MSYS-798 - Fixes for windows administrator password #524
Conversation
Signed-off-by: dheerajd-msys <[email protected]>
lib/chef/knife/ec2_server_create.rb
Outdated
| @@ -1537,12 +1537,13 @@ def windows_password | |||
| if not locate_config_value(:winrm_password) | |||
| if locate_config_value(:identity_file) | |||
| print "\n#{ui.color("Waiting for Windows Admin password to be available", :magenta)}" | |||
| print(".") until check_windows_password_available(@server.id) { | |||
| print(".\n") unless @server | |||
There was a problem hiding this comment.
Isn't there supposed to be a loop here? Before we were calling check_windows_password_available which would sleep for 10 seconds and try the password, and because that was an until we would keep doing it.
Now there's just a single unless on a print, which isn't useful. If we need to not look for the password until @server is valid, I would expect a return false unless @server in check_windows_password_available after the sleep 10.
Signed-off-by: dheerajd-msys <[email protected]>
| response = connection.get_password_data(@server.id) | ||
| data = File.read(locate_config_value(:identity_file)) | ||
| config[:winrm_password] = decrypt_admin_password(response.body["passwordData"], data) | ||
| if @server |
There was a problem hiding this comment.
if the server isn't available yet for some reason, will we never try to get the windows password?
There was a problem hiding this comment.
I think you basically want a
until @server { ....}
until windows_password_available { ... }
There was a problem hiding this comment.
We need to confirm this do we required this line to set user data for Administrator since ec2 creates default user as Administrator and it generates its own password. So our main problem is here we unnecessarily as far as I understand we don't need to add that net user command for Administrator here https:/MsysTechnologiesllc/knife-ec2/blob/c3371c98ce2407bb09512f8d497498891e55dee3/lib/chef/knife/ec2_server_create.rb#L1061
This particular line is causing issue where it calls windows_password method before instance is getting created.
So we should not call above lines of code for Administrator that will automatically resolve the problem for user.
@btm to answer to your question server gets available after create and when we call bootstrap_for_window_node we get windows_password since we verify the winrm connection is successful and then call bootstrap https:/MsysTechnologiesllc/knife-ec2/blob/c3371c98ce2407bb09512f8d497498891e55dee3/lib/chef/knife/ec2_server_create.rb#L821
I have checked with until loop until loop goes in infinite loop for @server check since here create_server_def has call to ssl_config_user_data which calls for windows_password method. This call is before we create the server which will always create problem in case of winrm_user as Administrator and if winrm_password is not provided.
So my suggestion will be just verify do we really need this lines for Administrator user to set user data
https:/MsysTechnologiesllc/knife-ec2/blob/c3371c98ce2407bb09512f8d497498891e55dee3/lib/chef/knife/ec2_server_create.rb#L1061:L1062
There was a problem hiding this comment.
Adding some more points to @Vasu1105 comment:
For Administrator user and chef on Windows over SSL
While creating server here https:/chef/knife-ec2/blob/master/lib/chef/knife/ec2_server_create.rb#L534 call goes to https:/chef/knife-ec2/blob/master/lib/chef/knife/ec2_server_create.rb#L1179 and subsequently to ssl_config_user_data and satisfying all the conditions calls windows_password here
https:/chef/knife-ec2/blob/master/lib/chef/knife/ec2_server_create.rb#L1061. But since server is not created yet, password could not be fetched from https:/chef/knife-ec2/blob/master/lib/chef/knife/ec2_server_create.rb#L1540.
So we need to check for the server availability with if @server. until @server takes this to infinite loop.
Also in the first turn it goes to the else part here https:/chef/knife-ec2/pull/524/files#diff-e2993b8367db674f58a052036f00052aR1546 and fetches the primary details of server for creating server.
And in second try it satisfy the condition of if @server and make the password available from https:/chef/knife-ec2/pull/524/files#diff-e2993b8367db674f58a052036f00052aR1539
Description:
While Bootstrapping an Amazon node with chef on Windows over SSL
--winrm-transport sslfails because we check created instance id which did not exist at that time for administrator user password.Solution:
Updated code so that until instance is created we won't call
check_windows_password_availablemethod for Administrator's password.Command:
Issue fixed:
Bootstrap fails when using
--winrm-transport ssl--winrm-ssl-verify-mode verify_none.Ref: #521
Fixes #521
Signed-off-by: dheerajd-msys [email protected]