Detect windows also with ssh transport

[StefanScherer]

I found out that Packer 1.3.5 comes with the Inspec provisioner built-in. This is awesome. I immediately tried it for a Packer build for a Windows VM. And here I struggled a little bit as the detection for Windows only checks if the winrm transport is used.

I run the Packer build on a non-Windows machine (macOS in my case) and so the other detections doesn't see that the target is a Windows machine.

I've opened hashicorp/packer#7364 to raise awareness in the Packer repo, but I also tried to find out what the root cause is.

Here is my take how to improve the detection. I know that now the first SSH command to any Linux machine will be cmd /c ver instead of uname -s.

Maybe somebody else can find a better "Linux first, but don't forget Windows" approach as I don't know the codebase.

With that change I can run Inspec tests in the Windows VM from my MBP. 🎉

$ /usr/local/bin/inspec exec my_win10 --backend ssh --host 127.0.0.1 --key-files /var/folders/gw/_ms1v_611gx58lnkdy9yxr100000gq/T/packer-provisioner-inspec.764520426.key --user stefanscherer --port 54086 --attrs /var/folders/gw/_ms1v_611gx58lnkdy9yxr100000gq/T/packer-provisioner-inspec.220892737.yml 

Profile: InSpec Profile (my_win10)
Version: 0.1.0
Target:  ssh://[email protected]:54086

  ×  Chocolatey: Chocolatey installed
     ×  File C:/ProgramData/Chocolatey/bin/choco.exe should be file
     expected `File C:/ProgramData/Chocolatey/bin/choco.exe.file?` to return true, got false


Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 1 failure, 0 skipped

The command would be the command created by the packer Inspec provisioner to talk to a temporary local SSH agent that forwards all commands to the Packer WinRM communicator. For Inspec it is a SSH connection and the Packer provisioner does the rest.

[e-mow]

Stefan, I tried this and all of the checks came back as failed even though they should have been passing. While Inspec is sending the commands over the SSH tunnel I don't believe that they are formatted correctly. I believe Inspec is treating the commands as the running connection is raw Windows and not a WinRM pipe. The commands that go across the SSH tunnel still have to be formatted for WinRM.

Packer Sending calls over the WinRM Communicator:

2019/03/06 17:52:05 packer: 2019/03/06 17:52:05 Checking that WinRM is connected with: 'powershell.exe -EncodedCommand aQBmACAAKABUAGUAcwB0AC0AUABhAHQAaAAgAHYAYQByAGkAYQBiAGwAZQA6AGcAbABvAGIAYQBsADoAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAKQB7ACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAPQAnAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAJwB9ADsAIABlAGMAaABvACAAIgBXAGkAbgBSAE0AIABjAG8AbgBuAGUAYwB0AGUAZAAuACIA'

EncodedCommand base64 decoded:
if (Test-Path variable:global:ProgressPreference){$ProgressPreference='SilentlyContinue'}; echo "WinRM connected."

Inspec Attempting to get WinRM Service Status over Packer SSH connection.

2019/03/06 17:52:17 packer: 2019/03/06 17:52:17 [INFO] starting remote command: New-Object -Type PSObject | Add-Member -MemberType NoteProperty -Name Service -Value (Get-Service -Name 'wuauserv'| Select-Object -Property Name, DisplayName, Status) -PassThru | Add-Member -MemberType NoteProperty -Name WMI -Value (Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -eq 'wuauserv' -or $_.DisplayName -eq 'wuauserv'} | Select-Object -Property StartMode) -PassThru | ConvertTo-Json

If you use the Ansible provisioner for Packer you will see that Ansible sends over the powershell command with a EncodedCommand option that is base64 encoded.

Ansible using Packer SSH for WinRM Calls:

2019/03/06 17:29:25 packer: 2019/03/06 17:29:25 [INFO] starting remote command: PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAkAHQAbQBwAF8AcABhAHQAaAAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AEUAeABwAGEAbgBkAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABWAGEAcgBpAGEAYgBsAGUAcwAoACcAJQBUAEUATQBQACUAJwApAAoAJAB0AG0AcAAgAD0AIABOAGUAdwAtAEkAdABlAG0AIAAtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQAgAC0AUABhAHQAaAAgACQAdABtAHAAXwBwAGEAdABoACAALQBOAGEAbQBlACAAJwBhAG4AcwBpAGIAbABlAC0AdABtAHAALQAxADUANQAxADgAOQAzADMANgA1AC4AMgAyADIANwAyADAAOQAtADIANgAxADIAOAA1ADMAOAA2ADcAOAAyADYANAAyACcACgBXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgAC0ASQBuAHAAdQB0AE8AYgBqAGUAYwB0ACAAJAB0AG0AcAAuAEYAdQBsAGwATgBhAG0AZQAKAEkAZgAgACgALQBuAG8AdAAgACQAPwApACAAewAgAEkAZgAgACgARwBlAHQALQBWAGEAcgBpAGEAYgBsAGUAIABMAEEAUwBUAEUAWABJAFQAQwBPAEQARQAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQApACAAewAgAGUAeABpAHQAIAAkAEwAQQBTAFQARQBYAEkAVABDAE8ARABFACAAfQAgAEUAbABzAGUAIAB7ACAAZQB4AGkAdAAgADEAIAB9ACAAfQA=

EncodedCommand base64 decoded =
Set-StrictMode -Version Latest
$tmp_path = [System.Environment]::ExpandEnvironmentVariables('%TEMP%')
$tmp = New-Item -Type Directory -Path $tmp_path -Name 'ansible-tmp-1551893365.2227209-261285386782642'
Write-Output -InputObject $tmp.FullName
If (-not $?) { If (Get-Variable LASTEXITCODE -ErrorAction SilentlyContinue) { exit $LASTEXITCODE } Else { exit 1 } }

[StefanScherer]

Thanks @e-mow yes that‘s what I just found out, too. I‘ve only tested „red“ tests and not „green“ ones.
So there‘s probably more refactoring needed.

[StefanScherer]

@e-mow some tests work, others do not seem to get passed through the Packer communicator. This control file

# encoding: utf-8
# copyright: 2018, The Authors

title 'Chocolatey package manager'

# you can also use plain tests
control "Chocolatey" do
  title 'Chocolatey installed'

  describe file('C:\ProgramData\chocolatey\bin\choco.exe') do
    it { should be_file }
  end

  describe command('choco --version') do
    its(:stdout) { should match /0.10.11/ }
    its(:exit_status) { should eq 0 }
  end

end

gives me two passed test and one failing test

Profile: InSpec Profile (my_win10)
Version: 0.1.0
Target:  ssh://[email protected]:58759

  ×  Chocolatey: Chocolatey installed (1 failed)
     ×  File C:\ProgramData\chocolatey\bin\choco.exe should be file
     expected `File C:\ProgramData\chocolatey\bin\choco.exe.file?` to return true, got false
     ✔  Command: `choco --version` stdout should match /0.10.11/
     ✔  Command: `choco --version` exit_status should eq 0


Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 2 successful, 1 failure, 0 skipped

I'll try to understand the codebase a little more, but I'm also not a regular Ruby developer.
But maybe there is also work to do in the Packer Inspec provisioner.

[StefanScherer]

@e-mow After long digging through the code I found a command wrapper and enhanced it for remote Windows connections. Can you try it with the second commit in this PR?

I now can check services and files and commands are now run in a powershell.

  ✔  WinRM: WinRM up and running
     ✔  Service WinRM should be installed
     ✔  Service WinRM should be running
  ✔  Chocolatey: Chocolatey installed
     ✔  File C:\ProgramData\chocolatey\bin\choco.exe should be file
     ✔  Command: `choco --version` stdout should match /0.10.11/
     ✔  Command: `choco --version` exit_status should eq 0

Feedback from maintainers are more than welcome if this approach has a chance to get merged.

[e-mow]

@StefanScherer I tried the changes and they are working for Windows. I ran a Linux test as well to make sure nothing was broken there with these changes and the Linux run ran fine as well.

Thanks for adding this!

[clintoncwolfe]

TravisCI failure is a fluke, restarting...

[clintoncwolfe]

This looks great, and is very clear code!
That said, it would be best if we could get some tests on this. See for example test/unit/transports/ssh_test.rb (we should show that when the detected platform is Windows, SSH transport will still initialize).

I was also alarmed to find we have no integration tests for windows; I opened #419 to cover that, but I don't expect you to do that.

Thanks again!

[StefanScherer]

Thanks @clintoncwolfe
Good to know that I'm on the right way. I'll look into adding tests.

What I found out today is that the Microsoft OpenSSH server behaves a little bit different and instead of just testing cmd /c ver we also need to check ver directly. The OpenSSH directly starts in a cmd session.

[StefanScherer]

@clintoncwolfe I pushed a first unit test for command_wrapper
I also had a look at the ssh_test.rb, but to be honest I don't really know where to start here. I first tried to copy a linux block and changed every "linux" to "windows", but the tests were already green without this PR changes 🤔

I'll test the other Windows scenario with Microsoft OpenSSH that uses cmd.exe session so "cmd /c ver" check didn't work and update the detection code to try "cmd /c ver" and as fallback "ver" as well. I'll try that in a Vagrantfile. I can share that if you like.

[clintoncwolfe]

Hey @StefanScherer, thanks for your work on this - don't worry about an integration test (one talking to a real Windows VM). Please post any thoughts / Vagrantfiles you have for that on #419, we'd love to explore ideas.

I'll look over the unit tests and see if we can move this ahead.

[StefanScherer]

I have added commit 06147ed to add a second check for Windows. This is needed with Microsoft OpenSSH as it defaults to the cmd.exe and for some reason cmd /c ver does not recognize Windows. I used the Vagrantfile I shared in #419 (comment)

But after looking closed with a test with ssh directly I found out this:

$ ssh [email protected] cmd /c ver
[email protected]'s password: 
'ver"' is not recognized as an internal or external command,
operable program or batch file.

Wait, what? Command 'ver"' is not found? Why is there a double quote at the end? So I tried this:

$ ssh [email protected] "cmd /c ver "
[email protected]'s password: 

Microsoft Windows [Version 10.0.17763.379]

What? This works, hm. So it seems that the command is somehow quoted in the OpenSSH server on Windows. Adding a space at the end also fixes this issue.

So changing the os_windows.rb to this also works without the second check:

    def detect_windows
      res = @backend.run_command('cmd /c ver ')
      return false if res.exit_status != 0 or res.stdout.empty?

@clintoncwolfe so should I revert the last commit and just add the space after ver?

[zenspider]

This failure has been fixed on master (version string comparison has now been relaxed to a regexp check). So as far as I'm concerned, the appveyor failures can be ignored. Probably also fixable via a rebase.

[StefanScherer]

Thanks @zenspider for the heads-up. I've rebased. AppVeyor is now green. There seems to be some flaky tests that caused one of the Travis tests go to red. Can anybody re-trigger Travis, please?

[StefanScherer]

Opened a ticket PowerShell/Win32-OpenSSH#1373 why we see a problem with ssh cmd /c ver.

Stale

[zenspider]

Thank you. Minor request.

[StefanScherer]

@clintoncwolfe @zenspider I've changed the PR to use cmd.exe /c ver which works in Packer Inspec environment (SSH to inspec provisioner which proxies to the WinRM session) as well as directly with SSH to Microsoft OpenSSH native port. Thanks again @jborean93
This is my GitHub moment today, collaborating across multiple projects and getting help to find a better solution. 🎉

[clintoncwolfe]

A long road to .exe - thanks for staying with this! Great work @StefanScherer !

[miah]

Thanks @StefanScherer

[zenspider]

Thank you so much for figuring this out!

[StefanScherer]

Thanks, I'm happy to see the release 2.1.0. Now waiting for the next InSpec release 😄
Lessons learned: tiny four characters make a huge difference
I haven't expected that problem for .exe extension, but now when I remember I also had problems with running Node.js npm in a Windows container, where npm.cmd works (Docker only searches for .exe as it seems, but not all extensions from PATHEXT variable).

[akr257]

Hi,
I'm running Packer version 1.3.5 and inspec 4.3.2 and I'm still experiencing this issue when attempting to run the Packer inspec provisioner against a Windows 2016 server. Can someone please advise if this has been fixed? Thanks.

==> amazon-ebs: Executing Inspec: inspec exec inspec-base-test-cases.rb --backend ssh --host 127.0.0.1 --key-files /tmp/packer-provisioner-inspec.717618113.key --user gitlab-runner --port 41867 --attrs /tmp/packer-provisioner-inspec.142919724.yml
    amazon-ebs: /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/train-2.0.12/lib/train/platforms/detect/scanner.rb:41:in `scan': Sorry, we are unable to detect your platform (Train::PlatformDetectionFailed)
    amazon-ebs: 	from /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/train-2.0.12/lib/train/platforms/detect.rb:9:in `scan'
    amazon-ebs: 	from /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/train-2.0.12/lib/train/plugins/base_connection.rb:110:in `platform'
    amazon-ebs: 	from /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/train-2.0.12/lib/train/extras/command_wrapper.rb:128:in `load'
    amazon-ebs: 	from /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/train-2.0.12/lib/train/transports/ssh_connection.rb:53:in `initialize'
    amazon-ebs: 	from /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/train-2.0.12/lib/train/transports/ssh.rb:238:in `new'
    amazon-ebs: 	from /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/train-2.0.12/lib/train/transports/ssh.rb:238:in `create_new_connection'
    amazon-ebs: 	from /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/train-2.0.12/lib/train/transports/ssh.rb:82:in `connection'
    amazon-ebs: 	from /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/inspec-4.3.2/lib/inspec/backend.rb:52:in `create'
    amazon-ebs: 	from /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/inspec-4.3.2/lib/inspec/runner.rb:78:in `configure_transport'
    amazon-ebs: 	from /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/inspec-4.3.2/lib/inspec/runner.rb:70:in `initialize'
    amazon-ebs: 	from /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/inspec-4.3.2/lib/inspec/cli.rb:266:in `new'
    amazon-ebs: 	from /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/inspec-4.3.2/lib/inspec/cli.rb:266:in `exec'
    amazon-ebs: 	from /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'
    amazon-ebs: 	from /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'
    amazon-ebs: 	from /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'
    amazon-ebs: 	from /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'
    amazon-ebs: 	from /opt/inspec/embedded/lib/ruby/gems/2.6.0/gems/inspec-bin-4.3.2/bin/inspec:15:in `<top (required)>'
    amazon-ebs: 	from /usr/bin/inspec:150:in `load'
    amazon-ebs: 	from /usr/bin/inspec:150:in `<main>'

My packer file looks like this:

{
   "builders":[
      {
         "type":"amazon-ebs",
         "access_key":"{{user `aws_access_key`}}",
         "secret_key":"{{user `aws_secret_key`}}",
         "region":"{{user `region`}}",

         "force_deregister": "true",
         "force_delete_snapshot": "true",

         "source_ami":"{{user `source_ami`}}",
         "instance_type":"{{user `instance_type`}}",
         "communicator":"winrm",
         "winrm_username":"{{user `winrm_username`}}",
         "winrm_use_ssl":"{{user `winrm_use_ssl`}}",
         "winrm_insecure":"{{user `winrm_use_insecure`}}",

         "subnet_id":"{{user `subnet_id`}}",
         "security_group_id":"{{ user `security_group_id` }}",
         "user_data_file":"files/install-winrm.ps1",
         "ami_name":"win2016-base-test",
         "launch_block_device_mappings":[
            {
               "device_name":"/dev/sda1",
               "volume_size":"{{user `root_volume_size`}}",
               "volume_type":"{{user `root_volume_type`}}",
               "delete_on_termination":true
            }
         ]
      }
   ],
   "provisioners":[
     {
        "type":"inspec",
        "profile":"inspec-base-test-cases.rb"
     }
   ]
}

[ghost]

Hello,

I am also having the same issue for AWS. Are there any workarounds? Windows 2016 ADO build server creating a Windows 2019 AWS template.

2020-02-11T22:07:29.2922093Z amazon-ebs: C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/train-core-3.2.14/lib/train/platforms/detect/scanner.rb:41:in `scan': Sorry, we are unable to detect your platform (Train::PlatformDetectionFailed) 2020-02-11T22:07:29.2932280Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/train-core-3.2.14/lib/train/platforms/detect.rb:9:in `scan' 2020-02-11T22:07:29.2944376Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/train-core-3.2.14/lib/train/plugins/base_connection.rb:120:in `platform' 2020-02-11T22:07:29.2952002Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/train-core-3.2.14/lib/train/extras/command_wrapper.rb:189:in `load' 2020-02-11T22:07:29.2961140Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/train-core-3.2.14/lib/train/transports/ssh_connection.rb:57:in `initialize' 2020-02-11T22:07:29.2961884Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/train-core-3.2.14/lib/train/transports/ssh.rb:240:in `new' 2020-02-11T22:07:29.2975358Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/train-core-3.2.14/lib/train/transports/ssh.rb:240:in `create_new_connection' 2020-02-11T22:07:29.3011341Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/train-core-3.2.14/lib/train/transports/ssh.rb:82:in `connection' 2020-02-11T22:07:29.3175466Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/inspec-core-4.18.85/lib/inspec/backend.rb:38:in `create' 2020-02-11T22:07:29.3185016Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/inspec-core-4.18.85/lib/inspec/runner.rb:86:in `configure_transport' 2020-02-11T22:07:29.3191486Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/inspec-core-4.18.85/lib/inspec/runner.rb:78:in `initialize' 2020-02-11T22:07:29.3196098Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/inspec-core-4.18.85/lib/inspec/cli.rb:286:in `new' 2020-02-11T22:07:29.3200403Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/inspec-core-4.18.85/lib/inspec/cli.rb:286:in `exec' 2020-02-11T22:07:29.3208428Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run' 2020-02-11T22:07:29.3215933Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command' 2020-02-11T22:07:29.3219981Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch' 2020-02-11T22:07:29.3223878Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start' 2020-02-11T22:07:29.3224444Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/inspec-core-4.18.85/lib/inspec/base_cli.rb:35:in `start' 2020-02-11T22:07:29.3232126Z amazon-ebs: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/inspec-bin-4.18.85/bin/inspec:11:in `' 2020-02-11T22:07:29.3232948Z amazon-ebs: from C:/opscode/inspec/bin/inspec:205:in `load' 2020-02-11T22:07:29.3244925Z amazon-ebs: from C:/opscode/inspec/bin/inspec:205:in `' 2020-02-11T22:07:29.3278660Z 2020/02/11 22:07:29 packer.exe plugin: shutting down the SSH proxy 2020-02-11T22:07:29.3283343Z 2020/02/11 22:07:29 [INFO] (telemetry) ending inspec