
I am currently setting up my Jenkins server to create EC2 instances when a build is initialized. It perfectly creates and destroys the instance, but it won't connect with WinRM. I have tried everything online at this point; I have been at it for a total of 16 hours at least.

Some things I've tried:

PowerShell commands:

# Enable the WinRM service and its default listener
Enable-PSRemoting -Force
# Allow traffic without message-level encryption
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
# Allow Basic authentication on the service side
winrm set winrm/config/service/auth '@{Basic="true"}'

Tried changing group policies to allow all hosts and enabling untrusted connections. Tried connecting from my local machine with PowerShell and basic auth (worked perfectly). Tried changing basically all settings both on Jenkins and AWS. Searched the entire web. Downgraded the EC2 plugin from 5.1 to 4.2.

I am completely out of ideas on what I could do.

This output below is infinitely looping:

Connecting to ******.eu-west-3.compute.amazonaws.com(52.47.***.**) with WinRM as 
administrator
Waiting for WinRM to come up. Sleeping 10s.
Michael Guimaraes

1 Answer


I just finished a trip down this rabbit hole and managed to get things working. My setup is Jenkins server 2.235.5 and ec2-plugin version 1.55. I build an AMI using Packer, configure the user data and enable SMB. Within Jenkins, I configure the agent to use HTTPS and the self-signed certificate. The agent uses the password generated for the Administrator account. Be sure that the role has the ability to fetch the password.

Packer builder

"builders": [
    {
        "type": "amazon-ebs",
        "communicator": "winrm",
        "winrm_username": "Administrator",
        "winrm_use_ssl": true,
        "winrm_insecure": true,
        "user_data_file": "/opt/scripts/EC2UserData.ps1",
 ...

Ec2UserData.ps1

<powershell>
    write-output "Running User Data Script"
    write-host "(host) Running User Data Script"

    Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore

    # Don't set this before Set-ExecutionPolicy as it throws an error
    $ErrorActionPreference = "stop"

    # Remove HTTP listener
    Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

    Enable-PSRemoting -force
    Set-Item WSMan:\localhost\Client\trustedhosts -value * -force

    # Create a self-signed certificate to let ssl work
    $Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
    New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force

    # WinRM
    write-output "Setting up WinRM"
    write-host "(host) setting up WinRM"

    cmd.exe /c winrm quickconfig -q
    cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
    cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
    cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
    cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
    cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
    cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
    cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
    cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
    cmd.exe /c netsh firewall add portopening TCP 5986 "Port5986"
    cmd.exe /c net stop winrm
    cmd.exe /c sc config winrm start= auto
    cmd.exe /c net start winrm

</powershell>

Packer provisioners

"provisioners": [
    {
        "type": "file",
        "source": "/opt/config/jdk_11.0.2/cacerts",
        "destination": "c:\\temp\\cacerts"
    },
    {
        "type": "powershell",
        "scripts": [
            "/opt/scripts/InstallJava.ps1",
            "/opt/scripts/InstallJenkinsSlave.ps1",
            "/opt/scripts/EnableSmb.ps1"
        ]
    },

InstallJava.ps1

# Download the JRE installer (wget is an alias for Invoke-WebRequest on Windows PowerShell)
wget 'http://javadl.oracle.com/webapps/download/AutoDL?BundleId=210185' -Outfile 'C:\jreinstaller.exe'
# Silent install into a fixed directory
Start-Process -filepath C:\jreinstaller.exe -passthru -wait -argumentlist "/s","INSTALLDIR=c:\Java\jre1.8.0_91"
del C:\jreinstaller.exe
# Keep the stock trust store, then replace it with the one uploaded by the Packer file provisioner
Copy-Item "C:\Java\jre1.8.0_91\lib\security\cacerts" -Destination "C:\Java\jre1.8.0_91\lib\security\cacerts.original"
Copy-Item "c:\temp\cacerts" -Destination "C:\Java\jre1.8.0_91\lib\security\cacerts" -Force
# Make Java visible to the Jenkins agent process
$env:JAVA_HOME="c:\Java\jre1.8.0_91"
setx PATH "$env:path;c:\Java\jre1.8.0_91\bin"

InstallJenkinsSlave.ps1

# enable UserData to run on next launch
cd C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts
./InitializeInstance.ps1 -Schedule

Set-NetFirewallProfile -Profile Public,Private -Enabled False

EnableSmb.ps1

echo "Enabling smb1"

#Enable SMB1 protocol to workaround Windows on-demand issues
Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart
Set-SmbServerConfiguration -EnableSMB1Protocol $true -Confirm:$true -Force #may work on 2012 but not 2019
set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters SMB1 -Type DWORD -Value 1 -Force
#Just in case firewall really didn't get disabled
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

echo "restarting lanman"
Restart-Service lanmanserver
bruce szalwinski
  • Small adjustment to the `Ec2UserData.ps1` script for the newer Windows versions like Windows Server 2022: Old line: `cmd.exe /c netsh firewall add portopening TCP 5986 "Port5986"` Replacement: `cmd.exe /c netsh advfirewall firewall Add rule name="Open port 5986" dir=in action=allow protocol=TCP localport=5986` – Jakob Ojvind Nielsen Aug 31 '23 at 14:06
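The answer's user-data script gets WinRM working by opening things wide: it enables `AllowUnencrypted` on both client and service, sets `TrustedHosts` to `*`, disables the firewall profiles entirely and turns SMB1 on. The following is an added example, not code from the question, the answer or the ec2-plugin project: the same HTTPS-only listener setup, but keeping transport encryption mandatory, scoping the 5986 firewall rule to the Jenkins controller, and ending with a check that reports the resulting state. It also includes a controller-side probe for the "Waiting for WinRM to come up" loop from the question. `$JenkinsControllerCidr`, the rule display name, the `Test-WinRmHardening` and `Test-WinRmFromController` function names and the sample address `203.0.113.10` are all assumptions or placeholders; the script is meant to sit inside the same `<powershell>` user-data tag the answer uses.

```powershell
# Added example (not from the question or answer): hardened WinRM-over-HTTPS
# bootstrap for a Jenkins EC2 Windows agent, plus verification helpers.
# Assumptions: $JenkinsControllerCidr is a placeholder for the controller's
# real source address; the instance's own hostname is used as the cert DnsName;
# Jenkins fetches the Administrator password as the answer describes.
param(
    [string]$JenkinsControllerCidr = "203.0.113.10/32"   # placeholder, replace
)

$ErrorActionPreference = "Stop"
$RuleName = "WinRM HTTPS from Jenkins"

# 1. Enable remoting, then drop any plain-HTTP listener so only HTTPS is offered.
Enable-PSRemoting -Force -SkipNetworkProfileCheck
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains "Transport=HTTP" } |
    ForEach-Object { Remove-Item -Path $_.PSPath -Recurse -Force }

# 2. Self-signed certificate bound to this instance's hostname (Jenkins is
#    configured to accept the self-signed cert, as in the answer).
$dnsName = [System.Net.Dns]::GetHostName()
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $dnsName

# 3. HTTPS listener on 5986 only.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# 4. Basic auth stays on (the plugin uses it) but unencrypted transport stays
#    off: the Basic credential is only ever sent inside the TLS tunnel.
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

# 5. Firewall: one inbound rule for 5986 from the controller, instead of
#    disabling the Domain/Public/Private profiles.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort 5986 -RemoteAddress $JenkinsControllerCidr -Action Allow | Out-Null

Set-Service -Name WinRM -StartupType Automatic
Restart-Service -Name WinRM

function Test-WinRmHardening {
    # Run on the instance: summarises the listener, auth and firewall state.
    $listeners = Get-ChildItem WSMan:\localhost\Listener
    [pscustomobject]@{
        HttpsListener    = [bool]($listeners | Where-Object { $_.Keys -contains "Transport=HTTPS" })
        HttpListener     = [bool]($listeners | Where-Object { $_.Keys -contains "Transport=HTTP" })
        AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        BasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
        Port5986Rule     = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
    }
}

function Test-WinRmFromController {
    # Run from the Jenkins controller (hypothetical helper): first checks that
    # TCP 5986 is reachable at all, then attempts the same kind of session the
    # plugin opens (HTTPS, Basic, self-signed cert accepted).
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $tcp = Test-NetConnection -ComputerName $ComputerName -Port 5986 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return "TCP 5986 unreachable: check the security group and the firewall rule scope"
    }
    $opt = New-PSSessionOption -SkipCACheck -SkipCNCheck
    Invoke-Command -ComputerName $ComputerName -Port 5986 -UseSSL -Authentication Basic `
        -Credential $Credential -SessionOption $opt -ScriptBlock { hostname }
}

Test-WinRmHardening
```

Expected after boot: `HttpsListener` true, `HttpListener` false, `AllowUnencrypted` "false", `BasicAuth` "true", `Port5986Rule` true. If the instance reports that state but the plugin still loops on "Waiting for WinRM to come up", `Test-WinRmFromController` separates the two remaining causes: a failed TCP test points at the security group or rule scope, while a TCP success followed by an authentication error points at the password retrieval (the answer's note about the role being allowed to fetch the Administrator password).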