Closed babebbu closed 4 years ago
Hello,
There are two ways to solve this:
You can create a user and set a predefined password during the image generation process. You can later use that user to connect to the deployed Windows machine.
You can add an x509 certificate to MaaS and use WinRM to send commands to that machine. To do so:
Run the following command on your MaaS node (to generate a new x509 certificate):
maas-generate-winrm-cert
The public portion of the key will be printed to the screen. Copy that key (including the "BEGIN CERTIFICATE" and "END CERTIFICATE" portions) and upload it to your MaaS node under user --> preferences --> SSL keys (it should be in the same place you saved your SSH public key).
Deploy the Windows image again and after it gets installed and Cloudbase-Init finishes running, you should be able to run remote commands via WinRM.
You can use the following script to execute commands via WinRM: https://raw.githubusercontent.com/cloudbase/pywinrm/master/wsmancmd.py
Please note that you will need pywinrm for this to work:
sudo pip install pywinrm
If everything went well up to this point you can now use something like this:
./wsmancmd.py -H <IP_OF_WINDOWS_MACHINE> -s -a certificate -c $HOME/.ssl/winrm_client_cert.pem -k $HOME/.ssl/winrm_client_cert.key "net user Administrator supersecretp@ss"
Please note that you might need to use the "Admin" account created by Cloudbase-Init to run the commands.
Hello,
I tried the 2nd method as you mentioned.
After I re-deployed Windows and cloudbase-init finished running, I executed wsmancmd.py and got an SSL error (both Python 2 and Python 3).
python3 wsmancmd.py -H 192.168.122.6 -s -a certificate -c $HOME/.ssl/winrm_client_cert.pem -k $HOME/.ssl/winrm_client_cert.key "net user Administrator supersecretp@ss"
Traceback (most recent call last):
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 472, in wrap_socket
cnx.do_handshake()
File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1808, in do_handshake
self._raise_ssl_error(self._ssl, result)
File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1548, in _raise_ssl_error
_raise_current_error()
File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 603, in urlopen
chunked=chunked)
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 344, in _make_request
self._validate_conn(conn)
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 843, in _validate_conn
conn.connect()
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connection.py", line 370, in connect
ssl_context=context)
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 368, in ssl_wrap_socket
return context.wrap_socket(sock)
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 478, in wrap_socket
raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/babebbu/.local/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
timeout=timeout
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 641, in urlopen
_stacktrace=sys.exc_info()[2])
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/util/retry.py", line 399, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='192.168.122.6', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "wsmancmd.py", line 172, in <module>
main()
File "wsmancmd.py", line 164, in main
cert_key_pem, cmd)
File "wsmancmd.py", line 121, in run_wsman_cmd
shell_id = p.open_shell(codepage=CODEPAGE_UTF8)
File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/protocol.py", line 157, in open_shell
res = self.send_message(xmltodict.unparse(req))
File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/protocol.py", line 234, in send_message
resp = self.transport.send_message(message)
File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/transport.py", line 256, in send_message
response = self._send_message_request(prepared_request, message)
File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/transport.py", line 261, in _send_message_request
response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
File "/home/babebbu/.local/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/home/babebbu/.local/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.122.6', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
And I sometimes got a ConnectionTimeout error:
Traceback (most recent call last):
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connection.py", line 160, in _new_conn
(self._dns_host, self.port), self.timeout, **extra_kw)
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/util/connection.py", line 80, in create_connection
raise err
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/util/connection.py", line 70, in create_connection
sock.connect(sa)
socket.timeout: timed out
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 603, in urlopen
chunked=chunked)
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 344, in _make_request
self._validate_conn(conn)
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 843, in _validate_conn
conn.connect()
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connection.py", line 316, in connect
conn = self._new_conn()
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connection.py", line 165, in _new_conn
(self.host, self.timeout))
urllib3.exceptions.ConnectTimeoutError: (<urllib3.connection.VerifiedHTTPSConnection object at 0x7f5815b09668>, 'Connection to 192.168.122.6 timed out. (connect timeout=30)')
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/babebbu/.local/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
timeout=timeout
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 641, in urlopen
_stacktrace=sys.exc_info()[2])
File "/home/babebbu/.local/lib/python3.6/site-packages/urllib3/util/retry.py", line 399, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='192.168.122.6', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.VerifiedHTTPSConnection object at 0x7f5815b09668>, 'Connection to 192.168.122.6 timed out. (connect timeout=30)'))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "wsmancmd.py", line 172, in <module>
main()
File "wsmancmd.py", line 164, in main
cert_key_pem, cmd)
File "wsmancmd.py", line 121, in run_wsman_cmd
shell_id = p.open_shell(codepage=CODEPAGE_UTF8)
File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/protocol.py", line 157, in open_shell
res = self.send_message(xmltodict.unparse(req))
File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/protocol.py", line 234, in send_message
resp = self.transport.send_message(message)
File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/transport.py", line 256, in send_message
response = self._send_message_request(prepared_request, message)
File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/transport.py", line 261, in _send_message_request
response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
File "/home/babebbu/.local/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/home/babebbu/.local/lib/python3.6/site-packages/requests/adapters.py", line 504, in send
raise ConnectTimeout(e, request=request)
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='192.168.122.6', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.VerifiedHTTPSConnection object at 0x7f5815b09668>, 'Connection to 192.168.122.6 timed out. (connect timeout=30)'))
I've tried to use wsmancmd.py without the -s (ssl) arg. The following error occurs:
Traceback (most recent call last):
File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/transport.py", line 262, in _send_message_request
response.raise_for_status()
File "/home/babebbu/.local/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: for url: http://192.168.122.6:5985/wsman
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "wsmancmd.py", line 172, in <module>
main()
File "wsmancmd.py", line 164, in main
cert_key_pem, cmd)
File "wsmancmd.py", line 121, in run_wsman_cmd
shell_id = p.open_shell(codepage=CODEPAGE_UTF8)
File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/protocol.py", line 157, in open_shell
res = self.send_message(xmltodict.unparse(req))
File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/protocol.py", line 234, in send_message
resp = self.transport.send_message(message)
File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/transport.py", line 256, in send_message
response = self._send_message_request(prepared_request, message)
File "/home/babebbu/.local/lib/python3.6/site-packages/winrm/transport.py", line 266, in _send_message_request
raise InvalidCredentialsError("the specified credentials were rejected by the server")
winrm.exceptions.InvalidCredentialsError: the specified credentials were rejected by the server
The issue seems to be with the certificate itself. Can you check that the certificate and the key can be found in $HOME/.ssl/ ? Also check that there are no missing characters in the public key pasted in MaaS. Also have you tried using Admin as user, instead of Administrator?
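One way to carry out the check suggested above, and to confirm the copy step from the first reply (an added example, not code from this thread, MaaS or pywinrm): compare the SHA-256 fingerprint of the local `$HOME/.ssl/winrm_client_cert.pem` with the text pasted into MaaS, rejecting a paste with missing markers or characters. All function names are hypothetical, and the sample certificate is constructed filler wrapped in a DER SEQUENCE, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_total_length(der):
    """Length the outer DER SEQUENCE header claims for the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (certificate body damaged)")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("DER length header truncated")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def cert_fingerprint(pem_text):
    """SHA-256 of the DER body; ValueError if the paste is incomplete."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("BEGIN/END CERTIFICATE markers missing")
    b64 = "".join(m.group(1).split())      # ignore line endings and indentation
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError as exc:              # binascii.Error subclasses ValueError
        raise ValueError("base64 body corrupt: %s" % exc) from exc
    if der_total_length(der) != len(der):
        raise ValueError("DER length mismatch: characters missing or added")
    return hashlib.sha256(der).hexdigest()

def same_certificate(local_pem, pasted_pem):
    """True when the local file and the pasted copy are the same certificate."""
    return cert_fingerprint(local_pem) == cert_fingerprint(pasted_pem)

def make_constructed_pem(payload=b"\x5a" * 300):
    """Constructed sample: DER SEQUENCE around filler bytes, not a real cert."""
    der = b"\x30\x82" + len(payload).to_bytes(2, "big") + payload
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN CERTIFICATE-----\n" + body +
            "\n-----END CERTIFICATE-----\n")
```

Read the local file and the text copied back out of the MaaS SSL keys page into two strings and pass them to `same_certificate`; a `ValueError` names which part of the paste is damaged.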
Hello,
Did you have any luck with the above?
Hi,
I'm trying to run it again. Sorry, I was having an ad-hoc task.
Hello,
I tried to reproduce it again and this time it throws SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED]
I tested with both Administrator and Admin:
./wsmancmd.py -H 192.168.120.191 -s -a certificate -c $HOME/.ssl/winrm_client_cert.pem -k $HOME/.ssl/winrm_client_cert.key "net user Administrator supersecretp@ss"
Traceback (most recent call last):
File "./wsmancmd.py", line 172, in <module>
main()
File "./wsmancmd.py", line 164, in main
cert_key_pem, cmd)
File "./wsmancmd.py", line 121, in run_wsman_cmd
shell_id = p.open_shell(codepage=CODEPAGE_UTF8)
File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 157, in open_shell
res = self.send_message(xmltodict.unparse(req))
File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 234, in send_message
resp = self.transport.send_message(message)
File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 256, in send_message
response = self._send_message_request(prepared_request, message)
File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 261, in _send_message_request
response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.120.191', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)'),))
Hello, This is quite strange. I will try to reproduce this in our environment and see if I can get the same error. Will get back to you as soon as I can reproduce this and find a solution for it.
Hello @codesonteen,
Did you manage to get it working some other way? Or do you need further assistance on this issue?
Thank you, Adrian.
The WinRM method doesn't seem to be working and I haven't figured it out yet. So, I worked around it by custom building a LocalScript to handle the password from user data which is passed on to cloudbase-init.
Thank you for the information,
I suppose better documentation would help on this matter. Did you follow this tutorial: https://cloudbase.it/windows-without-passwords-in-openstack/ ?
@codesonteen it seems there is an issue with Py2.7 and windows certificates. Can you try with an updated version of wsmancmd.py https://github.com/ader1990/winrm-scripts/commit/8df871b33f9fcf6bea8e6b0c87a264af1f68bfe7 ?
@ader1990 OK, I will try booting my dev environments up and test it.
Closing the issue, as there was no recent response / activity.
It seems SetPasswordPlugin doesn't POST the password to MAAS. And the MAAS server doesn't seem to have the "Retrieve Password" menu.
Then, how do I retrieve the password configured by SetPasswordPlugin?
Or are there any guides for building a retrieve-password script?