General discussion about Chef

[chef] Re: Newbie needs help creating AWS EC2 Windows instance


Chronological Thread 
  • From: Alex Neihaus < >
  • To: " " < >
  • Subject: [chef] Re: Newbie needs help creating AWS EC2 Windows instance
  • Date: Fri, 25 Sep 2015 19:04:54 +0000
  • Accept-language: en-US
  • Authentication-results: spf=none (sender IP is ) ;
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:23
Thanks for all the help. Unfortunately, I think I am going to call it a day (or, actually two) and declare defeat much as I don’t want to.

It’s relatively uncomplicated to get knife ec2 to stand up an instance — the devilishly hard thing seems to be able to get it to bootstrap to a Chef server in the same pass. A Google search or two brings up people that don’t even try: they run knife ec2 and then knife windows winrm to bootstrap. I just don’t understand why that should be necessary.

It occurred to me that the most logical response to the “you are using the wrong key” was to create my own AMI and launch it with the key I originally used when launching from AWS’s AMI. Doing this doesn’t produce the OpenSSL padding error. It simply hangs waiting for the password — forever. So, even when I am certain I am using the correct key, it fails. If I use the  knife ec2 –x and –P parameters to specify the now known userid and password from my own AMI, I get a different error: “warning: epoll is not supported on this platform. 

I am on ChefDK 0.8.0, freshly installed just to try this. 

It seems like Windows is always going to be a second-class citizen in Chef. That’s too bad.

This mailing list is very responsive — I really appreciate all the suggestions.

From: Fabien Delpierre
Reply-To: " "> "
Date: Friday, September 25, 2015 at 11:11
To: chef
Subject: [chef] Re: RE: Re: RE: Re: Newbie needs help creating AWS EC2 Windows instance

The need for a keypair for Windows Server instances in AWS is an AWS limitation. They wanted a secure way to deliver the password for the local Administrator account. So they devised this scheme where you associate a keypair with the instance, even though, as you pointed out, you will not be using SSH to actually interact with the instance. The password is encrypted with the keypair's public key, and you provide your private key to decrypt it.
Why Knife needs those elements follows from the above: once the instance is up, Knife attempts to download the password from the AWS API by providing the .pem file. Using that password, it can proceed to actually connect to the instance and provision it with Chef.

On Fri, Sep 25, 2015 at 10:56 AM, Alex Neihaus < " target="_blank"> > wrote:
Thanks again for your help.

I was thinking the same thing -- that the wrong key is being used to connect to the instance --  so here’s what I tried:
1). Generated a new AWS keypair
2). Placed that key in chef-repo/.chef
3). Ran knife ec2 with that key name in --ssh-key _without_ the .pem extension.  That is, --ssh-key=name_of_key_file_without.pem_extension (knife ec2 blows up if you use the full filename with a “cannot be found message" message from AWS.)
4). Logged into the console and successfully decrypted the password with the .pem file specified in the knife ec2 command

Conceptually, I am having a problem understanding what, exactly, is going on that requires an ssh key. I know the doc says it's needed but I don't understand why. There's nothing listening on port 22 in the instance -- that's where

Still no joy getting knife ec2 to bootstrap the running, accessible instance.

Could there be a problem with the version of knife ec2? I am running 12.4.1.

Appreciate the tip about the instance costs -- until I get it running, I've dialed that back. The AMI is an AWS image with SQL Server, to t2. Instance types are out.



From: Fabien Delpierre [mailto: "> ]
Sent: Friday, September 25, 2015 10:09
To: chef < "> >
Subject: [chef] Re: RE: Re: Newbie needs help creating AWS EC2 Windows instance

Usually that error would occur if you weren't using the correct private key.
Suggestion: create an instance the exact same way you did (or use one that you still have running), go to the AWS web console, and try to download the admin credentials by using the same .pem file you used in your knife ec2 command. That'll tell you whether you're at least using the right one. Unless you knowingly put the .pem file corresponding to your AWS keypair in your /chefrepo/.chef directory, my guess is you're using the wrong file.
Also, I might suggest that you don't use m4.xlarge instances for initial testing -- Windows instances of that size aren't cheap and it will add up quickly!

On Fri, Sep 25, 2015 at 9:45 AM, Alex Neihaus < "> > wrote:
Thanks to everyone who has responded. I am almost there.

I have knife ec2 standing up a Windows Server 2008 R2 instance and, apparently, connecting to it via winrm. However, after accessing winrm and during what I think is the attempt to bootstrap the instance to Chef, I receive an OpenSSL “padding check failed” error.

If anyone has any clues, I’d appreciate your help. Here's the error and the knife ec2 command I am using (with the sensitive parts removed):

Waiting for EC2 to create the instance......
Subnet ID: subnet-<removed>
Tenancy: default
Private IP Address: <removed>
Waiting for winrm access to become available.....done
Waiting for Windows Admin password to be available............
ERROR: OpenSSL::PKey::RSAError: padding check failed

knife ec2 server create --flavor m4.xlarge --associate-public-ip --bootstrap-protocol winrm -N WinServerTestNodeCanBeDeleted --region us-east-1 --availability-zone us-east-1d --security-group-ids sg-NNNNN -T name=WinServerTestNodeCanBeDeleted -I ami-YYYYY --user-data /path-to-user-text/usertext.txt -A <removed> -K <removed> --ssh-key <AWS key name> --subnet subnet-XXXXXXX   --identity-file /pathtochefrepo/.chef/<removed>.pem -VV

Alex

Archive powered by MHonArc 2.6.16.

§