    • Improvement
    • Resolution: Fixed
    • Major
    • ec2-plugin
    • None
    • ec2 plugin 1.24

      Supporting windows would be really useful: we ship our products on windows as well as Linux, but all our devs run Linux

          [JENKINS-4995] Support windows AMI's in EC2 plugin

          Joe Birney added a comment -

          jg_lgc - Hmmm can you share an example of a userdata script as we could not find it here.

          • We do have a local user setup, we do have WinRM enabled. 
          • We did disable WinRM "negotiation" with
            winrm set winrm/config/service/auth @{Negotiate="false"}
          • We also followed Ted's comment since we are using our own local user account so added this to allow other local accounts to work:
            reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

          But we get the same winrm infinite loop issue. With these values in the logs:

          July 11, 2018 9:10:27 AM org.apache.http.client.protocol.RequestAuthenticationBase process
          WARNING: NEGOTIATE authentication error: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)

           

          Should we have disabled Kerberos as well?

           

          Thanks all for your help!


          Justin Georgeson added a comment -

          The maxmemorypershell is pretty important for the agent to be able to actually do anything once launched.

          <powershell>
          winrm set winrm/config '@{MaxTimeoutms="300000"}'
          winrm set winrm/config/service/auth '@{Basic="true"}'
          winrm set winrm/config/service/auth '@{Kerberos="true"}'
          winrm set winrm/config/service '@{AllowUnencrypted="true"}'
          winrm set winrm/config/client '@{TrustedHosts="<jenkins master>"}'
          winrm set winrm/config/service '@{EnableCompatibilityHttpListener="true"}'
          winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="12288"}'
          restart-service winrm
          </powershell>
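The user data above enables Basic authentication together with AllowUnencrypted, so the agent account's password crosses the network base64-encoded over plain HTTP. The following is an added example, not from the thread or the plugin's documentation, of the same settings moved to an HTTPS listener. The controller address is a placeholder, and it assumes the plugin version in use can connect to WinRM over HTTPS and is set to accept or trust the self-signed certificate.

```powershell
<powershell>
# Added example, not part of the original comment.
# Placeholder (documentation range): address of the Jenkins controller.
$ControllerCidr = '203.0.113.10/32'

# Self-signed certificate for the HTTPS listener, named after this host.
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME `
    -CertStoreLocation Cert:\LocalMachine\My

# Replace any existing HTTPS listener with one bound to the new certificate.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Remove-Item -Recurse -Force
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Basic auth stays available for the local account, but only inside TLS.
Set-Item WSMan:\localhost\Service\Auth\Basic $true
Set-Item WSMan:\localhost\Service\AllowUnencrypted $false

# Same timeout and per-shell memory limit as the script above.
Set-Item WSMan:\localhost\MaxTimeoutms 300000
Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 12288

# Allow 5986 from the controller only; the EC2 security group should
# carry the same restriction and leave 5985 (HTTP) closed.
New-NetFirewallRule -DisplayName 'WinRM HTTPS from Jenkins controller' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 `
    -RemoteAddress $ControllerCidr -Action Allow | Out-Null

Restart-Service WinRM
</powershell>
```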

          tapvir virk added a comment - - edited

          Hi,

          I'm trying to set up the Windows slave and am getting the error below. Can someone help?

          Failed to verify connectivity to Windows slave
          java.lang.IllegalStateException: Unsupported authentication scheme: CredSSP
          at org.apache.http.auth.AuthSchemeRegistry.getAuthScheme(AuthSchemeRegistry.java:116)
          at org.apache.http.auth.AuthSchemeRegistry$1.create(AuthSchemeRegistry.java:152)
          at org.apache.http.impl.client.AuthenticationStrategyImpl.select(AuthenticationStrategyImpl.java:189)
          at org.apache.http.impl.client.TargetAuthenticationStrategy.select(TargetAuthenticationStrategy.java:44)
          at org.apache.http.impl.auth.HttpAuthenticator.handleAuthChallenge(HttpAuthenticator.java:154)
          at org.apache.http.impl.client.HttpAuthenticator.authenticate(HttpAuthenticator.java:58)
          at org.apache.http.impl.client.DefaultRequestDirector.handleResponse(DefaultRequestDirector.java:1056)
          at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:514)
          at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
          at hudson.plugins.ec2.win.winrm.WinRMClient.sendRequest(WinRMClient.java:217)
          at hudson.plugins.ec2.win.winrm.WinRMClient.sendRequest(WinRMClient.java:188)
          at hudson.plugins.ec2.win.winrm.WinRMClient.openShell(WinRMClient.java:82)
          at hudson.plugins.ec2.win.winrm.WinRM.ping(WinRM.java:29)
          at hudson.plugins.ec2.win.WinConnection.ping(WinConnection.java:132)
          at hudson.plugins.ec2.win.EC2WindowsLauncher.connectToWinRM(EC2WindowsLauncher.java:136)
          at hudson.plugins.ec2.win.EC2WindowsLauncher.launchScript(EC2WindowsLauncher.java:33)
          at hudson.plugins.ec2.EC2ComputerLauncher.launch(EC2ComputerLauncher.java:48)
          at hudson.slaves.SlaveComputer$1.call(SlaveComputer.java:294)
          at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46)
          at jenkins.security.ImpersonatingExecutorService$2.call(ImpersonatingExecutorService.java:71)
          at java.util.concurrent.FutureTask.run(FutureTask.java:266)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
          at java.lang.Thread.run(Thread.java:748)


          Ian Ellis added a comment -

          Getting the "java.lang.IllegalStateException: Unsupported authentication scheme: CredSSP" error message as well.

          Haven't used the EC2 agent for windows agents for last month or so, but it was working perfectly before that.

          Can RDP and WinRM in to the Windows agent that it spun up from my development machine and our Linux Jenkins master. The agent just doesn't come online, and we get the infinitely repeated "Waiting for WinRM to come up. Sleeping 10s." message. Can't find any corresponding logs on the Windows machine (don't you love :ms).

          I think the last time we used the ec2 agent plugin we were using 1.39, so I'm guessing 1.40 or 1.41 have broken it?


          Ian Ellis added a comment - - edited

          Managed to get my windows jenkins agent online

          Just disabled the Server role of WSManCredSSP.

          PS C:\Users\Administrator> Disable-WSManCredSSP -Role Server

          Didn't work in the init data, cos that only gets executed after the agent has come online. So used schtasks to execute it on startup in my Packer build of the agent's AMI.
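The workaround above written as an image-build provisioning step. This is an added example that is not from the thread; the task name is a made-up placeholder, and the script assumes it runs elevated while the AMI is being built.

```powershell
# Added example, not part of the original comment.
# Placeholder task name; the action re-applies the setting at every boot.
$TaskName = 'Disable-WSManCredSSP-Server'
$Action   = 'powershell.exe -NoProfile -NonInteractive -Command Disable-WSManCredSSP -Role Server'

# Turn the CredSSP server role off in the image being built.
Disable-WSManCredSSP -Role Server

# Register a startup task running as SYSTEM, so the role is off before
# the Jenkins controller makes its first WinRM connection.
schtasks.exe /Create /TN $TaskName /SC ONSTART /RU SYSTEM /RL HIGHEST /TR $Action /F
if ($LASTEXITCODE -ne 0) {
    throw "schtasks /Create failed with exit code $LASTEXITCODE"
}

# Fail the build if the WinRM service would still offer CredSSP.
$credssp = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
if ($credssp -ne 'false') {
    throw "CredSSP is still enabled on the WinRM service (value: $credssp)"
}

# Fail the build if the task did not register.
schtasks.exe /Query /TN $TaskName | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Scheduled task '$TaskName' was not registered"
}
```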


          Baptiste Mathus added a comment -

          I believe this issue could (or should) actually be closed as Resolved, and new issues be filed about the issues that are still present.

          AFAIU, Francis worked on adding support (see commits linked as a comment in 2014 https://issues.jenkins-ci.org/browse/JENKINS-4995?focusedCommentId=206750&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-206750).

          People have rightly reported various issues above (infinite loop, etc.?).
          But then I also see people providing workarounds.

          In other words, I believe closing and having people report more specific issues would provide clarity and make this more actionable.

          I think I'll close this JIRA in the next days if people don't disagree. *Again*, this is not to say things are great and work perfectly already. The goal is actually to target more a win-win: better clarity, so the current EC2 plugin maintainers (I'm not one) can more easily understand what needs to be fixed and help users here with issues.

          Thanks!

          Oleg Nenashev added a comment -

          I also think it could be closed. Some documentation may be helpful, but I do not see anything outstanding left here.

          Please correct me if I am wrong


          Francis Upton added a comment -

          We could wait another few months to close it after its 10th anniversary.

          Oleg Nenashev added a comment -

          Sounds like a plan 


          Baptiste Mathus added a comment -

          I'm going to assume Francis was being sarcastic (which I like), so closing to avoid keeping this misleading for another 10 months or so.

          Please file specific issues if you find something not working. Please read my last comment above: this is NOT being closed because there's no issue at all, but because we want specific issues with reproduction steps to be actually able to understand and fix remaining issues.

          Thanks!

            francisu Francis Upton
            lifeless lifeless
            Votes: 27
            Watchers: 34
