Hi
I’ve got an intermittent issue when using packer to create a Windows image on GCP. Its intermittent, it can work 10 times and then stop working with the following error:-
build.googlecompute.build: Checking image does not exist...
build.googlecompute.build: Creating temporary RSA SSH key for instance...
build.googlecompute.build: Using image: windows-server-2019-dc-v20221014
build.googlecompute.build: Creating instance...
build.googlecompute.build: Loading zone: europe-west1-c
build.googlecompute.build: Loading machine type: e2-highcpu-2
build.googlecompute.build: Requesting instance creation...
build.googlecompute.build: Waiting for creation operation to complete...
build.googlecompute.build: Instance has been created!
build.googlecompute.build: Waiting 2m30s before adding SSH keys...
build.googlecompute.build: Creating windows user for instance...
build.googlecompute.build: Waiting for windows password to complete...
build.googlecompute.build: Error creating windows password: googleapi: Error 412: Supplied fingerprint does not match current metadata fingerprint., conditionNotMet
build.googlecompute.build: Deleting instance...
build.googlecompute.build: Instance has been deleted!
build.googlecompute.build: Deleting disk...
build.googlecompute.build: Disk has been deleted!
Build 'build.googlecompute.build' errored after 5 minutes 6 seconds: Error creating windows password: googleapi: Error 412: Supplied fingerprint does not match current metadata fingerprint., conditionNotMet
Wait completed after 5 minutes 6 seconds
Some builds didn't complete successfully and had errors:
build.googlecompute.build: Error creating windows password: googleapi: Error 412: Supplied fingerprint does not match current metadata fingerprint., conditionNotMet
There is a firewall rule to open the ports 5985 and 5986 which is applied when the network has the pipeline-build tag. I just cant work out why it works and then it doesn’t?
A slimmed down version of the HCL file is:-
source "googlecompute" "build" {
project_id = var.project_id
region = "europe-west1"
zone = "europe-west1-c"
communicator = "winrm"
disk_size = "50"
disk_type = "pd-standard"
image_description = "My-Windows-2019-Image"
image_family = "windows-2019"
image_labels = local.labels
image_name = "win-2019-{{timestamp}}"
image_storage_locations = ["eu"]
impersonate_service_account = var.deployment_sa
instance_name = "${var.image_family}-${var.build_number}-build"
labels = local.labels
machine_type = e2-highcpu-2
metadata = {windows-startup-script-cmd = local.windows_startup_script_cmd}
network_project_id = var.project_id
scopes = ["https://www.googleapis.com/auth/cloud-platform"]
service_account_email = var.instance_sa_email
source_image = windows-server-2019-dc-v20221014
source_image_project_id = windows-cloud
startup_script_file = "packer_userdata.ps1"
state_timeout = "15m"
subnetwork = image-building-subnetwork
tags = ["pipeline-build"]
wait_to_add_ssh_keys = "150s"
winrm_insecure = true
winrm_use_ssl = true
winrm_username = packer_user
}
build {
name = "build"
sources = ["source.googlecompute.build"]
provisioner "powershell" {
inline = ["GCESysprep -NoShutdown"]
skip_clean = true
}
}
The line in the local.hcl file for windows_startup_script_cmd is:-
windows_startup_script_cmd = "winrm quickconfig -quiet & net user /add packer_user & net localgroup administrators packer_user /add & winrm set winrm/config/service/auth @{Basic=\"true\"}"
and the packer_userdata.ps1 is below. Not sure this is actually needed?
<powershell>
# Set administrator password
wmic useraccount where "name='packer_user'" set PasswordExpires=FALSE
# First, make sure WinRM can't be connected to
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=block
# Delete any existing WinRM listeners
winrm delete winrm/config/listener?Address=*+Transport=HTTP 2>$Null
winrm delete winrm/config/listener?Address=*+Transport=HTTPS 2>$Null
# Disable group policies which block basic authentication and unencrypted login
Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client -Name AllowBasic -Value 1
Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client -Name AllowUnencryptedTraffic -Value 1
Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service -Name AllowBasic -Value 1
Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service -Name AllowUnencryptedTraffic -Value 1
# Create a new WinRM listener and configure
winrm create winrm/config/listener?Address=*+Transport=HTTP
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="0"}'
winrm set winrm/config '@{MaxTimeoutms="7200000"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service '@{MaxConcurrentOperationsPerUser="12000"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'
# Configure UAC to allow privilege elevation in remote shells
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Setting = 'LocalAccountTokenFilterPolicy'
Set-ItemProperty -Path $Key -Name $Setting -Value 1 -Force
# Configure and restart the WinRM Service; Enable the required firewall exception
Stop-Service -Name WinRM
Set-Service -Name WinRM -StartupType Automatic
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new action=allow localip=any remoteip=any
Start-Service -Name WinRM
#Configure RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
</powershell>
When it does connect the log shows as:-
build.googlecompute.build: Checking image does not exist...
build.googlecompute.build: Creating temporary RSA SSH key for instance...
build.googlecompute.build: Using image: windows-server-2019-dc-v20221014
build.googlecompute.build: Creating instance...
build.googlecompute.build: Loading zone: europe-west1-c
build.googlecompute.build: Loading machine type: e2-highcpu-2
build.googlecompute.build: Requesting instance creation...
build.googlecompute.build: Waiting for creation operation to complete...
build.googlecompute.build: Instance has been created!
build.googlecompute.build: Waiting 2m30s before adding SSH keys...
build.googlecompute.build: Creating windows user for instance...
build.googlecompute.build: Waiting for windows password to complete...
build.googlecompute.build: Created password.
build.googlecompute.build: Waiting for the instance to become running...
build.googlecompute.build: IP: 34.79.156.46
build.googlecompute.build: Using WinRM communicator to connect: 34.79.156.46
build.googlecompute.build: Waiting for WinRM to become available...
build.googlecompute.build: WinRM connected.
build.googlecompute.build: Connected to WinRM!
build.googlecompute.build: Provisioning with Powershell...