Packer: vSphere post-processor "\" escaping issue

Created on 30 Oct 2018 · 27Comments · Source: hashicorp/packer

vSphere username follows the following convention: domain\username. When creating a VM and exporting it as an OVA using the ovftool through packer, the following error is received:

Error exporting virtual machine: exit status 1
...
Could not lookup host: domain

After looking at the vSphere post-processor code I think this may be due to the QueryEscape function (in func escapeWithSpaces(stringToEscape string){...})taking the username in as a string surrounded in double quotes rather than a string surrounded in back ticks (correct me if I'm wrong). After playing around with golang myself and the QueryEscape function, I have realised that with double quotes it is unable to escape the backslash, but with the backticks it escapes it just fine.

Can this be altered to make it work?

Packer version = 1.2.3
Host platform = Windows 10

Relevant section of debug output:
(IN PARTICULAR LINE 9 AND 14)


1. 2018/10/31 15:03:13 packer.exe: 2018/10/31 15:03:13 Writing VMX to: C:\Users\sarah\AppData\Local\Temp\packer-vmx924776817\packer-vmware-iso.vmx
2. 2018/10/31 15:03:13 packer.exe: 2018/10/31 15:03:13 [DEBUG] Opening new ssh session
3. 2018/10/31 15:03:13 packer.exe: 2018/10/31 15:03:13 [DEBUG] Starting remote scp process:  scp -vt /vmfs/volumes/DATASTORE/packer-vmware-iso
4. 2018/10/31 15:03:13 packer.exe: 2018/10/31 15:03:13 [DEBUG] Started SCP session, beginning transfers...
5. 2018/10/31 15:03:13 packer.exe: 2018/10/31 15:03:13 [DEBUG] Copying input data into temporary file so we can read the length
6. 2018/10/31 15:03:13 packer.exe: 2018/10/31 15:03:13 [DEBUG] scp: Uploading packer-vmware-iso.vmx: perms=C0644 size=2903
7. 2018/10/31 15:03:13 packer.exe: 2018/10/31 15:03:13 [DEBUG] SCP session complete, closing stdin pipe.
8. 2018/10/31 15:03:13 packer.exe: 2018/10/31 15:03:13 [DEBUG] Waiting for SSH session to complete.
9. 2018/10/31 15:03:13 packer.exe: 2018/10/31 15:03:13 [DEBUG] scp stderr (length 158): Could not chdir to home directory /home/local/DOMAIN/user: No such file or directory
10. 2018/10/31 15:03:13 packer.exe: Sink: C0644 2903 packer-vmware-iso.vmx
11. 2018/10/31 15:03:13 packer.exe: 2018/10/31 15:03:13 [DEBUG] Opening new ssh session
12. 2018/10/31 15:03:13 packer.exe: 2018/10/31 15:03:13 [DEBUG] starting remote command: vim-cmd vmsvc/reload 156
13. 2018/10/31 15:03:13 ui: ==> vmware-iso: Exporting virtual machine...
14. 2018/10/31 15:03:13 ui:     vmware-iso: Executing: ovftool.exe --shaAlgorithm=sha1 --machineOutput --noSSLVerify=true --skipManifestCheck -tt=ova vi://domain\user:****@X.X.X.X/packer-vmware-iso output-vmware-iso
15. 2018/10/31 15:03:15 ui error: ==> vmware-iso: Error exporting virtual machine: exit status 1
16. ==> vmware-iso: ERROR
17. ==> vmware-iso: + <Errors>
18. ==> vmware-iso: + <Error>
19. ==> vmware-iso: + <Type>ovftool.net.lookup</Type>
20. ==> vmware-iso: + <LocalizedMsg>
21. ==> vmware-iso: + Could not lookup host: domain
22. ==> vmware-iso: + </LocalizedMsg>
23. ==> vmware-iso: + <Arg>
24. ==> vmware-iso: + domain
25. ==> vmware-iso: + </Arg>
26. ==> vmware-iso: + </Error>
27. ==> vmware-iso: + </Errors>
28. ==> vmware-iso: 
29. ==> vmware-iso: RESULT
30. ==> vmware-iso: + ERROR

Line 9 shows that packer is taking DOMAIN and user as two separate directories when this should not be the case. DOMAIN/user should be a single directory.

Line 14 shows the ovftool execution. If you look at vi://domain\user:****@X.X.X.X/packer-vmware-iso output-vmware-iso you can see that it has not escaped the backslash in the username as %5C as it should.

Template to reproduce error:

{
  "builders": [
    {
      "type": "vmware-iso",
      "iso_url": "http://some/sort/of/path.ISO",
      "iso_checksum": "xxxxxxxx",
      "iso_checksum_type": "md5",
      "boot_wait": "60s",
      "http_directory": "http",
      "remote_type": "esx5",
      "remote_host": "X.X.X.X",
      "remote_username": "DOMAIN/username",
      "remote_password": "Password-123%",
      "remote_datastore": "DATASTORE",
      "shutdown_command": "shutdown /s /t 10 /d p:2:4 /c \"Packer Builder\"",
      "guest_os_type": "windows8srv-64",
      "disk_size": 102400,
      "disk_type_id": "thin",
      "format": "ova",
      "ovftool_options": [
        "--shaAlgorithm=sha1",
        "--machineOutput"
      ],
      "vmx_data": {
        "scsi0.virtualDev": "lsisas1068",
        "ethernet0.networkName": "VM Network",
        "memSize": "16384",
        "numvcpus": "4"
      }
    }
  ],
  "provisioners": [
    {
      "type": "windows-restart",
      "only": [
        "vmware-iso"
      ]
    }
    }
  ]
}

bug post-processovsphere

Source

sazazi

All 27 comments

Please supply the information requested in the issue template:

Packer version (packer version)
Host platform (uname -a etc.)
Debug log output from PACKER_LOG=1 packer build template.json.
Please paste this in a gist.
The _simplest example template and scripts_ needed to reproduce the bug.
Include these in your gist.

rickard-von-essen on 31 Oct 2018

👍1

I don't think your analysis is completely accurate. The username is url escaped where \ is changed to %5C. Rather it looks like there is some problem with the whole ovftool_uri, see postt-processor.go#L135.

rickard-von-essen on 31 Oct 2018

I have updated the initial comment. When I change it to credentials of a local user (so the username doesn't have a backslash) it works, and exports the VM as an OVA successfully. It only fails when the username has a backslash in it (i.e. domain user).

sazazi on 31 Oct 2018

Update:

1) I tried it with the latest packer version and it failed the exact same way.

2) I tried executing the ovftool using the exact same command that's shown in the output (refer to line 14) and it failed. Then I tried escaping it myself and it worked. It's definitely an escaping issue in packer.
_See output below:_

Backslash in username not escaped:

Command:

ovftool.exe --shaAlgorithm=sha1 --noSSLVerify=true --skipManifestCheck -tt=ova vi://domain\user:Password%2D123%[email protected]/WindowsTest C:\Users\sarah\Documents\WindowsTest.ova

Output:

Error: Could not lookup host: domain
Completed with errors

Backslash in username escaped:

Command:

ovftool.exe --shaAlgorithm=sha1 --noSSLVerify=true --skipManifestCheck -tt=ova vi://domain%5Cuser:Password%2D123%[email protected]/WindowsTest C:\Users\sarah\Documents\WindowsTest.ova

Output:

Opening VI source: vi://domain%[email protected]:443/WindowsTest
Opening VI source: vi://domain%[email protected]:443/WindowsTest
Opening OVA target: C:\Users\sarah\WindowsTest.ova
Writing OVA package: C:\Users\sarah\WindowsTest.ova
Disk progress: 5%
...

sazazi on 2 Nov 2018

There is something fishy with this, our code seems to escape correctly:

https://play.golang.org/p/lf7iUgjNWh1

rickard-von-essen on 2 Nov 2018

Please gist a full debug log from PACKER_LOG=1 packer build template.json.

rickard-von-essen on 2 Nov 2018

There is something fishy with this, our code seems to escape correctly:

https://play.golang.org/p/lf7iUgjNWh1

In the example that you have provided, you have included two backslashes (user\\domain), so that one escapes the other in the string. However, the string that is passed (domain\username) only contains one backslash (as you can see in the template). I cannot pass in two backslashes otherwise connection to the VMware host fails as the credentials end up being incorrect.

sazazi on 5 Nov 2018

Please gist a full debug log from PACKER_LOG=1 packer build template.json.

See the gist here.

sazazi on 5 Nov 2018

you have included two backslashes

Yes that is how you escape \ in Go. It equivalent with the single \ you have in your template json.

rickard-von-essen on 5 Nov 2018

Could you provide the exact template you used (with the password removed). Your template and debug log doesn't match. It's very hard to understand what is happening when things don't add up.

rickard-von-essen on 5 Nov 2018

Could you provide the exact template you used (with the password removed).

You can see the full template here.

sazazi on 5 Nov 2018

Looks like the problem is at step_export.go Line36. The Username is not escaped here...

Making the following changes gets it working:

    username := url.QueryEscape(c.RemoteUser)

    ...

    args := []string{
        "--noSSLVerify=true",
        "--skipManifestCheck",
        "-tt=" + s.Format,
        "vi://" + username + ":" + password + "@" + c.RemoteHost + "/" + displayName,
        s.OutputDir,
    }

jonreeves on 6 Nov 2018

👍1

Here's a windows build of @jonreeves' suggestion, linked above in PR 6962. If this works for you, @sazazi I'll merge.

SwampDragons on 6 Nov 2018

packer.zip

SwampDragons on 6 Nov 2018

Here's a windows build of @jonreeves' suggestion, linked above in PR 6962. If this works for you, @sazazi I'll merge.

Unfortunately it errored in a slightly different way this time as you can see in the following section of the debug log:


1. 2018/11/07 10:30:22 packer.exe: 2018/11/07 10:30:22 Writing VMX to: C:\Users\sarah\AppData\Local\Temp\packer-vmx956536649\packer-vmware-iso.vmx
2. 2018/11/07 10:30:22 packer.exe: 2018/11/07 10:30:22 [DEBUG] Opening new ssh session
3. 2018/11/07 10:30:22 packer.exe: 2018/11/07 10:30:22 [DEBUG] Starting remote scp process:  scp -vt /vmfs/volumes/DATASTORE/packer-vmware-iso
4. 2018/11/07 10:30:22 packer.exe: 2018/11/07 10:30:22 [DEBUG] Started SCP session, beginning transfers...
5. 2018/11/07 10:30:22 packer.exe: 2018/11/07 10:30:22 [DEBUG] Copying input data into temporary file so we can read the length
6. 2018/11/07 10:30:22 packer.exe: 2018/11/07 10:30:22 [DEBUG] scp: Uploading packer-vmware-iso.vmx: perms=C0644 size=2929
7. 2018/11/07 10:30:22 packer.exe: 2018/11/07 10:30:22 [DEBUG] SCP session complete, closing stdin pipe.
8. 2018/11/07 10:30:22 packer.exe: 2018/11/07 10:30:22 [DEBUG] Waiting for SSH session to complete.
9. 2018/11/07 10:30:22 packer.exe: 2018/11/07 10:30:22 [DEBUG] scp stderr (length 158): Could not chdir to home directory /home/local/DOMAIN/user: No such file or directory
10. 2018/11/07 10:30:22 packer.exe: Sink: C0644 2929 packer-vmware-iso.vmx
11. 2018/11/07 10:30:22 packer.exe: 2018/11/07 10:30:22 [DEBUG] Opening new ssh session
12. 2018/11/07 10:30:22 packer.exe: 2018/11/07 10:30:22 [DEBUG] starting remote command: vim-cmd vmsvc/reload 199
13. 2018/11/07 10:30:22 ui: ==> vmware-iso: Exporting virtual machine...
14. 2018/11/07 10:30:22 ui:     vmware-iso: Executing: ovftool.exe --shaAlgorithm=sha1 --machineOutput --noSSLVerify=true --skipManifestCheck -tt=ova vi://domain%5Cuser:****@X.X.X.X/packer-vmware-iso output-vmware-iso
15. 2018/11/07 10:30:24 ui error: ==> vmware-iso: Error exporting virtual machine: exit status 255
16. ==> vmware-iso: ERROR
17. ==> vmware-iso: + <Errors>
18. ==> vmware-iso: + <Error>
19. ==> vmware-iso: + <Type>ovftool.abort</Type>
20. ==> vmware-iso: + <LocalizedMsg>
21. ==> vmware-iso: + Execution aborted
22. ==> vmware-iso: + </LocalizedMsg>
23. ==> vmware-iso: + </Error>
24. ==> vmware-iso: + </Errors>

See the full debug log gist here

sazazi on 7 Nov 2018

Using a build generated from the latest release (1.3.2) with @jonreeves' suggestion worked. Perhaps there are other changes in the develop branch causing problems elsewhere?

sazazi on 7 Nov 2018

You're right. I did _just_ merge a PR that involved some refactoring to extend esxi functionality to the vmware-vmx builder. That may have caused an issue, and if so, I'm super glad we're catching it now instead of in a release.

~It looks like your output directory is malformed/different in the new implementation compared to the old one. I'm going to tinker and see what I can come up with.~ EDIT: oops, nope, that was just me reading your manual ovftool attempts instead of your packer logs

SwampDragons on 7 Nov 2018

Are you able to share the output from your build that _did_ work? I'm particularly interested in what this line looks like:

 Executing: ovftool.exe --shaAlgorithm=sha1 --machineOutput --noSSLVerify=true --skipManifestCheck -tt=ova vi://domain%5Cuser:****@X.X.X.X/packer-vmware-iso output-vmware-iso

SwampDragons on 7 Nov 2018

Reading some docs online, it looks like we might be able to get more info about this by adding --X:logFile=transferissue.log and --X:logLevel=trivia to your ovftool_options. Mind trying that for me?

Sorry for asking you to do this legwork; I don't have an esxi setup that uses active directory, so I don't think I can reproduce the domainuser convention. (I could very well be wrong about this -- I'm no VMware expert)

SwampDragons on 7 Nov 2018

The latest error I reported doesn't seem to be related to packer as all builds, regardless of the packer versions, now fail in the same way, including the build that previously worked. I am working on resolving it, and will then try the binary that you provided. I'll let you know the outcome.

sazazi on 9 Nov 2018

Interesting; thanks! Let me know if I can help any more while you resolve it.

SwampDragons on 9 Nov 2018

Interesting; thanks! Let me know if I can help any more while you resolve it.

Will do, thanks! Do you have a linux version of the packer binary that you generated earlier please?

sazazi on 12 Nov 2018

I don't have that exact one, but here's a linux build of this patch on latest master:
packer.zip

SwampDragons on 12 Nov 2018

So after trying the linux build that you provided the virtual machine is exporting successfully. It looks like that patch solved the problem!

It outputs the line, as expected, showing the backslash being escaped correctly:

Executing: ovftool.exe --shaAlgorithm=sha1 --machineOutput --noSSLVerify=true --skipManifestCheck -tt=ova vi://domain%5Cuser:****@X.X.X.X/packer-vmware-iso output-vmware-iso

sazazi on 13 Nov 2018

🎉 That's awesome news! I'll merge the patch and close this issue. Reach out if you have any other problems!

SwampDragons on 13 Nov 2018

Great! Thanks for the help!

sazazi on 14 Nov 2018

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.