(Packer Azure) Error 401 - invalid content type throwing after PS domain join script was executed

[ngeegoh]

Packer failed to continue running the template with http response error: 401 - invalid content type after the PowerShell domain join command was executed.

As I need to add the temporary VM which is generated by Packer during the build into the domain, I have added a Domain join PowerShell script into the template which looks like this (I have tested this script several times in a fresh VM and it got no errors with it - it will add the VM to the domain):

$domain = "xxxxx" $password = "xxxxx" | ConvertTo-SecureString -asPlainText -Force
$username = "$domain\aaa.bbb"
$credential = New-Object System.Management.Automation.PSCredential($username,$password)
Add-Computer -DomainName $domain -Credential $credential

This is the Azure Packer template that I ran:
https://gist.github.com/ngeegoh/369b3dac2d8e4f5661a5e7d2754c7bd3
(The reason why I put 2 window-restart before running PS domain join script was just to make sure the windows-restart is working in Packer.)

Additionally, if I replace the "Domain join" with other normal PS scripts, they just work normally and Packer will generate the build artifact at the end. Not sure what happened with the Packer after the Domain join script was executed, nothing after could run and kept throwing error 401: Invalid content. I tried to debug it but still did not see anything and did not have enough information as well.

I have talked to several Packer contributors and even posted it in the mailing list but no one could really resolve this issue which I am not sure if it is the Packer bug or not as if it is good, Packer is supposed to run the Domain join script and then continue running the template without throwing errors right. Hope you guys could help or maybe just try to run the above template and PS script to see if you got the same error as mine! Thanks

I have attached the log for the packer build of the above template below.

Info:
Azure packer
Packer version from 1.2.3
Host platform: Windows10
Debug log output from PACKER_LOG=1 packer build template.json.
https://gist.github.com/ngeegoh/4fc8ceecd68335d872aead39c859db20

[ngeegoh]

Hi @SwampDragons, just wondering if there is any update for this bug in Packer? Thanks.

[SwampDragons]

No, sorry. I haven't had a chance to inspect.

[dee3sync]

I also have this issue on Packer 1.4.0 with AzureRM.

I am executing a domain join via Chef which works fine on my test kitchen but fails on Packer (when running the same recipe). The domain join executes, I run a packer restart and it looks like it uploads the next provisioner initially (see below where it has 74 bytes written) then I get the same 401 - invalid content type 0 bytes written message (a bunch of times repeated, only posting one example in the output below) that @ngeegoh has in the gist.

Packer's verbose logs post reboot:

2019/05/04 14:38:19 packer.exe: 2019/05/04 14:38:19 Uploading env vars to c:/Windows/Temp/packer-ps-env-vars-5ccdd5d8-692e-a1b6-1767-58c1c1f1ac4c.ps1
2019/05/04 14:38:19 packer.exe: 2019/05/04 14:38:19 [INFO] 74 bytes written for 'uploadData'
2019/05/04 14:38:19 packer.exe: 2019/05/04 14:38:19 Uploading file to 'c:/Windows/Temp/packer-ps-env-vars-5ccdd5d8-692e-a1b6-1767-58c1c1f1ac4c.ps1'
2019/05/04 14:38:19 [INFO] 74 bytes written for 'uploadData'
2019/05/04 14:38:20 packer.exe: 2019/05/04 14:38:20 Retryable error: Error uploading ps script containing env vars: Error uploading file to $env:TEMP\winrmcp-0b9ef5eb-bdb1-4bab-55f6-29ff0e31b560.tmp: Couldn't create shell: http response error: 401 - invalid content type
2019/05/04 14:38:22 packer.exe: 2019/05/04 14:38:22 [INFO] 0 bytes written for 'uploadData'
2019/05/04 14:38:22 [INFO] 0 bytes written for 'uploadData'

[SwampDragons]

Looking at the README for our golang winrm library, domain users aren't supported, which may explain why we fail to connect immediately after performing a domain join.

One possible workaround would be to perform the domain join as the very last step in the last provisioner in your Packer build; that would prevent Packer from needing to reconnect post-join.

[ngeegoh]

Hi @SwampDragons,
Since I have got some scripts that need to be cloned from our own git directory (which requires a domain join for authentication) in order to execute. Additionally, I want to provision with Chef Solo, but I got the same issue here, our Chef solo codebase is in our own git directory again and needs to be cloned in order to get the all the cookbooks. And some of the Chef recipes perform some tasks like adding service account with passwords and ADgroup (which I am not too sure why it would work if the machine hasn't been domain joined).
Have you got any suggestions on how to overcome this?? I reason why I want to use Packer because I want it to run Chef solo configuration before I use Terraform to deploy the resources (want to incorporate both to an Azure DevOps configuration/ deployment pipeline. Terraform at the moment does not really well support ChefSolo (or have to execute remote-exe and run ChefSolo as part of provisioner - but i don't think this is a good approach since incorporate Chef solo configuration in Terraform provisioner would make it hard to manage and monitor)

Any suggestions and recommendations are highly appreciated? Thanks :)

[SwampDragons]

Sorry... I'm not a Windows expert, so I'm not a great person to ask.

These kinds of "does anyone have any bright ideas?" questions are generally much better answered by our mailing list, since a lot more people will see them there.

The only thing I can think of is pretty hacky -- you could try cloning the git repo to the machine running Packer and use the file provisioner to upload the repo to your windows VM.

[ghost]

This issue has been automatically migrated to hashicorp/packer-plugin-azure#22 because it looks like an issue with that plugin. If you believe this is not an issue with the plugin, please reply to hashicorp/packer-plugin-azure#22.