Partial sysprep when creating Windows AMI - windows

tl;dr: I want to create an AMI with a "partial sysprep" so that SSM can connect when I launch a different instance type than the original off that AMI, but want to keep all else equal. It only needs to update the metadata/KMS routes.
I recently hit an issue where SSM was unreachable if I deployed instances of an instance type other than the instance type for which the AMI was originally created. This turned out to be because the different instance size would be launched into a different availability zone, and the routes to connect to SSM were saved to the image pointing to the availability zone of the original instance type AMI.
The solution to this was to shut down with sysprep before creating the AMI. However, that opened other issues:
1- Launching systems off the sysprep'd AMI takes 2+ minutes for SSM to become available, as opposed to instantly when sysprep is not used. But more importantly:
2- Part of my launch script downloads an exe to the desktop and installs it using SSM RunPowerShellScript. This part now fails, I believe because the desktop, etc. isn't created until I RDP into the new instance. I've tested with a 15 minute sleep with the same result. That portion of the code runs fine after I've RDP'd into the instance.
I have:
1. Confirmed the exe installer runs fine when the AMI is not sysprep'd. However, in this mode, I am stuck with only the instance type for which the original AMI was created.
2. Tried a 15 min sleep before downloading/running the installer when sysprep is used. This did not work.
3. Confirmed that on the sysprep'd image, the installer downloads and runs if I have RDP'd into the instance to initialize the desktop, etc.
This is all related to metadata/KMS routes described at the bottom of the page here: https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2launch.html#ec2launch-inittasks
When an AMI is created without using sysprep, if an instance launches off that AMI into a different Availability Zone, SSM is unreachable and the following error occurs in logs:
2019-08-28 22:39:12 ERROR [func1 # coremanager.go.245] [instanceID=i-0d6c57bbfe2db46af] error occurred trying to start core module. Plugin name: StartupProcessor. Error: Internal error occurred by startup processor: runtime error: invalid memory address or nil pointer dereference
2019-08-28 22:39:27 ERROR [SetWebSocket # controlchannel.go.89] [MessageGatewayService] Failed to get controlchannel token, error: CreateControlChannel failed with error: createControlChannel request failed: unexpected response from the service Unauthorized request.
Expected behavior is to be able to launch instances off an AMI with everything preconfigured (including the desktop, etc. which needs to be fully reinitialized when sysprep is used), and have the new instance update metadata/kms routes so SSM is reachable.
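The symptom described in this post (SSM and the metadata endpoints unreachable after a non-sysprep'd AMI lands in another subnet) comes down to stale host routes. The following script is an added example, not code from the original post or from EC2Launch: it reports whether the persistent routes for the instance metadata service and the KMS activation endpoints still point at the gateway of the subnet the instance is actually running in, repairs them on request, and then confirms IMDS answers. It assumes, as the linked EC2Launch documentation describes, that these routes are host routes via the primary interface's subnet gateway; the endpoint addresses are the documented link-local ones, and the function names are my own.

```powershell
# Added example, not part of the original post or of EC2Launch.
# Run in an elevated PowerShell session on the instance (Windows Server 2016+).

# Link-local endpoints covered by EC2Launch's "Add routes" task (documented addresses).
$LinkLocalTargets = @(
    '169.254.169.254',   # instance metadata service (IMDS)
    '169.254.169.250',   # KMS activation endpoint
    '169.254.169.251'    # KMS activation endpoint
)

function Get-PrimaryDefaultRoute {
    # The interface owning the lowest-metric IPv4 default route is the one whose
    # subnet gateway the host routes must use after a launch into a new subnet.
    Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
        Sort-Object -Property RouteMetric, InterfaceMetric |
        Select-Object -First 1
}

function Test-ImdsReachable {
    # IMDSv2: obtain a short-lived session token, then read the availability zone with it.
    try {
        $ttl   = @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
        $token = Invoke-RestMethod -Method Put -Uri 'http://169.254.169.254/latest/api/token' -Headers $ttl -TimeoutSec 3
        $az    = Invoke-RestMethod -Uri 'http://169.254.169.254/latest/meta-data/placement/availability-zone' `
                                   -Headers @{ 'X-aws-ec2-metadata-token' = $token } -TimeoutSec 3
        return [pscustomobject]@{ Reachable = $true;  AvailabilityZone = $az;   Error = $null }
    } catch {
        return [pscustomobject]@{ Reachable = $false; AvailabilityZone = $null; Error = $_.Exception.Message }
    }
}

function Repair-LinkLocalRoutes {
    # Hypothetical helper: without -Repair it only reports, with -Repair it fixes.
    param([switch]$Repair)

    $default = Get-PrimaryDefaultRoute
    if (-not $default) { throw 'No IPv4 default route found; cannot determine the subnet gateway.' }

    foreach ($ip in $LinkLocalTargets) {
        $prefix = "$ip/32"
        $routes = @(Get-NetRoute -DestinationPrefix $prefix -AddressFamily IPv4 -ErrorAction SilentlyContinue)

        # A route is stale when its next hop is the gateway of some other subnet,
        # which is what a non-sysprep'd AMI carries into a different AZ.
        $stale = @($routes | Where-Object { $_.NextHop -ne $default.NextHop -or $_.InterfaceIndex -ne $default.InterfaceIndex })
        $good  = @($routes | Where-Object { $_.NextHop -eq $default.NextHop -and $_.InterfaceIndex -eq $default.InterfaceIndex })

        $action = 'none'
        if ($Repair -and ($stale.Count -gt 0 -or $good.Count -eq 0)) {
            foreach ($r in $stale) {
                Remove-NetRoute -DestinationPrefix $prefix -InterfaceIndex $r.InterfaceIndex -NextHop $r.NextHop -Confirm:$false
            }
            if ($good.Count -eq 0) {
                # New-NetRoute writes to the persistent store unless -PolicyStore ActiveStore is given,
                # so the repaired route survives the next reboot. Low metric so it beats broader routes.
                New-NetRoute -DestinationPrefix $prefix -InterfaceIndex $default.InterfaceIndex `
                             -NextHop $default.NextHop -RouteMetric 5 | Out-Null
            }
            $action = 'repaired'
        }

        [pscustomobject]@{
            Destination     = $ip
            ExpectedGateway = $default.NextHop
            StaleRoutes     = $stale.Count
            GoodRoutes      = $good.Count
            Action          = $action
        }
    }
}

# Report first; repair only when something is wrong; then confirm IMDS responds.
$report = Repair-LinkLocalRoutes
$report | Format-Table -AutoSize
if (($report | Where-Object { $_.StaleRoutes -gt 0 -or $_.GoodRoutes -eq 0 }).Count -gt 0) {
    Repair-LinkLocalRoutes -Repair | Format-Table -AutoSize
}
Test-ImdsReachable
```

Because EC2Launch's initialization tasks do not run on an AMI captured without sysprep, a script like this has to be triggered some other way on first boot, for example from a scheduled task that runs at startup; it only touches the routes and leaves the user profile, desktop and administrator password exactly as they were in the image, which is the "everything else equal" part of the question. Check the report column ExpectedGateway against the subnet's gateway before using -Repair on an instance with more than one network interface.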

Related

Access to Amazon EC2 Windows instance via Remote Desktop

I'm new to AWS EC2 and I'm trying to access a Windows instance (it's an image created from another instance),
but when I click on Get password in the RDP section, I get this message:
The instance has been running since yesterday, so why do I still have this message? Is this something related to missing configuration?
Thanks for your help!
Check the console output for the instance to see whether the AMI that you used to launch it was created with password generation disabled. If password generation is disabled, the console output contains the following:
Ec2SetPassword: Disabled
If password generation is disabled and you don't remember the password for the original instance, you can reset the password for this instance. For more information, see Reset a lost or expired Windows administrator password.

Hyperledger Composer: fabric-ca request register failed with errors after machine restart

I had a composer-rest-server running on a host. For some reason I had to reboot my AWS instance, so I stopped all the Fabric docker containers except the chaincode and also stopped the composer rest server.
After rebooting the machine, I restarted all the containers. At this time the chaincode container did not start. However, I issued a ping command with the admin identity card and the chaincode container started too.
Next, I restarted the composer rest server with the same admin identity. However, when I tried to issue an "identity request" command for a participant it resulted in:
Unhandled error for request POST /api/system/identities/issue: Error: fabric-ca request register failed with errors [[{"code":20,"message":"Authorization failure"}]]
Does it mean the old admin identities are invalidated after a system restart?
This is occurring because when the AWS instance reboots, the identity data within the fabric-ca container is cleared (the container uses sqlite for an ephemeral data store).
If you instead set up the fabric-ca container to use a MySQL or PostgreSQL db container, you will be able to persist the identity data even after machine/container restarts.
This question also pertains to your situation: Hyperledger Composer Identity Issue error after network restart (code:20, authorization failure)
This error is usually seen when you try and Issue a New Identity whilst using an Identity that does not have the rights to do so.
(If you are in single user mode the card you started the REST server with does not have the rights, or if in Multi-User mode the card currently being used in the Wallet does not have the rights.)
The Network Admin card initially created to administer the network has the rights to Issue New identities, and if you want to create additional Identities (Cards) that have the right you need to give them issuer rights when you create them. This is an option you use when Issuing an identity. On the CLI you would use a command such as composer identity issue -c admin#my-network --issuer -u mynewuser ...
On the REST server you would include an option in the JSON data e.g.:
{
  "participant": "org.acme.mynetwork.Manager#MGR02",
  "userID": "BrianM",
  "options": { "issuer": true }
}

Recovering RDP access to potentially compromised GCE Windows 2008 R2 server

I have a Windows 2008R2 server in GCE that is behaving oddly (may be compromised). I can no longer access it via RDP. When I reboot the machine and look at the serial console, I see at the very bottom after the boot sequence, that something called Credentials Manager runs and appears to delete or change some username/password. I suspect that this is what is changing the RDP password. (see image attached). On a normally running Windows VM, I do not see this in the trace.
GCE Agent started.
Starting AddressManager
Starting CredentialsManager
Credentials have changed. Updating...
Changing username...
Deleting old user...
Username or password was updated successfully.
I have tried resetting or adding a new password using the metadata windows-startup-script-cmd = net user but that does not seem to do anything.
What I get is an error message of the form:
Booting on date 05/05/2015 10:22:49
WARNING: Computer Name windows does not match Compute Engine Instance Name XXXXX.
Did you forget to run gcesysprep?
attributes/windows-startup-script-bat value is not set or metadata server is not reachable.
attributes/windows-startup-script-ps1 value is not set or metadata server is not reachable.
So the question is, how can I get into the machine to see what is happening? Is there a way that the GCE startup sequence could be changed to not call the credential manager to change the password or username?
If you have the Gcloud SDK (https://cloud.google.com/compute/docs/gcloud-compute/) installed, you can run the following command while that instance is running:
gcloud compute instances describe instance_name
This will provide all the information about the instance, and you will see a section called MetaData which will display the users and the passwords. Then you can try to remote in and remove any credentials set up in the Credentials Manager located in Control Panel -> User Accounts.
I hope this gives you access to your VM.

Unable to create account in Jappix, metronome xmpp

I am trying to set up Jappix on Amazon EC2. I have followed this guide and set up everything.
https://github.com/jappix/jappix/wiki
https://project.jappix.com/
I ran into this problem while setting up and solved it.
lua-sec-prosody Unable to locate package
Now, after everything is set up (modifying config files etc.), I am not able to create an account.
When I try to register from my custom installation of Jappix, it shows "Service unavailable".
I also tried to point Pidgin to my instance and tried to create an account, but it failed. However, it is able to connect, because I verified that by
service metronome stop
and
service metronome start
Now I tried to use the admin interface through telnet
telnet localhost 5582
and tried to create a user. I got this error
Error: /usr/local/lib/metronome/core/usermanager.lua:80: attempt to index field '?' (a nil value)
Is there anything that I am missing?
PS: I have enabled the required ports on my ec2 instance.
That ominous message means you're trying to create a user on a nonexistent or unactivated host.
(That's fixed in latest tip btw)

AWS ec2 - Windows machine launched from AMI, isn't giving windows password

I have an EC2 Windows machine AMI from which I created an instance yesterday. I don't remember its admin password, and I have been trying to get the Windows password, but every time I try it says "it may take up to 30 minutes". It has been more than 15 hrs now. Is there something fundamentally wrong here? How can I get access to my machine?
A Windows instance created from a custom AMI will inherit the password from the instance from which you created the AMI.
It will not generate a password. You have to log in with the password you configured on the instance from which you created this AMI.
This post is a typical scenario of not reading the error message carefully.