cloudbase / windows-imaging-tools

Tools to automate the creation of a Windows image for OpenStack, supporting KVM, Hyper-V, ESXi and more.
Apache License 2.0

[MAAS] How to retrieve Admin password of newly deployed in MAAS #280

Closed babebbu closed 4 years ago

babebbu commented 5 years ago

It seems SetPasswordPlugin doesn't POST the password to MAAS. And the MAAS server doesn't seem to have the "Retrieve Password" menu.

Then, how do I retrieve the password configured by SetPasswordPlugin?

Or are there any guides for building a retrieve password script?

ilenghel commented 5 years ago

Hello,

There are two ways to solve this:

  1. You can create a user and set a predefined password during the image generation process. You can later use that user to connect to the deployed Windows machine.

  2. You can add an x509 certificate to MaaS and use WinRM to send commands to that machine. To do so:

     Run the following command on your MaaS node (to generate a new x509 certificate):

         maas-generate-winrm-cert

     The public portion of the key will be printed to screen. Copy that key (including the "BEGIN CERTIFICATE" and "END CERTIFICATE" portion) and upload it to your MaaS node under user-->preferences-->SSL keys. (It should be in the same place you saved your SSH public key.)

     Deploy the Windows image again and after it gets installed and Cloudbase-Init finishes running, you should be able to run remote commands via WinRM. You can use the following script to execute commands via WinRM:

         https://raw.githubusercontent.com/cloudbase/pywinrm/master/wsmancmd.py

     Please note that you will need pywinrm for this to work:

         sudo pip install pywinrm

     If everything went well up to this point you can now use something like this:

         ./wsmancmd.py -H <IP_OF_WINDOWS_MACHINE> -s -a certificate -c $HOME/.ssl/winrm_client_cert.pem -k $HOME/.ssl/winrm_client_cert.key "net user Administrator supersecretp@ss"

Please note that you might need to use the "Admin" account created by Cloudbase-Init to run the commands.

babebbu commented 5 years ago

Hello,

I tried the 2nd method as you mentioned. After I re-deployed Windows and cloudbase-init finished running, I executed wsmancmd.py and got an SSL error (both Python 2 and Python 3).

python3 wsmancmd.py -H 192.168.122.6 -s -a certificate -c $HOME/.ssl/winrm_client_cert.pem -k $HOME/.ssl/winrm_client_cert.key "net user Administrator supersecretp@ss"

Traceback (most recent call last):
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 472, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1808, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1548, in _raise_ssl_error
    _raise_current_error()
  File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 603, in urlopen
    chunked=chunked)
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 344, in _make_request
    self._validate_conn(conn)
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 843, in _validate_conn
    conn.connect()
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connection.py", line 370, in connect
    ssl_context=context)
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 368, in ssl_wrap_socket
    return context.wrap_socket(sock)
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 478, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/babebbu/.local/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 641, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/util/retry.py", line 399, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='192.168.122.6', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "wsmancmd.py", line 172, in <module>
    main()
  File "wsmancmd.py", line 164, in main
    cert_key_pem, cmd)
  File "wsmancmd.py", line 121, in run_wsman_cmd
    shell_id = p.open_shell(codepage=CODEPAGE_UTF8)
  File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/protocol.py", line 157, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/protocol.py", line 234, in send_message
    resp = self.transport.send_message(message)
  File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/transport.py", line 256, in send_message
    response = self._send_message_request(prepared_request, message)
  File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/transport.py", line 261, in _send_message_request
    response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
  File "/home/babebbu/.local/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/home/babebbu/.local/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.122.6', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
babebbu commented 5 years ago

And I got a ConnectionTimeout error sometimes:

Traceback (most recent call last):
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connection.py", line 160, in _new_conn
    (self._dns_host, self.port), self.timeout, **extra_kw)
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/util/connection.py", line 80, in create_connection
    raise err
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/util/connection.py", line 70, in create_connection
    sock.connect(sa)
socket.timeout: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 603, in urlopen
    chunked=chunked)
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 344, in _make_request
    self._validate_conn(conn)
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 843, in _validate_conn
    conn.connect()
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connection.py", line 316, in connect
    conn = self._new_conn()
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connection.py", line 165, in _new_conn
    (self.host, self.timeout))
urllib3.exceptions.ConnectTimeoutError: (<urllib3.connection.VerifiedHTTPSConnection object at 0x7f5815b09668>, 'Connection to 192.168.122.6 timed out. (connect timeout=30)')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/babebbu/.local/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 641, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/util/retry.py", line 399, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='192.168.122.6', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.VerifiedHTTPSConnection object at 0x7f5815b09668>, 'Connection to 192.168.122.6 timed out. (connect timeout=30)'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "wsmancmd.py", line 172, in <module>
    main()
  File "wsmancmd.py", line 164, in main
    cert_key_pem, cmd)
  File "wsmancmd.py", line 121, in run_wsman_cmd
    shell_id = p.open_shell(codepage=CODEPAGE_UTF8)
  File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/protocol.py", line 157, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/protocol.py", line 234, in send_message
    resp = self.transport.send_message(message)
  File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/transport.py", line 256, in send_message
    response = self._send_message_request(prepared_request, message)
  File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/transport.py", line 261, in _send_message_request
    response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
  File "/home/babebbu/.local/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/home/babebbu/.local/lib/python3.6/site-packages/requests/adapters.py", line 504, in send
    raise ConnectTimeout(e, request=request)
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='192.168.122.6', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.VerifiedHTTPSConnection object at 0x7f5815b09668>, 'Connection to 192.168.122.6 timed out. (connect timeout=30)'))
babebbu commented 5 years ago

I've tried to use wsmancmd.py without the -s (ssl) arg. The following error occurs:

Traceback (most recent call last):
  File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/transport.py", line 262, in _send_message_request
    response.raise_for_status()
  File "/home/babebbu/.local/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error:  for url: http://192.168.122.6:5985/wsman

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "wsmancmd.py", line 172, in <module>
    main()
  File "wsmancmd.py", line 164, in main
    cert_key_pem, cmd)
  File "wsmancmd.py", line 121, in run_wsman_cmd
    shell_id = p.open_shell(codepage=CODEPAGE_UTF8)
  File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/protocol.py", line 157, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/protocol.py", line 234, in send_message
    resp = self.transport.send_message(message)
  File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/transport.py", line 256, in send_message
    response = self._send_message_request(prepared_request, message)
  File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/transport.py", line 266, in _send_message_request
    raise InvalidCredentialsError("the specified credentials were rejected by the server")
winrm.exceptions.InvalidCredentialsError: the specified credentials were rejected by the server
ilenghel commented 5 years ago

The issue seems to be with the certificate itself. Can you check that the certificate and the key can be found in $HOME/.ssl/ ? Also check that there are no missing characters in the public key pasted in MaaS. Also have you tried using Admin as user, instead of Administrator?
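
One way to carry out the check suggested above, that the certificate pasted into MaaS has no missing characters, is to decode both copies and compare them by fingerprint. This is an added example, not part of the original thread or of the Cloudbase tools; the function names and `SAMPLE` are hypothetical, and `SAMPLE` is a constructed stand-in rather than a real certificate.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(text):
    """Strictly decode the first PEM certificate block found in `text`."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("missing BEGIN/END CERTIFICATE marker")
    body = "".join(m.group(1).split())  # drop newlines, CRLF and indentation
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("base64 body damaged: %s" % exc)
    # A certificate is a single DER SEQUENCE. Assumption: it uses the 2-byte
    # length form (0x30 0x82), which holds for certificates of 256..65535 bytes.
    if len(der) < 4 or der[0] != 0x30 or der[1] != 0x82:
        raise ValueError("not a DER SEQUENCE with a 2-byte length")
    declared = int.from_bytes(der[2:4], "big") + 4
    if declared != len(der):
        raise ValueError("length mismatch: header says %d bytes, got %d"
                         % (declared, len(der)))
    return der

def compare_paste(local_pem, pasted_pem):
    """Compare the local client cert with the text copied back out of MaaS.

    Returns ("match", sha256), ("different", sha256) or ("damaged", reason).
    """
    local = hashlib.sha256(pem_to_der(local_pem)).hexdigest()
    try:
        pasted = hashlib.sha256(pem_to_der(pasted_pem)).hexdigest()
    except ValueError as exc:
        return ("damaged", str(exc))
    return ("match", local) if local == pasted else ("different", pasted)

def _constructed_pem(payload):
    # Constructed sample: DER-shaped bytes, NOT a real X.509 certificate.
    der = b"\x30\x82" + len(payload).to_bytes(2, "big") + payload
    b64 = base64.b64encode(der).decode()
    rows = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % rows

SAMPLE = _constructed_pem(bytes(range(256)) * 2)
```

Pass the contents of `$HOME/.ssl/winrm_client_cert.pem` as `local_pem` and the text copied back from the SSL keys page as `pasted_pem`; whitespace and line-ending differences do not affect the result.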

ilenghel commented 5 years ago

Hello,

Did you have any luck with the above?

babebbu commented 5 years ago

Hi,

I'm trying to run it again. Sorry, I was having an ad-hoc task.

babebbu commented 5 years ago

Hello,

I tried to reproduce it again and this time it throws SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED]

I tested with both Administrator and Admin

./wsmancmd.py -H 192.168.120.191 -s -a certificate -c $HOME/.ssl/winrm_client_cert.pem -k $HOME/.ssl/winrm_client_cert.key "net user Administrator supersecretp@ss"
Traceback (most recent call last):
  File "./wsmancmd.py", line 172, in <module>
    main()
  File "./wsmancmd.py", line 164, in main
    cert_key_pem, cmd)
  File "./wsmancmd.py", line 121, in run_wsman_cmd
    shell_id = p.open_shell(codepage=CODEPAGE_UTF8)
  File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 157, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 234, in send_message
    resp = self.transport.send_message(message)
  File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 256, in send_message
    response = self._send_message_request(prepared_request, message)
  File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 261, in _send_message_request
    response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.120.191', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)'),))
ilenghel commented 5 years ago

Hello, This is quite strange. I will try to reproduce this in our environment and see if I can get the same error. Will get back to you as soon as I can reproduce this and find a solution for it.

ader1990 commented 4 years ago

Hello @codesonteen,

Did you manage to get it working some other way? Or do you need further assistance on this issue?

Thank you, Adrian.

babebbu commented 4 years ago

The WinRM method doesn't seem to be working and I haven't figured it out yet. So, I worked around it by custom building a LocalScript to handle the password from user data, which is passed on to cloudbase-init.

ader1990 commented 4 years ago

Thank you for the information,

I suppose better documentation would help on this matter. Did you follow this tutorial: https://cloudbase.it/windows-without-passwords-in-openstack/ ?

ader1990 commented 4 years ago

@codesonteen it seems there is an issue with Py2.7 and Windows certificates. Can you try with an updated version of wsmancmd.py https://github.com/ader1990/winrm-scripts/commit/8df871b33f9fcf6bea8e6b0c87a264af1f68bfe7 ?

babebbu commented 4 years ago

@ader1990 Ok, I will try booting my dev environments up and test it.

ader1990 commented 4 years ago

Closing the issue, as there was no recent response / activity.