
Jenkins Amazon EC2 plugin WinRM infinite loop


I am currently setting up my Jenkins server to create EC2 instances when a build is initialized. It creates and destroys the instance perfectly, but it won't connect with WinRM. I have tried everything online at this point; I've been at it for a total of at least 16 hours.

Some things I've tried:

Powershell commands:

# Enable the WinRM service and its default (HTTP) listener
Enable-PSRemoting -Force
# Let the service accept unencrypted (plain HTTP) traffic
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
# Allow Basic (username/password) authentication on the service side
winrm set winrm/config/service/auth '@{Basic="true"}'

Tried changing group policies to allow all hosts and enabling untrusted connections.
Tried connecting from my local machine with PowerShell and basic auth (worked perfectly).
Tried changing basically all settings, both on Jenkins and AWS.
Searched the entire web.
Downgraded the EC2 plugin from 5.1 to 4.2.

I am completely out of ideas on what I could do.

This output below is infinitely looping:

Connecting to ******.eu-west-3.compute.amazonaws.com(52.47.***.**) with WinRM as administrator
Waiting for WinRM to come up. Sleeping 10s.

Solution

  • I just finished a trip down this rabbit hole and managed to get things working. My setup is Jenkins server 2.235.5 and ec2-plugin version 1.55. I build an AMI using packer, configure the user data and enable smb. Within Jenkins, I configure the agent to use HTTPS and the self signed certificate. The agent uses the password generated for the Administrator account. Be sure that the role has the ability to fetch the password.

    Packer builder

    "builders": [
        {
            "type": "amazon-ebs",
            "communicator": "winrm",
            "winrm_username": "Administrator",
            "winrm_use_ssl": true,
            "winrm_insecure": true,
            "user_data_file": "/opt/scripts/EC2UserData.ps1",
     ...
    

    Ec2UserData.ps1

    <powershell>
        write-output "Running User Data Script"
        write-host "(host) Running User Data Script"
    
        Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore
    
        # Don't set this before Set-ExecutionPolicy as it throws an error
        $ErrorActionPreference = "stop"
    
        # Remove HTTP listener
        Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
    
        Enable-PSRemoting -force
        Set-Item WSMan:\localhost\Client\trustedhosts -value * -force
    
        # Create a self-signed certificate to let ssl work
        $Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
        New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
    
        # WinRM
        write-output "Setting up WinRM"
        write-host "(host) setting up WinRM"
    
        cmd.exe /c winrm quickconfig -q
        cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
        cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
        cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
        cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
        cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
        cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
        cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
        cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
        cmd.exe /c netsh firewall add portopening TCP 5986 "Port5986"
        cmd.exe /c net stop winrm
        cmd.exe /c sc config winrm start= auto
        cmd.exe /c net start winrm
    
    </powershell>
    

    Packer provisioners

    "provisioners": [
        {
            "type": "file",
            "source": "/opt/config/jdk_11.0.2/cacerts",
            "destination": "c:\\temp\\cacerts"
        },
        {
            "type": "powershell",
            "scripts": [
                "/opt/scripts/InstallJava.ps1",
                "/opt/scripts/InstallJenkinsSlave.ps1",
                "/opt/scripts/EnableSmb.ps1"
            ]
        },
    

    InstallJava.ps1

    wget 'http://javadl.oracle.com/webapps/download/AutoDL?BundleId=210185' -Outfile 'C:\jreinstaller.exe'
    Start-Process -filepath C:\jreinstaller.exe -passthru -wait -argumentlist "/s","INSTALLDIR=c:\Java\jre1.8.0_91"
    del C:\jreinstaller.exe
    Copy-Item "C:\Java\jre1.8.0_91\lib\security\cacerts" -Destination "C:\Java\jre1.8.0_91\lib\security\cacerts.original"
    Copy-Item "c:\temp\cacerts" -Destination "C:\Java\jre1.8.0_91\lib\security\cacerts" -Force
    $env:JAVA_HOME="c:\Java\jre1.8.0_91"
    setx PATH "$env:path;c:\Java\jre1.8.0_91\bin"
    

    InstallJenkinsSlave.ps1

    # enable UserData to run on next launch
    cd C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts
    ./InitializeInstance.ps1 -Schedule
    
    Set-NetFirewallProfile -Profile Public,Private -Enabled False
    

    EnableSmb.ps1

    echo "Enabling smb1"
    
    #Enable SMB1 protocol to workaround Windows on-demand issues
    Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart
    Set-SmbServerConfiguration -EnableSMB1Protocol $true -Confirm:$true -Force #may work on 2012 but not 2019
    set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters SMB1 -Type DWORD -Value 1 -Force
    #Just in case firewall really didn't get disabled
    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
    
    echo "restarting lanman"
    Restart-Service lanmanserver
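As an added diagnostic that is not part of the question or the answer above: a PowerShell check to run on the Windows instance (via user data, SSM Run Command or an RDP session) that reports the things the Jenkins EC2 plugin's "Waiting for WinRM to come up" loop hides, namely service state, listener transport/port, the certificate behind the HTTPS listener, the host firewall, and the auth settings. The function name Test-WinRmAgentReadiness and the $ExpectedPort parameter are my own; 5986 assumes the agent is configured for HTTPS as in the answer, use 5985 for HTTP.

```powershell
function Test-WinRmAgentReadiness {
    param([int]$ExpectedPort = 5986)   # assumption: 5986 = HTTPS listener, 5985 = HTTP
    $findings = @()

    # 1. WinRM service state: the plugin's WinRM client gets nothing if it is stopped
    $svc = Get-Service -Name WinRM
    $findings += "Service: Status=$($svc.Status) StartType=$($svc.StartType)"
    if ($svc.Status -ne 'Running') { $findings += "FAIL: WinRM service is not running" }

    # 2. Enumerate listeners; transport and port must match what the Jenkins agent is set to use
    $listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $p = Get-ChildItem $_.PSPath
        [pscustomobject]@{
            Transport  = ($p | Where-Object Name -eq 'Transport').Value
            Address    = ($p | Where-Object Name -eq 'Address').Value
            Port       = [int]($p | Where-Object Name -eq 'Port').Value
            Thumbprint = ($p | Where-Object Name -eq 'CertificateThumbprint').Value
        }
    }
    foreach ($l in $listeners) { $findings += "Listener: $($l.Transport) $($l.Address):$($l.Port) cert=$($l.Thumbprint)" }
    if (-not ($listeners | Where-Object Port -eq $ExpectedPort)) {
        $findings += "FAIL: no listener on TCP $ExpectedPort (agent transport/port mismatch?)"
    }

    # 3. An HTTPS listener is useless if its thumbprint no longer resolves to a valid machine cert
    foreach ($l in ($listeners | Where-Object Transport -eq 'HTTPS')) {
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $l.Thumbprint
        if (-not $cert) { $findings += "FAIL: listener cert $($l.Thumbprint) missing from Cert:\LocalMachine\My" }
        elseif ($cert.NotAfter -lt (Get-Date)) { $findings += "FAIL: listener cert expired on $($cert.NotAfter)" }
    }

    # 4. Socket and host firewall; the EC2 security group must also allow the port (not visible from here)
    if (-not (Get-NetTCPConnection -State Listen -LocalPort $ExpectedPort -ErrorAction SilentlyContinue)) {
        $findings += "FAIL: nothing bound on TCP $ExpectedPort"
    }
    $allow = Get-NetFirewallPortFilter | Where-Object LocalPort -eq $ExpectedPort | Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    if (-not $allow) { $findings += "WARN: no enabled inbound allow rule for TCP $ExpectedPort; check the security group too" }

    # 5. Auth settings. Basic is what the answer enables for password login; AllowUnencrypted only
    #    matters for plain HTTP and can stay false once the HTTPS listener is in place.
    $basic = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    $unenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    $findings += "Service auth: Basic=$basic AllowUnencrypted=$unenc"
    if ($basic -ne 'true') { $findings += "WARN: Basic auth is off; username/password login will be refused" }
    if ($unenc -eq 'true' -and $ExpectedPort -eq 5986) { $findings += "WARN: AllowUnencrypted=true is not needed over HTTPS" }
    return $findings
}

Test-WinRmAgentReadiness | ForEach-Object { Write-Output $_ }
```

From the Jenkins controller side, `Test-NetConnection <instance-dns> -Port 5986` (or `curl -k https://<instance-dns>:5986/wsman` on Linux) confirms whether the port is reachable through the security group before blaming the plugin.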