I am trying to apply Azure Pipeline Agent artifact while creating an Azure VM from the pipeline using Azure Dev Test Lab Create VM Task.
I have provided all the valid values in the ARM Template(organization, pat, agent name, etc)
but the specified artifact is failed to apply. here is the exception info
Validating parameters
Preparing agent installation location
Checking for previously configured agent
Downloading agent package
Extracting agent package contents
Getting agent installer path
Installing agent
ERROR: Connecting to remote server localhost failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
The artifact failed to apply.
Anyone has any idea on why I am getting this exception? please help me if you have any information
(401) Unauthorized
This means that your token is not be get and used correctly. Just for test purpose, you can create a PAT with Full access scope to see if this works.
You need to check whether your token is correctly converted to Base64String in the script.
$token = "{PAT}"
$token = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($token)"))
In addition, if you tried the above two points and the problem still exists, you can share your script sample in the question for further investigation.
After configuring WinRM before installing the artifacts, the issue is resolved.
Related
I am executing a powershell script on a target machine using Azure DevOps release pipeline (which uses PSSession) and I have got the following error:
2022-06-17T12:27:22.1621620Z ##[section]Starting: PowerShell Script - Backup Temp DB
2022-06-17T12:27:22.2530275Z ==============================================================================
2022-06-17T12:27:22.2530704Z Task : PowerShell on target machines
2022-06-17T12:27:22.2531137Z Description : Execute PowerShell scripts on remote machines using PSSession and Invoke-Command for remoting
2022-06-17T12:27:22.2531501Z Version : 3.200.0
2022-06-17T12:27:22.2531752Z Author : Microsoft Corporation
2022-06-17T12:27:22.2532172Z Help : https://learn.microsoft.com/azure/devops/pipelines/tasks/deploy/powershell-on-target-machines
2022-06-17T12:27:22.2532638Z ==============================================================================
2022-06-17T12:29:58.1951592Z ##[error]Unable to create pssession. Error: 'Connecting to remote server NewDBServer.XYZ.local failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.'
2022-06-17T12:30:19.4281448Z ##[error]The remote session query failed for NewDBServer.XYZ.local with the following error message: WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet.
2022-06-17T12:30:19.4694522Z ##[error]PSSession could not be created for Machine:'NewDBServer.XYZ.local:5986'
2022-06-17T12:30:19.5266279Z ##[section]Finishing: PowerShell Script - Backup Temp DB
what am I missing here?
Update 1:
I logged into the NewDBServer using the credentials that I mentioned in the DevOps and task. This is what I got:
Don't know how helpful it will be however I sent the protocol to HTTP instead of HTTPS. So port 5985 was used and there were no issues.
I'd like to add an offsite Windows VM to Azure Arc for health monitoring. The VM is hosted by Vultr and runs Windows Server 2016 Standard Build 14393.
However, installing AzureConnectedMachineAgent.msi on the target VM fails with error code 1603. Installation log also contains this error:
Start-Service : Service 'Guest Configuration Extension service
WixQuietExec64: (ExtensionService)' cannot be started due to the following error: Cannot start
WixQuietExec64: service ExtensionService on computer '.'.
WixQuietExec64: At C:\Program Files\AzureConnectedMachineAgent\ExtensionService\GC\Modules\Exte
WixQuietExec64: nsionService\ServiceHelper.psm1:367 char:5
Any suggestions on how to fix this?
You may Check if the user with which you are logged into the VM have
sufficient permissions to start a system service
If you find the following in the
%ProgramData%\AzureConnectedMachineAgent\Log\himds.log or in installation logs :
time="2021-02-11T08:39:38-08:00" level=error msg="Cannot open event source: Azure Hybrid Instance Metadata Service."
You can verify the permissions by collecting the following registry
key from an impacted server.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomS
Mitigation can be to grant the permission to write to the
SECURITY_SERVICE_RID S-1-5-6 which would grant the required
permissions to the himds service account.
https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids.
If the registry key does NOT exist on the impacted VM, then this
resolution will NOT apply as there will be a separate root cause such
as AV interference.
If the root cause is not found here ,then a procmon trace needs to be
taken to analyze the root cause for the msi not being able to start a
service.
( In case a procmon trace has to be analyzed , please open an MS
Support ticket)
To get support for Windows Agent and extensions in Azure, the Windows
Agent on the Windows VM must be later than or equal to version
2.7.41491.911. However the cause for the failure of agent installation is different in this case.
You may also want to check %programdata%\ext_mgr_logs\gc_ext_telemetry.txt log which must have had an entry something like this :
<GCLOG>........ Not starting Extension Service since machine is an Azure VM</GCLOG>
Cause:
This can happen while attempting to install the agent on an Azure VM.This is an unsupported production scenario.One Should not be installing this agent on an Azure VM as it conflicts with the Azure Guest Agent and interferes with Azure VM management.
If one wishes to use an Azure VM simply for testing purposes then
they can follow the below document for guidance
https://learn.microsoft.com/en-us/azure/azure-arc/servers/plan-evaluate-on-azure-virtual-machine
I have created the app service in existing internal app service environment. And then I’m trying to deploy the source code into above app service using Azure DevOps CI & CD pipelines. But, in the release pipeline I’m getting the below error message in Azure DevOps:
Error: Error Code: ERROR_DESTINATION_INVALID
More Information: Could not connect to the remote computer ("xx-xxxx-v1-api-dev.scm.xxx-int-nonp.xxxcloudapps.com"). Make sure that the remote computer name is correct and that you are able to connect to that computer. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_DESTINATION_INVALID.
Error: The remote name could not be resolved: 'xx-xxxx-v1-api-dev.scm.xxx-int-nonp.xxxxcloudapps.com'
Error count: 1.
Note: I’m using self-hosted agent in the release pipeline. I have tried to access Kudu environment for the above service in the private virtual machine. But, the kudu not opening.
So, please suggest me how to fix the above issue.
Kindly set/add the following to the Application setting and see if it helps.
Name: WEBSITE_WEBDEPLOY_USE_SCM
Value: false
If I have understood your issue correctly (using private link).
For accessing the Kudu console, or Kudu REST API (deployment with Azure DevOps self-hosted agents for example), you must create two records in your Azure DNS private zone or your custom DNS server. Kindly check this document for more details. If you haven't added the records, kindly see if that works.
Name Type Value
mywebapp.privatelink.azurewebsites.net A PrivateEndpointIP
mywebapp.scm.privatelink.azurewebsites.net A PrivateEndpointIP
https://learn.microsoft.com/azure/app-service/networking/private-endpoint#dns
Ensure that the release pipeline is running in the right host. Because the endpoint is private for the SCM too, the DevOps Agent must be in a network with access with the endpoint, so mandatory to use self-hosted Devops Agent.
Kindly see this doc for more details:
https://learn.microsoft.com/azure/app-service/networking/private-endpoint#dns
If the issue still persists, kindly capture a network trace/HAR or client-side HTTP log/review the logs.
P.S. Kindly do not share any PII data on the public forum for your privacy.
In Azure pipeline when creating a VM through deployment template, we have the option to 'Configure with WinRM agent' as given below.
This acts as a custom extension behind the scenes. But the downloading of this custom extension can be blocked by an internal vnet in Azure. This is the error we are getting.
<datetime> Adding extension 'WinRMCustomScriptExtension' on virtual machine <vmname>
<datetime> Failed to add the extension to the vm: <vmname>. Error: "VM has reported a failure when processing extension 'WinRMCustomScriptExtension'. Error message: \"Failed to download all specified files. Exiting. Error Message: The underlying connection was closed: An unexpected error occurred on a send.\"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/VMExtensionCSEWindowsTroubleshoot "
Since the files cannot be downloaded, I am thinking of a couple of solutions:
How can I know which powershell files azure is using to setup winrm?
Location to store files would be storage account (same vnet as VM)
Perhaps not use WinRM at all and use custom script extension to resolve
everything (with all files from storage account). I hope error from extension stops the pipeline if it happens.
Is there a better solution to resolve this? To me it looks like a bad design by azure as it is not covering non-public VMs.
EDIT:
Found answer to #1) https://aka.ms/vstsconfigurewinrm. This was shown in Raw logs of the pipeline when diagnostics were enabled
Even if you know - how does it help you? It won't be able to download them anyway and you cant really tell it to use local files
If you enable service endpoins and allow your subnet to talk to the storage account - it should work
there is a way to configure WinRM when you create the VM. Keyvault example
You could use script extension like you wanted to as well, but script extension has to download stuff to the Vm as well. Example
Currently, trying to configure a release pipeline in Azure Devops. I've successfully created a CI pipeline that is working and running tests successfully. My release pipeline uses the artifacts from latest the CI build and should be deploying to azure. When I look at the logs I can see the the following were completed successfully:
Initialize Agent
Initialize job
Download arifact
and then the "Deploy to Azure App Service" fails with the logs showing the following details:
2019-02-07T19:06:57.5433805Z Got service connection details for Azure App Service:'MyApp'
2019-02-07T19:06:57.5487495Z ##[error]Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'MyAPP'. Error: Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request
2019-02-07T19:06:57.5496340Z Failed to add release annotation. TypeError: Cannot read property 'getApplicationSettings' of undefined
I haven't been able to find much to help with this so far. I created the release pipeline by selecting Azure App Service deployment from the templates for stage 1 of the pipline (I only have one stage) and I added an artifact who's source is from my build pipeline. I then selected the Tasks tab and selected my Pay-as-you-go subscription under "Available Azure Service Connections". After selecting my subscription, my app service name became available in the "App service name" dropdown and I selected it. I then hit save and tried to create a release but every release fails with the above error message.
What can I do to overcome this?
Finally found a solution to my issue. The problem was in the way I set up my service connection. I went to:
project settings -> service connections -> new service connection -> selected azure resource manager -> selected service principal authentication INSTEAD OF managed identity authentication -> a popup came up that allowed me to log in and authorize.
Then I used that service connection when creating the release pipeline instead of the pre-existing Pay-As-You-Go subscription that I used last time.
Previously when I tried this, I had an adblocker running and it blocked the popup which allowed me to authorize when I selected service principal authentication. That resulted in an "Unable to authorize account" error message which is why I went with managed identity authentication in the first place.
In my case, it was related to a chrome extension I have added 'enable CORS' plugin. After disabling, release pipeline worked nicely