OCI Windows Instance admin launch password - pass to winrm for provisioners #7033
Did you ever figure it out? Were you able to test WinRM function on the image via + To use WinRM on an instance (https://docs.cloud.oracle.com/iaas/Content/Compute/References/images.htm). On the OCI provided images I've tried this in the builder section (and combos of this) with no dice, but also the remote PSSessions aren't working as described (verified connectivity and subnet acl):
Packer v1.3.2 |
@sardm that's not quite right. You don't use the Then to access the winrm password in the provisioners you use that "{{.WinRMPassword}}" syntax. |
@Marcus-James-Adams Does the example here help clarify how to use the template engine to pass in the winrm password? This engine doesn't work for all fields for all provisioners, but does work for various fields in the powershell and shell-local provisioners, as well as the ansible provisioner and maybe a couple of others. All of the provisioners which allow this functionality should have it documented on their docs pages. |
@SwampDragons
TRY 2 TRY 3 |
Okay so you're having trouble getting it to connect to winrm at all. I checked my notes from when I was working on this. It looks like you're missing a user data file:
Where that file contains code setting up winrm. I thought I'd gotten this working, but I have a note in this config that I hadn't gotten the winrmpassword thing figured out yet. My oracle credentials have expired so I'm going to have to try to track new ones down before I can do real life testing on this. I'll try to get back to you soon but I'm not sure I'm going to have time to get this figured out before the new year. |
@SwampDragons I'll try that on my creds as that was my "trying to avoid workaround" but according to this and blogs https://docs.cloud.oracle.com/iaas/images/windows-server-2012-r2-bm/ |
Just a thought -- by default, Packer isn't messing around with ingress rules on the security lists for whatever subnet you're on; you need to make sure your port for winrm is open by adding a new ingress rule to that list. I've found some credentials, and I'm also stuck on getting winrm to connect. I'll see if I can figure it out. |
Hi
Just to say in my example testing I also did a try 4 with an image that I had previously set the opc password to and set winrm to that.
I used the same machine for all four tests and it's one I know has full all ports/protocols access to the oci compartment
That goes through fine and packer builds ok
|
Just a further update on this: I've tried using user data as a way to get around this, using scripts that work for other provisioners (changing to ps native as said), but they don't seem to work either. It still hangs at the waiting at winrm. This is a pain, as OCI now has a number of different hardware combos that all require their own base image, so having to manually create images in order to create images is long and just feels so wrong. |
Sounds like there's definitely something still wrong on the Packer side. |
To get WinRM working for remote provisioning OCI Windows images there are a few small hurdles to jump through: The article https://medium.com/oracledevs/managing-oracle-cloud-infrastructure-iscsi-block-volume-attachments-with-terraform-16ae46fdf3b4 covers how I got this working with Terraform, the same approach may work for Packer.
|
Hello, Any updates on this issue? I am facing the same problem and none of the workarounds mentioned are working for me. Thanks |
The following example uses a cloudbase-init script when creating the builder instance to override the initial password and disable the password reset to allow connectivity over WinRM. The same password needs to be set in both the userdata.ps1 file and the packer json.

userdata.ps1

```powershell
#ps1_sysnative
# Stop the opc account's password from expiring.
cmd /C 'wmic UserAccount where Name="opc" set PasswordExpires=False'
# Set the opc password to the value Packer uses for WinRM.
$opcUser = get-wmiobject win32_useraccount | Where-Object { $_.Name -match 'opc' }
([adsi]("WinNT://"+$opcUser.caption).replace("\","/")).SetPassword("myTemp#Pa55_Word")
```

packer.json

```json
{
  "builders": [
    {
      "type": "oracle-oci",
      "availability_domain": "ilMx:CA-TORONTO-1-AD-1",
      "base_image_ocid": "ocid1.image.oc1....",
      "compartment_ocid": "ocid1.compartment.oc1.....",
      "subnet_ocid": "ocid1.subnet.oc1....",
      "shape": "VM.Standard2.1",
      "image_name": "MyWinImage",
      "communicator": "winrm",
      "winrm_username": "opc",
      "winrm_password": "myTemp#Pa55_Word",
      "winrm_insecure": true,
      "winrm_use_ssl": true,
      "winrm_port": 5986,
      "user_data_file": "./userdata.ps1"
    }
  ],
  "provisioners": [
    {
      "type": "windows-shell",
      "inline": [
        "dir c:\\"
      ]
    }
  ]
}
```
|
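Added example, not part of the thread and not Packer's own code: the comment above needs the same password in userdata.ps1 and in the Packer JSON, so this Python sketch generates a throwaway password per build and renders both from it, keeping the literal out of the committed template. The `winrm_password` user variable name, the `__PW__` placeholder and the output file names are assumptions.

```python
import json
import secrets
import string

# Symbols chosen so the value needs no escaping inside a PowerShell
# double-quoted string or a JSON string (no quotes, $, backtick, backslash).
SYMBOLS = "#_-+=!"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# The userdata.ps1 from the comment above; __PW__ is a placeholder (assumption).
USERDATA_TEMPLATE = r'''#ps1_sysnative
cmd /C 'wmic UserAccount where Name="opc" set PasswordExpires=False'
$opcUser = get-wmiobject win32_useraccount | Where-Object { $_.Name -match 'opc' }
([adsi]("WinNT://"+$opcUser.caption).replace("\","/")).SetPassword("__PW__")
'''


def new_build_password(length=24):
    """Return a random password with lower, upper, digit and symbol characters."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in classes):
            return pw


def render_build(password):
    """Return (userdata.ps1 text, Packer var-file JSON) sharing one password."""
    if any(ch not in ALPHABET for ch in password):
        raise ValueError("password contains characters that would need escaping")
    userdata = USERDATA_TEMPLATE.replace("__PW__", password)
    var_file = json.dumps({"winrm_password": password})
    return userdata, var_file


if __name__ == "__main__":
    import os
    userdata, var_file = render_build(new_build_password())
    for name, text in (("userdata.ps1", userdata), ("winrm-vars.json", var_file)):
        # 0o600: the rendered files hold the secret, keep them owner-only.
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
```

In packer.json, declare `"variables": {"winrm_password": ""}`, set ``"winrm_password": "{{user `winrm_password`}}"`` in the builder, and run `packer build -var-file=winrm-vars.json packer.json`. Delete both rendered files once the build finishes.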
(Thanks to Stephen) Use userdata to set a new pw
Use it in the builder:
|
Hi! How do I run powershell scripts in provisioners with elevated privileges while building a Windows Image in OCI? Usage of provisioners as mentioned below, gives me error "provisioners":[ |
Try |
Thank you for the reply. Using the 'Password' variable in Provisioners gives me the same error.
Any other suggestions that have worked? |
you need to use backticks, not single quotes. |
Thank you very much @SwampDragons. The below worked fine. Digging into what went wrong the previous time. |
Thank you! I didn't have to specify a password and just used this |
Did you have to use an API at all to make the image? If not, did you just leave the winrm_password variable blank? Please share |
with the one-liner cloudbase-init script as below, only set winrm_username = "opc", but DO NOT set winrm_password.
|
This all works, but the resulting image is useless because it's not possible to know what the OPC password is. So any instance created from this image is not able to ever be logged onto. |
@jmdoman, that would be the next and final step, which depends on what type of image you want. Check out this Oracle documentation: https://docs.oracle.com/en-us/iaas/Content/Compute/References/windowsimages.htm. For a specialized image, you have to set/hardcode the initial password in the image. For a generalized/sysprepped image, the scripts will help you create an image which behaves like the OCI platform image, which will create a random password that can be seen on the OCI console. You do need to modify the Generalize.cmd to remove the "ipconfig /release" command, as these scripts are meant for a manual process and will kill the automated packer process. |
This could be me not fully understanding the documentation and I think all the outstanding blockers are now resolved, and there seem to be a number of tickets about it, but I don't seem to see the one that pulls it all together.
So we want to create our own Gold Windows OS images based upon the OCI provided images but that we have run windows-update and added a number of other core features that we then use as a base of our BAU packer processes. And this is currently the only non-automated part of our process now.
There now seems to be a way for the builder to get the auto-generated password and windows images now have winrm enabled by default along with cloud-init.
So how do I configure my builder/provisioner when working in OCI so that I can pass the automatically generated password into winrm so that I can provision builds?