Feature Request: Windows Support about kitchen-oci HOT 17 CLOSED

@briangustafson ^^

from kitchen-oci.

Hi @ehaselwanter, sorry for not getting back to you earlier.

I must confess that Windows support wasn't something I'd envisaged so you may have to help me out a bit here. Could you clarify a little what you're looking for? Do you mean to say that you're running ChefDK on a Windows workstation and the plugin isn't working on the windows client side, or is the problem to do with launching Windows instances in OCI? Could you describe what happens when you attempt to do whatever it is you're trying to do?

from kitchen-oci.

Hi @stephenpearson,

no problem. We are heavy user of kitchen-oci to test all our linux boxes. so chef code on linux ... currently we want to move our windows workloads to OCI too. So it is about running the chef code on windows boxes in the cloud.

Maybe everything is already working and I just can not figure out how to configure an example. In that case an example config would help.

cheers
Edmund

from kitchen-oci.

I think the problem may be that you have to use winrm rather than ssh if using the supplied Windows images. Normally (i.e. outside of Kitchen) the initial password for the opc user has to be retrieved from the API or console and then Windows forces a password change on first login. When running this using the winrm transport then I'm not sure how we would handle this inside the Kitchen driver.

Are you planning to use custom Windows images in Kitchen containing a fixed password?

from kitchen-oci.

@ehaselwanter I was able to make this work as follows:

First I had to make a custom Windows image from the standard Oracle provided Windows 2016 Server image. I reset the initial password for the opc user to something else. I then ensured that ports tcp/5985 and tcp/5986 were accessible through the windows firewall and via the security list in OCI. Then I made sure that winrm was remotely accessible by running winrm quickconfig from a command session running as Administrator and accepting the prompts. Finally I shut the machine down, then clicked 'Stop' for the instance in the console, and then clicked 'Create Custom Image'.

When that was complete, I added the new image OCID into the following kitchen configuration file for my cookbook:

---
driver:
  name: oci

provisioner:
  name: chef_zero
  always_update_cookbooks: true

verifier:
  name: inspec

platforms:
  - name: windows
    os_type: windows
    driver:
      # These are mandatory
      compartment_id: ocid1.compartment.....
      availability_domain: ....
      image_id: ocid1.image.....
      shape: VM.Standard2.2
      subnet_id: ocid1.subnet....

      # These are optional
      use_private_ip: false
      oci_config_file: ~/.oci/config
      oci_profile_name: DEFAULT
      ssh_keypath: "~/.ssh/id_rsa.pub"
    transport:
      name: winrm
      username: opc
      password: "<redacted>"

suites:
  - name: default
    run_list:
      - recipe[my_cookbook::default]
    verifier:
      inspec_tests:
        - test/smoke/default
    attributes:

I ran kitchen as follows:

[stephen@chef my_cookbook]$ kitchen converge
-----> Starting Kitchen (v1.24.0)
WARN: Unresolved specs during Gem::Specification.reset:
      bundler (>= 1.10)
WARN: Clearing out unresolved specs.
Please report a bug if this causes problems.
-----> Creating <default-windows>...
       [WinRM] Established

       Finished creating <default-windows> (9m14.09s).
-----> Converging <default-windows>...
... etc ...

from kitchen-oci.

@stephenpearson that sounds great. Will test this in the upcoming days. we definitely should find a way for setting a (known) password during bootstrap / the api call. Will investigate that matter

from kitchen-oci.

@stephenpearson do you see a way to provide a cloudinit.ps1 like shown in: https://github.com/terraform-providers/terraform-provider-oci/tree/master/docs/examples/compute/windows#what-this-example-covers

I guess something like https://github.com/test-kitchen/kitchen-ec2/blob/d2fd013073c2f51869776a628b7198b3b43f7dcb/lib/kitchen/driver/ec2.rb#L67

from kitchen-oci.

@ehaselwanter Thanks for those links. That approach may work, and I was looking at extending the .kitchen.yml file in this kind of way:

      user_data:
        - type: x-shellscript
          inline: |
            #!/bin/bash
            touch /tmp/foo.txt
          filename: init.sh

.. and since the Windows images now contain cloud-init then that ought to work for Powershell too. Unfortunately, so far I've not been able to inject the multipart-mime userdata into cloud-init successfully but I'll keep tinkering with it.

If this general approach does work, then using the examples you linked to it ought to be possible to enable winrm and set a password. If we did set the password this way then it would imply that the userdata would have to contain the password in plaintext (or base64 encoded), so not very secure but probably good enough for spinning up a temporary test environment.

from kitchen-oci.

great to hear. yes. I agree. not that secure but at least not a hardcoded value in the image itself.

from kitchen-oci.

@ehaselwanter FYI, I think the above PR does what you want. If you pass setup_winrm: true in the driver config then it'll insert a powershell script to setup winrm and to set a new random password for the instance that doesn't need to be changed on first login. There is an example .kitchen.yml file in the README.md.

If there are no objections from anyone then I'll merge and publish this as version 1.5.0.

from kitchen-oci.

WOW! this sounds perfect! I'll test and report how it works :-) So all for it.

from kitchen-oci.

@stephenpearson would you mind to merge/push it?

from kitchen-oci.

@ehaselwanter Ok, I've just made a few small refactoring changes to make Rubocop happy, so as soon as I've tested that then I'll merge and push it out.

from kitchen-oci.

No problem, no point waiting any longer to publish it. I'll assume it worked ok for you, if not then we can fix any bugs with a patch release.

from kitchen-oci.

@ehaselwanter FYI: I released version 1.5.0 onto rubygems.org

from kitchen-oci.

tested it. works great. I will open another feature request though. we would love to be able to specify a password to set instead of the random one. use case is testing windows_task resources which needs to know the password in the chef run. I have a workaround for it with lifecycle hooks. that does not feel right, but works

from kitchen-oci.

That's great. I'll close this feature request and let you open another one to keep things separate.

from kitchen-oci.