chef-boneyard / chef-provisioning-aws

AWS driver and resources for Chef that uses the AWS SDK
Apache License 2.0

Bootstrap windows machine with machine resource #472

Open kamalim opened 8 years ago

kamalim commented 8 years ago

We want to create windows instances in aws with machine resource. After the machine is created we want to retrieve the random password and then continue the chef run. But currently the chef run fails after 120 s saying connection time out.

Please help with the configuration on how to add that.

    machine "#{machine_name}#{i}-srv" do
      add_machine_options bootstrap_options: {
        block_device_mappings: [{
          device_name: device_name,
          ebs: {
            volume_size: 60,
            delete_on_termination: true,
          },
        }],
        instance_type: data_instance_type,
        security_group_ids: [data_srv_security_group_name],
        subnet_id: data_subnet_ids[i % data_subnet_ids.length],
        iam_instance_profile: {
          name: data_iam_role,
        },
      }
      files '/etc/chef/encrypted_data_bag_secret' => databag_secret
      chef_environment chef_environment
      run_list srv_runlist
    end

Where should I add the winrm related config?

mistroh commented 8 years ago

Hi, I'm having the same issue. I found the following settings, and tried to apply them to the machine_options portion of the recipe. However, I still can't get the timeout to extend past 120 seconds. I entered this as an issue as well - might be a bug.

    :machine_max_wait_time => 240,
    :image_max_wait_time => 600,
    :wait_for_admin_password => 300,

mistroh commented 8 years ago

I received some help on another thread for this, and found the solution. I was using chef-client in local mode to provision the instance. The settings above needed to be set in a client.rb file that the chef-client --local-mode -c "path to rb file" command is run from. Within that client.rb, I needed to set the following:

chef_provisioning({:image_max_wait_time => 600, :machine_max_wait_time => 240})

Maybe that will help you out as well.

kamalim commented 8 years ago

Hi Mike,

Thanks for the help. It worked in getting the knife bootstrap started, but now it is failing with the below error:

    -----> Installing Chef Omnibus (always install latest version)
           Downloading package from https://opscode-omnibus-packages.s3.amazonaws.com/windows/2012r2/i386/chef-client-12.8.1-1-x86.msi
           Download complete.
           Successfully verified C:\Users\ADMINI~1\AppData\Local\Temp\chef-latest.msi
           Installing Chef Omnibus package C:\Users\ADMINI~1\AppData\Local\Temp\chef-latest.msi
    [ppv-qa-tenant2-data01-srv] msiexec was not successful. Received exit code At C:\chef\install.ps1:55 char:28
        + CategoryInfo          : OperationStopped: (msiexec was not...ived exit code :String) [], RuntimeException
        + FullyQualifiedErrorId : msiexec was not successful. Received exit code

    ================================================================================
    Error executing action `converge` on resource 'machine[ppv-qa-tenant2-data01-srv]'
    ================================================================================

    RuntimeError
    ------------
    Error: command 'powershell.exe -ExecutionPolicy Unrestricted -NoProfile "& ""C:\chef\install.ps1"""' exited with code 1.

mwrock commented 8 years ago

this looks extremely similar to https://github.com/test-kitchen/kitchen-ec2/issues/241 are you provisioning 2008R2?

mistroh commented 8 years ago

I'm provisioning a Windows 2012 R2 instance. I was able to resolve the initial timeout issue, but now I'm either getting connection issues to the ec2 instance when Chef-Client tries to connect and run the initial recipe after provisioning. I get a connection attempt failed to the public IP of the instance and the winrm port. I have a user_data section in the recipe that is supposed to enable winrm, but it appears to not be getting executed. Also, if I manually enable winrm on the new instance and try and run the recipe again, I still can't connect and I get WinRMAuthorization errors.

rayjanoka commented 8 years ago

@mistroh would you take a look at my .kitchen.yml in test-kitchen/kitchen-ec2#241 to see if you have the settings correct? My .kitchen.yml works with default 2012 R2 AMI in AWS.

mwrock commented 8 years ago

WinRMAuthorization errors typically indicate that winrm is running and you are able to reach it but there could be

mistroh commented 8 years ago

Thank you for the help and the suggestions.
Username/password issue: In my Chef recipe, I'm using the same "administrator" username and password that I use to RDP into the machine. In the recipe, I set the following:

    is_windows: true, # false by default
    winrm_username: ".\Administrator",
    winrm_password: "########",

(also, I can run Test-WSMan to the ec2 instance and looks like I get back a valid response)

.\<username>: I tried setting this in the recipe, but it didn't seem to work.

WinRM settings: I believe I have these winrm settings correct on my ec2 instance. Below is the winrm config:

[screenshot: capture]

mwrock commented 8 years ago

try changing ".\Administrator" to ".\\Administrator"
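
Added example, not part of the comment above or of chef-provisioning-aws: how Ruby evaluates the username literals discussed in this thread, and a check for values whose backslash was lost or interpreted as an escape. The helper `check_winrm_username` and its rules are hypothetical, written for illustration.

```ruby
# Added example (not from the thread). Shows what string Ruby actually builds
# from each spelling of the local Administrator account.

DOUBLE_QUOTED  = ".\Administrator"   # "\A" is not an escape: the backslash is dropped
ESCAPED        = ".\\Administrator"  # "\\" yields one literal backslash
SINGLE_QUOTED  = '.\Administrator'   # single quotes keep the backslash
LOWERCASE_TRAP = ".\administrator"   # "\a" IS an escape: it becomes BEL (0x07)

# Hypothetical helper: classify a username string as Ruby evaluated it.
# Returns [:ok, domain, user] or [:suspect, reason].
def check_winrm_username(name)
  if name =~ /[\x00-\x1f\x7f]/
    return [:suspect, "control character present; an escape such as \\a, \\t or \\n was interpreted"]
  end
  if name.start_with?(".") && !name.start_with?(".\\")
    return [:suspect, "leading '.' without a backslash; the separator was lost"]
  end
  parts = name.split("\\", -1)
  case parts.length
  when 1 then [:ok, nil, parts[0]]              # bare account name
  when 2
    return [:suspect, "empty domain or user part"] if parts.any?(&:empty?)
    [:ok, parts[0], parts[1]]                   # DOMAIN\user or .\user
  else [:suspect, "more than one backslash separator"]
  end
end

if __FILE__ == $PROGRAM_NAME
  { "double-quoted" => DOUBLE_QUOTED, "escaped" => ESCAPED,
    "single-quoted" => SINGLE_QUOTED, "lowercase" => LOWERCASE_TRAP,
    "bare" => "Administrator" }.each do |label, value|
    puts format("%-14s %-22s %s", label, value.inspect, check_winrm_username(value).inspect)
  end
end
```

Running a check like this over credentials before they reach the connection layer separates a quoting mistake in the recipe from a genuine authorization failure on the node.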

mistroh commented 8 years ago

Thank you very much for the suggestion. I tried it, but I still get the WinRM Authorization error.

mwrock commented 8 years ago

So here are a couple things to try:

  1. You may have done this already. Try to connect to your node from another windows machine using psremoting:

         Set-Item WSMan:\localhost\Client\TrustedHosts <public ip>
         Enter-PSSession -Computername <public ip> -Credential '.\Administrator'

     If this works you know for sure winrm is correct and there is an issue on the ruby winrm side

  2. Use knife-windows knife winrm to see if it's an issue with ruby winrm or chef-provisioning:

         knife winrm -m <public ip> ipconfig -x '.\administrator' -P your_password

     Make sure you have the latest version of knife-windows.

mistroh commented 8 years ago

Thank you again for the response and the assistance.

  1. I was able to connect to the node from another Windows system using psremoting as you specified, so issue does appear to be on the ruby winrm side
  2. I also was able to use the knife winrm command to connect to the node and run ipconfig, so it does appear to be an issue with my chef-provisioning setup.

On both commands above, I needed to set the username to 'administrator' to get it to work (and not '.\administrator').

Would this indicate a problem with something in my provisioning recipe or something else?

Thanks.

mistroh commented 8 years ago

OK, I think the WinRM issue was with the recipe I was trying to add to the runlist for the new node I created with my provision recipe. If I run the provision recipe without a recipe listed in the machine block, then it appears to proceed to the "add public key" step, but then errors out with a "Socket Error getaddrinfo: the specified class was not found".

Thus, it fails on the "converge" action and doesn't install chef-client in order to run the desired recipes.

I assume I need to get chef-client installed on the newly created node, and then have that node point back to my Chef DK system in order to grab the recipes and apply them?

mistroh commented 8 years ago

OK, I finally got it figured out. Needed to point the recipe to a chef server instead of my workstation, and it now works start to end (connects to the instance through winrm, installs chef-client, applies the recipe, etc.). Thanks for all of the help!

mwrock commented 8 years ago

nice!!

rayterrill commented 8 years ago

It sounds like I'm running into a similar issue - timing out on the WinRM connection when trying to do a Chef-Provisioning run into AWS using Chef-Zero (chef-client -z). I was able to bump my timeout using the following, but that still didn't fix my issue.

chef_provisioning({:machine_max_wait_time => 300})

Also validated that I was able to connect to my instance with WinRM/Enter-PSSession from another machine, so WinRM/SecurityGroups, etc all appear to be fine.

So does this mean we can't use Chef-Zero to do Chef Provisioning - we need to go the full Chef Server route? I believe I did see something about WinRM not working over Chef Zero because of a port-forwarding issue, but I didn't grok that.

@kamalim Can you post your working recipe? I'd love to check it out.

mistroh commented 8 years ago

@rayterrill When I got this working, I needed to set both of the following values in my custom client.rb:

    chef_provisioning({:image_max_wait_time => 600, :machine_max_wait_time => 240})

Then, when using chef zero, I ran the following from my Chef DK machine:

    chef-client --local-mode -c .\_path to client ruby file_\client.rb -r "recipe[_windows provisioning cookbook name_::default]"

rayterrill commented 8 years ago

@mistroh Thanks! Any chance I can check out your client.rb and windows provisioning cookbooks with anything secret stripped out?? I'd love to see what others are doing/setting to get this working, and I'm having a heck of a time finding a decent Windows-based provisioning example.

r4hulgupta commented 8 years ago

@mistroh I am also trying to do similar stuff with AWS resource deployments and configuration and I am also stuck at the "Socket Error getaddrinfo: the specified class was not found" error. I am not putting any specific recipe in machine_options and running it from my work station in the same way as you described.

One thing I am not clear about is how to point it to chef server. Did you use "chef_server" under machine_options to point it to the chef server and still run the chef-client command from your workstation in local mode?

Also do you have any good link to learn the basic windows setup here. I am totally new to Chef and don't understand where to start. The Chef tutorials are using knife bootstrap to do initial chef client installation and checkin to chef server but I don't know how to do that during the deployment of machine itself.

Any help would be appreciated!

mistroh commented 8 years ago

Hello @r4hulgupta. To point to the chef server, I used the following at the top of my recipe:

with_chef_server '_url to chef server_', {
      :client_name => '_user for chef server_',
      :signing_key_filename => '_location of pem file to connect to Chef Server_'
}

As for Windows Chef tutorials, below is one that I found very useful starting out: https://learn.chef.io/manage-a-node/windows/

From there I've just searched and pulled pieces from various tutorials and forums.

Hope this helps!

mistroh commented 8 years ago

@rayterrill Sorry! I apologize for not replying to your request. Did you get a working example? If not, let me know and I'll see if I can get you an example that I've used.

r4hulgupta commented 8 years ago

@mistroh Thanks for the response. I instead used chef_server inside machine like this:

    chef_server(
      :chef_server_url => "https://chef_server_url",
      :client_name => Chef::Config[:node_name],
      :signing_key_filename => Chef::Config[:client_key]
    )

But I keep getting 401 UnAuthorized error whenever I run my recipe from workstation.