docs and cleanup

2020-03-31 16:55:32 -07:00 · 2020-03-31 16:55:32 -07:00 · 64b706983e
parent d45ffe73d0
commit 64b706983e
3 changed files with 211 additions and 28 deletions
--- a/provisioner/ansible/provisioner.go
+++ b/provisioner/ansible/provisioner.go
@ -305,11 +305,6 @@ func (p *Provisioner) setupAdapter(ui packer.Ui, comm packer.Communicator) (stri
 	return k.privKeyFile, nil
 }

-// ansible_user: LocalUsername
-// ansible_password: Password
-// ansible_connection: winrm
-// ansible_winrm_transport: basic
-
 const DefaultSSHInventoryFilev2 = "{{ .HostAlias }} ansible_host={{ .Host }} ansible_user={{ .User }} ansible_port={{ .Port }}\n"
 const DefaultSSHInventoryFilev1 = "{{ .HostAlias }} ansible_ssh_host={{ .Host }} ansible_ssh_user={{ .User }} ansible_ssh_port={{ .Port }}\n"
 const DefaultWinRMInventoryFilev2 = "{{ .HostAlias}} ansible_host={{ .Host }} ansible_connection=winrm ansible_winrm_transport=basic ansible_shell_type=powershell ansible_user={{ .User}} ansible_port={{ .Port }}\n"
@ -641,11 +636,11 @@ func (p *Provisioner) executeAnsible(ui packer.Ui, comm packer.Communicator, pri
 	// remove winrm password from command, if it's been added
 	flattenedCmd := strings.Join(cmd.Args, " ")
 	sanitized := flattenedCmd
-	// winRMPass, ok := p.generatedData["WinRMPassword"]
-	// if ok && winRMPass != "" {
-	// 	sanitized = strings.Replace(sanitized,
-	// 		winRMPass.(string), "*****", -1)
-	// }
+	winRMPass, ok := p.generatedData["WinRMPassword"]
+	if ok && winRMPass != "" {
+		sanitized = strings.Replace(sanitized,
+			winRMPass.(string), "*****", -1)
+	}
 	ui.Say(fmt.Sprintf("Executing Ansible: %s", sanitized))

 	if err := cmd.Start(); err != nil {
--- a/website/source/docs/builders/amazon-ebs.html.md.erb
+++ b/website/source/docs/builders/amazon-ebs.html.md.erb
@ -83,7 +83,7 @@ necessary for this build to succeed and can be found further down the page.
 ### Block Devices Configuration

 Block devices can be nested in the
-[ami_block_device_mappings](#ami_block_device_mappings) or the 
+[ami_block_device_mappings](#ami_block_device_mappings) or the
 [launch_block_device_mappings](#launch_block_device_mappings) array.

 <%= partial "partials/builder/amazon/common/BlockDevice" %>
@ -241,6 +241,100 @@ after termination. If you need to preserve those source volumes, you can
 overwrite the termination setting by specifying `delete_on_termination=false`
 in the `launch_block_device_mappings` block for the device.

+## Connecting to Windows instances using WinRM
+
+If you want to launch a Windows instance and connect using WinRM, you will need
+to configure WinRM on that instance. The following is a basic powershell script
+that can be supplied to AWS using the "user_data_file" option. It enables
+WinRM via HTTPS on port 5986, and creates a self-signed certificate to use to
+connect. If you are using a certificate from a CA, rather than creating a
+self-signed certificate, you can omit the "winrm_insecure" option mentioned
+below.
+
+autogenerated_password_https_boostrap.txt
+
+``` ps1
+<powershell>
+
+# MAKE SURE IN YOUR PACKER CONFIG TO SET:
+#
+#
+#    "winrm_username": "Administrator",
+#    "winrm_insecure": true,
+#    "winrm_use_ssl": true,
+#
+#
+
+
+write-output "Running User Data Script"
+write-host "(host) Running User Data Script"
+
+Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore
+
+# Don't set this before Set-ExecutionPolicy as it throws an error
+$ErrorActionPreference = "stop"
+
+# Remove HTTP listener
+Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
+
+# Create a self-signed certificate to let ssl work
+$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
+New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
+
+# WinRM
+write-output "Setting up WinRM"
+write-host "(host) setting up WinRM"
+
+cmd.exe /c winrm quickconfig -q
+cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
+cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
+cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
+cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
+cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
+cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
+cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
+cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
+cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
+cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
+cmd.exe /c net stop winrm
+cmd.exe /c sc config winrm start= auto
+cmd.exe /c net start winrm
+
+</powershell>
+```
+
+You'll notice that this config does not define a user or password; instead,
+Packer will ask AWS to provide a random password that it generates
+automatically.  The following config will work with the above template:
+
+```
+{
+  "builders": [
+  {
+    "type": "amazon-ebs",
+    "region": "us-east-1",
+    "instance_type": "t2.micro",
+      "source_ami_filter": {
+        "filters": {
+          "virtualization-type": "hvm",
+          "name": "*Windows_Server-2012*English-64Bit-Base*",
+          "root-device-type": "ebs"
+        },
+        "most_recent": true,
+        "owners": "amazon"
+      },
+    "ami_name": "default-packer",
+    "user_data_file": "winrm_bootstrap.txt",
+    "communicator": "winrm",
+    "force_deregister": true,
+    "winrm_insecure": true,
+    "winrm_username": "Administrator",
+    "winrm_use_ssl": true
+  }]
+}
+```
+
+
 ## Windows 2016 Sysprep Commands - For Amazon Windows AMIs Only

 For Amazon Windows 2016 AMIs it is necessary to run Sysprep commands which can
--- a/website/source/docs/provisioners/ansible.html.md.erb
+++ b/website/source/docs/provisioners/ansible.html.md.erb
@ -132,14 +132,14 @@ Optional Parameters:
 -   `groups` (array of strings) - The groups into which the Ansible host should
    be placed. When unspecified, the host is not associated with any groups.

-   `inventory_file` (string) - The inventory file to use during provisioning.
-    When unspecified, Packer will create a temporary inventory file and will
-    use the `host_alias`.
-
 -   `host_alias` (string) - The alias by which the Ansible host should be
    known. Defaults to `default`. This setting is ignored when using a custom
    inventory file.

+-   `inventory_file` (string) - The inventory file to use during provisioning.
+    When unspecified, Packer will create a temporary inventory file and will
+    use the `host_alias`.
+
 -   `inventory_directory` (string) - The directory in which to place the
    temporary generated Ansible inventory file. By default, this is the
    system-specific temporary file location. The fully-qualified name of this
@ -148,6 +148,12 @@ Optional Parameters:
    inventory directory with `host_vars` `group_vars` that you would like to
    use in the playbook that this provisioner will run.

+-   `keep_inventory_file` (boolean) - If `true`, the Ansible provisioner will
+    not delete the temporary inventory file it creates in order to connect to
+    the instance. This is useful if you are trying to debug your ansible run
+    and using "--on-error=ask" in order to leave your instance running while you
+    test your playbook. this option is not used if you set an `inventory_file`.
+
 -   `local_port` (uint) - The port on which to attempt to listen for SSH
    connections. This value is a starting point. The provisioner will attempt
    listen for SSH connections on the first available of ten ports, starting at
@ -181,14 +187,16 @@ Optional Parameters:
    `ansible-playbook` with the `-e ansible_ssh_private_key_file` option.

 -   `user` (string) - The `ansible_user` to use. Defaults to the user running
-    packer.
+    packer, NOT the user set for your communicator. If you want to use the same
+    user as the communicator, you will need to manually set it again in this
+    field.

-   `use_proxy` (boolean) - Whether or not to set up a localhost proxy adapter
+-   `use_proxy` (boolean) - When `true`, set up a localhost proxy adapter
    so that Ansible has an IP address to connect to, even if your guest does not
    have an IP address. For example, the adapter is necessary for Docker builds
-    to use the Ansible provisioner. Defaults to "true". If you set this option
-    to `false`, but Packer cannot find an IP address to connect Ansible to, it
-    will automatically set up the adapter anyway.
+    to use the Ansible provisioner. If you set this option to `false`, but
+    Packer cannot find an IP address to connect Ansible to, it will
+    automatically set up the adapter anyway.

    In order for Ansible to connect properly even when use_proxy is false, you
    need to make sure that you are either providing a valid username and ssh key
@ -197,7 +205,11 @@ Optional Parameters:
    provide a user to ansible, it will use the user associated with your
    builder, not the user running Packer.

-    use_proxy=false is currently only supported for SSH, not winRM.
+    use_proxy=false is currently only supported for SSH and WinRM.
+
+    Currently, this defaults to `true` for all connection types. In the future,
+    this option will be changed to default to `false` for SSH and WinRM
+    connections where the provisioner has access to a host IP.

 <%= partial "partials/provisioners/common-config" %>

@ -272,13 +284,87 @@ connection to chroot and running Ansible as root/sudo.
 }
 ```

-### winrm communicator
+### WinRM Communicator

-Windows builds require a custom Ansible connection plugin and a particular
-configuration. Assuming a directory named `connection_plugins` is next to the
-playbook and contains a file named `packer.py` which implements the connection
-plugin. On versions of Ansible before 2.4.x, the following works as the
-connection plugin
+There are two possible methods for using ansible with the WinRM communicatior.
+
+#### Method 1 (recommended)
+
+The recommended way to use the WinRM communicator is to set `"use_proxy": false`
+and let the Ansible provisioner handle the rest for you. If you
+are using WinRM with HTTPS, and you are using a self-signed certificate you
+will also have to set `ansible_winrm_server_cert_validation=ignore` in your
+extra_arguments.
+
+Below is a fully functioning Ansible example using WinRM:
+
+```
+{
+  "builders": [
+  {
+    "type": "amazon-ebs",
+    "region": "us-east-1",
+    "instance_type": "t2.micro",
+      "source_ami_filter": {
+        "filters": {
+          "virtualization-type": "hvm",
+          "name": "*Windows_Server-2012*English-64Bit-Base*",
+          "root-device-type": "ebs"
+        },
+        "most_recent": true,
+        "owners": "amazon"
+      },
+    "ami_name": "default-packer",
+    "user_data_file": "windows_bootstrap.txt",
+    "communicator": "winrm",
+    "force_deregister": true,
+    "winrm_insecure": true,
+    "winrm_username": "Administrator",
+    "winrm_use_ssl": true
+  }],
+  "provisioners": [
+    {
+      "type":  "ansible",
+      "playbook_file": "./playbook.yml",
+      "user": "Administrator",
+      "use_proxy": false,
+      "extra_arguments": [
+        "-e", "ansible_winrm_server_cert_validation=ignore"
+      ]
+    }
+  ]
+}
+```
+
+Note that you do have to set the "Administrator" user, because otherwise Ansible
+will default to using the user that is calling Packer, rather than the user
+configured inside of the Packer communicator. For the contents of
+windows_bootstrap.txt, see the winrm docs for the amazon-ebs communicator.
+
+When running from OSX, you may see an error like:
+
+```
+    amazon-ebs: objc[9752]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called.
+    amazon-ebs: objc[9752]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug.
+    amazon-ebs: ERROR! A worker was found in a dead state
+```
+
+If you see this, you may be able to work around the issue by telling Ansible to
+explicitly not use any proxying; you can do this by setting the template option
+
+```
+"ansible_env_vars": ["no_proxy=\"*\""],
+```
+
+in the above Ansible template.
+
+#### Method 2 (Not recommended)
+
+If you want to use the Packer ssh proxy, then you need a custom Ansible
+connection plugin and a particular configuration. You need a directory named
+`connection_plugins` next to the playbook which contains a file named
+packer.py` which implements the connection plugin. On versions of Ansible
+before 2.4.x, the following works as the connection plugin:

 ``` python
 from __future__ import (absolute_import, division, print_function)
@ -361,7 +447,7 @@ Platform:
  "builders": [
    {
      "type": "googlecompute",
-      "account_file": "{{user `account_file`}}",
+      "account_file": "{{ user `account_file`}}",
      "project_id": "{{user `project_id`}}",
      "source_image": "windows-server-2012-r2-dc-v20160916",
      "communicator": "winrm",
@ -489,3 +575,11 @@ Example playbook:
      yum:
        name: httpd
 ```
+
+### Troubleshooting
+
+If you are using an Ansible version >= 2.8 and Packer hangs in the
+"Gathering Facts" stage, this could be the result of a pipelineing issue with
+the proxy adapter that Packer uses. Setting `use_proxy: false,` in your
+Packer config should resolve the issue. In the future we will default to setting
+this, so you won't have to but for now it is a manual change you must make.