0q53kk Those two presentations were key in sending me down this road.  First, and most important, was Mr. Rockwood's explanation as to the real 'why', and the point behind DevOps from an operational perspective.  Second, and no less important but for a different reason, the continuous delivery system at ancestry.com really made it real to me because they are a 'Windows shop'.  So much of what I'd been reading about Chef/config mgmt. relied on amazing tools (see the error there?) only available to the Linux world.  Suddenly here's this guy telling me that it's possible on
Read more

DFSR - eventid 4312 - replication just won't work

This warning isn't documented that well on the googles, so here's some google fodder: You are trying to set up replication for a DFS folder (no existing replication) Source server is 2008R2, 'branch office' server is 2012R2 (I'm moving all our infra to 2012R2) You have no issues getting replication configured You see the DFSR folders get created on the other end, but nothing stages Finally you get EventID 4312: The DFS Replication service failed to get folder information when walking the file system on a journal wrap or loss recovery due to repeated sharing violations encountered on a folder. The service cannot replicate the folder and files in that folder until the sharing violation is resolved.    Additional Information:  Folder: F:\Users$\user.name\Desktop\Random Folder Name\  Replicated Folder Root: F:\Users$  File ID: {00000000-0000-0000-0000-000000000000}-v0  Replicated Folder Name: Users  Replicated Folder ID: 33F0449D-5E67-4DA1-99A
Read more