When creating a win2k8-r2 VM from the .kitchen.yml shown in the README, the vm never converges

[ricardolupo]

Finished creating <default-windows2008-r2> (8m22.76s).
-----> Converging <default-windows2008-r2>...
       Preparing files for transfer
       Preparing dna.json
       Resolving cookbook dependencies with Berkshelf 4.0.1...
       Removing non-cookbook files before transfer
       Preparing validation.pem
       Preparing client.rb
^@       [WinRM] connection failed, retrying in 1 seconds (#<HTTPClient::ConnectTimeoutError: execution expired>)
^@       [WinRM] connection failed, retrying in 1 seconds (#<HTTPClient::ConnectTimeoutError: execution expired>)
^@       [WinRM] connection failed, retrying in 1 seconds (#<HTTPClient::ConnectTimeoutError: execution expired>)
^@       [WinRM] connection failed, retrying in 1 seconds (#<HTTPClient::ConnectTimeoutError: execution expired>)
^@$$$$$$ [WinRM] connection failed, terminating (#<HTTPClient::ConnectTimeoutError: execution expired>)
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: Failed to complete #converge action: [execution expired]
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration

[binamov]

👍 I see this with kitchen-azurerm (0.2.3) and this in my .kitchen.yml:

platforms:
  - name: windows2008-r2
    driver_config:
      image_urn: MicrosoftWindowsServer:WindowsServer:2008-R2-SP1:latest
      winrm_powershell_script: |-
        winrm quickconfig -q
        winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="512"}'
        winrm set winrm/config '@{MaxTimeoutms="1800000"}'
        winrm set winrm/config/service '@{AllowUnencrypted="true"}'
        winrm set winrm/config/service/auth '@{Basic="true"}'
        netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" profile=public protocol=tcp localport=5985 remoteip=localsubnet new remoteip=any
    transport:
      name: winrm

[stuartpreston]

I just tried this out myself and looks like the agent process that executes the PowerShell script doesn't have enough rights to do what it needs to configure WinRM, where a similar script does seem to on Win2012R2.

[
    {
        "code": "ComponentStatus/StdOut/succeeded",
        "displayStatus": "Provisioning succeeded",
        "level": "Info",
        "message": "WinRM is not set up to receive requests on this machine.\\nThe following changes must be made:\\n\\nStart the WinRM service. \\nConfigure LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.\\n\\nWinRM has been updated to receive requests.\\n\\nWinRM service started. \\nConfigured LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.\\n\\nNo rules match the specified criteria.\\n",
        "time": null
    },
    {
        "code": "ComponentStatus/StdErr/succeeded",
        "displayStatus": "Provisioning succeeded",
        "level": "Info",
        "message": "WSManFault\\n    Message = Access is denied. \\n\\nError number:  -2147024891 0x80070005\\nAccess is denied. \\nWSManFault\\n    Message = Access is denied. \\n\\nError number:  -2147024891 0x80070005\\nAccess is denied. \\nWSManFault\\n    Message = Access is denied. \\n\\nError number:  -2147024891 0x80070005\\nAccess is denied. \\nWSManFault\\n    Message = Access is denied. \\n\\nError number:  -2147024891 0x80070005\\nAccess is denied. \\nWSManFault\\n    Message = Access is denied. \\n\\nError number:  -2147024891 0x80070005\\nAccess is denied. ",
        "time": null
    }
]

I confirmed the script was sent to the machine correctly:

PS C:\azuredata> gc .\CustomData.bin
winrm quickconfig -q
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="512"}'
winrm set winrm/config '@{MaxTimeoutms="1800000"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" profile=public protocol=tcp localport=59
85 remoteip=localsubnet new remoteip=any
PS C:\azuredata>

I believe this to be expected as the waagent executes the script as the SYSTEM account rather than an account with an Administrative token. I'm guessing one sort of fix is to pass in the default credentials for the specified admin user and use Start-Process to start another powershell.exe process with the configuration script supplied... @andrewelizondo Any other ideas? How did you get this working for your customer as the waagent?

[stuartpreston]

I have a fix for this close to being pushed up today, stand by for testing @ricardolupo @binamov @andrewelizondo

[stuartpreston]

Just to update this thread, I tried a number of ways including setting up a scheduled task and running an elevated PowerShell session and neither of these ways worked on Windows 2008 R2. Back to the drawing board. I have a branch here if anyone can think of a workaround using the same approach: https://github.com/pendrica/kitchen-azurerm/tree/psh-execution-as-admin

Otherwise it looks like we would have to do some KeyVault trickery with the driver to get things working correctly with Windows 2008.

[msghaleb]

Hi,

I've replaced few lines between line 297 and 313 and its working for me, currently when I provision a windows box the ps1 script works fine.

I replaced version 1.4 with 1.7 and added to the settings section the name and the url of the PS1 script.

ideally this would be arguments.

ref: https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-windows-extensions-customscript/

def custom_script_extension_template(command)
<<-EOH
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(variables('vmName'),'/','enableWinRM')]",
"apiVersion": "2015-05-01-preview",
"location": "[variables('location')]",
"dependsOn": [
"[concat('Microsoft.Compute/virtualMachines/',variables('vmName'))]"
],
"properties": {
"publisher": "Microsoft.Compute",
"type": "CustomScriptExtension",
"typeHandlerVersion": "1.7",
"autoUpgradeMinorVersion":true,
"settings": {
"ConfigureRemotingForAnsible": [
"https://ghalebtestkitchen.blob.core.windows.net/testkitchen/ConfigureRemotingForAnsible.ps1"
],
"commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File ConfigureRemotingForAnsible.ps1"
}
}
}
EOH
end

[stuartpreston]

This is a great script, we should look at integrating it into the driver so there are no external dependencies on it. Can you let me know the source of this script so I can provide proper attribution?

[msghaleb]

sure! its added already to the original post ;-)

source: https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-windows-extensions-customscript/

[stuartpreston]

@msghaleb Sorry I meant the source of the .ps1 script - it looks like it is from here: https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 and is under a GPLv3 license.

[msghaleb]

@sturartperston ah ok :-) yes you are right this is ansible script. but best would be if you can add 2 more paramerts so that the user can overwrite it with the default values of the once above. What do you think? I assume some other tools may need different scripts so you can give the user the choice. If he didn't supply anything will failover to this script.

Again great work!

[stuartpreston]

This has been fixed by #44 - Windows 2008 converges are now possible! This will be available from Release 0.8.0 onwards.