I am trying to spin up an AWS EC2 Windows 2016/2012R2 server using `kitchen create` with a defined YAML configuration, but during the process it waits to connect to the remote EC2 machine using WSMan (http://:5985/wsman) and fails after a timeout.

Please find below the contents of my kitchen.local.yml file:

```yaml
---
driver:
  name: ec2
  security_group_ids: ["sg-1234jh21"]
  region: us-east-1
  require_chef_omnibus: true
  instance_type: t2.micro
  aws_ssh_key_id: chef
  subnet_id: subnet-1234jsg
  retryable_sleep: 5
  retryable_tries: 360
  shared_credentials_profile: saml
  associate_public_ip: false
  tags: {
    Name: "windows2016",
    Owner: "ABC",
    Account Code: "ABC",
    Dept: "ABC"
  }

transport:
  #name: winrm
  #ssh_key: C:\Users\username\.ssh\chef.pem
  #retryable_tries: 200
  #retryable_sleep: 8
  #connection_timeout: 90
  # elevated: true
  username: testkitchen
  password: xxxxxxxx

verifier:
  name: inspec

provisioner:
  name: chef_zero

platforms:
  - name: windows-2016
    driver:
      image_id: ami-******
      user_data: |
        <powershell>
        # The testkitchen profile directory does not exist yet when user data runs
        # (the account is created further down), so log to a directory that does.
        $logfile="C:\kitchen-ec2.log"
        # Allow script execution
        Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
        # PS Remoting and winrm.cmd basic config
        Enable-PSRemoting -Force -SkipNetworkProfileCheck
        & winrm.cmd set winrm/config '@{MaxTimeoutms="1800000"}' >> $logfile
        & winrm.cmd set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}' >> $logfile
        & winrm.cmd set winrm/config/winrs '@{MaxShellsPerUser="50"}' >> $logfile
        # Server settings - support username/password login
        & winrm.cmd set winrm/config/service/auth '@{Basic="true"}' >> $logfile
        & winrm.cmd set winrm/config/service '@{AllowUnencrypted="true"}' >> $logfile
        # Firewall config
        & netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" profile=public protocol=tcp localport=5985 remoteip=localsubnet new remoteip=any  >> $logfile
        "Disabling Complex Passwords" >> $logfile
        $seccfg = [IO.Path]::GetTempFileName()
        & secedit.exe /export /cfg $seccfg >> $logfile
        (Get-Content $seccfg) | Foreach-Object {$_ -replace "PasswordComplexity\s*=\s*1", "PasswordComplexity = 0"} | Set-Content $seccfg
        & secedit.exe /configure /db $env:windir\security\new.sdb /cfg $seccfg /areas SECURITYPOLICY >> $logfile
        & cp $seccfg "c:\"
        & del $seccfg
        $username="testkitchen"
        $password="xxxxxxxxx"
        "Creating static user: $username" >> $logfile
        & net.exe user /y /add $username $password >> $logfile
        "Adding $username to Administrators" >> $logfile
        & net.exe localgroup Administrators /add $username >> $logfile
        # Let the local admin account get a full token over the network (needed for WinRM)
        Set-ItemProperty -Name LocalAccountTokenFilterPolicy -Path HKLM:\software\Microsoft\Windows\CurrentVersion\Policies\system -Value 1
        </powershell>
    driver_config:
      log_level: debug
      guest: windows
      communicator: 'winrm'

suites:
  - name: default
    run_list:
      - recipe[windows::default]
    attributes:
```

Error message:

```text
2018/02/02 10:19:10Z: Message: Windows is Ready to use

       EC2 instance <i-xxxxxxxxxxxx> ready.
D      [WinRM] <{:endpoint=>"http://<ip>:5985/wsman", :user=>"testkitchen", :password=>"xxxxxxx", :transport=>:negotiate, :elevated_username=>"testkitchen", :elevated_password=>"xxxxxxxx", :no_ssl_peer_verification=>true, :disable_sspi=>false, :basic_auth_only=>false}> (Write-Host '[WinRM] Established
')
D      [WinRM] opening remote shell on http://<ip>:5985/wsman
D      [WinRM] opening remote shell on http://<ip>:5985/wsman

I, [2018-02-01T22:13:18.894201 #2052]  INFO -- Kitchen: -----> Starting Kitchen (v1.19.2)
I, [2018-02-01T22:13:32.925614 #2052]  INFO -- Kitchen: -----> Creating <default-windows-2012r2>...
E, [2018-02-01T22:29:02.938333 #2052] ERROR -- Kitchen: ------Exception-------
E, [2018-02-01T22:29:02.938333 #2052] ERROR -- Kitchen: Class: Kitchen::ActionFailed
E, [2018-02-01T22:29:02.938333 #2052] ERROR -- Kitchen: Message: 1 actions failed.
>>>>>>     Failed to complete #create action: [Unable to parse authorization header. Headers: {"Via"=>"1.1 10.158.11.157 (McAfee Web Gateway 7.6.2.16.0.24166)", "Date"=>"Thu, 01 Feb 2018 16:55:20 GMT", "Content-Type"=>"text/html", "Cache-Control"=>"no-cache", "Content-Length"=>"2663", "Proxy-Connection"=>"Keep-Alive", "Proxy-Authenticate"=>"Basic realm=\"McAfee Web Gateway\""}
Body: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<!-- FileName: index.html
     Language: [en]
-->
<!--Head-->
<head>
  type="text/javascript" ></script>
  <link rel="stylesheet" href="/mwg-internal/gfddsdfd/files/default/stylesheet.css" />
</head>
<!--/Head-->
  <tr>
    <td class='footData'>
      generated <span id="time">2018-02-01 22:25:20</span> by McAfee Web Gateway
      <br />
      Ruby WinRM Client (2.8.3, ruby 2.4.2)
    </td>
  </tr>
```
asur

1 Answer

From the Chef side of things, you appear to have some kind of corporate internet proxy that is rejecting Chef's HTTP requests. The UA header is not configurable, so you'll have to fix this on the gateway (but honestly you probably can't).

coderanger
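The diagnosis above can be confirmed mechanically from the header hash Kitchen prints in the error. The following is an added example (not from the question, the answer, or Test Kitchen itself) that parses that Ruby hash dump, flags a reply that came from a forward proxy rather than the WinRM service, and checks whether the instance's private address would be covered by a `no_proxy` list; it assumes the client honours the conventional `http_proxy`/`no_proxy` environment variables, and the header values are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the header hash Kitchen prints in its
# "Unable to parse authorization header" error (values are illustrative).
SAMPLE_HEADERS = ('{"Via"=>"1.1 10.0.0.1 (Example Web Gateway 1.0)", '
                  '"Content-Type"=>"text/html", '
                  '"Proxy-Authenticate"=>"Basic realm=\\"Example Web Gateway\\""}')


def parse_ruby_hash(text):
    """Turn a Ruby Hash#inspect string {"k"=>"v", ...} into a dict with lower-cased keys."""
    pairs = re.findall(r'"((?:[^"\\]|\\.)*)"=>"((?:[^"\\]|\\.)*)"', text)
    return {k.lower(): v.replace('\\"', '"') for k, v in pairs}


def proxy_intercepted(headers):
    """True when the reply came from an HTTP proxy instead of the WinRM service.

    WinRM answers with a SOAP/XML body; a forward proxy demanding credentials
    answers with a Proxy-Authenticate challenge (usually plus a Via hop) and HTML.
    """
    ctype = headers.get("content-type", "").lower()
    from_proxy = "proxy-authenticate" in headers or "via" in headers
    return from_proxy and "xml" not in ctype


def host_bypasses_proxy(endpoint, no_proxy):
    """Check whether the endpoint host is covered by a no_proxy list
    (comma-separated hostnames, leading-dot domain suffixes, or CIDR blocks)."""
    host = urlsplit(endpoint).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a hostname rather than a literal IP
    for entry in (e.strip() for e in no_proxy.split(",") if e.strip()):
        if entry == "*":
            return True
        if "/" in entry:
            if addr is not None and addr in ipaddress.ip_network(entry, strict=False):
                return True
        elif host == entry.lstrip(".") or host.endswith("." + entry.lstrip(".")):
            return True
    return False


if __name__ == "__main__":
    hdrs = parse_ruby_hash(SAMPLE_HEADERS)
    print("intercepted by proxy:", proxy_intercepted(hdrs))
    print("private IP bypasses proxy:", host_bypasses_proxy("http://10.20.30.40:5985/wsman", "localhost,10.0.0.0/8"))
```

If `proxy_intercepted` is true and the endpoint is not covered by `no_proxy`, the WinRM request never reached the instance; the fix belongs in the proxy exclusion list or on the gateway, not in the Kitchen transport settings.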