Newbie needs help creating AWS EC2 Windows instance


#1

Hello,

Total Chef newbie.

I am trying to spin up a Windows Server instance using knife ec2. I’m stuck conceptually on how to accomplish this using knife. Should I try knife ec2 server create? If so, can someone please help with a command I can pattern from? (The knife ec2 doc is, ahem, a little sparse).

Thanks!


#2

knife ec2 server create --groups=default --region=us-east-1 --availability-zone=us-east-1a --image=ami-# --flavor=t2.large --ssh-user=username --ssh-key=keyname --identity-file=~keylocation -r "role[name]"

 On Thursday, September 24, 2015 11:40 AM, Alex Neihaus <architect@air11.com> wrote:

Hello,

Total Chef newbie.

I am trying to spin up a Windows Server instance using knife ec2. I’m stuck conceptually on how to accomplish this using knife. Should I try knife ec2 server create? If so, can someone please help with a command I can pattern from? (The knife ec2 doc is, ahem, a little sparse).

Thanks!


#3

Hi Alex,
Yes, knife ec2 server create is where you want to start.
There’s a serviceable, if minimal (and possibly insufficient for your use)
example of a command at https://github.com/chef/knife-ec2:

$ knife ec2 server create -r 'role[webserver]' -I ami-7000f019 -f m1.small
-A 'Your AWS Access Key ID' -K "Your AWS Secret Access Key"

The -r flag sets the Chef run list and I think the other ones are
self-explanatory.
You should run the following command to get a list of all the flags:
$ knife ec2 server create -h

The one command above will accomplish two things:

  1. Create an AWS EC2 instance matching the specified settings
  2. Once AWS is done baking the EC2 instance, it will then be bootstrapped
    with chef-client, registered to your Chef server, and a first chef-client
    run will occur.



#4

Thank you!

I am almost there. Can someone shed light on the --ssh-key parameter? I’m passing a local copy of a .pem file that is on AWS but knife is saying it cannot be found.


Sent from Alex’s mobile device. Please excuse typos and brevity.

On Sep 24, 2015, at 14:58, Fabien Delpierre <fabien.delpierre@gmail.com> wrote:

Hi Alex,
Yes, knife ec2 server create is where you want to start.
There’s a serviceable, if minimal (and possibly insufficient for your use) example of a command at https://github.com/chef/knife-ec2:

$ knife ec2 server create -r 'role[webserver]' -I ami-7000f019 -f m1.small -A 'Your AWS Access Key ID' -K "Your AWS Secret Access Key"

The -r flag sets the Chef run list and I think the other ones are self-explanatory.
You should run the following command to get a list of all the flags:
$ knife ec2 server create -h

The one command above will accomplish two things:

  1. Create an AWS EC2 instance matching the specified settings
  2. Once AWS is done baking the EC2 instance, it will then be bootstrapped with chef-client, registered to your Chef server, and a first chef-client run will occur.



#5

It can be --identity-file=~/.ssh/filename.pem

 On Thursday, September 24, 2015 1:22 PM, Alex Neihaus <architect@air11.com> wrote:

Thank you!
I am almost there. Can someone shed light on the --ssh-key parameter? I’m passing a local copy of a .pem file that is on AWS but knife is saying it cannot be found.

Sent from Alex’s mobile device. Please excuse typos and brevity.


#6

If working on a Linux node, I would suggest setting up the ~/.ssh/config file
first. This should take care of defined SSH connections to the nodes. You
will not be required to specify the keys each time you SSH into the nodes.

For Windows, the GitHub doc has the entry below:

A Windows instance via the WinRM protocol: --ssh-key is still required due to EC2 API operations that need it to grant access to the Windows instance

--spot-price option lets you specify the spot pricing

knife ec2 server create -I ami-173d747e -G windows -f m1.medium --user-data ~/your-user-data-file -x '.\a_local_user' -P 'yourpassword' --ssh-key your-public-key-id --spot-price price-in-USD

So, put in your pub key id/name that you will use in that region.



Regards
nirish okram


#7

--ssh-key expects the name of a keypair that you created in EC2, not the
.pem file.
You do need to use the corresponding .pem file as well, but you’ll provide
that to knife-ec2 with the --identity-file parameter.



#8

Thanks to everyone who has responded. I am almost there.

I have knife ec2 standing up a Windows Server 2008 R2 instance and, apparently, connecting to it via winrm. However, after accessing winrm and during what I think is the attempt to bootstrap the instance to Chef, I receive an OpenSSL “padding check failed” error.

If anyone has any clues, I’d appreciate your help. Here’s the error and the knife ec2 command I am using (with the sensitive parts removed):

Waiting for EC2 to create the instance…
Subnet ID: subnet-
Tenancy: default
Private IP Address:
Waiting for winrm access to become available…done
Waiting for Windows Admin password to be available…
ERROR: OpenSSL::PKey::RSAError: padding check failed

knife ec2 server create --flavor m4.xlarge --associate-public-ip --bootstrap-protocol winrm -N WinServerTestNodeCanBeDeleted --region us-east-1 --availability-zone us-east-1d --security-group-ids sg-NNNNN -T name=WinServerTestNodeCanBeDeleted -I ami-YYYYY --user-data /path-to-user-text/usertext.txt -A -K --ssh-key --subnet subnet-XXXXXXX --identity-file /pathtochefrepo/.chef/.pem -VV

Alex


#9

Usually that error would occur if you weren’t using the correct private key.
Suggestion: create an instance the exact same way you did (or use one that
you still have running), go to the AWS web console, and try to download the
admin credentials by using the same .pem file you used in your knife ec2
command. That’ll tell you whether you’re at least using the right one.
Unless you knowingly put the .pem file corresponding to your AWS keypair in
your /chefrepo/.chef directory, my guess is you’re using the wrong file.

Also, I might suggest that you don’t use m4.xlarge instances for initial
testing – Windows instances of that size aren’t cheap and it will add up
quickly!

On Fri, Sep 25, 2015 at 9:45 AM, Alex Neihaus architect@air11.com wrote:

Thanks to everyone who has responded. I am almost there.

I have knife ec2 standing up a Windows Server 2008 R2 instance and,
apparently, connecting to it via winrm. However, after accessing winrm and
during what I think is the attempt to bootstrap the instance to Chef, I
receive an OpenSSL “padding check failed” error.

If anyone has any clues, I’d appreciate your help. Here’s the error and
the knife ec2 command I am using (with the sensitive parts removed):

Waiting for EC2 to create the instance…
Subnet ID: subnet-
Tenancy: default
Private IP Address:
Waiting for winrm access to become available…done
Waiting for Windows Admin password to be available…
ERROR: OpenSSL::PKey::RSAError: padding check failed

knife ec2 server create --flavor m4.xlarge --associate-public-ip
--bootstrap-protocol winrm -N WinServerTestNodeCanBeDeleted --region
us-east-1 --availability-zone us-east-1d --security-group-ids sg-NNNNN -T
name=WinServerTestNodeCanBeDeleted -I ami-YYYYY --user-data
/path-to-user-text/usertext.txt -A -K --ssh-key --subnet subnet-XXXXXXX --identity-file
/pathtochefrepo/.chef/.pem -VV

Alex


#10

Thanks again for your help.

I was thinking the same thing – that the wrong key is being used to connect to the instance – so here’s what I tried:
1). Generated a new AWS keypair
2). Placed that key in chef-repo/.chef
3). Ran knife ec2 with that key name in --ssh-key without the .pem extension. That is, --ssh-key=name_of_key_file_without.pem_extension (knife ec2 blows up if you use the full filename with a "cannot be found" message from AWS.)
4). Logged into the console and successfully decrypted the password with the .pem file specified in the knife ec2 command

Conceptually, I am having a problem understanding what, exactly, is going on that requires an ssh key. I know the doc says it’s needed but I don’t understand why. There’s nothing listening on port 22 in the instance – that’s where

Still no joy getting knife ec2 to bootstrap the running, accessible instance.

Could there be a problem with the version of knife ec2? I am running 12.4.1.

Appreciate the tip about the instance costs – until I get it running, I’ve dialed that back. The AMI is an AWS image with SQL Server, to t2. Instance types are out.

From: Fabien Delpierre [mailto:fabien.delpierre@gmail.com]
Sent: Friday, September 25, 2015 10:09
To: chef chef@lists.opscode.com
Subject: [chef] Re: RE: Re: Newbie needs help creating AWS EC2 Windows instance

Usually that error would occur if you weren’t using the correct private key.
Suggestion: create an instance the exact same way you did (or use one that you still have running), go to the AWS web console, and try to download the admin credentials by using the same .pem file you used in your knife ec2 command. That’ll tell you whether you’re at least using the right one. Unless you knowingly put the .pem file corresponding to your AWS keypair in your /chefrepo/.chef directory, my guess is you’re using the wrong file.
Also, I might suggest that you don’t use m4.xlarge instances for initial testing – Windows instances of that size aren’t cheap and it will add up quickly!



#11

The need for a keypair for Windows Server instances in AWS is an AWS
limitation. They wanted a secure way to deliver the password for the local
Administrator account. So they devised this scheme where you associate a
keypair with the instance, even though, as you pointed out, you will not be
using SSH to actually interact with the instance. The password is encrypted
with the keypair’s public key, and you provide your private key to decrypt
it.
Why Knife needs those elements follows from the above: once the instance is
up, Knife attempts to download the password from the AWS API by providing
the .pem file. Using that password, it can proceed to actually connect to
the instance and provision it with Chef.

On Fri, Sep 25, 2015 at 10:56 AM, Alex Neihaus architect@air11.com wrote:

Thanks again for your help.

I was thinking the same thing – that the wrong key is being used to
connect to the instance – so here’s what I tried:
1). Generated a new AWS keypair
2). Placed that key in chef-repo/.chef
3). Ran knife ec2 with that key name in --ssh-key without the .pem
extension. That is, --ssh-key=name_of_key_file_without.pem_extension
(knife ec2 blows up if you use the full filename with a "cannot be found"
message from AWS.)
4). Logged into the console and successfully decrypted the password with
the .pem file specified in the knife ec2 command

Conceptually, I am having a problem understanding what, exactly, is going
on that requires an ssh key. I know the doc says it’s needed but I don’t
understand why. There’s nothing listening on port 22 in the instance –
that’s where

Still no joy getting knife ec2 to bootstrap the running, accessible
instance.

Could there be a problem with the version of knife ec2? I am running
12.4.1.

Appreciate the tip about the instance costs – until I get it running,
I’ve dialed that back. The AMI is an AWS image with SQL Server, to t2.
Instance types are out.

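The scheme described in #11 and the "padding check failed" error from #8, as an added example that is not part of the thread and is not knife-ec2's own code: the Administrator password is encrypted to the key pair's public key, and only the matching private key recovers it. The two RSA keys and the sample password are constructed stand-ins, and the helper names are hypothetical.

```ruby
require "openssl"
require "base64"

# Constructed stand-ins (no real AWS keys): KEYPAIR_A plays the EC2 key pair
# named by --ssh-key; KEYPAIR_B plays an unrelated .pem given to --identity-file.
KEYPAIR_A = OpenSSL::PKey::RSA.new(2048)
KEYPAIR_B = OpenSSL::PKey::RSA.new(2048)
SAMPLE_PASSWORD = "Constructed-Passw0rd!" # constructed sample value

# Service side: encrypt the Administrator password to the key pair's public
# key (RSA with PKCS#1 v1.5 padding) and return it base64-encoded.
def encrypt_admin_password(password, public_key)
  Base64.strict_encode64(public_key.public_encrypt(password))
end

# Client side: decrypt the base64 blob with the private key from the .pem.
# Returns [:ok, plaintext] or [:error, message].
def decrypt_admin_password(password_data_b64, private_key_pem)
  key = OpenSSL::PKey::RSA.new(private_key_pem)
  [:ok, key.private_decrypt(Base64.decode64(password_data_b64))]
rescue OpenSSL::PKey::RSAError => e
  [:error, e.message]
end

# True only when the .pem recovers exactly the password that was encrypted.
def pem_recovers_password?(password_data_b64, private_key_pem, expected)
  status, value = decrypt_admin_password(password_data_b64, private_key_pem)
  status == :ok && value == expected
end

if __FILE__ == $PROGRAM_NAME
  blob = encrypt_admin_password(SAMPLE_PASSWORD, KEYPAIR_A.public_key)
  # Matching .pem: the password comes back.
  p decrypt_admin_password(blob, KEYPAIR_A.to_pem)
  # Unrelated .pem: usually an RSAError such as the one reported in #8; some
  # newer OpenSSL builds return unrelated bytes instead of raising, so the
  # absence of an error is not proof that the key matched.
  p decrypt_admin_password(blob, KEYPAIR_B.to_pem)
end
```
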