Teardown always needs agent?

Hello, I have a workflow with 2 PowerShell tasks: one in the provision phase, and the other in the teardown phase.
When a VM is created using this catalog, on a VMware cloud using “vmwaretools” as the RPC method, with the agent not installed and the VM on an isolated network, the provisioning task works fine (via vmwareTools), but the task in the teardown phase always fails with this stack trace:

2024-02-08_16:23:57.11847 ''[2024-02-08 16:23:57,445] [RxCachedThreadScheduler-1146] INFO o.a.c.t.h.HTTPConduit - Authorization loop detected on Conduit "{http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmPort.http-conduit" on URL "http://172.28.32.27:5985/wsman" with realm "null"
2024-02-08_16:23:57.44577 ''[2024-02-08 16:23:57,447] [RxCachedThreadScheduler-1146] WARN o.a.c.p.PhaseInterceptorChain - Interceptor for {http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmService#{http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}Create has thrown exception, unwinding now
2024-02-08_16:23:57.44767 'org.apache.cxf.interceptor.Fault: Could not send Message.
[...]
2024-02-08_16:24:18.36436 '[2024-02-08 16:24:18,363] [RxCachedThreadScheduler-1146] ERROR c.m.RpcService - winrm4j also had an error attempting to connect: java.lang.IllegalStateException: Invalid credentials or incompatible authentication schemes
2024-02-08_16:24:18.36459 'java.lang.IllegalStateException: Invalid credentials or incompatible authentication schemes
[...]
2024-02-08_16:24:18.37417 Caused by: java.io.IOException: Authorization loop detected on Conduit "{http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmPort.http-conduit" on URL "http://172.28.32.27:5985/wsman" with realm "null"
[...]
2024-02-08_16:24:18.37640 '[2024-02-08 16:24:18,368] [RxCachedThreadScheduler-1146] ERROR c.m.RpcService - winrmrb Error Detected: null
2024-02-08_16:24:18.37652 'org.jruby.exceptions.StandardError: (WinRMAuthorizationError) WinRM::WinRMAuthorizationError

This is not a big problem, but there is something I don’t understand about it.

As far as I understand, Morpheus tries to connect with the administrator password it created when creating the VM, and as we have a GPO that disables the administrator password as soon as the VM is joined to our AD, Morpheus can’t connect to this VM anymore at the teardown phase.

Is there a way to mention new credentials to connect to the VM once it has been joined to the domain?

regards,

Matthieu

Under the server you can edit the username and password that it should use to connect.

You could also automate this by using a task and calling this API endpoint. https://apidocs.morpheusdata.com/reference/updatehost


Thank you for the tip. Maybe I can add a post-provision task that can fill this in, in order to manage the VM once it has been joined to the domain?
Isn’t it possible for Morpheus to use the credentials in the user settings to do these things?

regards,

Matthieu

Yeah, I think a task would make the most sense. You could have a service account and store the creds in a cypher.

The credentials under the user are so you have the option to automatically create a local user on deployment. I’m not aware of a way to pull that password.
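
The automation suggested in the replies above (a task that calls the updatehost endpoint with service-account credentials kept in Cypher), as an added example that is not part of the thread and not Morpheus's own code. The account name, the Cypher key, the request body field names (sshUsername/sshPassword) and the template variables shown in the closing comment are assumptions to check against the linked API reference.

```powershell
# Added example, not from the thread. Assumed names: CORP\svc-morpheus,
# secret/svc-morpheus, and the sshUsername/sshPassword body fields.
function Set-MorpheusHostCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ApplianceUrl,
        [Parameter(Mandatory)] [string] $ApiToken,
        [Parameter(Mandatory)] [int]    $ServerId,
        [Parameter(Mandatory)] [string] $Username,
        [Parameter(Mandatory)] [string] $Password
    )

    # Refuse plain HTTP: the request body carries a domain credential.
    if ($ApplianceUrl -notmatch '^https://') {
        throw 'Appliance URL must use https'
    }

    $uri  = '{0}/api/servers/{1}' -f $ApplianceUrl.TrimEnd('/'), $ServerId
    $body = @{ server = @{ sshUsername = $Username; sshPassword = $Password } } |
        ConvertTo-Json -Depth 3

    try {
        # Invoke-RestMethod throws on any non-2xx response.
        $null = Invoke-RestMethod -Method Put -Uri $uri -Body $body `
            -ContentType 'application/json' `
            -Headers @{ Authorization = "Bearer $ApiToken" }
    }
    catch {
        # Surface the error only; never echo the body or token into task output.
        throw "Host update failed for server ${ServerId}: $($_.Exception.Message)"
    }

    # Task output is stored in the job history, so log the user name only.
    "Updated RPC credentials for server $ServerId (user: $Username)"
}

# In a post-provision task the values would come from Morpheus template
# variables (assumed syntax), so the password never sits in the task source:
#   Set-MorpheusHostCredential -ApplianceUrl '<%=morpheus.applianceUrl%>' `
#       -ApiToken '<%=morpheus.apiAccessToken%>' -ServerId <%=server.id%> `
#       -Username 'CORP\svc-morpheus' `
#       -Password '<%=cypher.read("secret/svc-morpheus")%>'
```

A service account used this way needs only the rights the teardown task itself requires on the target VMs, which limits what a leaked Cypher entry exposes.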

I don’t know if cybersec would allow me to create a service account that can connect to all servers to install things or run PowerShell commands :smiley:

Thank you for your advice anyway :wink:

Matthieu